1 /* ssl/s3_clnt.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core (at) openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay (at) cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh (at) cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 /* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151 #include <stdio.h> 152 #include "ssl_locl.h" 153 #include "kssl_lcl.h" 154 #include <openssl/buffer.h> 155 #include <openssl/rand.h> 156 #include <openssl/objects.h> 157 #include <openssl/evp.h> 158 #include <openssl/md5.h> 159 #ifdef OPENSSL_FIPS 160 #include <openssl/fips.h> 161 #endif 162 #ifndef OPENSSL_NO_DH 163 #include <openssl/dh.h> 164 #endif 165 #include <openssl/bn.h> 166 #ifndef OPENSSL_NO_ENGINE 167 #include <openssl/engine.h> 168 #endif 169 170 static const SSL_METHOD *ssl3_get_client_method(int ver); 171 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 172 173 static const SSL_METHOD *ssl3_get_client_method(int ver) 174 { 175 if (ver == SSL3_VERSION) 176 return(SSLv3_client_method()); 177 else 178 return(NULL); 179 } 180 181 IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182 ssl_undefined_function, 183 ssl3_connect, 184 ssl3_get_client_method) 185 186 int ssl3_connect(SSL *s) 187 { 188 BUF_MEM *buf=NULL; 189 unsigned long Time=(unsigned long)time(NULL); 190 void (*cb)(const SSL *ssl,int type,int val)=NULL; 191 int ret= -1; 192 int new_state,state,skip=0; 193 194 RAND_add(&Time,sizeof(Time),0); 195 ERR_clear_error(); 196 clear_sys_error(); 197 198 if (s->info_callback != NULL) 199 cb=s->info_callback; 200 else if (s->ctx->info_callback != NULL) 201 cb=s->ctx->info_callback; 202 203 s->in_handshake++; 204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 205 #if 0 /* Send app data in separate packet, otherwise, some particular site 206 * (only one site so far) closes the socket. 207 * Note: there is a very small chance that two TCP packets 208 * could be arriving at server combined into a single TCP packet, 209 * then trigger that site to break. We haven't encounter that though. 210 */ 211 if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) 212 { 213 /* Send app data along with CCS/Finished */ 214 s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED; 215 } 216 #endif 217 218 #ifndef OPENSSL_NO_HEARTBEATS 219 /* If we're awaiting a HeartbeatResponse, pretend we 220 * already got and don't await it anymore, because 221 * Heartbeats don't make sense during handshakes anyway. 222 */ 223 if (s->tlsext_hb_pending) 224 { 225 s->tlsext_hb_pending = 0; 226 s->tlsext_hb_seq++; 227 } 228 #endif 229 230 for (;;) 231 { 232 state=s->state; 233 234 switch(s->state) 235 { 236 case SSL_ST_RENEGOTIATE: 237 s->renegotiate=1; 238 s->state=SSL_ST_CONNECT; 239 s->ctx->stats.sess_connect_renegotiate++; 240 /* break */ 241 case SSL_ST_BEFORE: 242 case SSL_ST_CONNECT: 243 case SSL_ST_BEFORE|SSL_ST_CONNECT: 244 case SSL_ST_OK|SSL_ST_CONNECT: 245 246 s->server=0; 247 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 248 249 if ((s->version & 0xff00 ) != 0x0300) 250 { 251 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 252 ret = -1; 253 goto end; 254 } 255 256 /* s->version=SSL3_VERSION; */ 257 s->type=SSL_ST_CONNECT; 258 259 if (s->init_buf == NULL) 260 { 261 if ((buf=BUF_MEM_new()) == NULL) 262 { 263 ret= -1; 264 goto end; 265 } 266 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 267 { 268 ret= -1; 269 goto end; 270 } 271 s->init_buf=buf; 272 buf=NULL; 273 } 274 275 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 276 277 /* setup buffing BIO */ 278 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 279 280 /* don't push the buffering BIO quite yet */ 281 282 ssl3_init_finished_mac(s); 283 284 s->state=SSL3_ST_CW_CLNT_HELLO_A; 285 s->ctx->stats.sess_connect++; 286 s->init_num=0; 287 break; 288 289 case SSL3_ST_CW_CLNT_HELLO_A: 290 case SSL3_ST_CW_CLNT_HELLO_B: 291 292 s->shutdown=0; 293 ret=ssl3_client_hello(s); 294 if (ret <= 0) goto end; 295 s->state=SSL3_ST_CR_SRVR_HELLO_A; 296 s->init_num=0; 297 298 /* turn on buffering for the next lot of output */ 299 if (s->bbio != s->wbio) 300 s->wbio=BIO_push(s->bbio,s->wbio); 301 302 break; 303 304 case SSL3_ST_CR_SRVR_HELLO_A: 305 case SSL3_ST_CR_SRVR_HELLO_B: 306 ret=ssl3_get_server_hello(s); 307 if (ret <= 0) goto end; 308 309 if (s->hit) 310 { 311 s->state=SSL3_ST_CR_FINISHED_A; 312 #ifndef OPENSSL_NO_TLSEXT 313 if (s->tlsext_ticket_expected) 314 { 315 /* receive renewed session ticket */ 316 s->state=SSL3_ST_CR_SESSION_TICKET_A; 317 } 318 #endif 319 } 320 else 321 s->state=SSL3_ST_CR_CERT_A; 322 s->init_num=0; 323 break; 324 325 case SSL3_ST_CR_CERT_A: 326 case SSL3_ST_CR_CERT_B: 327 #ifndef OPENSSL_NO_TLSEXT 328 ret=ssl3_check_finished(s); 329 if (ret <= 0) goto end; 330 if (ret == 2) 331 { 332 s->hit = 1; 333 if (s->tlsext_ticket_expected) 334 s->state=SSL3_ST_CR_SESSION_TICKET_A; 335 else 336 s->state=SSL3_ST_CR_FINISHED_A; 337 s->init_num=0; 338 break; 339 } 340 #endif 341 /* Check if it is anon DH/ECDH */ 342 /* or PSK */ 343 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 344 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 345 { 346 ret=ssl3_get_server_certificate(s); 347 if (ret <= 0) goto end; 348 #ifndef OPENSSL_NO_TLSEXT 349 if (s->tlsext_status_expected) 350 s->state=SSL3_ST_CR_CERT_STATUS_A; 351 else 352 s->state=SSL3_ST_CR_KEY_EXCH_A; 353 } 354 else 355 { 356 skip = 1; 357 s->state=SSL3_ST_CR_KEY_EXCH_A; 358 } 359 #else 360 } 361 else 362 skip=1; 363 364 s->state=SSL3_ST_CR_KEY_EXCH_A; 365 #endif 366 s->init_num=0; 367 break; 368 369 case SSL3_ST_CR_KEY_EXCH_A: 370 case SSL3_ST_CR_KEY_EXCH_B: 371 ret=ssl3_get_key_exchange(s); 372 if (ret <= 0) goto end; 373 s->state=SSL3_ST_CR_CERT_REQ_A; 374 s->init_num=0; 375 376 /* at this point we check that we have the 377 * required stuff from the server */ 378 if (!ssl3_check_cert_and_algorithm(s)) 379 { 380 ret= -1; 381 goto end; 382 } 383 break; 384 385 case SSL3_ST_CR_CERT_REQ_A: 386 case SSL3_ST_CR_CERT_REQ_B: 387 ret=ssl3_get_certificate_request(s); 388 if (ret <= 0) goto end; 389 s->state=SSL3_ST_CR_SRVR_DONE_A; 390 s->init_num=0; 391 break; 392 393 case SSL3_ST_CR_SRVR_DONE_A: 394 case SSL3_ST_CR_SRVR_DONE_B: 395 ret=ssl3_get_server_done(s); 396 if (ret <= 0) goto end; 397 #ifndef OPENSSL_NO_SRP 398 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 399 { 400 if ((ret = SRP_Calc_A_param(s))<=0) 401 { 402 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC); 403 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); 404 goto end; 405 } 406 } 407 #endif 408 if (s->s3->tmp.cert_req) 409 s->state=SSL3_ST_CW_CERT_A; 410 else 411 s->state=SSL3_ST_CW_KEY_EXCH_A; 412 s->init_num=0; 413 414 break; 415 416 case SSL3_ST_CW_CERT_A: 417 case SSL3_ST_CW_CERT_B: 418 case SSL3_ST_CW_CERT_C: 419 case SSL3_ST_CW_CERT_D: 420 ret=ssl3_send_client_certificate(s); 421 if (ret <= 0) goto end; 422 s->state=SSL3_ST_CW_KEY_EXCH_A; 423 s->init_num=0; 424 break; 425 426 case SSL3_ST_CW_KEY_EXCH_A: 427 case SSL3_ST_CW_KEY_EXCH_B: 428 ret=ssl3_send_client_key_exchange(s); 429 if (ret <= 0) goto end; 430 /* EAY EAY EAY need to check for DH fix cert 431 * sent back */ 432 /* For TLS, cert_req is set to 2, so a cert chain 433 * of nothing is sent, but no verify packet is sent */ 434 /* XXX: For now, we do not support client 435 * authentication in ECDH cipher suites with 436 * ECDH (rather than ECDSA) certificates. 437 * We need to skip the certificate verify 438 * message when client's ECDH public key is sent 439 * inside the client certificate. 440 */ 441 if (s->s3->tmp.cert_req == 1) 442 { 443 s->state=SSL3_ST_CW_CERT_VRFY_A; 444 } 445 else 446 { 447 s->state=SSL3_ST_CW_CHANGE_A; 448 s->s3->change_cipher_spec=0; 449 } 450 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 451 { 452 s->state=SSL3_ST_CW_CHANGE_A; 453 s->s3->change_cipher_spec=0; 454 } 455 456 s->init_num=0; 457 break; 458 459 case SSL3_ST_CW_CERT_VRFY_A: 460 case SSL3_ST_CW_CERT_VRFY_B: 461 ret=ssl3_send_client_verify(s); 462 if (ret <= 0) goto end; 463 s->state=SSL3_ST_CW_CHANGE_A; 464 s->init_num=0; 465 s->s3->change_cipher_spec=0; 466 break; 467 468 case SSL3_ST_CW_CHANGE_A: 469 case SSL3_ST_CW_CHANGE_B: 470 ret=ssl3_send_change_cipher_spec(s, 471 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 472 if (ret <= 0) goto end; 473 474 475 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 476 s->state=SSL3_ST_CW_FINISHED_A; 477 #else 478 if (s->s3->next_proto_neg_seen) 479 s->state=SSL3_ST_CW_NEXT_PROTO_A; 480 else 481 s->state=SSL3_ST_CW_FINISHED_A; 482 #endif 483 s->init_num=0; 484 485 s->session->cipher=s->s3->tmp.new_cipher; 486 #ifdef OPENSSL_NO_COMP 487 s->session->compress_meth=0; 488 #else 489 if (s->s3->tmp.new_compression == NULL) 490 s->session->compress_meth=0; 491 else 492 s->session->compress_meth= 493 s->s3->tmp.new_compression->id; 494 #endif 495 if (!s->method->ssl3_enc->setup_key_block(s)) 496 { 497 ret= -1; 498 goto end; 499 } 500 501 if (!s->method->ssl3_enc->change_cipher_state(s, 502 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 503 { 504 ret= -1; 505 goto end; 506 } 507 508 break; 509 510 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 511 case SSL3_ST_CW_NEXT_PROTO_A: 512 case SSL3_ST_CW_NEXT_PROTO_B: 513 ret=ssl3_send_next_proto(s); 514 if (ret <= 0) goto end; 515 s->state=SSL3_ST_CW_FINISHED_A; 516 break; 517 #endif 518 519 case SSL3_ST_CW_FINISHED_A: 520 case SSL3_ST_CW_FINISHED_B: 521 ret=ssl3_send_finished(s, 522 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 523 s->method->ssl3_enc->client_finished_label, 524 s->method->ssl3_enc->client_finished_label_len); 525 if (ret <= 0) goto end; 526 s->state=SSL3_ST_CW_FLUSH; 527 528 /* clear flags */ 529 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 530 if (s->hit) 531 { 532 s->s3->tmp.next_state=SSL_ST_OK; 533 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 534 { 535 s->state=SSL_ST_OK; 536 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 537 s->s3->delay_buf_pop_ret=0; 538 } 539 } 540 else 541 { 542 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128 543 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */ 544 ) 545 { 546 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 547 { 548 s->state=SSL3_ST_CUTTHROUGH_COMPLETE; 549 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 550 s->s3->delay_buf_pop_ret=0; 551 } 552 else 553 { 554 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE; 555 } 556 } 557 else 558 { 559 #ifndef OPENSSL_NO_TLSEXT 560 /* Allow NewSessionTicket if ticket expected */ 561 if (s->tlsext_ticket_expected) 562 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 563 else 564 #endif 565 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 566 } 567 } 568 s->init_num=0; 569 break; 570 571 #ifndef OPENSSL_NO_TLSEXT 572 case SSL3_ST_CR_SESSION_TICKET_A: 573 case SSL3_ST_CR_SESSION_TICKET_B: 574 ret=ssl3_get_new_session_ticket(s); 575 if (ret <= 0) goto end; 576 s->state=SSL3_ST_CR_FINISHED_A; 577 s->init_num=0; 578 break; 579 580 case SSL3_ST_CR_CERT_STATUS_A: 581 case SSL3_ST_CR_CERT_STATUS_B: 582 ret=ssl3_get_cert_status(s); 583 if (ret <= 0) goto end; 584 s->state=SSL3_ST_CR_KEY_EXCH_A; 585 s->init_num=0; 586 break; 587 #endif 588 589 case SSL3_ST_CR_FINISHED_A: 590 case SSL3_ST_CR_FINISHED_B: 591 592 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 593 SSL3_ST_CR_FINISHED_B); 594 if (ret <= 0) goto end; 595 596 if (s->hit) 597 s->state=SSL3_ST_CW_CHANGE_A; 598 else 599 s->state=SSL_ST_OK; 600 s->init_num=0; 601 break; 602 603 case SSL3_ST_CW_FLUSH: 604 s->rwstate=SSL_WRITING; 605 if (BIO_flush(s->wbio) <= 0) 606 { 607 ret= -1; 608 goto end; 609 } 610 s->rwstate=SSL_NOTHING; 611 s->state=s->s3->tmp.next_state; 612 break; 613 614 case SSL3_ST_CUTTHROUGH_COMPLETE: 615 #ifndef OPENSSL_NO_TLSEXT 616 /* Allow NewSessionTicket if ticket expected */ 617 if (s->tlsext_ticket_expected) 618 s->state=SSL3_ST_CR_SESSION_TICKET_A; 619 else 620 #endif 621 s->state=SSL3_ST_CR_FINISHED_A; 622 623 /* SSL_write() will take care of flushing buffered data if 624 * DELAY_CLIENT_FINISHED is set. 625 */ 626 if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)) 627 ssl_free_wbio_buffer(s); 628 ret = 1; 629 goto end; 630 /* break; */ 631 632 case SSL_ST_OK: 633 /* clean a few things up */ 634 ssl3_cleanup_key_block(s); 635 636 if (s->init_buf != NULL) 637 { 638 BUF_MEM_free(s->init_buf); 639 s->init_buf=NULL; 640 } 641 642 /* If we are not 'joining' the last two packets, 643 * remove the buffering now */ 644 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 645 ssl_free_wbio_buffer(s); 646 /* else do it later in ssl3_write */ 647 648 s->init_num=0; 649 s->renegotiate=0; 650 s->new_session=0; 651 652 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 653 if (s->hit) s->ctx->stats.sess_hit++; 654 655 ret=1; 656 /* s->server=0; */ 657 s->handshake_func=ssl3_connect; 658 s->ctx->stats.sess_connect_good++; 659 660 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 661 662 goto end; 663 /* break; */ 664 665 default: 666 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 667 ret= -1; 668 goto end; 669 /* break; */ 670 } 671 672 /* did we do anything */ 673 if (!s->s3->tmp.reuse_message && !skip) 674 { 675 if (s->debug) 676 { 677 if ((ret=BIO_flush(s->wbio)) <= 0) 678 goto end; 679 } 680 681 if ((cb != NULL) && (s->state != state)) 682 { 683 new_state=s->state; 684 s->state=state; 685 cb(s,SSL_CB_CONNECT_LOOP,1); 686 s->state=new_state; 687 } 688 } 689 skip=0; 690 } 691 end: 692 s->in_handshake--; 693 if (buf != NULL) 694 BUF_MEM_free(buf); 695 if (cb != NULL) 696 cb(s,SSL_CB_CONNECT_EXIT,ret); 697 return(ret); 698 } 699 700 701 int ssl3_client_hello(SSL *s) 702 { 703 unsigned char *buf; 704 unsigned char *p,*d; 705 int i; 706 unsigned long Time,l; 707 #ifndef OPENSSL_NO_COMP 708 int j; 709 SSL_COMP *comp; 710 #endif 711 712 buf=(unsigned char *)s->init_buf->data; 713 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 714 { 715 SSL_SESSION *sess = s->session; 716 if ((sess == NULL) || 717 (sess->ssl_version != s->version) || 718 #ifdef OPENSSL_NO_TLSEXT 719 !sess->session_id_length || 720 #else 721 (!sess->session_id_length && !sess->tlsext_tick) || 722 #endif 723 (sess->not_resumable)) 724 { 725 if (!s->session_creation_enabled) 726 { 727 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 728 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 729 goto err; 730 } 731 if (!ssl_get_new_session(s,0)) 732 goto err; 733 } 734 /* else use the pre-loaded session */ 735 736 p=s->s3->client_random; 737 Time=(unsigned long)time(NULL); /* Time */ 738 l2n(Time,p); 739 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 740 goto err; 741 742 /* Do the message type and length last */ 743 d=p= &(buf[4]); 744 745 /* version indicates the negotiated version: for example from 746 * an SSLv2/v3 compatible client hello). The client_version 747 * field is the maximum version we permit and it is also 748 * used in RSA encrypted premaster secrets. Some servers can 749 * choke if we initially report a higher version then 750 * renegotiate to a lower one in the premaster secret. This 751 * didn't happen with TLS 1.0 as most servers supported it 752 * but it can with TLS 1.1 or later if the server only supports 753 * 1.0. 754 * 755 * Possible scenario with previous logic: 756 * 1. Client hello indicates TLS 1.2 757 * 2. Server hello says TLS 1.0 758 * 3. RSA encrypted premaster secret uses 1.2. 759 * 4. Handhaked proceeds using TLS 1.0. 760 * 5. Server sends hello request to renegotiate. 761 * 6. Client hello indicates TLS v1.0 as we now 762 * know that is maximum server supports. 763 * 7. Server chokes on RSA encrypted premaster secret 764 * containing version 1.0. 765 * 766 * For interoperability it should be OK to always use the 767 * maximum version we support in client hello and then rely 768 * on the checking of version to ensure the servers isn't 769 * being inconsistent: for example initially negotiating with 770 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using 771 * client_version in client hello and not resetting it to 772 * the negotiated version. 773 */ 774 #if 0 775 *(p++)=s->version>>8; 776 *(p++)=s->version&0xff; 777 s->client_version=s->version; 778 #else 779 *(p++)=s->client_version>>8; 780 *(p++)=s->client_version&0xff; 781 #endif 782 783 /* Random stuff */ 784 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 785 p+=SSL3_RANDOM_SIZE; 786 787 /* Session ID */ 788 if (s->new_session) 789 i=0; 790 else 791 i=s->session->session_id_length; 792 *(p++)=i; 793 if (i != 0) 794 { 795 if (i > (int)sizeof(s->session->session_id)) 796 { 797 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 798 goto err; 799 } 800 memcpy(p,s->session->session_id,i); 801 p+=i; 802 } 803 804 /* Ciphers supported */ 805 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 806 if (i == 0) 807 { 808 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 809 goto err; 810 } 811 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 812 /* Some servers hang if client hello > 256 bytes 813 * as hack workaround chop number of supported ciphers 814 * to keep it well below this if we use TLS v1.2 815 */ 816 if (TLS1_get_version(s) >= TLS1_2_VERSION 817 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 818 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 819 #endif 820 s2n(i,p); 821 p+=i; 822 823 /* COMPRESSION */ 824 #ifdef OPENSSL_NO_COMP 825 *(p++)=1; 826 #else 827 828 if ((s->options & SSL_OP_NO_COMPRESSION) 829 || !s->ctx->comp_methods) 830 j=0; 831 else 832 j=sk_SSL_COMP_num(s->ctx->comp_methods); 833 *(p++)=1+j; 834 for (i=0; i<j; i++) 835 { 836 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 837 *(p++)=comp->id; 838 } 839 #endif 840 *(p++)=0; /* Add the NULL method */ 841 842 #ifndef OPENSSL_NO_TLSEXT 843 /* TLS extensions*/ 844 if (ssl_prepare_clienthello_tlsext(s) <= 0) 845 { 846 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 847 goto err; 848 } 849 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 850 { 851 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 852 goto err; 853 } 854 #endif 855 856 l=(p-d); 857 d=buf; 858 *(d++)=SSL3_MT_CLIENT_HELLO; 859 l2n3(l,d); 860 861 s->state=SSL3_ST_CW_CLNT_HELLO_B; 862 /* number of bytes to write */ 863 s->init_num=p-buf; 864 s->init_off=0; 865 } 866 867 /* SSL3_ST_CW_CLNT_HELLO_B */ 868 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 869 err: 870 return(-1); 871 } 872 873 int ssl3_get_server_hello(SSL *s) 874 { 875 STACK_OF(SSL_CIPHER) *sk; 876 const SSL_CIPHER *c; 877 unsigned char *p,*d; 878 int i,al,ok; 879 unsigned int j; 880 long n; 881 #ifndef OPENSSL_NO_COMP 882 SSL_COMP *comp; 883 #endif 884 885 n=s->method->ssl_get_message(s, 886 SSL3_ST_CR_SRVR_HELLO_A, 887 SSL3_ST_CR_SRVR_HELLO_B, 888 -1, 889 20000, /* ?? */ 890 &ok); 891 892 if (!ok) return((int)n); 893 894 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 895 { 896 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 897 { 898 if ( s->d1->send_cookie == 0) 899 { 900 s->s3->tmp.reuse_message = 1; 901 return 1; 902 } 903 else /* already sent a cookie */ 904 { 905 al=SSL_AD_UNEXPECTED_MESSAGE; 906 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 907 goto f_err; 908 } 909 } 910 } 911 912 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 913 { 914 al=SSL_AD_UNEXPECTED_MESSAGE; 915 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 916 goto f_err; 917 } 918 919 d=p=(unsigned char *)s->init_msg; 920 921 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 922 { 923 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 924 s->version=(s->version&0xff00)|p[1]; 925 al=SSL_AD_PROTOCOL_VERSION; 926 goto f_err; 927 } 928 p+=2; 929 930 /* load the server hello data */ 931 /* load the server random */ 932 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 933 p+=SSL3_RANDOM_SIZE; 934 935 /* get the session-id */ 936 j= *(p++); 937 938 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 939 { 940 al=SSL_AD_ILLEGAL_PARAMETER; 941 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); 942 goto f_err; 943 } 944 945 #ifndef OPENSSL_NO_TLSEXT 946 /* check if we want to resume the session based on external pre-shared secret */ 947 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 948 { 949 SSL_CIPHER *pref_cipher=NULL; 950 s->session->master_key_length=sizeof(s->session->master_key); 951 if (s->tls_session_secret_cb(s, s->session->master_key, 952 &s->session->master_key_length, 953 NULL, &pref_cipher, 954 s->tls_session_secret_cb_arg)) 955 { 956 s->session->cipher = pref_cipher ? 957 pref_cipher : ssl_get_cipher_by_char(s, p+j); 958 } 959 } 960 #endif /* OPENSSL_NO_TLSEXT */ 961 962 if (j != 0 && j == s->session->session_id_length 963 && memcmp(p,s->session->session_id,j) == 0) 964 { 965 if(s->sid_ctx_length != s->session->sid_ctx_length 966 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 967 { 968 /* actually a client application bug */ 969 al=SSL_AD_ILLEGAL_PARAMETER; 970 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 971 goto f_err; 972 } 973 s->hit=1; 974 } 975 else /* a miss or crap from the other end */ 976 { 977 /* If we were trying for session-id reuse, make a new 978 * SSL_SESSION so we don't stuff up other people */ 979 s->hit=0; 980 if (s->session->session_id_length > 0) 981 { 982 if (!s->session_creation_enabled) 983 { 984 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 985 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 986 goto err; 987 } 988 if (!ssl_get_new_session(s,0)) 989 { 990 al=SSL_AD_INTERNAL_ERROR; 991 goto f_err; 992 } 993 } 994 s->session->session_id_length=j; 995 memcpy(s->session->session_id,p,j); /* j could be 0 */ 996 } 997 p+=j; 998 c=ssl_get_cipher_by_char(s,p); 999 if (c == NULL) 1000 { 1001 /* unknown cipher */ 1002 al=SSL_AD_ILLEGAL_PARAMETER; 1003 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 1004 goto f_err; 1005 } 1006 /* TLS v1.2 only ciphersuites require v1.2 or later */ 1007 if ((c->algorithm_ssl & SSL_TLSV1_2) && 1008 (TLS1_get_version(s) < TLS1_2_VERSION)) 1009 { 1010 al=SSL_AD_ILLEGAL_PARAMETER; 1011 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 1012 goto f_err; 1013 } 1014 p+=ssl_put_cipher_by_char(s,NULL,NULL); 1015 1016 sk=ssl_get_ciphers_by_id(s); 1017 i=sk_SSL_CIPHER_find(sk,c); 1018 if (i < 0) 1019 { 1020 /* we did not say we would use this cipher */ 1021 al=SSL_AD_ILLEGAL_PARAMETER; 1022 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 1023 goto f_err; 1024 } 1025 1026 /* Depending on the session caching (internal/external), the cipher 1027 and/or cipher_id values may not be set. Make sure that 1028 cipher_id is set and use it for comparison. */ 1029 if (s->session->cipher) 1030 s->session->cipher_id = s->session->cipher->id; 1031 if (s->hit && (s->session->cipher_id != c->id)) 1032 { 1033 /* Workaround is now obsolete */ 1034 #if 0 1035 if (!(s->options & 1036 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 1037 #endif 1038 { 1039 al=SSL_AD_ILLEGAL_PARAMETER; 1040 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 1041 goto f_err; 1042 } 1043 } 1044 s->s3->tmp.new_cipher=c; 1045 /* Don't digest cached records if TLS v1.2: we may need them for 1046 * client authentication. 1047 */ 1048 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 1049 goto f_err; 1050 /* lets get the compression algorithm */ 1051 /* COMPRESSION */ 1052 #ifdef OPENSSL_NO_COMP 1053 if (*(p++) != 0) 1054 { 1055 al=SSL_AD_ILLEGAL_PARAMETER; 1056 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1057 goto f_err; 1058 } 1059 /* If compression is disabled we'd better not try to resume a session 1060 * using compression. 1061 */ 1062 if (s->session->compress_meth != 0) 1063 { 1064 al=SSL_AD_INTERNAL_ERROR; 1065 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1066 goto f_err; 1067 } 1068 #else 1069 j= *(p++); 1070 if (s->hit && j != s->session->compress_meth) 1071 { 1072 al=SSL_AD_ILLEGAL_PARAMETER; 1073 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 1074 goto f_err; 1075 } 1076 if (j == 0) 1077 comp=NULL; 1078 else if (s->options & SSL_OP_NO_COMPRESSION) 1079 { 1080 al=SSL_AD_ILLEGAL_PARAMETER; 1081 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED); 1082 goto f_err; 1083 } 1084 else 1085 comp=ssl3_comp_find(s->ctx->comp_methods,j); 1086 1087 if ((j != 0) && (comp == NULL)) 1088 { 1089 al=SSL_AD_ILLEGAL_PARAMETER; 1090 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1091 goto f_err; 1092 } 1093 else 1094 { 1095 s->s3->tmp.new_compression=comp; 1096 } 1097 #endif 1098 1099 #ifndef OPENSSL_NO_TLSEXT 1100 /* TLS extensions*/ 1101 if (s->version >= SSL3_VERSION) 1102 { 1103 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) 1104 { 1105 /* 'al' set by ssl_parse_serverhello_tlsext */ 1106 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1107 goto f_err; 1108 } 1109 if (ssl_check_serverhello_tlsext(s) <= 0) 1110 { 1111 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 1112 goto err; 1113 } 1114 } 1115 #endif 1116 1117 if (p != (d+n)) 1118 { 1119 /* wrong packet length */ 1120 al=SSL_AD_DECODE_ERROR; 1121 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1122 goto f_err; 1123 } 1124 1125 return(1); 1126 f_err: 1127 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1128 err: 1129 return(-1); 1130 } 1131 1132 int ssl3_get_server_certificate(SSL *s) 1133 { 1134 int al,i,ok,ret= -1; 1135 unsigned long n,nc,llen,l; 1136 X509 *x=NULL; 1137 const unsigned char *q,*p; 1138 unsigned char *d; 1139 STACK_OF(X509) *sk=NULL; 1140 SESS_CERT *sc; 1141 EVP_PKEY *pkey=NULL; 1142 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1143 1144 n=s->method->ssl_get_message(s, 1145 SSL3_ST_CR_CERT_A, 1146 SSL3_ST_CR_CERT_B, 1147 -1, 1148 s->max_cert_list, 1149 &ok); 1150 1151 if (!ok) return((int)n); 1152 1153 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1154 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1155 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 1156 { 1157 s->s3->tmp.reuse_message=1; 1158 return(1); 1159 } 1160 1161 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 1162 { 1163 al=SSL_AD_UNEXPECTED_MESSAGE; 1164 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 1165 goto f_err; 1166 } 1167 p=d=(unsigned char *)s->init_msg; 1168 1169 if ((sk=sk_X509_new_null()) == NULL) 1170 { 1171 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1172 goto err; 1173 } 1174 1175 n2l3(p,llen); 1176 if (llen+3 != n) 1177 { 1178 al=SSL_AD_DECODE_ERROR; 1179 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 1180 goto f_err; 1181 } 1182 for (nc=0; nc<llen; ) 1183 { 1184 n2l3(p,l); 1185 if ((l+nc+3) > llen) 1186 { 1187 al=SSL_AD_DECODE_ERROR; 1188 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1189 goto f_err; 1190 } 1191 1192 q=p; 1193 x=d2i_X509(NULL,&q,l); 1194 if (x == NULL) 1195 { 1196 al=SSL_AD_BAD_CERTIFICATE; 1197 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 1198 goto f_err; 1199 } 1200 if (q != (p+l)) 1201 { 1202 al=SSL_AD_DECODE_ERROR; 1203 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1204 goto f_err; 1205 } 1206 if (!sk_X509_push(sk,x)) 1207 { 1208 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1209 goto err; 1210 } 1211 x=NULL; 1212 nc+=l+3; 1213 p=q; 1214 } 1215 1216 i=ssl_verify_cert_chain(s,sk); 1217 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1218 #ifndef OPENSSL_NO_KRB5 1219 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1220 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1221 #endif /* OPENSSL_NO_KRB5 */ 1222 ) 1223 { 1224 al=ssl_verify_alarm_type(s->verify_result); 1225 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1226 goto f_err; 1227 } 1228 ERR_clear_error(); /* but we keep s->verify_result */ 1229 1230 sc=ssl_sess_cert_new(); 1231 if (sc == NULL) goto err; 1232 1233 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1234 s->session->sess_cert=sc; 1235 1236 sc->cert_chain=sk; 1237 /* Inconsistency alert: cert_chain does include the peer's 1238 * certificate, which we don't include in s3_srvr.c */ 1239 x=sk_X509_value(sk,0); 1240 sk=NULL; 1241 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1242 1243 pkey=X509_get_pubkey(x); 1244 1245 /* VRS: allow null cert if auth == KRB5 */ 1246 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1247 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1248 ? 0 : 1; 1249 1250 #ifdef KSSL_DEBUG 1251 printf("pkey,x = %p, %p\n", pkey,x); 1252 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1253 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1254 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1255 #endif /* KSSL_DEBUG */ 1256 1257 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1258 { 1259 x=NULL; 1260 al=SSL3_AL_FATAL; 1261 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1262 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1263 goto f_err; 1264 } 1265 1266 i=ssl_cert_type(x,pkey); 1267 if (need_cert && i < 0) 1268 { 1269 x=NULL; 1270 al=SSL3_AL_FATAL; 1271 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1272 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1273 goto f_err; 1274 } 1275 1276 if (need_cert) 1277 { 1278 sc->peer_cert_type=i; 1279 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1280 /* Why would the following ever happen? 1281 * We just created sc a couple of lines ago. */ 1282 if (sc->peer_pkeys[i].x509 != NULL) 1283 X509_free(sc->peer_pkeys[i].x509); 1284 sc->peer_pkeys[i].x509=x; 1285 sc->peer_key= &(sc->peer_pkeys[i]); 1286 1287 if (s->session->peer != NULL) 1288 X509_free(s->session->peer); 1289 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1290 s->session->peer=x; 1291 } 1292 else 1293 { 1294 sc->peer_cert_type=i; 1295 sc->peer_key= NULL; 1296 1297 if (s->session->peer != NULL) 1298 X509_free(s->session->peer); 1299 s->session->peer=NULL; 1300 } 1301 s->session->verify_result = s->verify_result; 1302 1303 x=NULL; 1304 ret=1; 1305 1306 if (0) 1307 { 1308 f_err: 1309 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1310 } 1311 err: 1312 EVP_PKEY_free(pkey); 1313 X509_free(x); 1314 sk_X509_pop_free(sk,X509_free); 1315 return(ret); 1316 } 1317 1318 int ssl3_get_key_exchange(SSL *s) 1319 { 1320 #ifndef OPENSSL_NO_RSA 1321 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1322 #endif 1323 EVP_MD_CTX md_ctx; 1324 unsigned char *param,*p; 1325 int al,i,j,param_len,ok; 1326 long n,alg_k,alg_a; 1327 EVP_PKEY *pkey=NULL; 1328 const EVP_MD *md = NULL; 1329 #ifndef OPENSSL_NO_RSA 1330 RSA *rsa=NULL; 1331 #endif 1332 #ifndef OPENSSL_NO_DH 1333 DH *dh=NULL; 1334 #endif 1335 #ifndef OPENSSL_NO_ECDH 1336 EC_KEY *ecdh = NULL; 1337 BN_CTX *bn_ctx = NULL; 1338 EC_POINT *srvr_ecpoint = NULL; 1339 int curve_nid = 0; 1340 int encoded_pt_len = 0; 1341 #endif 1342 1343 /* use same message size as in ssl3_get_certificate_request() 1344 * as ServerKeyExchange message may be skipped */ 1345 n=s->method->ssl_get_message(s, 1346 SSL3_ST_CR_KEY_EXCH_A, 1347 SSL3_ST_CR_KEY_EXCH_B, 1348 -1, 1349 s->max_cert_list, 1350 &ok); 1351 if (!ok) return((int)n); 1352 1353 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 1354 { 1355 #ifndef OPENSSL_NO_PSK 1356 /* In plain PSK ciphersuite, ServerKeyExchange can be 1357 omitted if no identity hint is sent. Set 1358 session->sess_cert anyway to avoid problems 1359 later.*/ 1360 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1361 { 1362 s->session->sess_cert=ssl_sess_cert_new(); 1363 if (s->ctx->psk_identity_hint) 1364 OPENSSL_free(s->ctx->psk_identity_hint); 1365 s->ctx->psk_identity_hint = NULL; 1366 } 1367 #endif 1368 s->s3->tmp.reuse_message=1; 1369 return(1); 1370 } 1371 1372 param=p=(unsigned char *)s->init_msg; 1373 if (s->session->sess_cert != NULL) 1374 { 1375 #ifndef OPENSSL_NO_RSA 1376 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1377 { 1378 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1379 s->session->sess_cert->peer_rsa_tmp=NULL; 1380 } 1381 #endif 1382 #ifndef OPENSSL_NO_DH 1383 if (s->session->sess_cert->peer_dh_tmp) 1384 { 1385 DH_free(s->session->sess_cert->peer_dh_tmp); 1386 s->session->sess_cert->peer_dh_tmp=NULL; 1387 } 1388 #endif 1389 #ifndef OPENSSL_NO_ECDH 1390 if (s->session->sess_cert->peer_ecdh_tmp) 1391 { 1392 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1393 s->session->sess_cert->peer_ecdh_tmp=NULL; 1394 } 1395 #endif 1396 } 1397 else 1398 { 1399 s->session->sess_cert=ssl_sess_cert_new(); 1400 } 1401 1402 param_len=0; 1403 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1404 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1405 EVP_MD_CTX_init(&md_ctx); 1406 1407 #ifndef OPENSSL_NO_PSK 1408 if (alg_k & SSL_kPSK) 1409 { 1410 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; 1411 1412 al=SSL_AD_HANDSHAKE_FAILURE; 1413 n2s(p,i); 1414 param_len=i+2; 1415 /* Store PSK identity hint for later use, hint is used 1416 * in ssl3_send_client_key_exchange. Assume that the 1417 * maximum length of a PSK identity hint can be as 1418 * long as the maximum length of a PSK identity. */ 1419 if (i > PSK_MAX_IDENTITY_LEN) 1420 { 1421 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1422 SSL_R_DATA_LENGTH_TOO_LONG); 1423 goto f_err; 1424 } 1425 if (param_len > n) 1426 { 1427 al=SSL_AD_DECODE_ERROR; 1428 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1429 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1430 goto f_err; 1431 } 1432 /* If received PSK identity hint contains NULL 1433 * characters, the hint is truncated from the first 1434 * NULL. p may not be ending with NULL, so create a 1435 * NULL-terminated string. */ 1436 memcpy(tmp_id_hint, p, i); 1437 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1438 if (s->ctx->psk_identity_hint != NULL) 1439 OPENSSL_free(s->ctx->psk_identity_hint); 1440 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1441 if (s->ctx->psk_identity_hint == NULL) 1442 { 1443 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1444 goto f_err; 1445 } 1446 1447 p+=i; 1448 n-=param_len; 1449 } 1450 else 1451 #endif /* !OPENSSL_NO_PSK */ 1452 #ifndef OPENSSL_NO_SRP 1453 if (alg_k & SSL_kSRP) 1454 { 1455 n2s(p,i); 1456 param_len=i+2; 1457 if (param_len > n) 1458 { 1459 al=SSL_AD_DECODE_ERROR; 1460 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH); 1461 goto f_err; 1462 } 1463 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1464 { 1465 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1466 goto err; 1467 } 1468 p+=i; 1469 1470 n2s(p,i); 1471 param_len+=i+2; 1472 if (param_len > n) 1473 { 1474 al=SSL_AD_DECODE_ERROR; 1475 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH); 1476 goto f_err; 1477 } 1478 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1479 { 1480 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1481 goto err; 1482 } 1483 p+=i; 1484 1485 i = (unsigned int)(p[0]); 1486 p++; 1487 param_len+=i+1; 1488 if (param_len > n) 1489 { 1490 al=SSL_AD_DECODE_ERROR; 1491 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH); 1492 goto f_err; 1493 } 1494 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1495 { 1496 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1497 goto err; 1498 } 1499 p+=i; 1500 1501 n2s(p,i); 1502 param_len+=i+2; 1503 if (param_len > n) 1504 { 1505 al=SSL_AD_DECODE_ERROR; 1506 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH); 1507 goto f_err; 1508 } 1509 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1510 { 1511 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1512 goto err; 1513 } 1514 p+=i; 1515 n-=param_len; 1516 1517 /* We must check if there is a certificate */ 1518 #ifndef OPENSSL_NO_RSA 1519 if (alg_a & SSL_aRSA) 1520 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1521 #else 1522 if (0) 1523 ; 1524 #endif 1525 #ifndef OPENSSL_NO_DSA 1526 else if (alg_a & SSL_aDSS) 1527 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1528 #endif 1529 } 1530 else 1531 #endif /* !OPENSSL_NO_SRP */ 1532 #ifndef OPENSSL_NO_RSA 1533 if (alg_k & SSL_kRSA) 1534 { 1535 if ((rsa=RSA_new()) == NULL) 1536 { 1537 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1538 goto err; 1539 } 1540 n2s(p,i); 1541 param_len=i+2; 1542 if (param_len > n) 1543 { 1544 al=SSL_AD_DECODE_ERROR; 1545 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 1546 goto f_err; 1547 } 1548 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1549 { 1550 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1551 goto err; 1552 } 1553 p+=i; 1554 1555 n2s(p,i); 1556 param_len+=i+2; 1557 if (param_len > n) 1558 { 1559 al=SSL_AD_DECODE_ERROR; 1560 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 1561 goto f_err; 1562 } 1563 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1564 { 1565 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1566 goto err; 1567 } 1568 p+=i; 1569 n-=param_len; 1570 1571 /* this should be because we are using an export cipher */ 1572 if (alg_a & SSL_aRSA) 1573 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1574 else 1575 { 1576 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1577 goto err; 1578 } 1579 s->session->sess_cert->peer_rsa_tmp=rsa; 1580 rsa=NULL; 1581 } 1582 #else /* OPENSSL_NO_RSA */ 1583 if (0) 1584 ; 1585 #endif 1586 #ifndef OPENSSL_NO_DH 1587 else if (alg_k & SSL_kEDH) 1588 { 1589 if ((dh=DH_new()) == NULL) 1590 { 1591 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 1592 goto err; 1593 } 1594 n2s(p,i); 1595 param_len=i+2; 1596 if (param_len > n) 1597 { 1598 al=SSL_AD_DECODE_ERROR; 1599 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 1600 goto f_err; 1601 } 1602 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1603 { 1604 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1605 goto err; 1606 } 1607 p+=i; 1608 1609 n2s(p,i); 1610 param_len+=i+2; 1611 if (param_len > n) 1612 { 1613 al=SSL_AD_DECODE_ERROR; 1614 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 1615 goto f_err; 1616 } 1617 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1618 { 1619 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1620 goto err; 1621 } 1622 p+=i; 1623 1624 n2s(p,i); 1625 param_len+=i+2; 1626 if (param_len > n) 1627 { 1628 al=SSL_AD_DECODE_ERROR; 1629 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 1630 goto f_err; 1631 } 1632 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1633 { 1634 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1635 goto err; 1636 } 1637 p+=i; 1638 n-=param_len; 1639 1640 #ifndef OPENSSL_NO_RSA 1641 if (alg_a & SSL_aRSA) 1642 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1643 #else 1644 if (0) 1645 ; 1646 #endif 1647 #ifndef OPENSSL_NO_DSA 1648 else if (alg_a & SSL_aDSS) 1649 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1650 #endif 1651 /* else anonymous DH, so no certificate or pkey. */ 1652 1653 s->session->sess_cert->peer_dh_tmp=dh; 1654 dh=NULL; 1655 } 1656 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1657 { 1658 al=SSL_AD_ILLEGAL_PARAMETER; 1659 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1660 goto f_err; 1661 } 1662 #endif /* !OPENSSL_NO_DH */ 1663 1664 #ifndef OPENSSL_NO_ECDH 1665 else if (alg_k & SSL_kEECDH) 1666 { 1667 EC_GROUP *ngroup; 1668 const EC_GROUP *group; 1669 1670 if ((ecdh=EC_KEY_new()) == NULL) 1671 { 1672 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1673 goto err; 1674 } 1675 1676 /* Extract elliptic curve parameters and the 1677 * server's ephemeral ECDH public key. 1678 * Keep accumulating lengths of various components in 1679 * param_len and make sure it never exceeds n. 1680 */ 1681 1682 /* XXX: For now we only support named (not generic) curves 1683 * and the ECParameters in this case is just three bytes. 1684 */ 1685 param_len=3; 1686 if ((param_len > n) || 1687 (*p != NAMED_CURVE_TYPE) || 1688 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1689 { 1690 al=SSL_AD_INTERNAL_ERROR; 1691 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1692 goto f_err; 1693 } 1694 1695 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1696 if (ngroup == NULL) 1697 { 1698 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1699 goto err; 1700 } 1701 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1702 { 1703 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1704 goto err; 1705 } 1706 EC_GROUP_free(ngroup); 1707 1708 group = EC_KEY_get0_group(ecdh); 1709 1710 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1711 (EC_GROUP_get_degree(group) > 163)) 1712 { 1713 al=SSL_AD_EXPORT_RESTRICTION; 1714 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1715 goto f_err; 1716 } 1717 1718 p+=3; 1719 1720 /* Next, get the encoded ECPoint */ 1721 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1722 ((bn_ctx = BN_CTX_new()) == NULL)) 1723 { 1724 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1725 goto err; 1726 } 1727 1728 encoded_pt_len = *p; /* length of encoded point */ 1729 p+=1; 1730 param_len += (1 + encoded_pt_len); 1731 if ((param_len > n) || 1732 (EC_POINT_oct2point(group, srvr_ecpoint, 1733 p, encoded_pt_len, bn_ctx) == 0)) 1734 { 1735 al=SSL_AD_DECODE_ERROR; 1736 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); 1737 goto f_err; 1738 } 1739 1740 n-=param_len; 1741 p+=encoded_pt_len; 1742 1743 /* The ECC/TLS specification does not mention 1744 * the use of DSA to sign ECParameters in the server 1745 * key exchange message. We do support RSA and ECDSA. 1746 */ 1747 if (0) ; 1748 #ifndef OPENSSL_NO_RSA 1749 else if (alg_a & SSL_aRSA) 1750 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1751 #endif 1752 #ifndef OPENSSL_NO_ECDSA 1753 else if (alg_a & SSL_aECDSA) 1754 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1755 #endif 1756 /* else anonymous ECDH, so no certificate or pkey. */ 1757 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1758 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1759 ecdh=NULL; 1760 BN_CTX_free(bn_ctx); 1761 bn_ctx = NULL; 1762 EC_POINT_free(srvr_ecpoint); 1763 srvr_ecpoint = NULL; 1764 } 1765 else if (alg_k) 1766 { 1767 al=SSL_AD_UNEXPECTED_MESSAGE; 1768 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1769 goto f_err; 1770 } 1771 #endif /* !OPENSSL_NO_ECDH */ 1772 1773 1774 /* p points to the next byte, there are 'n' bytes left */ 1775 1776 /* if it was signed, check the signature */ 1777 if (pkey != NULL) 1778 { 1779 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1780 { 1781 int sigalg = tls12_get_sigid(pkey); 1782 /* Should never happen */ 1783 if (sigalg == -1) 1784 { 1785 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1786 goto err; 1787 } 1788 /* Check key type is consistent with signature */ 1789 if (sigalg != (int)p[1]) 1790 { 1791 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1792 al=SSL_AD_DECODE_ERROR; 1793 goto f_err; 1794 } 1795 md = tls12_get_hash(p[0]); 1796 if (md == NULL) 1797 { 1798 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1799 al=SSL_AD_DECODE_ERROR; 1800 goto f_err; 1801 } 1802 #ifdef SSL_DEBUG 1803 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1804 #endif 1805 p += 2; 1806 n -= 2; 1807 } 1808 else 1809 md = EVP_sha1(); 1810 1811 n2s(p,i); 1812 n-=2; 1813 j=EVP_PKEY_size(pkey); 1814 1815 if ((i != n) || (n > j) || (n <= 0)) 1816 { 1817 /* wrong packet length */ 1818 al=SSL_AD_DECODE_ERROR; 1819 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1820 goto f_err; 1821 } 1822 1823 #ifndef OPENSSL_NO_RSA 1824 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 1825 { 1826 int num; 1827 1828 j=0; 1829 q=md_buf; 1830 for (num=2; num > 0; num--) 1831 { 1832 EVP_MD_CTX_set_flags(&md_ctx, 1833 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1834 EVP_DigestInit_ex(&md_ctx,(num == 2) 1835 ?s->ctx->md5:s->ctx->sha1, NULL); 1836 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1837 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1838 EVP_DigestUpdate(&md_ctx,param,param_len); 1839 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1840 q+=i; 1841 j+=i; 1842 } 1843 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1844 pkey->pkey.rsa); 1845 if (i < 0) 1846 { 1847 al=SSL_AD_DECRYPT_ERROR; 1848 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 1849 goto f_err; 1850 } 1851 if (i == 0) 1852 { 1853 /* bad signature */ 1854 al=SSL_AD_DECRYPT_ERROR; 1855 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1856 goto f_err; 1857 } 1858 } 1859 else 1860 #endif 1861 { 1862 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1863 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1864 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1865 EVP_VerifyUpdate(&md_ctx,param,param_len); 1866 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1867 { 1868 /* bad signature */ 1869 al=SSL_AD_DECRYPT_ERROR; 1870 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1871 goto f_err; 1872 } 1873 } 1874 } 1875 else 1876 { 1877 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1878 /* aNULL or kPSK do not need public keys */ 1879 { 1880 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1881 goto err; 1882 } 1883 /* still data left over */ 1884 if (n != 0) 1885 { 1886 al=SSL_AD_DECODE_ERROR; 1887 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 1888 goto f_err; 1889 } 1890 } 1891 EVP_PKEY_free(pkey); 1892 EVP_MD_CTX_cleanup(&md_ctx); 1893 return(1); 1894 f_err: 1895 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1896 err: 1897 EVP_PKEY_free(pkey); 1898 #ifndef OPENSSL_NO_RSA 1899 if (rsa != NULL) 1900 RSA_free(rsa); 1901 #endif 1902 #ifndef OPENSSL_NO_DH 1903 if (dh != NULL) 1904 DH_free(dh); 1905 #endif 1906 #ifndef OPENSSL_NO_ECDH 1907 BN_CTX_free(bn_ctx); 1908 EC_POINT_free(srvr_ecpoint); 1909 if (ecdh != NULL) 1910 EC_KEY_free(ecdh); 1911 #endif 1912 EVP_MD_CTX_cleanup(&md_ctx); 1913 return(-1); 1914 } 1915 1916 int ssl3_get_certificate_request(SSL *s) 1917 { 1918 int ok,ret=0; 1919 unsigned long n,nc,l; 1920 unsigned int llen, ctype_num,i; 1921 X509_NAME *xn=NULL; 1922 const unsigned char *p,*q; 1923 unsigned char *d; 1924 STACK_OF(X509_NAME) *ca_sk=NULL; 1925 1926 n=s->method->ssl_get_message(s, 1927 SSL3_ST_CR_CERT_REQ_A, 1928 SSL3_ST_CR_CERT_REQ_B, 1929 -1, 1930 s->max_cert_list, 1931 &ok); 1932 1933 if (!ok) return((int)n); 1934 1935 s->s3->tmp.cert_req=0; 1936 1937 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1938 { 1939 s->s3->tmp.reuse_message=1; 1940 /* If we get here we don't need any cached handshake records 1941 * as we wont be doing client auth. 1942 */ 1943 if (s->s3->handshake_buffer) 1944 { 1945 if (!ssl3_digest_cached_records(s)) 1946 goto err; 1947 } 1948 return(1); 1949 } 1950 1951 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1952 { 1953 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1954 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 1955 goto err; 1956 } 1957 1958 /* TLS does not like anon-DH with client cert */ 1959 if (s->version > SSL3_VERSION) 1960 { 1961 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1962 { 1963 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1964 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1965 goto err; 1966 } 1967 } 1968 1969 p=d=(unsigned char *)s->init_msg; 1970 1971 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1972 { 1973 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1974 goto err; 1975 } 1976 1977 /* get the certificate types */ 1978 ctype_num= *(p++); 1979 if (ctype_num > SSL3_CT_NUMBER) 1980 ctype_num=SSL3_CT_NUMBER; 1981 for (i=0; i<ctype_num; i++) 1982 s->s3->tmp.ctype[i]= p[i]; 1983 p+=ctype_num; 1984 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1985 { 1986 n2s(p, llen); 1987 /* Check we have enough room for signature algorithms and 1988 * following length value. 1989 */ 1990 if ((unsigned long)(p - d + llen + 2) > n) 1991 { 1992 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1993 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG); 1994 goto err; 1995 } 1996 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 1997 { 1998 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1999 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR); 2000 goto err; 2001 } 2002 p += llen; 2003 } 2004 2005 /* get the CA RDNs */ 2006 n2s(p,llen); 2007 #if 0 2008 { 2009 FILE *out; 2010 out=fopen("/tmp/vsign.der","w"); 2011 fwrite(p,1,llen,out); 2012 fclose(out); 2013 } 2014 #endif 2015 2016 if ((unsigned long)(p - d + llen) != n) 2017 { 2018 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2019 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 2020 goto err; 2021 } 2022 2023 for (nc=0; nc<llen; ) 2024 { 2025 n2s(p,l); 2026 if ((l+nc+2) > llen) 2027 { 2028 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 2029 goto cont; /* netscape bugs */ 2030 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2031 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 2032 goto err; 2033 } 2034 2035 q=p; 2036 2037 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 2038 { 2039 /* If netscape tolerance is on, ignore errors */ 2040 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 2041 goto cont; 2042 else 2043 { 2044 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2045 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 2046 goto err; 2047 } 2048 } 2049 2050 if (q != (p+l)) 2051 { 2052 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2053 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 2054 goto err; 2055 } 2056 if (!sk_X509_NAME_push(ca_sk,xn)) 2057 { 2058 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 2059 goto err; 2060 } 2061 2062 p+=l; 2063 nc+=l+2; 2064 } 2065 2066 if (0) 2067 { 2068 cont: 2069 ERR_clear_error(); 2070 } 2071 2072 /* we should setup a certificate to return.... */ 2073 s->s3->tmp.cert_req=1; 2074 s->s3->tmp.ctype_num=ctype_num; 2075 if (s->s3->tmp.ca_names != NULL) 2076 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 2077 s->s3->tmp.ca_names=ca_sk; 2078 ca_sk=NULL; 2079 2080 ret=1; 2081 err: 2082 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 2083 return(ret); 2084 } 2085 2086 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 2087 { 2088 return(X509_NAME_cmp(*a,*b)); 2089 } 2090 #ifndef OPENSSL_NO_TLSEXT 2091 int ssl3_get_new_session_ticket(SSL *s) 2092 { 2093 int ok,al,ret=0, ticklen; 2094 long n; 2095 const unsigned char *p; 2096 unsigned char *d; 2097 2098 n=s->method->ssl_get_message(s, 2099 SSL3_ST_CR_SESSION_TICKET_A, 2100 SSL3_ST_CR_SESSION_TICKET_B, 2101 -1, 2102 16384, 2103 &ok); 2104 2105 if (!ok) 2106 return((int)n); 2107 2108 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 2109 { 2110 s->s3->tmp.reuse_message=1; 2111 return(1); 2112 } 2113 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 2114 { 2115 al=SSL_AD_UNEXPECTED_MESSAGE; 2116 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); 2117 goto f_err; 2118 } 2119 if (n < 6) 2120 { 2121 /* need at least ticket_lifetime_hint + ticket length */ 2122 al = SSL_AD_DECODE_ERROR; 2123 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2124 goto f_err; 2125 } 2126 2127 p=d=(unsigned char *)s->init_msg; 2128 n2l(p, s->session->tlsext_tick_lifetime_hint); 2129 n2s(p, ticklen); 2130 /* ticket_lifetime_hint + ticket_length + ticket */ 2131 if (ticklen + 6 != n) 2132 { 2133 al = SSL_AD_DECODE_ERROR; 2134 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 2135 goto f_err; 2136 } 2137 if (s->session->tlsext_tick) 2138 { 2139 OPENSSL_free(s->session->tlsext_tick); 2140 s->session->tlsext_ticklen = 0; 2141 } 2142 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 2143 if (!s->session->tlsext_tick) 2144 { 2145 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); 2146 goto err; 2147 } 2148 memcpy(s->session->tlsext_tick, p, ticklen); 2149 s->session->tlsext_ticklen = ticklen; 2150 /* There are two ways to detect a resumed ticket sesion. 2151 * One is to set an appropriate session ID and then the server 2152 * must return a match in ServerHello. This allows the normal 2153 * client session ID matching to work and we know much 2154 * earlier that the ticket has been accepted. 2155 * 2156 * The other way is to set zero length session ID when the 2157 * ticket is presented and rely on the handshake to determine 2158 * session resumption. 2159 * 2160 * We choose the former approach because this fits in with 2161 * assumptions elsewhere in OpenSSL. The session ID is set 2162 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 2163 * ticket. 2164 */ 2165 EVP_Digest(p, ticklen, 2166 s->session->session_id, &s->session->session_id_length, 2167 #ifndef OPENSSL_NO_SHA256 2168 EVP_sha256(), NULL); 2169 #else 2170 EVP_sha1(), NULL); 2171 #endif 2172 ret=1; 2173 return(ret); 2174 f_err: 2175 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2176 err: 2177 return(-1); 2178 } 2179 2180 int ssl3_get_cert_status(SSL *s) 2181 { 2182 int ok, al; 2183 unsigned long resplen,n; 2184 const unsigned char *p; 2185 2186 n=s->method->ssl_get_message(s, 2187 SSL3_ST_CR_CERT_STATUS_A, 2188 SSL3_ST_CR_CERT_STATUS_B, 2189 SSL3_MT_CERTIFICATE_STATUS, 2190 16384, 2191 &ok); 2192 2193 if (!ok) return((int)n); 2194 if (n < 4) 2195 { 2196 /* need at least status type + length */ 2197 al = SSL_AD_DECODE_ERROR; 2198 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2199 goto f_err; 2200 } 2201 p = (unsigned char *)s->init_msg; 2202 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 2203 { 2204 al = SSL_AD_DECODE_ERROR; 2205 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 2206 goto f_err; 2207 } 2208 n2l3(p, resplen); 2209 if (resplen + 4 != n) 2210 { 2211 al = SSL_AD_DECODE_ERROR; 2212 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2213 goto f_err; 2214 } 2215 if (s->tlsext_ocsp_resp) 2216 OPENSSL_free(s->tlsext_ocsp_resp); 2217 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2218 if (!s->tlsext_ocsp_resp) 2219 { 2220 al = SSL_AD_INTERNAL_ERROR; 2221 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2222 goto f_err; 2223 } 2224 s->tlsext_ocsp_resplen = resplen; 2225 if (s->ctx->tlsext_status_cb) 2226 { 2227 int ret; 2228 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2229 if (ret == 0) 2230 { 2231 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2232 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2233 goto f_err; 2234 } 2235 if (ret < 0) 2236 { 2237 al = SSL_AD_INTERNAL_ERROR; 2238 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2239 goto f_err; 2240 } 2241 } 2242 return 1; 2243 f_err: 2244 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2245 return(-1); 2246 } 2247 #endif 2248 2249 int ssl3_get_server_done(SSL *s) 2250 { 2251 int ok,ret=0; 2252 long n; 2253 2254 n=s->method->ssl_get_message(s, 2255 SSL3_ST_CR_SRVR_DONE_A, 2256 SSL3_ST_CR_SRVR_DONE_B, 2257 SSL3_MT_SERVER_DONE, 2258 30, /* should be very small, like 0 :-) */ 2259 &ok); 2260 2261 if (!ok) return((int)n); 2262 if (n > 0) 2263 { 2264 /* should contain no data */ 2265 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2266 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2267 return -1; 2268 } 2269 ret=1; 2270 return(ret); 2271 } 2272 2273 2274 int ssl3_send_client_key_exchange(SSL *s) 2275 { 2276 unsigned char *p,*d; 2277 int n; 2278 unsigned long alg_k; 2279 #ifndef OPENSSL_NO_RSA 2280 unsigned char *q; 2281 EVP_PKEY *pkey=NULL; 2282 #endif 2283 #ifndef OPENSSL_NO_KRB5 2284 KSSL_ERR kssl_err; 2285 #endif /* OPENSSL_NO_KRB5 */ 2286 #ifndef OPENSSL_NO_ECDH 2287 EC_KEY *clnt_ecdh = NULL; 2288 const EC_POINT *srvr_ecpoint = NULL; 2289 EVP_PKEY *srvr_pub_pkey = NULL; 2290 unsigned char *encodedPoint = NULL; 2291 int encoded_pt_len = 0; 2292 BN_CTX * bn_ctx = NULL; 2293 #endif 2294 2295 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 2296 { 2297 d=(unsigned char *)s->init_buf->data; 2298 p= &(d[4]); 2299 2300 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2301 2302 /* Fool emacs indentation */ 2303 if (0) {} 2304 #ifndef OPENSSL_NO_RSA 2305 else if (alg_k & SSL_kRSA) 2306 { 2307 RSA *rsa; 2308 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2309 2310 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2311 rsa=s->session->sess_cert->peer_rsa_tmp; 2312 else 2313 { 2314 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 2315 if ((pkey == NULL) || 2316 (pkey->type != EVP_PKEY_RSA) || 2317 (pkey->pkey.rsa == NULL)) 2318 { 2319 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2320 goto err; 2321 } 2322 rsa=pkey->pkey.rsa; 2323 EVP_PKEY_free(pkey); 2324 } 2325 2326 tmp_buf[0]=s->client_version>>8; 2327 tmp_buf[1]=s->client_version&0xff; 2328 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2329 goto err; 2330 2331 s->session->master_key_length=sizeof tmp_buf; 2332 2333 q=p; 2334 /* Fix buf for TLS and beyond */ 2335 if (s->version > SSL3_VERSION) 2336 p+=2; 2337 n=RSA_public_encrypt(sizeof tmp_buf, 2338 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2339 #ifdef PKCS1_CHECK 2340 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2341 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2342 #endif 2343 if (n <= 0) 2344 { 2345 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 2346 goto err; 2347 } 2348 2349 /* Fix buf for TLS and beyond */ 2350 if (s->version > SSL3_VERSION) 2351 { 2352 s2n(n,q); 2353 n+=2; 2354 } 2355 2356 s->session->master_key_length= 2357 s->method->ssl3_enc->generate_master_secret(s, 2358 s->session->master_key, 2359 tmp_buf,sizeof tmp_buf); 2360 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 2361 } 2362 #endif 2363 #ifndef OPENSSL_NO_KRB5 2364 else if (alg_k & SSL_kKRB5) 2365 { 2366 krb5_error_code krb5rc; 2367 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2368 /* krb5_data krb5_ap_req; */ 2369 krb5_data *enc_ticket; 2370 krb5_data authenticator, *authp = NULL; 2371 EVP_CIPHER_CTX ciph_ctx; 2372 const EVP_CIPHER *enc = NULL; 2373 unsigned char iv[EVP_MAX_IV_LENGTH]; 2374 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2375 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2376 + EVP_MAX_IV_LENGTH]; 2377 int padl, outl = sizeof(epms); 2378 2379 EVP_CIPHER_CTX_init(&ciph_ctx); 2380 2381 #ifdef KSSL_DEBUG 2382 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2383 alg_k, SSL_kKRB5); 2384 #endif /* KSSL_DEBUG */ 2385 2386 authp = NULL; 2387 #ifdef KRB5SENDAUTH 2388 if (KRB5SENDAUTH) authp = &authenticator; 2389 #endif /* KRB5SENDAUTH */ 2390 2391 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2392 &kssl_err); 2393 enc = kssl_map_enc(kssl_ctx->enctype); 2394 if (enc == NULL) 2395 goto err; 2396 #ifdef KSSL_DEBUG 2397 { 2398 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2399 if (krb5rc && kssl_err.text) 2400 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2401 } 2402 #endif /* KSSL_DEBUG */ 2403 2404 if (krb5rc) 2405 { 2406 ssl3_send_alert(s,SSL3_AL_FATAL, 2407 SSL_AD_HANDSHAKE_FAILURE); 2408 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2409 kssl_err.reason); 2410 goto err; 2411 } 2412 2413 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2414 ** in place of RFC 2712 KerberosWrapper, as in: 2415 ** 2416 ** Send ticket (copy to *p, set n = length) 2417 ** n = krb5_ap_req.length; 2418 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2419 ** if (krb5_ap_req.data) 2420 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2421 ** 2422 ** Now using real RFC 2712 KerberosWrapper 2423 ** (Thanks to Simon Wilkinson <sxw (at) sxw.org.uk>) 2424 ** Note: 2712 "opaque" types are here replaced 2425 ** with a 2-byte length followed by the value. 2426 ** Example: 2427 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2428 ** Where "xx xx" = length bytes. Shown here with 2429 ** optional authenticator omitted. 2430 */ 2431 2432 /* KerberosWrapper.Ticket */ 2433 s2n(enc_ticket->length,p); 2434 memcpy(p, enc_ticket->data, enc_ticket->length); 2435 p+= enc_ticket->length; 2436 n = enc_ticket->length + 2; 2437 2438 /* KerberosWrapper.Authenticator */ 2439 if (authp && authp->length) 2440 { 2441 s2n(authp->length,p); 2442 memcpy(p, authp->data, authp->length); 2443 p+= authp->length; 2444 n+= authp->length + 2; 2445 2446 free(authp->data); 2447 authp->data = NULL; 2448 authp->length = 0; 2449 } 2450 else 2451 { 2452 s2n(0,p);/* null authenticator length */ 2453 n+=2; 2454 } 2455 2456 tmp_buf[0]=s->client_version>>8; 2457 tmp_buf[1]=s->client_version&0xff; 2458 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2459 goto err; 2460 2461 /* 20010420 VRS. Tried it this way; failed. 2462 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2463 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2464 ** kssl_ctx->length); 2465 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2466 */ 2467 2468 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2469 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2470 kssl_ctx->key,iv); 2471 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2472 sizeof tmp_buf); 2473 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2474 outl += padl; 2475 if (outl > (int)sizeof epms) 2476 { 2477 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2478 goto err; 2479 } 2480 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2481 2482 /* KerberosWrapper.EncryptedPreMasterSecret */ 2483 s2n(outl,p); 2484 memcpy(p, epms, outl); 2485 p+=outl; 2486 n+=outl + 2; 2487 2488 s->session->master_key_length= 2489 s->method->ssl3_enc->generate_master_secret(s, 2490 s->session->master_key, 2491 tmp_buf, sizeof tmp_buf); 2492 2493 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2494 OPENSSL_cleanse(epms, outl); 2495 } 2496 #endif 2497 #ifndef OPENSSL_NO_DH 2498 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2499 { 2500 DH *dh_srvr,*dh_clnt; 2501 2502 if (s->session->sess_cert == NULL) 2503 { 2504 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2505 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2506 goto err; 2507 } 2508 2509 if (s->session->sess_cert->peer_dh_tmp != NULL) 2510 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2511 else 2512 { 2513 /* we get them from the cert */ 2514 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2515 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2516 goto err; 2517 } 2518 2519 /* generate a new random key */ 2520 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2521 { 2522 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2523 goto err; 2524 } 2525 if (!DH_generate_key(dh_clnt)) 2526 { 2527 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2528 DH_free(dh_clnt); 2529 goto err; 2530 } 2531 2532 /* use the 'p' output buffer for the DH key, but 2533 * make sure to clear it out afterwards */ 2534 2535 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2536 2537 if (n <= 0) 2538 { 2539 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2540 DH_free(dh_clnt); 2541 goto err; 2542 } 2543 2544 /* generate master key from the result */ 2545 s->session->master_key_length= 2546 s->method->ssl3_enc->generate_master_secret(s, 2547 s->session->master_key,p,n); 2548 /* clean up */ 2549 memset(p,0,n); 2550 2551 /* send off the data */ 2552 n=BN_num_bytes(dh_clnt->pub_key); 2553 s2n(n,p); 2554 BN_bn2bin(dh_clnt->pub_key,p); 2555 n+=2; 2556 2557 DH_free(dh_clnt); 2558 2559 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2560 } 2561 #endif 2562 2563 #ifndef OPENSSL_NO_ECDH 2564 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2565 { 2566 const EC_GROUP *srvr_group = NULL; 2567 EC_KEY *tkey; 2568 int ecdh_clnt_cert = 0; 2569 int field_size = 0; 2570 2571 /* Did we send out the client's 2572 * ECDH share for use in premaster 2573 * computation as part of client certificate? 2574 * If so, set ecdh_clnt_cert to 1. 2575 */ 2576 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2577 { 2578 /* XXX: For now, we do not support client 2579 * authentication using ECDH certificates. 2580 * To add such support, one needs to add 2581 * code that checks for appropriate 2582 * conditions and sets ecdh_clnt_cert to 1. 2583 * For example, the cert have an ECC 2584 * key on the same curve as the server's 2585 * and the key should be authorized for 2586 * key agreement. 2587 * 2588 * One also needs to add code in ssl3_connect 2589 * to skip sending the certificate verify 2590 * message. 2591 * 2592 * if ((s->cert->key->privatekey != NULL) && 2593 * (s->cert->key->privatekey->type == 2594 * EVP_PKEY_EC) && ...) 2595 * ecdh_clnt_cert = 1; 2596 */ 2597 } 2598 2599 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2600 { 2601 tkey = s->session->sess_cert->peer_ecdh_tmp; 2602 } 2603 else 2604 { 2605 /* Get the Server Public Key from Cert */ 2606 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2607 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2608 if ((srvr_pub_pkey == NULL) || 2609 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2610 (srvr_pub_pkey->pkey.ec == NULL)) 2611 { 2612 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2613 ERR_R_INTERNAL_ERROR); 2614 goto err; 2615 } 2616 2617 tkey = srvr_pub_pkey->pkey.ec; 2618 } 2619 2620 srvr_group = EC_KEY_get0_group(tkey); 2621 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2622 2623 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2624 { 2625 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2626 ERR_R_INTERNAL_ERROR); 2627 goto err; 2628 } 2629 2630 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2631 { 2632 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2633 goto err; 2634 } 2635 2636 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2637 { 2638 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2639 goto err; 2640 } 2641 if (ecdh_clnt_cert) 2642 { 2643 /* Reuse key info from our certificate 2644 * We only need our private key to perform 2645 * the ECDH computation. 2646 */ 2647 const BIGNUM *priv_key; 2648 tkey = s->cert->key->privatekey->pkey.ec; 2649 priv_key = EC_KEY_get0_private_key(tkey); 2650 if (priv_key == NULL) 2651 { 2652 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2653 goto err; 2654 } 2655 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2656 { 2657 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2658 goto err; 2659 } 2660 } 2661 else 2662 { 2663 /* Generate a new ECDH key pair */ 2664 if (!(EC_KEY_generate_key(clnt_ecdh))) 2665 { 2666 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2667 goto err; 2668 } 2669 } 2670 2671 /* use the 'p' output buffer for the ECDH key, but 2672 * make sure to clear it out afterwards 2673 */ 2674 2675 field_size = EC_GROUP_get_degree(srvr_group); 2676 if (field_size <= 0) 2677 { 2678 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2679 ERR_R_ECDH_LIB); 2680 goto err; 2681 } 2682 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2683 if (n <= 0) 2684 { 2685 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2686 ERR_R_ECDH_LIB); 2687 goto err; 2688 } 2689 2690 /* generate master key from the result */ 2691 s->session->master_key_length = s->method->ssl3_enc \ 2692 -> generate_master_secret(s, 2693 s->session->master_key, 2694 p, n); 2695 2696 memset(p, 0, n); /* clean up */ 2697 2698 if (ecdh_clnt_cert) 2699 { 2700 /* Send empty client key exch message */ 2701 n = 0; 2702 } 2703 else 2704 { 2705 /* First check the size of encoding and 2706 * allocate memory accordingly. 2707 */ 2708 encoded_pt_len = 2709 EC_POINT_point2oct(srvr_group, 2710 EC_KEY_get0_public_key(clnt_ecdh), 2711 POINT_CONVERSION_UNCOMPRESSED, 2712 NULL, 0, NULL); 2713 2714 encodedPoint = (unsigned char *) 2715 OPENSSL_malloc(encoded_pt_len * 2716 sizeof(unsigned char)); 2717 bn_ctx = BN_CTX_new(); 2718 if ((encodedPoint == NULL) || 2719 (bn_ctx == NULL)) 2720 { 2721 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2722 goto err; 2723 } 2724 2725 /* Encode the public key */ 2726 n = EC_POINT_point2oct(srvr_group, 2727 EC_KEY_get0_public_key(clnt_ecdh), 2728 POINT_CONVERSION_UNCOMPRESSED, 2729 encodedPoint, encoded_pt_len, bn_ctx); 2730 2731 *p = n; /* length of encoded point */ 2732 /* Encoded point will be copied here */ 2733 p += 1; 2734 /* copy the point */ 2735 memcpy((unsigned char *)p, encodedPoint, n); 2736 /* increment n to account for length field */ 2737 n += 1; 2738 } 2739 2740 /* Free allocated memory */ 2741 BN_CTX_free(bn_ctx); 2742 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2743 if (clnt_ecdh != NULL) 2744 EC_KEY_free(clnt_ecdh); 2745 EVP_PKEY_free(srvr_pub_pkey); 2746 } 2747 #endif /* !OPENSSL_NO_ECDH */ 2748 else if (alg_k & SSL_kGOST) 2749 { 2750 /* GOST key exchange message creation */ 2751 EVP_PKEY_CTX *pkey_ctx; 2752 X509 *peer_cert; 2753 size_t msglen; 2754 unsigned int md_len; 2755 int keytype; 2756 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2757 EVP_MD_CTX *ukm_hash; 2758 EVP_PKEY *pub_key; 2759 2760 /* Get server sertificate PKEY and create ctx from it */ 2761 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2762 if (!peer_cert) 2763 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2764 if (!peer_cert) { 2765 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2766 goto err; 2767 } 2768 2769 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2770 /* If we have send a certificate, and certificate key 2771 2772 * parameters match those of server certificate, use 2773 * certificate key for key exchange 2774 */ 2775 2776 /* Otherwise, generate ephemeral key pair */ 2777 2778 EVP_PKEY_encrypt_init(pkey_ctx); 2779 /* Generate session key */ 2780 RAND_bytes(premaster_secret,32); 2781 /* If we have client certificate, use its secret as peer key */ 2782 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2783 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2784 /* If there was an error - just ignore it. Ephemeral key 2785 * would be used 2786 */ 2787 ERR_clear_error(); 2788 } 2789 } 2790 /* Compute shared IV and store it in algorithm-specific 2791 * context data */ 2792 ukm_hash = EVP_MD_CTX_create(); 2793 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2794 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2795 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2796 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2797 EVP_MD_CTX_destroy(ukm_hash); 2798 if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2799 8,shared_ukm)<0) { 2800 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2801 SSL_R_LIBRARY_BUG); 2802 goto err; 2803 } 2804 /* Make GOST keytransport blob message */ 2805 /*Encapsulate it into sequence */ 2806 *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2807 msglen=255; 2808 if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2809 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2810 SSL_R_LIBRARY_BUG); 2811 goto err; 2812 } 2813 if (msglen >= 0x80) 2814 { 2815 *(p++)=0x81; 2816 *(p++)= msglen & 0xff; 2817 n=msglen+3; 2818 } 2819 else 2820 { 2821 *(p++)= msglen & 0xff; 2822 n=msglen+2; 2823 } 2824 memcpy(p, tmp, msglen); 2825 /* Check if pubkey from client certificate was used */ 2826 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2827 { 2828 /* Set flag "skip certificate verify" */ 2829 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2830 } 2831 EVP_PKEY_CTX_free(pkey_ctx); 2832 s->session->master_key_length= 2833 s->method->ssl3_enc->generate_master_secret(s, 2834 s->session->master_key,premaster_secret,32); 2835 EVP_PKEY_free(pub_key); 2836 2837 } 2838 #ifndef OPENSSL_NO_SRP 2839 else if (alg_k & SSL_kSRP) 2840 { 2841 if (s->srp_ctx.A != NULL) 2842 { 2843 /* send off the data */ 2844 n=BN_num_bytes(s->srp_ctx.A); 2845 s2n(n,p); 2846 BN_bn2bin(s->srp_ctx.A,p); 2847 n+=2; 2848 } 2849 else 2850 { 2851 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2852 goto err; 2853 } 2854 if (s->session->srp_username != NULL) 2855 OPENSSL_free(s->session->srp_username); 2856 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2857 if (s->session->srp_username == NULL) 2858 { 2859 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2860 ERR_R_MALLOC_FAILURE); 2861 goto err; 2862 } 2863 2864 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 2865 { 2866 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2867 goto err; 2868 } 2869 } 2870 #endif 2871 #ifndef OPENSSL_NO_PSK 2872 else if (alg_k & SSL_kPSK) 2873 { 2874 char identity[PSK_MAX_IDENTITY_LEN]; 2875 unsigned char *t = NULL; 2876 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2877 unsigned int pre_ms_len = 0, psk_len = 0; 2878 int psk_err = 1; 2879 2880 n = 0; 2881 if (s->psk_client_callback == NULL) 2882 { 2883 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2884 SSL_R_PSK_NO_CLIENT_CB); 2885 goto err; 2886 } 2887 2888 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2889 identity, PSK_MAX_IDENTITY_LEN, 2890 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2891 if (psk_len > PSK_MAX_PSK_LEN) 2892 { 2893 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2894 ERR_R_INTERNAL_ERROR); 2895 goto psk_err; 2896 } 2897 else if (psk_len == 0) 2898 { 2899 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2900 SSL_R_PSK_IDENTITY_NOT_FOUND); 2901 goto psk_err; 2902 } 2903 2904 /* create PSK pre_master_secret */ 2905 pre_ms_len = 2+psk_len+2+psk_len; 2906 t = psk_or_pre_ms; 2907 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2908 s2n(psk_len, t); 2909 memset(t, 0, psk_len); 2910 t+=psk_len; 2911 s2n(psk_len, t); 2912 2913 if (s->session->psk_identity_hint != NULL) 2914 OPENSSL_free(s->session->psk_identity_hint); 2915 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2916 if (s->ctx->psk_identity_hint != NULL && 2917 s->session->psk_identity_hint == NULL) 2918 { 2919 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2920 ERR_R_MALLOC_FAILURE); 2921 goto psk_err; 2922 } 2923 2924 if (s->session->psk_identity != NULL) 2925 OPENSSL_free(s->session->psk_identity); 2926 s->session->psk_identity = BUF_strdup(identity); 2927 if (s->session->psk_identity == NULL) 2928 { 2929 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2930 ERR_R_MALLOC_FAILURE); 2931 goto psk_err; 2932 } 2933 2934 s->session->master_key_length = 2935 s->method->ssl3_enc->generate_master_secret(s, 2936 s->session->master_key, 2937 psk_or_pre_ms, pre_ms_len); 2938 n = strlen(identity); 2939 s2n(n, p); 2940 memcpy(p, identity, n); 2941 n+=2; 2942 psk_err = 0; 2943 psk_err: 2944 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2945 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2946 if (psk_err != 0) 2947 { 2948 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2949 goto err; 2950 } 2951 } 2952 #endif 2953 else 2954 { 2955 ssl3_send_alert(s, SSL3_AL_FATAL, 2956 SSL_AD_HANDSHAKE_FAILURE); 2957 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2958 ERR_R_INTERNAL_ERROR); 2959 goto err; 2960 } 2961 2962 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 2963 l2n3(n,d); 2964 2965 s->state=SSL3_ST_CW_KEY_EXCH_B; 2966 /* number of bytes to write */ 2967 s->init_num=n+4; 2968 s->init_off=0; 2969 } 2970 2971 /* SSL3_ST_CW_KEY_EXCH_B */ 2972 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2973 err: 2974 #ifndef OPENSSL_NO_ECDH 2975 BN_CTX_free(bn_ctx); 2976 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2977 if (clnt_ecdh != NULL) 2978 EC_KEY_free(clnt_ecdh); 2979 EVP_PKEY_free(srvr_pub_pkey); 2980 #endif 2981 return(-1); 2982 } 2983 2984 int ssl3_send_client_verify(SSL *s) 2985 { 2986 unsigned char *p,*d; 2987 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2988 EVP_PKEY *pkey; 2989 EVP_PKEY_CTX *pctx=NULL; 2990 EVP_MD_CTX mctx; 2991 unsigned u=0; 2992 unsigned long n; 2993 int j; 2994 2995 EVP_MD_CTX_init(&mctx); 2996 2997 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2998 { 2999 d=(unsigned char *)s->init_buf->data; 3000 p= &(d[4]); 3001 pkey=s->cert->key->privatekey; 3002 /* Create context from key and test if sha1 is allowed as digest */ 3003 pctx = EVP_PKEY_CTX_new(pkey,NULL); 3004 EVP_PKEY_sign_init(pctx); 3005 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 3006 { 3007 if (TLS1_get_version(s) < TLS1_2_VERSION) 3008 s->method->ssl3_enc->cert_verify_mac(s, 3009 NID_sha1, 3010 &(data[MD5_DIGEST_LENGTH])); 3011 } 3012 else 3013 { 3014 ERR_clear_error(); 3015 } 3016 /* For TLS v1.2 send signature algorithm and signature 3017 * using agreed digest and cached handshake records. 3018 */ 3019 if (TLS1_get_version(s) >= TLS1_2_VERSION) 3020 { 3021 long hdatalen = 0; 3022 void *hdata; 3023 const EVP_MD *md = s->cert->key->digest; 3024 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 3025 &hdata); 3026 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 3027 { 3028 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3029 ERR_R_INTERNAL_ERROR); 3030 goto err; 3031 } 3032 p += 2; 3033 #ifdef SSL_DEBUG 3034 fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 3035 EVP_MD_name(md)); 3036 #endif 3037 if (!EVP_SignInit_ex(&mctx, md, NULL) 3038 || !EVP_SignUpdate(&mctx, hdata, hdatalen) 3039 || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 3040 { 3041 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3042 ERR_R_EVP_LIB); 3043 goto err; 3044 } 3045 s2n(u,p); 3046 n = u + 4; 3047 if (!ssl3_digest_cached_records(s)) 3048 goto err; 3049 } 3050 else 3051 #ifndef OPENSSL_NO_RSA 3052 if (pkey->type == EVP_PKEY_RSA) 3053 { 3054 s->method->ssl3_enc->cert_verify_mac(s, 3055 NID_md5, 3056 &(data[0])); 3057 if (RSA_sign(NID_md5_sha1, data, 3058 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 3059 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 3060 { 3061 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 3062 goto err; 3063 } 3064 s2n(u,p); 3065 n=u+2; 3066 } 3067 else 3068 #endif 3069 #ifndef OPENSSL_NO_DSA 3070 if (pkey->type == EVP_PKEY_DSA) 3071 { 3072 if (!DSA_sign(pkey->save_type, 3073 &(data[MD5_DIGEST_LENGTH]), 3074 SHA_DIGEST_LENGTH,&(p[2]), 3075 (unsigned int *)&j,pkey->pkey.dsa)) 3076 { 3077 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 3078 goto err; 3079 } 3080 s2n(j,p); 3081 n=j+2; 3082 } 3083 else 3084 #endif 3085 #ifndef OPENSSL_NO_ECDSA 3086 if (pkey->type == EVP_PKEY_EC) 3087 { 3088 if (!ECDSA_sign(pkey->save_type, 3089 &(data[MD5_DIGEST_LENGTH]), 3090 SHA_DIGEST_LENGTH,&(p[2]), 3091 (unsigned int *)&j,pkey->pkey.ec)) 3092 { 3093 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3094 ERR_R_ECDSA_LIB); 3095 goto err; 3096 } 3097 s2n(j,p); 3098 n=j+2; 3099 } 3100 else 3101 #endif 3102 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 3103 { 3104 unsigned char signbuf[64]; 3105 int i; 3106 size_t sigsize=64; 3107 s->method->ssl3_enc->cert_verify_mac(s, 3108 NID_id_GostR3411_94, 3109 data); 3110 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 3111 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 3112 ERR_R_INTERNAL_ERROR); 3113 goto err; 3114 } 3115 for (i=63,j=0; i>=0; j++, i--) { 3116 p[2+j]=signbuf[i]; 3117 } 3118 s2n(j,p); 3119 n=j+2; 3120 } 3121 else 3122 { 3123 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 3124 goto err; 3125 } 3126 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 3127 l2n3(n,d); 3128 3129 s->state=SSL3_ST_CW_CERT_VRFY_B; 3130 s->init_num=(int)n+4; 3131 s->init_off=0; 3132 } 3133 EVP_MD_CTX_cleanup(&mctx); 3134 EVP_PKEY_CTX_free(pctx); 3135 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3136 err: 3137 EVP_MD_CTX_cleanup(&mctx); 3138 EVP_PKEY_CTX_free(pctx); 3139 return(-1); 3140 } 3141 3142 int ssl3_send_client_certificate(SSL *s) 3143 { 3144 X509 *x509=NULL; 3145 EVP_PKEY *pkey=NULL; 3146 int i; 3147 unsigned long l; 3148 3149 if (s->state == SSL3_ST_CW_CERT_A) 3150 { 3151 if ((s->cert == NULL) || 3152 (s->cert->key->x509 == NULL) || 3153 (s->cert->key->privatekey == NULL)) 3154 s->state=SSL3_ST_CW_CERT_B; 3155 else 3156 s->state=SSL3_ST_CW_CERT_C; 3157 } 3158 3159 /* We need to get a client cert */ 3160 if (s->state == SSL3_ST_CW_CERT_B) 3161 { 3162 /* If we get an error, we need to 3163 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 3164 * We then get retied later */ 3165 i=0; 3166 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3167 if (i < 0) 3168 { 3169 s->rwstate=SSL_X509_LOOKUP; 3170 return(-1); 3171 } 3172 s->rwstate=SSL_NOTHING; 3173 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 3174 { 3175 s->state=SSL3_ST_CW_CERT_B; 3176 if ( !SSL_use_certificate(s,x509) || 3177 !SSL_use_PrivateKey(s,pkey)) 3178 i=0; 3179 } 3180 else if (i == 1) 3181 { 3182 i=0; 3183 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3184 } 3185 3186 if (x509 != NULL) X509_free(x509); 3187 if (pkey != NULL) EVP_PKEY_free(pkey); 3188 if (i == 0) 3189 { 3190 if (s->version == SSL3_VERSION) 3191 { 3192 s->s3->tmp.cert_req=0; 3193 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 3194 return(1); 3195 } 3196 else 3197 { 3198 s->s3->tmp.cert_req=2; 3199 } 3200 } 3201 3202 /* Ok, we have a cert */ 3203 s->state=SSL3_ST_CW_CERT_C; 3204 } 3205 3206 if (s->state == SSL3_ST_CW_CERT_C) 3207 { 3208 s->state=SSL3_ST_CW_CERT_D; 3209 l=ssl3_output_cert_chain(s, 3210 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 3211 s->init_num=(int)l; 3212 s->init_off=0; 3213 } 3214 /* SSL3_ST_CW_CERT_D */ 3215 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3216 } 3217 3218 #define has_bits(i,m) (((i)&(m)) == (m)) 3219 3220 int ssl3_check_cert_and_algorithm(SSL *s) 3221 { 3222 int i,idx; 3223 long alg_k,alg_a; 3224 EVP_PKEY *pkey=NULL; 3225 SESS_CERT *sc; 3226 #ifndef OPENSSL_NO_RSA 3227 RSA *rsa; 3228 #endif 3229 #ifndef OPENSSL_NO_DH 3230 DH *dh; 3231 #endif 3232 3233 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 3234 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 3235 3236 /* we don't have a certificate */ 3237 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 3238 return(1); 3239 3240 sc=s->session->sess_cert; 3241 if (sc == NULL) 3242 { 3243 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); 3244 goto err; 3245 } 3246 3247 #ifndef OPENSSL_NO_RSA 3248 rsa=s->session->sess_cert->peer_rsa_tmp; 3249 #endif 3250 #ifndef OPENSSL_NO_DH 3251 dh=s->session->sess_cert->peer_dh_tmp; 3252 #endif 3253 3254 /* This is the passed certificate */ 3255 3256 idx=sc->peer_cert_type; 3257 #ifndef OPENSSL_NO_ECDH 3258 if (idx == SSL_PKEY_ECC) 3259 { 3260 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 3261 s) == 0) 3262 { /* check failed */ 3263 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 3264 goto f_err; 3265 } 3266 else 3267 { 3268 return 1; 3269 } 3270 } 3271 #endif 3272 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 3273 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 3274 EVP_PKEY_free(pkey); 3275 3276 3277 /* Check that we have a certificate if we require one */ 3278 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 3279 { 3280 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); 3281 goto f_err; 3282 } 3283 #ifndef OPENSSL_NO_DSA 3284 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 3285 { 3286 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); 3287 goto f_err; 3288 } 3289 #endif 3290 #ifndef OPENSSL_NO_RSA 3291 if ((alg_k & SSL_kRSA) && 3292 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 3293 { 3294 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3295 goto f_err; 3296 } 3297 #endif 3298 #ifndef OPENSSL_NO_DH 3299 if ((alg_k & SSL_kEDH) && 3300 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 3301 { 3302 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); 3303 goto f_err; 3304 } 3305 else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 3306 { 3307 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); 3308 goto f_err; 3309 } 3310 #ifndef OPENSSL_NO_DSA 3311 else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 3312 { 3313 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); 3314 goto f_err; 3315 } 3316 #endif 3317 #endif 3318 3319 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 3320 { 3321 #ifndef OPENSSL_NO_RSA 3322 if (alg_k & SSL_kRSA) 3323 { 3324 if (rsa == NULL 3325 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3326 { 3327 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 3328 goto f_err; 3329 } 3330 } 3331 else 3332 #endif 3333 #ifndef OPENSSL_NO_DH 3334 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 3335 { 3336 if (dh == NULL 3337 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3338 { 3339 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); 3340 goto f_err; 3341 } 3342 } 3343 else 3344 #endif 3345 { 3346 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 3347 goto f_err; 3348 } 3349 } 3350 return(1); 3351 f_err: 3352 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 3353 err: 3354 return(0); 3355 } 3356 3357 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 3358 int ssl3_send_next_proto(SSL *s) 3359 { 3360 unsigned int len, padding_len; 3361 unsigned char *d; 3362 3363 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3364 { 3365 len = s->next_proto_negotiated_len; 3366 padding_len = 32 - ((len + 2) % 32); 3367 d = (unsigned char *)s->init_buf->data; 3368 d[4] = len; 3369 memcpy(d + 5, s->next_proto_negotiated, len); 3370 d[5 + len] = padding_len; 3371 memset(d + 6 + len, 0, padding_len); 3372 *(d++)=SSL3_MT_NEXT_PROTO; 3373 l2n3(2 + len + padding_len, d); 3374 s->state = SSL3_ST_CW_NEXT_PROTO_B; 3375 s->init_num = 4 + 2 + len + padding_len; 3376 s->init_off = 0; 3377 } 3378 3379 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3380 } 3381 #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 3382 3383 /* Check to see if handshake is full or resumed. Usually this is just a 3384 * case of checking to see if a cache hit has occurred. In the case of 3385 * session tickets we have to check the next message to be sure. 3386 */ 3387 3388 #ifndef OPENSSL_NO_TLSEXT 3389 int ssl3_check_finished(SSL *s) 3390 { 3391 int ok; 3392 long n; 3393 /* If we have no ticket it cannot be a resumed session. */ 3394 if (!s->session->tlsext_tick) 3395 return 1; 3396 /* this function is called when we really expect a Certificate 3397 * message, so permit appropriate message length */ 3398 n=s->method->ssl_get_message(s, 3399 SSL3_ST_CR_CERT_A, 3400 SSL3_ST_CR_CERT_B, 3401 -1, 3402 s->max_cert_list, 3403 &ok); 3404 if (!ok) return((int)n); 3405 s->s3->tmp.reuse_message = 1; 3406 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3407 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3408 return 2; 3409 3410 return 1; 3411 } 3412 #endif 3413 3414 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3415 { 3416 int i = 0; 3417 #ifndef OPENSSL_NO_ENGINE 3418 if (s->ctx->client_cert_engine) 3419 { 3420 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3421 SSL_get_client_CA_list(s), 3422 px509, ppkey, NULL, NULL, NULL); 3423 if (i != 0) 3424 return i; 3425 } 3426 #endif 3427 if (s->ctx->client_cert_cb) 3428 i = s->ctx->client_cert_cb(s,px509,ppkey); 3429 return i; 3430 } 3431