Symaptic: os/ossrv/ssl/libssl/src/s3_clnt.c@bde4ae8d615e (annotated)

sl@0	1	/* ssl/s3_clnt.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58	/* ====================================================================
sl@0	59	* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
sl@0	60	*
sl@0	61	* Redistribution and use in source and binary forms, with or without
sl@0	62	* modification, are permitted provided that the following conditions
sl@0	63	* are met:
sl@0	64	*
sl@0	65	* 1. Redistributions of source code must retain the above copyright
sl@0	66	* notice, this list of conditions and the following disclaimer.
sl@0	67	*
sl@0	68	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	69	* notice, this list of conditions and the following disclaimer in
sl@0	70	* the documentation and/or other materials provided with the
sl@0	71	* distribution.
sl@0	72	*
sl@0	73	* 3. All advertising materials mentioning features or use of this
sl@0	74	* software must display the following acknowledgment:
sl@0	75	* "This product includes software developed by the OpenSSL Project
sl@0	76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
sl@0	77	*
sl@0	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	79	* endorse or promote products derived from this software without
sl@0	80	* prior written permission. For written permission, please contact
sl@0	81	* openssl-core@openssl.org.
sl@0	82	*
sl@0	83	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	84	* nor may "OpenSSL" appear in their names without prior written
sl@0	85	* permission of the OpenSSL Project.
sl@0	86	*
sl@0	87	* 6. Redistributions of any form whatsoever must retain the following
sl@0	88	* acknowledgment:
sl@0	89	* "This product includes software developed by the OpenSSL Project
sl@0	90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
sl@0	91	*
sl@0	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	104	* ====================================================================
sl@0	105	*
sl@0	106	* This product includes cryptographic software written by Eric Young
sl@0	107	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	108	* Hudson (tjh@cryptsoft.com).
sl@0	109	*
sl@0	110	*/
sl@0	111	/* ====================================================================
sl@0	112	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
sl@0	113	*
sl@0	114	* Portions of the attached software ("Contribution") are developed by
sl@0	115	* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
sl@0	116	*
sl@0	117	* The Contribution is licensed pursuant to the OpenSSL open source
sl@0	118	* license provided above.
sl@0	119	*
sl@0	120	* ECC cipher suite support in OpenSSL originally written by
sl@0	121	* Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
sl@0	122	*
sl@0	123	*/
sl@0	124	/*
sl@0	125	© Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
sl@0	126	*/
sl@0	127
sl@0	128	#include <stdio.h>
sl@0	129	#include "ssl_locl.h"
sl@0	130	#include "kssl_lcl.h"
sl@0	131	#include <openssl/buffer.h>
sl@0	132	#include <openssl/rand.h>
sl@0	133	#include <openssl/objects.h>
sl@0	134	#include <openssl/evp.h>
sl@0	135	#include <openssl/md5.h>
sl@0	136	#ifndef OPENSSL_NO_DH
sl@0	137	#include <openssl/dh.h>
sl@0	138	#endif
sl@0	139	#include <openssl/bn.h>
sl@0	140
sl@0	141
sl@0	142	#if (defined(SYMBIAN) && (defined(__WINSCW__) \|\| defined(__WINS__)))
sl@0	143	#include "libssl_wsd.h"
sl@0	144	#endif
sl@0	145
sl@0	146
sl@0	147	#ifdef EMULATOR
sl@0	148
sl@0	149	GET_STATIC_VAR_FROM_TLS(SSLv3_client_method_data,s3_clnt,SSL_METHOD)
sl@0	150
sl@0	151	#define SSLv3_client_method_data (*GET_WSD_VAR_NAME(SSLv3_client_method_data,s3_clnt,s)())
sl@0	152
sl@0	153	#endif
sl@0	154
sl@0	155	static SSL_METHOD *ssl3_get_client_method(int ver);
sl@0	156	static int ca_dn_cmp(const X509_NAME * const a,const X509_NAME const *b);
sl@0	157
sl@0	158	#ifndef OPENSSL_NO_ECDH
sl@0	159	static int curve_id2nid(int curve_id);
sl@0	160	int check_srvr_ecc_cert_and_alg(X509 x, SSL_CIPHER cs);
sl@0	161	#endif
sl@0	162
sl@0	163	static SSL_METHOD *ssl3_get_client_method(int ver)
sl@0	164	{
sl@0	165	if (ver == SSL3_VERSION)
sl@0	166	return(SSLv3_client_method());
sl@0	167	else
sl@0	168	return(NULL);
sl@0	169	}
sl@0	170
sl@0	171	EXPORT_C IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
sl@0	172	ssl_undefined_function,
sl@0	173	ssl3_connect,
sl@0	174	ssl3_get_client_method)
sl@0	175
sl@0	176	int ssl3_connect(SSL *s)
sl@0	177	{
sl@0	178	BUF_MEM *buf=NULL;
sl@0	179	unsigned long Time=(unsigned long)time(NULL),l;
sl@0	180	long num1;
sl@0	181	void (cb)(const SSL ssl,int type,int val)=NULL;
sl@0	182	int ret= -1;
sl@0	183	int new_state,state,skip=0;;
sl@0	184
sl@0	185	RAND_add(&Time,sizeof(Time),0);
sl@0	186	ERR_clear_error();
sl@0	187	clear_sys_error();
sl@0	188
sl@0	189	if (s->info_callback != NULL)
sl@0	190	cb=s->info_callback;
sl@0	191	else if (s->ctx->info_callback != NULL)
sl@0	192	cb=s->ctx->info_callback;
sl@0	193
sl@0	194	s->in_handshake++;
sl@0	195	if (!SSL_in_init(s) \|\| SSL_in_before(s)) SSL_clear(s);
sl@0	196
sl@0	197	for (;;)
sl@0	198	{
sl@0	199	state=s->state;
sl@0	200
sl@0	201	switch(s->state)
sl@0	202	{
sl@0	203	case SSL_ST_RENEGOTIATE:
sl@0	204	s->new_session=1;
sl@0	205	s->state=SSL_ST_CONNECT;
sl@0	206	s->ctx->stats.sess_connect_renegotiate++;
sl@0	207	/* break */
sl@0	208	case SSL_ST_BEFORE:
sl@0	209	case SSL_ST_CONNECT:
sl@0	210	case SSL_ST_BEFORE\|SSL_ST_CONNECT:
sl@0	211	case SSL_ST_OK\|SSL_ST_CONNECT:
sl@0	212
sl@0	213	s->server=0;
sl@0	214	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
sl@0	215
sl@0	216	if ((s->version & 0xff00 ) != 0x0300)
sl@0	217	{
sl@0	218	SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
sl@0	219	ret = -1;
sl@0	220	goto end;
sl@0	221	}
sl@0	222
sl@0	223	/* s->version=SSL3_VERSION; */
sl@0	224	s->type=SSL_ST_CONNECT;
sl@0	225
sl@0	226	if (s->init_buf == NULL)
sl@0	227	{
sl@0	228	if ((buf=BUF_MEM_new()) == NULL)
sl@0	229	{
sl@0	230	ret= -1;
sl@0	231	goto end;
sl@0	232	}
sl@0	233	if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
sl@0	234	{
sl@0	235	ret= -1;
sl@0	236	goto end;
sl@0	237	}
sl@0	238	s->init_buf=buf;
sl@0	239	buf=NULL;
sl@0	240	}
sl@0	241
sl@0	242	if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
sl@0	243
sl@0	244	/* setup buffing BIO */
sl@0	245	if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
sl@0	246
sl@0	247	/* don't push the buffering BIO quite yet */
sl@0	248
sl@0	249	ssl3_init_finished_mac(s);
sl@0	250
sl@0	251	s->state=SSL3_ST_CW_CLNT_HELLO_A;
sl@0	252	s->ctx->stats.sess_connect++;
sl@0	253	s->init_num=0;
sl@0	254	break;
sl@0	255
sl@0	256	case SSL3_ST_CW_CLNT_HELLO_A:
sl@0	257	case SSL3_ST_CW_CLNT_HELLO_B:
sl@0	258
sl@0	259	s->shutdown=0;
sl@0	260	ret=ssl3_client_hello(s);
sl@0	261	if (ret <= 0) goto end;
sl@0	262	s->state=SSL3_ST_CR_SRVR_HELLO_A;
sl@0	263	s->init_num=0;
sl@0	264
sl@0	265	/* turn on buffering for the next lot of output */
sl@0	266	if (s->bbio != s->wbio)
sl@0	267	s->wbio=BIO_push(s->bbio,s->wbio);
sl@0	268
sl@0	269	break;
sl@0	270
sl@0	271	case SSL3_ST_CR_SRVR_HELLO_A:
sl@0	272	case SSL3_ST_CR_SRVR_HELLO_B:
sl@0	273	ret=ssl3_get_server_hello(s);
sl@0	274	if (ret <= 0) goto end;
sl@0	275	if (s->hit)
sl@0	276	s->state=SSL3_ST_CR_FINISHED_A;
sl@0	277	else
sl@0	278	s->state=SSL3_ST_CR_CERT_A;
sl@0	279	s->init_num=0;
sl@0	280	break;
sl@0	281
sl@0	282	case SSL3_ST_CR_CERT_A:
sl@0	283	case SSL3_ST_CR_CERT_B:
sl@0	284
sl@0	285	/* Check if it is anon DH/ECDH */
sl@0	286	if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
sl@0	287	{
sl@0	288	ret=ssl3_get_server_certificate(s);
sl@0	289	if (ret <= 0) goto end;
sl@0	290	}
sl@0	291	else
sl@0	292	skip=1;
sl@0	293	s->state=SSL3_ST_CR_KEY_EXCH_A;
sl@0	294	s->init_num=0;
sl@0	295	break;
sl@0	296
sl@0	297	case SSL3_ST_CR_KEY_EXCH_A:
sl@0	298	case SSL3_ST_CR_KEY_EXCH_B:
sl@0	299	ret=ssl3_get_key_exchange(s);
sl@0	300	if (ret <= 0) goto end;
sl@0	301	s->state=SSL3_ST_CR_CERT_REQ_A;
sl@0	302	s->init_num=0;
sl@0	303
sl@0	304	/* at this point we check that we have the
sl@0	305	* required stuff from the server */
sl@0	306	if (!ssl3_check_cert_and_algorithm(s))
sl@0	307	{
sl@0	308	ret= -1;
sl@0	309	goto end;
sl@0	310	}
sl@0	311	break;
sl@0	312
sl@0	313	case SSL3_ST_CR_CERT_REQ_A:
sl@0	314	case SSL3_ST_CR_CERT_REQ_B:
sl@0	315	ret=ssl3_get_certificate_request(s);
sl@0	316	if (ret <= 0) goto end;
sl@0	317	s->state=SSL3_ST_CR_SRVR_DONE_A;
sl@0	318	s->init_num=0;
sl@0	319	break;
sl@0	320
sl@0	321	case SSL3_ST_CR_SRVR_DONE_A:
sl@0	322	case SSL3_ST_CR_SRVR_DONE_B:
sl@0	323	ret=ssl3_get_server_done(s);
sl@0	324	if (ret <= 0) goto end;
sl@0	325	if (s->s3->tmp.cert_req)
sl@0	326	s->state=SSL3_ST_CW_CERT_A;
sl@0	327	else
sl@0	328	s->state=SSL3_ST_CW_KEY_EXCH_A;
sl@0	329	s->init_num=0;
sl@0	330
sl@0	331	break;
sl@0	332
sl@0	333	case SSL3_ST_CW_CERT_A:
sl@0	334	case SSL3_ST_CW_CERT_B:
sl@0	335	case SSL3_ST_CW_CERT_C:
sl@0	336	case SSL3_ST_CW_CERT_D:
sl@0	337	ret=ssl3_send_client_certificate(s);
sl@0	338	if (ret <= 0) goto end;
sl@0	339	s->state=SSL3_ST_CW_KEY_EXCH_A;
sl@0	340	s->init_num=0;
sl@0	341	break;
sl@0	342
sl@0	343	case SSL3_ST_CW_KEY_EXCH_A:
sl@0	344	case SSL3_ST_CW_KEY_EXCH_B:
sl@0	345	ret=ssl3_send_client_key_exchange(s);
sl@0	346	if (ret <= 0) goto end;
sl@0	347	l=s->s3->tmp.new_cipher->algorithms;
sl@0	348	/* EAY EAY EAY need to check for DH fix cert
sl@0	349	* sent back */
sl@0	350	/* For TLS, cert_req is set to 2, so a cert chain
sl@0	351	* of nothing is sent, but no verify packet is sent */
sl@0	352	/* XXX: For now, we do not support client
sl@0	353	* authentication in ECDH cipher suites with
sl@0	354	* ECDH (rather than ECDSA) certificates.
sl@0	355	* We need to skip the certificate verify
sl@0	356	* message when client's ECDH public key is sent
sl@0	357	* inside the client certificate.
sl@0	358	*/
sl@0	359	if (s->s3->tmp.cert_req == 1)
sl@0	360	{
sl@0	361	s->state=SSL3_ST_CW_CERT_VRFY_A;
sl@0	362	}
sl@0	363	else
sl@0	364	{
sl@0	365	s->state=SSL3_ST_CW_CHANGE_A;
sl@0	366	s->s3->change_cipher_spec=0;
sl@0	367	}
sl@0	368
sl@0	369	s->init_num=0;
sl@0	370	break;
sl@0	371
sl@0	372	case SSL3_ST_CW_CERT_VRFY_A:
sl@0	373	case SSL3_ST_CW_CERT_VRFY_B:
sl@0	374	ret=ssl3_send_client_verify(s);
sl@0	375	if (ret <= 0) goto end;
sl@0	376	s->state=SSL3_ST_CW_CHANGE_A;
sl@0	377	s->init_num=0;
sl@0	378	s->s3->change_cipher_spec=0;
sl@0	379	break;
sl@0	380
sl@0	381	case SSL3_ST_CW_CHANGE_A:
sl@0	382	case SSL3_ST_CW_CHANGE_B:
sl@0	383	ret=ssl3_send_change_cipher_spec(s,
sl@0	384	SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
sl@0	385	if (ret <= 0) goto end;
sl@0	386	s->state=SSL3_ST_CW_FINISHED_A;
sl@0	387	s->init_num=0;
sl@0	388
sl@0	389	s->session->cipher=s->s3->tmp.new_cipher;
sl@0	390	#ifdef OPENSSL_NO_COMP
sl@0	391	s->session->compress_meth=0;
sl@0	392	#else
sl@0	393	if (s->s3->tmp.new_compression == NULL)
sl@0	394	s->session->compress_meth=0;
sl@0	395	else
sl@0	396	s->session->compress_meth=
sl@0	397	s->s3->tmp.new_compression->id;
sl@0	398	#endif
sl@0	399	if (!s->method->ssl3_enc->setup_key_block(s))
sl@0	400	{
sl@0	401	ret= -1;
sl@0	402	goto end;
sl@0	403	}
sl@0	404
sl@0	405	if (!s->method->ssl3_enc->change_cipher_state(s,
sl@0	406	SSL3_CHANGE_CIPHER_CLIENT_WRITE))
sl@0	407	{
sl@0	408	ret= -1;
sl@0	409	goto end;
sl@0	410	}
sl@0	411
sl@0	412	break;
sl@0	413
sl@0	414	case SSL3_ST_CW_FINISHED_A:
sl@0	415	case SSL3_ST_CW_FINISHED_B:
sl@0	416	ret=ssl3_send_finished(s,
sl@0	417	SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
sl@0	418	s->method->ssl3_enc->client_finished_label,
sl@0	419	s->method->ssl3_enc->client_finished_label_len);
sl@0	420	if (ret <= 0) goto end;
sl@0	421	s->state=SSL3_ST_CW_FLUSH;
sl@0	422
sl@0	423	/* clear flags */
sl@0	424	s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
sl@0	425	if (s->hit)
sl@0	426	{
sl@0	427	s->s3->tmp.next_state=SSL_ST_OK;
sl@0	428	if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
sl@0	429	{
sl@0	430	s->state=SSL_ST_OK;
sl@0	431	s->s3->flags\|=SSL3_FLAGS_POP_BUFFER;
sl@0	432	s->s3->delay_buf_pop_ret=0;
sl@0	433	}
sl@0	434	}
sl@0	435	else
sl@0	436	{
sl@0	437
sl@0	438
sl@0	439	s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
sl@0	440	}
sl@0	441	s->init_num=0;
sl@0	442	break;
sl@0	443
sl@0	444
sl@0	445
sl@0	446	case SSL3_ST_CR_FINISHED_A:
sl@0	447	case SSL3_ST_CR_FINISHED_B:
sl@0	448
sl@0	449	ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
sl@0	450	SSL3_ST_CR_FINISHED_B);
sl@0	451	if (ret <= 0) goto end;
sl@0	452
sl@0	453	if (s->hit)
sl@0	454	s->state=SSL3_ST_CW_CHANGE_A;
sl@0	455	else
sl@0	456	s->state=SSL_ST_OK;
sl@0	457	s->init_num=0;
sl@0	458	break;
sl@0	459
sl@0	460	case SSL3_ST_CW_FLUSH:
sl@0	461	/* number of bytes to be flushed */
sl@0	462	num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
sl@0	463	if (num1 > 0)
sl@0	464	{
sl@0	465	s->rwstate=SSL_WRITING;
sl@0	466	num1=BIO_flush(s->wbio);
sl@0	467	if (num1 <= 0) { ret= -1; goto end; }
sl@0	468	s->rwstate=SSL_NOTHING;
sl@0	469	}
sl@0	470
sl@0	471	s->state=s->s3->tmp.next_state;
sl@0	472	break;
sl@0	473
sl@0	474	case SSL_ST_OK:
sl@0	475	/* clean a few things up */
sl@0	476	ssl3_cleanup_key_block(s);
sl@0	477
sl@0	478	if (s->init_buf != NULL)
sl@0	479	{
sl@0	480	BUF_MEM_free(s->init_buf);
sl@0	481	s->init_buf=NULL;
sl@0	482	}
sl@0	483
sl@0	484	/* If we are not 'joining' the last two packets,
sl@0	485	* remove the buffering now */
sl@0	486	if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
sl@0	487	ssl_free_wbio_buffer(s);
sl@0	488	/* else do it later in ssl3_write */
sl@0	489
sl@0	490	s->init_num=0;
sl@0	491	s->new_session=0;
sl@0	492
sl@0	493	ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
sl@0	494	if (s->hit) s->ctx->stats.sess_hit++;
sl@0	495
sl@0	496	ret=1;
sl@0	497	/* s->server=0; */
sl@0	498	s->handshake_func=ssl3_connect;
sl@0	499	s->ctx->stats.sess_connect_good++;
sl@0	500
sl@0	501	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
sl@0	502
sl@0	503	goto end;
sl@0	504	/* break; */
sl@0	505
sl@0	506	default:
sl@0	507	SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
sl@0	508	ret= -1;
sl@0	509	goto end;
sl@0	510	/* break; */
sl@0	511	}
sl@0	512
sl@0	513	/* did we do anything */
sl@0	514	if (!s->s3->tmp.reuse_message && !skip)
sl@0	515	{
sl@0	516	if (s->debug)
sl@0	517	{
sl@0	518	if ((ret=BIO_flush(s->wbio)) <= 0)
sl@0	519	goto end;
sl@0	520	}
sl@0	521
sl@0	522	if ((cb != NULL) && (s->state != state))
sl@0	523	{
sl@0	524	new_state=s->state;
sl@0	525	s->state=state;
sl@0	526	cb(s,SSL_CB_CONNECT_LOOP,1);
sl@0	527	s->state=new_state;
sl@0	528	}
sl@0	529	}
sl@0	530	skip=0;
sl@0	531	}
sl@0	532	end:
sl@0	533	s->in_handshake--;
sl@0	534	if (buf != NULL)
sl@0	535	BUF_MEM_free(buf);
sl@0	536	if (cb != NULL)
sl@0	537	cb(s,SSL_CB_CONNECT_EXIT,ret);
sl@0	538	return(ret);
sl@0	539	}
sl@0	540
sl@0	541
sl@0	542	int ssl3_client_hello(SSL *s)
sl@0	543	{
sl@0	544	unsigned char *buf;
sl@0	545	unsigned char p,d;
sl@0	546	int i;
sl@0	547	unsigned long Time,l;
sl@0	548	#ifndef OPENSSL_NO_COMP
sl@0	549	int j;
sl@0	550	SSL_COMP *comp;
sl@0	551	#endif
sl@0	552
sl@0	553	buf=(unsigned char *)s->init_buf->data;
sl@0	554	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
sl@0	555	{
sl@0	556	if ((s->session == NULL) \|\|
sl@0	557	(s->session->ssl_version != s->version) \|\|
sl@0	558	(s->session->not_resumable))
sl@0	559	{
sl@0	560	if (!ssl_get_new_session(s,0))
sl@0	561	goto err;
sl@0	562	}
sl@0	563	/* else use the pre-loaded session */
sl@0	564
sl@0	565	p=s->s3->client_random;
sl@0	566	Time=(unsigned long)time(NULL); /* Time */
sl@0	567	l2n(Time,p);
sl@0	568	if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
sl@0	569	goto err;
sl@0	570
sl@0	571	/* Do the message type and length last */
sl@0	572	d=p= &(buf[4]);
sl@0	573
sl@0	574	*(p++)=s->version>>8;
sl@0	575	*(p++)=s->version&0xff;
sl@0	576	s->client_version=s->version;
sl@0	577
sl@0	578	/* Random stuff */
sl@0	579	memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
sl@0	580	p+=SSL3_RANDOM_SIZE;
sl@0	581
sl@0	582	/* Session ID */
sl@0	583	if (s->new_session)
sl@0	584	i=0;
sl@0	585	else
sl@0	586	i=s->session->session_id_length;
sl@0	587	*(p++)=i;
sl@0	588	if (i != 0)
sl@0	589	{
sl@0	590	if (i > (int)sizeof(s->session->session_id))
sl@0	591	{
sl@0	592	SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
sl@0	593	goto err;
sl@0	594	}
sl@0	595	memcpy(p,s->session->session_id,i);
sl@0	596	p+=i;
sl@0	597	}
sl@0	598
sl@0	599	/* Ciphers supported */
sl@0	600	i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
sl@0	601	if (i == 0)
sl@0	602	{
sl@0	603	SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
sl@0	604	goto err;
sl@0	605	}
sl@0	606	s2n(i,p);
sl@0	607	p+=i;
sl@0	608
sl@0	609	/* COMPRESSION */
sl@0	610	#ifdef OPENSSL_NO_COMP
sl@0	611	*(p++)=1;
sl@0	612	#else
sl@0	613	if (s->ctx->comp_methods == NULL)
sl@0	614	j=0;
sl@0	615	else
sl@0	616	j=sk_SSL_COMP_num(s->ctx->comp_methods);
sl@0	617	*(p++)=1+j;
sl@0	618	for (i=0; i<j; i++)
sl@0	619	{
sl@0	620	comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
sl@0	621	*(p++)=comp->id;
sl@0	622	}
sl@0	623	#endif
sl@0	624	(p++)=0; / Add the NULL method */
sl@0	625
sl@0	626	l=(p-d);
sl@0	627	d=buf;
sl@0	628	*(d++)=SSL3_MT_CLIENT_HELLO;
sl@0	629	l2n3(l,d);
sl@0	630
sl@0	631	s->state=SSL3_ST_CW_CLNT_HELLO_B;
sl@0	632	/* number of bytes to write */
sl@0	633	s->init_num=p-buf;
sl@0	634	s->init_off=0;
sl@0	635	}
sl@0	636
sl@0	637	/* SSL3_ST_CW_CLNT_HELLO_B */
sl@0	638	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	639	err:
sl@0	640	return(-1);
sl@0	641	}
sl@0	642
sl@0	643	int ssl3_get_server_hello(SSL *s)
sl@0	644	{
sl@0	645	STACK_OF(SSL_CIPHER) *sk;
sl@0	646	SSL_CIPHER *c;
sl@0	647	unsigned char p,d;
sl@0	648	int i,al,ok;
sl@0	649	unsigned int j;
sl@0	650	long n;
sl@0	651	#ifndef OPENSSL_NO_COMP
sl@0	652	SSL_COMP *comp;
sl@0	653	#endif
sl@0	654
sl@0	655	n=s->method->ssl_get_message(s,
sl@0	656	SSL3_ST_CR_SRVR_HELLO_A,
sl@0	657	SSL3_ST_CR_SRVR_HELLO_B,
sl@0	658	-1,
sl@0	659	20000, /* ?? */
sl@0	660	&ok);
sl@0	661
sl@0	662	if (!ok) return((int)n);
sl@0	663
sl@0	664	if ( SSL_version(s) == DTLS1_VERSION)
sl@0	665	{
sl@0	666	if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
sl@0	667	{
sl@0	668	if ( s->d1->send_cookie == 0)
sl@0	669	{
sl@0	670	s->s3->tmp.reuse_message = 1;
sl@0	671	return 1;
sl@0	672	}
sl@0	673	else /* already sent a cookie */
sl@0	674	{
sl@0	675	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	676	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
sl@0	677	goto f_err;
sl@0	678	}
sl@0	679	}
sl@0	680	}
sl@0	681
sl@0	682	if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
sl@0	683	{
sl@0	684	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	685	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
sl@0	686	goto f_err;
sl@0	687	}
sl@0	688
sl@0	689	d=p=(unsigned char *)s->init_msg;
sl@0	690
sl@0	691	if ((p[0] != (s->version>>8)) \|\| (p[1] != (s->version&0xff)))
sl@0	692	{
sl@0	693	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
sl@0	694	s->version=(s->version&0xff00)\|p[1];
sl@0	695	al=SSL_AD_PROTOCOL_VERSION;
sl@0	696	goto f_err;
sl@0	697	}
sl@0	698	p+=2;
sl@0	699
sl@0	700	/* load the server hello data */
sl@0	701	/* load the server random */
sl@0	702	memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
sl@0	703	p+=SSL3_RANDOM_SIZE;
sl@0	704
sl@0	705	/* get the session-id */
sl@0	706	j= *(p++);
sl@0	707
sl@0	708	if ((j > sizeof s->session->session_id) \|\| (j > SSL3_SESSION_ID_SIZE))
sl@0	709	{
sl@0	710	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	711	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
sl@0	712	goto f_err;
sl@0	713	}
sl@0	714
sl@0	715	if (j != 0 && j == s->session->session_id_length
sl@0	716	&& memcmp(p,s->session->session_id,j) == 0)
sl@0	717	{
sl@0	718	if(s->sid_ctx_length != s->session->sid_ctx_length
sl@0	719	\|\| memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
sl@0	720	{
sl@0	721	/* actually a client application bug */
sl@0	722	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	723	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
sl@0	724	goto f_err;
sl@0	725	}
sl@0	726	s->hit=1;
sl@0	727	}
sl@0	728	else /* a miss or crap from the other end */
sl@0	729	{
sl@0	730	/* If we were trying for session-id reuse, make a new
sl@0	731	* SSL_SESSION so we don't stuff up other people */
sl@0	732	s->hit=0;
sl@0	733	if (s->session->session_id_length > 0)
sl@0	734	{
sl@0	735	if (!ssl_get_new_session(s,0))
sl@0	736	{
sl@0	737	al=SSL_AD_INTERNAL_ERROR;
sl@0	738	goto f_err;
sl@0	739	}
sl@0	740	}
sl@0	741	s->session->session_id_length=j;
sl@0	742	memcpy(s->session->session_id,p,j); /* j could be 0 */
sl@0	743	}
sl@0	744	p+=j;
sl@0	745	c=ssl_get_cipher_by_char(s,p);
sl@0	746	if (c == NULL)
sl@0	747	{
sl@0	748	/* unknown cipher */
sl@0	749	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	750	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
sl@0	751	goto f_err;
sl@0	752	}
sl@0	753	p+=ssl_put_cipher_by_char(s,NULL,NULL);
sl@0	754
sl@0	755	sk=ssl_get_ciphers_by_id(s);
sl@0	756	i=sk_SSL_CIPHER_find(sk,c);
sl@0	757	if (i < 0)
sl@0	758	{
sl@0	759	/* we did not say we would use this cipher */
sl@0	760	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	761	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
sl@0	762	goto f_err;
sl@0	763	}
sl@0	764
sl@0	765	/* Depending on the session caching (internal/external), the cipher
sl@0	766	and/or cipher_id values may not be set. Make sure that
sl@0	767	cipher_id is set and use it for comparison. */
sl@0	768	if (s->session->cipher)
sl@0	769	s->session->cipher_id = s->session->cipher->id;
sl@0	770	if (s->hit && (s->session->cipher_id != c->id))
sl@0	771	{
sl@0	772	if (!(s->options &
sl@0	773	SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
sl@0	774	{
sl@0	775	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	776	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
sl@0	777	goto f_err;
sl@0	778	}
sl@0	779	}
sl@0	780	s->s3->tmp.new_cipher=c;
sl@0	781
sl@0	782	/* lets get the compression algorithm */
sl@0	783	/* COMPRESSION */
sl@0	784	#ifdef OPENSSL_NO_COMP
sl@0	785	if (*(p++) != 0)
sl@0	786	{
sl@0	787	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	788	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
sl@0	789	goto f_err;
sl@0	790	}
sl@0	791	#else
sl@0	792	j= *(p++);
sl@0	793	if (j == 0)
sl@0	794	comp=NULL;
sl@0	795	else
sl@0	796	comp=ssl3_comp_find(s->ctx->comp_methods,j);
sl@0	797
sl@0	798	if ((j != 0) && (comp == NULL))
sl@0	799	{
sl@0	800	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	801	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
sl@0	802	goto f_err;
sl@0	803	}
sl@0	804	else
sl@0	805	{
sl@0	806	s->s3->tmp.new_compression=comp;
sl@0	807	}
sl@0	808	#endif
sl@0	809
sl@0	810
sl@0	811
sl@0	812	if (p != (d+n))
sl@0	813	{
sl@0	814	/* wrong packet length */
sl@0	815	al=SSL_AD_DECODE_ERROR;
sl@0	816	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
sl@0	817	goto err;
sl@0	818	}
sl@0	819
sl@0	820	return(1);
sl@0	821	f_err:
sl@0	822	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	823	err:
sl@0	824	return(-1);
sl@0	825	}
sl@0	826
sl@0	827	int ssl3_get_server_certificate(SSL *s)
sl@0	828	{
sl@0	829	int al,i,ok,ret= -1;
sl@0	830	unsigned long n,nc,llen,l;
sl@0	831	X509 *x=NULL;
sl@0	832	const unsigned char q,p;
sl@0	833	unsigned char *d;
sl@0	834	STACK_OF(X509) *sk=NULL;
sl@0	835	SESS_CERT *sc;
sl@0	836	EVP_PKEY *pkey=NULL;
sl@0	837	int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
sl@0	838
sl@0	839	n=s->method->ssl_get_message(s,
sl@0	840	SSL3_ST_CR_CERT_A,
sl@0	841	SSL3_ST_CR_CERT_B,
sl@0	842	-1,
sl@0	843	s->max_cert_list,
sl@0	844	&ok);
sl@0	845
sl@0	846	if (!ok) return((int)n);
sl@0	847
sl@0	848	if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) \|\|
sl@0	849	((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) &&
sl@0	850	(s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
sl@0	851	{
sl@0	852	s->s3->tmp.reuse_message=1;
sl@0	853	return(1);
sl@0	854	}
sl@0	855
sl@0	856	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
sl@0	857	{
sl@0	858	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	859	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
sl@0	860	goto f_err;
sl@0	861	}
sl@0	862	p=d=(unsigned char *)s->init_msg;
sl@0	863
sl@0	864	if ((sk=sk_X509_new_null()) == NULL)
sl@0	865	{
sl@0	866	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
sl@0	867	goto err;
sl@0	868	}
sl@0	869
sl@0	870	n2l3(p,llen);
sl@0	871	if (llen+3 != n)
sl@0	872	{
sl@0	873	al=SSL_AD_DECODE_ERROR;
sl@0	874	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
sl@0	875	goto f_err;
sl@0	876	}
sl@0	877	for (nc=0; nc<llen; )
sl@0	878	{
sl@0	879	n2l3(p,l);
sl@0	880	if ((l+nc+3) > llen)
sl@0	881	{
sl@0	882	al=SSL_AD_DECODE_ERROR;
sl@0	883	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
sl@0	884	goto f_err;
sl@0	885	}
sl@0	886
sl@0	887	q=p;
sl@0	888	x=d2i_X509(NULL,&q,l);
sl@0	889	if (x == NULL)
sl@0	890	{
sl@0	891	al=SSL_AD_BAD_CERTIFICATE;
sl@0	892	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
sl@0	893	goto f_err;
sl@0	894	}
sl@0	895	if (q != (p+l))
sl@0	896	{
sl@0	897	al=SSL_AD_DECODE_ERROR;
sl@0	898	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
sl@0	899	goto f_err;
sl@0	900	}
sl@0	901	if (!sk_X509_push(sk,x))
sl@0	902	{
sl@0	903	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
sl@0	904	goto err;
sl@0	905	}
sl@0	906	x=NULL;
sl@0	907	nc+=l+3;
sl@0	908	p=q;
sl@0	909	}
sl@0	910
sl@0	911	i=ssl_verify_cert_chain(s,sk);
sl@0	912	if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
sl@0	913	#ifndef OPENSSL_NO_KRB5
sl@0	914	&& (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK\|SSL_AUTH_MASK))
sl@0	915	!= (SSL_aKRB5\|SSL_kKRB5)
sl@0	916	#endif /* OPENSSL_NO_KRB5 */
sl@0	917	)
sl@0	918	{
sl@0	919	al=ssl_verify_alarm_type(s->verify_result);
sl@0	920	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
sl@0	921	goto f_err;
sl@0	922	}
sl@0	923	ERR_clear_error(); /* but we keep s->verify_result */
sl@0	924
sl@0	925	sc=ssl_sess_cert_new();
sl@0	926	if (sc == NULL) goto err;
sl@0	927
sl@0	928	if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
sl@0	929	s->session->sess_cert=sc;
sl@0	930
sl@0	931	sc->cert_chain=sk;
sl@0	932	/* Inconsistency alert: cert_chain does include the peer's
sl@0	933	* certificate, which we don't include in s3_srvr.c */
sl@0	934	x=sk_X509_value(sk,0);
sl@0	935	sk=NULL;
sl@0	936	/* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
sl@0	937
sl@0	938	pkey=X509_get_pubkey(x);
sl@0	939
sl@0	940	/* VRS: allow null cert if auth == KRB5 */
sl@0	941	need_cert = ((s->s3->tmp.new_cipher->algorithms
sl@0	942	& (SSL_MKEY_MASK\|SSL_AUTH_MASK))
sl@0	943	== (SSL_aKRB5\|SSL_kKRB5))? 0: 1;
sl@0	944
sl@0	945	#ifdef KSSL_DEBUG
sl@0	946	printf("pkey,x = %p, %p\n", pkey,x);
sl@0	947	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
sl@0	948	printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
sl@0	949	s->s3->tmp.new_cipher->algorithms, need_cert);
sl@0	950	#endif /* KSSL_DEBUG */
sl@0	951
sl@0	952	if (need_cert && ((pkey == NULL) \|\| EVP_PKEY_missing_parameters(pkey)))
sl@0	953	{
sl@0	954	x=NULL;
sl@0	955	al=SSL3_AL_FATAL;
sl@0	956	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
sl@0	957	SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
sl@0	958	goto f_err;
sl@0	959	}
sl@0	960
sl@0	961	i=ssl_cert_type(x,pkey);
sl@0	962	if (need_cert && i < 0)
sl@0	963	{
sl@0	964	x=NULL;
sl@0	965	al=SSL3_AL_FATAL;
sl@0	966	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
sl@0	967	SSL_R_UNKNOWN_CERTIFICATE_TYPE);
sl@0	968	goto f_err;
sl@0	969	}
sl@0	970
sl@0	971	if (need_cert)
sl@0	972	{
sl@0	973	sc->peer_cert_type=i;
sl@0	974	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
sl@0	975	/* Why would the following ever happen?
sl@0	976	* We just created sc a couple of lines ago. */
sl@0	977	if (sc->peer_pkeys[i].x509 != NULL)
sl@0	978	X509_free(sc->peer_pkeys[i].x509);
sl@0	979	sc->peer_pkeys[i].x509=x;
sl@0	980	sc->peer_key= &(sc->peer_pkeys[i]);
sl@0	981
sl@0	982	if (s->session->peer != NULL)
sl@0	983	X509_free(s->session->peer);
sl@0	984	CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
sl@0	985	s->session->peer=x;
sl@0	986	}
sl@0	987	else
sl@0	988	{
sl@0	989	sc->peer_cert_type=i;
sl@0	990	sc->peer_key= NULL;
sl@0	991
sl@0	992	if (s->session->peer != NULL)
sl@0	993	X509_free(s->session->peer);
sl@0	994	s->session->peer=NULL;
sl@0	995	}
sl@0	996	s->session->verify_result = s->verify_result;
sl@0	997
sl@0	998	x=NULL;
sl@0	999	ret=1;
sl@0	1000
sl@0	1001	if (0)
sl@0	1002	{
sl@0	1003	f_err:
sl@0	1004	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	1005	}
sl@0	1006	err:
sl@0	1007	EVP_PKEY_free(pkey);
sl@0	1008	X509_free(x);
sl@0	1009	sk_X509_pop_free(sk,X509_free);
sl@0	1010	return(ret);
sl@0	1011	}
sl@0	1012
sl@0	1013	int ssl3_get_key_exchange(SSL *s)
sl@0	1014	{
sl@0	1015	#ifndef OPENSSL_NO_RSA
sl@0	1016	unsigned char q,md_buf[EVP_MAX_MD_SIZE2];
sl@0	1017	#endif
sl@0	1018	EVP_MD_CTX md_ctx;
sl@0	1019	unsigned char param,p;
sl@0	1020	int al,i,j,param_len,ok;
sl@0	1021	long n,alg;
sl@0	1022	EVP_PKEY *pkey=NULL;
sl@0	1023	#ifndef OPENSSL_NO_RSA
sl@0	1024	RSA *rsa=NULL;
sl@0	1025	#endif
sl@0	1026	#ifndef OPENSSL_NO_DH
sl@0	1027	DH *dh=NULL;
sl@0	1028	#endif
sl@0	1029	#ifndef OPENSSL_NO_ECDH
sl@0	1030	EC_KEY *ecdh = NULL;
sl@0	1031	BN_CTX *bn_ctx = NULL;
sl@0	1032	EC_POINT *srvr_ecpoint = NULL;
sl@0	1033	int curve_nid = 0;
sl@0	1034	int encoded_pt_len = 0;
sl@0	1035	#endif
sl@0	1036
sl@0	1037	/* use same message size as in ssl3_get_certificate_request()
sl@0	1038	* as ServerKeyExchange message may be skipped */
sl@0	1039	n=s->method->ssl_get_message(s,
sl@0	1040	SSL3_ST_CR_KEY_EXCH_A,
sl@0	1041	SSL3_ST_CR_KEY_EXCH_B,
sl@0	1042	-1,
sl@0	1043	s->max_cert_list,
sl@0	1044	&ok);
sl@0	1045
sl@0	1046	if (!ok) return((int)n);
sl@0	1047
sl@0	1048	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
sl@0	1049	{
sl@0	1050	s->s3->tmp.reuse_message=1;
sl@0	1051	return(1);
sl@0	1052	}
sl@0	1053
sl@0	1054	param=p=(unsigned char *)s->init_msg;
sl@0	1055
sl@0	1056	if (s->session->sess_cert != NULL)
sl@0	1057	{
sl@0	1058	#ifndef OPENSSL_NO_RSA
sl@0	1059	if (s->session->sess_cert->peer_rsa_tmp != NULL)
sl@0	1060	{
sl@0	1061	RSA_free(s->session->sess_cert->peer_rsa_tmp);
sl@0	1062	s->session->sess_cert->peer_rsa_tmp=NULL;
sl@0	1063	}
sl@0	1064	#endif
sl@0	1065	#ifndef OPENSSL_NO_DH
sl@0	1066	if (s->session->sess_cert->peer_dh_tmp)
sl@0	1067	{
sl@0	1068	DH_free(s->session->sess_cert->peer_dh_tmp);
sl@0	1069	s->session->sess_cert->peer_dh_tmp=NULL;
sl@0	1070	}
sl@0	1071	#endif
sl@0	1072	#ifndef OPENSSL_NO_ECDH
sl@0	1073	if (s->session->sess_cert->peer_ecdh_tmp)
sl@0	1074	{
sl@0	1075	EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
sl@0	1076	s->session->sess_cert->peer_ecdh_tmp=NULL;
sl@0	1077	}
sl@0	1078	#endif
sl@0	1079	}
sl@0	1080	else
sl@0	1081	{
sl@0	1082	s->session->sess_cert=ssl_sess_cert_new();
sl@0	1083	}
sl@0	1084
sl@0	1085	param_len=0;
sl@0	1086	alg=s->s3->tmp.new_cipher->algorithms;
sl@0	1087	EVP_MD_CTX_init(&md_ctx);
sl@0	1088
sl@0	1089	#ifndef OPENSSL_NO_RSA
sl@0	1090	if (alg & SSL_kRSA)
sl@0	1091	{
sl@0	1092	if ((rsa=RSA_new()) == NULL)
sl@0	1093	{
sl@0	1094	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
sl@0	1095	goto err;
sl@0	1096	}
sl@0	1097	n2s(p,i);
sl@0	1098	param_len=i+2;
sl@0	1099	if (param_len > n)
sl@0	1100	{
sl@0	1101	al=SSL_AD_DECODE_ERROR;
sl@0	1102	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
sl@0	1103	goto f_err;
sl@0	1104	}
sl@0	1105	if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
sl@0	1106	{
sl@0	1107	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
sl@0	1108	goto err;
sl@0	1109	}
sl@0	1110	p+=i;
sl@0	1111
sl@0	1112	n2s(p,i);
sl@0	1113	param_len+=i+2;
sl@0	1114	if (param_len > n)
sl@0	1115	{
sl@0	1116	al=SSL_AD_DECODE_ERROR;
sl@0	1117	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
sl@0	1118	goto f_err;
sl@0	1119	}
sl@0	1120	if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
sl@0	1121	{
sl@0	1122	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
sl@0	1123	goto err;
sl@0	1124	}
sl@0	1125	p+=i;
sl@0	1126	n-=param_len;
sl@0	1127
sl@0	1128	/* this should be because we are using an export cipher */
sl@0	1129	if (alg & SSL_aRSA)
sl@0	1130	pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
sl@0	1131	else
sl@0	1132	{
sl@0	1133	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
sl@0	1134	goto err;
sl@0	1135	}
sl@0	1136	s->session->sess_cert->peer_rsa_tmp=rsa;
sl@0	1137	rsa=NULL;
sl@0	1138	}
sl@0	1139	#else /* OPENSSL_NO_RSA */
sl@0	1140	if (0)
sl@0	1141	;
sl@0	1142	#endif
sl@0	1143	#ifndef OPENSSL_NO_DH
sl@0	1144	else if (alg & SSL_kEDH)
sl@0	1145	{
sl@0	1146	if ((dh=DH_new()) == NULL)
sl@0	1147	{
sl@0	1148	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	1149	goto err;
sl@0	1150	}
sl@0	1151	n2s(p,i);
sl@0	1152	param_len=i+2;
sl@0	1153	if (param_len > n)
sl@0	1154	{
sl@0	1155	al=SSL_AD_DECODE_ERROR;
sl@0	1156	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
sl@0	1157	goto f_err;
sl@0	1158	}
sl@0	1159	if (!(dh->p=BN_bin2bn(p,i,NULL)))
sl@0	1160	{
sl@0	1161	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
sl@0	1162	goto err;
sl@0	1163	}
sl@0	1164	p+=i;
sl@0	1165
sl@0	1166	n2s(p,i);
sl@0	1167	param_len+=i+2;
sl@0	1168	if (param_len > n)
sl@0	1169	{
sl@0	1170	al=SSL_AD_DECODE_ERROR;
sl@0	1171	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
sl@0	1172	goto f_err;
sl@0	1173	}
sl@0	1174	if (!(dh->g=BN_bin2bn(p,i,NULL)))
sl@0	1175	{
sl@0	1176	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
sl@0	1177	goto err;
sl@0	1178	}
sl@0	1179	p+=i;
sl@0	1180
sl@0	1181	n2s(p,i);
sl@0	1182	param_len+=i+2;
sl@0	1183	if (param_len > n)
sl@0	1184	{
sl@0	1185	al=SSL_AD_DECODE_ERROR;
sl@0	1186	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
sl@0	1187	goto f_err;
sl@0	1188	}
sl@0	1189	if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
sl@0	1190	{
sl@0	1191	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
sl@0	1192	goto err;
sl@0	1193	}
sl@0	1194	p+=i;
sl@0	1195	n-=param_len;
sl@0	1196
sl@0	1197	#ifndef OPENSSL_NO_RSA
sl@0	1198	if (alg & SSL_aRSA)
sl@0	1199	pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
sl@0	1200	#else
sl@0	1201	if (0)
sl@0	1202	;
sl@0	1203	#endif
sl@0	1204	#ifndef OPENSSL_NO_DSA
sl@0	1205	else if (alg & SSL_aDSS)
sl@0	1206	pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
sl@0	1207	#endif
sl@0	1208	/* else anonymous DH, so no certificate or pkey. */
sl@0	1209
sl@0	1210	s->session->sess_cert->peer_dh_tmp=dh;
sl@0	1211	dh=NULL;
sl@0	1212	}
sl@0	1213	else if ((alg & SSL_kDHr) \|\| (alg & SSL_kDHd))
sl@0	1214	{
sl@0	1215	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	1216	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
sl@0	1217	goto f_err;
sl@0	1218	}
sl@0	1219	#endif /* !OPENSSL_NO_DH */
sl@0	1220
sl@0	1221	#ifndef OPENSSL_NO_ECDH
sl@0	1222	else if (alg & SSL_kECDHE)
sl@0	1223	{
sl@0	1224	EC_GROUP *ngroup;
sl@0	1225	const EC_GROUP *group;
sl@0	1226
sl@0	1227	if ((ecdh=EC_KEY_new()) == NULL)
sl@0	1228	{
sl@0	1229	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
sl@0	1230	goto err;
sl@0	1231	}
sl@0	1232
sl@0	1233	/* Extract elliptic curve parameters and the
sl@0	1234	* server's ephemeral ECDH public key.
sl@0	1235	* Keep accumulating lengths of various components in
sl@0	1236	* param_len and make sure it never exceeds n.
sl@0	1237	*/
sl@0	1238
sl@0	1239	/* XXX: For now we only support named (not generic) curves
sl@0	1240	* and the ECParameters in this case is just three bytes.
sl@0	1241	*/
sl@0	1242	param_len=3;
sl@0	1243	if ((param_len > n) \|\|
sl@0	1244	(*p != NAMED_CURVE_TYPE) \|\|
sl@0	1245	((curve_nid = curve_id2nid(*(p + 2))) == 0))
sl@0	1246	{
sl@0	1247	al=SSL_AD_INTERNAL_ERROR;
sl@0	1248	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
sl@0	1249	goto f_err;
sl@0	1250	}
sl@0	1251
sl@0	1252	ngroup = EC_GROUP_new_by_curve_name(curve_nid);
sl@0	1253	if (ngroup == NULL)
sl@0	1254	{
sl@0	1255	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
sl@0	1256	goto err;
sl@0	1257	}
sl@0	1258	if (EC_KEY_set_group(ecdh, ngroup) == 0)
sl@0	1259	{
sl@0	1260	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
sl@0	1261	goto err;
sl@0	1262	}
sl@0	1263	EC_GROUP_free(ngroup);
sl@0	1264
sl@0	1265	group = EC_KEY_get0_group(ecdh);
sl@0	1266
sl@0	1267	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
sl@0	1268	(EC_GROUP_get_degree(group) > 163))
sl@0	1269	{
sl@0	1270	al=SSL_AD_EXPORT_RESTRICTION;
sl@0	1271	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
sl@0	1272	goto f_err;
sl@0	1273	}
sl@0	1274
sl@0	1275	p+=3;
sl@0	1276
sl@0	1277	/* Next, get the encoded ECPoint */
sl@0	1278	if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) \|\|
sl@0	1279	((bn_ctx = BN_CTX_new()) == NULL))
sl@0	1280	{
sl@0	1281	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
sl@0	1282	goto err;
sl@0	1283	}
sl@0	1284
sl@0	1285	encoded_pt_len = p; / length of encoded point */
sl@0	1286	p+=1;
sl@0	1287	param_len += (1 + encoded_pt_len);
sl@0	1288	if ((param_len > n) \|\|
sl@0	1289	(EC_POINT_oct2point(group, srvr_ecpoint,
sl@0	1290	p, encoded_pt_len, bn_ctx) == 0))
sl@0	1291	{
sl@0	1292	al=SSL_AD_DECODE_ERROR;
sl@0	1293	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
sl@0	1294	goto f_err;
sl@0	1295	}
sl@0	1296
sl@0	1297	n-=param_len;
sl@0	1298	p+=encoded_pt_len;
sl@0	1299
sl@0	1300	/* The ECC/TLS specification does not mention
sl@0	1301	* the use of DSA to sign ECParameters in the server
sl@0	1302	* key exchange message. We do support RSA and ECDSA.
sl@0	1303	*/
sl@0	1304	if (0) ;
sl@0	1305	#ifndef OPENSSL_NO_RSA
sl@0	1306	else if (alg & SSL_aRSA)
sl@0	1307	pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
sl@0	1308	#endif
sl@0	1309	#ifndef OPENSSL_NO_ECDSA
sl@0	1310	else if (alg & SSL_aECDSA)
sl@0	1311	pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
sl@0	1312	#endif
sl@0	1313	/* else anonymous ECDH, so no certificate or pkey. */
sl@0	1314	EC_KEY_set_public_key(ecdh, srvr_ecpoint);
sl@0	1315	s->session->sess_cert->peer_ecdh_tmp=ecdh;
sl@0	1316	ecdh=NULL;
sl@0	1317	BN_CTX_free(bn_ctx);
sl@0	1318	EC_POINT_free(srvr_ecpoint);
sl@0	1319	srvr_ecpoint = NULL;
sl@0	1320	}
sl@0	1321	else if (alg & SSL_kECDH)
sl@0	1322	{
sl@0	1323	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	1324	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
sl@0	1325	goto f_err;
sl@0	1326	}
sl@0	1327	#endif /* !OPENSSL_NO_ECDH */
sl@0	1328	if (alg & SSL_aFZA)
sl@0	1329	{
sl@0	1330	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1331	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
sl@0	1332	goto f_err;
sl@0	1333	}
sl@0	1334
sl@0	1335
sl@0	1336	/* p points to the next byte, there are 'n' bytes left */
sl@0	1337
sl@0	1338	/* if it was signed, check the signature */
sl@0	1339	if (pkey != NULL)
sl@0	1340	{
sl@0	1341	n2s(p,i);
sl@0	1342	n-=2;
sl@0	1343	j=EVP_PKEY_size(pkey);
sl@0	1344
sl@0	1345	if ((i != n) \|\| (n > j) \|\| (n <= 0))
sl@0	1346	{
sl@0	1347	/* wrong packet length */
sl@0	1348	al=SSL_AD_DECODE_ERROR;
sl@0	1349	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
sl@0	1350	goto f_err;
sl@0	1351	}
sl@0	1352
sl@0	1353	#ifndef OPENSSL_NO_RSA
sl@0	1354	if (pkey->type == EVP_PKEY_RSA)
sl@0	1355	{
sl@0	1356	int num;
sl@0	1357
sl@0	1358	j=0;
sl@0	1359	q=md_buf;
sl@0	1360	for (num=2; num > 0; num--)
sl@0	1361	{
sl@0	1362	EVP_DigestInit_ex(&md_ctx,(num == 2)
sl@0	1363	?s->ctx->md5:s->ctx->sha1, NULL);
sl@0	1364	EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	1365	EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	1366	EVP_DigestUpdate(&md_ctx,param,param_len);
sl@0	1367	EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
sl@0	1368	q+=i;
sl@0	1369	j+=i;
sl@0	1370	}
sl@0	1371	i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
sl@0	1372	pkey->pkey.rsa);
sl@0	1373	if (i < 0)
sl@0	1374	{
sl@0	1375	al=SSL_AD_DECRYPT_ERROR;
sl@0	1376	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
sl@0	1377	goto f_err;
sl@0	1378	}
sl@0	1379	if (i == 0)
sl@0	1380	{
sl@0	1381	/* bad signature */
sl@0	1382	al=SSL_AD_DECRYPT_ERROR;
sl@0	1383	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
sl@0	1384	goto f_err;
sl@0	1385	}
sl@0	1386	}
sl@0	1387	else
sl@0	1388	#endif
sl@0	1389	#ifndef OPENSSL_NO_DSA
sl@0	1390	if (pkey->type == EVP_PKEY_DSA)
sl@0	1391	{
sl@0	1392	/* lets do DSS */
sl@0	1393	EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
sl@0	1394	EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	1395	EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	1396	EVP_VerifyUpdate(&md_ctx,param,param_len);
sl@0	1397	if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
sl@0	1398	{
sl@0	1399	/* bad signature */
sl@0	1400	al=SSL_AD_DECRYPT_ERROR;
sl@0	1401	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
sl@0	1402	goto f_err;
sl@0	1403	}
sl@0	1404	}
sl@0	1405	else
sl@0	1406	#endif
sl@0	1407	#ifndef OPENSSL_NO_ECDSA
sl@0	1408	if (pkey->type == EVP_PKEY_EC)
sl@0	1409	{
sl@0	1410	/* let's do ECDSA */
sl@0	1411	EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
sl@0	1412	EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	1413	EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	1414	EVP_VerifyUpdate(&md_ctx,param,param_len);
sl@0	1415	if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
sl@0	1416	{
sl@0	1417	/* bad signature */
sl@0	1418	al=SSL_AD_DECRYPT_ERROR;
sl@0	1419	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
sl@0	1420	goto f_err;
sl@0	1421	}
sl@0	1422	}
sl@0	1423	else
sl@0	1424	#endif
sl@0	1425	{
sl@0	1426	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
sl@0	1427	goto err;
sl@0	1428	}
sl@0	1429	}
sl@0	1430	else
sl@0	1431	{
sl@0	1432	/* still data left over */
sl@0	1433	if (!(alg & SSL_aNULL))
sl@0	1434	{
sl@0	1435	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
sl@0	1436	goto err;
sl@0	1437	}
sl@0	1438	if (n != 0)
sl@0	1439	{
sl@0	1440	al=SSL_AD_DECODE_ERROR;
sl@0	1441	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
sl@0	1442	goto f_err;
sl@0	1443	}
sl@0	1444	}
sl@0	1445	EVP_PKEY_free(pkey);
sl@0	1446	EVP_MD_CTX_cleanup(&md_ctx);
sl@0	1447	return(1);
sl@0	1448	f_err:
sl@0	1449	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	1450	err:
sl@0	1451	EVP_PKEY_free(pkey);
sl@0	1452	#ifndef OPENSSL_NO_RSA
sl@0	1453	if (rsa != NULL)
sl@0	1454	RSA_free(rsa);
sl@0	1455	#endif
sl@0	1456	#ifndef OPENSSL_NO_DH
sl@0	1457	if (dh != NULL)
sl@0	1458	DH_free(dh);
sl@0	1459	#endif
sl@0	1460	#ifndef OPENSSL_NO_ECDH
sl@0	1461	BN_CTX_free(bn_ctx);
sl@0	1462	EC_POINT_free(srvr_ecpoint);
sl@0	1463	if (ecdh != NULL)
sl@0	1464	EC_KEY_free(ecdh);
sl@0	1465	#endif
sl@0	1466	EVP_MD_CTX_cleanup(&md_ctx);
sl@0	1467	return(-1);
sl@0	1468	}
sl@0	1469
sl@0	1470	int ssl3_get_certificate_request(SSL *s)
sl@0	1471	{
sl@0	1472	int ok,ret=0;
sl@0	1473	unsigned long n,nc,l;
sl@0	1474	unsigned int llen,ctype_num,i;
sl@0	1475	X509_NAME *xn=NULL;
sl@0	1476	const unsigned char p,q;
sl@0	1477	unsigned char *d;
sl@0	1478	STACK_OF(X509_NAME) *ca_sk=NULL;
sl@0	1479
sl@0	1480	n=s->method->ssl_get_message(s,
sl@0	1481	SSL3_ST_CR_CERT_REQ_A,
sl@0	1482	SSL3_ST_CR_CERT_REQ_B,
sl@0	1483	-1,
sl@0	1484	s->max_cert_list,
sl@0	1485	&ok);
sl@0	1486
sl@0	1487	if (!ok) return((int)n);
sl@0	1488
sl@0	1489	s->s3->tmp.cert_req=0;
sl@0	1490
sl@0	1491	if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
sl@0	1492	{
sl@0	1493	s->s3->tmp.reuse_message=1;
sl@0	1494	return(1);
sl@0	1495	}
sl@0	1496
sl@0	1497	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
sl@0	1498	{
sl@0	1499	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
sl@0	1500	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
sl@0	1501	goto err;
sl@0	1502	}
sl@0	1503
sl@0	1504	/* TLS does not like anon-DH with client cert */
sl@0	1505	if (s->version > SSL3_VERSION)
sl@0	1506	{
sl@0	1507	l=s->s3->tmp.new_cipher->algorithms;
sl@0	1508	if (l & SSL_aNULL)
sl@0	1509	{
sl@0	1510	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
sl@0	1511	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
sl@0	1512	goto err;
sl@0	1513	}
sl@0	1514	}
sl@0	1515
sl@0	1516	p=d=(unsigned char *)s->init_msg;
sl@0	1517
sl@0	1518	if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
sl@0	1519	{
sl@0	1520	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
sl@0	1521	goto err;
sl@0	1522	}
sl@0	1523
sl@0	1524	/* get the certificate types */
sl@0	1525	ctype_num= *(p++);
sl@0	1526	if (ctype_num > SSL3_CT_NUMBER)
sl@0	1527	ctype_num=SSL3_CT_NUMBER;
sl@0	1528	for (i=0; i<ctype_num; i++)
sl@0	1529	s->s3->tmp.ctype[i]= p[i];
sl@0	1530	p+=ctype_num;
sl@0	1531
sl@0	1532	/* get the CA RDNs */
sl@0	1533	n2s(p,llen);
sl@0	1534	#if 0
sl@0	1535	{
sl@0	1536	FILE *out;
sl@0	1537	out=fopen("/tmp/vsign.der","w");
sl@0	1538	fwrite(p,1,llen,out);
sl@0	1539	fclose(out);
sl@0	1540	}
sl@0	1541	#endif
sl@0	1542
sl@0	1543	if ((llen+ctype_num+2+1) != n)
sl@0	1544	{
sl@0	1545	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
sl@0	1546	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
sl@0	1547	goto err;
sl@0	1548	}
sl@0	1549
sl@0	1550	for (nc=0; nc<llen; )
sl@0	1551	{
sl@0	1552	n2s(p,l);
sl@0	1553	if ((l+nc+2) > llen)
sl@0	1554	{
sl@0	1555	if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
sl@0	1556	goto cont; /* netscape bugs */
sl@0	1557	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
sl@0	1558	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
sl@0	1559	goto err;
sl@0	1560	}
sl@0	1561
sl@0	1562	q=p;
sl@0	1563
sl@0	1564	if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
sl@0	1565	{
sl@0	1566	/* If netscape tolerance is on, ignore errors */
sl@0	1567	if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
sl@0	1568	goto cont;
sl@0	1569	else
sl@0	1570	{
sl@0	1571	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
sl@0	1572	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
sl@0	1573	goto err;
sl@0	1574	}
sl@0	1575	}
sl@0	1576
sl@0	1577	if (q != (p+l))
sl@0	1578	{
sl@0	1579	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
sl@0	1580	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
sl@0	1581	goto err;
sl@0	1582	}
sl@0	1583	if (!sk_X509_NAME_push(ca_sk,xn))
sl@0	1584	{
sl@0	1585	SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
sl@0	1586	goto err;
sl@0	1587	}
sl@0	1588
sl@0	1589	p+=l;
sl@0	1590	nc+=l+2;
sl@0	1591	}
sl@0	1592
sl@0	1593	if (0)
sl@0	1594	{
sl@0	1595	cont:
sl@0	1596	ERR_clear_error();
sl@0	1597	}
sl@0	1598
sl@0	1599	/* we should setup a certificate to return.... */
sl@0	1600	s->s3->tmp.cert_req=1;
sl@0	1601	s->s3->tmp.ctype_num=ctype_num;
sl@0	1602	if (s->s3->tmp.ca_names != NULL)
sl@0	1603	sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
sl@0	1604	s->s3->tmp.ca_names=ca_sk;
sl@0	1605	ca_sk=NULL;
sl@0	1606
sl@0	1607	ret=1;
sl@0	1608	err:
sl@0	1609	if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
sl@0	1610	return(ret);
sl@0	1611	}
sl@0	1612
sl@0	1613	static int ca_dn_cmp(const X509_NAME * const a, const X509_NAME const *b)
sl@0	1614	{
sl@0	1615	return(X509_NAME_cmp(a,b));
sl@0	1616	}
sl@0	1617
sl@0	1618	int ssl3_get_server_done(SSL *s)
sl@0	1619	{
sl@0	1620	int ok,ret=0;
sl@0	1621	long n;
sl@0	1622
sl@0	1623	n=s->method->ssl_get_message(s,
sl@0	1624	SSL3_ST_CR_SRVR_DONE_A,
sl@0	1625	SSL3_ST_CR_SRVR_DONE_B,
sl@0	1626	SSL3_MT_SERVER_DONE,
sl@0	1627	30, /* should be very small, like 0 :-) */
sl@0	1628	&ok);
sl@0	1629
sl@0	1630	if (!ok) return((int)n);
sl@0	1631	if (n > 0)
sl@0	1632	{
sl@0	1633	/* should contain no data */
sl@0	1634	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
sl@0	1635	SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
sl@0	1636	return -1;
sl@0	1637	}
sl@0	1638	ret=1;
sl@0	1639	return(ret);
sl@0	1640	}
sl@0	1641
sl@0	1642
sl@0	1643	int ssl3_send_client_key_exchange(SSL *s)
sl@0	1644	{
sl@0	1645	unsigned char p,d;
sl@0	1646	int n;
sl@0	1647	unsigned long l;
sl@0	1648	#ifndef OPENSSL_NO_RSA
sl@0	1649	unsigned char *q;
sl@0	1650	EVP_PKEY *pkey=NULL;
sl@0	1651	#endif
sl@0	1652	#ifndef OPENSSL_NO_KRB5
sl@0	1653	KSSL_ERR kssl_err;
sl@0	1654	#endif /* OPENSSL_NO_KRB5 */
sl@0	1655	#ifndef OPENSSL_NO_ECDH
sl@0	1656	EC_KEY *clnt_ecdh = NULL;
sl@0	1657	const EC_POINT *srvr_ecpoint = NULL;
sl@0	1658	EVP_PKEY *srvr_pub_pkey = NULL;
sl@0	1659	unsigned char *encodedPoint = NULL;
sl@0	1660	int encoded_pt_len = 0;
sl@0	1661	BN_CTX * bn_ctx = NULL;
sl@0	1662	#endif
sl@0	1663
sl@0	1664	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
sl@0	1665	{
sl@0	1666	d=(unsigned char *)s->init_buf->data;
sl@0	1667	p= &(d[4]);
sl@0	1668
sl@0	1669	l=s->s3->tmp.new_cipher->algorithms;
sl@0	1670
sl@0	1671	/* Fool emacs indentation */
sl@0	1672	if (0) {}
sl@0	1673	#ifndef OPENSSL_NO_RSA
sl@0	1674	else if (l & SSL_kRSA)
sl@0	1675	{
sl@0	1676	RSA *rsa;
sl@0	1677	unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
sl@0	1678
sl@0	1679	if (s->session->sess_cert->peer_rsa_tmp != NULL)
sl@0	1680	rsa=s->session->sess_cert->peer_rsa_tmp;
sl@0	1681	else
sl@0	1682	{
sl@0	1683	pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
sl@0	1684	if ((pkey == NULL) \|\|
sl@0	1685	(pkey->type != EVP_PKEY_RSA) \|\|
sl@0	1686	(pkey->pkey.rsa == NULL))
sl@0	1687	{
sl@0	1688	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
sl@0	1689	goto err;
sl@0	1690	}
sl@0	1691	rsa=pkey->pkey.rsa;
sl@0	1692	EVP_PKEY_free(pkey);
sl@0	1693	}
sl@0	1694
sl@0	1695	tmp_buf[0]=s->client_version>>8;
sl@0	1696	tmp_buf[1]=s->client_version&0xff;
sl@0	1697	if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
sl@0	1698	goto err;
sl@0	1699
sl@0	1700	s->session->master_key_length=sizeof tmp_buf;
sl@0	1701
sl@0	1702	q=p;
sl@0	1703	/* Fix buf for TLS and beyond */
sl@0	1704	if (s->version > SSL3_VERSION)
sl@0	1705	p+=2;
sl@0	1706	n=RSA_public_encrypt(sizeof tmp_buf,
sl@0	1707	tmp_buf,p,rsa,RSA_PKCS1_PADDING);
sl@0	1708	#ifdef PKCS1_CHECK
sl@0	1709	if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
sl@0	1710	if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
sl@0	1711	#endif
sl@0	1712	if (n <= 0)
sl@0	1713	{
sl@0	1714	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
sl@0	1715	goto err;
sl@0	1716	}
sl@0	1717
sl@0	1718	/* Fix buf for TLS and beyond */
sl@0	1719	if (s->version > SSL3_VERSION)
sl@0	1720	{
sl@0	1721	s2n(n,q);
sl@0	1722	n+=2;
sl@0	1723	}
sl@0	1724
sl@0	1725	s->session->master_key_length=
sl@0	1726	s->method->ssl3_enc->generate_master_secret(s,
sl@0	1727	s->session->master_key,
sl@0	1728	tmp_buf,sizeof tmp_buf);
sl@0	1729	OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
sl@0	1730	}
sl@0	1731	#endif
sl@0	1732	#ifndef OPENSSL_NO_KRB5
sl@0	1733	else if (l & SSL_kKRB5)
sl@0	1734	{
sl@0	1735	krb5_error_code krb5rc;
sl@0	1736	KSSL_CTX *kssl_ctx = s->kssl_ctx;
sl@0	1737	/* krb5_data krb5_ap_req; */
sl@0	1738	krb5_data *enc_ticket;
sl@0	1739	krb5_data authenticator, *authp = NULL;
sl@0	1740	EVP_CIPHER_CTX ciph_ctx;
sl@0	1741	EVP_CIPHER *enc = NULL;
sl@0	1742	unsigned char iv[EVP_MAX_IV_LENGTH];
sl@0	1743	unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
sl@0	1744	unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
sl@0	1745	+ EVP_MAX_IV_LENGTH];
sl@0	1746	int padl, outl = sizeof(epms);
sl@0	1747
sl@0	1748	EVP_CIPHER_CTX_init(&ciph_ctx);
sl@0	1749
sl@0	1750	#ifdef KSSL_DEBUG
sl@0	1751	printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
sl@0	1752	l, SSL_kKRB5);
sl@0	1753	#endif /* KSSL_DEBUG */
sl@0	1754
sl@0	1755	authp = NULL;
sl@0	1756	#ifdef KRB5SENDAUTH
sl@0	1757	if (KRB5SENDAUTH) authp = &authenticator;
sl@0	1758	#endif /* KRB5SENDAUTH */
sl@0	1759
sl@0	1760	krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
sl@0	1761	&kssl_err);
sl@0	1762	enc = kssl_map_enc(kssl_ctx->enctype);
sl@0	1763	if (enc == NULL)
sl@0	1764	goto err;
sl@0	1765	#ifdef KSSL_DEBUG
sl@0	1766	{
sl@0	1767	printf("kssl_cget_tkt rtn %d\n", krb5rc);
sl@0	1768	if (krb5rc && kssl_err.text)
sl@0	1769	printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
sl@0	1770	}
sl@0	1771	#endif /* KSSL_DEBUG */
sl@0	1772
sl@0	1773	if (krb5rc)
sl@0	1774	{
sl@0	1775	ssl3_send_alert(s,SSL3_AL_FATAL,
sl@0	1776	SSL_AD_HANDSHAKE_FAILURE);
sl@0	1777	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
sl@0	1778	kssl_err.reason);
sl@0	1779	goto err;
sl@0	1780	}
sl@0	1781
sl@0	1782	/* 20010406 VRS - Earlier versions used KRB5 AP_REQ
sl@0	1783	** in place of RFC 2712 KerberosWrapper, as in:
sl@0	1784	**
sl@0	1785	** Send ticket (copy to *p, set n = length)
sl@0	1786	** n = krb5_ap_req.length;
sl@0	1787	** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
sl@0	1788	** if (krb5_ap_req.data)
sl@0	1789	** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
sl@0	1790	**
sl@0	1791	** Now using real RFC 2712 KerberosWrapper
sl@0	1792	** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
sl@0	1793	** Note: 2712 "opaque" types are here replaced
sl@0	1794	** with a 2-byte length followed by the value.
sl@0	1795	** Example:
sl@0	1796	** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
sl@0	1797	** Where "xx xx" = length bytes. Shown here with
sl@0	1798	** optional authenticator omitted.
sl@0	1799	*/
sl@0	1800
sl@0	1801	/* KerberosWrapper.Ticket */
sl@0	1802	s2n(enc_ticket->length,p);
sl@0	1803	memcpy(p, enc_ticket->data, enc_ticket->length);
sl@0	1804	p+= enc_ticket->length;
sl@0	1805	n = enc_ticket->length + 2;
sl@0	1806
sl@0	1807	/* KerberosWrapper.Authenticator */
sl@0	1808	if (authp && authp->length)
sl@0	1809	{
sl@0	1810	s2n(authp->length,p);
sl@0	1811	memcpy(p, authp->data, authp->length);
sl@0	1812	p+= authp->length;
sl@0	1813	n+= authp->length + 2;
sl@0	1814
sl@0	1815	free(authp->data);
sl@0	1816	authp->data = NULL;
sl@0	1817	authp->length = 0;
sl@0	1818	}
sl@0	1819	else
sl@0	1820	{
sl@0	1821	s2n(0,p);/* null authenticator length */
sl@0	1822	n+=2;
sl@0	1823	}
sl@0	1824
sl@0	1825	tmp_buf[0]=s->client_version>>8;
sl@0	1826	tmp_buf[1]=s->client_version&0xff;
sl@0	1827	if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
sl@0	1828	goto err;
sl@0	1829
sl@0	1830	/* 20010420 VRS. Tried it this way; failed.
sl@0	1831	** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
sl@0	1832	** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
sl@0	1833	** kssl_ctx->length);
sl@0	1834	** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
sl@0	1835	*/
sl@0	1836
sl@0	1837	memset(iv, 0, sizeof iv); /* per RFC 1510 */
sl@0	1838	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
sl@0	1839	kssl_ctx->key,iv);
sl@0	1840	EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
sl@0	1841	sizeof tmp_buf);
sl@0	1842	EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
sl@0	1843	outl += padl;
sl@0	1844	if (outl > sizeof epms)
sl@0	1845	{
sl@0	1846	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
sl@0	1847	goto err;
sl@0	1848	}
sl@0	1849	EVP_CIPHER_CTX_cleanup(&ciph_ctx);
sl@0	1850
sl@0	1851	/* KerberosWrapper.EncryptedPreMasterSecret */
sl@0	1852	s2n(outl,p);
sl@0	1853	memcpy(p, epms, outl);
sl@0	1854	p+=outl;
sl@0	1855	n+=outl + 2;
sl@0	1856
sl@0	1857	s->session->master_key_length=
sl@0	1858	s->method->ssl3_enc->generate_master_secret(s,
sl@0	1859	s->session->master_key,
sl@0	1860	tmp_buf, sizeof tmp_buf);
sl@0	1861
sl@0	1862	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
sl@0	1863	OPENSSL_cleanse(epms, outl);
sl@0	1864	}
sl@0	1865	#endif
sl@0	1866	#ifndef OPENSSL_NO_DH
sl@0	1867	else if (l & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd))
sl@0	1868	{
sl@0	1869	DH dh_srvr,dh_clnt;
sl@0	1870
sl@0	1871	if (s->session->sess_cert->peer_dh_tmp != NULL)
sl@0	1872	dh_srvr=s->session->sess_cert->peer_dh_tmp;
sl@0	1873	else
sl@0	1874	{
sl@0	1875	/* we get them from the cert */
sl@0	1876	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
sl@0	1877	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
sl@0	1878	goto err;
sl@0	1879	}
sl@0	1880
sl@0	1881	/* generate a new random key */
sl@0	1882	if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
sl@0	1883	{
sl@0	1884	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	1885	goto err;
sl@0	1886	}
sl@0	1887	if (!DH_generate_key(dh_clnt))
sl@0	1888	{
sl@0	1889	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	1890	goto err;
sl@0	1891	}
sl@0	1892
sl@0	1893	/* use the 'p' output buffer for the DH key, but
sl@0	1894	* make sure to clear it out afterwards */
sl@0	1895
sl@0	1896	n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
sl@0	1897
sl@0	1898	if (n <= 0)
sl@0	1899	{
sl@0	1900	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	1901	goto err;
sl@0	1902	}
sl@0	1903
sl@0	1904	/* generate master key from the result */
sl@0	1905	s->session->master_key_length=
sl@0	1906	s->method->ssl3_enc->generate_master_secret(s,
sl@0	1907	s->session->master_key,p,n);
sl@0	1908	/* clean up */
sl@0	1909	memset(p,0,n);
sl@0	1910
sl@0	1911	/* send off the data */
sl@0	1912	n=BN_num_bytes(dh_clnt->pub_key);
sl@0	1913	s2n(n,p);
sl@0	1914	BN_bn2bin(dh_clnt->pub_key,p);
sl@0	1915	n+=2;
sl@0	1916
sl@0	1917	DH_free(dh_clnt);
sl@0	1918
sl@0	1919	/* perhaps clean things up a bit EAY EAY EAY EAY*/
sl@0	1920	}
sl@0	1921	#endif
sl@0	1922
sl@0	1923	#ifndef OPENSSL_NO_ECDH
sl@0	1924	else if ((l & SSL_kECDH) \|\| (l & SSL_kECDHE))
sl@0	1925	{
sl@0	1926	const EC_GROUP *srvr_group = NULL;
sl@0	1927	EC_KEY *tkey;
sl@0	1928	int ecdh_clnt_cert = 0;
sl@0	1929	int field_size = 0;
sl@0	1930
sl@0	1931	/* Did we send out the client's
sl@0	1932	* ECDH share for use in premaster
sl@0	1933	* computation as part of client certificate?
sl@0	1934	* If so, set ecdh_clnt_cert to 1.
sl@0	1935	*/
sl@0	1936	if ((l & SSL_kECDH) && (s->cert != NULL))
sl@0	1937	{
sl@0	1938	/* XXX: For now, we do not support client
sl@0	1939	* authentication using ECDH certificates.
sl@0	1940	* To add such support, one needs to add
sl@0	1941	* code that checks for appropriate
sl@0	1942	* conditions and sets ecdh_clnt_cert to 1.
sl@0	1943	* For example, the cert have an ECC
sl@0	1944	* key on the same curve as the server's
sl@0	1945	* and the key should be authorized for
sl@0	1946	* key agreement.
sl@0	1947	*
sl@0	1948	* One also needs to add code in ssl3_connect
sl@0	1949	* to skip sending the certificate verify
sl@0	1950	* message.
sl@0	1951	*
sl@0	1952	* if ((s->cert->key->privatekey != NULL) &&
sl@0	1953	* (s->cert->key->privatekey->type ==
sl@0	1954	* EVP_PKEY_EC) && ...)
sl@0	1955	* ecdh_clnt_cert = 1;
sl@0	1956	*/
sl@0	1957	}
sl@0	1958
sl@0	1959	if (s->session->sess_cert->peer_ecdh_tmp != NULL)
sl@0	1960	{
sl@0	1961	tkey = s->session->sess_cert->peer_ecdh_tmp;
sl@0	1962	}
sl@0	1963	else
sl@0	1964	{
sl@0	1965	/* Get the Server Public Key from Cert */
sl@0	1966	srvr_pub_pkey = X509_get_pubkey(s->session-> \
sl@0	1967	sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
sl@0	1968	if ((srvr_pub_pkey == NULL) \|\|
sl@0	1969	(srvr_pub_pkey->type != EVP_PKEY_EC) \|\|
sl@0	1970	(srvr_pub_pkey->pkey.ec == NULL))
sl@0	1971	{
sl@0	1972	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
sl@0	1973	ERR_R_INTERNAL_ERROR);
sl@0	1974	goto err;
sl@0	1975	}
sl@0	1976
sl@0	1977	tkey = srvr_pub_pkey->pkey.ec;
sl@0	1978	}
sl@0	1979
sl@0	1980	srvr_group = EC_KEY_get0_group(tkey);
sl@0	1981	srvr_ecpoint = EC_KEY_get0_public_key(tkey);
sl@0	1982
sl@0	1983	if ((srvr_group == NULL) \|\| (srvr_ecpoint == NULL))
sl@0	1984	{
sl@0	1985	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
sl@0	1986	ERR_R_INTERNAL_ERROR);
sl@0	1987	goto err;
sl@0	1988	}
sl@0	1989
sl@0	1990	if ((clnt_ecdh=EC_KEY_new()) == NULL)
sl@0	1991	{
sl@0	1992	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
sl@0	1993	goto err;
sl@0	1994	}
sl@0	1995
sl@0	1996	if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
sl@0	1997	{
sl@0	1998	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
sl@0	1999	goto err;
sl@0	2000	}
sl@0	2001	if (ecdh_clnt_cert)
sl@0	2002	{
sl@0	2003	/* Reuse key info from our certificate
sl@0	2004	* We only need our private key to perform
sl@0	2005	* the ECDH computation.
sl@0	2006	*/
sl@0	2007	const BIGNUM *priv_key;
sl@0	2008	tkey = s->cert->key->privatekey->pkey.ec;
sl@0	2009	priv_key = EC_KEY_get0_private_key(tkey);
sl@0	2010	if (priv_key == NULL)
sl@0	2011	{
sl@0	2012	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
sl@0	2013	goto err;
sl@0	2014	}
sl@0	2015	if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
sl@0	2016	{
sl@0	2017	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
sl@0	2018	goto err;
sl@0	2019	}
sl@0	2020	}
sl@0	2021	else
sl@0	2022	{
sl@0	2023	/* Generate a new ECDH key pair */
sl@0	2024	if (!(EC_KEY_generate_key(clnt_ecdh)))
sl@0	2025	{
sl@0	2026	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
sl@0	2027	goto err;
sl@0	2028	}
sl@0	2029	}
sl@0	2030
sl@0	2031	/* use the 'p' output buffer for the ECDH key, but
sl@0	2032	* make sure to clear it out afterwards
sl@0	2033	*/
sl@0	2034
sl@0	2035	field_size = EC_GROUP_get_degree(srvr_group);
sl@0	2036	if (field_size <= 0)
sl@0	2037	{
sl@0	2038	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
sl@0	2039	ERR_R_ECDH_LIB);
sl@0	2040	goto err;
sl@0	2041	}
sl@0	2042	n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
sl@0	2043	if (n <= 0)
sl@0	2044	{
sl@0	2045	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
sl@0	2046	ERR_R_ECDH_LIB);
sl@0	2047	goto err;
sl@0	2048	}
sl@0	2049
sl@0	2050	/* generate master key from the result */
sl@0	2051	s->session->master_key_length = s->method->ssl3_enc \
sl@0	2052	-> generate_master_secret(s,
sl@0	2053	s->session->master_key,
sl@0	2054	p, n);
sl@0	2055
sl@0	2056	memset(p, 0, n); /* clean up */
sl@0	2057
sl@0	2058	if (ecdh_clnt_cert)
sl@0	2059	{
sl@0	2060	/* Send empty client key exch message */
sl@0	2061	n = 0;
sl@0	2062	}
sl@0	2063	else
sl@0	2064	{
sl@0	2065	/* First check the size of encoding and
sl@0	2066	* allocate memory accordingly.
sl@0	2067	*/
sl@0	2068	encoded_pt_len =
sl@0	2069	EC_POINT_point2oct(srvr_group,
sl@0	2070	EC_KEY_get0_public_key(clnt_ecdh),
sl@0	2071	POINT_CONVERSION_UNCOMPRESSED,
sl@0	2072	NULL, 0, NULL);
sl@0	2073
sl@0	2074	encodedPoint = (unsigned char *)
sl@0	2075	OPENSSL_malloc(encoded_pt_len *
sl@0	2076	sizeof(unsigned char));
sl@0	2077	bn_ctx = BN_CTX_new();
sl@0	2078	if ((encodedPoint == NULL) \|\|
sl@0	2079	(bn_ctx == NULL))
sl@0	2080	{
sl@0	2081	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
sl@0	2082	goto err;
sl@0	2083	}
sl@0	2084
sl@0	2085	/* Encode the public key */
sl@0	2086	n = EC_POINT_point2oct(srvr_group,
sl@0	2087	EC_KEY_get0_public_key(clnt_ecdh),
sl@0	2088	POINT_CONVERSION_UNCOMPRESSED,
sl@0	2089	encodedPoint, encoded_pt_len, bn_ctx);
sl@0	2090
sl@0	2091	p = n; / length of encoded point */
sl@0	2092	/* Encoded point will be copied here */
sl@0	2093	p += 1;
sl@0	2094	/* copy the point */
sl@0	2095	memcpy((unsigned char *)p, encodedPoint, n);
sl@0	2096	/* increment n to account for length field */
sl@0	2097	n += 1;
sl@0	2098	}
sl@0	2099
sl@0	2100	/* Free allocated memory */
sl@0	2101	BN_CTX_free(bn_ctx);
sl@0	2102	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
sl@0	2103	if (clnt_ecdh != NULL)
sl@0	2104	EC_KEY_free(clnt_ecdh);
sl@0	2105	EVP_PKEY_free(srvr_pub_pkey);
sl@0	2106	}
sl@0	2107	#endif /* !OPENSSL_NO_ECDH */
sl@0	2108	else
sl@0	2109	{
sl@0	2110	ssl3_send_alert(s, SSL3_AL_FATAL,
sl@0	2111	SSL_AD_HANDSHAKE_FAILURE);
sl@0	2112	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
sl@0	2113	ERR_R_INTERNAL_ERROR);
sl@0	2114	goto err;
sl@0	2115	}
sl@0	2116
sl@0	2117	*(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
sl@0	2118	l2n3(n,d);
sl@0	2119
sl@0	2120	s->state=SSL3_ST_CW_KEY_EXCH_B;
sl@0	2121	/* number of bytes to write */
sl@0	2122	s->init_num=n+4;
sl@0	2123	s->init_off=0;
sl@0	2124	}
sl@0	2125
sl@0	2126	/* SSL3_ST_CW_KEY_EXCH_B */
sl@0	2127	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	2128	err:
sl@0	2129	#ifndef OPENSSL_NO_ECDH
sl@0	2130	BN_CTX_free(bn_ctx);
sl@0	2131	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
sl@0	2132	if (clnt_ecdh != NULL)
sl@0	2133	EC_KEY_free(clnt_ecdh);
sl@0	2134	EVP_PKEY_free(srvr_pub_pkey);
sl@0	2135	#endif
sl@0	2136	return(-1);
sl@0	2137	}
sl@0	2138
sl@0	2139	int ssl3_send_client_verify(SSL *s)
sl@0	2140	{
sl@0	2141	unsigned char p,d;
sl@0	2142	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
sl@0	2143	EVP_PKEY *pkey;
sl@0	2144	#ifndef OPENSSL_NO_RSA
sl@0	2145	unsigned u=0;
sl@0	2146	#endif
sl@0	2147	unsigned long n;
sl@0	2148	#if !defined(OPENSSL_NO_DSA) \|\| !defined(OPENSSL_NO_ECDSA)
sl@0	2149	int j;
sl@0	2150	#endif
sl@0	2151
sl@0	2152	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
sl@0	2153	{
sl@0	2154	d=(unsigned char *)s->init_buf->data;
sl@0	2155	p= &(d[4]);
sl@0	2156	pkey=s->cert->key->privatekey;
sl@0	2157
sl@0	2158	s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
sl@0	2159	&(data[MD5_DIGEST_LENGTH]));
sl@0	2160
sl@0	2161	#ifndef OPENSSL_NO_RSA
sl@0	2162	if (pkey->type == EVP_PKEY_RSA)
sl@0	2163	{
sl@0	2164	s->method->ssl3_enc->cert_verify_mac(s,
sl@0	2165	&(s->s3->finish_dgst1),&(data[0]));
sl@0	2166	if (RSA_sign(NID_md5_sha1, data,
sl@0	2167	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
sl@0	2168	&(p[2]), &u, pkey->pkey.rsa) <= 0 )
sl@0	2169	{
sl@0	2170	SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
sl@0	2171	goto err;
sl@0	2172	}
sl@0	2173	s2n(u,p);
sl@0	2174	n=u+2;
sl@0	2175	}
sl@0	2176	else
sl@0	2177	#endif
sl@0	2178	#ifndef OPENSSL_NO_DSA
sl@0	2179	if (pkey->type == EVP_PKEY_DSA)
sl@0	2180	{
sl@0	2181	if (!DSA_sign(pkey->save_type,
sl@0	2182	&(data[MD5_DIGEST_LENGTH]),
sl@0	2183	SHA_DIGEST_LENGTH,&(p[2]),
sl@0	2184	(unsigned int *)&j,pkey->pkey.dsa))
sl@0	2185	{
sl@0	2186	SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
sl@0	2187	goto err;
sl@0	2188	}
sl@0	2189	s2n(j,p);
sl@0	2190	n=j+2;
sl@0	2191	}
sl@0	2192	else
sl@0	2193	#endif
sl@0	2194	#ifndef OPENSSL_NO_ECDSA
sl@0	2195	if (pkey->type == EVP_PKEY_EC)
sl@0	2196	{
sl@0	2197	if (!ECDSA_sign(pkey->save_type,
sl@0	2198	&(data[MD5_DIGEST_LENGTH]),
sl@0	2199	SHA_DIGEST_LENGTH,&(p[2]),
sl@0	2200	(unsigned int *)&j,pkey->pkey.ec))
sl@0	2201	{
sl@0	2202	SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
sl@0	2203	ERR_R_ECDSA_LIB);
sl@0	2204	goto err;
sl@0	2205	}
sl@0	2206	s2n(j,p);
sl@0	2207	n=j+2;
sl@0	2208	}
sl@0	2209	else
sl@0	2210	#endif
sl@0	2211	{
sl@0	2212	SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
sl@0	2213	goto err;
sl@0	2214	}
sl@0	2215	*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
sl@0	2216	l2n3(n,d);
sl@0	2217
sl@0	2218	s->state=SSL3_ST_CW_CERT_VRFY_B;
sl@0	2219	s->init_num=(int)n+4;
sl@0	2220	s->init_off=0;
sl@0	2221	}
sl@0	2222	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	2223	err:
sl@0	2224	return(-1);
sl@0	2225	}
sl@0	2226
sl@0	2227	int ssl3_send_client_certificate(SSL *s)
sl@0	2228	{
sl@0	2229	X509 *x509=NULL;
sl@0	2230	EVP_PKEY *pkey=NULL;
sl@0	2231	int i;
sl@0	2232	unsigned long l;
sl@0	2233
sl@0	2234	if (s->state == SSL3_ST_CW_CERT_A)
sl@0	2235	{
sl@0	2236	if ((s->cert == NULL) \|\|
sl@0	2237	(s->cert->key->x509 == NULL) \|\|
sl@0	2238	(s->cert->key->privatekey == NULL))
sl@0	2239	s->state=SSL3_ST_CW_CERT_B;
sl@0	2240	else
sl@0	2241	s->state=SSL3_ST_CW_CERT_C;
sl@0	2242	}
sl@0	2243
sl@0	2244	/* We need to get a client cert */
sl@0	2245	if (s->state == SSL3_ST_CW_CERT_B)
sl@0	2246	{
sl@0	2247	/* If we get an error, we need to
sl@0	2248	* ssl->rwstate=SSL_X509_LOOKUP; return(-1);
sl@0	2249	* We then get retied later */
sl@0	2250	i=0;
sl@0	2251	if (s->ctx->client_cert_cb != NULL)
sl@0	2252	i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
sl@0	2253	if (i < 0)
sl@0	2254	{
sl@0	2255	s->rwstate=SSL_X509_LOOKUP;
sl@0	2256	return(-1);
sl@0	2257	}
sl@0	2258	s->rwstate=SSL_NOTHING;
sl@0	2259	if ((i == 1) && (pkey != NULL) && (x509 != NULL))
sl@0	2260	{
sl@0	2261	s->state=SSL3_ST_CW_CERT_B;
sl@0	2262	if ( !SSL_use_certificate(s,x509) \|\|
sl@0	2263	!SSL_use_PrivateKey(s,pkey))
sl@0	2264	i=0;
sl@0	2265	}
sl@0	2266	else if (i == 1)
sl@0	2267	{
sl@0	2268	i=0;
sl@0	2269	SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
sl@0	2270	}
sl@0	2271
sl@0	2272	if (x509 != NULL) X509_free(x509);
sl@0	2273	if (pkey != NULL) EVP_PKEY_free(pkey);
sl@0	2274	if (i == 0)
sl@0	2275	{
sl@0	2276	if (s->version == SSL3_VERSION)
sl@0	2277	{
sl@0	2278	s->s3->tmp.cert_req=0;
sl@0	2279	ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
sl@0	2280	return(1);
sl@0	2281	}
sl@0	2282	else
sl@0	2283	{
sl@0	2284	s->s3->tmp.cert_req=2;
sl@0	2285	}
sl@0	2286	}
sl@0	2287
sl@0	2288	/* Ok, we have a cert */
sl@0	2289	s->state=SSL3_ST_CW_CERT_C;
sl@0	2290	}
sl@0	2291
sl@0	2292	if (s->state == SSL3_ST_CW_CERT_C)
sl@0	2293	{
sl@0	2294	s->state=SSL3_ST_CW_CERT_D;
sl@0	2295	l=ssl3_output_cert_chain(s,
sl@0	2296	(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
sl@0	2297	s->init_num=(int)l;
sl@0	2298	s->init_off=0;
sl@0	2299	}
sl@0	2300	/* SSL3_ST_CW_CERT_D */
sl@0	2301	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	2302	}
sl@0	2303
sl@0	2304	#define has_bits(i,m) (((i)&(m)) == (m))
sl@0	2305
sl@0	2306	int ssl3_check_cert_and_algorithm(SSL *s)
sl@0	2307	{
sl@0	2308	int i,idx;
sl@0	2309	long algs;
sl@0	2310	EVP_PKEY *pkey=NULL;
sl@0	2311	SESS_CERT *sc;
sl@0	2312	#ifndef OPENSSL_NO_RSA
sl@0	2313	RSA *rsa;
sl@0	2314	#endif
sl@0	2315	#ifndef OPENSSL_NO_DH
sl@0	2316	DH *dh;
sl@0	2317	#endif
sl@0	2318
sl@0	2319	sc=s->session->sess_cert;
sl@0	2320
sl@0	2321	algs=s->s3->tmp.new_cipher->algorithms;
sl@0	2322
sl@0	2323	/* we don't have a certificate */
sl@0	2324	if (algs & (SSL_aDH\|SSL_aNULL\|SSL_aKRB5))
sl@0	2325	return(1);
sl@0	2326
sl@0	2327	if (sc == NULL)
sl@0	2328	{
sl@0	2329	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
sl@0	2330	goto err;
sl@0	2331	}
sl@0	2332
sl@0	2333	#ifndef OPENSSL_NO_RSA
sl@0	2334	rsa=s->session->sess_cert->peer_rsa_tmp;
sl@0	2335	#endif
sl@0	2336	#ifndef OPENSSL_NO_DH
sl@0	2337	dh=s->session->sess_cert->peer_dh_tmp;
sl@0	2338	#endif
sl@0	2339
sl@0	2340	/* This is the passed certificate */
sl@0	2341
sl@0	2342	idx=sc->peer_cert_type;
sl@0	2343	#ifndef OPENSSL_NO_ECDH
sl@0	2344	if (idx == SSL_PKEY_ECC)
sl@0	2345	{
sl@0	2346	if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
sl@0	2347	s->s3->tmp.new_cipher) == 0)
sl@0	2348	{ /* check failed */
sl@0	2349	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
sl@0	2350	goto f_err;
sl@0	2351	}
sl@0	2352	else
sl@0	2353	{
sl@0	2354	return 1;
sl@0	2355	}
sl@0	2356	}
sl@0	2357	#endif
sl@0	2358	pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
sl@0	2359	i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
sl@0	2360	EVP_PKEY_free(pkey);
sl@0	2361
sl@0	2362
sl@0	2363	/* Check that we have a certificate if we require one */
sl@0	2364	if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA\|EVP_PKT_SIGN))
sl@0	2365	{
sl@0	2366	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
sl@0	2367	goto f_err;
sl@0	2368	}
sl@0	2369	#ifndef OPENSSL_NO_DSA
sl@0	2370	else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA\|EVP_PKT_SIGN))
sl@0	2371	{
sl@0	2372	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
sl@0	2373	goto f_err;
sl@0	2374	}
sl@0	2375	#endif
sl@0	2376	#ifndef OPENSSL_NO_RSA
sl@0	2377	if ((algs & SSL_kRSA) &&
sl@0	2378	!(has_bits(i,EVP_PK_RSA\|EVP_PKT_ENC) \|\| (rsa != NULL)))
sl@0	2379	{
sl@0	2380	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
sl@0	2381	goto f_err;
sl@0	2382	}
sl@0	2383	#endif
sl@0	2384	#ifndef OPENSSL_NO_DH
sl@0	2385	if ((algs & SSL_kEDH) &&
sl@0	2386	!(has_bits(i,EVP_PK_DH\|EVP_PKT_EXCH) \|\| (dh != NULL)))
sl@0	2387	{
sl@0	2388	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
sl@0	2389	goto f_err;
sl@0	2390	}
sl@0	2391	else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH\|EVP_PKS_RSA))
sl@0	2392	{
sl@0	2393	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
sl@0	2394	goto f_err;
sl@0	2395	}
sl@0	2396	#ifndef OPENSSL_NO_DSA
sl@0	2397	else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH\|EVP_PKS_DSA))
sl@0	2398	{
sl@0	2399	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
sl@0	2400	goto f_err;
sl@0	2401	}
sl@0	2402	#endif
sl@0	2403	#endif
sl@0	2404
sl@0	2405	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
sl@0	2406	{
sl@0	2407	#ifndef OPENSSL_NO_RSA
sl@0	2408	if (algs & SSL_kRSA)
sl@0	2409	{
sl@0	2410	if (rsa == NULL
sl@0	2411	\|\| RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
sl@0	2412	{
sl@0	2413	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
sl@0	2414	goto f_err;
sl@0	2415	}
sl@0	2416	}
sl@0	2417	else
sl@0	2418	#endif
sl@0	2419	#ifndef OPENSSL_NO_DH
sl@0	2420	if (algs & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd))
sl@0	2421	{
sl@0	2422	if (dh == NULL
sl@0	2423	\|\| DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
sl@0	2424	{
sl@0	2425	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
sl@0	2426	goto f_err;
sl@0	2427	}
sl@0	2428	}
sl@0	2429	else
sl@0	2430	#endif
sl@0	2431	{
sl@0	2432	SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
sl@0	2433	goto f_err;
sl@0	2434	}
sl@0	2435	}
sl@0	2436	return(1);
sl@0	2437	f_err:
sl@0	2438	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
sl@0	2439	err:
sl@0	2440	return(0);
sl@0	2441	}
sl@0	2442
sl@0	2443
sl@0	2444	#ifndef OPENSSL_NO_ECDH
sl@0	2445	/* This is the complement of nid2curve_id in s3_srvr.c. */
sl@0	2446	static int curve_id2nid(int curve_id)
sl@0	2447	{
sl@0	2448	/* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
sl@0	2449	* (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
sl@0	2450	static int nid_list[26] =
sl@0	2451	{
sl@0	2452	0,
sl@0	2453	NID_sect163k1, /* sect163k1 (1) */
sl@0	2454	NID_sect163r1, /* sect163r1 (2) */
sl@0	2455	NID_sect163r2, /* sect163r2 (3) */
sl@0	2456	NID_sect193r1, /* sect193r1 (4) */
sl@0	2457	NID_sect193r2, /* sect193r2 (5) */
sl@0	2458	NID_sect233k1, /* sect233k1 (6) */
sl@0	2459	NID_sect233r1, /* sect233r1 (7) */
sl@0	2460	NID_sect239k1, /* sect239k1 (8) */
sl@0	2461	NID_sect283k1, /* sect283k1 (9) */
sl@0	2462	NID_sect283r1, /* sect283r1 (10) */
sl@0	2463	NID_sect409k1, /* sect409k1 (11) */
sl@0	2464	NID_sect409r1, /* sect409r1 (12) */
sl@0	2465	NID_sect571k1, /* sect571k1 (13) */
sl@0	2466	NID_sect571r1, /* sect571r1 (14) */
sl@0	2467	NID_secp160k1, /* secp160k1 (15) */
sl@0	2468	NID_secp160r1, /* secp160r1 (16) */
sl@0	2469	NID_secp160r2, /* secp160r2 (17) */
sl@0	2470	NID_secp192k1, /* secp192k1 (18) */
sl@0	2471	NID_X9_62_prime192v1, /* secp192r1 (19) */
sl@0	2472	NID_secp224k1, /* secp224k1 (20) */
sl@0	2473	NID_secp224r1, /* secp224r1 (21) */
sl@0	2474	NID_secp256k1, /* secp256k1 (22) */
sl@0	2475	NID_X9_62_prime256v1, /* secp256r1 (23) */
sl@0	2476	NID_secp384r1, /* secp384r1 (24) */
sl@0	2477	NID_secp521r1 /* secp521r1 (25) */
sl@0	2478	};
sl@0	2479
sl@0	2480	if ((curve_id < 1) \|\| (curve_id > 25)) return 0;
sl@0	2481
sl@0	2482	return nid_list[curve_id];
sl@0	2483	}
sl@0	2484	#endif
sl@0	2485
sl@0	2486

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--