Symaptic: os/ossrv/ssl/libssl/src/s3_srvr.c@bde4ae8d615e (annotated)

sl@0	1	/* ssl/s3_srvr.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58	/* ====================================================================
sl@0	59	* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
sl@0	60	*
sl@0	61	* Redistribution and use in source and binary forms, with or without
sl@0	62	* modification, are permitted provided that the following conditions
sl@0	63	* are met:
sl@0	64	*
sl@0	65	* 1. Redistributions of source code must retain the above copyright
sl@0	66	* notice, this list of conditions and the following disclaimer.
sl@0	67	*
sl@0	68	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	69	* notice, this list of conditions and the following disclaimer in
sl@0	70	* the documentation and/or other materials provided with the
sl@0	71	* distribution.
sl@0	72	*
sl@0	73	* 3. All advertising materials mentioning features or use of this
sl@0	74	* software must display the following acknowledgment:
sl@0	75	* "This product includes software developed by the OpenSSL Project
sl@0	76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
sl@0	77	*
sl@0	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	79	* endorse or promote products derived from this software without
sl@0	80	* prior written permission. For written permission, please contact
sl@0	81	* openssl-core@openssl.org.
sl@0	82	*
sl@0	83	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	84	* nor may "OpenSSL" appear in their names without prior written
sl@0	85	* permission of the OpenSSL Project.
sl@0	86	*
sl@0	87	* 6. Redistributions of any form whatsoever must retain the following
sl@0	88	* acknowledgment:
sl@0	89	* "This product includes software developed by the OpenSSL Project
sl@0	90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
sl@0	91	*
sl@0	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	104	* ====================================================================
sl@0	105	*
sl@0	106	* This product includes cryptographic software written by Eric Young
sl@0	107	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	108	* Hudson (tjh@cryptsoft.com).
sl@0	109	*
sl@0	110	*/
sl@0	111	/* ====================================================================
sl@0	112	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
sl@0	113	*
sl@0	114	* Portions of the attached software ("Contribution") are developed by
sl@0	115	* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
sl@0	116	*
sl@0	117	* The Contribution is licensed pursuant to the OpenSSL open source
sl@0	118	* license provided above.
sl@0	119	*
sl@0	120	* ECC cipher suite support in OpenSSL originally written by
sl@0	121	* Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
sl@0	122	*
sl@0	123	*/
sl@0	124	/*
sl@0	125	© Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
sl@0	126	*/
sl@0	127
sl@0	128	#define REUSE_CIPHER_BUG
sl@0	129	#define NETSCAPE_HANG_BUG
sl@0	130
sl@0	131	#include <stdio.h>
sl@0	132	#include "ssl_locl.h"
sl@0	133	#include "kssl_lcl.h"
sl@0	134	#include <openssl/buffer.h>
sl@0	135	#include <openssl/rand.h>
sl@0	136	#include <openssl/objects.h>
sl@0	137	#include <openssl/evp.h>
sl@0	138	#include <openssl/hmac.h>
sl@0	139	#include <openssl/x509.h>
sl@0	140	#ifndef OPENSSL_NO_DH
sl@0	141	#include <openssl/dh.h>
sl@0	142	#endif
sl@0	143	#include <openssl/bn.h>
sl@0	144	#ifndef OPENSSL_NO_KRB5
sl@0	145	#include <openssl/krb5_asn.h>
sl@0	146	#endif
sl@0	147	#include <openssl/md5.h>
sl@0	148
sl@0	149	#if (defined(SYMBIAN) && (defined(__WINSCW__) \|\| defined(__WINS__)))
sl@0	150	#include "libssl_wsd.h"
sl@0	151	#endif
sl@0	152
sl@0	153	#ifdef EMULATOR
sl@0	154
sl@0	155	GET_STATIC_VAR_FROM_TLS(SSLv3_server_method_data,s3_srvr,SSL_METHOD)
sl@0	156
sl@0	157	#define SSLv3_server_method_data (*GET_WSD_VAR_NAME(SSLv3_server_method_data,s3_srvr,s)())
sl@0	158
sl@0	159	#endif
sl@0	160
sl@0	161	static SSL_METHOD *ssl3_get_server_method(int ver);
sl@0	162
sl@0	163	#ifndef OPENSSL_NO_ECDH
sl@0	164	static int nid2curve_id(int nid);
sl@0	165	#endif
sl@0	166
sl@0	167	static SSL_METHOD *ssl3_get_server_method(int ver)
sl@0	168	{
sl@0	169	if (ver == SSL3_VERSION)
sl@0	170	return(SSLv3_server_method());
sl@0	171	else
sl@0	172	return(NULL);
sl@0	173	}
sl@0	174
sl@0	175	EXPORT_C IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
sl@0	176	ssl3_accept,
sl@0	177	ssl_undefined_function,
sl@0	178	ssl3_get_server_method)
sl@0	179
sl@0	180	int ssl3_accept(SSL *s)
sl@0	181	{
sl@0	182	BUF_MEM *buf;
sl@0	183	unsigned long l,Time=(unsigned long)time(NULL);
sl@0	184	void (cb)(const SSL ssl,int type,int val)=NULL;
sl@0	185	long num1;
sl@0	186	int ret= -1;
sl@0	187	int new_state,state,skip=0;
sl@0	188
sl@0	189	RAND_add(&Time,sizeof(Time),0);
sl@0	190	ERR_clear_error();
sl@0	191	clear_sys_error();
sl@0	192
sl@0	193	if (s->info_callback != NULL)
sl@0	194	cb=s->info_callback;
sl@0	195	else if (s->ctx->info_callback != NULL)
sl@0	196	cb=s->ctx->info_callback;
sl@0	197
sl@0	198	/* init things to blank */
sl@0	199	s->in_handshake++;
sl@0	200	if (!SSL_in_init(s) \|\| SSL_in_before(s)) SSL_clear(s);
sl@0	201
sl@0	202	if (s->cert == NULL)
sl@0	203	{
sl@0	204	SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
sl@0	205	return(-1);
sl@0	206	}
sl@0	207
sl@0	208	for (;;)
sl@0	209	{
sl@0	210	state=s->state;
sl@0	211
sl@0	212	switch (s->state)
sl@0	213	{
sl@0	214	case SSL_ST_RENEGOTIATE:
sl@0	215	s->new_session=1;
sl@0	216	/* s->state=SSL_ST_ACCEPT; */
sl@0	217
sl@0	218	case SSL_ST_BEFORE:
sl@0	219	case SSL_ST_ACCEPT:
sl@0	220	case SSL_ST_BEFORE\|SSL_ST_ACCEPT:
sl@0	221	case SSL_ST_OK\|SSL_ST_ACCEPT:
sl@0	222
sl@0	223	s->server=1;
sl@0	224	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
sl@0	225
sl@0	226	if ((s->version>>8) != 3)
sl@0	227	{
sl@0	228	SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
sl@0	229	return -1;
sl@0	230	}
sl@0	231	s->type=SSL_ST_ACCEPT;
sl@0	232
sl@0	233	if (s->init_buf == NULL)
sl@0	234	{
sl@0	235	if ((buf=BUF_MEM_new()) == NULL)
sl@0	236	{
sl@0	237	ret= -1;
sl@0	238	goto end;
sl@0	239	}
sl@0	240	if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
sl@0	241	{
sl@0	242	ret= -1;
sl@0	243	goto end;
sl@0	244	}
sl@0	245	s->init_buf=buf;
sl@0	246	}
sl@0	247
sl@0	248	if (!ssl3_setup_buffers(s))
sl@0	249	{
sl@0	250	ret= -1;
sl@0	251	goto end;
sl@0	252	}
sl@0	253
sl@0	254	s->init_num=0;
sl@0	255
sl@0	256	if (s->state != SSL_ST_RENEGOTIATE)
sl@0	257	{
sl@0	258	/* Ok, we now need to push on a buffering BIO so that
sl@0	259	* the output is sent in a way that TCP likes :-)
sl@0	260	*/
sl@0	261	if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
sl@0	262
sl@0	263	ssl3_init_finished_mac(s);
sl@0	264	s->state=SSL3_ST_SR_CLNT_HELLO_A;
sl@0	265	s->ctx->stats.sess_accept++;
sl@0	266	}
sl@0	267	else
sl@0	268	{
sl@0	269	/* s->state == SSL_ST_RENEGOTIATE,
sl@0	270	* we will just send a HelloRequest */
sl@0	271	s->ctx->stats.sess_accept_renegotiate++;
sl@0	272	s->state=SSL3_ST_SW_HELLO_REQ_A;
sl@0	273	}
sl@0	274	break;
sl@0	275
sl@0	276	case SSL3_ST_SW_HELLO_REQ_A:
sl@0	277	case SSL3_ST_SW_HELLO_REQ_B:
sl@0	278
sl@0	279	s->shutdown=0;
sl@0	280	ret=ssl3_send_hello_request(s);
sl@0	281	if (ret <= 0) goto end;
sl@0	282	s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
sl@0	283	s->state=SSL3_ST_SW_FLUSH;
sl@0	284	s->init_num=0;
sl@0	285
sl@0	286	ssl3_init_finished_mac(s);
sl@0	287	break;
sl@0	288
sl@0	289	case SSL3_ST_SW_HELLO_REQ_C:
sl@0	290	s->state=SSL_ST_OK;
sl@0	291	break;
sl@0	292
sl@0	293	case SSL3_ST_SR_CLNT_HELLO_A:
sl@0	294	case SSL3_ST_SR_CLNT_HELLO_B:
sl@0	295	case SSL3_ST_SR_CLNT_HELLO_C:
sl@0	296
sl@0	297	s->shutdown=0;
sl@0	298	ret=ssl3_get_client_hello(s);
sl@0	299	if (ret <= 0) goto end;
sl@0	300	s->new_session = 2;
sl@0	301	s->state=SSL3_ST_SW_SRVR_HELLO_A;
sl@0	302	s->init_num=0;
sl@0	303	break;
sl@0	304
sl@0	305	case SSL3_ST_SW_SRVR_HELLO_A:
sl@0	306	case SSL3_ST_SW_SRVR_HELLO_B:
sl@0	307	ret=ssl3_send_server_hello(s);
sl@0	308	if (ret <= 0) goto end;
sl@0	309
sl@0	310	if (s->hit)
sl@0	311	s->state=SSL3_ST_SW_CHANGE_A;
sl@0	312	else
sl@0	313	s->state=SSL3_ST_SW_CERT_A;
sl@0	314	s->init_num=0;
sl@0	315	break;
sl@0	316
sl@0	317	case SSL3_ST_SW_CERT_A:
sl@0	318	case SSL3_ST_SW_CERT_B:
sl@0	319	/* Check if it is anon DH or anon ECDH or KRB5 */
sl@0	320	if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
sl@0	321	&& !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
sl@0	322	{
sl@0	323	ret=ssl3_send_server_certificate(s);
sl@0	324	if (ret <= 0) goto end;
sl@0	325	}
sl@0	326	else
sl@0	327	skip=1;
sl@0	328	s->state=SSL3_ST_SW_KEY_EXCH_A;
sl@0	329	s->init_num=0;
sl@0	330	break;
sl@0	331
sl@0	332	case SSL3_ST_SW_KEY_EXCH_A:
sl@0	333	case SSL3_ST_SW_KEY_EXCH_B:
sl@0	334	l=s->s3->tmp.new_cipher->algorithms;
sl@0	335
sl@0	336	/* clear this, it may get reset by
sl@0	337	* send_server_key_exchange */
sl@0	338	if ((s->options & SSL_OP_EPHEMERAL_RSA)
sl@0	339	#ifndef OPENSSL_NO_KRB5
sl@0	340	&& !(l & SSL_KRB5)
sl@0	341	#endif /* OPENSSL_NO_KRB5 */
sl@0	342	)
sl@0	343	/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
sl@0	344	* even when forbidden by protocol specs
sl@0	345	* (handshake may fail as clients are not required to
sl@0	346	* be able to handle this) */
sl@0	347	s->s3->tmp.use_rsa_tmp=1;
sl@0	348	else
sl@0	349	s->s3->tmp.use_rsa_tmp=0;
sl@0	350
sl@0	351
sl@0	352	/* only send if a DH key exchange, fortezza or
sl@0	353	* RSA but we have a sign only certificate
sl@0	354	*
sl@0	355	* For ECC ciphersuites, we send a serverKeyExchange
sl@0	356	* message only if the cipher suite is either
sl@0	357	* ECDH-anon or ECDHE. In other cases, the
sl@0	358	* server certificate contains the server's
sl@0	359	* public key for key exchange.
sl@0	360	*/
sl@0	361	if (s->s3->tmp.use_rsa_tmp
sl@0	362	\|\| (l & SSL_kECDHE)
sl@0	363	\|\| (l & (SSL_DH\|SSL_kFZA))
sl@0	364	\|\| ((l & SSL_kRSA)
sl@0	365	&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
sl@0	366	\|\| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
sl@0	367	&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
sl@0	368	)
sl@0	369	)
sl@0	370	)
sl@0	371	)
sl@0	372	{
sl@0	373	ret=ssl3_send_server_key_exchange(s);
sl@0	374	if (ret <= 0) goto end;
sl@0	375	}
sl@0	376	else
sl@0	377	skip=1;
sl@0	378
sl@0	379	s->state=SSL3_ST_SW_CERT_REQ_A;
sl@0	380	s->init_num=0;
sl@0	381	break;
sl@0	382
sl@0	383	case SSL3_ST_SW_CERT_REQ_A:
sl@0	384	case SSL3_ST_SW_CERT_REQ_B:
sl@0	385	if (/* don't request cert unless asked for it: */
sl@0	386	!(s->verify_mode & SSL_VERIFY_PEER) \|\|
sl@0	387	/* if SSL_VERIFY_CLIENT_ONCE is set,
sl@0	388	* don't request cert during re-negotiation: */
sl@0	389	((s->session->peer != NULL) &&
sl@0	390	(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) \|\|
sl@0	391	/* never request cert in anonymous ciphersuites
sl@0	392	* (see section "Certificate request" in SSL 3 drafts
sl@0	393	* and in RFC 2246): */
sl@0	394	((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
sl@0	395	/* ... except when the application insists on verification
sl@0	396	* (against the specs, but s3_clnt.c accepts this for SSL 3) */
sl@0	397	!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) \|\|
sl@0	398	/* never request cert in Kerberos ciphersuites */
sl@0	399	(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
sl@0	400	{
sl@0	401	/* no cert request */
sl@0	402	skip=1;
sl@0	403	s->s3->tmp.cert_request=0;
sl@0	404	s->state=SSL3_ST_SW_SRVR_DONE_A;
sl@0	405	}
sl@0	406	else
sl@0	407	{
sl@0	408	s->s3->tmp.cert_request=1;
sl@0	409	ret=ssl3_send_certificate_request(s);
sl@0	410	if (ret <= 0) goto end;
sl@0	411	#ifndef NETSCAPE_HANG_BUG
sl@0	412	s->state=SSL3_ST_SW_SRVR_DONE_A;
sl@0	413	#else
sl@0	414	s->state=SSL3_ST_SW_FLUSH;
sl@0	415	s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
sl@0	416	#endif
sl@0	417	s->init_num=0;
sl@0	418	}
sl@0	419	break;
sl@0	420
sl@0	421	case SSL3_ST_SW_SRVR_DONE_A:
sl@0	422	case SSL3_ST_SW_SRVR_DONE_B:
sl@0	423	ret=ssl3_send_server_done(s);
sl@0	424	if (ret <= 0) goto end;
sl@0	425	s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
sl@0	426	s->state=SSL3_ST_SW_FLUSH;
sl@0	427	s->init_num=0;
sl@0	428	break;
sl@0	429
sl@0	430	case SSL3_ST_SW_FLUSH:
sl@0	431	/* number of bytes to be flushed */
sl@0	432	num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
sl@0	433	if (num1 > 0)
sl@0	434	{
sl@0	435	s->rwstate=SSL_WRITING;
sl@0	436	num1=BIO_flush(s->wbio);
sl@0	437	if (num1 <= 0) { ret= -1; goto end; }
sl@0	438	s->rwstate=SSL_NOTHING;
sl@0	439	}
sl@0	440
sl@0	441	s->state=s->s3->tmp.next_state;
sl@0	442	break;
sl@0	443
sl@0	444	case SSL3_ST_SR_CERT_A:
sl@0	445	case SSL3_ST_SR_CERT_B:
sl@0	446	/* Check for second client hello (MS SGC) */
sl@0	447	ret = ssl3_check_client_hello(s);
sl@0	448	if (ret <= 0)
sl@0	449	goto end;
sl@0	450	if (ret == 2)
sl@0	451	s->state = SSL3_ST_SR_CLNT_HELLO_C;
sl@0	452	else {
sl@0	453	if (s->s3->tmp.cert_request)
sl@0	454	{
sl@0	455	ret=ssl3_get_client_certificate(s);
sl@0	456	if (ret <= 0) goto end;
sl@0	457	}
sl@0	458	s->init_num=0;
sl@0	459	s->state=SSL3_ST_SR_KEY_EXCH_A;
sl@0	460	}
sl@0	461	break;
sl@0	462
sl@0	463	case SSL3_ST_SR_KEY_EXCH_A:
sl@0	464	case SSL3_ST_SR_KEY_EXCH_B:
sl@0	465	ret=ssl3_get_client_key_exchange(s);
sl@0	466	if (ret <= 0)
sl@0	467	goto end;
sl@0	468	if (ret == 2)
sl@0	469	{
sl@0	470	/* For the ECDH ciphersuites when
sl@0	471	* the client sends its ECDH pub key in
sl@0	472	* a certificate, the CertificateVerify
sl@0	473	* message is not sent.
sl@0	474	*/
sl@0	475	s->state=SSL3_ST_SR_FINISHED_A;
sl@0	476	s->init_num = 0;
sl@0	477	}
sl@0	478	else
sl@0	479	{
sl@0	480	s->state=SSL3_ST_SR_CERT_VRFY_A;
sl@0	481	s->init_num=0;
sl@0	482
sl@0	483	/* We need to get hashes here so if there is
sl@0	484	* a client cert, it can be verified
sl@0	485	*/
sl@0	486	s->method->ssl3_enc->cert_verify_mac(s,
sl@0	487	&(s->s3->finish_dgst1),
sl@0	488	&(s->s3->tmp.cert_verify_md[0]));
sl@0	489	s->method->ssl3_enc->cert_verify_mac(s,
sl@0	490	&(s->s3->finish_dgst2),
sl@0	491	&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
sl@0	492	}
sl@0	493	break;
sl@0	494
sl@0	495	case SSL3_ST_SR_CERT_VRFY_A:
sl@0	496	case SSL3_ST_SR_CERT_VRFY_B:
sl@0	497
sl@0	498	/* we should decide if we expected this one */
sl@0	499	ret=ssl3_get_cert_verify(s);
sl@0	500	if (ret <= 0) goto end;
sl@0	501
sl@0	502	s->state=SSL3_ST_SR_FINISHED_A;
sl@0	503	s->init_num=0;
sl@0	504	break;
sl@0	505
sl@0	506	case SSL3_ST_SR_FINISHED_A:
sl@0	507	case SSL3_ST_SR_FINISHED_B:
sl@0	508	ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
sl@0	509	SSL3_ST_SR_FINISHED_B);
sl@0	510	if (ret <= 0) goto end;
sl@0	511	if (s->hit)
sl@0	512	s->state=SSL_ST_OK;
sl@0	513
sl@0	514	else
sl@0	515	s->state=SSL3_ST_SW_CHANGE_A;
sl@0	516	s->init_num=0;
sl@0	517	break;
sl@0	518
sl@0	519
sl@0	520
sl@0	521	case SSL3_ST_SW_CHANGE_A:
sl@0	522	case SSL3_ST_SW_CHANGE_B:
sl@0	523
sl@0	524	s->session->cipher=s->s3->tmp.new_cipher;
sl@0	525	if (!s->method->ssl3_enc->setup_key_block(s))
sl@0	526	{ ret= -1; goto end; }
sl@0	527
sl@0	528	ret=ssl3_send_change_cipher_spec(s,
sl@0	529	SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
sl@0	530
sl@0	531	if (ret <= 0) goto end;
sl@0	532	s->state=SSL3_ST_SW_FINISHED_A;
sl@0	533	s->init_num=0;
sl@0	534
sl@0	535	if (!s->method->ssl3_enc->change_cipher_state(s,
sl@0	536	SSL3_CHANGE_CIPHER_SERVER_WRITE))
sl@0	537	{
sl@0	538	ret= -1;
sl@0	539	goto end;
sl@0	540	}
sl@0	541
sl@0	542	break;
sl@0	543
sl@0	544	case SSL3_ST_SW_FINISHED_A:
sl@0	545	case SSL3_ST_SW_FINISHED_B:
sl@0	546	ret=ssl3_send_finished(s,
sl@0	547	SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
sl@0	548	s->method->ssl3_enc->server_finished_label,
sl@0	549	s->method->ssl3_enc->server_finished_label_len);
sl@0	550	if (ret <= 0) goto end;
sl@0	551	s->state=SSL3_ST_SW_FLUSH;
sl@0	552	if (s->hit)
sl@0	553	s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
sl@0	554	else
sl@0	555	s->s3->tmp.next_state=SSL_ST_OK;
sl@0	556	s->init_num=0;
sl@0	557	break;
sl@0	558
sl@0	559	case SSL_ST_OK:
sl@0	560	/* clean a few things up */
sl@0	561	ssl3_cleanup_key_block(s);
sl@0	562
sl@0	563	BUF_MEM_free(s->init_buf);
sl@0	564	s->init_buf=NULL;
sl@0	565
sl@0	566	/* remove buffering on output */
sl@0	567	ssl_free_wbio_buffer(s);
sl@0	568
sl@0	569	s->init_num=0;
sl@0	570
sl@0	571	if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
sl@0	572	{
sl@0	573	/* actually not necessarily a 'new' session unless
sl@0	574	* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
sl@0	575
sl@0	576	s->new_session=0;
sl@0	577
sl@0	578	ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
sl@0	579
sl@0	580	s->ctx->stats.sess_accept_good++;
sl@0	581	/* s->server=1; */
sl@0	582	s->handshake_func=ssl3_accept;
sl@0	583
sl@0	584	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
sl@0	585	}
sl@0	586
sl@0	587	ret = 1;
sl@0	588	goto end;
sl@0	589	/* break; */
sl@0	590
sl@0	591	default:
sl@0	592	SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
sl@0	593	ret= -1;
sl@0	594	goto end;
sl@0	595	/* break; */
sl@0	596	}
sl@0	597
sl@0	598	if (!s->s3->tmp.reuse_message && !skip)
sl@0	599	{
sl@0	600	if (s->debug)
sl@0	601	{
sl@0	602	if ((ret=BIO_flush(s->wbio)) <= 0)
sl@0	603	goto end;
sl@0	604	}
sl@0	605
sl@0	606
sl@0	607	if ((cb != NULL) && (s->state != state))
sl@0	608	{
sl@0	609	new_state=s->state;
sl@0	610	s->state=state;
sl@0	611	cb(s,SSL_CB_ACCEPT_LOOP,1);
sl@0	612	s->state=new_state;
sl@0	613	}
sl@0	614	}
sl@0	615	skip=0;
sl@0	616	}
sl@0	617	end:
sl@0	618	/* BIO_flush(s->wbio); */
sl@0	619
sl@0	620	s->in_handshake--;
sl@0	621	if (cb != NULL)
sl@0	622	cb(s,SSL_CB_ACCEPT_EXIT,ret);
sl@0	623	return(ret);
sl@0	624	}
sl@0	625
sl@0	626	int ssl3_send_hello_request(SSL *s)
sl@0	627	{
sl@0	628	unsigned char *p;
sl@0	629
sl@0	630	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
sl@0	631	{
sl@0	632	p=(unsigned char *)s->init_buf->data;
sl@0	633	*(p++)=SSL3_MT_HELLO_REQUEST;
sl@0	634	*(p++)=0;
sl@0	635	*(p++)=0;
sl@0	636	*(p++)=0;
sl@0	637
sl@0	638	s->state=SSL3_ST_SW_HELLO_REQ_B;
sl@0	639	/* number of bytes to write */
sl@0	640	s->init_num=4;
sl@0	641	s->init_off=0;
sl@0	642	}
sl@0	643
sl@0	644	/* SSL3_ST_SW_HELLO_REQ_B */
sl@0	645	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	646	}
sl@0	647
sl@0	648	int ssl3_check_client_hello(SSL *s)
sl@0	649	{
sl@0	650	int ok;
sl@0	651	long n;
sl@0	652
sl@0	653	/* this function is called when we really expect a Certificate message,
sl@0	654	* so permit appropriate message length */
sl@0	655	n=s->method->ssl_get_message(s,
sl@0	656	SSL3_ST_SR_CERT_A,
sl@0	657	SSL3_ST_SR_CERT_B,
sl@0	658	-1,
sl@0	659	s->max_cert_list,
sl@0	660	&ok);
sl@0	661	if (!ok) return((int)n);
sl@0	662	s->s3->tmp.reuse_message = 1;
sl@0	663	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
sl@0	664	{
sl@0	665	/* Throw away what we have done so far in the current handshake,
sl@0	666	* which will now be aborted. (A full SSL_clear would be too much.)
sl@0	667	* I hope that tmp.dh is the only thing that may need to be cleared
sl@0	668	* when a handshake is not completed ... */
sl@0	669	#ifndef OPENSSL_NO_DH
sl@0	670	if (s->s3->tmp.dh != NULL)
sl@0	671	{
sl@0	672	DH_free(s->s3->tmp.dh);
sl@0	673	s->s3->tmp.dh = NULL;
sl@0	674	}
sl@0	675	#endif
sl@0	676	return 2;
sl@0	677	}
sl@0	678	return 1;
sl@0	679	}
sl@0	680
sl@0	681	int ssl3_get_client_hello(SSL *s)
sl@0	682	{
sl@0	683	int i,j,ok,al,ret= -1;
sl@0	684	unsigned int cookie_len;
sl@0	685	long n;
sl@0	686	unsigned long id;
sl@0	687	unsigned char p,d,*q;
sl@0	688	SSL_CIPHER *c;
sl@0	689	#ifndef OPENSSL_NO_COMP
sl@0	690	SSL_COMP *comp=NULL;
sl@0	691	#endif
sl@0	692	STACK_OF(SSL_CIPHER) *ciphers=NULL;
sl@0	693
sl@0	694	/* We do this so that we will respond with our native type.
sl@0	695	* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
sl@0	696	* This down switching should be handled by a different method.
sl@0	697	* If we are SSLv3, we will respond with SSLv3, even if prompted with
sl@0	698	* TLSv1.
sl@0	699	*/
sl@0	700	if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
sl@0	701	{
sl@0	702	s->state=SSL3_ST_SR_CLNT_HELLO_B;
sl@0	703	}
sl@0	704	s->first_packet=1;
sl@0	705	n=s->method->ssl_get_message(s,
sl@0	706	SSL3_ST_SR_CLNT_HELLO_B,
sl@0	707	SSL3_ST_SR_CLNT_HELLO_C,
sl@0	708	SSL3_MT_CLIENT_HELLO,
sl@0	709	SSL3_RT_MAX_PLAIN_LENGTH,
sl@0	710	&ok);
sl@0	711
sl@0	712	if (!ok) return((int)n);
sl@0	713	s->first_packet=0;
sl@0	714	d=p=(unsigned char *)s->init_msg;
sl@0	715
sl@0	716	/* use version from inside client hello, not from record header
sl@0	717	* (may differ: see RFC 2246, Appendix E, second paragraph) */
sl@0	718	s->client_version=(((int)p[0])<<8)\|(int)p[1];
sl@0	719	p+=2;
sl@0	720
sl@0	721	if ((s->version == DTLS1_VERSION && s->client_version > s->version) \|\|
sl@0	722	(s->version != DTLS1_VERSION && s->client_version < s->version))
sl@0	723	{
sl@0	724	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
sl@0	725	if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
sl@0	726	{
sl@0	727	/* similar to ssl3_get_record, send alert using remote version number */
sl@0	728	s->version = s->client_version;
sl@0	729	}
sl@0	730	al = SSL_AD_PROTOCOL_VERSION;
sl@0	731	goto f_err;
sl@0	732	}
sl@0	733
sl@0	734	/* load the client random */
sl@0	735	memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
sl@0	736	p+=SSL3_RANDOM_SIZE;
sl@0	737
sl@0	738	/* get the session-id */
sl@0	739	j= *(p++);
sl@0	740
sl@0	741	s->hit=0;
sl@0	742	/* Versions before 0.9.7 always allow session reuse during renegotiation
sl@0	743	* (i.e. when s->new_session is true), option
sl@0	744	* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
sl@0	745	* Maybe this optional behaviour should always have been the default,
sl@0	746	* but we cannot safely change the default behaviour (or new applications
sl@0	747	* might be written that become totally unsecure when compiled with
sl@0	748	* an earlier library version)
sl@0	749	*/
sl@0	750	if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
sl@0	751	{
sl@0	752	if (!ssl_get_new_session(s,1))
sl@0	753	goto err;
sl@0	754	}
sl@0	755	else
sl@0	756	{
sl@0	757	i=ssl_get_prev_session(s, p, j, d + n);
sl@0	758	if (i == 1)
sl@0	759	{ /* previous session */
sl@0	760	s->hit=1;
sl@0	761	}
sl@0	762	else if (i == -1)
sl@0	763	goto err;
sl@0	764	else /* i == 0 */
sl@0	765	{
sl@0	766	if (!ssl_get_new_session(s,1))
sl@0	767	goto err;
sl@0	768	}
sl@0	769	}
sl@0	770
sl@0	771	p+=j;
sl@0	772
sl@0	773	if (s->version == DTLS1_VERSION)
sl@0	774	{
sl@0	775	/* cookie stuff */
sl@0	776	cookie_len = *(p++);
sl@0	777
sl@0	778	if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
sl@0	779	s->d1->send_cookie == 0)
sl@0	780	{
sl@0	781	/* HelloVerifyMessage has already been sent */
sl@0	782	if ( cookie_len != s->d1->cookie_len)
sl@0	783	{
sl@0	784	al = SSL_AD_HANDSHAKE_FAILURE;
sl@0	785	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
sl@0	786	goto f_err;
sl@0	787	}
sl@0	788	}
sl@0	789
sl@0	790	/*
sl@0	791	* The ClientHello may contain a cookie even if the
sl@0	792	* HelloVerify message has not been sent--make sure that it
sl@0	793	* does not cause an overflow.
sl@0	794	*/
sl@0	795	if ( cookie_len > sizeof(s->d1->rcvd_cookie))
sl@0	796	{
sl@0	797	/* too much data */
sl@0	798	al = SSL_AD_DECODE_ERROR;
sl@0	799	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
sl@0	800	goto f_err;
sl@0	801	}
sl@0	802
sl@0	803	/* verify the cookie if appropriate option is set. */
sl@0	804	if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
sl@0	805	cookie_len > 0)
sl@0	806	{
sl@0	807	memcpy(s->d1->rcvd_cookie, p, cookie_len);
sl@0	808
sl@0	809	if ( s->ctx->app_verify_cookie_cb != NULL)
sl@0	810	{
sl@0	811	if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
sl@0	812	cookie_len) == 0)
sl@0	813	{
sl@0	814	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	815	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
sl@0	816	SSL_R_COOKIE_MISMATCH);
sl@0	817	goto f_err;
sl@0	818	}
sl@0	819	/* else cookie verification succeeded */
sl@0	820	}
sl@0	821	else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
sl@0	822	s->d1->cookie_len) != 0) /* default verification */
sl@0	823	{
sl@0	824	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	825	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
sl@0	826	SSL_R_COOKIE_MISMATCH);
sl@0	827	goto f_err;
sl@0	828	}
sl@0	829	}
sl@0	830
sl@0	831	p += cookie_len;
sl@0	832	}
sl@0	833
sl@0	834	n2s(p,i);
sl@0	835	if ((i == 0) && (j != 0))
sl@0	836	{
sl@0	837	/* we need a cipher if we are not resuming a session */
sl@0	838	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	839	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
sl@0	840	goto f_err;
sl@0	841	}
sl@0	842	if ((p+i) >= (d+n))
sl@0	843	{
sl@0	844	/* not enough data */
sl@0	845	al=SSL_AD_DECODE_ERROR;
sl@0	846	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
sl@0	847	goto f_err;
sl@0	848	}
sl@0	849	if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
sl@0	850	== NULL))
sl@0	851	{
sl@0	852	goto err;
sl@0	853	}
sl@0	854	p+=i;
sl@0	855
sl@0	856	/* If it is a hit, check that the cipher is in the list */
sl@0	857	if ((s->hit) && (i > 0))
sl@0	858	{
sl@0	859	j=0;
sl@0	860	id=s->session->cipher->id;
sl@0	861
sl@0	862	#ifdef CIPHER_DEBUG
sl@0	863	printf("client sent %d ciphers\n",sk_num(ciphers));
sl@0	864	#endif
sl@0	865	for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
sl@0	866	{
sl@0	867	c=sk_SSL_CIPHER_value(ciphers,i);
sl@0	868	#ifdef CIPHER_DEBUG
sl@0	869	printf("client [%2d of %2d]:%s\n",
sl@0	870	i,sk_num(ciphers),SSL_CIPHER_get_name(c));
sl@0	871	#endif
sl@0	872	if (c->id == id)
sl@0	873	{
sl@0	874	j=1;
sl@0	875	break;
sl@0	876	}
sl@0	877	}
sl@0	878	if (j == 0)
sl@0	879	{
sl@0	880	if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
sl@0	881	{
sl@0	882	/* Very bad for multi-threading.... */
sl@0	883	s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
sl@0	884	}
sl@0	885	else
sl@0	886	{
sl@0	887	/* we need to have the cipher in the cipher
sl@0	888	* list if we are asked to reuse it */
sl@0	889	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	890	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
sl@0	891	goto f_err;
sl@0	892	}
sl@0	893	}
sl@0	894	}
sl@0	895
sl@0	896	/* compression */
sl@0	897	i= *(p++);
sl@0	898	if ((p+i) > (d+n))
sl@0	899	{
sl@0	900	/* not enough data */
sl@0	901	al=SSL_AD_DECODE_ERROR;
sl@0	902	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
sl@0	903	goto f_err;
sl@0	904	}
sl@0	905	q=p;
sl@0	906	for (j=0; j<i; j++)
sl@0	907	{
sl@0	908	if (p[j] == 0) break;
sl@0	909	}
sl@0	910
sl@0	911	p+=i;
sl@0	912	if (j >= i)
sl@0	913	{
sl@0	914	/* no compress */
sl@0	915	al=SSL_AD_DECODE_ERROR;
sl@0	916	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
sl@0	917	goto f_err;
sl@0	918	}
sl@0	919
sl@0	920
sl@0	921	/* Worst case, we will use the NULL compression, but if we have other
sl@0	922	* options, we will now look for them. We have i-1 compression
sl@0	923	* algorithms from the client, starting at q. */
sl@0	924	s->s3->tmp.new_compression=NULL;
sl@0	925	#ifndef OPENSSL_NO_COMP
sl@0	926	if (s->ctx->comp_methods != NULL)
sl@0	927	{ /* See if we have a match */
sl@0	928	int m,nn,o,v,done=0;
sl@0	929
sl@0	930	nn=sk_SSL_COMP_num(s->ctx->comp_methods);
sl@0	931	for (m=0; m<nn; m++)
sl@0	932	{
sl@0	933	comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
sl@0	934	v=comp->id;
sl@0	935	for (o=0; o<i; o++)
sl@0	936	{
sl@0	937	if (v == q[o])
sl@0	938	{
sl@0	939	done=1;
sl@0	940	break;
sl@0	941	}
sl@0	942	}
sl@0	943	if (done) break;
sl@0	944	}
sl@0	945	if (done)
sl@0	946	s->s3->tmp.new_compression=comp;
sl@0	947	else
sl@0	948	comp=NULL;
sl@0	949	}
sl@0	950	#endif
sl@0	951
sl@0	952	/* TLS does not mind if there is extra stuff */
sl@0	953	#if 0 /* SSL 3.0 does not mind either, so we should disable this test
sl@0	954	* (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
sl@0	955	* in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
sl@0	956	if (s->version == SSL3_VERSION)
sl@0	957	{
sl@0	958	if (p < (d+n))
sl@0	959	{
sl@0	960	/* wrong number of bytes,
sl@0	961	* there could be more to follow */
sl@0	962	al=SSL_AD_DECODE_ERROR;
sl@0	963	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
sl@0	964	goto f_err;
sl@0	965	}
sl@0	966	}
sl@0	967	#endif
sl@0	968
sl@0	969	/* Given s->session->ciphers and SSL_get_ciphers, we must
sl@0	970	* pick a cipher */
sl@0	971
sl@0	972	if (!s->hit)
sl@0	973	{
sl@0	974	#ifdef OPENSSL_NO_COMP
sl@0	975	s->session->compress_meth=0;
sl@0	976	#else
sl@0	977	s->session->compress_meth=(comp == NULL)?0:comp->id;
sl@0	978	#endif
sl@0	979	if (s->session->ciphers != NULL)
sl@0	980	sk_SSL_CIPHER_free(s->session->ciphers);
sl@0	981	s->session->ciphers=ciphers;
sl@0	982	if (ciphers == NULL)
sl@0	983	{
sl@0	984	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	985	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
sl@0	986	goto f_err;
sl@0	987	}
sl@0	988	ciphers=NULL;
sl@0	989	c=ssl3_choose_cipher(s,s->session->ciphers,
sl@0	990	SSL_get_ciphers(s));
sl@0	991
sl@0	992	if (c == NULL)
sl@0	993	{
sl@0	994	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	995	SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
sl@0	996	goto f_err;
sl@0	997	}
sl@0	998	s->s3->tmp.new_cipher=c;
sl@0	999	}
sl@0	1000	else
sl@0	1001	{
sl@0	1002	/* Session-id reuse */
sl@0	1003	#ifdef REUSE_CIPHER_BUG
sl@0	1004	STACK_OF(SSL_CIPHER) *sk;
sl@0	1005	SSL_CIPHER *nc=NULL;
sl@0	1006	SSL_CIPHER *ec=NULL;
sl@0	1007
sl@0	1008	if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
sl@0	1009	{
sl@0	1010	sk=s->session->ciphers;
sl@0	1011	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
sl@0	1012	{
sl@0	1013	c=sk_SSL_CIPHER_value(sk,i);
sl@0	1014	if (c->algorithms & SSL_eNULL)
sl@0	1015	nc=c;
sl@0	1016	if (SSL_C_IS_EXPORT(c))
sl@0	1017	ec=c;
sl@0	1018	}
sl@0	1019	if (nc != NULL)
sl@0	1020	s->s3->tmp.new_cipher=nc;
sl@0	1021	else if (ec != NULL)
sl@0	1022	s->s3->tmp.new_cipher=ec;
sl@0	1023	else
sl@0	1024	s->s3->tmp.new_cipher=s->session->cipher;
sl@0	1025	}
sl@0	1026	else
sl@0	1027	#endif
sl@0	1028	s->s3->tmp.new_cipher=s->session->cipher;
sl@0	1029	}
sl@0	1030
sl@0	1031	/* we now have the following setup.
sl@0	1032	* client_random
sl@0	1033	* cipher_list - our prefered list of ciphers
sl@0	1034	* ciphers - the clients prefered list of ciphers
sl@0	1035	* compression - basically ignored right now
sl@0	1036	* ssl version is set - sslv3
sl@0	1037	* s->session - The ssl session has been setup.
sl@0	1038	* s->hit - session reuse flag
sl@0	1039	* s->tmp.new_cipher - the new cipher to use.
sl@0	1040	*/
sl@0	1041
sl@0	1042	ret=1;
sl@0	1043	if (0)
sl@0	1044	{
sl@0	1045	f_err:
sl@0	1046	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	1047	}
sl@0	1048	err:
sl@0	1049	if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
sl@0	1050	return(ret);
sl@0	1051	}
sl@0	1052
sl@0	1053	int ssl3_send_server_hello(SSL *s)
sl@0	1054	{
sl@0	1055	unsigned char *buf;
sl@0	1056	unsigned char p,d;
sl@0	1057	int i,sl;
sl@0	1058	unsigned long l,Time;
sl@0	1059
sl@0	1060	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
sl@0	1061	{
sl@0	1062	buf=(unsigned char *)s->init_buf->data;
sl@0	1063	p=s->s3->server_random;
sl@0	1064	Time=(unsigned long)time(NULL); /* Time */
sl@0	1065	l2n(Time,p);
sl@0	1066	if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
sl@0	1067	return -1;
sl@0	1068	/* Do the message type and length last */
sl@0	1069	d=p= &(buf[4]);
sl@0	1070
sl@0	1071	*(p++)=s->version>>8;
sl@0	1072	*(p++)=s->version&0xff;
sl@0	1073
sl@0	1074	/* Random stuff */
sl@0	1075	memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
sl@0	1076	p+=SSL3_RANDOM_SIZE;
sl@0	1077
sl@0	1078	/* now in theory we have 3 options to sending back the
sl@0	1079	* session id. If it is a re-use, we send back the
sl@0	1080	* old session-id, if it is a new session, we send
sl@0	1081	* back the new session-id or we send back a 0 length
sl@0	1082	* session-id if we want it to be single use.
sl@0	1083	* Currently I will not implement the '0' length session-id
sl@0	1084	* 12-Jan-98 - I'll now support the '0' length stuff.
sl@0	1085	*/
sl@0	1086	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
sl@0	1087	s->session->session_id_length=0;
sl@0	1088
sl@0	1089	sl=s->session->session_id_length;
sl@0	1090	if (sl > (int)sizeof(s->session->session_id))
sl@0	1091	{
sl@0	1092	SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
sl@0	1093	return -1;
sl@0	1094	}
sl@0	1095	*(p++)=sl;
sl@0	1096	memcpy(p,s->session->session_id,sl);
sl@0	1097	p+=sl;
sl@0	1098
sl@0	1099	/* put the cipher */
sl@0	1100	i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
sl@0	1101	p+=i;
sl@0	1102
sl@0	1103	/* put the compression method */
sl@0	1104	#ifdef OPENSSL_NO_COMP
sl@0	1105	*(p++)=0;
sl@0	1106	#else
sl@0	1107	if (s->s3->tmp.new_compression == NULL)
sl@0	1108	*(p++)=0;
sl@0	1109	else
sl@0	1110	*(p++)=s->s3->tmp.new_compression->id;
sl@0	1111	#endif
sl@0	1112
sl@0	1113	/* do the header */
sl@0	1114	l=(p-d);
sl@0	1115	d=buf;
sl@0	1116	*(d++)=SSL3_MT_SERVER_HELLO;
sl@0	1117	l2n3(l,d);
sl@0	1118
sl@0	1119	s->state=SSL3_ST_CW_CLNT_HELLO_B;
sl@0	1120	/* number of bytes to write */
sl@0	1121	s->init_num=p-buf;
sl@0	1122	s->init_off=0;
sl@0	1123	}
sl@0	1124
sl@0	1125	/* SSL3_ST_CW_CLNT_HELLO_B */
sl@0	1126	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	1127	}
sl@0	1128
sl@0	1129	int ssl3_send_server_done(SSL *s)
sl@0	1130	{
sl@0	1131	unsigned char *p;
sl@0	1132
sl@0	1133	if (s->state == SSL3_ST_SW_SRVR_DONE_A)
sl@0	1134	{
sl@0	1135	p=(unsigned char *)s->init_buf->data;
sl@0	1136
sl@0	1137	/* do the header */
sl@0	1138	*(p++)=SSL3_MT_SERVER_DONE;
sl@0	1139	*(p++)=0;
sl@0	1140	*(p++)=0;
sl@0	1141	*(p++)=0;
sl@0	1142
sl@0	1143	s->state=SSL3_ST_SW_SRVR_DONE_B;
sl@0	1144	/* number of bytes to write */
sl@0	1145	s->init_num=4;
sl@0	1146	s->init_off=0;
sl@0	1147	}
sl@0	1148
sl@0	1149	/* SSL3_ST_CW_CLNT_HELLO_B */
sl@0	1150	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	1151	}
sl@0	1152
sl@0	1153	int ssl3_send_server_key_exchange(SSL *s)
sl@0	1154	{
sl@0	1155	#ifndef OPENSSL_NO_RSA
sl@0	1156	unsigned char *q;
sl@0	1157	int j,num;
sl@0	1158	RSA *rsa;
sl@0	1159	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
sl@0	1160	unsigned int u;
sl@0	1161	#endif
sl@0	1162	#ifndef OPENSSL_NO_DH
sl@0	1163	DH dh=NULL,dhp;
sl@0	1164	#endif
sl@0	1165	#ifndef OPENSSL_NO_ECDH
sl@0	1166	EC_KEY ecdh=NULL, ecdhp;
sl@0	1167	unsigned char *encodedPoint = NULL;
sl@0	1168	int encodedlen = 0;
sl@0	1169	int curve_id = 0;
sl@0	1170	BN_CTX *bn_ctx = NULL;
sl@0	1171	#endif
sl@0	1172	EVP_PKEY *pkey;
sl@0	1173	unsigned char p,d;
sl@0	1174	int al,i;
sl@0	1175	unsigned long type;
sl@0	1176	int n;
sl@0	1177	CERT *cert;
sl@0	1178	BIGNUM *r[4];
sl@0	1179	int nr[4],kn;
sl@0	1180	BUF_MEM *buf;
sl@0	1181	EVP_MD_CTX md_ctx;
sl@0	1182
sl@0	1183	EVP_MD_CTX_init(&md_ctx);
sl@0	1184	if (s->state == SSL3_ST_SW_KEY_EXCH_A)
sl@0	1185	{
sl@0	1186	type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
sl@0	1187	cert=s->cert;
sl@0	1188
sl@0	1189	buf=s->init_buf;
sl@0	1190
sl@0	1191	r[0]=r[1]=r[2]=r[3]=NULL;
sl@0	1192	n=0;
sl@0	1193	#ifndef OPENSSL_NO_RSA
sl@0	1194	if (type & SSL_kRSA)
sl@0	1195	{
sl@0	1196	rsa=cert->rsa_tmp;
sl@0	1197	if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
sl@0	1198	{
sl@0	1199	rsa=s->cert->rsa_tmp_cb(s,
sl@0	1200	SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
sl@0	1201	SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
sl@0	1202	if(rsa == NULL)
sl@0	1203	{
sl@0	1204	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1205	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
sl@0	1206	goto f_err;
sl@0	1207	}
sl@0	1208	RSA_up_ref(rsa);
sl@0	1209	cert->rsa_tmp=rsa;
sl@0	1210	}
sl@0	1211	if (rsa == NULL)
sl@0	1212	{
sl@0	1213	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1214	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
sl@0	1215	goto f_err;
sl@0	1216	}
sl@0	1217	r[0]=rsa->n;
sl@0	1218	r[1]=rsa->e;
sl@0	1219	s->s3->tmp.use_rsa_tmp=1;
sl@0	1220	}
sl@0	1221	else
sl@0	1222	#endif
sl@0	1223	#ifndef OPENSSL_NO_DH
sl@0	1224	if (type & SSL_kEDH)
sl@0	1225	{
sl@0	1226	dhp=cert->dh_tmp;
sl@0	1227	if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
sl@0	1228	dhp=s->cert->dh_tmp_cb(s,
sl@0	1229	SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
sl@0	1230	SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
sl@0	1231	if (dhp == NULL)
sl@0	1232	{
sl@0	1233	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1234	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
sl@0	1235	goto f_err;
sl@0	1236	}
sl@0	1237
sl@0	1238	if (s->s3->tmp.dh != NULL)
sl@0	1239	{
sl@0	1240	DH_free(dh);
sl@0	1241	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
sl@0	1242	goto err;
sl@0	1243	}
sl@0	1244
sl@0	1245	if ((dh=DHparams_dup(dhp)) == NULL)
sl@0	1246	{
sl@0	1247	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	1248	goto err;
sl@0	1249	}
sl@0	1250
sl@0	1251	s->s3->tmp.dh=dh;
sl@0	1252	if ((dhp->pub_key == NULL \|\|
sl@0	1253	dhp->priv_key == NULL \|\|
sl@0	1254	(s->options & SSL_OP_SINGLE_DH_USE)))
sl@0	1255	{
sl@0	1256	if(!DH_generate_key(dh))
sl@0	1257	{
sl@0	1258	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
sl@0	1259	ERR_R_DH_LIB);
sl@0	1260	goto err;
sl@0	1261	}
sl@0	1262	}
sl@0	1263	else
sl@0	1264	{
sl@0	1265	dh->pub_key=BN_dup(dhp->pub_key);
sl@0	1266	dh->priv_key=BN_dup(dhp->priv_key);
sl@0	1267	if ((dh->pub_key == NULL) \|\|
sl@0	1268	(dh->priv_key == NULL))
sl@0	1269	{
sl@0	1270	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	1271	goto err;
sl@0	1272	}
sl@0	1273	}
sl@0	1274	r[0]=dh->p;
sl@0	1275	r[1]=dh->g;
sl@0	1276	r[2]=dh->pub_key;
sl@0	1277	}
sl@0	1278	else
sl@0	1279	#endif
sl@0	1280	#ifndef OPENSSL_NO_ECDH
sl@0	1281	if (type & SSL_kECDHE)
sl@0	1282	{
sl@0	1283	const EC_GROUP *group;
sl@0	1284
sl@0	1285	ecdhp=cert->ecdh_tmp;
sl@0	1286	if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
sl@0	1287	{
sl@0	1288	ecdhp=s->cert->ecdh_tmp_cb(s,
sl@0	1289	SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
sl@0	1290	SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
sl@0	1291	}
sl@0	1292	if (ecdhp == NULL)
sl@0	1293	{
sl@0	1294	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1295	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
sl@0	1296	goto f_err;
sl@0	1297	}
sl@0	1298
sl@0	1299	if (s->s3->tmp.ecdh != NULL)
sl@0	1300	{
sl@0	1301	EC_KEY_free(s->s3->tmp.ecdh);
sl@0	1302	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
sl@0	1303	goto err;
sl@0	1304	}
sl@0	1305
sl@0	1306	/* Duplicate the ECDH structure. */
sl@0	1307	if (ecdhp == NULL)
sl@0	1308	{
sl@0	1309	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
sl@0	1310	goto err;
sl@0	1311	}
sl@0	1312	if (!EC_KEY_up_ref(ecdhp))
sl@0	1313	{
sl@0	1314	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
sl@0	1315	goto err;
sl@0	1316	}
sl@0	1317	ecdh = ecdhp;
sl@0	1318
sl@0	1319	s->s3->tmp.ecdh=ecdh;
sl@0	1320	if ((EC_KEY_get0_public_key(ecdh) == NULL) \|\|
sl@0	1321	(EC_KEY_get0_private_key(ecdh) == NULL) \|\|
sl@0	1322	(s->options & SSL_OP_SINGLE_ECDH_USE))
sl@0	1323	{
sl@0	1324	if(!EC_KEY_generate_key(ecdh))
sl@0	1325	{
sl@0	1326	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
sl@0	1327	goto err;
sl@0	1328	}
sl@0	1329	}
sl@0	1330
sl@0	1331	if (((group = EC_KEY_get0_group(ecdh)) == NULL) \|\|
sl@0	1332	(EC_KEY_get0_public_key(ecdh) == NULL) \|\|
sl@0	1333	(EC_KEY_get0_private_key(ecdh) == NULL))
sl@0	1334	{
sl@0	1335	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
sl@0	1336	goto err;
sl@0	1337	}
sl@0	1338
sl@0	1339	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
sl@0	1340	(EC_GROUP_get_degree(group) > 163))
sl@0	1341	{
sl@0	1342	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
sl@0	1343	goto err;
sl@0	1344	}
sl@0	1345
sl@0	1346	/* XXX: For now, we only support ephemeral ECDH
sl@0	1347	* keys over named (not generic) curves. For
sl@0	1348	* supported named curves, curve_id is non-zero.
sl@0	1349	*/
sl@0	1350	if ((curve_id =
sl@0	1351	nid2curve_id(EC_GROUP_get_curve_name(group)))
sl@0	1352	== 0)
sl@0	1353	{
sl@0	1354	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
sl@0	1355	goto err;
sl@0	1356	}
sl@0	1357
sl@0	1358	/* Encode the public key.
sl@0	1359	* First check the size of encoding and
sl@0	1360	* allocate memory accordingly.
sl@0	1361	*/
sl@0	1362	encodedlen = EC_POINT_point2oct(group,
sl@0	1363	EC_KEY_get0_public_key(ecdh),
sl@0	1364	POINT_CONVERSION_UNCOMPRESSED,
sl@0	1365	NULL, 0, NULL);
sl@0	1366
sl@0	1367	encodedPoint = (unsigned char *)
sl@0	1368	OPENSSL_malloc(encodedlen*sizeof(unsigned char));
sl@0	1369	bn_ctx = BN_CTX_new();
sl@0	1370	if ((encodedPoint == NULL) \|\| (bn_ctx == NULL))
sl@0	1371	{
sl@0	1372	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
sl@0	1373	goto err;
sl@0	1374	}
sl@0	1375
sl@0	1376
sl@0	1377	encodedlen = EC_POINT_point2oct(group,
sl@0	1378	EC_KEY_get0_public_key(ecdh),
sl@0	1379	POINT_CONVERSION_UNCOMPRESSED,
sl@0	1380	encodedPoint, encodedlen, bn_ctx);
sl@0	1381
sl@0	1382	if (encodedlen == 0)
sl@0	1383	{
sl@0	1384	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
sl@0	1385	goto err;
sl@0	1386	}
sl@0	1387
sl@0	1388	BN_CTX_free(bn_ctx); bn_ctx=NULL;
sl@0	1389
sl@0	1390	/* XXX: For now, we only support named (not
sl@0	1391	* generic) curves in ECDH ephemeral key exchanges.
sl@0	1392	* In this situation, we need four additional bytes
sl@0	1393	* to encode the entire ServerECDHParams
sl@0	1394	* structure.
sl@0	1395	*/
sl@0	1396	n = 4 + encodedlen;
sl@0	1397
sl@0	1398	/* We'll generate the serverKeyExchange message
sl@0	1399	* explicitly so we can set these to NULLs
sl@0	1400	*/
sl@0	1401	r[0]=NULL;
sl@0	1402	r[1]=NULL;
sl@0	1403	r[2]=NULL;
sl@0	1404	r[3]=NULL;
sl@0	1405	}
sl@0	1406	else
sl@0	1407	#endif /* !OPENSSL_NO_ECDH */
sl@0	1408	{
sl@0	1409	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1410	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
sl@0	1411	goto f_err;
sl@0	1412	}
sl@0	1413	for (i=0; r[i] != NULL; i++)
sl@0	1414	{
sl@0	1415	nr[i]=BN_num_bytes(r[i]);
sl@0	1416	n+=2+nr[i];
sl@0	1417	}
sl@0	1418
sl@0	1419	if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
sl@0	1420	{
sl@0	1421	if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
sl@0	1422	== NULL)
sl@0	1423	{
sl@0	1424	al=SSL_AD_DECODE_ERROR;
sl@0	1425	goto f_err;
sl@0	1426	}
sl@0	1427	kn=EVP_PKEY_size(pkey);
sl@0	1428	}
sl@0	1429	else
sl@0	1430	{
sl@0	1431	pkey=NULL;
sl@0	1432	kn=0;
sl@0	1433	}
sl@0	1434
sl@0	1435	if (!BUF_MEM_grow_clean(buf,n+4+kn))
sl@0	1436	{
sl@0	1437	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
sl@0	1438	goto err;
sl@0	1439	}
sl@0	1440	d=(unsigned char *)s->init_buf->data;
sl@0	1441	p= &(d[4]);
sl@0	1442
sl@0	1443	for (i=0; r[i] != NULL; i++)
sl@0	1444	{
sl@0	1445	s2n(nr[i],p);
sl@0	1446	BN_bn2bin(r[i],p);
sl@0	1447	p+=nr[i];
sl@0	1448	}
sl@0	1449
sl@0	1450	#ifndef OPENSSL_NO_ECDH
sl@0	1451	if (type & SSL_kECDHE)
sl@0	1452	{
sl@0	1453	/* XXX: For now, we only support named (not generic) curves.
sl@0	1454	* In this situation, the serverKeyExchange message has:
sl@0	1455	* [1 byte CurveType], [2 byte CurveName]
sl@0	1456	* [1 byte length of encoded point], followed by
sl@0	1457	* the actual encoded point itself
sl@0	1458	*/
sl@0	1459	*p = NAMED_CURVE_TYPE;
sl@0	1460	p += 1;
sl@0	1461	*p = 0;
sl@0	1462	p += 1;
sl@0	1463	*p = curve_id;
sl@0	1464	p += 1;
sl@0	1465	*p = encodedlen;
sl@0	1466	p += 1;
sl@0	1467	memcpy((unsigned char*)p,
sl@0	1468	(unsigned char *)encodedPoint,
sl@0	1469	encodedlen);
sl@0	1470	OPENSSL_free(encodedPoint);
sl@0	1471	p += encodedlen;
sl@0	1472	}
sl@0	1473	#endif
sl@0	1474
sl@0	1475	/* not anonymous */
sl@0	1476	if (pkey != NULL)
sl@0	1477	{
sl@0	1478	/* n is the length of the params, they start at &(d[4])
sl@0	1479	* and p points to the space at the end. */
sl@0	1480	#ifndef OPENSSL_NO_RSA
sl@0	1481	if (pkey->type == EVP_PKEY_RSA)
sl@0	1482	{
sl@0	1483	q=md_buf;
sl@0	1484	j=0;
sl@0	1485	for (num=2; num > 0; num--)
sl@0	1486	{
sl@0	1487	EVP_DigestInit_ex(&md_ctx,(num == 2)
sl@0	1488	?s->ctx->md5:s->ctx->sha1, NULL);
sl@0	1489	EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	1490	EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	1491	EVP_DigestUpdate(&md_ctx,&(d[4]),n);
sl@0	1492	EVP_DigestFinal_ex(&md_ctx,q,
sl@0	1493	(unsigned int *)&i);
sl@0	1494	q+=i;
sl@0	1495	j+=i;
sl@0	1496	}
sl@0	1497	if (RSA_sign(NID_md5_sha1, md_buf, j,
sl@0	1498	&(p[2]), &u, pkey->pkey.rsa) <= 0)
sl@0	1499	{
sl@0	1500	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
sl@0	1501	goto err;
sl@0	1502	}
sl@0	1503	s2n(u,p);
sl@0	1504	n+=u+2;
sl@0	1505	}
sl@0	1506	else
sl@0	1507	#endif
sl@0	1508	#if !defined(OPENSSL_NO_DSA)
sl@0	1509	if (pkey->type == EVP_PKEY_DSA)
sl@0	1510	{
sl@0	1511	/* lets do DSS */
sl@0	1512	EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
sl@0	1513	EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	1514	EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	1515	EVP_SignUpdate(&md_ctx,&(d[4]),n);
sl@0	1516	if (!EVP_SignFinal(&md_ctx,&(p[2]),
sl@0	1517	(unsigned int *)&i,pkey))
sl@0	1518	{
sl@0	1519	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
sl@0	1520	goto err;
sl@0	1521	}
sl@0	1522	s2n(i,p);
sl@0	1523	n+=i+2;
sl@0	1524	}
sl@0	1525	else
sl@0	1526	#endif
sl@0	1527	#if !defined(OPENSSL_NO_ECDSA)
sl@0	1528	if (pkey->type == EVP_PKEY_EC)
sl@0	1529	{
sl@0	1530	/* let's do ECDSA */
sl@0	1531	EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
sl@0	1532	EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	1533	EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	1534	EVP_SignUpdate(&md_ctx,&(d[4]),n);
sl@0	1535	if (!EVP_SignFinal(&md_ctx,&(p[2]),
sl@0	1536	(unsigned int *)&i,pkey))
sl@0	1537	{
sl@0	1538	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
sl@0	1539	goto err;
sl@0	1540	}
sl@0	1541	s2n(i,p);
sl@0	1542	n+=i+2;
sl@0	1543	}
sl@0	1544	else
sl@0	1545	#endif
sl@0	1546	{
sl@0	1547	/* Is this error check actually needed? */
sl@0	1548	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1549	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
sl@0	1550	goto f_err;
sl@0	1551	}
sl@0	1552	}
sl@0	1553
sl@0	1554	*(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
sl@0	1555	l2n3(n,d);
sl@0	1556
sl@0	1557	/* we should now have things packed up, so lets send
sl@0	1558	* it off */
sl@0	1559	s->init_num=n+4;
sl@0	1560	s->init_off=0;
sl@0	1561	}
sl@0	1562
sl@0	1563	s->state = SSL3_ST_SW_KEY_EXCH_B;
sl@0	1564	EVP_MD_CTX_cleanup(&md_ctx);
sl@0	1565	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	1566	f_err:
sl@0	1567	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	1568	err:
sl@0	1569	#ifndef OPENSSL_NO_ECDH
sl@0	1570	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
sl@0	1571	BN_CTX_free(bn_ctx);
sl@0	1572	#endif
sl@0	1573	EVP_MD_CTX_cleanup(&md_ctx);
sl@0	1574	return(-1);
sl@0	1575	}
sl@0	1576
sl@0	1577	int ssl3_send_certificate_request(SSL *s)
sl@0	1578	{
sl@0	1579	unsigned char p,d;
sl@0	1580	int i,j,nl,off,n;
sl@0	1581	STACK_OF(X509_NAME) *sk=NULL;
sl@0	1582	X509_NAME *name;
sl@0	1583	BUF_MEM *buf;
sl@0	1584
sl@0	1585	if (s->state == SSL3_ST_SW_CERT_REQ_A)
sl@0	1586	{
sl@0	1587	buf=s->init_buf;
sl@0	1588
sl@0	1589	d=p=(unsigned char *)&(buf->data[4]);
sl@0	1590
sl@0	1591	/* get the list of acceptable cert types */
sl@0	1592	p++;
sl@0	1593	n=ssl3_get_req_cert_type(s,p);
sl@0	1594	d[0]=n;
sl@0	1595	p+=n;
sl@0	1596	n++;
sl@0	1597
sl@0	1598	off=n;
sl@0	1599	p+=2;
sl@0	1600	n+=2;
sl@0	1601
sl@0	1602	sk=SSL_get_client_CA_list(s);
sl@0	1603	nl=0;
sl@0	1604	if (sk != NULL)
sl@0	1605	{
sl@0	1606	for (i=0; i<sk_X509_NAME_num(sk); i++)
sl@0	1607	{
sl@0	1608	name=sk_X509_NAME_value(sk,i);
sl@0	1609	j=i2d_X509_NAME(name,NULL);
sl@0	1610	if (!BUF_MEM_grow_clean(buf,4+n+j+2))
sl@0	1611	{
sl@0	1612	SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
sl@0	1613	goto err;
sl@0	1614	}
sl@0	1615	p=(unsigned char *)&(buf->data[4+n]);
sl@0	1616	if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
sl@0	1617	{
sl@0	1618	s2n(j,p);
sl@0	1619	i2d_X509_NAME(name,&p);
sl@0	1620	n+=2+j;
sl@0	1621	nl+=2+j;
sl@0	1622	}
sl@0	1623	else
sl@0	1624	{
sl@0	1625	d=p;
sl@0	1626	i2d_X509_NAME(name,&p);
sl@0	1627	j-=2; s2n(j,d); j+=2;
sl@0	1628	n+=j;
sl@0	1629	nl+=j;
sl@0	1630	}
sl@0	1631	}
sl@0	1632	}
sl@0	1633	/* else no CA names */
sl@0	1634	p=(unsigned char *)&(buf->data[4+off]);
sl@0	1635	s2n(nl,p);
sl@0	1636
sl@0	1637	d=(unsigned char *)buf->data;
sl@0	1638	*(d++)=SSL3_MT_CERTIFICATE_REQUEST;
sl@0	1639	l2n3(n,d);
sl@0	1640
sl@0	1641	/* we should now have things packed up, so lets send
sl@0	1642	* it off */
sl@0	1643
sl@0	1644	s->init_num=n+4;
sl@0	1645	s->init_off=0;
sl@0	1646	#ifdef NETSCAPE_HANG_BUG
sl@0	1647	p=(unsigned char *)s->init_buf->data + s->init_num;
sl@0	1648
sl@0	1649	/* do the header */
sl@0	1650	*(p++)=SSL3_MT_SERVER_DONE;
sl@0	1651	*(p++)=0;
sl@0	1652	*(p++)=0;
sl@0	1653	*(p++)=0;
sl@0	1654	s->init_num += 4;
sl@0	1655	#endif
sl@0	1656
sl@0	1657	s->state = SSL3_ST_SW_CERT_REQ_B;
sl@0	1658	}
sl@0	1659
sl@0	1660	/* SSL3_ST_SW_CERT_REQ_B */
sl@0	1661	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	1662	err:
sl@0	1663	return(-1);
sl@0	1664	}
sl@0	1665
sl@0	1666	int ssl3_get_client_key_exchange(SSL *s)
sl@0	1667	{
sl@0	1668	int i,al,ok;
sl@0	1669	long n;
sl@0	1670	unsigned long l;
sl@0	1671	unsigned char *p;
sl@0	1672	#ifndef OPENSSL_NO_RSA
sl@0	1673	RSA *rsa=NULL;
sl@0	1674	EVP_PKEY *pkey=NULL;
sl@0	1675	#endif
sl@0	1676	#ifndef OPENSSL_NO_DH
sl@0	1677	BIGNUM *pub=NULL;
sl@0	1678	DH *dh_srvr;
sl@0	1679	#endif
sl@0	1680	#ifndef OPENSSL_NO_KRB5
sl@0	1681	KSSL_ERR kssl_err;
sl@0	1682	#endif /* OPENSSL_NO_KRB5 */
sl@0	1683
sl@0	1684	#ifndef OPENSSL_NO_ECDH
sl@0	1685	EC_KEY *srvr_ecdh = NULL;
sl@0	1686	EVP_PKEY *clnt_pub_pkey = NULL;
sl@0	1687	EC_POINT *clnt_ecpoint = NULL;
sl@0	1688	BN_CTX *bn_ctx = NULL;
sl@0	1689	#endif
sl@0	1690
sl@0	1691	n=s->method->ssl_get_message(s,
sl@0	1692	SSL3_ST_SR_KEY_EXCH_A,
sl@0	1693	SSL3_ST_SR_KEY_EXCH_B,
sl@0	1694	SSL3_MT_CLIENT_KEY_EXCHANGE,
sl@0	1695	2048, /* ??? */
sl@0	1696	&ok);
sl@0	1697
sl@0	1698	if (!ok) return((int)n);
sl@0	1699	p=(unsigned char *)s->init_msg;
sl@0	1700
sl@0	1701	l=s->s3->tmp.new_cipher->algorithms;
sl@0	1702
sl@0	1703	#ifndef OPENSSL_NO_RSA
sl@0	1704	if (l & SSL_kRSA)
sl@0	1705	{
sl@0	1706	/* FIX THIS UP EAY EAY EAY EAY */
sl@0	1707	if (s->s3->tmp.use_rsa_tmp)
sl@0	1708	{
sl@0	1709	if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
sl@0	1710	rsa=s->cert->rsa_tmp;
sl@0	1711	/* Don't do a callback because rsa_tmp should
sl@0	1712	* be sent already */
sl@0	1713	if (rsa == NULL)
sl@0	1714	{
sl@0	1715	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1716	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
sl@0	1717	goto f_err;
sl@0	1718
sl@0	1719	}
sl@0	1720	}
sl@0	1721	else
sl@0	1722	{
sl@0	1723	pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
sl@0	1724	if ( (pkey == NULL) \|\|
sl@0	1725	(pkey->type != EVP_PKEY_RSA) \|\|
sl@0	1726	(pkey->pkey.rsa == NULL))
sl@0	1727	{
sl@0	1728	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1729	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
sl@0	1730	goto f_err;
sl@0	1731	}
sl@0	1732	rsa=pkey->pkey.rsa;
sl@0	1733	}
sl@0	1734
sl@0	1735	/* TLS and [incidentally] DTLS, including pre-0.9.8f */
sl@0	1736	if (s->version > SSL3_VERSION &&
sl@0	1737	s->client_version != DTLS1_BAD_VER)
sl@0	1738	{
sl@0	1739	n2s(p,i);
sl@0	1740	if (n != i+2)
sl@0	1741	{
sl@0	1742	if (!(s->options & SSL_OP_TLS_D5_BUG))
sl@0	1743	{
sl@0	1744	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
sl@0	1745	goto err;
sl@0	1746	}
sl@0	1747	else
sl@0	1748	p-=2;
sl@0	1749	}
sl@0	1750	else
sl@0	1751	n=i;
sl@0	1752	}
sl@0	1753
sl@0	1754	i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
sl@0	1755
sl@0	1756	al = -1;
sl@0	1757
sl@0	1758	if (i != SSL_MAX_MASTER_KEY_LENGTH)
sl@0	1759	{
sl@0	1760	al=SSL_AD_DECODE_ERROR;
sl@0	1761	/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
sl@0	1762	}
sl@0	1763
sl@0	1764	if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
sl@0	1765	{
sl@0	1766	/* The premaster secret must contain the same version number as the
sl@0	1767	* ClientHello to detect version rollback attacks (strangely, the
sl@0	1768	* protocol does not offer such protection for DH ciphersuites).
sl@0	1769	* However, buggy clients exist that send the negotiated protocol
sl@0	1770	* version instead if the server does not support the requested
sl@0	1771	* protocol version.
sl@0	1772	* If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
sl@0	1773	if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
sl@0	1774	(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
sl@0	1775	{
sl@0	1776	al=SSL_AD_DECODE_ERROR;
sl@0	1777	/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
sl@0	1778
sl@0	1779	/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
sl@0	1780	* (http://eprint.iacr.org/2003/052/) exploits the version
sl@0	1781	* number check as a "bad version oracle" -- an alert would
sl@0	1782	* reveal that the plaintext corresponding to some ciphertext
sl@0	1783	* made up by the adversary is properly formatted except
sl@0	1784	* that the version number is wrong. To avoid such attacks,
sl@0	1785	* we should treat this just like any other decryption error. */
sl@0	1786	}
sl@0	1787	}
sl@0	1788
sl@0	1789	if (al != -1)
sl@0	1790	{
sl@0	1791	/* Some decryption failure -- use random value instead as countermeasure
sl@0	1792	* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
sl@0	1793	* (see RFC 2246, section 7.4.7.1). */
sl@0	1794	ERR_clear_error();
sl@0	1795	i = SSL_MAX_MASTER_KEY_LENGTH;
sl@0	1796	p[0] = s->client_version >> 8;
sl@0	1797	p[1] = s->client_version & 0xff;
sl@0	1798	if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
sl@0	1799	goto err;
sl@0	1800	}
sl@0	1801
sl@0	1802	s->session->master_key_length=
sl@0	1803	s->method->ssl3_enc->generate_master_secret(s,
sl@0	1804	s->session->master_key,
sl@0	1805	p,i);
sl@0	1806	OPENSSL_cleanse(p,i);
sl@0	1807	}
sl@0	1808	else
sl@0	1809	#endif
sl@0	1810	#ifndef OPENSSL_NO_DH
sl@0	1811	if (l & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd))
sl@0	1812	{
sl@0	1813	n2s(p,i);
sl@0	1814	if (n != i+2)
sl@0	1815	{
sl@0	1816	if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
sl@0	1817	{
sl@0	1818	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
sl@0	1819	goto err;
sl@0	1820	}
sl@0	1821	else
sl@0	1822	{
sl@0	1823	p-=2;
sl@0	1824	i=(int)n;
sl@0	1825	}
sl@0	1826	}
sl@0	1827
sl@0	1828	if (n == 0L) /* the parameters are in the cert */
sl@0	1829	{
sl@0	1830	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1831	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
sl@0	1832	goto f_err;
sl@0	1833	}
sl@0	1834	else
sl@0	1835	{
sl@0	1836	if (s->s3->tmp.dh == NULL)
sl@0	1837	{
sl@0	1838	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1839	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
sl@0	1840	goto f_err;
sl@0	1841	}
sl@0	1842	else
sl@0	1843	dh_srvr=s->s3->tmp.dh;
sl@0	1844	}
sl@0	1845
sl@0	1846	pub=BN_bin2bn(p,i,NULL);
sl@0	1847	if (pub == NULL)
sl@0	1848	{
sl@0	1849	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
sl@0	1850	goto err;
sl@0	1851	}
sl@0	1852
sl@0	1853	i=DH_compute_key(p,pub,dh_srvr);
sl@0	1854
sl@0	1855	if (i <= 0)
sl@0	1856	{
sl@0	1857	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	1858	goto err;
sl@0	1859	}
sl@0	1860
sl@0	1861	DH_free(s->s3->tmp.dh);
sl@0	1862	s->s3->tmp.dh=NULL;
sl@0	1863
sl@0	1864	BN_clear_free(pub);
sl@0	1865	pub=NULL;
sl@0	1866	s->session->master_key_length=
sl@0	1867	s->method->ssl3_enc->generate_master_secret(s,
sl@0	1868	s->session->master_key,p,i);
sl@0	1869	OPENSSL_cleanse(p,i);
sl@0	1870	}
sl@0	1871	else
sl@0	1872	#endif
sl@0	1873	#ifndef OPENSSL_NO_KRB5
sl@0	1874	if (l & SSL_kKRB5)
sl@0	1875	{
sl@0	1876	krb5_error_code krb5rc;
sl@0	1877	krb5_data enc_ticket;
sl@0	1878	krb5_data authenticator;
sl@0	1879	krb5_data enc_pms;
sl@0	1880	KSSL_CTX *kssl_ctx = s->kssl_ctx;
sl@0	1881	EVP_CIPHER_CTX ciph_ctx;
sl@0	1882	EVP_CIPHER *enc = NULL;
sl@0	1883	unsigned char iv[EVP_MAX_IV_LENGTH];
sl@0	1884	unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
sl@0	1885	+ EVP_MAX_BLOCK_LENGTH];
sl@0	1886	int padl, outl;
sl@0	1887	krb5_timestamp authtime = 0;
sl@0	1888	krb5_ticket_times ttimes;
sl@0	1889
sl@0	1890	EVP_CIPHER_CTX_init(&ciph_ctx);
sl@0	1891
sl@0	1892	if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
sl@0	1893
sl@0	1894	n2s(p,i);
sl@0	1895	enc_ticket.length = i;
sl@0	1896
sl@0	1897	if (n < (int)enc_ticket.length + 6)
sl@0	1898	{
sl@0	1899	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	1900	SSL_R_DATA_LENGTH_TOO_LONG);
sl@0	1901	goto err;
sl@0	1902	}
sl@0	1903
sl@0	1904	enc_ticket.data = (char *)p;
sl@0	1905	p+=enc_ticket.length;
sl@0	1906
sl@0	1907	n2s(p,i);
sl@0	1908	authenticator.length = i;
sl@0	1909
sl@0	1910	if (n < (int)(enc_ticket.length + authenticator.length) + 6)
sl@0	1911	{
sl@0	1912	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	1913	SSL_R_DATA_LENGTH_TOO_LONG);
sl@0	1914	goto err;
sl@0	1915	}
sl@0	1916
sl@0	1917	authenticator.data = (char *)p;
sl@0	1918	p+=authenticator.length;
sl@0	1919
sl@0	1920	n2s(p,i);
sl@0	1921	enc_pms.length = i;
sl@0	1922	enc_pms.data = (char *)p;
sl@0	1923	p+=enc_pms.length;
sl@0	1924
sl@0	1925	/* Note that the length is checked again below,
sl@0	1926	** after decryption
sl@0	1927	*/
sl@0	1928	if(enc_pms.length > sizeof pms)
sl@0	1929	{
sl@0	1930	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	1931	SSL_R_DATA_LENGTH_TOO_LONG);
sl@0	1932	goto err;
sl@0	1933	}
sl@0	1934
sl@0	1935	if (n != (long)(enc_ticket.length + authenticator.length +
sl@0	1936	enc_pms.length + 6))
sl@0	1937	{
sl@0	1938	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	1939	SSL_R_DATA_LENGTH_TOO_LONG);
sl@0	1940	goto err;
sl@0	1941	}
sl@0	1942
sl@0	1943	if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
sl@0	1944	&kssl_err)) != 0)
sl@0	1945	{
sl@0	1946	#ifdef KSSL_DEBUG
sl@0	1947	printf("kssl_sget_tkt rtn %d [%d]\n",
sl@0	1948	krb5rc, kssl_err.reason);
sl@0	1949	if (kssl_err.text)
sl@0	1950	printf("kssl_err text= %s\n", kssl_err.text);
sl@0	1951	#endif /* KSSL_DEBUG */
sl@0	1952	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	1953	kssl_err.reason);
sl@0	1954	goto err;
sl@0	1955	}
sl@0	1956
sl@0	1957	/* Note: no authenticator is not considered an error,
sl@0	1958	** but will return authtime == 0.
sl@0	1959	*/
sl@0	1960	if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
sl@0	1961	&authtime, &kssl_err)) != 0)
sl@0	1962	{
sl@0	1963	#ifdef KSSL_DEBUG
sl@0	1964	printf("kssl_check_authent rtn %d [%d]\n",
sl@0	1965	krb5rc, kssl_err.reason);
sl@0	1966	if (kssl_err.text)
sl@0	1967	printf("kssl_err text= %s\n", kssl_err.text);
sl@0	1968	#endif /* KSSL_DEBUG */
sl@0	1969	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	1970	kssl_err.reason);
sl@0	1971	goto err;
sl@0	1972	}
sl@0	1973
sl@0	1974	if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
sl@0	1975	{
sl@0	1976	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
sl@0	1977	goto err;
sl@0	1978	}
sl@0	1979
sl@0	1980	#ifdef KSSL_DEBUG
sl@0	1981	kssl_ctx_show(kssl_ctx);
sl@0	1982	#endif /* KSSL_DEBUG */
sl@0	1983
sl@0	1984	enc = kssl_map_enc(kssl_ctx->enctype);
sl@0	1985	if (enc == NULL)
sl@0	1986	goto err;
sl@0	1987
sl@0	1988	memset(iv, 0, sizeof iv); /* per RFC 1510 */
sl@0	1989
sl@0	1990	if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
sl@0	1991	{
sl@0	1992	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	1993	SSL_R_DECRYPTION_FAILED);
sl@0	1994	goto err;
sl@0	1995	}
sl@0	1996	if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
sl@0	1997	(unsigned char *)enc_pms.data, enc_pms.length))
sl@0	1998	{
sl@0	1999	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2000	SSL_R_DECRYPTION_FAILED);
sl@0	2001	goto err;
sl@0	2002	}
sl@0	2003	if (outl > SSL_MAX_MASTER_KEY_LENGTH)
sl@0	2004	{
sl@0	2005	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2006	SSL_R_DATA_LENGTH_TOO_LONG);
sl@0	2007	goto err;
sl@0	2008	}
sl@0	2009	if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl))
sl@0	2010	{
sl@0	2011	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2012	SSL_R_DECRYPTION_FAILED);
sl@0	2013	goto err;
sl@0	2014	}
sl@0	2015	outl += padl;
sl@0	2016	if (outl > SSL_MAX_MASTER_KEY_LENGTH)
sl@0	2017	{
sl@0	2018	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2019	SSL_R_DATA_LENGTH_TOO_LONG);
sl@0	2020	goto err;
sl@0	2021	}
sl@0	2022	if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
sl@0	2023	{
sl@0	2024	/* The premaster secret must contain the same version number as the
sl@0	2025	* ClientHello to detect version rollback attacks (strangely, the
sl@0	2026	* protocol does not offer such protection for DH ciphersuites).
sl@0	2027	* However, buggy clients exist that send random bytes instead of
sl@0	2028	* the protocol version.
sl@0	2029	* If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
sl@0	2030	* (Perhaps we should have a separate BUG value for the Kerberos cipher)
sl@0	2031	*/
sl@0	2032	if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
sl@0	2033	{
sl@0	2034	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2035	SSL_AD_DECODE_ERROR);
sl@0	2036	goto err;
sl@0	2037	}
sl@0	2038	}
sl@0	2039	EVP_CIPHER_CTX_cleanup(&ciph_ctx);
sl@0	2040
sl@0	2041	s->session->master_key_length=
sl@0	2042	s->method->ssl3_enc->generate_master_secret(s,
sl@0	2043	s->session->master_key, pms, outl);
sl@0	2044
sl@0	2045	if (kssl_ctx->client_princ)
sl@0	2046	{
sl@0	2047	size_t len = strlen(kssl_ctx->client_princ);
sl@0	2048	if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
sl@0	2049	{
sl@0	2050	s->session->krb5_client_princ_len = len;
sl@0	2051	memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
sl@0	2052	}
sl@0	2053	}
sl@0	2054
sl@0	2055
sl@0	2056	/* Was doing kssl_ctx_free() here,
sl@0	2057	** but it caused problems for apache.
sl@0	2058	** kssl_ctx = kssl_ctx_free(kssl_ctx);
sl@0	2059	** if (s->kssl_ctx) s->kssl_ctx = NULL;
sl@0	2060	*/
sl@0	2061	}
sl@0	2062	else
sl@0	2063	#endif /* OPENSSL_NO_KRB5 */
sl@0	2064
sl@0	2065	#ifndef OPENSSL_NO_ECDH
sl@0	2066	if ((l & SSL_kECDH) \|\| (l & SSL_kECDHE))
sl@0	2067	{
sl@0	2068	int ret = 1;
sl@0	2069	int field_size = 0;
sl@0	2070	const EC_KEY *tkey;
sl@0	2071	const EC_GROUP *group;
sl@0	2072	const BIGNUM *priv_key;
sl@0	2073
sl@0	2074	/* initialize structures for server's ECDH key pair */
sl@0	2075	if ((srvr_ecdh = EC_KEY_new()) == NULL)
sl@0	2076	{
sl@0	2077	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2078	ERR_R_MALLOC_FAILURE);
sl@0	2079	goto err;
sl@0	2080	}
sl@0	2081
sl@0	2082	/* Let's get server private key and group information */
sl@0	2083	if (l & SSL_kECDH)
sl@0	2084	{
sl@0	2085	/* use the certificate */
sl@0	2086	tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
sl@0	2087	}
sl@0	2088	else
sl@0	2089	{
sl@0	2090	/* use the ephermeral values we saved when
sl@0	2091	* generating the ServerKeyExchange msg.
sl@0	2092	*/
sl@0	2093	tkey = s->s3->tmp.ecdh;
sl@0	2094	}
sl@0	2095
sl@0	2096	group = EC_KEY_get0_group(tkey);
sl@0	2097	priv_key = EC_KEY_get0_private_key(tkey);
sl@0	2098
sl@0	2099	if (!EC_KEY_set_group(srvr_ecdh, group) \|\|
sl@0	2100	!EC_KEY_set_private_key(srvr_ecdh, priv_key))
sl@0	2101	{
sl@0	2102	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2103	ERR_R_EC_LIB);
sl@0	2104	goto err;
sl@0	2105	}
sl@0	2106
sl@0	2107	/* Let's get client's public key */
sl@0	2108	if ((clnt_ecpoint = EC_POINT_new(group)) == NULL)
sl@0	2109	{
sl@0	2110	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2111	ERR_R_MALLOC_FAILURE);
sl@0	2112	goto err;
sl@0	2113	}
sl@0	2114
sl@0	2115	if (n == 0L)
sl@0	2116	{
sl@0	2117	/* Client Publickey was in Client Certificate */
sl@0	2118
sl@0	2119	if (l & SSL_kECDHE)
sl@0	2120	{
sl@0	2121	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	2122	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
sl@0	2123	goto f_err;
sl@0	2124	}
sl@0	2125	if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
sl@0	2126	== NULL) \|\|
sl@0	2127	(clnt_pub_pkey->type != EVP_PKEY_EC))
sl@0	2128	{
sl@0	2129	/* XXX: For now, we do not support client
sl@0	2130	* authentication using ECDH certificates
sl@0	2131	* so this branch (n == 0L) of the code is
sl@0	2132	* never executed. When that support is
sl@0	2133	* added, we ought to ensure the key
sl@0	2134	* received in the certificate is
sl@0	2135	* authorized for key agreement.
sl@0	2136	* ECDH_compute_key implicitly checks that
sl@0	2137	* the two ECDH shares are for the same
sl@0	2138	* group.
sl@0	2139	*/
sl@0	2140	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	2141	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2142	SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
sl@0	2143	goto f_err;
sl@0	2144	}
sl@0	2145
sl@0	2146	if (EC_POINT_copy(clnt_ecpoint,
sl@0	2147	EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
sl@0	2148	{
sl@0	2149	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2150	ERR_R_EC_LIB);
sl@0	2151	goto err;
sl@0	2152	}
sl@0	2153	ret = 2; /* Skip certificate verify processing */
sl@0	2154	}
sl@0	2155	else
sl@0	2156	{
sl@0	2157	/* Get client's public key from encoded point
sl@0	2158	* in the ClientKeyExchange message.
sl@0	2159	*/
sl@0	2160	if ((bn_ctx = BN_CTX_new()) == NULL)
sl@0	2161	{
sl@0	2162	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2163	ERR_R_MALLOC_FAILURE);
sl@0	2164	goto err;
sl@0	2165	}
sl@0	2166
sl@0	2167	/* Get encoded point length */
sl@0	2168	i = *p;
sl@0	2169	p += 1;
sl@0	2170	if (EC_POINT_oct2point(group,
sl@0	2171	clnt_ecpoint, p, i, bn_ctx) == 0)
sl@0	2172	{
sl@0	2173	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2174	ERR_R_EC_LIB);
sl@0	2175	goto err;
sl@0	2176	}
sl@0	2177	/* p is pointing to somewhere in the buffer
sl@0	2178	* currently, so set it to the start
sl@0	2179	*/
sl@0	2180	p=(unsigned char *)s->init_buf->data;
sl@0	2181	}
sl@0	2182
sl@0	2183	/* Compute the shared pre-master secret */
sl@0	2184	field_size = EC_GROUP_get_degree(group);
sl@0	2185	if (field_size <= 0)
sl@0	2186	{
sl@0	2187	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2188	ERR_R_ECDH_LIB);
sl@0	2189	goto err;
sl@0	2190	}
sl@0	2191	i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
sl@0	2192	if (i <= 0)
sl@0	2193	{
sl@0	2194	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2195	ERR_R_ECDH_LIB);
sl@0	2196	goto err;
sl@0	2197	}
sl@0	2198
sl@0	2199	EVP_PKEY_free(clnt_pub_pkey);
sl@0	2200	EC_POINT_free(clnt_ecpoint);
sl@0	2201	if (srvr_ecdh != NULL)
sl@0	2202	EC_KEY_free(srvr_ecdh);
sl@0	2203	BN_CTX_free(bn_ctx);
sl@0	2204
sl@0	2205	/* Compute the master secret */
sl@0	2206	s->session->master_key_length = s->method->ssl3_enc-> \
sl@0	2207	generate_master_secret(s, s->session->master_key, p, i);
sl@0	2208
sl@0	2209	OPENSSL_cleanse(p, i);
sl@0	2210	return (ret);
sl@0	2211	}
sl@0	2212	else
sl@0	2213	#endif
sl@0	2214	{
sl@0	2215	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	2216	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
sl@0	2217	SSL_R_UNKNOWN_CIPHER_TYPE);
sl@0	2218	goto f_err;
sl@0	2219	}
sl@0	2220
sl@0	2221	return(1);
sl@0	2222	f_err:
sl@0	2223	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	2224	#if !defined(OPENSSL_NO_DH) \|\| !defined(OPENSSL_NO_RSA) \|\| !defined(OPENSSL_NO_ECDH)
sl@0	2225	err:
sl@0	2226	#endif
sl@0	2227	#ifndef OPENSSL_NO_ECDH
sl@0	2228	EVP_PKEY_free(clnt_pub_pkey);
sl@0	2229	EC_POINT_free(clnt_ecpoint);
sl@0	2230	if (srvr_ecdh != NULL)
sl@0	2231	EC_KEY_free(srvr_ecdh);
sl@0	2232	BN_CTX_free(bn_ctx);
sl@0	2233	#endif
sl@0	2234	return(-1);
sl@0	2235	}
sl@0	2236
sl@0	2237	int ssl3_get_cert_verify(SSL *s)
sl@0	2238	{
sl@0	2239	EVP_PKEY *pkey=NULL;
sl@0	2240	unsigned char *p;
sl@0	2241	int al,ok,ret=0;
sl@0	2242	long n;
sl@0	2243	int type=0,i,j;
sl@0	2244	X509 *peer;
sl@0	2245
sl@0	2246	n=s->method->ssl_get_message(s,
sl@0	2247	SSL3_ST_SR_CERT_VRFY_A,
sl@0	2248	SSL3_ST_SR_CERT_VRFY_B,
sl@0	2249	-1,
sl@0	2250	514, /* 514? */
sl@0	2251	&ok);
sl@0	2252
sl@0	2253	if (!ok) return((int)n);
sl@0	2254
sl@0	2255	if (s->session->peer != NULL)
sl@0	2256	{
sl@0	2257	peer=s->session->peer;
sl@0	2258	pkey=X509_get_pubkey(peer);
sl@0	2259	type=X509_certificate_type(peer,pkey);
sl@0	2260	}
sl@0	2261	else
sl@0	2262	{
sl@0	2263	peer=NULL;
sl@0	2264	pkey=NULL;
sl@0	2265	}
sl@0	2266
sl@0	2267	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
sl@0	2268	{
sl@0	2269	s->s3->tmp.reuse_message=1;
sl@0	2270	if ((peer != NULL) && (type \| EVP_PKT_SIGN))
sl@0	2271	{
sl@0	2272	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	2273	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
sl@0	2274	goto f_err;
sl@0	2275	}
sl@0	2276	ret=1;
sl@0	2277	goto end;
sl@0	2278	}
sl@0	2279
sl@0	2280	if (peer == NULL)
sl@0	2281	{
sl@0	2282	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
sl@0	2283	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	2284	goto f_err;
sl@0	2285	}
sl@0	2286
sl@0	2287	if (!(type & EVP_PKT_SIGN))
sl@0	2288	{
sl@0	2289	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
sl@0	2290	al=SSL_AD_ILLEGAL_PARAMETER;
sl@0	2291	goto f_err;
sl@0	2292	}
sl@0	2293
sl@0	2294	if (s->s3->change_cipher_spec)
sl@0	2295	{
sl@0	2296	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
sl@0	2297	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	2298	goto f_err;
sl@0	2299	}
sl@0	2300
sl@0	2301	/* we now have a signature that we need to verify */
sl@0	2302	p=(unsigned char *)s->init_msg;
sl@0	2303	n2s(p,i);
sl@0	2304	n-=2;
sl@0	2305	if (i > n)
sl@0	2306	{
sl@0	2307	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
sl@0	2308	al=SSL_AD_DECODE_ERROR;
sl@0	2309	goto f_err;
sl@0	2310	}
sl@0	2311
sl@0	2312	j=EVP_PKEY_size(pkey);
sl@0	2313	if ((i > j) \|\| (n > j) \|\| (n <= 0))
sl@0	2314	{
sl@0	2315	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
sl@0	2316	al=SSL_AD_DECODE_ERROR;
sl@0	2317	goto f_err;
sl@0	2318	}
sl@0	2319
sl@0	2320	#ifndef OPENSSL_NO_RSA
sl@0	2321	if (pkey->type == EVP_PKEY_RSA)
sl@0	2322	{
sl@0	2323	i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
sl@0	2324	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i,
sl@0	2325	pkey->pkey.rsa);
sl@0	2326	if (i < 0)
sl@0	2327	{
sl@0	2328	al=SSL_AD_DECRYPT_ERROR;
sl@0	2329	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
sl@0	2330	goto f_err;
sl@0	2331	}
sl@0	2332	if (i == 0)
sl@0	2333	{
sl@0	2334	al=SSL_AD_DECRYPT_ERROR;
sl@0	2335	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
sl@0	2336	goto f_err;
sl@0	2337	}
sl@0	2338	}
sl@0	2339	else
sl@0	2340	#endif
sl@0	2341	#ifndef OPENSSL_NO_DSA
sl@0	2342	if (pkey->type == EVP_PKEY_DSA)
sl@0	2343	{
sl@0	2344	j=DSA_verify(pkey->save_type,
sl@0	2345	&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
sl@0	2346	SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
sl@0	2347	if (j <= 0)
sl@0	2348	{
sl@0	2349	/* bad signature */
sl@0	2350	al=SSL_AD_DECRYPT_ERROR;
sl@0	2351	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
sl@0	2352	goto f_err;
sl@0	2353	}
sl@0	2354	}
sl@0	2355	else
sl@0	2356	#endif
sl@0	2357	#ifndef OPENSSL_NO_ECDSA
sl@0	2358	if (pkey->type == EVP_PKEY_EC)
sl@0	2359	{
sl@0	2360	j=ECDSA_verify(pkey->save_type,
sl@0	2361	&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
sl@0	2362	SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec);
sl@0	2363	if (j <= 0)
sl@0	2364	{
sl@0	2365	/* bad signature */
sl@0	2366	al=SSL_AD_DECRYPT_ERROR;
sl@0	2367	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
sl@0	2368	SSL_R_BAD_ECDSA_SIGNATURE);
sl@0	2369	goto f_err;
sl@0	2370	}
sl@0	2371	}
sl@0	2372	else
sl@0	2373	#endif
sl@0	2374	{
sl@0	2375	SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
sl@0	2376	al=SSL_AD_UNSUPPORTED_CERTIFICATE;
sl@0	2377	goto f_err;
sl@0	2378	}
sl@0	2379
sl@0	2380
sl@0	2381	ret=1;
sl@0	2382	if (0)
sl@0	2383	{
sl@0	2384	f_err:
sl@0	2385	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	2386	}
sl@0	2387	end:
sl@0	2388	EVP_PKEY_free(pkey);
sl@0	2389	return(ret);
sl@0	2390	}
sl@0	2391
sl@0	2392	int ssl3_get_client_certificate(SSL *s)
sl@0	2393	{
sl@0	2394	int i,ok,al,ret= -1;
sl@0	2395	X509 *x=NULL;
sl@0	2396	unsigned long l,nc,llen,n;
sl@0	2397	const unsigned char p,q;
sl@0	2398	unsigned char *d;
sl@0	2399	STACK_OF(X509) *sk=NULL;
sl@0	2400
sl@0	2401	n=s->method->ssl_get_message(s,
sl@0	2402	SSL3_ST_SR_CERT_A,
sl@0	2403	SSL3_ST_SR_CERT_B,
sl@0	2404	-1,
sl@0	2405	s->max_cert_list,
sl@0	2406	&ok);
sl@0	2407
sl@0	2408	if (!ok) return((int)n);
sl@0	2409
sl@0	2410	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
sl@0	2411	{
sl@0	2412	if ( (s->verify_mode & SSL_VERIFY_PEER) &&
sl@0	2413	(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
sl@0	2414	{
sl@0	2415	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
sl@0	2416	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	2417	goto f_err;
sl@0	2418	}
sl@0	2419	/* If tls asked for a client cert, the client must return a 0 list */
sl@0	2420	if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
sl@0	2421	{
sl@0	2422	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
sl@0	2423	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	2424	goto f_err;
sl@0	2425	}
sl@0	2426	s->s3->tmp.reuse_message=1;
sl@0	2427	return(1);
sl@0	2428	}
sl@0	2429
sl@0	2430	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
sl@0	2431	{
sl@0	2432	al=SSL_AD_UNEXPECTED_MESSAGE;
sl@0	2433	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
sl@0	2434	goto f_err;
sl@0	2435	}
sl@0	2436	p=d=(unsigned char *)s->init_msg;
sl@0	2437
sl@0	2438	if ((sk=sk_X509_new_null()) == NULL)
sl@0	2439	{
sl@0	2440	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
sl@0	2441	goto err;
sl@0	2442	}
sl@0	2443
sl@0	2444	n2l3(p,llen);
sl@0	2445	if (llen+3 != n)
sl@0	2446	{
sl@0	2447	al=SSL_AD_DECODE_ERROR;
sl@0	2448	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
sl@0	2449	goto f_err;
sl@0	2450	}
sl@0	2451	for (nc=0; nc<llen; )
sl@0	2452	{
sl@0	2453	n2l3(p,l);
sl@0	2454	if ((l+nc+3) > llen)
sl@0	2455	{
sl@0	2456	al=SSL_AD_DECODE_ERROR;
sl@0	2457	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
sl@0	2458	goto f_err;
sl@0	2459	}
sl@0	2460
sl@0	2461	q=p;
sl@0	2462	x=d2i_X509(NULL,&p,l);
sl@0	2463	if (x == NULL)
sl@0	2464	{
sl@0	2465	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
sl@0	2466	goto err;
sl@0	2467	}
sl@0	2468	if (p != (q+l))
sl@0	2469	{
sl@0	2470	al=SSL_AD_DECODE_ERROR;
sl@0	2471	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
sl@0	2472	goto f_err;
sl@0	2473	}
sl@0	2474	if (!sk_X509_push(sk,x))
sl@0	2475	{
sl@0	2476	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
sl@0	2477	goto err;
sl@0	2478	}
sl@0	2479	x=NULL;
sl@0	2480	nc+=l+3;
sl@0	2481	}
sl@0	2482
sl@0	2483	if (sk_X509_num(sk) <= 0)
sl@0	2484	{
sl@0	2485	/* TLS does not mind 0 certs returned */
sl@0	2486	if (s->version == SSL3_VERSION)
sl@0	2487	{
sl@0	2488	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	2489	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
sl@0	2490	goto f_err;
sl@0	2491	}
sl@0	2492	/* Fail for TLS only if we required a certificate */
sl@0	2493	else if ((s->verify_mode & SSL_VERIFY_PEER) &&
sl@0	2494	(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
sl@0	2495	{
sl@0	2496	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
sl@0	2497	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	2498	goto f_err;
sl@0	2499	}
sl@0	2500	}
sl@0	2501	else
sl@0	2502	{
sl@0	2503	i=ssl_verify_cert_chain(s,sk);
sl@0	2504	if (!i)
sl@0	2505	{
sl@0	2506	al=ssl_verify_alarm_type(s->verify_result);
sl@0	2507	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
sl@0	2508	goto f_err;
sl@0	2509	}
sl@0	2510	}
sl@0	2511
sl@0	2512	if (s->session->peer != NULL) /* This should not be needed */
sl@0	2513	X509_free(s->session->peer);
sl@0	2514	s->session->peer=sk_X509_shift(sk);
sl@0	2515	s->session->verify_result = s->verify_result;
sl@0	2516
sl@0	2517	/* With the current implementation, sess_cert will always be NULL
sl@0	2518	* when we arrive here. */
sl@0	2519	if (s->session->sess_cert == NULL)
sl@0	2520	{
sl@0	2521	s->session->sess_cert = ssl_sess_cert_new();
sl@0	2522	if (s->session->sess_cert == NULL)
sl@0	2523	{
sl@0	2524	SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
sl@0	2525	goto err;
sl@0	2526	}
sl@0	2527	}
sl@0	2528	if (s->session->sess_cert->cert_chain != NULL)
sl@0	2529	sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
sl@0	2530	s->session->sess_cert->cert_chain=sk;
sl@0	2531	/* Inconsistency alert: cert_chain does not include the
sl@0	2532	* peer's own certificate, while we do include it in s3_clnt.c */
sl@0	2533
sl@0	2534	sk=NULL;
sl@0	2535
sl@0	2536	ret=1;
sl@0	2537	if (0)
sl@0	2538	{
sl@0	2539	f_err:
sl@0	2540	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	2541	}
sl@0	2542	err:
sl@0	2543	if (x != NULL) X509_free(x);
sl@0	2544	if (sk != NULL) sk_X509_pop_free(sk,X509_free);
sl@0	2545	return(ret);
sl@0	2546	}
sl@0	2547
sl@0	2548	int ssl3_send_server_certificate(SSL *s)
sl@0	2549	{
sl@0	2550	unsigned long l;
sl@0	2551	X509 *x;
sl@0	2552
sl@0	2553	if (s->state == SSL3_ST_SW_CERT_A)
sl@0	2554	{
sl@0	2555	x=ssl_get_server_send_cert(s);
sl@0	2556	if (x == NULL &&
sl@0	2557	/* VRS: allow null cert if auth == KRB5 */
sl@0	2558	(s->s3->tmp.new_cipher->algorithms
sl@0	2559	& (SSL_MKEY_MASK\|SSL_AUTH_MASK))
sl@0	2560	!= (SSL_aKRB5\|SSL_kKRB5))
sl@0	2561	{
sl@0	2562	SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
sl@0	2563	return(0);
sl@0	2564	}
sl@0	2565
sl@0	2566	l=ssl3_output_cert_chain(s,x);
sl@0	2567	s->state=SSL3_ST_SW_CERT_B;
sl@0	2568	s->init_num=(int)l;
sl@0	2569	s->init_off=0;
sl@0	2570	}
sl@0	2571
sl@0	2572	/* SSL3_ST_SW_CERT_B */
sl@0	2573	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	2574	}
sl@0	2575
sl@0	2576
sl@0	2577	#ifndef OPENSSL_NO_ECDH
sl@0	2578	/* This is the complement of curve_id2nid in s3_clnt.c. */
sl@0	2579	static int nid2curve_id(int nid)
sl@0	2580	{
sl@0	2581	/* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
sl@0	2582	* (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
sl@0	2583	switch (nid) {
sl@0	2584	case NID_sect163k1: /* sect163k1 (1) */
sl@0	2585	return 1;
sl@0	2586	case NID_sect163r1: /* sect163r1 (2) */
sl@0	2587	return 2;
sl@0	2588	case NID_sect163r2: /* sect163r2 (3) */
sl@0	2589	return 3;
sl@0	2590	case NID_sect193r1: /* sect193r1 (4) */
sl@0	2591	return 4;
sl@0	2592	case NID_sect193r2: /* sect193r2 (5) */
sl@0	2593	return 5;
sl@0	2594	case NID_sect233k1: /* sect233k1 (6) */
sl@0	2595	return 6;
sl@0	2596	case NID_sect233r1: /* sect233r1 (7) */
sl@0	2597	return 7;
sl@0	2598	case NID_sect239k1: /* sect239k1 (8) */
sl@0	2599	return 8;
sl@0	2600	case NID_sect283k1: /* sect283k1 (9) */
sl@0	2601	return 9;
sl@0	2602	case NID_sect283r1: /* sect283r1 (10) */
sl@0	2603	return 10;
sl@0	2604	case NID_sect409k1: /* sect409k1 (11) */
sl@0	2605	return 11;
sl@0	2606	case NID_sect409r1: /* sect409r1 (12) */
sl@0	2607	return 12;
sl@0	2608	case NID_sect571k1: /* sect571k1 (13) */
sl@0	2609	return 13;
sl@0	2610	case NID_sect571r1: /* sect571r1 (14) */
sl@0	2611	return 14;
sl@0	2612	case NID_secp160k1: /* secp160k1 (15) */
sl@0	2613	return 15;
sl@0	2614	case NID_secp160r1: /* secp160r1 (16) */
sl@0	2615	return 16;
sl@0	2616	case NID_secp160r2: /* secp160r2 (17) */
sl@0	2617	return 17;
sl@0	2618	case NID_secp192k1: /* secp192k1 (18) */
sl@0	2619	return 18;
sl@0	2620	case NID_X9_62_prime192v1: /* secp192r1 (19) */
sl@0	2621	return 19;
sl@0	2622	case NID_secp224k1: /* secp224k1 (20) */
sl@0	2623	return 20;
sl@0	2624	case NID_secp224r1: /* secp224r1 (21) */
sl@0	2625	return 21;
sl@0	2626	case NID_secp256k1: /* secp256k1 (22) */
sl@0	2627	return 22;
sl@0	2628	case NID_X9_62_prime256v1: /* secp256r1 (23) */
sl@0	2629	return 23;
sl@0	2630	case NID_secp384r1: /* secp384r1 (24) */
sl@0	2631	return 24;
sl@0	2632	case NID_secp521r1: /* secp521r1 (25) */
sl@0	2633	return 25;
sl@0	2634	default:
sl@0	2635	return 0;
sl@0	2636	}
sl@0	2637	}
sl@0	2638	#endif

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--