sl@0: /* ssl/s3_srvr.c */ sl@0: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) sl@0: * All rights reserved. sl@0: * sl@0: * This package is an SSL implementation written sl@0: * by Eric Young (eay@cryptsoft.com). sl@0: * The implementation was written so as to conform with Netscapes SSL. sl@0: * sl@0: * This library is free for commercial and non-commercial use as long as sl@0: * the following conditions are aheared to. The following conditions sl@0: * apply to all code found in this distribution, be it the RC4, RSA, sl@0: * lhash, DES, etc., code; not just the SSL code. The SSL documentation sl@0: * included with this distribution is covered by the same copyright terms sl@0: * except that the holder is Tim Hudson (tjh@cryptsoft.com). sl@0: * sl@0: * Copyright remains Eric Young's, and as such any Copyright notices in sl@0: * the code are not to be removed. sl@0: * If this package is used in a product, Eric Young should be given attribution sl@0: * as the author of the parts of the library used. sl@0: * This can be in the form of a textual message at program startup or sl@0: * in documentation (online or textual) provided with the package. sl@0: * sl@0: * Redistribution and use in source and binary forms, with or without sl@0: * modification, are permitted provided that the following conditions sl@0: * are met: sl@0: * 1. Redistributions of source code must retain the copyright sl@0: * notice, this list of conditions and the following disclaimer. sl@0: * 2. Redistributions in binary form must reproduce the above copyright sl@0: * notice, this list of conditions and the following disclaimer in the sl@0: * documentation and/or other materials provided with the distribution. sl@0: * 3. All advertising materials mentioning features or use of this software sl@0: * must display the following acknowledgement: sl@0: * "This product includes cryptographic software written by sl@0: * Eric Young (eay@cryptsoft.com)" sl@0: * The word 'cryptographic' can be left out if the rouines from the library sl@0: * being used are not cryptographic related :-). sl@0: * 4. If you include any Windows specific code (or a derivative thereof) from sl@0: * the apps directory (application code) you must include an acknowledgement: sl@0: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" sl@0: * sl@0: * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND sl@0: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE sl@0: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE sl@0: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE sl@0: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL sl@0: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS sl@0: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) sl@0: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT sl@0: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY sl@0: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF sl@0: * SUCH DAMAGE. sl@0: * sl@0: * The licence and distribution terms for any publically available version or sl@0: * derivative of this code cannot be changed. i.e. this code cannot simply be sl@0: * copied and put under another distribution licence sl@0: * [including the GNU Public Licence.] sl@0: */ sl@0: /* ==================================================================== sl@0: * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. sl@0: * sl@0: * Redistribution and use in source and binary forms, with or without sl@0: * modification, are permitted provided that the following conditions sl@0: * are met: sl@0: * sl@0: * 1. Redistributions of source code must retain the above copyright sl@0: * notice, this list of conditions and the following disclaimer. sl@0: * sl@0: * 2. Redistributions in binary form must reproduce the above copyright sl@0: * notice, this list of conditions and the following disclaimer in sl@0: * the documentation and/or other materials provided with the sl@0: * distribution. sl@0: * sl@0: * 3. All advertising materials mentioning features or use of this sl@0: * software must display the following acknowledgment: sl@0: * "This product includes software developed by the OpenSSL Project sl@0: * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" sl@0: * sl@0: * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to sl@0: * endorse or promote products derived from this software without sl@0: * prior written permission. For written permission, please contact sl@0: * openssl-core@openssl.org. sl@0: * sl@0: * 5. Products derived from this software may not be called "OpenSSL" sl@0: * nor may "OpenSSL" appear in their names without prior written sl@0: * permission of the OpenSSL Project. sl@0: * sl@0: * 6. Redistributions of any form whatsoever must retain the following sl@0: * acknowledgment: sl@0: * "This product includes software developed by the OpenSSL Project sl@0: * for use in the OpenSSL Toolkit (http://www.openssl.org/)" sl@0: * sl@0: * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY sl@0: * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE sl@0: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR sl@0: * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR sl@0: * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, sl@0: * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT sl@0: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; sl@0: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) sl@0: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, sl@0: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) sl@0: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED sl@0: * OF THE POSSIBILITY OF SUCH DAMAGE. sl@0: * ==================================================================== sl@0: * sl@0: * This product includes cryptographic software written by Eric Young sl@0: * (eay@cryptsoft.com). This product includes software written by Tim sl@0: * Hudson (tjh@cryptsoft.com). sl@0: * sl@0: */ sl@0: /* ==================================================================== sl@0: * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. sl@0: * sl@0: * Portions of the attached software ("Contribution") are developed by sl@0: * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. sl@0: * sl@0: * The Contribution is licensed pursuant to the OpenSSL open source sl@0: * license provided above. sl@0: * sl@0: * ECC cipher suite support in OpenSSL originally written by sl@0: * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. sl@0: * sl@0: */ sl@0: /* sl@0: © Portions copyright (c) 2006 Nokia Corporation. All rights reserved. sl@0: */ sl@0: sl@0: #define REUSE_CIPHER_BUG sl@0: #define NETSCAPE_HANG_BUG sl@0: sl@0: #include sl@0: #include "ssl_locl.h" sl@0: #include "kssl_lcl.h" sl@0: #include sl@0: #include sl@0: #include sl@0: #include sl@0: #include sl@0: #include sl@0: #ifndef OPENSSL_NO_DH sl@0: #include sl@0: #endif sl@0: #include sl@0: #ifndef OPENSSL_NO_KRB5 sl@0: #include sl@0: #endif sl@0: #include sl@0: sl@0: #if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__))) sl@0: #include "libssl_wsd.h" sl@0: #endif sl@0: sl@0: #ifdef EMULATOR sl@0: sl@0: GET_STATIC_VAR_FROM_TLS(SSLv3_server_method_data,s3_srvr,SSL_METHOD) sl@0: sl@0: #define SSLv3_server_method_data (*GET_WSD_VAR_NAME(SSLv3_server_method_data,s3_srvr,s)()) sl@0: sl@0: #endif sl@0: sl@0: static SSL_METHOD *ssl3_get_server_method(int ver); sl@0: sl@0: #ifndef OPENSSL_NO_ECDH sl@0: static int nid2curve_id(int nid); sl@0: #endif sl@0: sl@0: static SSL_METHOD *ssl3_get_server_method(int ver) sl@0: { sl@0: if (ver == SSL3_VERSION) sl@0: return(SSLv3_server_method()); sl@0: else sl@0: return(NULL); sl@0: } sl@0: sl@0: EXPORT_C IMPLEMENT_ssl3_meth_func(SSLv3_server_method, sl@0: ssl3_accept, sl@0: ssl_undefined_function, sl@0: ssl3_get_server_method) sl@0: sl@0: int ssl3_accept(SSL *s) sl@0: { sl@0: BUF_MEM *buf; sl@0: unsigned long l,Time=(unsigned long)time(NULL); sl@0: void (*cb)(const SSL *ssl,int type,int val)=NULL; sl@0: long num1; sl@0: int ret= -1; sl@0: int new_state,state,skip=0; sl@0: sl@0: RAND_add(&Time,sizeof(Time),0); sl@0: ERR_clear_error(); sl@0: clear_sys_error(); sl@0: sl@0: if (s->info_callback != NULL) sl@0: cb=s->info_callback; sl@0: else if (s->ctx->info_callback != NULL) sl@0: cb=s->ctx->info_callback; sl@0: sl@0: /* init things to blank */ sl@0: s->in_handshake++; sl@0: if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); sl@0: sl@0: if (s->cert == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); sl@0: return(-1); sl@0: } sl@0: sl@0: for (;;) sl@0: { sl@0: state=s->state; sl@0: sl@0: switch (s->state) sl@0: { sl@0: case SSL_ST_RENEGOTIATE: sl@0: s->new_session=1; sl@0: /* s->state=SSL_ST_ACCEPT; */ sl@0: sl@0: case SSL_ST_BEFORE: sl@0: case SSL_ST_ACCEPT: sl@0: case SSL_ST_BEFORE|SSL_ST_ACCEPT: sl@0: case SSL_ST_OK|SSL_ST_ACCEPT: sl@0: sl@0: s->server=1; sl@0: if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); sl@0: sl@0: if ((s->version>>8) != 3) sl@0: { sl@0: SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); sl@0: return -1; sl@0: } sl@0: s->type=SSL_ST_ACCEPT; sl@0: sl@0: if (s->init_buf == NULL) sl@0: { sl@0: if ((buf=BUF_MEM_new()) == NULL) sl@0: { sl@0: ret= -1; sl@0: goto end; sl@0: } sl@0: if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) sl@0: { sl@0: ret= -1; sl@0: goto end; sl@0: } sl@0: s->init_buf=buf; sl@0: } sl@0: sl@0: if (!ssl3_setup_buffers(s)) sl@0: { sl@0: ret= -1; sl@0: goto end; sl@0: } sl@0: sl@0: s->init_num=0; sl@0: sl@0: if (s->state != SSL_ST_RENEGOTIATE) sl@0: { sl@0: /* Ok, we now need to push on a buffering BIO so that sl@0: * the output is sent in a way that TCP likes :-) sl@0: */ sl@0: if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } sl@0: sl@0: ssl3_init_finished_mac(s); sl@0: s->state=SSL3_ST_SR_CLNT_HELLO_A; sl@0: s->ctx->stats.sess_accept++; sl@0: } sl@0: else sl@0: { sl@0: /* s->state == SSL_ST_RENEGOTIATE, sl@0: * we will just send a HelloRequest */ sl@0: s->ctx->stats.sess_accept_renegotiate++; sl@0: s->state=SSL3_ST_SW_HELLO_REQ_A; sl@0: } sl@0: break; sl@0: sl@0: case SSL3_ST_SW_HELLO_REQ_A: sl@0: case SSL3_ST_SW_HELLO_REQ_B: sl@0: sl@0: s->shutdown=0; sl@0: ret=ssl3_send_hello_request(s); sl@0: if (ret <= 0) goto end; sl@0: s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; sl@0: s->state=SSL3_ST_SW_FLUSH; sl@0: s->init_num=0; sl@0: sl@0: ssl3_init_finished_mac(s); sl@0: break; sl@0: sl@0: case SSL3_ST_SW_HELLO_REQ_C: sl@0: s->state=SSL_ST_OK; sl@0: break; sl@0: sl@0: case SSL3_ST_SR_CLNT_HELLO_A: sl@0: case SSL3_ST_SR_CLNT_HELLO_B: sl@0: case SSL3_ST_SR_CLNT_HELLO_C: sl@0: sl@0: s->shutdown=0; sl@0: ret=ssl3_get_client_hello(s); sl@0: if (ret <= 0) goto end; sl@0: s->new_session = 2; sl@0: s->state=SSL3_ST_SW_SRVR_HELLO_A; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: case SSL3_ST_SW_SRVR_HELLO_A: sl@0: case SSL3_ST_SW_SRVR_HELLO_B: sl@0: ret=ssl3_send_server_hello(s); sl@0: if (ret <= 0) goto end; sl@0: sl@0: if (s->hit) sl@0: s->state=SSL3_ST_SW_CHANGE_A; sl@0: else sl@0: s->state=SSL3_ST_SW_CERT_A; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: case SSL3_ST_SW_CERT_A: sl@0: case SSL3_ST_SW_CERT_B: sl@0: /* Check if it is anon DH or anon ECDH or KRB5 */ sl@0: if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) sl@0: && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) sl@0: { sl@0: ret=ssl3_send_server_certificate(s); sl@0: if (ret <= 0) goto end; sl@0: } sl@0: else sl@0: skip=1; sl@0: s->state=SSL3_ST_SW_KEY_EXCH_A; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: case SSL3_ST_SW_KEY_EXCH_A: sl@0: case SSL3_ST_SW_KEY_EXCH_B: sl@0: l=s->s3->tmp.new_cipher->algorithms; sl@0: sl@0: /* clear this, it may get reset by sl@0: * send_server_key_exchange */ sl@0: if ((s->options & SSL_OP_EPHEMERAL_RSA) sl@0: #ifndef OPENSSL_NO_KRB5 sl@0: && !(l & SSL_KRB5) sl@0: #endif /* OPENSSL_NO_KRB5 */ sl@0: ) sl@0: /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key sl@0: * even when forbidden by protocol specs sl@0: * (handshake may fail as clients are not required to sl@0: * be able to handle this) */ sl@0: s->s3->tmp.use_rsa_tmp=1; sl@0: else sl@0: s->s3->tmp.use_rsa_tmp=0; sl@0: sl@0: sl@0: /* only send if a DH key exchange, fortezza or sl@0: * RSA but we have a sign only certificate sl@0: * sl@0: * For ECC ciphersuites, we send a serverKeyExchange sl@0: * message only if the cipher suite is either sl@0: * ECDH-anon or ECDHE. In other cases, the sl@0: * server certificate contains the server's sl@0: * public key for key exchange. sl@0: */ sl@0: if (s->s3->tmp.use_rsa_tmp sl@0: || (l & SSL_kECDHE) sl@0: || (l & (SSL_DH|SSL_kFZA)) sl@0: || ((l & SSL_kRSA) sl@0: && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL sl@0: || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) sl@0: && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) sl@0: ) sl@0: ) sl@0: ) sl@0: ) sl@0: { sl@0: ret=ssl3_send_server_key_exchange(s); sl@0: if (ret <= 0) goto end; sl@0: } sl@0: else sl@0: skip=1; sl@0: sl@0: s->state=SSL3_ST_SW_CERT_REQ_A; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: case SSL3_ST_SW_CERT_REQ_A: sl@0: case SSL3_ST_SW_CERT_REQ_B: sl@0: if (/* don't request cert unless asked for it: */ sl@0: !(s->verify_mode & SSL_VERIFY_PEER) || sl@0: /* if SSL_VERIFY_CLIENT_ONCE is set, sl@0: * don't request cert during re-negotiation: */ sl@0: ((s->session->peer != NULL) && sl@0: (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || sl@0: /* never request cert in anonymous ciphersuites sl@0: * (see section "Certificate request" in SSL 3 drafts sl@0: * and in RFC 2246): */ sl@0: ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && sl@0: /* ... except when the application insists on verification sl@0: * (against the specs, but s3_clnt.c accepts this for SSL 3) */ sl@0: !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || sl@0: /* never request cert in Kerberos ciphersuites */ sl@0: (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) sl@0: { sl@0: /* no cert request */ sl@0: skip=1; sl@0: s->s3->tmp.cert_request=0; sl@0: s->state=SSL3_ST_SW_SRVR_DONE_A; sl@0: } sl@0: else sl@0: { sl@0: s->s3->tmp.cert_request=1; sl@0: ret=ssl3_send_certificate_request(s); sl@0: if (ret <= 0) goto end; sl@0: #ifndef NETSCAPE_HANG_BUG sl@0: s->state=SSL3_ST_SW_SRVR_DONE_A; sl@0: #else sl@0: s->state=SSL3_ST_SW_FLUSH; sl@0: s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; sl@0: #endif sl@0: s->init_num=0; sl@0: } sl@0: break; sl@0: sl@0: case SSL3_ST_SW_SRVR_DONE_A: sl@0: case SSL3_ST_SW_SRVR_DONE_B: sl@0: ret=ssl3_send_server_done(s); sl@0: if (ret <= 0) goto end; sl@0: s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; sl@0: s->state=SSL3_ST_SW_FLUSH; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: case SSL3_ST_SW_FLUSH: sl@0: /* number of bytes to be flushed */ sl@0: num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); sl@0: if (num1 > 0) sl@0: { sl@0: s->rwstate=SSL_WRITING; sl@0: num1=BIO_flush(s->wbio); sl@0: if (num1 <= 0) { ret= -1; goto end; } sl@0: s->rwstate=SSL_NOTHING; sl@0: } sl@0: sl@0: s->state=s->s3->tmp.next_state; sl@0: break; sl@0: sl@0: case SSL3_ST_SR_CERT_A: sl@0: case SSL3_ST_SR_CERT_B: sl@0: /* Check for second client hello (MS SGC) */ sl@0: ret = ssl3_check_client_hello(s); sl@0: if (ret <= 0) sl@0: goto end; sl@0: if (ret == 2) sl@0: s->state = SSL3_ST_SR_CLNT_HELLO_C; sl@0: else { sl@0: if (s->s3->tmp.cert_request) sl@0: { sl@0: ret=ssl3_get_client_certificate(s); sl@0: if (ret <= 0) goto end; sl@0: } sl@0: s->init_num=0; sl@0: s->state=SSL3_ST_SR_KEY_EXCH_A; sl@0: } sl@0: break; sl@0: sl@0: case SSL3_ST_SR_KEY_EXCH_A: sl@0: case SSL3_ST_SR_KEY_EXCH_B: sl@0: ret=ssl3_get_client_key_exchange(s); sl@0: if (ret <= 0) sl@0: goto end; sl@0: if (ret == 2) sl@0: { sl@0: /* For the ECDH ciphersuites when sl@0: * the client sends its ECDH pub key in sl@0: * a certificate, the CertificateVerify sl@0: * message is not sent. sl@0: */ sl@0: s->state=SSL3_ST_SR_FINISHED_A; sl@0: s->init_num = 0; sl@0: } sl@0: else sl@0: { sl@0: s->state=SSL3_ST_SR_CERT_VRFY_A; sl@0: s->init_num=0; sl@0: sl@0: /* We need to get hashes here so if there is sl@0: * a client cert, it can be verified sl@0: */ sl@0: s->method->ssl3_enc->cert_verify_mac(s, sl@0: &(s->s3->finish_dgst1), sl@0: &(s->s3->tmp.cert_verify_md[0])); sl@0: s->method->ssl3_enc->cert_verify_mac(s, sl@0: &(s->s3->finish_dgst2), sl@0: &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); sl@0: } sl@0: break; sl@0: sl@0: case SSL3_ST_SR_CERT_VRFY_A: sl@0: case SSL3_ST_SR_CERT_VRFY_B: sl@0: sl@0: /* we should decide if we expected this one */ sl@0: ret=ssl3_get_cert_verify(s); sl@0: if (ret <= 0) goto end; sl@0: sl@0: s->state=SSL3_ST_SR_FINISHED_A; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: case SSL3_ST_SR_FINISHED_A: sl@0: case SSL3_ST_SR_FINISHED_B: sl@0: ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, sl@0: SSL3_ST_SR_FINISHED_B); sl@0: if (ret <= 0) goto end; sl@0: if (s->hit) sl@0: s->state=SSL_ST_OK; sl@0: sl@0: else sl@0: s->state=SSL3_ST_SW_CHANGE_A; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: sl@0: sl@0: case SSL3_ST_SW_CHANGE_A: sl@0: case SSL3_ST_SW_CHANGE_B: sl@0: sl@0: s->session->cipher=s->s3->tmp.new_cipher; sl@0: if (!s->method->ssl3_enc->setup_key_block(s)) sl@0: { ret= -1; goto end; } sl@0: sl@0: ret=ssl3_send_change_cipher_spec(s, sl@0: SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); sl@0: sl@0: if (ret <= 0) goto end; sl@0: s->state=SSL3_ST_SW_FINISHED_A; sl@0: s->init_num=0; sl@0: sl@0: if (!s->method->ssl3_enc->change_cipher_state(s, sl@0: SSL3_CHANGE_CIPHER_SERVER_WRITE)) sl@0: { sl@0: ret= -1; sl@0: goto end; sl@0: } sl@0: sl@0: break; sl@0: sl@0: case SSL3_ST_SW_FINISHED_A: sl@0: case SSL3_ST_SW_FINISHED_B: sl@0: ret=ssl3_send_finished(s, sl@0: SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, sl@0: s->method->ssl3_enc->server_finished_label, sl@0: s->method->ssl3_enc->server_finished_label_len); sl@0: if (ret <= 0) goto end; sl@0: s->state=SSL3_ST_SW_FLUSH; sl@0: if (s->hit) sl@0: s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; sl@0: else sl@0: s->s3->tmp.next_state=SSL_ST_OK; sl@0: s->init_num=0; sl@0: break; sl@0: sl@0: case SSL_ST_OK: sl@0: /* clean a few things up */ sl@0: ssl3_cleanup_key_block(s); sl@0: sl@0: BUF_MEM_free(s->init_buf); sl@0: s->init_buf=NULL; sl@0: sl@0: /* remove buffering on output */ sl@0: ssl_free_wbio_buffer(s); sl@0: sl@0: s->init_num=0; sl@0: sl@0: if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ sl@0: { sl@0: /* actually not necessarily a 'new' session unless sl@0: * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ sl@0: sl@0: s->new_session=0; sl@0: sl@0: ssl_update_cache(s,SSL_SESS_CACHE_SERVER); sl@0: sl@0: s->ctx->stats.sess_accept_good++; sl@0: /* s->server=1; */ sl@0: s->handshake_func=ssl3_accept; sl@0: sl@0: if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); sl@0: } sl@0: sl@0: ret = 1; sl@0: goto end; sl@0: /* break; */ sl@0: sl@0: default: sl@0: SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); sl@0: ret= -1; sl@0: goto end; sl@0: /* break; */ sl@0: } sl@0: sl@0: if (!s->s3->tmp.reuse_message && !skip) sl@0: { sl@0: if (s->debug) sl@0: { sl@0: if ((ret=BIO_flush(s->wbio)) <= 0) sl@0: goto end; sl@0: } sl@0: sl@0: sl@0: if ((cb != NULL) && (s->state != state)) sl@0: { sl@0: new_state=s->state; sl@0: s->state=state; sl@0: cb(s,SSL_CB_ACCEPT_LOOP,1); sl@0: s->state=new_state; sl@0: } sl@0: } sl@0: skip=0; sl@0: } sl@0: end: sl@0: /* BIO_flush(s->wbio); */ sl@0: sl@0: s->in_handshake--; sl@0: if (cb != NULL) sl@0: cb(s,SSL_CB_ACCEPT_EXIT,ret); sl@0: return(ret); sl@0: } sl@0: sl@0: int ssl3_send_hello_request(SSL *s) sl@0: { sl@0: unsigned char *p; sl@0: sl@0: if (s->state == SSL3_ST_SW_HELLO_REQ_A) sl@0: { sl@0: p=(unsigned char *)s->init_buf->data; sl@0: *(p++)=SSL3_MT_HELLO_REQUEST; sl@0: *(p++)=0; sl@0: *(p++)=0; sl@0: *(p++)=0; sl@0: sl@0: s->state=SSL3_ST_SW_HELLO_REQ_B; sl@0: /* number of bytes to write */ sl@0: s->init_num=4; sl@0: s->init_off=0; sl@0: } sl@0: sl@0: /* SSL3_ST_SW_HELLO_REQ_B */ sl@0: return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); sl@0: } sl@0: sl@0: int ssl3_check_client_hello(SSL *s) sl@0: { sl@0: int ok; sl@0: long n; sl@0: sl@0: /* this function is called when we really expect a Certificate message, sl@0: * so permit appropriate message length */ sl@0: n=s->method->ssl_get_message(s, sl@0: SSL3_ST_SR_CERT_A, sl@0: SSL3_ST_SR_CERT_B, sl@0: -1, sl@0: s->max_cert_list, sl@0: &ok); sl@0: if (!ok) return((int)n); sl@0: s->s3->tmp.reuse_message = 1; sl@0: if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) sl@0: { sl@0: /* Throw away what we have done so far in the current handshake, sl@0: * which will now be aborted. (A full SSL_clear would be too much.) sl@0: * I hope that tmp.dh is the only thing that may need to be cleared sl@0: * when a handshake is not completed ... */ sl@0: #ifndef OPENSSL_NO_DH sl@0: if (s->s3->tmp.dh != NULL) sl@0: { sl@0: DH_free(s->s3->tmp.dh); sl@0: s->s3->tmp.dh = NULL; sl@0: } sl@0: #endif sl@0: return 2; sl@0: } sl@0: return 1; sl@0: } sl@0: sl@0: int ssl3_get_client_hello(SSL *s) sl@0: { sl@0: int i,j,ok,al,ret= -1; sl@0: unsigned int cookie_len; sl@0: long n; sl@0: unsigned long id; sl@0: unsigned char *p,*d,*q; sl@0: SSL_CIPHER *c; sl@0: #ifndef OPENSSL_NO_COMP sl@0: SSL_COMP *comp=NULL; sl@0: #endif sl@0: STACK_OF(SSL_CIPHER) *ciphers=NULL; sl@0: sl@0: /* We do this so that we will respond with our native type. sl@0: * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, sl@0: * This down switching should be handled by a different method. sl@0: * If we are SSLv3, we will respond with SSLv3, even if prompted with sl@0: * TLSv1. sl@0: */ sl@0: if (s->state == SSL3_ST_SR_CLNT_HELLO_A) sl@0: { sl@0: s->state=SSL3_ST_SR_CLNT_HELLO_B; sl@0: } sl@0: s->first_packet=1; sl@0: n=s->method->ssl_get_message(s, sl@0: SSL3_ST_SR_CLNT_HELLO_B, sl@0: SSL3_ST_SR_CLNT_HELLO_C, sl@0: SSL3_MT_CLIENT_HELLO, sl@0: SSL3_RT_MAX_PLAIN_LENGTH, sl@0: &ok); sl@0: sl@0: if (!ok) return((int)n); sl@0: s->first_packet=0; sl@0: d=p=(unsigned char *)s->init_msg; sl@0: sl@0: /* use version from inside client hello, not from record header sl@0: * (may differ: see RFC 2246, Appendix E, second paragraph) */ sl@0: s->client_version=(((int)p[0])<<8)|(int)p[1]; sl@0: p+=2; sl@0: sl@0: if ((s->version == DTLS1_VERSION && s->client_version > s->version) || sl@0: (s->version != DTLS1_VERSION && s->client_version < s->version)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); sl@0: if ((s->client_version>>8) == SSL3_VERSION_MAJOR) sl@0: { sl@0: /* similar to ssl3_get_record, send alert using remote version number */ sl@0: s->version = s->client_version; sl@0: } sl@0: al = SSL_AD_PROTOCOL_VERSION; sl@0: goto f_err; sl@0: } sl@0: sl@0: /* load the client random */ sl@0: memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); sl@0: p+=SSL3_RANDOM_SIZE; sl@0: sl@0: /* get the session-id */ sl@0: j= *(p++); sl@0: sl@0: s->hit=0; sl@0: /* Versions before 0.9.7 always allow session reuse during renegotiation sl@0: * (i.e. when s->new_session is true), option sl@0: * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. sl@0: * Maybe this optional behaviour should always have been the default, sl@0: * but we cannot safely change the default behaviour (or new applications sl@0: * might be written that become totally unsecure when compiled with sl@0: * an earlier library version) sl@0: */ sl@0: if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) sl@0: { sl@0: if (!ssl_get_new_session(s,1)) sl@0: goto err; sl@0: } sl@0: else sl@0: { sl@0: i=ssl_get_prev_session(s, p, j, d + n); sl@0: if (i == 1) sl@0: { /* previous session */ sl@0: s->hit=1; sl@0: } sl@0: else if (i == -1) sl@0: goto err; sl@0: else /* i == 0 */ sl@0: { sl@0: if (!ssl_get_new_session(s,1)) sl@0: goto err; sl@0: } sl@0: } sl@0: sl@0: p+=j; sl@0: sl@0: if (s->version == DTLS1_VERSION) sl@0: { sl@0: /* cookie stuff */ sl@0: cookie_len = *(p++); sl@0: sl@0: if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && sl@0: s->d1->send_cookie == 0) sl@0: { sl@0: /* HelloVerifyMessage has already been sent */ sl@0: if ( cookie_len != s->d1->cookie_len) sl@0: { sl@0: al = SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: } sl@0: sl@0: /* sl@0: * The ClientHello may contain a cookie even if the sl@0: * HelloVerify message has not been sent--make sure that it sl@0: * does not cause an overflow. sl@0: */ sl@0: if ( cookie_len > sizeof(s->d1->rcvd_cookie)) sl@0: { sl@0: /* too much data */ sl@0: al = SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: sl@0: /* verify the cookie if appropriate option is set. */ sl@0: if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && sl@0: cookie_len > 0) sl@0: { sl@0: memcpy(s->d1->rcvd_cookie, p, cookie_len); sl@0: sl@0: if ( s->ctx->app_verify_cookie_cb != NULL) sl@0: { sl@0: if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, sl@0: cookie_len) == 0) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, sl@0: SSL_R_COOKIE_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: /* else cookie verification succeeded */ sl@0: } sl@0: else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, sl@0: s->d1->cookie_len) != 0) /* default verification */ sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, sl@0: SSL_R_COOKIE_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: } sl@0: sl@0: p += cookie_len; sl@0: } sl@0: sl@0: n2s(p,i); sl@0: if ((i == 0) && (j != 0)) sl@0: { sl@0: /* we need a cipher if we are not resuming a session */ sl@0: al=SSL_AD_ILLEGAL_PARAMETER; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); sl@0: goto f_err; sl@0: } sl@0: if ((p+i) >= (d+n)) sl@0: { sl@0: /* not enough data */ sl@0: al=SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) sl@0: == NULL)) sl@0: { sl@0: goto err; sl@0: } sl@0: p+=i; sl@0: sl@0: /* If it is a hit, check that the cipher is in the list */ sl@0: if ((s->hit) && (i > 0)) sl@0: { sl@0: j=0; sl@0: id=s->session->cipher->id; sl@0: sl@0: #ifdef CIPHER_DEBUG sl@0: printf("client sent %d ciphers\n",sk_num(ciphers)); sl@0: #endif sl@0: for (i=0; iid == id) sl@0: { sl@0: j=1; sl@0: break; sl@0: } sl@0: } sl@0: if (j == 0) sl@0: { sl@0: if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) sl@0: { sl@0: /* Very bad for multi-threading.... */ sl@0: s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0); sl@0: } sl@0: else sl@0: { sl@0: /* we need to have the cipher in the cipher sl@0: * list if we are asked to reuse it */ sl@0: al=SSL_AD_ILLEGAL_PARAMETER; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); sl@0: goto f_err; sl@0: } sl@0: } sl@0: } sl@0: sl@0: /* compression */ sl@0: i= *(p++); sl@0: if ((p+i) > (d+n)) sl@0: { sl@0: /* not enough data */ sl@0: al=SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: q=p; sl@0: for (j=0; j= i) sl@0: { sl@0: /* no compress */ sl@0: al=SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); sl@0: goto f_err; sl@0: } sl@0: sl@0: sl@0: /* Worst case, we will use the NULL compression, but if we have other sl@0: * options, we will now look for them. We have i-1 compression sl@0: * algorithms from the client, starting at q. */ sl@0: s->s3->tmp.new_compression=NULL; sl@0: #ifndef OPENSSL_NO_COMP sl@0: if (s->ctx->comp_methods != NULL) sl@0: { /* See if we have a match */ sl@0: int m,nn,o,v,done=0; sl@0: sl@0: nn=sk_SSL_COMP_num(s->ctx->comp_methods); sl@0: for (m=0; mctx->comp_methods,m); sl@0: v=comp->id; sl@0: for (o=0; os3->tmp.new_compression=comp; sl@0: else sl@0: comp=NULL; sl@0: } sl@0: #endif sl@0: sl@0: /* TLS does not mind if there is extra stuff */ sl@0: #if 0 /* SSL 3.0 does not mind either, so we should disable this test sl@0: * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, sl@0: * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ sl@0: if (s->version == SSL3_VERSION) sl@0: { sl@0: if (p < (d+n)) sl@0: { sl@0: /* wrong number of bytes, sl@0: * there could be more to follow */ sl@0: al=SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: } sl@0: #endif sl@0: sl@0: /* Given s->session->ciphers and SSL_get_ciphers, we must sl@0: * pick a cipher */ sl@0: sl@0: if (!s->hit) sl@0: { sl@0: #ifdef OPENSSL_NO_COMP sl@0: s->session->compress_meth=0; sl@0: #else sl@0: s->session->compress_meth=(comp == NULL)?0:comp->id; sl@0: #endif sl@0: if (s->session->ciphers != NULL) sl@0: sk_SSL_CIPHER_free(s->session->ciphers); sl@0: s->session->ciphers=ciphers; sl@0: if (ciphers == NULL) sl@0: { sl@0: al=SSL_AD_ILLEGAL_PARAMETER; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); sl@0: goto f_err; sl@0: } sl@0: ciphers=NULL; sl@0: c=ssl3_choose_cipher(s,s->session->ciphers, sl@0: SSL_get_ciphers(s)); sl@0: sl@0: if (c == NULL) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); sl@0: goto f_err; sl@0: } sl@0: s->s3->tmp.new_cipher=c; sl@0: } sl@0: else sl@0: { sl@0: /* Session-id reuse */ sl@0: #ifdef REUSE_CIPHER_BUG sl@0: STACK_OF(SSL_CIPHER) *sk; sl@0: SSL_CIPHER *nc=NULL; sl@0: SSL_CIPHER *ec=NULL; sl@0: sl@0: if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) sl@0: { sl@0: sk=s->session->ciphers; sl@0: for (i=0; ialgorithms & SSL_eNULL) sl@0: nc=c; sl@0: if (SSL_C_IS_EXPORT(c)) sl@0: ec=c; sl@0: } sl@0: if (nc != NULL) sl@0: s->s3->tmp.new_cipher=nc; sl@0: else if (ec != NULL) sl@0: s->s3->tmp.new_cipher=ec; sl@0: else sl@0: s->s3->tmp.new_cipher=s->session->cipher; sl@0: } sl@0: else sl@0: #endif sl@0: s->s3->tmp.new_cipher=s->session->cipher; sl@0: } sl@0: sl@0: /* we now have the following setup. sl@0: * client_random sl@0: * cipher_list - our prefered list of ciphers sl@0: * ciphers - the clients prefered list of ciphers sl@0: * compression - basically ignored right now sl@0: * ssl version is set - sslv3 sl@0: * s->session - The ssl session has been setup. sl@0: * s->hit - session reuse flag sl@0: * s->tmp.new_cipher - the new cipher to use. sl@0: */ sl@0: sl@0: ret=1; sl@0: if (0) sl@0: { sl@0: f_err: sl@0: ssl3_send_alert(s,SSL3_AL_FATAL,al); sl@0: } sl@0: err: sl@0: if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); sl@0: return(ret); sl@0: } sl@0: sl@0: int ssl3_send_server_hello(SSL *s) sl@0: { sl@0: unsigned char *buf; sl@0: unsigned char *p,*d; sl@0: int i,sl; sl@0: unsigned long l,Time; sl@0: sl@0: if (s->state == SSL3_ST_SW_SRVR_HELLO_A) sl@0: { sl@0: buf=(unsigned char *)s->init_buf->data; sl@0: p=s->s3->server_random; sl@0: Time=(unsigned long)time(NULL); /* Time */ sl@0: l2n(Time,p); sl@0: if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) sl@0: return -1; sl@0: /* Do the message type and length last */ sl@0: d=p= &(buf[4]); sl@0: sl@0: *(p++)=s->version>>8; sl@0: *(p++)=s->version&0xff; sl@0: sl@0: /* Random stuff */ sl@0: memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); sl@0: p+=SSL3_RANDOM_SIZE; sl@0: sl@0: /* now in theory we have 3 options to sending back the sl@0: * session id. If it is a re-use, we send back the sl@0: * old session-id, if it is a new session, we send sl@0: * back the new session-id or we send back a 0 length sl@0: * session-id if we want it to be single use. sl@0: * Currently I will not implement the '0' length session-id sl@0: * 12-Jan-98 - I'll now support the '0' length stuff. sl@0: */ sl@0: if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) sl@0: s->session->session_id_length=0; sl@0: sl@0: sl=s->session->session_id_length; sl@0: if (sl > (int)sizeof(s->session->session_id)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); sl@0: return -1; sl@0: } sl@0: *(p++)=sl; sl@0: memcpy(p,s->session->session_id,sl); sl@0: p+=sl; sl@0: sl@0: /* put the cipher */ sl@0: i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); sl@0: p+=i; sl@0: sl@0: /* put the compression method */ sl@0: #ifdef OPENSSL_NO_COMP sl@0: *(p++)=0; sl@0: #else sl@0: if (s->s3->tmp.new_compression == NULL) sl@0: *(p++)=0; sl@0: else sl@0: *(p++)=s->s3->tmp.new_compression->id; sl@0: #endif sl@0: sl@0: /* do the header */ sl@0: l=(p-d); sl@0: d=buf; sl@0: *(d++)=SSL3_MT_SERVER_HELLO; sl@0: l2n3(l,d); sl@0: sl@0: s->state=SSL3_ST_CW_CLNT_HELLO_B; sl@0: /* number of bytes to write */ sl@0: s->init_num=p-buf; sl@0: s->init_off=0; sl@0: } sl@0: sl@0: /* SSL3_ST_CW_CLNT_HELLO_B */ sl@0: return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); sl@0: } sl@0: sl@0: int ssl3_send_server_done(SSL *s) sl@0: { sl@0: unsigned char *p; sl@0: sl@0: if (s->state == SSL3_ST_SW_SRVR_DONE_A) sl@0: { sl@0: p=(unsigned char *)s->init_buf->data; sl@0: sl@0: /* do the header */ sl@0: *(p++)=SSL3_MT_SERVER_DONE; sl@0: *(p++)=0; sl@0: *(p++)=0; sl@0: *(p++)=0; sl@0: sl@0: s->state=SSL3_ST_SW_SRVR_DONE_B; sl@0: /* number of bytes to write */ sl@0: s->init_num=4; sl@0: s->init_off=0; sl@0: } sl@0: sl@0: /* SSL3_ST_CW_CLNT_HELLO_B */ sl@0: return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); sl@0: } sl@0: sl@0: int ssl3_send_server_key_exchange(SSL *s) sl@0: { sl@0: #ifndef OPENSSL_NO_RSA sl@0: unsigned char *q; sl@0: int j,num; sl@0: RSA *rsa; sl@0: unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; sl@0: unsigned int u; sl@0: #endif sl@0: #ifndef OPENSSL_NO_DH sl@0: DH *dh=NULL,*dhp; sl@0: #endif sl@0: #ifndef OPENSSL_NO_ECDH sl@0: EC_KEY *ecdh=NULL, *ecdhp; sl@0: unsigned char *encodedPoint = NULL; sl@0: int encodedlen = 0; sl@0: int curve_id = 0; sl@0: BN_CTX *bn_ctx = NULL; sl@0: #endif sl@0: EVP_PKEY *pkey; sl@0: unsigned char *p,*d; sl@0: int al,i; sl@0: unsigned long type; sl@0: int n; sl@0: CERT *cert; sl@0: BIGNUM *r[4]; sl@0: int nr[4],kn; sl@0: BUF_MEM *buf; sl@0: EVP_MD_CTX md_ctx; sl@0: sl@0: EVP_MD_CTX_init(&md_ctx); sl@0: if (s->state == SSL3_ST_SW_KEY_EXCH_A) sl@0: { sl@0: type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; sl@0: cert=s->cert; sl@0: sl@0: buf=s->init_buf; sl@0: sl@0: r[0]=r[1]=r[2]=r[3]=NULL; sl@0: n=0; sl@0: #ifndef OPENSSL_NO_RSA sl@0: if (type & SSL_kRSA) sl@0: { sl@0: rsa=cert->rsa_tmp; sl@0: if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) sl@0: { sl@0: rsa=s->cert->rsa_tmp_cb(s, sl@0: SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), sl@0: SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); sl@0: if(rsa == NULL) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); sl@0: goto f_err; sl@0: } sl@0: RSA_up_ref(rsa); sl@0: cert->rsa_tmp=rsa; sl@0: } sl@0: if (rsa == NULL) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); sl@0: goto f_err; sl@0: } sl@0: r[0]=rsa->n; sl@0: r[1]=rsa->e; sl@0: s->s3->tmp.use_rsa_tmp=1; sl@0: } sl@0: else sl@0: #endif sl@0: #ifndef OPENSSL_NO_DH sl@0: if (type & SSL_kEDH) sl@0: { sl@0: dhp=cert->dh_tmp; sl@0: if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) sl@0: dhp=s->cert->dh_tmp_cb(s, sl@0: SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), sl@0: SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); sl@0: if (dhp == NULL) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); sl@0: goto f_err; sl@0: } sl@0: sl@0: if (s->s3->tmp.dh != NULL) sl@0: { sl@0: DH_free(dh); sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); sl@0: goto err; sl@0: } sl@0: sl@0: if ((dh=DHparams_dup(dhp)) == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); sl@0: goto err; sl@0: } sl@0: sl@0: s->s3->tmp.dh=dh; sl@0: if ((dhp->pub_key == NULL || sl@0: dhp->priv_key == NULL || sl@0: (s->options & SSL_OP_SINGLE_DH_USE))) sl@0: { sl@0: if(!DH_generate_key(dh)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, sl@0: ERR_R_DH_LIB); sl@0: goto err; sl@0: } sl@0: } sl@0: else sl@0: { sl@0: dh->pub_key=BN_dup(dhp->pub_key); sl@0: dh->priv_key=BN_dup(dhp->priv_key); sl@0: if ((dh->pub_key == NULL) || sl@0: (dh->priv_key == NULL)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); sl@0: goto err; sl@0: } sl@0: } sl@0: r[0]=dh->p; sl@0: r[1]=dh->g; sl@0: r[2]=dh->pub_key; sl@0: } sl@0: else sl@0: #endif sl@0: #ifndef OPENSSL_NO_ECDH sl@0: if (type & SSL_kECDHE) sl@0: { sl@0: const EC_GROUP *group; sl@0: sl@0: ecdhp=cert->ecdh_tmp; sl@0: if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) sl@0: { sl@0: ecdhp=s->cert->ecdh_tmp_cb(s, sl@0: SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), sl@0: SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); sl@0: } sl@0: if (ecdhp == NULL) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); sl@0: goto f_err; sl@0: } sl@0: sl@0: if (s->s3->tmp.ecdh != NULL) sl@0: { sl@0: EC_KEY_free(s->s3->tmp.ecdh); sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); sl@0: goto err; sl@0: } sl@0: sl@0: /* Duplicate the ECDH structure. */ sl@0: if (ecdhp == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); sl@0: goto err; sl@0: } sl@0: if (!EC_KEY_up_ref(ecdhp)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); sl@0: goto err; sl@0: } sl@0: ecdh = ecdhp; sl@0: sl@0: s->s3->tmp.ecdh=ecdh; sl@0: if ((EC_KEY_get0_public_key(ecdh) == NULL) || sl@0: (EC_KEY_get0_private_key(ecdh) == NULL) || sl@0: (s->options & SSL_OP_SINGLE_ECDH_USE)) sl@0: { sl@0: if(!EC_KEY_generate_key(ecdh)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); sl@0: goto err; sl@0: } sl@0: } sl@0: sl@0: if (((group = EC_KEY_get0_group(ecdh)) == NULL) || sl@0: (EC_KEY_get0_public_key(ecdh) == NULL) || sl@0: (EC_KEY_get0_private_key(ecdh) == NULL)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); sl@0: goto err; sl@0: } sl@0: sl@0: if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && sl@0: (EC_GROUP_get_degree(group) > 163)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); sl@0: goto err; sl@0: } sl@0: sl@0: /* XXX: For now, we only support ephemeral ECDH sl@0: * keys over named (not generic) curves. For sl@0: * supported named curves, curve_id is non-zero. sl@0: */ sl@0: if ((curve_id = sl@0: nid2curve_id(EC_GROUP_get_curve_name(group))) sl@0: == 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); sl@0: goto err; sl@0: } sl@0: sl@0: /* Encode the public key. sl@0: * First check the size of encoding and sl@0: * allocate memory accordingly. sl@0: */ sl@0: encodedlen = EC_POINT_point2oct(group, sl@0: EC_KEY_get0_public_key(ecdh), sl@0: POINT_CONVERSION_UNCOMPRESSED, sl@0: NULL, 0, NULL); sl@0: sl@0: encodedPoint = (unsigned char *) sl@0: OPENSSL_malloc(encodedlen*sizeof(unsigned char)); sl@0: bn_ctx = BN_CTX_new(); sl@0: if ((encodedPoint == NULL) || (bn_ctx == NULL)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); sl@0: goto err; sl@0: } sl@0: sl@0: sl@0: encodedlen = EC_POINT_point2oct(group, sl@0: EC_KEY_get0_public_key(ecdh), sl@0: POINT_CONVERSION_UNCOMPRESSED, sl@0: encodedPoint, encodedlen, bn_ctx); sl@0: sl@0: if (encodedlen == 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); sl@0: goto err; sl@0: } sl@0: sl@0: BN_CTX_free(bn_ctx); bn_ctx=NULL; sl@0: sl@0: /* XXX: For now, we only support named (not sl@0: * generic) curves in ECDH ephemeral key exchanges. sl@0: * In this situation, we need four additional bytes sl@0: * to encode the entire ServerECDHParams sl@0: * structure. sl@0: */ sl@0: n = 4 + encodedlen; sl@0: sl@0: /* We'll generate the serverKeyExchange message sl@0: * explicitly so we can set these to NULLs sl@0: */ sl@0: r[0]=NULL; sl@0: r[1]=NULL; sl@0: r[2]=NULL; sl@0: r[3]=NULL; sl@0: } sl@0: else sl@0: #endif /* !OPENSSL_NO_ECDH */ sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); sl@0: goto f_err; sl@0: } sl@0: for (i=0; r[i] != NULL; i++) sl@0: { sl@0: nr[i]=BN_num_bytes(r[i]); sl@0: n+=2+nr[i]; sl@0: } sl@0: sl@0: if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) sl@0: { sl@0: if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) sl@0: == NULL) sl@0: { sl@0: al=SSL_AD_DECODE_ERROR; sl@0: goto f_err; sl@0: } sl@0: kn=EVP_PKEY_size(pkey); sl@0: } sl@0: else sl@0: { sl@0: pkey=NULL; sl@0: kn=0; sl@0: } sl@0: sl@0: if (!BUF_MEM_grow_clean(buf,n+4+kn)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); sl@0: goto err; sl@0: } sl@0: d=(unsigned char *)s->init_buf->data; sl@0: p= &(d[4]); sl@0: sl@0: for (i=0; r[i] != NULL; i++) sl@0: { sl@0: s2n(nr[i],p); sl@0: BN_bn2bin(r[i],p); sl@0: p+=nr[i]; sl@0: } sl@0: sl@0: #ifndef OPENSSL_NO_ECDH sl@0: if (type & SSL_kECDHE) sl@0: { sl@0: /* XXX: For now, we only support named (not generic) curves. sl@0: * In this situation, the serverKeyExchange message has: sl@0: * [1 byte CurveType], [2 byte CurveName] sl@0: * [1 byte length of encoded point], followed by sl@0: * the actual encoded point itself sl@0: */ sl@0: *p = NAMED_CURVE_TYPE; sl@0: p += 1; sl@0: *p = 0; sl@0: p += 1; sl@0: *p = curve_id; sl@0: p += 1; sl@0: *p = encodedlen; sl@0: p += 1; sl@0: memcpy((unsigned char*)p, sl@0: (unsigned char *)encodedPoint, sl@0: encodedlen); sl@0: OPENSSL_free(encodedPoint); sl@0: p += encodedlen; sl@0: } sl@0: #endif sl@0: sl@0: /* not anonymous */ sl@0: if (pkey != NULL) sl@0: { sl@0: /* n is the length of the params, they start at &(d[4]) sl@0: * and p points to the space at the end. */ sl@0: #ifndef OPENSSL_NO_RSA sl@0: if (pkey->type == EVP_PKEY_RSA) sl@0: { sl@0: q=md_buf; sl@0: j=0; sl@0: for (num=2; num > 0; num--) sl@0: { sl@0: EVP_DigestInit_ex(&md_ctx,(num == 2) sl@0: ?s->ctx->md5:s->ctx->sha1, NULL); sl@0: EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); sl@0: EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); sl@0: EVP_DigestUpdate(&md_ctx,&(d[4]),n); sl@0: EVP_DigestFinal_ex(&md_ctx,q, sl@0: (unsigned int *)&i); sl@0: q+=i; sl@0: j+=i; sl@0: } sl@0: if (RSA_sign(NID_md5_sha1, md_buf, j, sl@0: &(p[2]), &u, pkey->pkey.rsa) <= 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); sl@0: goto err; sl@0: } sl@0: s2n(u,p); sl@0: n+=u+2; sl@0: } sl@0: else sl@0: #endif sl@0: #if !defined(OPENSSL_NO_DSA) sl@0: if (pkey->type == EVP_PKEY_DSA) sl@0: { sl@0: /* lets do DSS */ sl@0: EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); sl@0: EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); sl@0: EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); sl@0: EVP_SignUpdate(&md_ctx,&(d[4]),n); sl@0: if (!EVP_SignFinal(&md_ctx,&(p[2]), sl@0: (unsigned int *)&i,pkey)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); sl@0: goto err; sl@0: } sl@0: s2n(i,p); sl@0: n+=i+2; sl@0: } sl@0: else sl@0: #endif sl@0: #if !defined(OPENSSL_NO_ECDSA) sl@0: if (pkey->type == EVP_PKEY_EC) sl@0: { sl@0: /* let's do ECDSA */ sl@0: EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); sl@0: EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); sl@0: EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); sl@0: EVP_SignUpdate(&md_ctx,&(d[4]),n); sl@0: if (!EVP_SignFinal(&md_ctx,&(p[2]), sl@0: (unsigned int *)&i,pkey)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA); sl@0: goto err; sl@0: } sl@0: s2n(i,p); sl@0: n+=i+2; sl@0: } sl@0: else sl@0: #endif sl@0: { sl@0: /* Is this error check actually needed? */ sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); sl@0: goto f_err; sl@0: } sl@0: } sl@0: sl@0: *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; sl@0: l2n3(n,d); sl@0: sl@0: /* we should now have things packed up, so lets send sl@0: * it off */ sl@0: s->init_num=n+4; sl@0: s->init_off=0; sl@0: } sl@0: sl@0: s->state = SSL3_ST_SW_KEY_EXCH_B; sl@0: EVP_MD_CTX_cleanup(&md_ctx); sl@0: return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); sl@0: f_err: sl@0: ssl3_send_alert(s,SSL3_AL_FATAL,al); sl@0: err: sl@0: #ifndef OPENSSL_NO_ECDH sl@0: if (encodedPoint != NULL) OPENSSL_free(encodedPoint); sl@0: BN_CTX_free(bn_ctx); sl@0: #endif sl@0: EVP_MD_CTX_cleanup(&md_ctx); sl@0: return(-1); sl@0: } sl@0: sl@0: int ssl3_send_certificate_request(SSL *s) sl@0: { sl@0: unsigned char *p,*d; sl@0: int i,j,nl,off,n; sl@0: STACK_OF(X509_NAME) *sk=NULL; sl@0: X509_NAME *name; sl@0: BUF_MEM *buf; sl@0: sl@0: if (s->state == SSL3_ST_SW_CERT_REQ_A) sl@0: { sl@0: buf=s->init_buf; sl@0: sl@0: d=p=(unsigned char *)&(buf->data[4]); sl@0: sl@0: /* get the list of acceptable cert types */ sl@0: p++; sl@0: n=ssl3_get_req_cert_type(s,p); sl@0: d[0]=n; sl@0: p+=n; sl@0: n++; sl@0: sl@0: off=n; sl@0: p+=2; sl@0: n+=2; sl@0: sl@0: sk=SSL_get_client_CA_list(s); sl@0: nl=0; sl@0: if (sk != NULL) sl@0: { sl@0: for (i=0; idata[4+n]); sl@0: if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) sl@0: { sl@0: s2n(j,p); sl@0: i2d_X509_NAME(name,&p); sl@0: n+=2+j; sl@0: nl+=2+j; sl@0: } sl@0: else sl@0: { sl@0: d=p; sl@0: i2d_X509_NAME(name,&p); sl@0: j-=2; s2n(j,d); j+=2; sl@0: n+=j; sl@0: nl+=j; sl@0: } sl@0: } sl@0: } sl@0: /* else no CA names */ sl@0: p=(unsigned char *)&(buf->data[4+off]); sl@0: s2n(nl,p); sl@0: sl@0: d=(unsigned char *)buf->data; sl@0: *(d++)=SSL3_MT_CERTIFICATE_REQUEST; sl@0: l2n3(n,d); sl@0: sl@0: /* we should now have things packed up, so lets send sl@0: * it off */ sl@0: sl@0: s->init_num=n+4; sl@0: s->init_off=0; sl@0: #ifdef NETSCAPE_HANG_BUG sl@0: p=(unsigned char *)s->init_buf->data + s->init_num; sl@0: sl@0: /* do the header */ sl@0: *(p++)=SSL3_MT_SERVER_DONE; sl@0: *(p++)=0; sl@0: *(p++)=0; sl@0: *(p++)=0; sl@0: s->init_num += 4; sl@0: #endif sl@0: sl@0: s->state = SSL3_ST_SW_CERT_REQ_B; sl@0: } sl@0: sl@0: /* SSL3_ST_SW_CERT_REQ_B */ sl@0: return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); sl@0: err: sl@0: return(-1); sl@0: } sl@0: sl@0: int ssl3_get_client_key_exchange(SSL *s) sl@0: { sl@0: int i,al,ok; sl@0: long n; sl@0: unsigned long l; sl@0: unsigned char *p; sl@0: #ifndef OPENSSL_NO_RSA sl@0: RSA *rsa=NULL; sl@0: EVP_PKEY *pkey=NULL; sl@0: #endif sl@0: #ifndef OPENSSL_NO_DH sl@0: BIGNUM *pub=NULL; sl@0: DH *dh_srvr; sl@0: #endif sl@0: #ifndef OPENSSL_NO_KRB5 sl@0: KSSL_ERR kssl_err; sl@0: #endif /* OPENSSL_NO_KRB5 */ sl@0: sl@0: #ifndef OPENSSL_NO_ECDH sl@0: EC_KEY *srvr_ecdh = NULL; sl@0: EVP_PKEY *clnt_pub_pkey = NULL; sl@0: EC_POINT *clnt_ecpoint = NULL; sl@0: BN_CTX *bn_ctx = NULL; sl@0: #endif sl@0: sl@0: n=s->method->ssl_get_message(s, sl@0: SSL3_ST_SR_KEY_EXCH_A, sl@0: SSL3_ST_SR_KEY_EXCH_B, sl@0: SSL3_MT_CLIENT_KEY_EXCHANGE, sl@0: 2048, /* ??? */ sl@0: &ok); sl@0: sl@0: if (!ok) return((int)n); sl@0: p=(unsigned char *)s->init_msg; sl@0: sl@0: l=s->s3->tmp.new_cipher->algorithms; sl@0: sl@0: #ifndef OPENSSL_NO_RSA sl@0: if (l & SSL_kRSA) sl@0: { sl@0: /* FIX THIS UP EAY EAY EAY EAY */ sl@0: if (s->s3->tmp.use_rsa_tmp) sl@0: { sl@0: if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) sl@0: rsa=s->cert->rsa_tmp; sl@0: /* Don't do a callback because rsa_tmp should sl@0: * be sent already */ sl@0: if (rsa == NULL) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); sl@0: goto f_err; sl@0: sl@0: } sl@0: } sl@0: else sl@0: { sl@0: pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; sl@0: if ( (pkey == NULL) || sl@0: (pkey->type != EVP_PKEY_RSA) || sl@0: (pkey->pkey.rsa == NULL)) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); sl@0: goto f_err; sl@0: } sl@0: rsa=pkey->pkey.rsa; sl@0: } sl@0: sl@0: /* TLS and [incidentally] DTLS, including pre-0.9.8f */ sl@0: if (s->version > SSL3_VERSION && sl@0: s->client_version != DTLS1_BAD_VER) sl@0: { sl@0: n2s(p,i); sl@0: if (n != i+2) sl@0: { sl@0: if (!(s->options & SSL_OP_TLS_D5_BUG)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); sl@0: goto err; sl@0: } sl@0: else sl@0: p-=2; sl@0: } sl@0: else sl@0: n=i; sl@0: } sl@0: sl@0: i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); sl@0: sl@0: al = -1; sl@0: sl@0: if (i != SSL_MAX_MASTER_KEY_LENGTH) sl@0: { sl@0: al=SSL_AD_DECODE_ERROR; sl@0: /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ sl@0: } sl@0: sl@0: if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) sl@0: { sl@0: /* The premaster secret must contain the same version number as the sl@0: * ClientHello to detect version rollback attacks (strangely, the sl@0: * protocol does not offer such protection for DH ciphersuites). sl@0: * However, buggy clients exist that send the negotiated protocol sl@0: * version instead if the server does not support the requested sl@0: * protocol version. sl@0: * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ sl@0: if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && sl@0: (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) sl@0: { sl@0: al=SSL_AD_DECODE_ERROR; sl@0: /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ sl@0: sl@0: /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack sl@0: * (http://eprint.iacr.org/2003/052/) exploits the version sl@0: * number check as a "bad version oracle" -- an alert would sl@0: * reveal that the plaintext corresponding to some ciphertext sl@0: * made up by the adversary is properly formatted except sl@0: * that the version number is wrong. To avoid such attacks, sl@0: * we should treat this just like any other decryption error. */ sl@0: } sl@0: } sl@0: sl@0: if (al != -1) sl@0: { sl@0: /* Some decryption failure -- use random value instead as countermeasure sl@0: * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding sl@0: * (see RFC 2246, section 7.4.7.1). */ sl@0: ERR_clear_error(); sl@0: i = SSL_MAX_MASTER_KEY_LENGTH; sl@0: p[0] = s->client_version >> 8; sl@0: p[1] = s->client_version & 0xff; sl@0: if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ sl@0: goto err; sl@0: } sl@0: sl@0: s->session->master_key_length= sl@0: s->method->ssl3_enc->generate_master_secret(s, sl@0: s->session->master_key, sl@0: p,i); sl@0: OPENSSL_cleanse(p,i); sl@0: } sl@0: else sl@0: #endif sl@0: #ifndef OPENSSL_NO_DH sl@0: if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) sl@0: { sl@0: n2s(p,i); sl@0: if (n != i+2) sl@0: { sl@0: if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); sl@0: goto err; sl@0: } sl@0: else sl@0: { sl@0: p-=2; sl@0: i=(int)n; sl@0: } sl@0: } sl@0: sl@0: if (n == 0L) /* the parameters are in the cert */ sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); sl@0: goto f_err; sl@0: } sl@0: else sl@0: { sl@0: if (s->s3->tmp.dh == NULL) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); sl@0: goto f_err; sl@0: } sl@0: else sl@0: dh_srvr=s->s3->tmp.dh; sl@0: } sl@0: sl@0: pub=BN_bin2bn(p,i,NULL); sl@0: if (pub == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); sl@0: goto err; sl@0: } sl@0: sl@0: i=DH_compute_key(p,pub,dh_srvr); sl@0: sl@0: if (i <= 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); sl@0: goto err; sl@0: } sl@0: sl@0: DH_free(s->s3->tmp.dh); sl@0: s->s3->tmp.dh=NULL; sl@0: sl@0: BN_clear_free(pub); sl@0: pub=NULL; sl@0: s->session->master_key_length= sl@0: s->method->ssl3_enc->generate_master_secret(s, sl@0: s->session->master_key,p,i); sl@0: OPENSSL_cleanse(p,i); sl@0: } sl@0: else sl@0: #endif sl@0: #ifndef OPENSSL_NO_KRB5 sl@0: if (l & SSL_kKRB5) sl@0: { sl@0: krb5_error_code krb5rc; sl@0: krb5_data enc_ticket; sl@0: krb5_data authenticator; sl@0: krb5_data enc_pms; sl@0: KSSL_CTX *kssl_ctx = s->kssl_ctx; sl@0: EVP_CIPHER_CTX ciph_ctx; sl@0: EVP_CIPHER *enc = NULL; sl@0: unsigned char iv[EVP_MAX_IV_LENGTH]; sl@0: unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH sl@0: + EVP_MAX_BLOCK_LENGTH]; sl@0: int padl, outl; sl@0: krb5_timestamp authtime = 0; sl@0: krb5_ticket_times ttimes; sl@0: sl@0: EVP_CIPHER_CTX_init(&ciph_ctx); sl@0: sl@0: if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); sl@0: sl@0: n2s(p,i); sl@0: enc_ticket.length = i; sl@0: sl@0: if (n < (int)enc_ticket.length + 6) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DATA_LENGTH_TOO_LONG); sl@0: goto err; sl@0: } sl@0: sl@0: enc_ticket.data = (char *)p; sl@0: p+=enc_ticket.length; sl@0: sl@0: n2s(p,i); sl@0: authenticator.length = i; sl@0: sl@0: if (n < (int)(enc_ticket.length + authenticator.length) + 6) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DATA_LENGTH_TOO_LONG); sl@0: goto err; sl@0: } sl@0: sl@0: authenticator.data = (char *)p; sl@0: p+=authenticator.length; sl@0: sl@0: n2s(p,i); sl@0: enc_pms.length = i; sl@0: enc_pms.data = (char *)p; sl@0: p+=enc_pms.length; sl@0: sl@0: /* Note that the length is checked again below, sl@0: ** after decryption sl@0: */ sl@0: if(enc_pms.length > sizeof pms) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DATA_LENGTH_TOO_LONG); sl@0: goto err; sl@0: } sl@0: sl@0: if (n != (long)(enc_ticket.length + authenticator.length + sl@0: enc_pms.length + 6)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DATA_LENGTH_TOO_LONG); sl@0: goto err; sl@0: } sl@0: sl@0: if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, sl@0: &kssl_err)) != 0) sl@0: { sl@0: #ifdef KSSL_DEBUG sl@0: printf("kssl_sget_tkt rtn %d [%d]\n", sl@0: krb5rc, kssl_err.reason); sl@0: if (kssl_err.text) sl@0: printf("kssl_err text= %s\n", kssl_err.text); sl@0: #endif /* KSSL_DEBUG */ sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: kssl_err.reason); sl@0: goto err; sl@0: } sl@0: sl@0: /* Note: no authenticator is not considered an error, sl@0: ** but will return authtime == 0. sl@0: */ sl@0: if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, sl@0: &authtime, &kssl_err)) != 0) sl@0: { sl@0: #ifdef KSSL_DEBUG sl@0: printf("kssl_check_authent rtn %d [%d]\n", sl@0: krb5rc, kssl_err.reason); sl@0: if (kssl_err.text) sl@0: printf("kssl_err text= %s\n", kssl_err.text); sl@0: #endif /* KSSL_DEBUG */ sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: kssl_err.reason); sl@0: goto err; sl@0: } sl@0: sl@0: if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); sl@0: goto err; sl@0: } sl@0: sl@0: #ifdef KSSL_DEBUG sl@0: kssl_ctx_show(kssl_ctx); sl@0: #endif /* KSSL_DEBUG */ sl@0: sl@0: enc = kssl_map_enc(kssl_ctx->enctype); sl@0: if (enc == NULL) sl@0: goto err; sl@0: sl@0: memset(iv, 0, sizeof iv); /* per RFC 1510 */ sl@0: sl@0: if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DECRYPTION_FAILED); sl@0: goto err; sl@0: } sl@0: if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, sl@0: (unsigned char *)enc_pms.data, enc_pms.length)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DECRYPTION_FAILED); sl@0: goto err; sl@0: } sl@0: if (outl > SSL_MAX_MASTER_KEY_LENGTH) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DATA_LENGTH_TOO_LONG); sl@0: goto err; sl@0: } sl@0: if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DECRYPTION_FAILED); sl@0: goto err; sl@0: } sl@0: outl += padl; sl@0: if (outl > SSL_MAX_MASTER_KEY_LENGTH) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_DATA_LENGTH_TOO_LONG); sl@0: goto err; sl@0: } sl@0: if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) sl@0: { sl@0: /* The premaster secret must contain the same version number as the sl@0: * ClientHello to detect version rollback attacks (strangely, the sl@0: * protocol does not offer such protection for DH ciphersuites). sl@0: * However, buggy clients exist that send random bytes instead of sl@0: * the protocol version. sl@0: * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. sl@0: * (Perhaps we should have a separate BUG value for the Kerberos cipher) sl@0: */ sl@0: if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_AD_DECODE_ERROR); sl@0: goto err; sl@0: } sl@0: } sl@0: EVP_CIPHER_CTX_cleanup(&ciph_ctx); sl@0: sl@0: s->session->master_key_length= sl@0: s->method->ssl3_enc->generate_master_secret(s, sl@0: s->session->master_key, pms, outl); sl@0: sl@0: if (kssl_ctx->client_princ) sl@0: { sl@0: size_t len = strlen(kssl_ctx->client_princ); sl@0: if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) sl@0: { sl@0: s->session->krb5_client_princ_len = len; sl@0: memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); sl@0: } sl@0: } sl@0: sl@0: sl@0: /* Was doing kssl_ctx_free() here, sl@0: ** but it caused problems for apache. sl@0: ** kssl_ctx = kssl_ctx_free(kssl_ctx); sl@0: ** if (s->kssl_ctx) s->kssl_ctx = NULL; sl@0: */ sl@0: } sl@0: else sl@0: #endif /* OPENSSL_NO_KRB5 */ sl@0: sl@0: #ifndef OPENSSL_NO_ECDH sl@0: if ((l & SSL_kECDH) || (l & SSL_kECDHE)) sl@0: { sl@0: int ret = 1; sl@0: int field_size = 0; sl@0: const EC_KEY *tkey; sl@0: const EC_GROUP *group; sl@0: const BIGNUM *priv_key; sl@0: sl@0: /* initialize structures for server's ECDH key pair */ sl@0: if ((srvr_ecdh = EC_KEY_new()) == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_MALLOC_FAILURE); sl@0: goto err; sl@0: } sl@0: sl@0: /* Let's get server private key and group information */ sl@0: if (l & SSL_kECDH) sl@0: { sl@0: /* use the certificate */ sl@0: tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; sl@0: } sl@0: else sl@0: { sl@0: /* use the ephermeral values we saved when sl@0: * generating the ServerKeyExchange msg. sl@0: */ sl@0: tkey = s->s3->tmp.ecdh; sl@0: } sl@0: sl@0: group = EC_KEY_get0_group(tkey); sl@0: priv_key = EC_KEY_get0_private_key(tkey); sl@0: sl@0: if (!EC_KEY_set_group(srvr_ecdh, group) || sl@0: !EC_KEY_set_private_key(srvr_ecdh, priv_key)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_EC_LIB); sl@0: goto err; sl@0: } sl@0: sl@0: /* Let's get client's public key */ sl@0: if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_MALLOC_FAILURE); sl@0: goto err; sl@0: } sl@0: sl@0: if (n == 0L) sl@0: { sl@0: /* Client Publickey was in Client Certificate */ sl@0: sl@0: if (l & SSL_kECDHE) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); sl@0: goto f_err; sl@0: } sl@0: if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) sl@0: == NULL) || sl@0: (clnt_pub_pkey->type != EVP_PKEY_EC)) sl@0: { sl@0: /* XXX: For now, we do not support client sl@0: * authentication using ECDH certificates sl@0: * so this branch (n == 0L) of the code is sl@0: * never executed. When that support is sl@0: * added, we ought to ensure the key sl@0: * received in the certificate is sl@0: * authorized for key agreement. sl@0: * ECDH_compute_key implicitly checks that sl@0: * the two ECDH shares are for the same sl@0: * group. sl@0: */ sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); sl@0: goto f_err; sl@0: } sl@0: sl@0: if (EC_POINT_copy(clnt_ecpoint, sl@0: EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_EC_LIB); sl@0: goto err; sl@0: } sl@0: ret = 2; /* Skip certificate verify processing */ sl@0: } sl@0: else sl@0: { sl@0: /* Get client's public key from encoded point sl@0: * in the ClientKeyExchange message. sl@0: */ sl@0: if ((bn_ctx = BN_CTX_new()) == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_MALLOC_FAILURE); sl@0: goto err; sl@0: } sl@0: sl@0: /* Get encoded point length */ sl@0: i = *p; sl@0: p += 1; sl@0: if (EC_POINT_oct2point(group, sl@0: clnt_ecpoint, p, i, bn_ctx) == 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_EC_LIB); sl@0: goto err; sl@0: } sl@0: /* p is pointing to somewhere in the buffer sl@0: * currently, so set it to the start sl@0: */ sl@0: p=(unsigned char *)s->init_buf->data; sl@0: } sl@0: sl@0: /* Compute the shared pre-master secret */ sl@0: field_size = EC_GROUP_get_degree(group); sl@0: if (field_size <= 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_ECDH_LIB); sl@0: goto err; sl@0: } sl@0: i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); sl@0: if (i <= 0) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: ERR_R_ECDH_LIB); sl@0: goto err; sl@0: } sl@0: sl@0: EVP_PKEY_free(clnt_pub_pkey); sl@0: EC_POINT_free(clnt_ecpoint); sl@0: if (srvr_ecdh != NULL) sl@0: EC_KEY_free(srvr_ecdh); sl@0: BN_CTX_free(bn_ctx); sl@0: sl@0: /* Compute the master secret */ sl@0: s->session->master_key_length = s->method->ssl3_enc-> \ sl@0: generate_master_secret(s, s->session->master_key, p, i); sl@0: sl@0: OPENSSL_cleanse(p, i); sl@0: return (ret); sl@0: } sl@0: else sl@0: #endif sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, sl@0: SSL_R_UNKNOWN_CIPHER_TYPE); sl@0: goto f_err; sl@0: } sl@0: sl@0: return(1); sl@0: f_err: sl@0: ssl3_send_alert(s,SSL3_AL_FATAL,al); sl@0: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) sl@0: err: sl@0: #endif sl@0: #ifndef OPENSSL_NO_ECDH sl@0: EVP_PKEY_free(clnt_pub_pkey); sl@0: EC_POINT_free(clnt_ecpoint); sl@0: if (srvr_ecdh != NULL) sl@0: EC_KEY_free(srvr_ecdh); sl@0: BN_CTX_free(bn_ctx); sl@0: #endif sl@0: return(-1); sl@0: } sl@0: sl@0: int ssl3_get_cert_verify(SSL *s) sl@0: { sl@0: EVP_PKEY *pkey=NULL; sl@0: unsigned char *p; sl@0: int al,ok,ret=0; sl@0: long n; sl@0: int type=0,i,j; sl@0: X509 *peer; sl@0: sl@0: n=s->method->ssl_get_message(s, sl@0: SSL3_ST_SR_CERT_VRFY_A, sl@0: SSL3_ST_SR_CERT_VRFY_B, sl@0: -1, sl@0: 514, /* 514? */ sl@0: &ok); sl@0: sl@0: if (!ok) return((int)n); sl@0: sl@0: if (s->session->peer != NULL) sl@0: { sl@0: peer=s->session->peer; sl@0: pkey=X509_get_pubkey(peer); sl@0: type=X509_certificate_type(peer,pkey); sl@0: } sl@0: else sl@0: { sl@0: peer=NULL; sl@0: pkey=NULL; sl@0: } sl@0: sl@0: if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) sl@0: { sl@0: s->s3->tmp.reuse_message=1; sl@0: if ((peer != NULL) && (type | EVP_PKT_SIGN)) sl@0: { sl@0: al=SSL_AD_UNEXPECTED_MESSAGE; sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); sl@0: goto f_err; sl@0: } sl@0: ret=1; sl@0: goto end; sl@0: } sl@0: sl@0: if (peer == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); sl@0: al=SSL_AD_UNEXPECTED_MESSAGE; sl@0: goto f_err; sl@0: } sl@0: sl@0: if (!(type & EVP_PKT_SIGN)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); sl@0: al=SSL_AD_ILLEGAL_PARAMETER; sl@0: goto f_err; sl@0: } sl@0: sl@0: if (s->s3->change_cipher_spec) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); sl@0: al=SSL_AD_UNEXPECTED_MESSAGE; sl@0: goto f_err; sl@0: } sl@0: sl@0: /* we now have a signature that we need to verify */ sl@0: p=(unsigned char *)s->init_msg; sl@0: n2s(p,i); sl@0: n-=2; sl@0: if (i > n) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); sl@0: al=SSL_AD_DECODE_ERROR; sl@0: goto f_err; sl@0: } sl@0: sl@0: j=EVP_PKEY_size(pkey); sl@0: if ((i > j) || (n > j) || (n <= 0)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); sl@0: al=SSL_AD_DECODE_ERROR; sl@0: goto f_err; sl@0: } sl@0: sl@0: #ifndef OPENSSL_NO_RSA sl@0: if (pkey->type == EVP_PKEY_RSA) sl@0: { sl@0: i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, sl@0: MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, sl@0: pkey->pkey.rsa); sl@0: if (i < 0) sl@0: { sl@0: al=SSL_AD_DECRYPT_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); sl@0: goto f_err; sl@0: } sl@0: if (i == 0) sl@0: { sl@0: al=SSL_AD_DECRYPT_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); sl@0: goto f_err; sl@0: } sl@0: } sl@0: else sl@0: #endif sl@0: #ifndef OPENSSL_NO_DSA sl@0: if (pkey->type == EVP_PKEY_DSA) sl@0: { sl@0: j=DSA_verify(pkey->save_type, sl@0: &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), sl@0: SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); sl@0: if (j <= 0) sl@0: { sl@0: /* bad signature */ sl@0: al=SSL_AD_DECRYPT_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); sl@0: goto f_err; sl@0: } sl@0: } sl@0: else sl@0: #endif sl@0: #ifndef OPENSSL_NO_ECDSA sl@0: if (pkey->type == EVP_PKEY_EC) sl@0: { sl@0: j=ECDSA_verify(pkey->save_type, sl@0: &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), sl@0: SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); sl@0: if (j <= 0) sl@0: { sl@0: /* bad signature */ sl@0: al=SSL_AD_DECRYPT_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, sl@0: SSL_R_BAD_ECDSA_SIGNATURE); sl@0: goto f_err; sl@0: } sl@0: } sl@0: else sl@0: #endif sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); sl@0: al=SSL_AD_UNSUPPORTED_CERTIFICATE; sl@0: goto f_err; sl@0: } sl@0: sl@0: sl@0: ret=1; sl@0: if (0) sl@0: { sl@0: f_err: sl@0: ssl3_send_alert(s,SSL3_AL_FATAL,al); sl@0: } sl@0: end: sl@0: EVP_PKEY_free(pkey); sl@0: return(ret); sl@0: } sl@0: sl@0: int ssl3_get_client_certificate(SSL *s) sl@0: { sl@0: int i,ok,al,ret= -1; sl@0: X509 *x=NULL; sl@0: unsigned long l,nc,llen,n; sl@0: const unsigned char *p,*q; sl@0: unsigned char *d; sl@0: STACK_OF(X509) *sk=NULL; sl@0: sl@0: n=s->method->ssl_get_message(s, sl@0: SSL3_ST_SR_CERT_A, sl@0: SSL3_ST_SR_CERT_B, sl@0: -1, sl@0: s->max_cert_list, sl@0: &ok); sl@0: sl@0: if (!ok) return((int)n); sl@0: sl@0: if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) sl@0: { sl@0: if ( (s->verify_mode & SSL_VERIFY_PEER) && sl@0: (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: goto f_err; sl@0: } sl@0: /* If tls asked for a client cert, the client must return a 0 list */ sl@0: if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); sl@0: al=SSL_AD_UNEXPECTED_MESSAGE; sl@0: goto f_err; sl@0: } sl@0: s->s3->tmp.reuse_message=1; sl@0: return(1); sl@0: } sl@0: sl@0: if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) sl@0: { sl@0: al=SSL_AD_UNEXPECTED_MESSAGE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); sl@0: goto f_err; sl@0: } sl@0: p=d=(unsigned char *)s->init_msg; sl@0: sl@0: if ((sk=sk_X509_new_null()) == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); sl@0: goto err; sl@0: } sl@0: sl@0: n2l3(p,llen); sl@0: if (llen+3 != n) sl@0: { sl@0: al=SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: for (nc=0; nc llen) sl@0: { sl@0: al=SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: sl@0: q=p; sl@0: x=d2i_X509(NULL,&p,l); sl@0: if (x == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB); sl@0: goto err; sl@0: } sl@0: if (p != (q+l)) sl@0: { sl@0: al=SSL_AD_DECODE_ERROR; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); sl@0: goto f_err; sl@0: } sl@0: if (!sk_X509_push(sk,x)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); sl@0: goto err; sl@0: } sl@0: x=NULL; sl@0: nc+=l+3; sl@0: } sl@0: sl@0: if (sk_X509_num(sk) <= 0) sl@0: { sl@0: /* TLS does not mind 0 certs returned */ sl@0: if (s->version == SSL3_VERSION) sl@0: { sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED); sl@0: goto f_err; sl@0: } sl@0: /* Fail for TLS only if we required a certificate */ sl@0: else if ((s->verify_mode & SSL_VERIFY_PEER) && sl@0: (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); sl@0: al=SSL_AD_HANDSHAKE_FAILURE; sl@0: goto f_err; sl@0: } sl@0: } sl@0: else sl@0: { sl@0: i=ssl_verify_cert_chain(s,sk); sl@0: if (!i) sl@0: { sl@0: al=ssl_verify_alarm_type(s->verify_result); sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); sl@0: goto f_err; sl@0: } sl@0: } sl@0: sl@0: if (s->session->peer != NULL) /* This should not be needed */ sl@0: X509_free(s->session->peer); sl@0: s->session->peer=sk_X509_shift(sk); sl@0: s->session->verify_result = s->verify_result; sl@0: sl@0: /* With the current implementation, sess_cert will always be NULL sl@0: * when we arrive here. */ sl@0: if (s->session->sess_cert == NULL) sl@0: { sl@0: s->session->sess_cert = ssl_sess_cert_new(); sl@0: if (s->session->sess_cert == NULL) sl@0: { sl@0: SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); sl@0: goto err; sl@0: } sl@0: } sl@0: if (s->session->sess_cert->cert_chain != NULL) sl@0: sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); sl@0: s->session->sess_cert->cert_chain=sk; sl@0: /* Inconsistency alert: cert_chain does *not* include the sl@0: * peer's own certificate, while we do include it in s3_clnt.c */ sl@0: sl@0: sk=NULL; sl@0: sl@0: ret=1; sl@0: if (0) sl@0: { sl@0: f_err: sl@0: ssl3_send_alert(s,SSL3_AL_FATAL,al); sl@0: } sl@0: err: sl@0: if (x != NULL) X509_free(x); sl@0: if (sk != NULL) sk_X509_pop_free(sk,X509_free); sl@0: return(ret); sl@0: } sl@0: sl@0: int ssl3_send_server_certificate(SSL *s) sl@0: { sl@0: unsigned long l; sl@0: X509 *x; sl@0: sl@0: if (s->state == SSL3_ST_SW_CERT_A) sl@0: { sl@0: x=ssl_get_server_send_cert(s); sl@0: if (x == NULL && sl@0: /* VRS: allow null cert if auth == KRB5 */ sl@0: (s->s3->tmp.new_cipher->algorithms sl@0: & (SSL_MKEY_MASK|SSL_AUTH_MASK)) sl@0: != (SSL_aKRB5|SSL_kKRB5)) sl@0: { sl@0: SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); sl@0: return(0); sl@0: } sl@0: sl@0: l=ssl3_output_cert_chain(s,x); sl@0: s->state=SSL3_ST_SW_CERT_B; sl@0: s->init_num=(int)l; sl@0: s->init_off=0; sl@0: } sl@0: sl@0: /* SSL3_ST_SW_CERT_B */ sl@0: return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); sl@0: } sl@0: sl@0: sl@0: #ifndef OPENSSL_NO_ECDH sl@0: /* This is the complement of curve_id2nid in s3_clnt.c. */ sl@0: static int nid2curve_id(int nid) sl@0: { sl@0: /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) sl@0: * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ sl@0: switch (nid) { sl@0: case NID_sect163k1: /* sect163k1 (1) */ sl@0: return 1; sl@0: case NID_sect163r1: /* sect163r1 (2) */ sl@0: return 2; sl@0: case NID_sect163r2: /* sect163r2 (3) */ sl@0: return 3; sl@0: case NID_sect193r1: /* sect193r1 (4) */ sl@0: return 4; sl@0: case NID_sect193r2: /* sect193r2 (5) */ sl@0: return 5; sl@0: case NID_sect233k1: /* sect233k1 (6) */ sl@0: return 6; sl@0: case NID_sect233r1: /* sect233r1 (7) */ sl@0: return 7; sl@0: case NID_sect239k1: /* sect239k1 (8) */ sl@0: return 8; sl@0: case NID_sect283k1: /* sect283k1 (9) */ sl@0: return 9; sl@0: case NID_sect283r1: /* sect283r1 (10) */ sl@0: return 10; sl@0: case NID_sect409k1: /* sect409k1 (11) */ sl@0: return 11; sl@0: case NID_sect409r1: /* sect409r1 (12) */ sl@0: return 12; sl@0: case NID_sect571k1: /* sect571k1 (13) */ sl@0: return 13; sl@0: case NID_sect571r1: /* sect571r1 (14) */ sl@0: return 14; sl@0: case NID_secp160k1: /* secp160k1 (15) */ sl@0: return 15; sl@0: case NID_secp160r1: /* secp160r1 (16) */ sl@0: return 16; sl@0: case NID_secp160r2: /* secp160r2 (17) */ sl@0: return 17; sl@0: case NID_secp192k1: /* secp192k1 (18) */ sl@0: return 18; sl@0: case NID_X9_62_prime192v1: /* secp192r1 (19) */ sl@0: return 19; sl@0: case NID_secp224k1: /* secp224k1 (20) */ sl@0: return 20; sl@0: case NID_secp224r1: /* secp224r1 (21) */ sl@0: return 21; sl@0: case NID_secp256k1: /* secp256k1 (22) */ sl@0: return 22; sl@0: case NID_X9_62_prime256v1: /* secp256r1 (23) */ sl@0: return 23; sl@0: case NID_secp384r1: /* secp384r1 (24) */ sl@0: return 24; sl@0: case NID_secp521r1: /* secp521r1 (25) */ sl@0: return 25; sl@0: default: sl@0: return 0; sl@0: } sl@0: } sl@0: #endif