1 /* ssl/s3_srvr.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125 #define REUSE_CIPHER_BUG 126 #define NETSCAPE_HANG_BUG 127 128 #include <stdio.h> 129 #include "ssl_locl.h" 130 #include "kssl_lcl.h" 131 #include <openssl/buffer.h> 132 #include <openssl/rand.h> 133 #include <openssl/objects.h> 134 #include <openssl/evp.h> 135 #include <openssl/x509.h> 136 #ifndef OPENSSL_NO_DH 137 #include <openssl/dh.h> 138 #endif 139 #include <openssl/bn.h> 140 #ifndef OPENSSL_NO_KRB5 141 #include <openssl/krb5_asn.h> 142 #endif 143 #include <openssl/md5.h> 144 145 static SSL_METHOD *ssl3_get_server_method(int ver); 146 147 #ifndef OPENSSL_NO_ECDH 148 static int nid2curve_id(int nid); 149 #endif 150 151 static SSL_METHOD *ssl3_get_server_method(int ver) 152 { 153 if (ver == SSL3_VERSION) 154 return(SSLv3_server_method()); 155 else 156 return(NULL); 157 } 158 159 IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 160 ssl3_accept, 161 ssl_undefined_function, 162 ssl3_get_server_method) 163 164 int ssl3_accept(SSL *s) 165 { 166 BUF_MEM *buf; 167 unsigned long l,Time=time(NULL); 168 void (*cb)(const SSL *ssl,int type,int val)=NULL; 169 long num1; 170 int ret= -1; 171 int new_state,state,skip=0; 172 173 RAND_add(&Time,sizeof(Time),0); 174 ERR_clear_error(); 175 clear_sys_error(); 176 177 if (s->info_callback != NULL) 178 cb=s->info_callback; 179 else if (s->ctx->info_callback != NULL) 180 cb=s->ctx->info_callback; 181 182 /* init things to blank */ 183 s->in_handshake++; 184 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 185 186 if (s->cert == NULL) 187 { 188 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 189 return(-1); 190 } 191 192 for (;;) 193 { 194 state=s->state; 195 196 switch (s->state) 197 { 198 case SSL_ST_RENEGOTIATE: 199 s->new_session=1; 200 /* s->state=SSL_ST_ACCEPT; */ 201 202 case SSL_ST_BEFORE: 203 case SSL_ST_ACCEPT: 204 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 205 case SSL_ST_OK|SSL_ST_ACCEPT: 206 207 s->server=1; 208 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 209 210 if ((s->version>>8) != 3) 211 { 212 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 213 return -1; 214 } 215 s->type=SSL_ST_ACCEPT; 216 217 if (s->init_buf == NULL) 218 { 219 if ((buf=BUF_MEM_new()) == NULL) 220 { 221 ret= -1; 222 goto end; 223 } 224 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 225 { 226 ret= -1; 227 goto end; 228 } 229 s->init_buf=buf; 230 } 231 232 if (!ssl3_setup_buffers(s)) 233 { 234 ret= -1; 235 goto end; 236 } 237 238 s->init_num=0; 239 240 if (s->state != SSL_ST_RENEGOTIATE) 241 { 242 /* Ok, we now need to push on a buffering BIO so that 243 * the output is sent in a way that TCP likes :-) 244 */ 245 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 246 247 ssl3_init_finished_mac(s); 248 s->state=SSL3_ST_SR_CLNT_HELLO_A; 249 s->ctx->stats.sess_accept++; 250 } 251 else 252 { 253 /* s->state == SSL_ST_RENEGOTIATE, 254 * we will just send a HelloRequest */ 255 s->ctx->stats.sess_accept_renegotiate++; 256 s->state=SSL3_ST_SW_HELLO_REQ_A; 257 } 258 break; 259 260 case SSL3_ST_SW_HELLO_REQ_A: 261 case SSL3_ST_SW_HELLO_REQ_B: 262 263 s->shutdown=0; 264 ret=ssl3_send_hello_request(s); 265 if (ret <= 0) goto end; 266 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 267 s->state=SSL3_ST_SW_FLUSH; 268 s->init_num=0; 269 270 ssl3_init_finished_mac(s); 271 break; 272 273 case SSL3_ST_SW_HELLO_REQ_C: 274 s->state=SSL_ST_OK; 275 break; 276 277 case SSL3_ST_SR_CLNT_HELLO_A: 278 case SSL3_ST_SR_CLNT_HELLO_B: 279 case SSL3_ST_SR_CLNT_HELLO_C: 280 281 s->shutdown=0; 282 ret=ssl3_get_client_hello(s); 283 if (ret <= 0) goto end; 284 s->new_session = 2; 285 s->state=SSL3_ST_SW_SRVR_HELLO_A; 286 s->init_num=0; 287 break; 288 289 case SSL3_ST_SW_SRVR_HELLO_A: 290 case SSL3_ST_SW_SRVR_HELLO_B: 291 ret=ssl3_send_server_hello(s); 292 if (ret <= 0) goto end; 293 294 if (s->hit) 295 s->state=SSL3_ST_SW_CHANGE_A; 296 else 297 s->state=SSL3_ST_SW_CERT_A; 298 s->init_num=0; 299 break; 300 301 case SSL3_ST_SW_CERT_A: 302 case SSL3_ST_SW_CERT_B: 303 /* Check if it is anon DH or anon ECDH */ 304 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 305 { 306 ret=ssl3_send_server_certificate(s); 307 if (ret <= 0) goto end; 308 } 309 else 310 skip=1; 311 s->state=SSL3_ST_SW_KEY_EXCH_A; 312 s->init_num=0; 313 break; 314 315 case SSL3_ST_SW_KEY_EXCH_A: 316 case SSL3_ST_SW_KEY_EXCH_B: 317 l=s->s3->tmp.new_cipher->algorithms; 318 319 /* clear this, it may get reset by 320 * send_server_key_exchange */ 321 if ((s->options & SSL_OP_EPHEMERAL_RSA) 322 #ifndef OPENSSL_NO_KRB5 323 && !(l & SSL_KRB5) 324 #endif /* OPENSSL_NO_KRB5 */ 325 ) 326 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 327 * even when forbidden by protocol specs 328 * (handshake may fail as clients are not required to 329 * be able to handle this) */ 330 s->s3->tmp.use_rsa_tmp=1; 331 else 332 s->s3->tmp.use_rsa_tmp=0; 333 334 335 /* only send if a DH key exchange, fortezza or 336 * RSA but we have a sign only certificate 337 * 338 * For ECC ciphersuites, we send a serverKeyExchange 339 * message only if the cipher suite is either 340 * ECDH-anon or ECDHE. In other cases, the 341 * server certificate contains the server's 342 * public key for key exchange. 343 */ 344 if (s->s3->tmp.use_rsa_tmp 345 || (l & SSL_kECDHE) 346 || (l & (SSL_DH|SSL_kFZA)) 347 || ((l & SSL_kRSA) 348 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 349 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 350 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 351 ) 352 ) 353 ) 354 ) 355 { 356 ret=ssl3_send_server_key_exchange(s); 357 if (ret <= 0) goto end; 358 } 359 else 360 skip=1; 361 362 s->state=SSL3_ST_SW_CERT_REQ_A; 363 s->init_num=0; 364 break; 365 366 case SSL3_ST_SW_CERT_REQ_A: 367 case SSL3_ST_SW_CERT_REQ_B: 368 if (/* don't request cert unless asked for it: */ 369 !(s->verify_mode & SSL_VERIFY_PEER) || 370 /* if SSL_VERIFY_CLIENT_ONCE is set, 371 * don't request cert during re-negotiation: */ 372 ((s->session->peer != NULL) && 373 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 374 /* never request cert in anonymous ciphersuites 375 * (see section "Certificate request" in SSL 3 drafts 376 * and in RFC 2246): */ 377 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 378 /* ... except when the application insists on verification 379 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 380 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 381 /* never request cert in Kerberos ciphersuites */ 382 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 383 { 384 /* no cert request */ 385 skip=1; 386 s->s3->tmp.cert_request=0; 387 s->state=SSL3_ST_SW_SRVR_DONE_A; 388 } 389 else 390 { 391 s->s3->tmp.cert_request=1; 392 ret=ssl3_send_certificate_request(s); 393 if (ret <= 0) goto end; 394 #ifndef NETSCAPE_HANG_BUG 395 s->state=SSL3_ST_SW_SRVR_DONE_A; 396 #else 397 s->state=SSL3_ST_SW_FLUSH; 398 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 399 #endif 400 s->init_num=0; 401 } 402 break; 403 404 case SSL3_ST_SW_SRVR_DONE_A: 405 case SSL3_ST_SW_SRVR_DONE_B: 406 ret=ssl3_send_server_done(s); 407 if (ret <= 0) goto end; 408 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 409 s->state=SSL3_ST_SW_FLUSH; 410 s->init_num=0; 411 break; 412 413 case SSL3_ST_SW_FLUSH: 414 /* number of bytes to be flushed */ 415 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 416 if (num1 > 0) 417 { 418 s->rwstate=SSL_WRITING; 419 num1=BIO_flush(s->wbio); 420 if (num1 <= 0) { ret= -1; goto end; } 421 s->rwstate=SSL_NOTHING; 422 } 423 424 s->state=s->s3->tmp.next_state; 425 break; 426 427 case SSL3_ST_SR_CERT_A: 428 case SSL3_ST_SR_CERT_B: 429 /* Check for second client hello (MS SGC) */ 430 ret = ssl3_check_client_hello(s); 431 if (ret <= 0) 432 goto end; 433 if (ret == 2) 434 s->state = SSL3_ST_SR_CLNT_HELLO_C; 435 else { 436 if (s->s3->tmp.cert_request) 437 { 438 ret=ssl3_get_client_certificate(s); 439 if (ret <= 0) goto end; 440 } 441 s->init_num=0; 442 s->state=SSL3_ST_SR_KEY_EXCH_A; 443 } 444 break; 445 446 case SSL3_ST_SR_KEY_EXCH_A: 447 case SSL3_ST_SR_KEY_EXCH_B: 448 ret=ssl3_get_client_key_exchange(s); 449 if (ret <= 0) 450 goto end; 451 if (ret == 2) 452 { 453 /* For the ECDH ciphersuites when 454 * the client sends its ECDH pub key in 455 * a certificate, the CertificateVerify 456 * message is not sent. 457 */ 458 s->state=SSL3_ST_SR_FINISHED_A; 459 s->init_num = 0; 460 } 461 else 462 { 463 s->state=SSL3_ST_SR_CERT_VRFY_A; 464 s->init_num=0; 465 466 /* We need to get hashes here so if there is 467 * a client cert, it can be verified 468 */ 469 s->method->ssl3_enc->cert_verify_mac(s, 470 &(s->s3->finish_dgst1), 471 &(s->s3->tmp.cert_verify_md[0])); 472 s->method->ssl3_enc->cert_verify_mac(s, 473 &(s->s3->finish_dgst2), 474 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 475 } 476 break; 477 478 case SSL3_ST_SR_CERT_VRFY_A: 479 case SSL3_ST_SR_CERT_VRFY_B: 480 481 /* we should decide if we expected this one */ 482 ret=ssl3_get_cert_verify(s); 483 if (ret <= 0) goto end; 484 485 s->state=SSL3_ST_SR_FINISHED_A; 486 s->init_num=0; 487 break; 488 489 case SSL3_ST_SR_FINISHED_A: 490 case SSL3_ST_SR_FINISHED_B: 491 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 492 SSL3_ST_SR_FINISHED_B); 493 if (ret <= 0) goto end; 494 if (s->hit) 495 s->state=SSL_ST_OK; 496 else 497 s->state=SSL3_ST_SW_CHANGE_A; 498 s->init_num=0; 499 break; 500 501 case SSL3_ST_SW_CHANGE_A: 502 case SSL3_ST_SW_CHANGE_B: 503 504 s->session->cipher=s->s3->tmp.new_cipher; 505 if (!s->method->ssl3_enc->setup_key_block(s)) 506 { ret= -1; goto end; } 507 508 ret=ssl3_send_change_cipher_spec(s, 509 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 510 511 if (ret <= 0) goto end; 512 s->state=SSL3_ST_SW_FINISHED_A; 513 s->init_num=0; 514 515 if (!s->method->ssl3_enc->change_cipher_state(s, 516 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 517 { 518 ret= -1; 519 goto end; 520 } 521 522 break; 523 524 case SSL3_ST_SW_FINISHED_A: 525 case SSL3_ST_SW_FINISHED_B: 526 ret=ssl3_send_finished(s, 527 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 528 s->method->ssl3_enc->server_finished_label, 529 s->method->ssl3_enc->server_finished_label_len); 530 if (ret <= 0) goto end; 531 s->state=SSL3_ST_SW_FLUSH; 532 if (s->hit) 533 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 534 else 535 s->s3->tmp.next_state=SSL_ST_OK; 536 s->init_num=0; 537 break; 538 539 case SSL_ST_OK: 540 /* clean a few things up */ 541 ssl3_cleanup_key_block(s); 542 543 BUF_MEM_free(s->init_buf); 544 s->init_buf=NULL; 545 546 /* remove buffering on output */ 547 ssl_free_wbio_buffer(s); 548 549 s->init_num=0; 550 551 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 552 { 553 /* actually not necessarily a 'new' session unless 554 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 555 556 s->new_session=0; 557 558 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 559 560 s->ctx->stats.sess_accept_good++; 561 /* s->server=1; */ 562 s->handshake_func=ssl3_accept; 563 564 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 565 } 566 567 ret = 1; 568 goto end; 569 /* break; */ 570 571 default: 572 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 573 ret= -1; 574 goto end; 575 /* break; */ 576 } 577 578 if (!s->s3->tmp.reuse_message && !skip) 579 { 580 if (s->debug) 581 { 582 if ((ret=BIO_flush(s->wbio)) <= 0) 583 goto end; 584 } 585 586 587 if ((cb != NULL) && (s->state != state)) 588 { 589 new_state=s->state; 590 s->state=state; 591 cb(s,SSL_CB_ACCEPT_LOOP,1); 592 s->state=new_state; 593 } 594 } 595 skip=0; 596 } 597 end: 598 /* BIO_flush(s->wbio); */ 599 600 s->in_handshake--; 601 if (cb != NULL) 602 cb(s,SSL_CB_ACCEPT_EXIT,ret); 603 return(ret); 604 } 605 606 int ssl3_send_hello_request(SSL *s) 607 { 608 unsigned char *p; 609 610 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 611 { 612 p=(unsigned char *)s->init_buf->data; 613 *(p++)=SSL3_MT_HELLO_REQUEST; 614 *(p++)=0; 615 *(p++)=0; 616 *(p++)=0; 617 618 s->state=SSL3_ST_SW_HELLO_REQ_B; 619 /* number of bytes to write */ 620 s->init_num=4; 621 s->init_off=0; 622 } 623 624 /* SSL3_ST_SW_HELLO_REQ_B */ 625 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 626 } 627 628 int ssl3_check_client_hello(SSL *s) 629 { 630 int ok; 631 long n; 632 633 /* this function is called when we really expect a Certificate message, 634 * so permit appropriate message length */ 635 n=s->method->ssl_get_message(s, 636 SSL3_ST_SR_CERT_A, 637 SSL3_ST_SR_CERT_B, 638 -1, 639 s->max_cert_list, 640 &ok); 641 if (!ok) return((int)n); 642 s->s3->tmp.reuse_message = 1; 643 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 644 { 645 /* Throw away what we have done so far in the current handshake, 646 * which will now be aborted. (A full SSL_clear would be too much.) 647 * I hope that tmp.dh is the only thing that may need to be cleared 648 * when a handshake is not completed ... */ 649 #ifndef OPENSSL_NO_DH 650 if (s->s3->tmp.dh != NULL) 651 { 652 DH_free(s->s3->tmp.dh); 653 s->s3->tmp.dh = NULL; 654 } 655 #endif 656 return 2; 657 } 658 return 1; 659 } 660 661 int ssl3_get_client_hello(SSL *s) 662 { 663 int i,j,ok,al,ret= -1; 664 unsigned int cookie_len; 665 long n; 666 unsigned long id; 667 unsigned char *p,*d,*q; 668 SSL_CIPHER *c; 669 #ifndef OPENSSL_NO_COMP 670 SSL_COMP *comp=NULL; 671 #endif 672 STACK_OF(SSL_CIPHER) *ciphers=NULL; 673 674 /* We do this so that we will respond with our native type. 675 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 676 * This down switching should be handled by a different method. 677 * If we are SSLv3, we will respond with SSLv3, even if prompted with 678 * TLSv1. 679 */ 680 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 681 { 682 s->first_packet=1; 683 s->state=SSL3_ST_SR_CLNT_HELLO_B; 684 } 685 n=s->method->ssl_get_message(s, 686 SSL3_ST_SR_CLNT_HELLO_B, 687 SSL3_ST_SR_CLNT_HELLO_C, 688 SSL3_MT_CLIENT_HELLO, 689 SSL3_RT_MAX_PLAIN_LENGTH, 690 &ok); 691 692 if (!ok) return((int)n); 693 d=p=(unsigned char *)s->init_msg; 694 695 /* use version from inside client hello, not from record header 696 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 697 s->client_version=(((int)p[0])<<8)|(int)p[1]; 698 p+=2; 699 700 if (s->client_version < s->version) 701 { 702 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 703 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 704 { 705 /* similar to ssl3_get_record, send alert using remote version number */ 706 s->version = s->client_version; 707 } 708 al = SSL_AD_PROTOCOL_VERSION; 709 goto f_err; 710 } 711 712 /* load the client random */ 713 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 714 p+=SSL3_RANDOM_SIZE; 715 716 /* get the session-id */ 717 j= *(p++); 718 719 s->hit=0; 720 /* Versions before 0.9.7 always allow session reuse during renegotiation 721 * (i.e. when s->new_session is true), option 722 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. 723 * Maybe this optional behaviour should always have been the default, 724 * but we cannot safely change the default behaviour (or new applications 725 * might be written that become totally unsecure when compiled with 726 * an earlier library version) 727 */ 728 if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 729 { 730 if (!ssl_get_new_session(s,1)) 731 goto err; 732 } 733 else 734 { 735 i=ssl_get_prev_session(s,p,j); 736 if (i == 1) 737 { /* previous session */ 738 s->hit=1; 739 } 740 else if (i == -1) 741 goto err; 742 else /* i == 0 */ 743 { 744 if (!ssl_get_new_session(s,1)) 745 goto err; 746 } 747 } 748 749 p+=j; 750 751 if (SSL_version(s) == DTLS1_VERSION) 752 { 753 /* cookie stuff */ 754 cookie_len = *(p++); 755 756 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 757 s->d1->send_cookie == 0) 758 { 759 /* HelloVerifyMessage has already been sent */ 760 if ( cookie_len != s->d1->cookie_len) 761 { 762 al = SSL_AD_HANDSHAKE_FAILURE; 763 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 764 goto f_err; 765 } 766 } 767 768 /* 769 * The ClientHello may contain a cookie even if the 770 * HelloVerify message has not been sent--make sure that it 771 * does not cause an overflow. 772 */ 773 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 774 { 775 /* too much data */ 776 al = SSL_AD_DECODE_ERROR; 777 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 778 goto f_err; 779 } 780 781 /* verify the cookie if appropriate option is set. */ 782 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 783 cookie_len > 0) 784 { 785 memcpy(s->d1->rcvd_cookie, p, cookie_len); 786 787 if ( s->ctx->app_verify_cookie_cb != NULL) 788 { 789 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 790 cookie_len) == 0) 791 { 792 al=SSL_AD_HANDSHAKE_FAILURE; 793 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 794 SSL_R_COOKIE_MISMATCH); 795 goto f_err; 796 } 797 /* else cookie verification succeeded */ 798 } 799 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 800 s->d1->cookie_len) != 0) /* default verification */ 801 { 802 al=SSL_AD_HANDSHAKE_FAILURE; 803 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 804 SSL_R_COOKIE_MISMATCH); 805 goto f_err; 806 } 807 } 808 809 p += cookie_len; 810 } 811 812 n2s(p,i); 813 if ((i == 0) && (j != 0)) 814 { 815 /* we need a cipher if we are not resuming a session */ 816 al=SSL_AD_ILLEGAL_PARAMETER; 817 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 818 goto f_err; 819 } 820 if ((p+i) >= (d+n)) 821 { 822 /* not enough data */ 823 al=SSL_AD_DECODE_ERROR; 824 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 825 goto f_err; 826 } 827 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 828 == NULL)) 829 { 830 goto err; 831 } 832 p+=i; 833 834 /* If it is a hit, check that the cipher is in the list */ 835 if ((s->hit) && (i > 0)) 836 { 837 j=0; 838 id=s->session->cipher->id; 839 840 #ifdef CIPHER_DEBUG 841 printf("client sent %d ciphers\n",sk_num(ciphers)); 842 #endif 843 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 844 { 845 c=sk_SSL_CIPHER_value(ciphers,i); 846 #ifdef CIPHER_DEBUG 847 printf("client [%2d of %2d]:%s\n", 848 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 849 #endif 850 if (c->id == id) 851 { 852 j=1; 853 break; 854 } 855 } 856 if (j == 0) 857 { 858 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 859 { 860 /* Very bad for multi-threading.... */ 861 s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0); 862 } 863 else 864 { 865 /* we need to have the cipher in the cipher 866 * list if we are asked to reuse it */ 867 al=SSL_AD_ILLEGAL_PARAMETER; 868 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 869 goto f_err; 870 } 871 } 872 } 873 874 /* compression */ 875 i= *(p++); 876 if ((p+i) > (d+n)) 877 { 878 /* not enough data */ 879 al=SSL_AD_DECODE_ERROR; 880 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 881 goto f_err; 882 } 883 q=p; 884 for (j=0; j<i; j++) 885 { 886 if (p[j] == 0) break; 887 } 888 889 p+=i; 890 if (j >= i) 891 { 892 /* no compress */ 893 al=SSL_AD_DECODE_ERROR; 894 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 895 goto f_err; 896 } 897 898 /* Worst case, we will use the NULL compression, but if we have other 899 * options, we will now look for them. We have i-1 compression 900 * algorithms from the client, starting at q. */ 901 s->s3->tmp.new_compression=NULL; 902 #ifndef OPENSSL_NO_COMP 903 if (s->ctx->comp_methods != NULL) 904 { /* See if we have a match */ 905 int m,nn,o,v,done=0; 906 907 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 908 for (m=0; m<nn; m++) 909 { 910 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 911 v=comp->id; 912 for (o=0; o<i; o++) 913 { 914 if (v == q[o]) 915 { 916 done=1; 917 break; 918 } 919 } 920 if (done) break; 921 } 922 if (done) 923 s->s3->tmp.new_compression=comp; 924 else 925 comp=NULL; 926 } 927 #endif 928 929 /* TLS does not mind if there is extra stuff */ 930 #if 0 /* SSL 3.0 does not mind either, so we should disable this test 931 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, 932 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ 933 if (s->version == SSL3_VERSION) 934 { 935 if (p < (d+n)) 936 { 937 /* wrong number of bytes, 938 * there could be more to follow */ 939 al=SSL_AD_DECODE_ERROR; 940 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 941 goto f_err; 942 } 943 } 944 #endif 945 946 /* Given s->session->ciphers and SSL_get_ciphers, we must 947 * pick a cipher */ 948 949 if (!s->hit) 950 { 951 #ifdef OPENSSL_NO_COMP 952 s->session->compress_meth=0; 953 #else 954 s->session->compress_meth=(comp == NULL)?0:comp->id; 955 #endif 956 if (s->session->ciphers != NULL) 957 sk_SSL_CIPHER_free(s->session->ciphers); 958 s->session->ciphers=ciphers; 959 if (ciphers == NULL) 960 { 961 al=SSL_AD_ILLEGAL_PARAMETER; 962 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); 963 goto f_err; 964 } 965 ciphers=NULL; 966 c=ssl3_choose_cipher(s,s->session->ciphers, 967 SSL_get_ciphers(s)); 968 969 if (c == NULL) 970 { 971 al=SSL_AD_HANDSHAKE_FAILURE; 972 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 973 goto f_err; 974 } 975 s->s3->tmp.new_cipher=c; 976 } 977 else 978 { 979 /* Session-id reuse */ 980 #ifdef REUSE_CIPHER_BUG 981 STACK_OF(SSL_CIPHER) *sk; 982 SSL_CIPHER *nc=NULL; 983 SSL_CIPHER *ec=NULL; 984 985 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 986 { 987 sk=s->session->ciphers; 988 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 989 { 990 c=sk_SSL_CIPHER_value(sk,i); 991 if (c->algorithms & SSL_eNULL) 992 nc=c; 993 if (SSL_C_IS_EXPORT(c)) 994 ec=c; 995 } 996 if (nc != NULL) 997 s->s3->tmp.new_cipher=nc; 998 else if (ec != NULL) 999 s->s3->tmp.new_cipher=ec; 1000 else 1001 s->s3->tmp.new_cipher=s->session->cipher; 1002 } 1003 else 1004 #endif 1005 s->s3->tmp.new_cipher=s->session->cipher; 1006 } 1007 1008 /* we now have the following setup. 1009 * client_random 1010 * cipher_list - our prefered list of ciphers 1011 * ciphers - the clients prefered list of ciphers 1012 * compression - basically ignored right now 1013 * ssl version is set - sslv3 1014 * s->session - The ssl session has been setup. 1015 * s->hit - session reuse flag 1016 * s->tmp.new_cipher - the new cipher to use. 1017 */ 1018 1019 ret=1; 1020 if (0) 1021 { 1022 f_err: 1023 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1024 } 1025 err: 1026 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); 1027 return(ret); 1028 } 1029 1030 int ssl3_send_server_hello(SSL *s) 1031 { 1032 unsigned char *buf; 1033 unsigned char *p,*d; 1034 int i,sl; 1035 unsigned long l,Time; 1036 1037 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1038 { 1039 buf=(unsigned char *)s->init_buf->data; 1040 p=s->s3->server_random; 1041 Time=time(NULL); /* Time */ 1042 l2n(Time,p); 1043 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1044 return -1; 1045 /* Do the message type and length last */ 1046 d=p= &(buf[4]); 1047 1048 *(p++)=s->version>>8; 1049 *(p++)=s->version&0xff; 1050 1051 /* Random stuff */ 1052 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1053 p+=SSL3_RANDOM_SIZE; 1054 1055 /* now in theory we have 3 options to sending back the 1056 * session id. If it is a re-use, we send back the 1057 * old session-id, if it is a new session, we send 1058 * back the new session-id or we send back a 0 length 1059 * session-id if we want it to be single use. 1060 * Currently I will not implement the '0' length session-id 1061 * 12-Jan-98 - I'll now support the '0' length stuff. 1062 */ 1063 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) 1064 s->session->session_id_length=0; 1065 1066 sl=s->session->session_id_length; 1067 if (sl > (int)sizeof(s->session->session_id)) 1068 { 1069 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1070 return -1; 1071 } 1072 *(p++)=sl; 1073 memcpy(p,s->session->session_id,sl); 1074 p+=sl; 1075 1076 /* put the cipher */ 1077 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1078 p+=i; 1079 1080 /* put the compression method */ 1081 #ifdef OPENSSL_NO_COMP 1082 *(p++)=0; 1083 #else 1084 if (s->s3->tmp.new_compression == NULL) 1085 *(p++)=0; 1086 else 1087 *(p++)=s->s3->tmp.new_compression->id; 1088 #endif 1089 1090 /* do the header */ 1091 l=(p-d); 1092 d=buf; 1093 *(d++)=SSL3_MT_SERVER_HELLO; 1094 l2n3(l,d); 1095 1096 s->state=SSL3_ST_CW_CLNT_HELLO_B; 1097 /* number of bytes to write */ 1098 s->init_num=p-buf; 1099 s->init_off=0; 1100 } 1101 1102 /* SSL3_ST_CW_CLNT_HELLO_B */ 1103 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1104 } 1105 1106 int ssl3_send_server_done(SSL *s) 1107 { 1108 unsigned char *p; 1109 1110 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1111 { 1112 p=(unsigned char *)s->init_buf->data; 1113 1114 /* do the header */ 1115 *(p++)=SSL3_MT_SERVER_DONE; 1116 *(p++)=0; 1117 *(p++)=0; 1118 *(p++)=0; 1119 1120 s->state=SSL3_ST_SW_SRVR_DONE_B; 1121 /* number of bytes to write */ 1122 s->init_num=4; 1123 s->init_off=0; 1124 } 1125 1126 /* SSL3_ST_CW_CLNT_HELLO_B */ 1127 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1128 } 1129 1130 int ssl3_send_server_key_exchange(SSL *s) 1131 { 1132 #ifndef OPENSSL_NO_RSA 1133 unsigned char *q; 1134 int j,num; 1135 RSA *rsa; 1136 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1137 unsigned int u; 1138 #endif 1139 #ifndef OPENSSL_NO_DH 1140 DH *dh=NULL,*dhp; 1141 #endif 1142 #ifndef OPENSSL_NO_ECDH 1143 EC_KEY *ecdh=NULL, *ecdhp; 1144 unsigned char *encodedPoint = NULL; 1145 int encodedlen = 0; 1146 int curve_id = 0; 1147 BN_CTX *bn_ctx = NULL; 1148 #endif 1149 EVP_PKEY *pkey; 1150 unsigned char *p,*d; 1151 int al,i; 1152 unsigned long type; 1153 int n; 1154 CERT *cert; 1155 BIGNUM *r[4]; 1156 int nr[4],kn; 1157 BUF_MEM *buf; 1158 EVP_MD_CTX md_ctx; 1159 1160 EVP_MD_CTX_init(&md_ctx); 1161 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1162 { 1163 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1164 cert=s->cert; 1165 1166 buf=s->init_buf; 1167 1168 r[0]=r[1]=r[2]=r[3]=NULL; 1169 n=0; 1170 #ifndef OPENSSL_NO_RSA 1171 if (type & SSL_kRSA) 1172 { 1173 rsa=cert->rsa_tmp; 1174 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1175 { 1176 rsa=s->cert->rsa_tmp_cb(s, 1177 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1178 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1179 if(rsa == NULL) 1180 { 1181 al=SSL_AD_HANDSHAKE_FAILURE; 1182 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1183 goto f_err; 1184 } 1185 RSA_up_ref(rsa); 1186 cert->rsa_tmp=rsa; 1187 } 1188 if (rsa == NULL) 1189 { 1190 al=SSL_AD_HANDSHAKE_FAILURE; 1191 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 1192 goto f_err; 1193 } 1194 r[0]=rsa->n; 1195 r[1]=rsa->e; 1196 s->s3->tmp.use_rsa_tmp=1; 1197 } 1198 else 1199 #endif 1200 #ifndef OPENSSL_NO_DH 1201 if (type & SSL_kEDH) 1202 { 1203 dhp=cert->dh_tmp; 1204 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1205 dhp=s->cert->dh_tmp_cb(s, 1206 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1207 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1208 if (dhp == NULL) 1209 { 1210 al=SSL_AD_HANDSHAKE_FAILURE; 1211 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1212 goto f_err; 1213 } 1214 1215 if (s->s3->tmp.dh != NULL) 1216 { 1217 DH_free(dh); 1218 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1219 goto err; 1220 } 1221 1222 if ((dh=DHparams_dup(dhp)) == NULL) 1223 { 1224 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1225 goto err; 1226 } 1227 1228 s->s3->tmp.dh=dh; 1229 if ((dhp->pub_key == NULL || 1230 dhp->priv_key == NULL || 1231 (s->options & SSL_OP_SINGLE_DH_USE))) 1232 { 1233 if(!DH_generate_key(dh)) 1234 { 1235 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1236 ERR_R_DH_LIB); 1237 goto err; 1238 } 1239 } 1240 else 1241 { 1242 dh->pub_key=BN_dup(dhp->pub_key); 1243 dh->priv_key=BN_dup(dhp->priv_key); 1244 if ((dh->pub_key == NULL) || 1245 (dh->priv_key == NULL)) 1246 { 1247 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1248 goto err; 1249 } 1250 } 1251 r[0]=dh->p; 1252 r[1]=dh->g; 1253 r[2]=dh->pub_key; 1254 } 1255 else 1256 #endif 1257 #ifndef OPENSSL_NO_ECDH 1258 if (type & SSL_kECDHE) 1259 { 1260 const EC_GROUP *group; 1261 1262 ecdhp=cert->ecdh_tmp; 1263 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1264 { 1265 ecdhp=s->cert->ecdh_tmp_cb(s, 1266 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1267 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1268 } 1269 if (ecdhp == NULL) 1270 { 1271 al=SSL_AD_HANDSHAKE_FAILURE; 1272 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 1273 goto f_err; 1274 } 1275 1276 if (s->s3->tmp.ecdh != NULL) 1277 { 1278 EC_KEY_free(s->s3->tmp.ecdh); 1279 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1280 goto err; 1281 } 1282 1283 /* Duplicate the ECDH structure. */ 1284 if (ecdhp == NULL) 1285 { 1286 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1287 goto err; 1288 } 1289 if (!EC_KEY_up_ref(ecdhp)) 1290 { 1291 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1292 goto err; 1293 } 1294 ecdh = ecdhp; 1295 1296 s->s3->tmp.ecdh=ecdh; 1297 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1298 (EC_KEY_get0_private_key(ecdh) == NULL) || 1299 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1300 { 1301 if(!EC_KEY_generate_key(ecdh)) 1302 { 1303 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1304 goto err; 1305 } 1306 } 1307 1308 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1309 (EC_KEY_get0_public_key(ecdh) == NULL) || 1310 (EC_KEY_get0_private_key(ecdh) == NULL)) 1311 { 1312 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1313 goto err; 1314 } 1315 1316 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1317 (EC_GROUP_get_degree(group) > 163)) 1318 { 1319 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1320 goto err; 1321 } 1322 1323 /* XXX: For now, we only support ephemeral ECDH 1324 * keys over named (not generic) curves. For 1325 * supported named curves, curve_id is non-zero. 1326 */ 1327 if ((curve_id = 1328 nid2curve_id(EC_GROUP_get_curve_name(group))) 1329 == 0) 1330 { 1331 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1332 goto err; 1333 } 1334 1335 /* Encode the public key. 1336 * First check the size of encoding and 1337 * allocate memory accordingly. 1338 */ 1339 encodedlen = EC_POINT_point2oct(group, 1340 EC_KEY_get0_public_key(ecdh), 1341 POINT_CONVERSION_UNCOMPRESSED, 1342 NULL, 0, NULL); 1343 1344 encodedPoint = (unsigned char *) 1345 OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1346 bn_ctx = BN_CTX_new(); 1347 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1348 { 1349 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1350 goto err; 1351 } 1352 1353 1354 encodedlen = EC_POINT_point2oct(group, 1355 EC_KEY_get0_public_key(ecdh), 1356 POINT_CONVERSION_UNCOMPRESSED, 1357 encodedPoint, encodedlen, bn_ctx); 1358 1359 if (encodedlen == 0) 1360 { 1361 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1362 goto err; 1363 } 1364 1365 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1366 1367 /* XXX: For now, we only support named (not 1368 * generic) curves in ECDH ephemeral key exchanges. 1369 * In this situation, we need three additional bytes 1370 * to encode the entire ServerECDHParams 1371 * structure. 1372 */ 1373 n = 3 + encodedlen; 1374 1375 /* We'll generate the serverKeyExchange message 1376 * explicitly so we can set these to NULLs 1377 */ 1378 r[0]=NULL; 1379 r[1]=NULL; 1380 r[2]=NULL; 1381 } 1382 else 1383 #endif /* !OPENSSL_NO_ECDH */ 1384 { 1385 al=SSL_AD_HANDSHAKE_FAILURE; 1386 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1387 goto f_err; 1388 } 1389 for (i=0; r[i] != NULL; i++) 1390 { 1391 nr[i]=BN_num_bytes(r[i]); 1392 n+=2+nr[i]; 1393 } 1394 1395 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 1396 { 1397 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1398 == NULL) 1399 { 1400 al=SSL_AD_DECODE_ERROR; 1401 goto f_err; 1402 } 1403 kn=EVP_PKEY_size(pkey); 1404 } 1405 else 1406 { 1407 pkey=NULL; 1408 kn=0; 1409 } 1410 1411 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1412 { 1413 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 1414 goto err; 1415 } 1416 d=(unsigned char *)s->init_buf->data; 1417 p= &(d[4]); 1418 1419 for (i=0; r[i] != NULL; i++) 1420 { 1421 s2n(nr[i],p); 1422 BN_bn2bin(r[i],p); 1423 p+=nr[i]; 1424 } 1425 1426 #ifndef OPENSSL_NO_ECDH 1427 if (type & SSL_kECDHE) 1428 { 1429 /* XXX: For now, we only support named (not generic) curves. 1430 * In this situation, the serverKeyExchange message has: 1431 * [1 byte CurveType], [1 byte CurveName] 1432 * [1 byte length of encoded point], followed by 1433 * the actual encoded point itself 1434 */ 1435 *p = NAMED_CURVE_TYPE; 1436 p += 1; 1437 *p = curve_id; 1438 p += 1; 1439 *p = encodedlen; 1440 p += 1; 1441 memcpy((unsigned char*)p, 1442 (unsigned char *)encodedPoint, 1443 encodedlen); 1444 OPENSSL_free(encodedPoint); 1445 p += encodedlen; 1446 } 1447 #endif 1448 1449 /* not anonymous */ 1450 if (pkey != NULL) 1451 { 1452 /* n is the length of the params, they start at &(d[4]) 1453 * and p points to the space at the end. */ 1454 #ifndef OPENSSL_NO_RSA 1455 if (pkey->type == EVP_PKEY_RSA) 1456 { 1457 q=md_buf; 1458 j=0; 1459 for (num=2; num > 0; num--) 1460 { 1461 EVP_DigestInit_ex(&md_ctx,(num == 2) 1462 ?s->ctx->md5:s->ctx->sha1, NULL); 1463 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1464 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1465 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1466 EVP_DigestFinal_ex(&md_ctx,q, 1467 (unsigned int *)&i); 1468 q+=i; 1469 j+=i; 1470 } 1471 if (RSA_sign(NID_md5_sha1, md_buf, j, 1472 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1473 { 1474 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 1475 goto err; 1476 } 1477 s2n(u,p); 1478 n+=u+2; 1479 } 1480 else 1481 #endif 1482 #if !defined(OPENSSL_NO_DSA) 1483 if (pkey->type == EVP_PKEY_DSA) 1484 { 1485 /* lets do DSS */ 1486 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 1487 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1488 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1489 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1490 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1491 (unsigned int *)&i,pkey)) 1492 { 1493 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 1494 goto err; 1495 } 1496 s2n(i,p); 1497 n+=i+2; 1498 } 1499 else 1500 #endif 1501 #if !defined(OPENSSL_NO_ECDSA) 1502 if (pkey->type == EVP_PKEY_EC) 1503 { 1504 /* let's do ECDSA */ 1505 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1506 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1507 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1508 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1509 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1510 (unsigned int *)&i,pkey)) 1511 { 1512 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA); 1513 goto err; 1514 } 1515 s2n(i,p); 1516 n+=i+2; 1517 } 1518 else 1519 #endif 1520 { 1521 /* Is this error check actually needed? */ 1522 al=SSL_AD_HANDSHAKE_FAILURE; 1523 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1524 goto f_err; 1525 } 1526 } 1527 1528 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1529 l2n3(n,d); 1530 1531 /* we should now have things packed up, so lets send 1532 * it off */ 1533 s->init_num=n+4; 1534 s->init_off=0; 1535 } 1536 1537 s->state = SSL3_ST_SW_KEY_EXCH_B; 1538 EVP_MD_CTX_cleanup(&md_ctx); 1539 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1540 f_err: 1541 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1542 err: 1543 #ifndef OPENSSL_NO_ECDH 1544 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1545 BN_CTX_free(bn_ctx); 1546 #endif 1547 EVP_MD_CTX_cleanup(&md_ctx); 1548 return(-1); 1549 } 1550 1551 int ssl3_send_certificate_request(SSL *s) 1552 { 1553 unsigned char *p,*d; 1554 int i,j,nl,off,n; 1555 STACK_OF(X509_NAME) *sk=NULL; 1556 X509_NAME *name; 1557 BUF_MEM *buf; 1558 1559 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1560 { 1561 buf=s->init_buf; 1562 1563 d=p=(unsigned char *)&(buf->data[4]); 1564 1565 /* get the list of acceptable cert types */ 1566 p++; 1567 n=ssl3_get_req_cert_type(s,p); 1568 d[0]=n; 1569 p+=n; 1570 n++; 1571 1572 off=n; 1573 p+=2; 1574 n+=2; 1575 1576 sk=SSL_get_client_CA_list(s); 1577 nl=0; 1578 if (sk != NULL) 1579 { 1580 for (i=0; i<sk_X509_NAME_num(sk); i++) 1581 { 1582 name=sk_X509_NAME_value(sk,i); 1583 j=i2d_X509_NAME(name,NULL); 1584 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1585 { 1586 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1587 goto err; 1588 } 1589 p=(unsigned char *)&(buf->data[4+n]); 1590 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1591 { 1592 s2n(j,p); 1593 i2d_X509_NAME(name,&p); 1594 n+=2+j; 1595 nl+=2+j; 1596 } 1597 else 1598 { 1599 d=p; 1600 i2d_X509_NAME(name,&p); 1601 j-=2; s2n(j,d); j+=2; 1602 n+=j; 1603 nl+=j; 1604 } 1605 } 1606 } 1607 /* else no CA names */ 1608 p=(unsigned char *)&(buf->data[4+off]); 1609 s2n(nl,p); 1610 1611 d=(unsigned char *)buf->data; 1612 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1613 l2n3(n,d); 1614 1615 /* we should now have things packed up, so lets send 1616 * it off */ 1617 1618 s->init_num=n+4; 1619 s->init_off=0; 1620 #ifdef NETSCAPE_HANG_BUG 1621 p=(unsigned char *)s->init_buf->data + s->init_num; 1622 1623 /* do the header */ 1624 *(p++)=SSL3_MT_SERVER_DONE; 1625 *(p++)=0; 1626 *(p++)=0; 1627 *(p++)=0; 1628 s->init_num += 4; 1629 #endif 1630 1631 s->state = SSL3_ST_SW_CERT_REQ_B; 1632 } 1633 1634 /* SSL3_ST_SW_CERT_REQ_B */ 1635 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1636 err: 1637 return(-1); 1638 } 1639 1640 1641 #ifndef OPENSSL_NO_ECDH 1642 static const int KDF1_SHA1_len = 20; 1643 static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen) 1644 { 1645 #ifndef OPENSSL_NO_SHA 1646 if (*outlen < SHA_DIGEST_LENGTH) 1647 return NULL; 1648 else 1649 *outlen = SHA_DIGEST_LENGTH; 1650 return SHA1(in, inlen, out); 1651 #else 1652 return NULL; 1653 #endif /* OPENSSL_NO_SHA */ 1654 } 1655 #endif /* OPENSSL_NO_ECDH */ 1656 1657 int ssl3_get_client_key_exchange(SSL *s) 1658 { 1659 int i,al,ok; 1660 long n; 1661 unsigned long l; 1662 unsigned char *p; 1663 #ifndef OPENSSL_NO_RSA 1664 RSA *rsa=NULL; 1665 EVP_PKEY *pkey=NULL; 1666 #endif 1667 #ifndef OPENSSL_NO_DH 1668 BIGNUM *pub=NULL; 1669 DH *dh_srvr; 1670 #endif 1671 #ifndef OPENSSL_NO_KRB5 1672 KSSL_ERR kssl_err; 1673 #endif /* OPENSSL_NO_KRB5 */ 1674 1675 #ifndef OPENSSL_NO_ECDH 1676 EC_KEY *srvr_ecdh = NULL; 1677 EVP_PKEY *clnt_pub_pkey = NULL; 1678 EC_POINT *clnt_ecpoint = NULL; 1679 BN_CTX *bn_ctx = NULL; 1680 #endif 1681 1682 n=s->method->ssl_get_message(s, 1683 SSL3_ST_SR_KEY_EXCH_A, 1684 SSL3_ST_SR_KEY_EXCH_B, 1685 SSL3_MT_CLIENT_KEY_EXCHANGE, 1686 2048, /* ??? */ 1687 &ok); 1688 1689 if (!ok) return((int)n); 1690 p=(unsigned char *)s->init_msg; 1691 1692 l=s->s3->tmp.new_cipher->algorithms; 1693 1694 #ifndef OPENSSL_NO_RSA 1695 if (l & SSL_kRSA) 1696 { 1697 /* FIX THIS UP EAY EAY EAY EAY */ 1698 if (s->s3->tmp.use_rsa_tmp) 1699 { 1700 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 1701 rsa=s->cert->rsa_tmp; 1702 /* Don't do a callback because rsa_tmp should 1703 * be sent already */ 1704 if (rsa == NULL) 1705 { 1706 al=SSL_AD_HANDSHAKE_FAILURE; 1707 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); 1708 goto f_err; 1709 1710 } 1711 } 1712 else 1713 { 1714 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 1715 if ( (pkey == NULL) || 1716 (pkey->type != EVP_PKEY_RSA) || 1717 (pkey->pkey.rsa == NULL)) 1718 { 1719 al=SSL_AD_HANDSHAKE_FAILURE; 1720 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); 1721 goto f_err; 1722 } 1723 rsa=pkey->pkey.rsa; 1724 } 1725 1726 /* TLS */ 1727 if (s->version > SSL3_VERSION) 1728 { 1729 n2s(p,i); 1730 if (n != i+2) 1731 { 1732 if (!(s->options & SSL_OP_TLS_D5_BUG)) 1733 { 1734 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 1735 goto err; 1736 } 1737 else 1738 p-=2; 1739 } 1740 else 1741 n=i; 1742 } 1743 1744 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 1745 1746 al = -1; 1747 1748 if (i != SSL_MAX_MASTER_KEY_LENGTH) 1749 { 1750 al=SSL_AD_DECODE_ERROR; 1751 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 1752 } 1753 1754 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 1755 { 1756 /* The premaster secret must contain the same version number as the 1757 * ClientHello to detect version rollback attacks (strangely, the 1758 * protocol does not offer such protection for DH ciphersuites). 1759 * However, buggy clients exist that send the negotiated protocol 1760 * version instead if the server does not support the requested 1761 * protocol version. 1762 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 1763 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 1764 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 1765 { 1766 al=SSL_AD_DECODE_ERROR; 1767 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 1768 1769 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 1770 * (http://eprint.iacr.org/2003/052/) exploits the version 1771 * number check as a "bad version oracle" -- an alert would 1772 * reveal that the plaintext corresponding to some ciphertext 1773 * made up by the adversary is properly formatted except 1774 * that the version number is wrong. To avoid such attacks, 1775 * we should treat this just like any other decryption error. */ 1776 } 1777 } 1778 1779 if (al != -1) 1780 { 1781 /* Some decryption failure -- use random value instead as countermeasure 1782 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 1783 * (see RFC 2246, section 7.4.7.1). */ 1784 ERR_clear_error(); 1785 i = SSL_MAX_MASTER_KEY_LENGTH; 1786 p[0] = s->client_version >> 8; 1787 p[1] = s->client_version & 0xff; 1788 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 1789 goto err; 1790 } 1791 1792 s->session->master_key_length= 1793 s->method->ssl3_enc->generate_master_secret(s, 1794 s->session->master_key, 1795 p,i); 1796 OPENSSL_cleanse(p,i); 1797 } 1798 else 1799 #endif 1800 #ifndef OPENSSL_NO_DH 1801 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1802 { 1803 n2s(p,i); 1804 if (n != i+2) 1805 { 1806 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) 1807 { 1808 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 1809 goto err; 1810 } 1811 else 1812 { 1813 p-=2; 1814 i=(int)n; 1815 } 1816 } 1817 1818 if (n == 0L) /* the parameters are in the cert */ 1819 { 1820 al=SSL_AD_HANDSHAKE_FAILURE; 1821 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 1822 goto f_err; 1823 } 1824 else 1825 { 1826 if (s->s3->tmp.dh == NULL) 1827 { 1828 al=SSL_AD_HANDSHAKE_FAILURE; 1829 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1830 goto f_err; 1831 } 1832 else 1833 dh_srvr=s->s3->tmp.dh; 1834 } 1835 1836 pub=BN_bin2bn(p,i,NULL); 1837 if (pub == NULL) 1838 { 1839 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); 1840 goto err; 1841 } 1842 1843 i=DH_compute_key(p,pub,dh_srvr); 1844 1845 if (i <= 0) 1846 { 1847 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1848 goto err; 1849 } 1850 1851 DH_free(s->s3->tmp.dh); 1852 s->s3->tmp.dh=NULL; 1853 1854 BN_clear_free(pub); 1855 pub=NULL; 1856 s->session->master_key_length= 1857 s->method->ssl3_enc->generate_master_secret(s, 1858 s->session->master_key,p,i); 1859 OPENSSL_cleanse(p,i); 1860 } 1861 else 1862 #endif 1863 #ifndef OPENSSL_NO_KRB5 1864 if (l & SSL_kKRB5) 1865 { 1866 krb5_error_code krb5rc; 1867 krb5_data enc_ticket; 1868 krb5_data authenticator; 1869 krb5_data enc_pms; 1870 KSSL_CTX *kssl_ctx = s->kssl_ctx; 1871 EVP_CIPHER_CTX ciph_ctx; 1872 EVP_CIPHER *enc = NULL; 1873 unsigned char iv[EVP_MAX_IV_LENGTH]; 1874 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 1875 + EVP_MAX_BLOCK_LENGTH]; 1876 int padl, outl; 1877 krb5_timestamp authtime = 0; 1878 krb5_ticket_times ttimes; 1879 1880 EVP_CIPHER_CTX_init(&ciph_ctx); 1881 1882 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 1883 1884 n2s(p,i); 1885 enc_ticket.length = i; 1886 1887 if (n < (int)enc_ticket.length + 6) 1888 { 1889 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1890 SSL_R_DATA_LENGTH_TOO_LONG); 1891 goto err; 1892 } 1893 1894 enc_ticket.data = (char *)p; 1895 p+=enc_ticket.length; 1896 1897 n2s(p,i); 1898 authenticator.length = i; 1899 1900 if (n < (int)(enc_ticket.length + authenticator.length) + 6) 1901 { 1902 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1903 SSL_R_DATA_LENGTH_TOO_LONG); 1904 goto err; 1905 } 1906 1907 authenticator.data = (char *)p; 1908 p+=authenticator.length; 1909 1910 n2s(p,i); 1911 enc_pms.length = i; 1912 enc_pms.data = (char *)p; 1913 p+=enc_pms.length; 1914 1915 /* Note that the length is checked again below, 1916 ** after decryption 1917 */ 1918 if(enc_pms.length > sizeof pms) 1919 { 1920 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1921 SSL_R_DATA_LENGTH_TOO_LONG); 1922 goto err; 1923 } 1924 1925 if (n != (long)(enc_ticket.length + authenticator.length + 1926 enc_pms.length + 6)) 1927 { 1928 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1929 SSL_R_DATA_LENGTH_TOO_LONG); 1930 goto err; 1931 } 1932 1933 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 1934 &kssl_err)) != 0) 1935 { 1936 #ifdef KSSL_DEBUG 1937 printf("kssl_sget_tkt rtn %d [%d]\n", 1938 krb5rc, kssl_err.reason); 1939 if (kssl_err.text) 1940 printf("kssl_err text= %s\n", kssl_err.text); 1941 #endif /* KSSL_DEBUG */ 1942 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1943 kssl_err.reason); 1944 goto err; 1945 } 1946 1947 /* Note: no authenticator is not considered an error, 1948 ** but will return authtime == 0. 1949 */ 1950 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 1951 &authtime, &kssl_err)) != 0) 1952 { 1953 #ifdef KSSL_DEBUG 1954 printf("kssl_check_authent rtn %d [%d]\n", 1955 krb5rc, kssl_err.reason); 1956 if (kssl_err.text) 1957 printf("kssl_err text= %s\n", kssl_err.text); 1958 #endif /* KSSL_DEBUG */ 1959 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1960 kssl_err.reason); 1961 goto err; 1962 } 1963 1964 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 1965 { 1966 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 1967 goto err; 1968 } 1969 1970 #ifdef KSSL_DEBUG 1971 kssl_ctx_show(kssl_ctx); 1972 #endif /* KSSL_DEBUG */ 1973 1974 enc = kssl_map_enc(kssl_ctx->enctype); 1975 if (enc == NULL) 1976 goto err; 1977 1978 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 1979 1980 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 1981 { 1982 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1983 SSL_R_DECRYPTION_FAILED); 1984 goto err; 1985 } 1986 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 1987 (unsigned char *)enc_pms.data, enc_pms.length)) 1988 { 1989 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1990 SSL_R_DECRYPTION_FAILED); 1991 goto err; 1992 } 1993 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 1994 { 1995 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1996 SSL_R_DATA_LENGTH_TOO_LONG); 1997 goto err; 1998 } 1999 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2000 { 2001 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2002 SSL_R_DECRYPTION_FAILED); 2003 goto err; 2004 } 2005 outl += padl; 2006 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2007 { 2008 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2009 SSL_R_DATA_LENGTH_TOO_LONG); 2010 goto err; 2011 } 2012 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2013 2014 s->session->master_key_length= 2015 s->method->ssl3_enc->generate_master_secret(s, 2016 s->session->master_key, pms, outl); 2017 2018 if (kssl_ctx->client_princ) 2019 { 2020 size_t len = strlen(kssl_ctx->client_princ); 2021 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2022 { 2023 s->session->krb5_client_princ_len = len; 2024 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2025 } 2026 } 2027 2028 2029 /* Was doing kssl_ctx_free() here, 2030 ** but it caused problems for apache. 2031 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2032 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2033 */ 2034 } 2035 else 2036 #endif /* OPENSSL_NO_KRB5 */ 2037 2038 #ifndef OPENSSL_NO_ECDH 2039 if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2040 { 2041 int ret = 1; 2042 int field_size = 0; 2043 const EC_KEY *tkey; 2044 const EC_GROUP *group; 2045 const BIGNUM *priv_key; 2046 2047 /* initialize structures for server's ECDH key pair */ 2048 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2049 { 2050 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2051 ERR_R_MALLOC_FAILURE); 2052 goto err; 2053 } 2054 2055 /* Let's get server private key and group information */ 2056 if (l & SSL_kECDH) 2057 { 2058 /* use the certificate */ 2059 tkey = s->cert->key->privatekey->pkey.ec; 2060 } 2061 else 2062 { 2063 /* use the ephermeral values we saved when 2064 * generating the ServerKeyExchange msg. 2065 */ 2066 tkey = s->s3->tmp.ecdh; 2067 } 2068 2069 group = EC_KEY_get0_group(tkey); 2070 priv_key = EC_KEY_get0_private_key(tkey); 2071 2072 if (!EC_KEY_set_group(srvr_ecdh, group) || 2073 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2074 { 2075 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2076 ERR_R_EC_LIB); 2077 goto err; 2078 } 2079 2080 /* Let's get client's public key */ 2081 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2082 { 2083 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2084 ERR_R_MALLOC_FAILURE); 2085 goto err; 2086 } 2087 2088 if (n == 0L) 2089 { 2090 /* Client Publickey was in Client Certificate */ 2091 2092 if (l & SSL_kECDHE) 2093 { 2094 al=SSL_AD_HANDSHAKE_FAILURE; 2095 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2096 goto f_err; 2097 } 2098 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2099 == NULL) || 2100 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2101 { 2102 /* XXX: For now, we do not support client 2103 * authentication using ECDH certificates 2104 * so this branch (n == 0L) of the code is 2105 * never executed. When that support is 2106 * added, we ought to ensure the key 2107 * received in the certificate is 2108 * authorized for key agreement. 2109 * ECDH_compute_key implicitly checks that 2110 * the two ECDH shares are for the same 2111 * group. 2112 */ 2113 al=SSL_AD_HANDSHAKE_FAILURE; 2114 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2115 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2116 goto f_err; 2117 } 2118 2119 EC_POINT_copy(clnt_ecpoint, 2120 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)); 2121 ret = 2; /* Skip certificate verify processing */ 2122 } 2123 else 2124 { 2125 /* Get client's public key from encoded point 2126 * in the ClientKeyExchange message. 2127 */ 2128 if ((bn_ctx = BN_CTX_new()) == NULL) 2129 { 2130 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2131 ERR_R_MALLOC_FAILURE); 2132 goto err; 2133 } 2134 2135 /* Get encoded point length */ 2136 i = *p; 2137 p += 1; 2138 if (EC_POINT_oct2point(group, 2139 clnt_ecpoint, p, i, bn_ctx) == 0) 2140 { 2141 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2142 ERR_R_EC_LIB); 2143 goto err; 2144 } 2145 /* p is pointing to somewhere in the buffer 2146 * currently, so set it to the start 2147 */ 2148 p=(unsigned char *)s->init_buf->data; 2149 } 2150 2151 /* Compute the shared pre-master secret */ 2152 field_size = EC_GROUP_get_degree(group); 2153 if (field_size <= 0) 2154 { 2155 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2156 ERR_R_ECDH_LIB); 2157 goto err; 2158 } 2159 /* If field size is not more than 24 octets, then use SHA-1 hash of result; 2160 * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt; 2161 * this is new with this version of the Internet Draft). 2162 */ 2163 if (field_size <= 24 * 8) 2164 i = ECDH_compute_key(p, KDF1_SHA1_len, clnt_ecpoint, srvr_ecdh, KDF1_SHA1); 2165 else 2166 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2167 if (i <= 0) 2168 { 2169 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2170 ERR_R_ECDH_LIB); 2171 goto err; 2172 } 2173 2174 EVP_PKEY_free(clnt_pub_pkey); 2175 EC_POINT_free(clnt_ecpoint); 2176 if (srvr_ecdh != NULL) 2177 EC_KEY_free(srvr_ecdh); 2178 BN_CTX_free(bn_ctx); 2179 2180 /* Compute the master secret */ 2181 s->session->master_key_length = s->method->ssl3_enc-> \ 2182 generate_master_secret(s, s->session->master_key, p, i); 2183 2184 OPENSSL_cleanse(p, i); 2185 return (ret); 2186 } 2187 else 2188 #endif 2189 { 2190 al=SSL_AD_HANDSHAKE_FAILURE; 2191 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2192 SSL_R_UNKNOWN_CIPHER_TYPE); 2193 goto f_err; 2194 } 2195 2196 return(1); 2197 f_err: 2198 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2199 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) 2200 err: 2201 #endif 2202 #ifndef OPENSSL_NO_ECDH 2203 EVP_PKEY_free(clnt_pub_pkey); 2204 EC_POINT_free(clnt_ecpoint); 2205 if (srvr_ecdh != NULL) 2206 EC_KEY_free(srvr_ecdh); 2207 BN_CTX_free(bn_ctx); 2208 #endif 2209 return(-1); 2210 } 2211 2212 int ssl3_get_cert_verify(SSL *s) 2213 { 2214 EVP_PKEY *pkey=NULL; 2215 unsigned char *p; 2216 int al,ok,ret=0; 2217 long n; 2218 int type=0,i,j; 2219 X509 *peer; 2220 2221 n=s->method->ssl_get_message(s, 2222 SSL3_ST_SR_CERT_VRFY_A, 2223 SSL3_ST_SR_CERT_VRFY_B, 2224 -1, 2225 514, /* 514? */ 2226 &ok); 2227 2228 if (!ok) return((int)n); 2229 2230 if (s->session->peer != NULL) 2231 { 2232 peer=s->session->peer; 2233 pkey=X509_get_pubkey(peer); 2234 type=X509_certificate_type(peer,pkey); 2235 } 2236 else 2237 { 2238 peer=NULL; 2239 pkey=NULL; 2240 } 2241 2242 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2243 { 2244 s->s3->tmp.reuse_message=1; 2245 if ((peer != NULL) && (type | EVP_PKT_SIGN)) 2246 { 2247 al=SSL_AD_UNEXPECTED_MESSAGE; 2248 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 2249 goto f_err; 2250 } 2251 ret=1; 2252 goto end; 2253 } 2254 2255 if (peer == NULL) 2256 { 2257 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2258 al=SSL_AD_UNEXPECTED_MESSAGE; 2259 goto f_err; 2260 } 2261 2262 if (!(type & EVP_PKT_SIGN)) 2263 { 2264 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2265 al=SSL_AD_ILLEGAL_PARAMETER; 2266 goto f_err; 2267 } 2268 2269 if (s->s3->change_cipher_spec) 2270 { 2271 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2272 al=SSL_AD_UNEXPECTED_MESSAGE; 2273 goto f_err; 2274 } 2275 2276 /* we now have a signature that we need to verify */ 2277 p=(unsigned char *)s->init_msg; 2278 n2s(p,i); 2279 n-=2; 2280 if (i > n) 2281 { 2282 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2283 al=SSL_AD_DECODE_ERROR; 2284 goto f_err; 2285 } 2286 2287 j=EVP_PKEY_size(pkey); 2288 if ((i > j) || (n > j) || (n <= 0)) 2289 { 2290 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); 2291 al=SSL_AD_DECODE_ERROR; 2292 goto f_err; 2293 } 2294 2295 #ifndef OPENSSL_NO_RSA 2296 if (pkey->type == EVP_PKEY_RSA) 2297 { 2298 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2299 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2300 pkey->pkey.rsa); 2301 if (i < 0) 2302 { 2303 al=SSL_AD_DECRYPT_ERROR; 2304 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); 2305 goto f_err; 2306 } 2307 if (i == 0) 2308 { 2309 al=SSL_AD_DECRYPT_ERROR; 2310 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); 2311 goto f_err; 2312 } 2313 } 2314 else 2315 #endif 2316 #ifndef OPENSSL_NO_DSA 2317 if (pkey->type == EVP_PKEY_DSA) 2318 { 2319 j=DSA_verify(pkey->save_type, 2320 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2321 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2322 if (j <= 0) 2323 { 2324 /* bad signature */ 2325 al=SSL_AD_DECRYPT_ERROR; 2326 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2327 goto f_err; 2328 } 2329 } 2330 else 2331 #endif 2332 #ifndef OPENSSL_NO_ECDSA 2333 if (pkey->type == EVP_PKEY_EC) 2334 { 2335 j=ECDSA_verify(pkey->save_type, 2336 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2337 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2338 if (j <= 0) 2339 { 2340 /* bad signature */ 2341 al=SSL_AD_DECRYPT_ERROR; 2342 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2343 SSL_R_BAD_ECDSA_SIGNATURE); 2344 goto f_err; 2345 } 2346 } 2347 else 2348 #endif 2349 { 2350 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2351 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2352 goto f_err; 2353 } 2354 2355 2356 ret=1; 2357 if (0) 2358 { 2359 f_err: 2360 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2361 } 2362 end: 2363 EVP_PKEY_free(pkey); 2364 return(ret); 2365 } 2366 2367 int ssl3_get_client_certificate(SSL *s) 2368 { 2369 int i,ok,al,ret= -1; 2370 X509 *x=NULL; 2371 unsigned long l,nc,llen,n; 2372 const unsigned char *p,*q; 2373 unsigned char *d; 2374 STACK_OF(X509) *sk=NULL; 2375 2376 n=s->method->ssl_get_message(s, 2377 SSL3_ST_SR_CERT_A, 2378 SSL3_ST_SR_CERT_B, 2379 -1, 2380 s->max_cert_list, 2381 &ok); 2382 2383 if (!ok) return((int)n); 2384 2385 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2386 { 2387 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2388 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2389 { 2390 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2391 al=SSL_AD_HANDSHAKE_FAILURE; 2392 goto f_err; 2393 } 2394 /* If tls asked for a client cert, the client must return a 0 list */ 2395 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2396 { 2397 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2398 al=SSL_AD_UNEXPECTED_MESSAGE; 2399 goto f_err; 2400 } 2401 s->s3->tmp.reuse_message=1; 2402 return(1); 2403 } 2404 2405 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2406 { 2407 al=SSL_AD_UNEXPECTED_MESSAGE; 2408 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 2409 goto f_err; 2410 } 2411 p=d=(unsigned char *)s->init_msg; 2412 2413 if ((sk=sk_X509_new_null()) == NULL) 2414 { 2415 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2416 goto err; 2417 } 2418 2419 n2l3(p,llen); 2420 if (llen+3 != n) 2421 { 2422 al=SSL_AD_DECODE_ERROR; 2423 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 2424 goto f_err; 2425 } 2426 for (nc=0; nc<llen; ) 2427 { 2428 n2l3(p,l); 2429 if ((l+nc+3) > llen) 2430 { 2431 al=SSL_AD_DECODE_ERROR; 2432 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2433 goto f_err; 2434 } 2435 2436 q=p; 2437 x=d2i_X509(NULL,&p,l); 2438 if (x == NULL) 2439 { 2440 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB); 2441 goto err; 2442 } 2443 if (p != (q+l)) 2444 { 2445 al=SSL_AD_DECODE_ERROR; 2446 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 2447 goto f_err; 2448 } 2449 if (!sk_X509_push(sk,x)) 2450 { 2451 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 2452 goto err; 2453 } 2454 x=NULL; 2455 nc+=l+3; 2456 } 2457 2458 if (sk_X509_num(sk) <= 0) 2459 { 2460 /* TLS does not mind 0 certs returned */ 2461 if (s->version == SSL3_VERSION) 2462 { 2463 al=SSL_AD_HANDSHAKE_FAILURE; 2464 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED); 2465 goto f_err; 2466 } 2467 /* Fail for TLS only if we required a certificate */ 2468 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2469 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2470 { 2471 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2472 al=SSL_AD_HANDSHAKE_FAILURE; 2473 goto f_err; 2474 } 2475 } 2476 else 2477 { 2478 i=ssl_verify_cert_chain(s,sk); 2479 if (!i) 2480 { 2481 al=ssl_verify_alarm_type(s->verify_result); 2482 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); 2483 goto f_err; 2484 } 2485 } 2486 2487 if (s->session->peer != NULL) /* This should not be needed */ 2488 X509_free(s->session->peer); 2489 s->session->peer=sk_X509_shift(sk); 2490 s->session->verify_result = s->verify_result; 2491 2492 /* With the current implementation, sess_cert will always be NULL 2493 * when we arrive here. */ 2494 if (s->session->sess_cert == NULL) 2495 { 2496 s->session->sess_cert = ssl_sess_cert_new(); 2497 if (s->session->sess_cert == NULL) 2498 { 2499 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 2500 goto err; 2501 } 2502 } 2503 if (s->session->sess_cert->cert_chain != NULL) 2504 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 2505 s->session->sess_cert->cert_chain=sk; 2506 /* Inconsistency alert: cert_chain does *not* include the 2507 * peer's own certificate, while we do include it in s3_clnt.c */ 2508 2509 sk=NULL; 2510 2511 ret=1; 2512 if (0) 2513 { 2514 f_err: 2515 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2516 } 2517 err: 2518 if (x != NULL) X509_free(x); 2519 if (sk != NULL) sk_X509_pop_free(sk,X509_free); 2520 return(ret); 2521 } 2522 2523 int ssl3_send_server_certificate(SSL *s) 2524 { 2525 unsigned long l; 2526 X509 *x; 2527 2528 if (s->state == SSL3_ST_SW_CERT_A) 2529 { 2530 x=ssl_get_server_send_cert(s); 2531 if (x == NULL && 2532 /* VRS: allow null cert if auth == KRB5 */ 2533 (s->s3->tmp.new_cipher->algorithms 2534 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 2535 != (SSL_aKRB5|SSL_kKRB5)) 2536 { 2537 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 2538 return(0); 2539 } 2540 2541 l=ssl3_output_cert_chain(s,x); 2542 s->state=SSL3_ST_SW_CERT_B; 2543 s->init_num=(int)l; 2544 s->init_off=0; 2545 } 2546 2547 /* SSL3_ST_SW_CERT_B */ 2548 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2549 } 2550 2551 2552 #ifndef OPENSSL_NO_ECDH 2553 /* This is the complement of curve_id2nid in s3_clnt.c. */ 2554 static int nid2curve_id(int nid) 2555 { 2556 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) 2557 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ 2558 switch (nid) { 2559 case NID_sect163k1: /* sect163k1 (1) */ 2560 return 1; 2561 case NID_sect163r1: /* sect163r1 (2) */ 2562 return 2; 2563 case NID_sect163r2: /* sect163r2 (3) */ 2564 return 3; 2565 case NID_sect193r1: /* sect193r1 (4) */ 2566 return 4; 2567 case NID_sect193r2: /* sect193r2 (5) */ 2568 return 5; 2569 case NID_sect233k1: /* sect233k1 (6) */ 2570 return 6; 2571 case NID_sect233r1: /* sect233r1 (7) */ 2572 return 7; 2573 case NID_sect239k1: /* sect239k1 (8) */ 2574 return 8; 2575 case NID_sect283k1: /* sect283k1 (9) */ 2576 return 9; 2577 case NID_sect283r1: /* sect283r1 (10) */ 2578 return 10; 2579 case NID_sect409k1: /* sect409k1 (11) */ 2580 return 11; 2581 case NID_sect409r1: /* sect409r1 (12) */ 2582 return 12; 2583 case NID_sect571k1: /* sect571k1 (13) */ 2584 return 13; 2585 case NID_sect571r1: /* sect571r1 (14) */ 2586 return 14; 2587 case NID_secp160k1: /* secp160k1 (15) */ 2588 return 15; 2589 case NID_secp160r1: /* secp160r1 (16) */ 2590 return 16; 2591 case NID_secp160r2: /* secp160r2 (17) */ 2592 return 17; 2593 case NID_secp192k1: /* secp192k1 (18) */ 2594 return 18; 2595 case NID_X9_62_prime192v1: /* secp192r1 (19) */ 2596 return 19; 2597 case NID_secp224k1: /* secp224k1 (20) */ 2598 return 20; 2599 case NID_secp224r1: /* secp224r1 (21) */ 2600 return 21; 2601 case NID_secp256k1: /* secp256k1 (22) */ 2602 return 22; 2603 case NID_X9_62_prime256v1: /* secp256r1 (23) */ 2604 return 23; 2605 case NID_secp384r1: /* secp384r1 (24) */ 2606 return 24; 2607 case NID_secp521r1: /* secp521r1 (25) */ 2608 return 25; 2609 default: 2610 return 0; 2611 } 2612 } 2613 #endif 2614