]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/s3_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove ssl_put_cipher_by_char
[thirdparty/openssl.git] / ssl / s3_srvr.c
CommitLineData
cbb92dfa 1/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
d02b48c6
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
d02b48c6
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
d02b48c6
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
d02b48c6
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
d02b48c6
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
d02b48c6
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
8e2f6b79 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
8e2f6b79
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
8e2f6b79
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ea262260
BM		 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
0f113f3e 114 * Portions of the attached software ("Contribution") are developed by
ea262260
BM		 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
ea262260
BM		 120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
ddac1974
NL		 124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
d02b48c6 150
de469ef2 151
d02b48c6 152#include <stdio.h>
7b63c0fa 153#include "ssl_locl.h"
68570797 154#include "internal/constant_time_locl.h"
ec577822
BM		 155#include <openssl/buffer.h>
156#include <openssl/rand.h>
157#include <openssl/objects.h>
158#include <openssl/evp.h>
6434abbf 159#include <openssl/hmac.h>
ec577822 160#include <openssl/x509.h>
3eeaab4b 161#ifndef OPENSSL_NO_DH
0f113f3e 162# include <openssl/dh.h>
3eeaab4b 163#endif
d095b68d 164#include <openssl/bn.h>
dbad1690 165#include <openssl/md5.h>
f9b3bff6 166
d45ba43d
MC		 167static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
168 int num, STACK_OF(SSL_CIPHER) **skp, int sslv2format);
169
d02b48c6 170
edc032b5 171#ifndef OPENSSL_NO_SRP
71fa4513 172static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
0f113f3e
MC		 173{
174 int ret = SSL_ERROR_NONE;
175
176 *al = SSL_AD_UNRECOGNIZED_NAME;
177
178 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
179 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
180 if (s->srp_ctx.login == NULL) {
181 /*
182 * RFC 5054 says SHOULD reject, we do so if There is no srp
183 * login name
184 */
185 ret = SSL3_AL_FATAL;
186 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
187 } else {
188 ret = SSL_srp_server_param_with_username(s, al);
189 }
190 }
191 return ret;
192}
edc032b5
BL		 193#endif
194
6b691a5c 195int ssl3_accept(SSL *s)
0f113f3e
MC		 196{
197 BUF_MEM *buf;
198 unsigned long alg_k, Time = (unsigned long)time(NULL);
199 void (*cb) (const SSL *ssl, int type, int val) = NULL;
200 int ret = -1;
201 int new_state, state, skip = 0;
202
203 RAND_add(&Time, sizeof(Time), 0);
204 ERR_clear_error();
205 clear_sys_error();
206
207 if (s->info_callback != NULL)
208 cb = s->info_callback;
209 else if (s->ctx->info_callback != NULL)
210 cb = s->ctx->info_callback;
211
212 /* init things to blank */
213 s->in_handshake++;
69f68237 214 if (!SSL_in_init(s) || SSL_in_before(s)) {
61986d32 215 if (!SSL_clear(s))
69f68237
MC		 216 return -1;
217 }
0f113f3e 218
4817504d 219#ifndef OPENSSL_NO_HEARTBEATS
0f113f3e
MC		 220 /*
221 * If we're awaiting a HeartbeatResponse, pretend we already got and
222 * don't await it anymore, because Heartbeats don't make sense during
223 * handshakes anyway.
224 */
225 if (s->tlsext_hb_pending) {
226 s->tlsext_hb_pending = 0;
227 s->tlsext_hb_seq++;
228 }
4817504d
DSH		 229#endif
230
0f113f3e
MC		 231 for (;;) {
232 state = s->state;
233
234 switch (s->state) {
235 case SSL_ST_RENEGOTIATE:
236 s->renegotiate = 1;
237 /* s->state=SSL_ST_ACCEPT; */
238
239 case SSL_ST_BEFORE:
240 case SSL_ST_ACCEPT:
241 case SSL_ST_BEFORE | SSL_ST_ACCEPT:
242 case SSL_ST_OK | SSL_ST_ACCEPT:
243
244 s->server = 1;
245 if (cb != NULL)
246 cb(s, SSL_CB_HANDSHAKE_START, 1);
247
32ec4153 248 if ((s->version >> 8 != 3) && s->version != TLS_ANY_VERSION) {
0f113f3e 249 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
cf9b0b6f 250 s->state = SSL_ST_ERR;
0f113f3e
MC		 251 return -1;
252 }
253
254 if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
255 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_VERSION_TOO_LOW);
256 return -1;
257 }
258
259 s->type = SSL_ST_ACCEPT;
260
261 if (s->init_buf == NULL) {
262 if ((buf = BUF_MEM_new()) == NULL) {
263 ret = -1;
cf9b0b6f 264 s->state = SSL_ST_ERR;
0f113f3e
MC		 265 goto end;
266 }
267 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
268 BUF_MEM_free(buf);
269 ret = -1;
cf9b0b6f 270 s->state = SSL_ST_ERR;
0f113f3e
MC		 271 goto end;
272 }
273 s->init_buf = buf;
274 }
275
276 if (!ssl3_setup_buffers(s)) {
277 ret = -1;
cf9b0b6f 278 s->state = SSL_ST_ERR;
0f113f3e
MC		 279 goto end;
280 }
281
282 s->init_num = 0;
283 s->s3->flags &= ~TLS1_FLAGS_SKIP_CERT_VERIFY;
0f113f3e
MC		 284 /*
285 * Should have been reset by ssl3_get_finished, too.
286 */
287 s->s3->change_cipher_spec = 0;
288
289 if (s->state != SSL_ST_RENEGOTIATE) {
290 /*
291 * Ok, we now need to push on a buffering BIO so that the
292 * output is sent in a way that TCP likes :-)
293 */
294 if (!ssl_init_wbio_buffer(s, 1)) {
295 ret = -1;
cf9b0b6f 296 s->state = SSL_ST_ERR;
0f113f3e
MC		 297 goto end;
298 }
299
300 ssl3_init_finished_mac(s);
301 s->state = SSL3_ST_SR_CLNT_HELLO_A;
302 s->ctx->stats.sess_accept++;
303 } else if (!s->s3->send_connection_binding &&
304 !(s->options &
305 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
306 /*
307 * Server attempting to renegotiate with client that doesn't
308 * support secure renegotiation.
309 */
310 SSLerr(SSL_F_SSL3_ACCEPT,
311 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
312 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
313 ret = -1;
cf9b0b6f 314 s->state = SSL_ST_ERR;
0f113f3e
MC		 315 goto end;
316 } else {
317 /*
318 * s->state == SSL_ST_RENEGOTIATE, we will just send a
319 * HelloRequest
320 */
321 s->ctx->stats.sess_accept_renegotiate++;
322 s->state = SSL3_ST_SW_HELLO_REQ_A;
323 }
324 break;
325
326 case SSL3_ST_SW_HELLO_REQ_A:
327 case SSL3_ST_SW_HELLO_REQ_B:
328
329 s->shutdown = 0;
330 ret = ssl3_send_hello_request(s);
331 if (ret <= 0)
332 goto end;
333 s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
334 s->state = SSL3_ST_SW_FLUSH;
335 s->init_num = 0;
336
337 ssl3_init_finished_mac(s);
338 break;
339
340 case SSL3_ST_SW_HELLO_REQ_C:
341 s->state = SSL_ST_OK;
342 break;
343
344 case SSL3_ST_SR_CLNT_HELLO_A:
345 case SSL3_ST_SR_CLNT_HELLO_B:
346 case SSL3_ST_SR_CLNT_HELLO_C:
347
348 ret = ssl3_get_client_hello(s);
349 if (ret <= 0)
350 goto end;
edc032b5 351#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 352 s->state = SSL3_ST_SR_CLNT_HELLO_D;
353 case SSL3_ST_SR_CLNT_HELLO_D:
354 {
355 int al;
356 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
357 /*
358 * callback indicates firther work to be done
359 */
360 s->rwstate = SSL_X509_LOOKUP;
361 goto end;
362 }
363 if (ret != SSL_ERROR_NONE) {
364 ssl3_send_alert(s, SSL3_AL_FATAL, al);
365 /*
366 * This is not really an error but the only means to for
367 * a client to detect whether srp is supported.
368 */
369 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
370 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
371 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
372 ret = -1;
cf9b0b6f 373 s->state = SSL_ST_ERR;
0f113f3e
MC		 374 goto end;
375 }
376 }
377#endif
378
379 s->renegotiate = 2;
380 s->state = SSL3_ST_SW_SRVR_HELLO_A;
381 s->init_num = 0;
382 break;
383
384 case SSL3_ST_SW_SRVR_HELLO_A:
385 case SSL3_ST_SW_SRVR_HELLO_B:
386 ret = ssl3_send_server_hello(s);
387 if (ret <= 0)
388 goto end;
e481f9b9 389
0f113f3e
MC		 390 if (s->hit) {
391 if (s->tlsext_ticket_expected)
392 s->state = SSL3_ST_SW_SESSION_TICKET_A;
393 else
394 s->state = SSL3_ST_SW_CHANGE_A;
e481f9b9 395 } else {
0f113f3e 396 s->state = SSL3_ST_SW_CERT_A;
e481f9b9 397 }
0f113f3e
MC		 398 s->init_num = 0;
399 break;
400
401 case SSL3_ST_SW_CERT_A:
402 case SSL3_ST_SW_CERT_B:
403 /* Check if it is anon DH or anon ECDH, */
55a9a16f 404 /* normal PSK or SRP */
85269210
DSH		 405 if (!(s->s3->tmp.new_cipher->algorithm_auth &
406 (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
0f113f3e
MC		 407 ret = ssl3_send_server_certificate(s);
408 if (ret <= 0)
409 goto end;
e481f9b9 410
0f113f3e
MC		 411 if (s->tlsext_status_expected)
412 s->state = SSL3_ST_SW_CERT_STATUS_A;
413 else
414 s->state = SSL3_ST_SW_KEY_EXCH_A;
415 } else {
416 skip = 1;
417 s->state = SSL3_ST_SW_KEY_EXCH_A;
418 }
0f113f3e
MC		 419 s->init_num = 0;
420 break;
421
422 case SSL3_ST_SW_KEY_EXCH_A:
423 case SSL3_ST_SW_KEY_EXCH_B:
424 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
425
426 /*
427 * clear this, it may get reset by
428 * send_server_key_exchange
429 */
430 s->s3->tmp.use_rsa_tmp = 0;
431
432 /*
433 * only send if a DH key exchange, fortezza or RSA but we have a
434 * sign only certificate PSK: may send PSK identity hints For
435 * ECC ciphersuites, we send a serverKeyExchange message only if
436 * the cipher suite is either ECDH-anon or ECDHE. In other cases,
437 * the server certificate contains the server's public key for
438 * key exchange.
439 */
440 if (0
441 /*
442 * PSK: send ServerKeyExchange if PSK identity hint if
443 * provided
444 */
ddac1974 445#ifndef OPENSSL_NO_PSK
85269210 446 /* Only send SKE if we have identity hint for plain PSK */
df6da24b 447 || ((alg_k & (SSL_kPSK | SSL_kRSAPSK)) && s->cert->psk_identity_hint)
85269210
DSH		 448 /* For other PSK always send SKE */
449 || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
edc032b5
BL		 450#endif
451#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 452 /* SRP: send ServerKeyExchange */
453 || (alg_k & SSL_kSRP)
ddac1974 454#endif
0f113f3e
MC		 455 || (alg_k & SSL_kDHE)
456 || (alg_k & SSL_kECDHE)
457 || ((alg_k & SSL_kRSA)
458 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
459 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
739a5eee 460 && EVP_PKEY_size(s->cert->pkeys
0f113f3e
MC		 461 [SSL_PKEY_RSA_ENC].privatekey) *
462 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
463 )
464 )
465 )
466 ) {
467 ret = ssl3_send_server_key_exchange(s);
468 if (ret <= 0)
469 goto end;
470 } else
471 skip = 1;
472
473 s->state = SSL3_ST_SW_CERT_REQ_A;
474 s->init_num = 0;
475 break;
476
477 case SSL3_ST_SW_CERT_REQ_A:
478 case SSL3_ST_SW_CERT_REQ_B:
479 if ( /* don't request cert unless asked for it: */
480 !(s->verify_mode & SSL_VERIFY_PEER) ||
481 /*
482 * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
483 * during re-negotiation:
484 */
485 ((s->session->peer != NULL) &&
486 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
487 /*
488 * never request cert in anonymous ciphersuites (see
489 * section "Certificate request" in SSL 3 drafts and in
490 * RFC 2246):
491 */
492 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
0f113f3e 493 /*
55a9a16f
MC		 494 * ... except when the application insists on
495 * verification (against the specs, but s3_clnt.c accepts
496 * this for SSL 3)
0f113f3e 497 */
55a9a16f 498 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
0f113f3e
MC		 499 /* don't request certificate for SRP auth */
500 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
501 /*
502 * With normal PSK Certificates and Certificate Requests
503 * are omitted
504 */
a3f7ff2b 505 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
0f113f3e
MC		 506 /* no cert request */
507 skip = 1;
508 s->s3->tmp.cert_request = 0;
509 s->state = SSL3_ST_SW_SRVR_DONE_A;
124037fd
DSH		 510 if (!ssl3_digest_cached_records(s, 0)) {
511 s->state = SSL_ST_ERR;
512 return -1;
cf9b0b6f 513 }
0f113f3e
MC		 514 } else {
515 s->s3->tmp.cert_request = 1;
516 ret = ssl3_send_certificate_request(s);
517 if (ret <= 0)
518 goto end;
0f113f3e 519 s->state = SSL3_ST_SW_SRVR_DONE_A;
0f113f3e
MC		 520 s->init_num = 0;
521 }
522 break;
523
524 case SSL3_ST_SW_SRVR_DONE_A:
525 case SSL3_ST_SW_SRVR_DONE_B:
526 ret = ssl3_send_server_done(s);
527 if (ret <= 0)
528 goto end;
529 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
530 s->state = SSL3_ST_SW_FLUSH;
531 s->init_num = 0;
532 break;
533
534 case SSL3_ST_SW_FLUSH:
535
536 /*
537 * This code originally checked to see if any data was pending
538 * using BIO_CTRL_INFO and then flushed. This caused problems as
539 * documented in PR#1939. The proposed fix doesn't completely
540 * resolve this issue as buggy implementations of
541 * BIO_CTRL_PENDING still exist. So instead we just flush
542 * unconditionally.
543 */
544
545 s->rwstate = SSL_WRITING;
546 if (BIO_flush(s->wbio) <= 0) {
547 ret = -1;
548 goto end;
549 }
550 s->rwstate = SSL_NOTHING;
551
552 s->state = s->s3->tmp.next_state;
553 break;
554
555 case SSL3_ST_SR_CERT_A:
556 case SSL3_ST_SR_CERT_B:
557 if (s->s3->tmp.cert_request) {
558 ret = ssl3_get_client_certificate(s);
559 if (ret <= 0)
560 goto end;
561 }
562 s->init_num = 0;
563 s->state = SSL3_ST_SR_KEY_EXCH_A;
564 break;
565
566 case SSL3_ST_SR_KEY_EXCH_A:
567 case SSL3_ST_SR_KEY_EXCH_B:
568 ret = ssl3_get_client_key_exchange(s);
569 if (ret <= 0)
570 goto end;
571 if (ret == 2) {
572 /*
573 * For the ECDH ciphersuites when the client sends its ECDH
574 * pub key in a certificate, the CertificateVerify message is
575 * not sent. Also for GOST ciphersuites when the client uses
576 * its key from the certificate for key exchange.
577 */
657da85e 578 s->state = SSL3_ST_SR_CHANGE_A;
0f113f3e
MC		 579 s->init_num = 0;
580 } else if (SSL_USE_SIGALGS(s)) {
581 s->state = SSL3_ST_SR_CERT_VRFY_A;
582 s->init_num = 0;
583 if (!s->session->peer)
584 break;
0f113f3e
MC		 585 if (!s->s3->handshake_buffer) {
586 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
cf9b0b6f 587 s->state = SSL_ST_ERR;
0f113f3e
MC		 588 return -1;
589 }
0cfb0e75
DSH		 590 /*
591 * For sigalgs freeze the handshake buffer. If we support
124037fd 592 * extms we've done this already so this is a no-op
0cfb0e75 593 */
124037fd
DSH		 594 if (!ssl3_digest_cached_records(s, 1)) {
595 s->state = SSL_ST_ERR;
596 return -1;
0cfb0e75 597 }
0f113f3e
MC		 598 } else {
599 int offset = 0;
600 int dgst_num;
601
602 s->state = SSL3_ST_SR_CERT_VRFY_A;
603 s->init_num = 0;
604
605 /*
606 * We need to get hashes here so if there is a client cert,
607 * it can be verified FIXME - digest processing for
608 * CertificateVerify should be generalized. But it is next
609 * step
610 */
124037fd
DSH		 611 if (!ssl3_digest_cached_records(s, 0)) {
612 s->state = SSL_ST_ERR;
613 return -1;
cf9b0b6f 614 }
0f113f3e
MC		 615 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
616 if (s->s3->handshake_dgst[dgst_num]) {
617 int dgst_size;
618
619 s->method->ssl3_enc->cert_verify_mac(s,
620 EVP_MD_CTX_type
621 (s->
622 s3->handshake_dgst
623 [dgst_num]),
624 &(s->s3->
625 tmp.cert_verify_md
626 [offset]));
627 dgst_size =
628 EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
629 if (dgst_size < 0) {
cf9b0b6f 630 s->state = SSL_ST_ERR;
0f113f3e
MC		 631 ret = -1;
632 goto end;
633 }
634 offset += dgst_size;
635 }
636 }
637 break;
638
639 case SSL3_ST_SR_CERT_VRFY_A:
640 case SSL3_ST_SR_CERT_VRFY_B:
0f113f3e
MC		 641 ret = ssl3_get_cert_verify(s);
642 if (ret <= 0)
643 goto end;
d02b48c6 644
657da85e 645 s->state = SSL3_ST_SR_CHANGE_A;
0f113f3e
MC		 646 s->init_num = 0;
647 break;
d02b48c6 648
e481f9b9 649#if !defined(OPENSSL_NO_NEXTPROTONEG)
0f113f3e
MC		 650 case SSL3_ST_SR_NEXT_PROTO_A:
651 case SSL3_ST_SR_NEXT_PROTO_B:
0f113f3e
MC		 652 ret = ssl3_get_next_proto(s);
653 if (ret <= 0)
654 goto end;
655 s->init_num = 0;
656 s->state = SSL3_ST_SR_FINISHED_A;
657 break;
ee2ffc27
BL		 658#endif
659
657da85e
MC		 660
661 case SSL3_ST_SR_CHANGE_A:
662 case SSL3_ST_SR_CHANGE_B:
663 ret = ssl3_get_change_cipher_spec(s, SSL3_ST_SR_CHANGE_A,
664 SSL3_ST_SR_CHANGE_B);
665 if (ret <= 0)
666 goto end;
667
668#if defined(OPENSSL_NO_NEXTPROTONEG)
669 s->state = SSL3_ST_SR_FINISHED_A;
670#else
671 if (s->s3->next_proto_neg_seen)
672 s->state = SSL3_ST_SR_NEXT_PROTO_A;
673 else
674 s->state = SSL3_ST_SR_FINISHED_A;
675#endif
676 s->init_num = 0;
677 break;
678
0f113f3e
MC		 679 case SSL3_ST_SR_FINISHED_A:
680 case SSL3_ST_SR_FINISHED_B:
0f113f3e
MC		 681 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
682 SSL3_ST_SR_FINISHED_B);
683 if (ret <= 0)
684 goto end;
685 if (s->hit)
686 s->state = SSL_ST_OK;
0f113f3e
MC		 687 else if (s->tlsext_ticket_expected)
688 s->state = SSL3_ST_SW_SESSION_TICKET_A;
0f113f3e
MC		 689 else
690 s->state = SSL3_ST_SW_CHANGE_A;
691 s->init_num = 0;
692 break;
d02b48c6 693
0f113f3e
MC		 694 case SSL3_ST_SW_SESSION_TICKET_A:
695 case SSL3_ST_SW_SESSION_TICKET_B:
696 ret = ssl3_send_newsession_ticket(s);
697 if (ret <= 0)
698 goto end;
699 s->state = SSL3_ST_SW_CHANGE_A;
700 s->init_num = 0;
701 break;
702
703 case SSL3_ST_SW_CERT_STATUS_A:
704 case SSL3_ST_SW_CERT_STATUS_B:
705 ret = ssl3_send_cert_status(s);
706 if (ret <= 0)
707 goto end;
708 s->state = SSL3_ST_SW_KEY_EXCH_A;
709 s->init_num = 0;
710 break;
67c8e7f4 711
0f113f3e
MC		 712 case SSL3_ST_SW_CHANGE_A:
713 case SSL3_ST_SW_CHANGE_B:
714
715 s->session->cipher = s->s3->tmp.new_cipher;
716 if (!s->method->ssl3_enc->setup_key_block(s)) {
717 ret = -1;
cf9b0b6f 718 s->state = SSL_ST_ERR;
0f113f3e
MC		 719 goto end;
720 }
721
722 ret = ssl3_send_change_cipher_spec(s,
723 SSL3_ST_SW_CHANGE_A,
724 SSL3_ST_SW_CHANGE_B);
725
726 if (ret <= 0)
727 goto end;
728 s->state = SSL3_ST_SW_FINISHED_A;
729 s->init_num = 0;
730
731 if (!s->method->ssl3_enc->change_cipher_state(s,
732 SSL3_CHANGE_CIPHER_SERVER_WRITE))
733 {
734 ret = -1;
cf9b0b6f 735 s->state = SSL_ST_ERR;
0f113f3e
MC		 736 goto end;
737 }
738
739 break;
740
741 case SSL3_ST_SW_FINISHED_A:
742 case SSL3_ST_SW_FINISHED_B:
743 ret = ssl3_send_finished(s,
744 SSL3_ST_SW_FINISHED_A,
745 SSL3_ST_SW_FINISHED_B,
746 s->method->
747 ssl3_enc->server_finished_label,
748 s->method->
749 ssl3_enc->server_finished_label_len);
750 if (ret <= 0)
751 goto end;
752 s->state = SSL3_ST_SW_FLUSH;
753 if (s->hit) {
657da85e 754 s->s3->tmp.next_state = SSL3_ST_SR_CHANGE_A;
0f113f3e
MC		 755 } else
756 s->s3->tmp.next_state = SSL_ST_OK;
757 s->init_num = 0;
758 break;
759
760 case SSL_ST_OK:
761 /* clean a few things up */
762 ssl3_cleanup_key_block(s);
763
764 BUF_MEM_free(s->init_buf);
765 s->init_buf = NULL;
766
767 /* remove buffering on output */
768 ssl_free_wbio_buffer(s);
769
770 s->init_num = 0;
771
772 if (s->renegotiate == 2) { /* skipped if we just sent a
773 * HelloRequest */
774 s->renegotiate = 0;
775 s->new_session = 0;
776
777 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
778
779 s->ctx->stats.sess_accept_good++;
780 /* s->server=1; */
781 s->handshake_func = ssl3_accept;
782
783 if (cb != NULL)
784 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
785 }
786
787 ret = 1;
788 goto end;
789 /* break; */
790
a89db885 791 case SSL_ST_ERR:
0f113f3e
MC		 792 default:
793 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
794 ret = -1;
795 goto end;
796 /* break; */
797 }
798
799 if (!s->s3->tmp.reuse_message && !skip) {
800 if (s->debug) {
801 if ((ret = BIO_flush(s->wbio)) <= 0)
802 goto end;
803 }
804
805 if ((cb != NULL) && (s->state != state)) {
806 new_state = s->state;
807 s->state = state;
808 cb(s, SSL_CB_ACCEPT_LOOP, 1);
809 s->state = new_state;
810 }
811 }
812 skip = 0;
813 }
814 end:
815 /* BIO_flush(s->wbio); */
816
817 s->in_handshake--;
818 if (cb != NULL)
819 cb(s, SSL_CB_ACCEPT_EXIT, ret);
820 return (ret);
821}
d02b48c6 822
36d16f8e 823int ssl3_send_hello_request(SSL *s)
0f113f3e 824{
d02b48c6 825
0f113f3e 826 if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
61986d32 827 if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
77d514c5
MC		 828 SSLerr(SSL_F_SSL3_SEND_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
829 return -1;
830 }
0f113f3e
MC		 831 s->state = SSL3_ST_SW_HELLO_REQ_B;
832 }
d02b48c6 833
0f113f3e
MC		 834 /* SSL3_ST_SW_HELLO_REQ_B */
835 return ssl_do_write(s);
836}
d02b48c6 837
36d16f8e 838int ssl3_get_client_hello(SSL *s)
0f113f3e 839{
9ceb2426 840 int i, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
ec30e856 841 unsigned int j, complen = 0;
0f113f3e
MC		 842 long n;
843 unsigned long id;
0f113f3e 844 SSL_CIPHER *c;
09b6c2ef 845#ifndef OPENSSL_NO_COMP
0f113f3e 846 SSL_COMP *comp = NULL;
09b6c2ef 847#endif
0f113f3e 848 STACK_OF(SSL_CIPHER) *ciphers = NULL;
32ec4153 849 int protverr = 1;
ec30e856 850 PACKET pkt, cipher_suite, compression;
0f113f3e
MC		 851
852 if (s->state == SSL3_ST_SR_CLNT_HELLO_C && !s->first_packet)
853 goto retry_cert;
854
855 /*
856 * We do this so that we will respond with our native type. If we are
857 * TLSv1 and we get SSLv3, we will respond with TLSv1, This down
858 * switching should be handled by a different method. If we are SSLv3, we
859 * will respond with SSLv3, even if prompted with TLSv1.
860 */
861 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
862 s->state = SSL3_ST_SR_CLNT_HELLO_B;
863 }
864 s->first_packet = 1;
865 n = s->method->ssl_get_message(s,
866 SSL3_ST_SR_CLNT_HELLO_B,
867 SSL3_ST_SR_CLNT_HELLO_C,
868 SSL3_MT_CLIENT_HELLO,
869 SSL3_RT_MAX_PLAIN_LENGTH, &ok);
870
871 if (!ok)
872 return ((int)n);
873 s->first_packet = 0;
f9f60534
MC		 874 if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
875 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
876 al = SSL_AD_INTERNAL_ERROR;
877 goto f_err;
878 }
0f113f3e 879
32ec4153 880 /* First lets get s->client_version set correctly */
b2ce0337 881 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
9ceb2426
MC		 882 unsigned int version;
883 unsigned int mt;
32ec4153
MC		 884 /*-
885 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
886 * header is sent directly on the wire, not wrapped as a TLS
887 * record. Our record layer just processes the message length and passes
888 * the rest right through. Its format is:
889 * Byte Content
890 * 0-1 msg_length - decoded by the record layer
891 * 2 msg_type - s->init_msg points here
892 * 3-4 version
893 * 5-6 cipher_spec_length
894 * 7-8 session_id_length
895 * 9-10 challenge_length
896 * ... ...
897 */
898
9ceb2426
MC		 899 if (!PACKET_get_1(&pkt, &mt)
900 || mt != SSL2_MT_CLIENT_HELLO) {
32ec4153
MC		 901 /*
902 * Should never happen. We should have tested this in the record
903 * layer in order to have determined that this is a SSLv2 record
904 * in the first place
905 */
32ec4153 906 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
d45ba43d 907 goto err;
32ec4153
MC		 908 }
909
9ceb2426
MC		 910 if (!PACKET_get_net_2(&pkt, &version)) {
911 /* No protocol version supplied! */
912 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
913 goto err;
914 }
915 if (version == 0x0002) {
32ec4153
MC		 916 /* This is real SSLv2. We don't support it. */
917 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
918 goto err;
9ceb2426 919 } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
32ec4153 920 /* SSLv3/TLS */
9ceb2426 921 s->client_version = version;
32ec4153
MC		 922 } else {
923 /* No idea what protocol this is */
924 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
925 goto err;
926 }
927 } else {
928 /*
9ceb2426
MC		 929 * use version from inside client hello, not from record header (may
930 * differ: see RFC 2246, Appendix E, second paragraph)
32ec4153 931 */
9ceb2426 932 if(!PACKET_get_net_2(&pkt, (unsigned int *)&s->client_version)) {
32ec4153
MC		 933 al = SSL_AD_DECODE_ERROR;
934 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
935 goto f_err;
936 }
5e9f0eeb
MC		 937 }
938
32ec4153
MC		 939 /* Do SSL/TLS version negotiation if applicable */
940 if (!SSL_IS_DTLS(s)) {
941 if (s->version != TLS_ANY_VERSION) {
b2ce0337 942 if (s->client_version >= s->version) {
32ec4153
MC		 943 protverr = 0;
944 }
b2ce0337 945 } else if (s->client_version >= SSL3_VERSION) {
32ec4153
MC		 946 switch(s->client_version) {
947 default:
948 case TLS1_2_VERSION:
949 if(!(s->options & SSL_OP_NO_TLSv1_2)) {
950 s->version = TLS1_2_VERSION;
951 s->method = TLSv1_2_server_method();
952 protverr = 0;
953 break;
954 }
955 /* Deliberately fall through */
956 case TLS1_1_VERSION:
957 if(!(s->options & SSL_OP_NO_TLSv1_1)) {
958 s->version = TLS1_1_VERSION;
959 s->method = TLSv1_1_server_method();
960 protverr = 0;
961 break;
962 }
963 /* Deliberately fall through */
964 case TLS1_VERSION:
965 if(!(s->options & SSL_OP_NO_TLSv1)) {
966 s->version = TLS1_VERSION;
967 s->method = TLSv1_server_method();
968 protverr = 0;
969 break;
970 }
971 /* Deliberately fall through */
972 case SSL3_VERSION:
b2ce0337 973#ifndef OPENSSL_NO_SSL3
32ec4153
MC		 974 if(!(s->options & SSL_OP_NO_SSLv3)) {
975 s->version = SSL3_VERSION;
976 s->method = SSLv3_server_method();
977 protverr = 0;
978 break;
979 }
b2ce0337
MC		 980#else
981 break;
982#endif
32ec4153
MC		 983 }
984 }
b2ce0337
MC		 985 } else if (s->client_version <= s->version
986 || s->method->version == DTLS_ANY_VERSION) {
32ec4153
MC		 987 /*
988 * For DTLS we just check versions are potentially compatible. Version
989 * negotiation comes later.
990 */
991 protverr = 0;
992 }
993
994 if (protverr) {
995 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
996 if ((!s->enc_write_ctx && !s->write_hash)) {
0f113f3e
MC		 997 /*
998 * similar to ssl3_get_record, send alert using remote version
999 * number
1000 */
1001 s->version = s->client_version;
1002 }
1003 al = SSL_AD_PROTOCOL_VERSION;
1004 goto f_err;
1005 }
1006
32ec4153
MC		 1007 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1008 /*
1009 * Handle an SSLv2 backwards compatible ClientHello
1010 * Note, this is only for SSLv3+ using the backward compatible format.
1011 * Real SSLv2 is not supported, and is rejected above.
1012 */
ec30e856 1013 unsigned int cipher_len, session_id_len, challenge_len;
0f113f3e 1014
ec30e856
EK		 1015 if (!PACKET_get_net_2(&pkt, &cipher_len)
1016 || !PACKET_get_net_2(&pkt, &session_id_len)
1017 || !PACKET_get_net_2(&pkt, &challenge_len)) {
6f136aa6 1018 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
6c3cca57
AE		 1019 al = SSL_AD_DECODE_ERROR;
1020 goto f_err;
5e9f0eeb 1021 }
0f113f3e 1022
ec30e856 1023 if (cipher_len == 0) {
32ec4153
MC		 1024 /* we need at least one cipher */
1025 al = SSL_AD_ILLEGAL_PARAMETER;
1026 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
1027 goto f_err;
1028 }
0f113f3e 1029
ec30e856 1030 if (!PACKET_get_sub_packet(&pkt, &cipher_suite, cipher_len)) {
9ceb2426
MC		 1031 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
1032 al = SSL_AD_DECODE_ERROR;
1033 goto f_err;
1034 }
1035
ec30e856
EK		 1036 if (ssl_bytes_to_cipher_list(s, PACKET_data(&cipher_suite),
1037 cipher_len, &(ciphers), 1) == NULL) {
32ec4153
MC		 1038 goto err;
1039 }
0f113f3e 1040
32ec4153
MC		 1041 /*
1042 * Ignore any session id. We don't allow resumption in a backwards
1043 * compatible ClientHello
1044 */
ec30e856 1045 if (!PACKET_forward(&pkt, session_id_len)) {
9ceb2426
MC		 1046 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
1047 al = SSL_AD_DECODE_ERROR;
1048 goto f_err;
1049 }
32ec4153 1050 s->hit = 0;
5e9f0eeb 1051
0f113f3e
MC		 1052 if (!ssl_get_new_session(s, 1))
1053 goto err;
32ec4153
MC		 1054
1055 /* Load the client random */
ec30e856 1056 i = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE : challenge_len;
32ec4153 1057 memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
9cc3e8f1
EK		 1058 if (!PACKET_peek_copy_bytes(&pkt,
1059 s->s3->client_random + SSL3_RANDOM_SIZE - i,
1060 i)
ec30e856 1061 || !PACKET_forward(&pkt, challenge_len)
bc6616a4 1062 || PACKET_remaining(&pkt) != 0) {
9ceb2426
MC		 1063 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
1064 al = SSL_AD_DECODE_ERROR;
1065 goto f_err;
1066 }
0f113f3e 1067 } else {
32ec4153 1068 /* If we get here we've got SSLv3+ in an SSLv3+ record */
ec30e856
EK		 1069 PACKET session_id;
1070 unsigned int cookie_len;
9ceb2426
MC		 1071 /* load the client random and get the session-id */
1072 if (!PACKET_copy_bytes(&pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
ec30e856 1073 || !PACKET_get_length_prefixed_1(&pkt, &session_id)) {
9ceb2426
MC		 1074 al = SSL_AD_DECODE_ERROR;
1075 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
1076 goto f_err;
1077 }
32ec4153 1078
0f113f3e 1079 /*
32ec4153
MC		 1080 * If we require cookies and this ClientHello doesn't contain one, just
1081 * return since we do not want to allocate any memory yet. So check
1082 * cookie length...
0f113f3e 1083 */
32ec4153 1084 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
0f113f3e 1085
9ceb2426 1086 if (!PACKET_peek_1(&pkt, &cookie_len)) {
32ec4153
MC		 1087 al = SSL_AD_DECODE_ERROR;
1088 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
1089 goto f_err;
1090 }
0f113f3e 1091
9ceb2426 1092 if (cookie_len == 0)
32ec4153 1093 return 1;
5e9f0eeb 1094 }
0f113f3e 1095
32ec4153 1096 s->hit = 0;
0f113f3e 1097 /*
32ec4153
MC		 1098 * Versions before 0.9.7 always allow clients to resume sessions in
1099 * renegotiation. 0.9.7 and later allow this by default, but optionally
1100 * ignore resumption requests with flag
1101 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
1102 * than a change to default behavior so that applications relying on
1103 * this for security won't even compile against older library versions).
1104 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
1105 * request renegotiation but not a new session (s->new_session remains
1106 * unset): for servers, this essentially just means that the
1107 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
1108 * ignored.
0f113f3e 1109 */
32ec4153
MC		 1110 if ((s->new_session
1111 && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1112 if (!ssl_get_new_session(s, 1))
1113 goto err;
1114 } else {
ec30e856
EK		 1115 /*
1116 * TODO(openssl-team): ssl_get_prev_session passes a non-const
1117 * 'unsigned char*' session id to a user callback. Grab a copy of
1118 * the data?
1119 */
1120 i = ssl_get_prev_session(s, &pkt, PACKET_data(&session_id),
1121 PACKET_remaining(&session_id));
32ec4153
MC		 1122 /*
1123 * Only resume if the session's version matches the negotiated
1124 * version.
1125 * RFC 5246 does not provide much useful advice on resumption
1126 * with a different protocol version. It doesn't forbid it but
1127 * the sanity of such behaviour would be questionable.
1128 * In practice, clients do not accept a version mismatch and
1129 * will abort the handshake with an error.
1130 */
1131 if (i == 1 && s->version == s->session->ssl_version) {
1132 /* previous session */
1133 s->hit = 1;
1134 } else if (i == -1)
1135 goto err;
1136 else {
1137 /* i == 0 */
1138 if (!ssl_get_new_session(s, 1))
1139 goto err;
1140 }
0f113f3e
MC		 1141 }
1142
32ec4153 1143 if (SSL_IS_DTLS(s)) {
ec30e856
EK		 1144 PACKET cookie;
1145 if (!PACKET_get_length_prefixed_1(&pkt, &cookie)) {
32ec4153
MC		 1146 al = SSL_AD_DECODE_ERROR;
1147 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
0f113f3e
MC		 1148 goto f_err;
1149 }
ec30e856 1150 cookie_len = PACKET_remaining(&cookie);
32ec4153
MC		 1151 /*
1152 * The ClientHello may contain a cookie even if the
1153 * HelloVerify message has not been sent--make sure that it
1154 * does not cause an overflow.
1155 */
1156 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
1157 /* too much data */
1158 al = SSL_AD_DECODE_ERROR;
1159 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
0f113f3e
MC		 1160 goto f_err;
1161 }
32ec4153
MC		 1162
1163 /* verify the cookie if appropriate option is set. */
1164 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
1165 && cookie_len > 0) {
9ceb2426 1166 /* Get cookie */
ec30e856
EK		 1167 /*
1168 * TODO(openssl-team): rcvd_cookie appears unused outside this
1169 * function. Remove the field?
1170 */
1171 if (!PACKET_copy_bytes(&cookie, s->d1->rcvd_cookie, cookie_len)) {
1172 al = SSL_AD_INTERNAL_ERROR;
1173 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
9ceb2426
MC		 1174 goto f_err;
1175 }
32ec4153
MC		 1176
1177 if (s->ctx->app_verify_cookie_cb != NULL) {
1178 if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
1179 cookie_len) == 0) {
1180 al = SSL_AD_HANDSHAKE_FAILURE;
1181 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1182 SSL_R_COOKIE_MISMATCH);
1183 goto f_err;
1184 }
1185 /* else cookie verification succeeded */
1186 }
1187 /* default verification */
1188 else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1189 s->d1->cookie_len) != 0) {
1190 al = SSL_AD_HANDSHAKE_FAILURE;
1191 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1192 goto f_err;
1193 }
1194 /* Set to -2 so if successful we return 2 */
1195 ret = -2;
1196 }
32ec4153
MC		 1197 if (s->method->version == DTLS_ANY_VERSION) {
1198 /* Select version to use */
1199 if (s->client_version <= DTLS1_2_VERSION &&
1200 !(s->options & SSL_OP_NO_DTLSv1_2)) {
1201 s->version = DTLS1_2_VERSION;
1202 s->method = DTLSv1_2_server_method();
1203 } else if (tls1_suiteb(s)) {
1204 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1205 SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
1206 s->version = s->client_version;
1207 al = SSL_AD_PROTOCOL_VERSION;
1208 goto f_err;
1209 } else if (s->client_version <= DTLS1_VERSION &&
1210 !(s->options & SSL_OP_NO_DTLSv1)) {
1211 s->version = DTLS1_VERSION;
1212 s->method = DTLSv1_server_method();
1213 } else {
1214 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1215 SSL_R_WRONG_VERSION_NUMBER);
1216 s->version = s->client_version;
1217 al = SSL_AD_PROTOCOL_VERSION;
1218 goto f_err;
1219 }
1220 s->session->ssl_version = s->version;
1221 }
0f113f3e 1222 }
0f113f3e 1223
ec30e856 1224 if (!PACKET_get_length_prefixed_2(&pkt, &cipher_suite)) {
32ec4153
MC		 1225 al = SSL_AD_DECODE_ERROR;
1226 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
1227 goto f_err;
1228 }
3ae91cfb 1229
ec30e856 1230 if (PACKET_remaining(&cipher_suite) == 0) {
32ec4153
MC		 1231 al = SSL_AD_ILLEGAL_PARAMETER;
1232 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
1233 goto f_err;
1234 }
5e9f0eeb 1235
ec30e856
EK		 1236 if (ssl_bytes_to_cipher_list(s, PACKET_data(&cipher_suite),
1237 PACKET_remaining(&cipher_suite),
1238 &(ciphers), 0) == NULL) {
32ec4153
MC		 1239 goto err;
1240 }
0f113f3e 1241
32ec4153
MC		 1242 /* If it is a hit, check that the cipher is in the list */
1243 if (s->hit) {
1244 j = 0;
1245 id = s->session->cipher->id;
d02b48c6 1246
413c4f45 1247#ifdef CIPHER_DEBUG
32ec4153
MC		 1248 fprintf(stderr, "client sent %d ciphers\n",
1249 sk_SSL_CIPHER_num(ciphers));
413c4f45 1250#endif
32ec4153
MC		 1251 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1252 c = sk_SSL_CIPHER_value(ciphers, i);
413c4f45 1253#ifdef CIPHER_DEBUG
32ec4153
MC		 1254 fprintf(stderr, "client [%2d of %2d]:%s\n",
1255 i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
413c4f45 1256#endif
32ec4153
MC		 1257 if (c->id == id) {
1258 j = 1;
1259 break;
1260 }
0f113f3e 1261 }
0f113f3e 1262 /*
32ec4153
MC		 1263 * Disabled because it can be used in a ciphersuite downgrade
1264 * attack:
1265 * CVE-2010-4180.
0f113f3e 1266 */
32ec4153
MC		 1267#if 0
1268 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
1269 && (sk_SSL_CIPHER_num(ciphers) == 1)) {
1270 /*
1271 * Special case as client bug workaround: the previously used
1272 * cipher may not be in the current list, the client instead
1273 * might be trying to continue using a cipher that before wasn't
1274 * chosen due to server preferences. We'll have to reject the
1275 * connection if the cipher is not enabled, though.
1276 */
1277 c = sk_SSL_CIPHER_value(ciphers, 0);
1278 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
1279 s->session->cipher = c;
1280 j = 1;
1281 }
0f113f3e 1282 }
88f2a4cf 1283#endif
32ec4153
MC		 1284 if (j == 0) {
1285 /*
1286 * we need to have the cipher in the cipher list if we are asked
1287 * to reuse it
1288 */
1289 al = SSL_AD_ILLEGAL_PARAMETER;
1290 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1291 SSL_R_REQUIRED_CIPHER_MISSING);
1292 goto f_err;
1293 }
0f113f3e 1294 }
0f113f3e 1295
32ec4153 1296 /* compression */
ec30e856 1297 if (!PACKET_get_length_prefixed_1(&pkt, &compression)) {
32ec4153
MC		 1298 /* not enough data */
1299 al = SSL_AD_DECODE_ERROR;
ec30e856
EK		 1300 /*
1301 * TODO(openssl-team):
1302 * SSL_R_LENGTH_TOO_SHORT and SSL_R_LENGTH_MISMATCH are used
1303 * interchangeably. Pick one.
1304 */
32ec4153
MC		 1305 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1306 goto f_err;
1307 }
9ceb2426 1308
ec30e856 1309 complen = PACKET_remaining(&compression);
b2ce0337 1310 for (j = 0; j < complen; j++) {
ec30e856 1311 if (PACKET_data(&compression)[j] == 0)
32ec4153
MC		 1312 break;
1313 }
0f113f3e 1314
b2ce0337 1315 if (j >= complen) {
32ec4153
MC		 1316 /* no compress */
1317 al = SSL_AD_DECODE_ERROR;
1318 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1319 goto f_err;
1320 }
0f113f3e 1321 }
32ec4153 1322
0f113f3e
MC		 1323 /* TLS extensions */
1324 if (s->version >= SSL3_VERSION) {
9ceb2426 1325 if (!ssl_parse_clienthello_tlsext(s, &pkt)) {
0f113f3e
MC		 1326 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1327 goto err;
1328 }
1329 }
1330
1331 /*
1332 * Check if we want to use external pre-shared secret for this handshake
1333 * for not reused session only. We need to generate server_random before
1334 * calling tls_session_secret_cb in order to allow SessionTicket
1335 * processing to use it in key derivation.
1336 */
1337 {
1338 unsigned char *pos;
1339 pos = s->s3->server_random;
1340 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
1341 goto f_err;
1342 }
1343 }
1344
1345 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1346 SSL_CIPHER *pref_cipher = NULL;
1347
1348 s->session->master_key_length = sizeof(s->session->master_key);
1349 if (s->tls_session_secret_cb(s, s->session->master_key,
1350 &s->session->master_key_length, ciphers,
1351 &pref_cipher,
1352 s->tls_session_secret_cb_arg)) {
1353 s->hit = 1;
1354 s->session->ciphers = ciphers;
1355 s->session->verify_result = X509_V_OK;
1356
1357 ciphers = NULL;
1358
1359 /* check if some cipher was preferred by call back */
1360 pref_cipher =
1361 pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
1362 s->
1363 session->ciphers,
1364 SSL_get_ciphers
1365 (s));
1366 if (pref_cipher == NULL) {
1367 al = SSL_AD_HANDSHAKE_FAILURE;
1368 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1369 goto f_err;
1370 }
1371
1372 s->session->cipher = pref_cipher;
25aaa98a 1373 sk_SSL_CIPHER_free(s->cipher_list);
0f113f3e 1374 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
25aaa98a 1375 sk_SSL_CIPHER_free(s->cipher_list_by_id);
0f113f3e
MC		 1376 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1377 }
1378 }
58ece833 1379
0f113f3e
MC		 1380 /*
1381 * Worst case, we will use the NULL compression, but if we have other
b2ce0337 1382 * options, we will now look for them. We have complen-1 compression
0f113f3e
MC		 1383 * algorithms from the client, starting at q.
1384 */
1385 s->s3->tmp.new_compression = NULL;
09b6c2ef 1386#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 1387 /* This only happens if we have a cache hit */
1388 if (s->session->compress_meth != 0) {
1389 int m, comp_id = s->session->compress_meth;
9ceb2426 1390 unsigned int k;
0f113f3e
MC		 1391 /* Perform sanity checks on resumed compression algorithm */
1392 /* Can't disable compression */
1393 if (!ssl_allow_compression(s)) {
1394 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1395 SSL_R_INCONSISTENT_COMPRESSION);
1396 goto f_err;
1397 }
1398 /* Look for resumed compression method */
1399 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1400 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1401 if (comp_id == comp->id) {
1402 s->s3->tmp.new_compression = comp;
1403 break;
1404 }
1405 }
1406 if (s->s3->tmp.new_compression == NULL) {
1407 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1408 SSL_R_INVALID_COMPRESSION_ALGORITHM);
1409 goto f_err;
1410 }
1411 /* Look for resumed method in compression list */
9ceb2426 1412 for (k = 0; k < complen; k++) {
ec30e856 1413 if (PACKET_data(&compression)[k] == comp_id)
0f113f3e
MC		 1414 break;
1415 }
9ceb2426 1416 if (k >= complen) {
0f113f3e
MC		 1417 al = SSL_AD_ILLEGAL_PARAMETER;
1418 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1419 SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1420 goto f_err;
1421 }
1422 } else if (s->hit)
1423 comp = NULL;
1424 else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
df6741c9 1425 /* See if we have a match */
9ceb2426
MC		 1426 int m, nn, v, done = 0;
1427 unsigned int o;
0f113f3e
MC		 1428
1429 nn = sk_SSL_COMP_num(s->ctx->comp_methods);
1430 for (m = 0; m < nn; m++) {
1431 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1432 v = comp->id;
b2ce0337 1433 for (o = 0; o < complen; o++) {
ec30e856 1434 if (v == PACKET_data(&compression)[o]) {
0f113f3e
MC		 1435 done = 1;
1436 break;
1437 }
1438 }
1439 if (done)
1440 break;
1441 }
1442 if (done)
1443 s->s3->tmp.new_compression = comp;
1444 else
1445 comp = NULL;
1446 }
e6f418bc 1447#else
0f113f3e
MC		 1448 /*
1449 * If compression is disabled we'd better not try to resume a session
1450 * using compression.
1451 */
1452 if (s->session->compress_meth != 0) {
1453 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1454 goto f_err;
1455 }
09b6c2ef 1456#endif
413c4f45 1457
0f113f3e
MC		 1458 /*
1459 * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
1460 */
d02b48c6 1461
0f113f3e 1462 if (!s->hit) {
09b6c2ef 1463#ifdef OPENSSL_NO_COMP
0f113f3e 1464 s->session->compress_meth = 0;
09b6c2ef 1465#else
0f113f3e 1466 s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
09b6c2ef 1467#endif
25aaa98a 1468 sk_SSL_CIPHER_free(s->session->ciphers);
0f113f3e
MC		 1469 s->session->ciphers = ciphers;
1470 if (ciphers == NULL) {
3ae91cfb
EK		 1471 al = SSL_AD_INTERNAL_ERROR;
1472 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
0f113f3e
MC		 1473 goto f_err;
1474 }
1475 ciphers = NULL;
1476 if (!tls1_set_server_sigalgs(s)) {
1477 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1478 goto err;
1479 }
1480 /* Let cert callback update server certificates if required */
1481 retry_cert:
1482 if (s->cert->cert_cb) {
1483 int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
1484 if (rv == 0) {
1485 al = SSL_AD_INTERNAL_ERROR;
1486 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
1487 goto f_err;
1488 }
1489 if (rv < 0) {
1490 s->rwstate = SSL_X509_LOOKUP;
1491 return -1;
1492 }
1493 s->rwstate = SSL_NOTHING;
1494 }
1495 c = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1496
1497 if (c == NULL) {
1498 al = SSL_AD_HANDSHAKE_FAILURE;
1499 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1500 goto f_err;
1501 }
1502 s->s3->tmp.new_cipher = c;
1503 /* check whether we should disable session resumption */
1504 if (s->not_resumable_session_cb != NULL)
1505 s->session->not_resumable = s->not_resumable_session_cb(s,
1506 ((c->algorithm_mkey & (SSL_kDHE | SSL_kECDHE))
1507 != 0));
1508 if (s->session->not_resumable)
1509 /* do not send a session ticket */
1510 s->tlsext_ticket_expected = 0;
1511 } else {
1512 /* Session-id reuse */
7a4dadc3 1513 s->s3->tmp.new_cipher = s->session->cipher;
0f113f3e
MC		 1514 }
1515
1516 if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) {
124037fd 1517 if (!ssl3_digest_cached_records(s, 0))
0f113f3e
MC		 1518 goto f_err;
1519 }
1520
50e735f9
MC		 1521 /*-
1522 * we now have the following setup.
1523 * client_random
1524 * cipher_list - our prefered list of ciphers
1525 * ciphers - the clients prefered list of ciphers
1526 * compression - basically ignored right now
1527 * ssl version is set - sslv3
1528 * s->session - The ssl session has been setup.
1529 * s->hit - session reuse flag
1530 * s->s3->tmp.new_cipher- the new cipher to use.
1531 */
0f113f3e
MC		 1532
1533 /* Handles TLS extensions that we couldn't check earlier */
1534 if (s->version >= SSL3_VERSION) {
1535 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1536 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1537 goto err;
1538 }
1539 }
1540
1541 if (ret < 0)
1542 ret = -ret;
1543 if (0) {
1544 f_err:
1545 ssl3_send_alert(s, SSL3_AL_FATAL, al);
0f113f3e 1546 err:
a89db885
MC		 1547 s->state = SSL_ST_ERR;
1548 }
1549
25aaa98a 1550 sk_SSL_CIPHER_free(ciphers);
0f113f3e
MC		 1551 return ret < 0 ? -1 : ret;
1552}
d02b48c6 1553
36d16f8e 1554int ssl3_send_server_hello(SSL *s)
0f113f3e
MC		 1555{
1556 unsigned char *buf;
1557 unsigned char *p, *d;
1558 int i, sl;
1559 int al = 0;
1560 unsigned long l;
1561
1562 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1563 buf = (unsigned char *)s->init_buf->data;
e481f9b9 1564
0f113f3e
MC		 1565 /* Do the message type and length last */
1566 d = p = ssl_handshake_start(s);
1567
1568 *(p++) = s->version >> 8;
1569 *(p++) = s->version & 0xff;
1570
e1e088ec
MC		 1571 /*
1572 * Random stuff. Filling of the server_random takes place in
1573 * ssl3_get_client_hello()
1574 */
0f113f3e
MC		 1575 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1576 p += SSL3_RANDOM_SIZE;
1577
50e735f9
MC		 1578 /*-
1579 * There are several cases for the session ID to send
1580 * back in the server hello:
1581 * - For session reuse from the session cache,
1582 * we send back the old session ID.
1583 * - If stateless session reuse (using a session ticket)
1584 * is successful, we send back the client's "session ID"
1585 * (which doesn't actually identify the session).
1586 * - If it is a new session, we send back the new
1587 * session ID.
1588 * - However, if we want the new session to be single-use,
1589 * we send back a 0-length session ID.
1590 * s->hit is non-zero in either case of session reuse,
1591 * so the following won't overwrite an ID that we're supposed
1592 * to send back.
1593 */
0f113f3e
MC		 1594 if (s->session->not_resumable ||
1595 (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1596 && !s->hit))
1597 s->session->session_id_length = 0;
1598
1599 sl = s->session->session_id_length;
1600 if (sl > (int)sizeof(s->session->session_id)) {
1601 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
cf9b0b6f 1602 s->state = SSL_ST_ERR;
0f113f3e
MC		 1603 return -1;
1604 }
1605 *(p++) = sl;
1606 memcpy(p, s->session->session_id, sl);
1607 p += sl;
1608
1609 /* put the cipher */
1610 i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
1611 p += i;
1612
1613 /* put the compression method */
09b6c2ef 1614#ifdef OPENSSL_NO_COMP
0f113f3e 1615 *(p++) = 0;
09b6c2ef 1616#else
0f113f3e
MC		 1617 if (s->s3->tmp.new_compression == NULL)
1618 *(p++) = 0;
1619 else
1620 *(p++) = s->s3->tmp.new_compression->id;
09b6c2ef 1621#endif
e481f9b9 1622
0f113f3e
MC		 1623 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1624 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
cf9b0b6f 1625 s->state = SSL_ST_ERR;
0f113f3e
MC		 1626 return -1;
1627 }
1628 if ((p =
1629 ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
1630 &al)) == NULL) {
1631 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1632 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
cf9b0b6f 1633 s->state = SSL_ST_ERR;
0f113f3e
MC		 1634 return -1;
1635 }
e481f9b9 1636
0f113f3e
MC		 1637 /* do the header */
1638 l = (p - d);
61986d32 1639 if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
77d514c5
MC		 1640 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1641 return -1;
1642 }
0f113f3e
MC		 1643 s->state = SSL3_ST_SW_SRVR_HELLO_B;
1644 }
d02b48c6 1645
0f113f3e
MC		 1646 /* SSL3_ST_SW_SRVR_HELLO_B */
1647 return ssl_do_write(s);
1648}
d02b48c6 1649
36d16f8e 1650int ssl3_send_server_done(SSL *s)
0f113f3e 1651{
d02b48c6 1652
0f113f3e 1653 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
61986d32 1654 if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
77d514c5
MC		 1655 SSLerr(SSL_F_SSL3_SEND_SERVER_DONE, ERR_R_INTERNAL_ERROR);
1656 return -1;
1657 }
0f113f3e
MC		 1658 s->state = SSL3_ST_SW_SRVR_DONE_B;
1659 }
d02b48c6 1660
0f113f3e
MC		 1661 /* SSL3_ST_SW_SRVR_DONE_B */
1662 return ssl_do_write(s);
1663}
d02b48c6 1664
36d16f8e 1665int ssl3_send_server_key_exchange(SSL *s)
0f113f3e 1666{
bc36ee62 1667#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 1668 unsigned char *q;
1669 int j, num;
1670 RSA *rsa;
1671 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1672 unsigned int u;
d02b48c6 1673#endif
bc36ee62 1674#ifndef OPENSSL_NO_DH
0f113f3e 1675 DH *dh = NULL, *dhp;
ea262260 1676#endif
10bf4fc2 1677#ifndef OPENSSL_NO_EC
0f113f3e
MC		 1678 EC_KEY *ecdh = NULL, *ecdhp;
1679 unsigned char *encodedPoint = NULL;
1680 int encodedlen = 0;
1681 int curve_id = 0;
1682 BN_CTX *bn_ctx = NULL;
d02b48c6 1683#endif
0f113f3e
MC		 1684 EVP_PKEY *pkey;
1685 const EVP_MD *md = NULL;
1686 unsigned char *p, *d;
1687 int al, i;
1688 unsigned long type;
1689 int n;
1690 CERT *cert;
1691 BIGNUM *r[4];
1692 int nr[4], kn;
1693 BUF_MEM *buf;
1694 EVP_MD_CTX md_ctx;
1695
1696 EVP_MD_CTX_init(&md_ctx);
1697 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1698 type = s->s3->tmp.new_cipher->algorithm_mkey;
1699 cert = s->cert;
1700
1701 buf = s->init_buf;
1702
1703 r[0] = r[1] = r[2] = r[3] = NULL;
1704 n = 0;
85269210
DSH		 1705#ifndef OPENSSL_NO_PSK
1706 if (type & SSL_PSK) {
1707 /*
1708 * reserve size for record length and PSK identity hint
1709 */
1710 n += 2;
df6da24b
DSH		 1711 if (s->cert->psk_identity_hint)
1712 n += strlen(s->cert->psk_identity_hint);
85269210
DSH		 1713 }
1714 /* Plain PSK or RSAPSK nothing to do */
1715 if (type & (SSL_kPSK | SSL_kRSAPSK)) {
1716 } else
1717#endif /* !OPENSSL_NO_PSK */
bc36ee62 1718#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 1719 if (type & SSL_kRSA) {
1720 rsa = cert->rsa_tmp;
1721 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
1722 rsa = s->cert->rsa_tmp_cb(s,
1723 SSL_C_IS_EXPORT(s->s3->
1724 tmp.new_cipher),
1725 SSL_C_EXPORT_PKEYLENGTH(s->s3->
1726 tmp.new_cipher));
1727 if (rsa == NULL) {
1728 al = SSL_AD_HANDSHAKE_FAILURE;
1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1730 SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1731 goto f_err;
1732 }
1733 RSA_up_ref(rsa);
1734 cert->rsa_tmp = rsa;
1735 }
1736 if (rsa == NULL) {
1737 al = SSL_AD_HANDSHAKE_FAILURE;
1738 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1739 SSL_R_MISSING_TMP_RSA_KEY);
1740 goto f_err;
1741 }
1742 r[0] = rsa->n;
1743 r[1] = rsa->e;
1744 s->s3->tmp.use_rsa_tmp = 1;
1745 } else
d02b48c6 1746#endif
bc36ee62 1747#ifndef OPENSSL_NO_DH
85269210 1748 if (type & (SSL_kDHE | SSL_kDHEPSK)) {
0f113f3e
MC		 1749 if (s->cert->dh_tmp_auto) {
1750 dhp = ssl_get_auto_dh(s);
1751 if (dhp == NULL) {
1752 al = SSL_AD_INTERNAL_ERROR;
1753 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1754 ERR_R_INTERNAL_ERROR);
1755 goto f_err;
1756 }
1757 } else
1758 dhp = cert->dh_tmp;
1759 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1760 dhp = s->cert->dh_tmp_cb(s,
1761 SSL_C_IS_EXPORT(s->s3->
1762 tmp.new_cipher),
1763 SSL_C_EXPORT_PKEYLENGTH(s->s3->
1764 tmp.new_cipher));
1765 if (dhp == NULL) {
1766 al = SSL_AD_HANDSHAKE_FAILURE;
1767 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1768 SSL_R_MISSING_TMP_DH_KEY);
1769 goto f_err;
1770 }
1771 if (!ssl_security(s, SSL_SECOP_TMP_DH,
1772 DH_security_bits(dhp), 0, dhp)) {
1773 al = SSL_AD_HANDSHAKE_FAILURE;
1774 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1775 SSL_R_DH_KEY_TOO_SMALL);
1776 goto f_err;
1777 }
1778 if (s->s3->tmp.dh != NULL) {
1779 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1780 ERR_R_INTERNAL_ERROR);
1781 goto err;
1782 }
1783
1784 if (s->cert->dh_tmp_auto)
1785 dh = dhp;
1786 else if ((dh = DHparams_dup(dhp)) == NULL) {
1787 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1788 goto err;
1789 }
1790
1791 s->s3->tmp.dh = dh;
1792 if ((dhp->pub_key == NULL ||
1793 dhp->priv_key == NULL ||
1794 (s->options & SSL_OP_SINGLE_DH_USE))) {
1795 if (!DH_generate_key(dh)) {
1796 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1797 goto err;
1798 }
1799 } else {
1800 dh->pub_key = BN_dup(dhp->pub_key);
1801 dh->priv_key = BN_dup(dhp->priv_key);
1802 if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) {
1803 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1804 goto err;
1805 }
1806 }
1807 r[0] = dh->p;
1808 r[1] = dh->g;
1809 r[2] = dh->pub_key;
1810 } else
d02b48c6 1811#endif
10bf4fc2 1812#ifndef OPENSSL_NO_EC
85269210 1813 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
0f113f3e
MC		 1814 const EC_GROUP *group;
1815
1816 ecdhp = cert->ecdh_tmp;
1817 if (s->cert->ecdh_tmp_auto) {
1818 /* Get NID of appropriate shared curve */
1819 int nid = tls1_shared_curve(s, -2);
1820 if (nid != NID_undef)
1821 ecdhp = EC_KEY_new_by_curve_name(nid);
1822 } else if ((ecdhp == NULL) && s->cert->ecdh_tmp_cb) {
1823 ecdhp = s->cert->ecdh_tmp_cb(s,
1824 SSL_C_IS_EXPORT(s->s3->
1825 tmp.new_cipher),
1826 SSL_C_EXPORT_PKEYLENGTH(s->
1827 s3->tmp.new_cipher));
1828 }
1829 if (ecdhp == NULL) {
1830 al = SSL_AD_HANDSHAKE_FAILURE;
1831 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1832 SSL_R_MISSING_TMP_ECDH_KEY);
1833 goto f_err;
1834 }
1835
1836 if (s->s3->tmp.ecdh != NULL) {
1837 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1838 ERR_R_INTERNAL_ERROR);
1839 goto err;
1840 }
1841
1842 /* Duplicate the ECDH structure. */
1843 if (ecdhp == NULL) {
1844 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1845 goto err;
1846 }
1847 if (s->cert->ecdh_tmp_auto)
1848 ecdh = ecdhp;
1849 else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1850 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1851 goto err;
1852 }
1853
1854 s->s3->tmp.ecdh = ecdh;
1855 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1856 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1857 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1858 if (!EC_KEY_generate_key(ecdh)) {
1859 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1860 ERR_R_ECDH_LIB);
1861 goto err;
1862 }
1863 }
1864
1865 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1866 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1867 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1868 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1869 goto err;
1870 }
1871
1872 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1873 (EC_GROUP_get_degree(group) > 163)) {
1874 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1875 SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1876 goto err;
1877 }
1878
1879 /*
1880 * XXX: For now, we only support ephemeral ECDH keys over named
1881 * (not generic) curves. For supported named curves, curve_id is
1882 * non-zero.
1883 */
1884 if ((curve_id =
1885 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
1886 == 0) {
1887 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1888 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1889 goto err;
1890 }
1891
1892 /*
1893 * Encode the public key. First check the size of encoding and
1894 * allocate memory accordingly.
1895 */
1896 encodedlen = EC_POINT_point2oct(group,
1897 EC_KEY_get0_public_key(ecdh),
1898 POINT_CONVERSION_UNCOMPRESSED,
1899 NULL, 0, NULL);
1900
1901 encodedPoint = (unsigned char *)
1902 OPENSSL_malloc(encodedlen * sizeof(unsigned char));
1903 bn_ctx = BN_CTX_new();
1904 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1905 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1906 ERR_R_MALLOC_FAILURE);
1907 goto err;
1908 }
1909
1910 encodedlen = EC_POINT_point2oct(group,
1911 EC_KEY_get0_public_key(ecdh),
1912 POINT_CONVERSION_UNCOMPRESSED,
1913 encodedPoint, encodedlen, bn_ctx);
1914
1915 if (encodedlen == 0) {
1916 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1917 goto err;
1918 }
1919
1920 BN_CTX_free(bn_ctx);
1921 bn_ctx = NULL;
1922
1923 /*
1924 * XXX: For now, we only support named (not generic) curves in
1925 * ECDH ephemeral key exchanges. In this situation, we need four
1926 * additional bytes to encode the entire ServerECDHParams
1927 * structure.
1928 */
85269210 1929 n += 4 + encodedlen;
0f113f3e
MC		 1930
1931 /*
1932 * We'll generate the serverKeyExchange message explicitly so we
1933 * can set these to NULLs
1934 */
1935 r[0] = NULL;
1936 r[1] = NULL;
1937 r[2] = NULL;
1938 r[3] = NULL;
1939 } else
10bf4fc2 1940#endif /* !OPENSSL_NO_EC */
edc032b5 1941#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1942 if (type & SSL_kSRP) {
1943 if ((s->srp_ctx.N == NULL) ||
1944 (s->srp_ctx.g == NULL) ||
1945 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
1946 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1947 SSL_R_MISSING_SRP_PARAM);
1948 goto err;
1949 }
1950 r[0] = s->srp_ctx.N;
1951 r[1] = s->srp_ctx.g;
1952 r[2] = s->srp_ctx.s;
1953 r[3] = s->srp_ctx.B;
1954 } else
edc032b5 1955#endif
0f113f3e
MC		 1956 {
1957 al = SSL_AD_HANDSHAKE_FAILURE;
1958 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1959 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1960 goto f_err;
1961 }
1962 for (i = 0; i < 4 && r[i] != NULL; i++) {
1963 nr[i] = BN_num_bytes(r[i]);
edc032b5 1964#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1965 if ((i == 2) && (type & SSL_kSRP))
1966 n += 1 + nr[i];
1967 else
edc032b5 1968#endif
0f113f3e
MC		 1969 n += 2 + nr[i];
1970 }
1971
85269210
DSH		 1972 if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
1973 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
0f113f3e
MC		 1974 if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
1975 == NULL) {
1976 al = SSL_AD_DECODE_ERROR;
1977 goto f_err;
1978 }
1979 kn = EVP_PKEY_size(pkey);
1980 } else {
1981 pkey = NULL;
1982 kn = 0;
1983 }
1984
1985 if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
1986 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
1987 goto err;
1988 }
1989 d = p = ssl_handshake_start(s);
1990
85269210
DSH		 1991#ifndef OPENSSL_NO_PSK
1992 if (type & SSL_PSK) {
1993 /* copy PSK identity hint */
df6da24b
DSH		 1994 if (s->cert->psk_identity_hint) {
1995 s2n(strlen(s->cert->psk_identity_hint), p);
1996 strncpy((char *)p, s->cert->psk_identity_hint,
1997 strlen(s->cert->psk_identity_hint));
1998 p += strlen(s->cert->psk_identity_hint);
85269210
DSH		 1999 } else {
2000 s2n(0, p);
2001 }
2002 }
2003#endif
2004
0f113f3e 2005 for (i = 0; i < 4 && r[i] != NULL; i++) {
edc032b5 2006#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 2007 if ((i == 2) && (type & SSL_kSRP)) {
2008 *p = nr[i];
2009 p++;
2010 } else
edc032b5 2011#endif
0f113f3e
MC		 2012 s2n(nr[i], p);
2013 BN_bn2bin(r[i], p);
2014 p += nr[i];
2015 }
d02b48c6 2016
10bf4fc2 2017#ifndef OPENSSL_NO_EC
85269210 2018 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
0f113f3e
MC		 2019 /*
2020 * XXX: For now, we only support named (not generic) curves. In
2021 * this situation, the serverKeyExchange message has: [1 byte
2022 * CurveType], [2 byte CurveName] [1 byte length of encoded
2023 * point], followed by the actual encoded point itself
2024 */
2025 *p = NAMED_CURVE_TYPE;
2026 p += 1;
2027 *p = 0;
2028 p += 1;
2029 *p = curve_id;
2030 p += 1;
2031 *p = encodedlen;
2032 p += 1;
16f8d4eb 2033 memcpy(p, encodedPoint, encodedlen);
0f113f3e
MC		 2034 OPENSSL_free(encodedPoint);
2035 encodedPoint = NULL;
2036 p += encodedlen;
2037 }
ea262260
BM		 2038#endif
2039
0f113f3e
MC		 2040 /* not anonymous */
2041 if (pkey != NULL) {
2042 /*
2043 * n is the length of the params, they start at &(d[4]) and p
2044 * points to the space at the end.
2045 */
bc36ee62 2046#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 2047 if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
2048 q = md_buf;
2049 j = 0;
2050 for (num = 2; num > 0; num--) {
2051 EVP_MD_CTX_set_flags(&md_ctx,
2052 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
2053 EVP_DigestInit_ex(&md_ctx, (num == 2)
2054 ? s->ctx->md5 : s->ctx->sha1, NULL);
2055 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
2056 SSL3_RANDOM_SIZE);
2057 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
2058 SSL3_RANDOM_SIZE);
2059 EVP_DigestUpdate(&md_ctx, d, n);
2060 EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
2061 q += i;
2062 j += i;
2063 }
2064 if (RSA_sign(NID_md5_sha1, md_buf, j,
2065 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
2066 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
2067 goto err;
2068 }
2069 s2n(u, p);
2070 n += u + 2;
2071 } else
d02b48c6 2072#endif
0f113f3e
MC		 2073 if (md) {
2074 /* send signature algorithm */
2075 if (SSL_USE_SIGALGS(s)) {
2076 if (!tls12_get_sigandhash(p, pkey, md)) {
2077 /* Should never happen */
2078 al = SSL_AD_INTERNAL_ERROR;
2079 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
2080 ERR_R_INTERNAL_ERROR);
2081 goto f_err;
2082 }
2083 p += 2;
2084 }
a2f9200f 2085#ifdef SSL_DEBUG
0f113f3e 2086 fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
a2f9200f 2087#endif
0f113f3e
MC		 2088 EVP_SignInit_ex(&md_ctx, md, NULL);
2089 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]),
2090 SSL3_RANDOM_SIZE);
2091 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]),
2092 SSL3_RANDOM_SIZE);
2093 EVP_SignUpdate(&md_ctx, d, n);
2094 if (!EVP_SignFinal(&md_ctx, &(p[2]),
2095 (unsigned int *)&i, pkey)) {
2096 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
2097 goto err;
2098 }
2099 s2n(i, p);
2100 n += i + 2;
2101 if (SSL_USE_SIGALGS(s))
2102 n += 2;
2103 } else {
2104 /* Is this error check actually needed? */
2105 al = SSL_AD_HANDSHAKE_FAILURE;
2106 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
2107 SSL_R_UNKNOWN_PKEY_TYPE);
2108 goto f_err;
2109 }
2110 }
2111
61986d32 2112 if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
77d514c5
MC		 2113 al = SSL_AD_HANDSHAKE_FAILURE;
2114 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2115 goto f_err;
2116 }
0f113f3e
MC		 2117 }
2118
2119 s->state = SSL3_ST_SW_KEY_EXCH_B;
2120 EVP_MD_CTX_cleanup(&md_ctx);
2121 return ssl_do_write(s);
2122 f_err:
2123 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2124 err:
556efe79 2125#ifndef OPENSSL_NO_EC
b548a1f1 2126 OPENSSL_free(encodedPoint);
0f113f3e 2127 BN_CTX_free(bn_ctx);
ea262260 2128#endif
0f113f3e 2129 EVP_MD_CTX_cleanup(&md_ctx);
cf9b0b6f 2130 s->state = SSL_ST_ERR;
0f113f3e
MC		 2131 return (-1);
2132}
d02b48c6 2133
36d16f8e 2134int ssl3_send_certificate_request(SSL *s)
0f113f3e
MC		 2135{
2136 unsigned char *p, *d;
2137 int i, j, nl, off, n;
2138 STACK_OF(X509_NAME) *sk = NULL;
2139 X509_NAME *name;
2140 BUF_MEM *buf;
2141
2142 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
2143 buf = s->init_buf;
2144
2145 d = p = ssl_handshake_start(s);
2146
2147 /* get the list of acceptable cert types */
2148 p++;
2149 n = ssl3_get_req_cert_type(s, p);
2150 d[0] = n;
2151 p += n;
2152 n++;
2153
2154 if (SSL_USE_SIGALGS(s)) {
2155 const unsigned char *psigs;
2156 unsigned char *etmp = p;
2157 nl = tls12_get_psigalgs(s, &psigs);
2158 /* Skip over length for now */
2159 p += 2;
2160 nl = tls12_copy_sigalgs(s, p, psigs, nl);
2161 /* Now fill in length */
2162 s2n(nl, etmp);
2163 p += nl;
2164 n += nl + 2;
2165 }
2166
2167 off = n;
2168 p += 2;
2169 n += 2;
2170
2171 sk = SSL_get_client_CA_list(s);
2172 nl = 0;
2173 if (sk != NULL) {
2174 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2175 name = sk_X509_NAME_value(sk, i);
2176 j = i2d_X509_NAME(name, NULL);
2177 if (!BUF_MEM_grow_clean
2178 (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
2179 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
2180 ERR_R_BUF_LIB);
2181 goto err;
2182 }
2183 p = ssl_handshake_start(s) + n;
3c33c6f6
MC		 2184 s2n(j, p);
2185 i2d_X509_NAME(name, &p);
2186 n += 2 + j;
2187 nl += 2 + j;
0f113f3e
MC		 2188 }
2189 }
2190 /* else no CA names */
2191 p = ssl_handshake_start(s) + off;
2192 s2n(nl, p);
2193
61986d32 2194 if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
77d514c5
MC		 2195 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
2196 return -1;
2197 }
d02b48c6 2198
0f113f3e
MC		 2199 s->state = SSL3_ST_SW_CERT_REQ_B;
2200 }
d02b48c6 2201
0f113f3e
MC		 2202 /* SSL3_ST_SW_CERT_REQ_B */
2203 return ssl_do_write(s);
2204 err:
cf9b0b6f 2205 s->state = SSL_ST_ERR;
0f113f3e
MC		 2206 return (-1);
2207}
d02b48c6 2208
36d16f8e 2209int ssl3_get_client_key_exchange(SSL *s)
0f113f3e 2210{
efcdbcbe
MC		 2211 unsigned int i;
2212 int al, ok;
0f113f3e
MC		 2213 long n;
2214 unsigned long alg_k;
bc36ee62 2215#ifndef OPENSSL_NO_RSA
0f113f3e
MC		 2216 RSA *rsa = NULL;
2217 EVP_PKEY *pkey = NULL;
79df9d62 2218#endif
bc36ee62 2219#ifndef OPENSSL_NO_DH
0f113f3e
MC		 2220 BIGNUM *pub = NULL;
2221 DH *dh_srvr, *dh_clnt = NULL;
58964a49 2222#endif
556efe79 2223#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2224 EC_KEY *srvr_ecdh = NULL;
2225 EVP_PKEY *clnt_pub_pkey = NULL;
2226 EC_POINT *clnt_ecpoint = NULL;
2227 BN_CTX *bn_ctx = NULL;
ea262260 2228#endif
20ca916d
EK		 2229 PACKET pkt, enc_premaster;
2230 unsigned char *data, *rsa_decrypt = NULL;
ea262260 2231
0f113f3e
MC		 2232 n = s->method->ssl_get_message(s,
2233 SSL3_ST_SR_KEY_EXCH_A,
2234 SSL3_ST_SR_KEY_EXCH_B,
2235 SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok);
d02b48c6 2236
0f113f3e
MC		 2237 if (!ok)
2238 return ((int)n);
efcdbcbe
MC		 2239 if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
2240 al = SSL_AD_INTERNAL_ERROR;
2241 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2242 goto f_err;
2243 }
d02b48c6 2244
0f113f3e 2245 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
d02b48c6 2246
85269210
DSH		 2247#ifndef OPENSSL_NO_PSK
2248 /* For PSK parse and retrieve identity, obtain PSK key */
2249 if (alg_k & SSL_PSK) {
2250 unsigned char psk[PSK_MAX_PSK_LEN];
2251 size_t psklen;
6d41fc80 2252 PACKET psk_identity;
efcdbcbe 2253
6d41fc80 2254 if (!PACKET_get_length_prefixed_2(&pkt, &psk_identity)) {
85269210
DSH		 2255 al = SSL_AD_DECODE_ERROR;
2256 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2257 goto f_err;
2258 }
6d41fc80 2259 if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
85269210
DSH		 2260 al = SSL_AD_DECODE_ERROR;
2261 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2262 SSL_R_DATA_LENGTH_TOO_LONG);
2263 goto f_err;
2264 }
2265 if (s->psk_server_callback == NULL) {
2266 al = SSL_AD_INTERNAL_ERROR;
2267 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2268 SSL_R_PSK_NO_SERVER_CB);
2269 goto f_err;
2270 }
2271
6d41fc80 2272 if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
cdde7b49 2273 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
85269210 2274 al = SSL_AD_INTERNAL_ERROR;
efcdbcbe
MC		 2275 goto f_err;
2276 }
85269210
DSH		 2277
2278 psklen = s->psk_server_callback(s, s->session->psk_identity,
2279 psk, sizeof(psk));
2280
2281 if (psklen > PSK_MAX_PSK_LEN) {
2282 al = SSL_AD_INTERNAL_ERROR;
2283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2284 goto f_err;
2285 } else if (psklen == 0) {
2286 /*
2287 * PSK related to the given identity not found
2288 */
2289 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2290 SSL_R_PSK_IDENTITY_NOT_FOUND);
2291 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2292 goto f_err;
2293 }
2294
2295 OPENSSL_free(s->s3->tmp.psk);
2296 s->s3->tmp.psk = BUF_memdup(psk, psklen);
2297 OPENSSL_cleanse(psk, psklen);
2298
2299 if (s->s3->tmp.psk == NULL) {
2300 al = SSL_AD_INTERNAL_ERROR;
2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2302 goto f_err;
2303 }
2304
2305 s->s3->tmp.psklen = psklen;
85269210
DSH		 2306 }
2307 if (alg_k & SSL_kPSK) {
2308 /* Identity extracted earlier: should be nothing left */
efcdbcbe 2309 if (PACKET_remaining(&pkt) != 0) {
85269210
DSH		 2310 al = SSL_AD_HANDSHAKE_FAILURE;
2311 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2312 goto f_err;
2313 }
2314 /* PSK handled by ssl_generate_master_secret */
2315 if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
2316 al = SSL_AD_INTERNAL_ERROR;
2317 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2318 goto f_err;
2319 }
2320 } else
2321#endif
bc36ee62 2322#ifndef OPENSSL_NO_RSA
85269210 2323 if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
0f113f3e
MC		 2324 unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
2325 int decrypt_len;
2326 unsigned char decrypt_good, version_good;
2327 size_t j;
2328
2329 /* FIX THIS UP EAY EAY EAY EAY */
2330 if (s->s3->tmp.use_rsa_tmp) {
2331 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
2332 rsa = s->cert->rsa_tmp;
2333 /*
2334 * Don't do a callback because rsa_tmp should be sent already
2335 */
2336 if (rsa == NULL) {
2337 al = SSL_AD_HANDSHAKE_FAILURE;
2338 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2339 SSL_R_MISSING_TMP_RSA_PKEY);
2340 goto f_err;
2341
2342 }
2343 } else {
2344 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
2345 if ((pkey == NULL) ||
2346 (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
2347 al = SSL_AD_HANDSHAKE_FAILURE;
2348 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2349 SSL_R_MISSING_RSA_CERTIFICATE);
2350 goto f_err;
2351 }
2352 rsa = pkey->pkey.rsa;
2353 }
2354
20ca916d
EK		 2355 /* SSLv3 and pre-standard DTLS omit the length bytes. */
2356 if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
2357 enc_premaster = pkt;
2358 } else {
2359 PACKET orig = pkt;
2360 if (!PACKET_get_length_prefixed_2(&pkt, &enc_premaster)
2361 || PACKET_remaining(&pkt) != 0) {
2362 /* Try SSLv3 behaviour for TLS. */
2363 if (s->options & SSL_OP_TLS_D5_BUG) {
2364 enc_premaster = orig;
2365 } else {
0f113f3e 2366 al = SSL_AD_DECODE_ERROR;
20ca916d 2367 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
0f113f3e 2368 goto f_err;
efcdbcbe
MC		 2369 }
2370 }
0f113f3e
MC		 2371 }
2372
2373 /*
20ca916d
EK		 2374 * We want to be sure that the plaintext buffer size makes it safe to
2375 * iterate over the entire size of a premaster secret
2376 * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
2377 * their ciphertext cannot accommodate a premaster secret anyway.
0f113f3e 2378 */
20ca916d
EK		 2379 if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
2380 al = SSL_AD_INTERNAL_ERROR;
0f113f3e 2381 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
20ca916d 2382 RSA_R_KEY_SIZE_TOO_SMALL);
0f113f3e
MC		 2383 goto f_err;
2384 }
2385
20ca916d
EK		 2386 rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
2387 if (rsa_decrypt == NULL) {
efcdbcbe 2388 al = SSL_AD_INTERNAL_ERROR;
20ca916d 2389 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
efcdbcbe
MC		 2390 goto f_err;
2391 }
20ca916d 2392
0f113f3e
MC		 2393 /*
2394 * We must not leak whether a decryption failure occurs because of
2395 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
2396 * section 7.4.7.1). The code follows that advice of the TLS RFC and
2397 * generates a random premaster secret for the case that the decrypt
2398 * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
2399 */
2400
266483d2 2401 if (RAND_bytes(rand_premaster_secret,
20ca916d 2402 sizeof(rand_premaster_secret)) <= 0) {
0f113f3e 2403 goto err;
20ca916d
EK		 2404 }
2405
2406 decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
2407 PACKET_data(&enc_premaster),
2408 rsa_decrypt, rsa, RSA_PKCS1_PADDING);
0f113f3e
MC		 2409 ERR_clear_error();
2410
2411 /*
2412 * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
2413 * be 0xff if so and zero otherwise.
2414 */
2415 decrypt_good =
2416 constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
2417
2418 /*
2419 * If the version in the decrypted pre-master secret is correct then
2420 * version_good will be 0xff, otherwise it'll be zero. The
2421 * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
2422 * (http://eprint.iacr.org/2003/052/) exploits the version number
2423 * check as a "bad version oracle". Thus version checks are done in
2424 * constant time and are treated like any other decryption error.
2425 */
2426 version_good =
20ca916d
EK		 2427 constant_time_eq_8(rsa_decrypt[0],
2428 (unsigned)(s->client_version >> 8));
0f113f3e 2429 version_good &=
20ca916d
EK		 2430 constant_time_eq_8(rsa_decrypt[1],
2431 (unsigned)(s->client_version & 0xff));
0f113f3e
MC		 2432
2433 /*
2434 * The premaster secret must contain the same version number as the
2435 * ClientHello to detect version rollback attacks (strangely, the
2436 * protocol does not offer such protection for DH ciphersuites).
2437 * However, buggy clients exist that send the negotiated protocol
2438 * version instead if the server does not support the requested
2439 * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2440 * clients.
2441 */
2442 if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
2443 unsigned char workaround_good;
2444 workaround_good =
20ca916d 2445 constant_time_eq_8(rsa_decrypt[0], (unsigned)(s->version >> 8));
0f113f3e 2446 workaround_good &=
20ca916d
EK		 2447 constant_time_eq_8(rsa_decrypt[1],
2448 (unsigned)(s->version & 0xff));
0f113f3e
MC		 2449 version_good |= workaround_good;
2450 }
2451
2452 /*
2453 * Both decryption and version must be good for decrypt_good to
2454 * remain non-zero (0xff).
2455 */
2456 decrypt_good &= version_good;
2457
2458 /*
2459 * Now copy rand_premaster_secret over from p using
2460 * decrypt_good_mask. If decryption failed, then p does not
2461 * contain valid plaintext, however, a check above guarantees
2462 * it is still sufficiently large to read from.
2463 */
2464 for (j = 0; j < sizeof(rand_premaster_secret); j++) {
20ca916d
EK		 2465 rsa_decrypt[j] =
2466 constant_time_select_8(decrypt_good, rsa_decrypt[j],
2467 rand_premaster_secret[j]);
0f113f3e
MC		 2468 }
2469
20ca916d
EK		 2470 if (!ssl_generate_master_secret(s, rsa_decrypt,
2471 sizeof(rand_premaster_secret), 0)) {
69f68237
MC		 2472 al = SSL_AD_INTERNAL_ERROR;
2473 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2474 goto f_err;
2475 }
20ca916d
EK		 2476 OPENSSL_free(rsa_decrypt);
2477 rsa_decrypt = NULL;
0f113f3e 2478 } else
4c5fac4a 2479#endif
bc36ee62 2480#ifndef OPENSSL_NO_DH
85269210 2481 if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd | SSL_kDHEPSK)) {
0f113f3e
MC		 2482 int idx = -1;
2483 EVP_PKEY *skey = NULL;
4bd16463 2484 PACKET bookmark = pkt;
efcdbcbe
MC		 2485 unsigned char shared[(OPENSSL_DH_MAX_MODULUS_BITS + 7) / 8];
2486
efcdbcbe 2487 if (!PACKET_get_net_2(&pkt, &i)) {
85269210 2488 if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
d3cc5e61
MC		 2489 al = SSL_AD_HANDSHAKE_FAILURE;
2490 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2491 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2492 goto f_err;
2493 }
0f113f3e 2494 i = 0;
d3cc5e61 2495 }
efcdbcbe 2496 if (PACKET_remaining(&pkt) != i) {
0f113f3e
MC		 2497 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
2498 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2499 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2500 goto err;
2501 } else {
4bd16463 2502 pkt = bookmark;
efcdbcbe 2503 i = PACKET_remaining(&pkt);
0f113f3e
MC		 2504 }
2505 }
2506 if (alg_k & SSL_kDHr)
2507 idx = SSL_PKEY_DH_RSA;
2508 else if (alg_k & SSL_kDHd)
2509 idx = SSL_PKEY_DH_DSA;
2510 if (idx >= 0) {
2511 skey = s->cert->pkeys[idx].privatekey;
2512 if ((skey == NULL) ||
2513 (skey->type != EVP_PKEY_DH) || (skey->pkey.dh == NULL)) {
2514 al = SSL_AD_HANDSHAKE_FAILURE;
2515 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2516 SSL_R_MISSING_RSA_CERTIFICATE);
2517 goto f_err;
2518 }
2519 dh_srvr = skey->pkey.dh;
2520 } else if (s->s3->tmp.dh == NULL) {
2521 al = SSL_AD_HANDSHAKE_FAILURE;
2522 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2523 SSL_R_MISSING_TMP_DH_KEY);
2524 goto f_err;
2525 } else
2526 dh_srvr = s->s3->tmp.dh;
2527
2528 if (n == 0L) {
2529 /* Get pubkey from cert */
2530 EVP_PKEY *clkey = X509_get_pubkey(s->session->peer);
2531 if (clkey) {
2532 if (EVP_PKEY_cmp_parameters(clkey, skey) == 1)
2533 dh_clnt = EVP_PKEY_get1_DH(clkey);
2534 }
2535 if (dh_clnt == NULL) {
2536 al = SSL_AD_HANDSHAKE_FAILURE;
2537 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2538 SSL_R_MISSING_TMP_DH_KEY);
2539 goto f_err;
2540 }
2541 EVP_PKEY_free(clkey);
2542 pub = dh_clnt->pub_key;
efcdbcbe
MC		 2543 } else {
2544 if (!PACKET_get_bytes(&pkt, &data, i)) {
2545 /* We already checked we have enough data */
2546 al = SSL_AD_INTERNAL_ERROR;
2547 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2548 ERR_R_INTERNAL_ERROR);
2549 goto f_err;
2550 }
2551 pub = BN_bin2bn(data, i, NULL);
2552 }
0f113f3e
MC		 2553 if (pub == NULL) {
2554 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2555 goto err;
2556 }
2557
efcdbcbe 2558 i = DH_compute_key(shared, pub, dh_srvr);
0f113f3e
MC		 2559
2560 if (i <= 0) {
2561 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2562 BN_clear_free(pub);
2563 goto err;
2564 }
2565
2566 DH_free(s->s3->tmp.dh);
2567 s->s3->tmp.dh = NULL;
2568 if (dh_clnt)
2569 DH_free(dh_clnt);
2570 else
2571 BN_clear_free(pub);
2572 pub = NULL;
efcdbcbe 2573 if (!ssl_generate_master_secret(s, shared, i, 0)) {
69f68237
MC		 2574 al = SSL_AD_INTERNAL_ERROR;
2575 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2576 goto f_err;
2577 }
0f113f3e
MC		 2578 if (dh_clnt)
2579 return 2;
2580 } else
d02b48c6 2581#endif
ea262260 2582
556efe79 2583#ifndef OPENSSL_NO_EC
85269210 2584 if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) {
0f113f3e
MC		 2585 int ret = 1;
2586 int field_size = 0;
2587 const EC_KEY *tkey;
2588 const EC_GROUP *group;
2589 const BIGNUM *priv_key;
efcdbcbe 2590 unsigned char *shared;
0f113f3e
MC		 2591
2592 /* initialize structures for server's ECDH key pair */
2593 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
2594 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2595 goto err;
2596 }
2597
2598 /* Let's get server private key and group information */
2599 if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
2600 /* use the certificate */
2601 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2602 } else {
2603 /*
2604 * use the ephermeral values we saved when generating the
2605 * ServerKeyExchange msg.
2606 */
2607 tkey = s->s3->tmp.ecdh;
2608 }
2609
2610 group = EC_KEY_get0_group(tkey);
2611 priv_key = EC_KEY_get0_private_key(tkey);
2612
2613 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2614 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
2615 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2616 goto err;
2617 }
2618
2619 /* Let's get client's public key */
2620 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
2621 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2622 goto err;
2623 }
2624
2625 if (n == 0L) {
2626 /* Client Publickey was in Client Certificate */
2627
85269210 2628 if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
0f113f3e
MC		 2629 al = SSL_AD_HANDSHAKE_FAILURE;
2630 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2631 SSL_R_MISSING_TMP_ECDH_KEY);
2632 goto f_err;
2633 }
2634 if (((clnt_pub_pkey = X509_get_pubkey(s->session->peer))
2635 == NULL) || (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2636 /*
2637 * XXX: For now, we do not support client authentication
2638 * using ECDH certificates so this branch (n == 0L) of the
2639 * code is never executed. When that support is added, we
2640 * ought to ensure the key received in the certificate is
2641 * authorized for key agreement. ECDH_compute_key implicitly
2642 * checks that the two ECDH shares are for the same group.
2643 */
2644 al = SSL_AD_HANDSHAKE_FAILURE;
2645 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2646 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2647 goto f_err;
2648 }
2649
2650 if (EC_POINT_copy(clnt_ecpoint,
2651 EC_KEY_get0_public_key(clnt_pub_pkey->
2652 pkey.ec)) == 0) {
2653 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2654 goto err;
2655 }
2656 ret = 2; /* Skip certificate verify processing */
2657 } else {
2658 /*
2659 * Get client's public key from encoded point in the
2660 * ClientKeyExchange message.
2661 */
2662 if ((bn_ctx = BN_CTX_new()) == NULL) {
2663 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2664 ERR_R_MALLOC_FAILURE);
2665 goto err;
2666 }
2667
2668 /* Get encoded point length */
efcdbcbe
MC		 2669 if (!PACKET_get_1(&pkt, &i)) {
2670 al = SSL_AD_DECODE_ERROR;
2671 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2672 SSL_R_LENGTH_MISMATCH);
2673 goto f_err;
2674 }
2675 if (!PACKET_get_bytes(&pkt, &data, i)
2676 || PACKET_remaining(&pkt) != 0) {
0f113f3e
MC		 2677 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2678 goto err;
2679 }
efcdbcbe 2680 if (EC_POINT_oct2point(group, clnt_ecpoint, data, i, bn_ctx) == 0) {
0f113f3e
MC		 2681 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2682 goto err;
2683 }
0f113f3e
MC		 2684 }
2685
2686 /* Compute the shared pre-master secret */
2687 field_size = EC_GROUP_get_degree(group);
2688 if (field_size <= 0) {
2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2690 goto err;
2691 }
efcdbcbe
MC		 2692 shared = OPENSSL_malloc((field_size + 7) / 8);
2693 if (shared == NULL) {
2694 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2695 goto err;
2696 }
2697 i = ECDH_compute_key(shared, (field_size + 7) / 8, clnt_ecpoint,
2698 srvr_ecdh, NULL);
0f113f3e
MC		 2699 if (i <= 0) {
2700 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
efcdbcbe 2701 OPENSSL_free(shared);
0f113f3e
MC		 2702 goto err;
2703 }
2704
2705 EVP_PKEY_free(clnt_pub_pkey);
2706 EC_POINT_free(clnt_ecpoint);
2707 EC_KEY_free(srvr_ecdh);
2708 BN_CTX_free(bn_ctx);
2709 EC_KEY_free(s->s3->tmp.ecdh);
2710 s->s3->tmp.ecdh = NULL;
2711
efcdbcbe 2712 if (!ssl_generate_master_secret(s, shared, i, 1)) {
69f68237
MC		 2713 al = SSL_AD_INTERNAL_ERROR;
2714 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2715 goto f_err;
2716 }
0f113f3e
MC		 2717 return (ret);
2718 } else
ddac1974 2719#endif
edc032b5 2720#ifndef OPENSSL_NO_SRP
0f113f3e 2721 if (alg_k & SSL_kSRP) {
efcdbcbe
MC		 2722 if (!PACKET_get_net_2(&pkt, &i)
2723 || !PACKET_get_bytes(&pkt, &data, i)) {
0f113f3e 2724 al = SSL_AD_DECODE_ERROR;
efcdbcbe 2725 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
0f113f3e
MC		 2726 goto f_err;
2727 }
efcdbcbe 2728 if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
0f113f3e
MC		 2729 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2730 goto err;
2731 }
2732 if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
2733 || BN_is_zero(s->srp_ctx.A)) {
2734 al = SSL_AD_ILLEGAL_PARAMETER;
2735 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2736 SSL_R_BAD_SRP_PARAMETERS);
2737 goto f_err;
2738 }
b548a1f1 2739 OPENSSL_free(s->session->srp_username);
0f113f3e
MC		 2740 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2741 if (s->session->srp_username == NULL) {
2742 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2743 goto err;
2744 }
2745
57b272b0 2746 if (!srp_generate_server_master_secret(s)) {
0f113f3e
MC		 2747 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2748 goto err;
2749 }
0f113f3e
MC		 2750 } else
2751#endif /* OPENSSL_NO_SRP */
2752 if (alg_k & SSL_kGOST) {
2753 int ret = 0;
2754 EVP_PKEY_CTX *pkey_ctx;
2755 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2756 unsigned char premaster_secret[32], *start;
2757 size_t outlen = 32, inlen;
2758 unsigned long alg_a;
2759 int Ttag, Tclass;
2760 long Tlen;
2761
2762 /* Get our certificate private key */
2763 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
ade44dcb 2764 if (alg_a & SSL_aGOST01)
0f113f3e
MC		 2765 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2766
2767 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2768 EVP_PKEY_decrypt_init(pkey_ctx);
2769 /*
2770 * If client certificate is present and is of the same type, maybe
2771 * use it for key exchange. Don't mind errors from
2772 * EVP_PKEY_derive_set_peer, because it is completely valid to use a
2773 * client certificate for authorization only.
2774 */
2775 client_pub_pkey = X509_get_pubkey(s->session->peer);
2776 if (client_pub_pkey) {
2777 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2778 ERR_clear_error();
2779 }
2780 /* Decrypt session key */
efcdbcbe
MC		 2781 if (!PACKET_get_bytes(&pkt, &data, n)) {
2782 al = SSL_AD_INTERNAL_ERROR;
2783 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2784 goto f_err;
2785 }
0f113f3e 2786 if (ASN1_get_object
efcdbcbe 2787 ((const unsigned char **)&data, &Tlen, &Ttag, &Tclass,
0f113f3e
MC		 2788 n) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE
2789 || Tclass != V_ASN1_UNIVERSAL) {
2790 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2791 SSL_R_DECRYPTION_FAILED);
2792 goto gerr;
2793 }
efcdbcbe 2794 start = data;
0f113f3e
MC		 2795 inlen = Tlen;
2796 if (EVP_PKEY_decrypt
2797 (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
2798 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2799 SSL_R_DECRYPTION_FAILED);
2800 goto gerr;
2801 }
2802 /* Generate master secret */
57b272b0
DSH		 2803 if (!ssl_generate_master_secret(s, premaster_secret,
2804 sizeof(premaster_secret), 0)) {
69f68237
MC		 2805 al = SSL_AD_INTERNAL_ERROR;
2806 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2807 goto f_err;
2808 }
0f113f3e
MC		 2809 /* Check if pubkey from client certificate was used */
2810 if (EVP_PKEY_CTX_ctrl
2811 (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2812 ret = 2;
2813 else
2814 ret = 1;
2815 gerr:
2816 EVP_PKEY_free(client_pub_pkey);
2817 EVP_PKEY_CTX_free(pkey_ctx);
2818 if (ret)
2819 return ret;
c5ba2d99 2820 goto err;
0f113f3e
MC		 2821 } else {
2822 al = SSL_AD_HANDSHAKE_FAILURE;
2823 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
2824 goto f_err;
2825 }
2826
2827 return (1);
2828 f_err:
2829 ssl3_send_alert(s, SSL3_AL_FATAL, al);
556efe79 2830#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
0f113f3e 2831 err:
ea262260 2832#endif
556efe79 2833#ifndef OPENSSL_NO_EC
0f113f3e
MC		 2834 EVP_PKEY_free(clnt_pub_pkey);
2835 EC_POINT_free(clnt_ecpoint);
8fdc3734 2836 EC_KEY_free(srvr_ecdh);
0f113f3e 2837 BN_CTX_free(bn_ctx);
20ca916d 2838 OPENSSL_free(rsa_decrypt);
85269210
DSH		 2839#endif
2840#ifndef OPENSSL_NO_PSK
2841 OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
2842 s->s3->tmp.psk = NULL;
58964a49 2843#endif
cf9b0b6f 2844 s->state = SSL_ST_ERR;
0f113f3e
MC		 2845 return (-1);
2846}
d02b48c6 2847
36d16f8e 2848int ssl3_get_cert_verify(SSL *s)
0f113f3e
MC		 2849{
2850 EVP_PKEY *pkey = NULL;
f532a35d 2851 unsigned char *sig, *data;
0f113f3e
MC		 2852 int al, ok, ret = 0;
2853 long n;
2854 int type = 0, i, j;
f532a35d 2855 unsigned int len;
0f113f3e
MC		 2856 X509 *peer;
2857 const EVP_MD *md = NULL;
2858 EVP_MD_CTX mctx;
f532a35d 2859 PACKET pkt;
0f113f3e
MC		 2860 EVP_MD_CTX_init(&mctx);
2861
a0bd6493
MC		 2862 /*
2863 * We should only process a CertificateVerify message if we have received
2864 * a Certificate from the client. If so then |s->session->peer| will be non
2865 * NULL. In some instances a CertificateVerify message is not required even
2866 * if the peer has sent a Certificate (e.g. such as in the case of static
2867 * DH). In that case the ClientKeyExchange processing will skip the
2868 * CertificateVerify state so we should not arrive here.
2869 */
2870 if (s->session->peer == NULL) {
2871 ret = 1;
2872 goto end;
2873 }
2874
0f113f3e
MC		 2875 n = s->method->ssl_get_message(s,
2876 SSL3_ST_SR_CERT_VRFY_A,
2877 SSL3_ST_SR_CERT_VRFY_B,
a0bd6493
MC		 2878 SSL3_MT_CERTIFICATE_VERIFY,
2879 SSL3_RT_MAX_PLAIN_LENGTH, &ok);
0f113f3e
MC		 2880
2881 if (!ok)
2882 return ((int)n);
2883
a0bd6493
MC		 2884 peer = s->session->peer;
2885 pkey = X509_get_pubkey(peer);
2886 type = X509_certificate_type(peer, pkey);
0f113f3e
MC		 2887
2888 if (!(type & EVP_PKT_SIGN)) {
2889 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2890 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2891 al = SSL_AD_ILLEGAL_PARAMETER;
2892 goto f_err;
2893 }
2894
0f113f3e 2895 /* we now have a signature that we need to verify */
f532a35d
MC		 2896 if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
2897 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
2898 al = SSL_AD_INTERNAL_ERROR;
2899 goto f_err;
2900 }
0f113f3e
MC		 2901 /* Check for broken implementations of GOST ciphersuites */
2902 /*
2903 * If key is GOST and n is exactly 64, it is bare signature without
2904 * length field
2905 */
ade44dcb 2906 if (n == 64 && pkey->type == NID_id_GostR3410_2001) {
f532a35d 2907 len = 64;
0f113f3e
MC		 2908 } else {
2909 if (SSL_USE_SIGALGS(s)) {
f532a35d
MC		 2910 int rv;
2911
2912 if (!PACKET_get_bytes(&pkt, &sig, 2)) {
2913 al = SSL_AD_DECODE_ERROR;
2914 goto f_err;
2915 }
2916 rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
0f113f3e
MC		 2917 if (rv == -1) {
2918 al = SSL_AD_INTERNAL_ERROR;
2919 goto f_err;
2920 } else if (rv == 0) {
2921 al = SSL_AD_DECODE_ERROR;
2922 goto f_err;
2923 }
f37f20ff 2924#ifdef SSL_DEBUG
0f113f3e 2925 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
f37f20ff 2926#endif
0f113f3e 2927 }
f532a35d 2928 if (!PACKET_get_net_2(&pkt, &len)) {
0f113f3e
MC		 2929 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2930 al = SSL_AD_DECODE_ERROR;
2931 goto f_err;
2932 }
2933 }
2934 j = EVP_PKEY_size(pkey);
f532a35d 2935 if (((int)len > j) || ((int)PACKET_remaining(&pkt) > j) || (n <= 0)) {
0f113f3e
MC		 2936 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2937 al = SSL_AD_DECODE_ERROR;
2938 goto f_err;
2939 }
f532a35d
MC		 2940 if (!PACKET_get_bytes(&pkt, &data, len)) {
2941 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2942 al = SSL_AD_DECODE_ERROR;
2943 goto f_err;
2944 }
0f113f3e
MC		 2945
2946 if (SSL_USE_SIGALGS(s)) {
2947 long hdatalen = 0;
2948 void *hdata;
2949 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2950 if (hdatalen <= 0) {
2951 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
2952 al = SSL_AD_INTERNAL_ERROR;
2953 goto f_err;
2954 }
f37f20ff 2955#ifdef SSL_DEBUG
0f113f3e
MC		 2956 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
2957 EVP_MD_name(md));
f37f20ff 2958#endif
0f113f3e
MC		 2959 if (!EVP_VerifyInit_ex(&mctx, md, NULL)
2960 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
2961 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
2962 al = SSL_AD_INTERNAL_ERROR;
2963 goto f_err;
2964 }
2965
f532a35d 2966 if (EVP_VerifyFinal(&mctx, data, len, pkey) <= 0) {
0f113f3e
MC		 2967 al = SSL_AD_DECRYPT_ERROR;
2968 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
2969 goto f_err;
2970 }
2971 } else
2972#ifndef OPENSSL_NO_RSA
2973 if (pkey->type == EVP_PKEY_RSA) {
2974 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
f532a35d 2975 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, data, len,
0f113f3e
MC		 2976 pkey->pkey.rsa);
2977 if (i < 0) {
2978 al = SSL_AD_DECRYPT_ERROR;
2979 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
2980 goto f_err;
2981 }
2982 if (i == 0) {
2983 al = SSL_AD_DECRYPT_ERROR;
2984 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
2985 goto f_err;
2986 }
2987 } else
d02b48c6 2988#endif
bc36ee62 2989#ifndef OPENSSL_NO_DSA
0f113f3e
MC		 2990 if (pkey->type == EVP_PKEY_DSA) {
2991 j = DSA_verify(pkey->save_type,
2992 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
f532a35d 2993 SHA_DIGEST_LENGTH, data, len, pkey->pkey.dsa);
0f113f3e
MC		 2994 if (j <= 0) {
2995 /* bad signature */
2996 al = SSL_AD_DECRYPT_ERROR;
2997 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
2998 goto f_err;
2999 }
3000 } else
ea262260 3001#endif
10bf4fc2 3002#ifndef OPENSSL_NO_EC
0f113f3e
MC		 3003 if (pkey->type == EVP_PKEY_EC) {
3004 j = ECDSA_verify(pkey->save_type,
3005 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
f532a35d 3006 SHA_DIGEST_LENGTH, data, len, pkey->pkey.ec);
0f113f3e
MC		 3007 if (j <= 0) {
3008 /* bad signature */
3009 al = SSL_AD_DECRYPT_ERROR;
3010 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
3011 goto f_err;
3012 }
3013 } else
d02b48c6 3014#endif
ade44dcb 3015 if (pkey->type == NID_id_GostR3410_2001) {
0f113f3e
MC		 3016 unsigned char signature[64];
3017 int idx;
3018 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
3019 EVP_PKEY_verify_init(pctx);
f532a35d
MC		 3020 if (len != 64) {
3021 fprintf(stderr, "GOST signature length is %d", len);
0f113f3e
MC		 3022 }
3023 for (idx = 0; idx < 64; idx++) {
f532a35d 3024 signature[63 - idx] = data[idx];
0f113f3e
MC		 3025 }
3026 j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md,
3027 32);
3028 EVP_PKEY_CTX_free(pctx);
3029 if (j <= 0) {
3030 al = SSL_AD_DECRYPT_ERROR;
3031 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
3032 goto f_err;
3033 }
3034 } else {
3035 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3036 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
3037 goto f_err;
3038 }
3039
3040 ret = 1;
3041 if (0) {
3042 f_err:
3043 ssl3_send_alert(s, SSL3_AL_FATAL, al);
cf9b0b6f 3044 s->state = SSL_ST_ERR;
0f113f3e
MC		 3045 }
3046 end:
25aaa98a
RS		 3047 BIO_free(s->s3->handshake_buffer);
3048 s->s3->handshake_buffer = NULL;
0f113f3e
MC		 3049 EVP_MD_CTX_cleanup(&mctx);
3050 EVP_PKEY_free(pkey);
3051 return (ret);
3052}
d02b48c6 3053
36d16f8e 3054int ssl3_get_client_certificate(SSL *s)
0f113f3e
MC		 3055{
3056 int i, ok, al, ret = -1;
3057 X509 *x = NULL;
0bc09ecd
MC		 3058 unsigned long l, llen, n;
3059 const unsigned char *certstart;
3060 unsigned char *certbytes;
0f113f3e 3061 STACK_OF(X509) *sk = NULL;
0bc09ecd 3062 PACKET pkt, spkt;
0f113f3e
MC		 3063
3064 n = s->method->ssl_get_message(s,
3065 SSL3_ST_SR_CERT_A,
3066 SSL3_ST_SR_CERT_B,
3067 -1, s->max_cert_list, &ok);
3068
3069 if (!ok)
3070 return ((int)n);
3071
3072 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
3073 if ((s->verify_mode & SSL_VERIFY_PEER) &&
3074 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3075 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3076 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3077 al = SSL_AD_HANDSHAKE_FAILURE;
3078 goto f_err;
3079 }
3080 /*
3081 * If tls asked for a client cert, the client must return a 0 list
3082 */
3083 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
3084 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3085 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
3086 al = SSL_AD_UNEXPECTED_MESSAGE;
3087 goto f_err;
3088 }
3089 s->s3->tmp.reuse_message = 1;
3090 return (1);
3091 }
3092
3093 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
3094 al = SSL_AD_UNEXPECTED_MESSAGE;
3095 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
3096 goto f_err;
3097 }
0bc09ecd
MC		 3098
3099 if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
3100 al = SSL_AD_INTERNAL_ERROR;
3101 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3102 goto f_err;
3103 }
0f113f3e
MC		 3104
3105 if ((sk = sk_X509_new_null()) == NULL) {
3106 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
66696478 3107 goto done;
0f113f3e
MC		 3108 }
3109
0bc09ecd
MC		 3110 if (!PACKET_get_net_3(&pkt, &llen)
3111 || !PACKET_get_sub_packet(&pkt, &spkt, llen)
3112 || PACKET_remaining(&pkt) != 0) {
0f113f3e
MC		 3113 al = SSL_AD_DECODE_ERROR;
3114 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3115 goto f_err;
3116 }
0bc09ecd
MC		 3117
3118 while (PACKET_remaining(&spkt) > 0) {
3119 if (!PACKET_get_net_3(&spkt, &l)
3120 || !PACKET_get_bytes(&spkt, &certbytes, l)) {
0f113f3e
MC		 3121 al = SSL_AD_DECODE_ERROR;
3122 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3123 SSL_R_CERT_LENGTH_MISMATCH);
3124 goto f_err;
3125 }
3126
0bc09ecd
MC		 3127 certstart = certbytes;
3128 x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
0f113f3e
MC		 3129 if (x == NULL) {
3130 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
66696478 3131 goto done;
0f113f3e 3132 }
0bc09ecd 3133 if (certbytes != (certstart + l)) {
0f113f3e
MC		 3134 al = SSL_AD_DECODE_ERROR;
3135 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3136 SSL_R_CERT_LENGTH_MISMATCH);
3137 goto f_err;
3138 }
3139 if (!sk_X509_push(sk, x)) {
3140 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
66696478 3141 goto done;
0f113f3e
MC		 3142 }
3143 x = NULL;
0f113f3e
MC		 3144 }
3145
3146 if (sk_X509_num(sk) <= 0) {
3147 /* TLS does not mind 0 certs returned */
3148 if (s->version == SSL3_VERSION) {
3149 al = SSL_AD_HANDSHAKE_FAILURE;
3150 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3151 SSL_R_NO_CERTIFICATES_RETURNED);
3152 goto f_err;
3153 }
3154 /* Fail for TLS only if we required a certificate */
3155 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
3156 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3157 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3158 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3159 al = SSL_AD_HANDSHAKE_FAILURE;
3160 goto f_err;
3161 }
3162 /* No client certificate so digest cached records */
124037fd 3163 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
0f113f3e
MC		 3164 al = SSL_AD_INTERNAL_ERROR;
3165 goto f_err;
3166 }
3167 } else {
3168 EVP_PKEY *pkey;
3169 i = ssl_verify_cert_chain(s, sk);
3170 if (i <= 0) {
3171 al = ssl_verify_alarm_type(s->verify_result);
3172 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3173 SSL_R_CERTIFICATE_VERIFY_FAILED);
3174 goto f_err;
3175 }
3176 if (i > 1) {
3177 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, i);
3178 al = SSL_AD_HANDSHAKE_FAILURE;
3179 goto f_err;
3180 }
3181 pkey = X509_get_pubkey(sk_X509_value(sk, 0));
3182 if (pkey == NULL) {
3183 al = SSL3_AD_HANDSHAKE_FAILURE;
3184 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3185 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
3186 goto f_err;
3187 }
3188 EVP_PKEY_free(pkey);
3189 }
3190
222561fe 3191 X509_free(s->session->peer);
0f113f3e
MC		 3192 s->session->peer = sk_X509_shift(sk);
3193 s->session->verify_result = s->verify_result;
3194
c34b0f99
DSH		 3195 sk_X509_pop_free(s->session->peer_chain, X509_free);
3196 s->session->peer_chain = sk;
0f113f3e
MC		 3197 /*
3198 * Inconsistency alert: cert_chain does *not* include the peer's own
3199 * certificate, while we do include it in s3_clnt.c
3200 */
0f113f3e 3201 sk = NULL;
0f113f3e 3202 ret = 1;
66696478
RS		 3203 goto done;
3204
0f113f3e 3205 f_err:
66696478
RS		 3206 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3207 done:
cf9b0b6f 3208 s->state = SSL_ST_ERR;
222561fe
RS		 3209 X509_free(x);
3210 sk_X509_pop_free(sk, X509_free);
0f113f3e
MC		 3211 return (ret);
3212}
d02b48c6 3213
6b691a5c 3214int ssl3_send_server_certificate(SSL *s)
0f113f3e
MC		 3215{
3216 CERT_PKEY *cpk;
3217
3218 if (s->state == SSL3_ST_SW_CERT_A) {
3219 cpk = ssl_get_server_send_pkey(s);
3220 if (cpk == NULL) {
55a9a16f
MC		 3221 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3222 s->state = SSL_ST_ERR;
3223 return (0);
0f113f3e
MC		 3224 }
3225
3226 if (!ssl3_output_cert_chain(s, cpk)) {
3227 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
cf9b0b6f 3228 s->state = SSL_ST_ERR;
0f113f3e
MC		 3229 return (0);
3230 }
3231 s->state = SSL3_ST_SW_CERT_B;
3232 }
3233
3234 /* SSL3_ST_SW_CERT_B */
3235 return ssl_do_write(s);
3236}
c519e89f 3237
c519e89f 3238/* send a new session ticket (not necessarily for a new session) */
6434abbf 3239int ssl3_send_newsession_ticket(SSL *s)
0f113f3e 3240{
687eaf27
MC		 3241 unsigned char *senc = NULL;
3242 EVP_CIPHER_CTX ctx;
3243 HMAC_CTX hctx;
3244
0f113f3e 3245 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
687eaf27 3246 unsigned char *p, *macstart;
0f113f3e
MC		 3247 const unsigned char *const_p;
3248 int len, slen_full, slen;
3249 SSL_SESSION *sess;
3250 unsigned int hlen;
0f113f3e
MC		 3251 SSL_CTX *tctx = s->initial_ctx;
3252 unsigned char iv[EVP_MAX_IV_LENGTH];
3253 unsigned char key_name[16];
3254
3255 /* get session encoding length */
3256 slen_full = i2d_SSL_SESSION(s->session, NULL);
3257 /*
3258 * Some length values are 16 bits, so forget it if session is too
3259 * long
3260 */
cf9b0b6f
MC		 3261 if (slen_full == 0 || slen_full > 0xFF00) {
3262 s->state = SSL_ST_ERR;
0f113f3e 3263 return -1;
cf9b0b6f 3264 }
0f113f3e 3265 senc = OPENSSL_malloc(slen_full);
cf9b0b6f
MC		 3266 if (!senc) {
3267 s->state = SSL_ST_ERR;
0f113f3e 3268 return -1;
cf9b0b6f 3269 }
687eaf27
MC		 3270
3271 EVP_CIPHER_CTX_init(&ctx);
3272 HMAC_CTX_init(&hctx);
3273
0f113f3e 3274 p = senc;
687eaf27
MC		 3275 if (!i2d_SSL_SESSION(s->session, &p))
3276 goto err;
0f113f3e
MC		 3277
3278 /*
3279 * create a fresh copy (not shared with other threads) to clean up
3280 */
3281 const_p = senc;
3282 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
687eaf27
MC		 3283 if (sess == NULL)
3284 goto err;
0f113f3e
MC		 3285 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3286
3287 slen = i2d_SSL_SESSION(sess, NULL);
687eaf27
MC		 3288 if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
3289 SSL_SESSION_free(sess);
3290 goto err;
0f113f3e
MC		 3291 }
3292 p = senc;
687eaf27
MC		 3293 if (!i2d_SSL_SESSION(sess, &p)) {
3294 SSL_SESSION_free(sess);
3295 goto err;
3296 }
0f113f3e
MC		 3297 SSL_SESSION_free(sess);
3298
50e735f9
MC		 3299 /*-
3300 * Grow buffer if need be: the length calculation is as
3301 * follows handshake_header_length +
3302 * 4 (ticket lifetime hint) + 2 (ticket length) +
3303 * 16 (key name) + max_iv_len (iv length) +
3304 * session_length + max_enc_block_size (max encrypted session
3305 * length) + max_md_size (HMAC).
3306 */
0f113f3e
MC		 3307 if (!BUF_MEM_grow(s->init_buf,
3308 SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
3309 EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
687eaf27
MC		 3310 goto err;
3311
0f113f3e 3312 p = ssl_handshake_start(s);
0f113f3e
MC		 3313 /*
3314 * Initialize HMAC and cipher contexts. If callback present it does
3315 * all the work otherwise use generated values from parent ctx.
3316 */
3317 if (tctx->tlsext_ticket_key_cb) {
3318 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
687eaf27
MC		 3319 &hctx, 1) < 0)
3320 goto err;
0f113f3e 3321 } else {
687eaf27
MC		 3322 if (RAND_bytes(iv, 16) <= 0)
3323 goto err;
3324 if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3325 tctx->tlsext_tick_aes_key, iv))
3326 goto err;
3327 if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3328 EVP_sha256(), NULL))
3329 goto err;
0f113f3e
MC		 3330 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3331 }
3332
3333 /*
3334 * Ticket lifetime hint (advisory only): We leave this unspecified
3335 * for resumed session (for simplicity), and guess that tickets for
3336 * new sessions will live as long as their sessions.
3337 */
3338 l2n(s->hit ? 0 : s->session->timeout, p);
3339
3340 /* Skip ticket length for now */
3341 p += 2;
3342 /* Output key name */
3343 macstart = p;
3344 memcpy(p, key_name, 16);
3345 p += 16;
3346 /* output IV */
3347 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
3348 p += EVP_CIPHER_CTX_iv_length(&ctx);
3349 /* Encrypt session data */
687eaf27
MC		 3350 if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen))
3351 goto err;
0f113f3e 3352 p += len;
687eaf27
MC		 3353 if (!EVP_EncryptFinal(&ctx, p, &len))
3354 goto err;
0f113f3e 3355 p += len;
0f113f3e 3356
687eaf27
MC		 3357 if (!HMAC_Update(&hctx, macstart, p - macstart))
3358 goto err;
3359 if (!HMAC_Final(&hctx, p, &hlen))
3360 goto err;
3361
3362 EVP_CIPHER_CTX_cleanup(&ctx);
0f113f3e
MC		 3363 HMAC_CTX_cleanup(&hctx);
3364
3365 p += hlen;
3366 /* Now write out lengths: p points to end of data written */
3367 /* Total length */
3368 len = p - ssl_handshake_start(s);
0f113f3e
MC		 3369 /* Skip ticket lifetime hint */
3370 p = ssl_handshake_start(s) + 4;
3371 s2n(len - 6, p);
61986d32 3372 if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
4f9fab6b 3373 goto err;
0f113f3e
MC		 3374 s->state = SSL3_ST_SW_SESSION_TICKET_B;
3375 OPENSSL_free(senc);
3376 }
3377
3378 /* SSL3_ST_SW_SESSION_TICKET_B */
3379 return ssl_do_write(s);
687eaf27 3380 err:
b548a1f1 3381 OPENSSL_free(senc);
687eaf27
MC		 3382 EVP_CIPHER_CTX_cleanup(&ctx);
3383 HMAC_CTX_cleanup(&hctx);
cf9b0b6f 3384 s->state = SSL_ST_ERR;
687eaf27 3385 return -1;
0f113f3e 3386}
67c8e7f4
DSH		 3387
3388int ssl3_send_cert_status(SSL *s)
0f113f3e
MC		 3389{
3390 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
3391 unsigned char *p;
50e735f9
MC		 3392 /*-
3393 * Grow buffer if need be: the length calculation is as
3394 * follows 1 (message type) + 3 (message length) +
3395 * 1 (ocsp response type) + 3 (ocsp response length)
3396 * + (ocsp response)
3397 */
cf9b0b6f
MC		 3398 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
3399 s->state = SSL_ST_ERR;
0f113f3e 3400 return -1;
cf9b0b6f 3401 }
0f113f3e
MC		 3402
3403 p = (unsigned char *)s->init_buf->data;
3404
3405 /* do the header */
3406 *(p++) = SSL3_MT_CERTIFICATE_STATUS;
3407 /* message length */
3408 l2n3(s->tlsext_ocsp_resplen + 4, p);
3409 /* status type */
3410 *(p++) = s->tlsext_status_type;
3411 /* length of OCSP response */
3412 l2n3(s->tlsext_ocsp_resplen, p);
3413 /* actual response */
3414 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
3415 /* number of bytes to write */
3416 s->init_num = 8 + s->tlsext_ocsp_resplen;
3417 s->state = SSL3_ST_SW_CERT_STATUS_B;
3418 s->init_off = 0;
3419 }
3420
3421 /* SSL3_ST_SW_CERT_STATUS_B */
3422 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3423}
ee2ffc27 3424
e481f9b9 3425#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 3426/*
3427 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
3428 * It sets the next_proto member in s if found
3429 */
ee2ffc27 3430int ssl3_get_next_proto(SSL *s)
0f113f3e
MC		 3431{
3432 int ok;
0f113f3e 3433 long n;
6d41fc80
EK		 3434 PACKET pkt, next_proto, padding;
3435 size_t next_proto_len;
0f113f3e
MC		 3436
3437 /*
3438 * Clients cannot send a NextProtocol message if we didn't see the
3439 * extension in their ClientHello
3440 */
3441 if (!s->s3->next_proto_neg_seen) {
3442 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3443 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
cf9b0b6f 3444 s->state = SSL_ST_ERR;
0f113f3e
MC		 3445 return -1;
3446 }
3447
3448 /* See the payload format below */
3449 n = s->method->ssl_get_message(s,
3450 SSL3_ST_SR_NEXT_PROTO_A,
3451 SSL3_ST_SR_NEXT_PROTO_B,
3452 SSL3_MT_NEXT_PROTO, 514, &ok);
3453
3454 if (!ok)
3455 return ((int)n);
3456
3457 /*
3458 * s->state doesn't reflect whether ChangeCipherSpec has been received in
3459 * this handshake, but s->s3->change_cipher_spec does (will be reset by
3460 * ssl3_get_finished).
3461 */
3462 if (!s->s3->change_cipher_spec) {
3463 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
cf9b0b6f 3464 s->state = SSL_ST_ERR;
0f113f3e
MC		 3465 return -1;
3466 }
3467
cf9b0b6f 3468 if (n < 2) {
c3fc7eea 3469 goto err; /* The body must be > 1 bytes long */
cf9b0b6f 3470 }
0f113f3e 3471
c3fc7eea
MC		 3472 if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
3473 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
3474 goto err;
3475 }
0f113f3e 3476
50e735f9
MC		 3477 /*-
3478 * The payload looks like:
3479 * uint8 proto_len;
3480 * uint8 proto[proto_len];
3481 * uint8 padding_len;
3482 * uint8 padding[padding_len];
3483 */
6d41fc80
EK		 3484 if (!PACKET_get_length_prefixed_1(&pkt, &next_proto)
3485 || !PACKET_get_length_prefixed_1(&pkt, &padding)
3486 || PACKET_remaining(&pkt) > 0) {
c3fc7eea
MC		 3487 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
3488 goto err;
cf9b0b6f 3489 }
0f113f3e 3490
6d41fc80
EK		 3491 if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
3492 &next_proto_len)) {
3493 s->next_proto_negotiated_len = 0;
c3fc7eea
MC		 3494 goto err;
3495 }
3496
6d41fc80 3497 s->next_proto_negotiated_len = (unsigned char)next_proto_len;
0f113f3e
MC		 3498
3499 return 1;
c3fc7eea
MC		 3500err:
3501 s->state = SSL_ST_ERR;
3502 return 0;
0f113f3e 3503}
6434abbf 3504#endif
d45ba43d
MC		 3505
3506#define SSLV2_CIPHER_LEN 3
3507
3508STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
3509 int num,
3510 STACK_OF(SSL_CIPHER) **skp,
3511 int sslv2format)
3512{
3513 const SSL_CIPHER *c;
3514 STACK_OF(SSL_CIPHER) *sk;
3515 int i, n;
3516
3517 if (s->s3)
3518 s->s3->send_connection_binding = 0;
3519
3520 if(sslv2format) {
3521 n = SSLV2_CIPHER_LEN;
3522 } else {
e9fa092e 3523 n = TLS_CIPHER_LEN;
d45ba43d
MC		 3524 }
3525 if (n == 0 || (num % n) != 0) {
3526 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
3527 SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
3528 return (NULL);
3529 }
3530 if ((skp == NULL) || (*skp == NULL)) {
3531 sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
3532 if(sk == NULL) {
3533 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3534 return NULL;
3535 }
3536 } else {
3537 sk = *skp;
3538 sk_SSL_CIPHER_zero(sk);
3539 }
3540
76106e60
DSH		 3541 OPENSSL_free(s->s3->tmp.ciphers_raw);
3542 s->s3->tmp.ciphers_raw = BUF_memdup(p, num);
3543 if (s->s3->tmp.ciphers_raw == NULL) {
d45ba43d
MC		 3544 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3545 goto err;
3546 }
76106e60 3547 s->s3->tmp.ciphers_rawlen = (size_t)num;
d45ba43d
MC		 3548
3549 for (i = 0; i < num; i += n) {
3550 /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
3551 if (s->s3 && (n != 3 || !p[0]) &&
3552 (p[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
3553 (p[n - 1] == (SSL3_CK_SCSV & 0xff))) {
3554 /* SCSV fatal if renegotiating */
3555 if (s->renegotiate) {
3556 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
3557 SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
3558 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3559 goto err;
3560 }
3561 s->s3->send_connection_binding = 1;
3562 p += n;
3563#ifdef OPENSSL_RI_DEBUG
3564 fprintf(stderr, "SCSV received by server\n");
3565#endif
3566 continue;
3567 }
3568
3569 /* Check for TLS_FALLBACK_SCSV */
3570 if ((n != 3 || !p[0]) &&
3571 (p[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
3572 (p[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
3573 /*
3574 * The SCSV indicates that the client previously tried a higher
3575 * version. Fail if the current version is an unexpected
3576 * downgrade.
3577 */
3578 if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) {
3579 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
3580 SSL_R_INAPPROPRIATE_FALLBACK);
3581 if (s->s3)
3582 ssl3_send_alert(s, SSL3_AL_FATAL,
3583 SSL_AD_INAPPROPRIATE_FALLBACK);
3584 goto err;
3585 }
3586 p += n;
3587 continue;
3588 }
3589
3590 if(sslv2format) {
3591 /*
3592 * We only support SSLv2 format ciphers in SSLv3+ using a
3593 * SSLv2 backward compatible ClientHello. In this case the first
3594 * byte is always 0 for SSLv3 compatible ciphers. Anything else
3595 * is an SSLv2 cipher and we ignore it
3596 */
3597 if(p[0] == 0)
3598 c = ssl_get_cipher_by_char(s, &p[1]);
3599 else
3600 c = NULL;
3601 } else {
3602 c = ssl_get_cipher_by_char(s, p);
3603 }
3604 p += n;
3605 if (c != NULL) {
3606 if (!sk_SSL_CIPHER_push(sk, c)) {
3607 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3608 goto err;
3609 }
3610 }
3611 }
3612
3613 if (skp != NULL)
3614 *skp = sk;
3615 return (sk);
3616 err:
3617 if ((skp == NULL) || (*skp == NULL))
3618 sk_SSL_CIPHER_free(sk);
3619 return (NULL);
3620}
A mirror of the official openssl repository