ssl/s3_clnt.c

   1 /* ssl/s3_clnt.c */
   2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   3  * All rights reserved.
   4  *
   5  * This package is an SSL implementation written
   6  * by Eric Young (eay@cryptsoft.com).
   7  * The implementation was written so as to conform with Netscapes SSL.
   8  *
   9  * This library is free for commercial and non-commercial use as long as
  10  * the following conditions are aheared to.  The following conditions
  11  * apply to all code found in this distribution, be it the RC4, RSA,
  12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  13  * included with this distribution is covered by the same copyright terms
  14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15  *
  16  * Copyright remains Eric Young's, and as such any Copyright notices in
  17  * the code are not to be removed.
  18  * If this package is used in a product, Eric Young should be given attribution
  19  * as the author of the parts of the library used.
  20  * This can be in the form of a textual message at program startup or
  21  * in documentation (online or textual) provided with the package.
  22  *
  23  * Redistribution and use in source and binary forms, with or without
  24  * modification, are permitted provided that the following conditions
  25  * are met:
  26  * 1. Redistributions of source code must retain the copyright
  27  *    notice, this list of conditions and the following disclaimer.
  28  * 2. Redistributions in binary form must reproduce the above copyright
  29  *    notice, this list of conditions and the following disclaimer in the
  30  *    documentation and/or other materials provided with the distribution.
  31  * 3. All advertising materials mentioning features or use of this software
  32  *    must display the following acknowledgement:
  33  *    "This product includes cryptographic software written by
  34  *     Eric Young (eay@cryptsoft.com)"
  35  *    The word 'cryptographic' can be left out if the rouines from the library
  36  *    being used are not cryptographic related :-).
  37  * 4. If you include any Windows specific code (or a derivative thereof) from
  38  *    the apps directory (application code) you must include an acknowledgement:
  39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40  *
  41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51  * SUCH DAMAGE.
  52  *
  53  * The licence and distribution terms for any publically available version or
  54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  55  * copied and put under another distribution licence
  56  * [including the GNU Public Licence.]
  57  */
  58 /* ====================================================================
  59  * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  60  *
  61  * Redistribution and use in source and binary forms, with or without
  62  * modification, are permitted provided that the following conditions
  63  * are met:
  64  *
  65  * 1. Redistributions of source code must retain the above copyright
  66  *    notice, this list of conditions and the following disclaimer.
  67  *
  68  * 2. Redistributions in binary form must reproduce the above copyright
  69  *    notice, this list of conditions and the following disclaimer in
  70  *    the documentation and/or other materials provided with the
  71  *    distribution.
  72  *
  73  * 3. All advertising materials mentioning features or use of this
  74  *    software must display the following acknowledgment:
  75  *    "This product includes software developed by the OpenSSL Project
  76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77  *
  78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79  *    endorse or promote products derived from this software without
  80  *    prior written permission. For written permission, please contact
  81  *    openssl-core@openssl.org.
  82  *
  83  * 5. Products derived from this software may not be called "OpenSSL"
  84  *    nor may "OpenSSL" appear in their names without prior written
  85  *    permission of the OpenSSL Project.
  86  *
  87  * 6. Redistributions of any form whatsoever must retain the following
  88  *    acknowledgment:
  89  *    "This product includes software developed by the OpenSSL Project
  90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91  *
  92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 103  * OF THE POSSIBILITY OF SUCH DAMAGE.
 104  * ====================================================================
 105  *
 106  * This product includes cryptographic software written by Eric Young
 107  * (eay@cryptsoft.com).  This product includes software written by Tim
 108  * Hudson (tjh@cryptsoft.com).
 109  *
 110  */
 111 /* ====================================================================
 112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 113  *
 114  * Portions of the attached software ("Contribution") are developed by
 115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 116  *
 117  * The Contribution is licensed pursuant to the OpenSSL open source
 118  * license provided above.
 119  *
 120  * ECC cipher suite support in OpenSSL originally written by
 121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 122  *
 123  */
 124
 125 #include <stdio.h>
 126 #include "ssl_locl.h"
 127 #include "kssl_lcl.h"
 128 #include <openssl/buffer.h>
 129 #include <openssl/rand.h>
 130 #include <openssl/objects.h>
 131 #include <openssl/evp.h>
 132 #include <openssl/md5.h>
 133 #ifndef OPENSSL_NO_DH
 134 #include <openssl/dh.h>
 135 #endif
 136 #include <openssl/bn.h>
 137
 138 static const SSL_METHOD *ssl3_get_client_method(int ver);
 139 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
 140
 141 #ifndef OPENSSL_NO_ECDH
 142 static int curve_id2nid(int curve_id);
 143 int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
 144 #endif
 145
 146 static const SSL_METHOD *ssl3_get_client_method(int ver)
 147         {
 148         if (ver == SSL3_VERSION)
 149                 return(SSLv3_client_method());
 150         else
 151                 return(NULL);
 152         }
 153
 154 IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
 155                         ssl_undefined_function,
 156                         ssl3_connect,
 157                         ssl3_get_client_method)
 158
 159 int ssl3_connect(SSL *s)
 160         {
 161         BUF_MEM *buf=NULL;
 162         unsigned long Time=(unsigned long)time(NULL),l;
 163         long num1;
 164         void (*cb)(const SSL *ssl,int type,int val)=NULL;
 165         int ret= -1;
 166         int new_state,state,skip=0;;
 167
 168         RAND_add(&Time,sizeof(Time),0);
 169         ERR_clear_error();
 170         clear_sys_error();
 171
 172         if (s->info_callback != NULL)
 173                 cb=s->info_callback;
 174         else if (s->ctx->info_callback != NULL)
 175                 cb=s->ctx->info_callback;
 176
 177         s->in_handshake++;
 178         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
 179
 180         for (;;)
 181                 {
 182                 state=s->state;
 183
 184                 switch(s->state)
 185                         {
 186                 case SSL_ST_RENEGOTIATE:
 187                         s->new_session=1;
 188                         s->state=SSL_ST_CONNECT;
 189                         s->ctx->stats.sess_connect_renegotiate++;
 190                         /* break */
 191                 case SSL_ST_BEFORE:
 192                 case SSL_ST_CONNECT:
 193                 case SSL_ST_BEFORE|SSL_ST_CONNECT:
 194                 case SSL_ST_OK|SSL_ST_CONNECT:
 195
 196                         s->server=0;
 197                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 198
 199                         if ((s->version & 0xff00 ) != 0x0300)
 200                                 {
 201                                 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
 202                                 ret = -1;
 203                                 goto end;
 204                                 }
 205
 206                         /* s->version=SSL3_VERSION; */
 207                         s->type=SSL_ST_CONNECT;
 208
 209                         if (s->init_buf == NULL)
 210                                 {
 211                                 if ((buf=BUF_MEM_new()) == NULL)
 212                                         {
 213                                         ret= -1;
 214                                         goto end;
 215                                         }
 216                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 217                                         {
 218                                         ret= -1;
 219                                         goto end;
 220                                         }
 221                                 s->init_buf=buf;
 222                                 buf=NULL;
 223                                 }
 224
 225                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
 226
 227                         /* setup buffing BIO */
 228                         if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
 229
 230                         /* don't push the buffering BIO quite yet */
 231
 232                         ssl3_init_finished_mac(s);
 233
 234                         s->state=SSL3_ST_CW_CLNT_HELLO_A;
 235                         s->ctx->stats.sess_connect++;
 236                         s->init_num=0;
 237                         break;
 238
 239                 case SSL3_ST_CW_CLNT_HELLO_A:
 240                 case SSL3_ST_CW_CLNT_HELLO_B:
 241
 242                         s->shutdown=0;
 243                         ret=ssl3_client_hello(s);
 244                         if (ret <= 0) goto end;
 245                         s->state=SSL3_ST_CR_SRVR_HELLO_A;
 246                         s->init_num=0;
 247
 248                         /* turn on buffering for the next lot of output */
 249                         if (s->bbio != s->wbio)
 250                                 s->wbio=BIO_push(s->bbio,s->wbio);
 251
 252                         break;
 253
 254                 case SSL3_ST_CR_SRVR_HELLO_A:
 255                 case SSL3_ST_CR_SRVR_HELLO_B:
 256                         ret=ssl3_get_server_hello(s);
 257                         if (ret <= 0) goto end;
 258 #ifndef OPENSSL_NO_TLSEXT
 259                         {
 260                                 int extension_error = 0,al;
 261                                 if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
 262                                         ret = -1;
 263                                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
 264                                         goto end;
 265                                 }
 266                         }
 267 #endif
 268                         if (s->hit)
 269                                 s->state=SSL3_ST_CR_FINISHED_A;
 270                         else
 271                                 s->state=SSL3_ST_CR_CERT_A;
 272                         s->init_num=0;
 273                         break;
 274
 275                 case SSL3_ST_CR_CERT_A:
 276                 case SSL3_ST_CR_CERT_B:
 277                         /* Check if it is anon DH/ECDH */
 278                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
 279                                 {
 280                                 ret=ssl3_get_server_certificate(s);
 281                                 if (ret <= 0) goto end;
 282                                 }
 283                         else
 284                                 skip=1;
 285                         s->state=SSL3_ST_CR_KEY_EXCH_A;
 286                         s->init_num=0;
 287                         break;
 288
 289                 case SSL3_ST_CR_KEY_EXCH_A:
 290                 case SSL3_ST_CR_KEY_EXCH_B:
 291                         ret=ssl3_get_key_exchange(s);
 292                         if (ret <= 0) goto end;
 293                         s->state=SSL3_ST_CR_CERT_REQ_A;
 294                         s->init_num=0;
 295
 296                         /* at this point we check that we have the
 297                          * required stuff from the server */
 298                         if (!ssl3_check_cert_and_algorithm(s))
 299                                 {
 300                                 ret= -1;
 301                                 goto end;
 302                                 }
 303                         break;
 304
 305                 case SSL3_ST_CR_CERT_REQ_A:
 306                 case SSL3_ST_CR_CERT_REQ_B:
 307                         ret=ssl3_get_certificate_request(s);
 308                         if (ret <= 0) goto end;
 309                         s->state=SSL3_ST_CR_SRVR_DONE_A;
 310                         s->init_num=0;
 311                         break;
 312
 313                 case SSL3_ST_CR_SRVR_DONE_A:
 314                 case SSL3_ST_CR_SRVR_DONE_B:
 315                         ret=ssl3_get_server_done(s);
 316                         if (ret <= 0) goto end;
 317                         if (s->s3->tmp.cert_req)
 318                                 s->state=SSL3_ST_CW_CERT_A;
 319                         else
 320                                 s->state=SSL3_ST_CW_KEY_EXCH_A;
 321                         s->init_num=0;
 322
 323                         break;
 324
 325                 case SSL3_ST_CW_CERT_A:
 326                 case SSL3_ST_CW_CERT_B:
 327                 case SSL3_ST_CW_CERT_C:
 328                 case SSL3_ST_CW_CERT_D:
 329                         ret=ssl3_send_client_certificate(s);
 330                         if (ret <= 0) goto end;
 331                         s->state=SSL3_ST_CW_KEY_EXCH_A;
 332                         s->init_num=0;
 333                         break;
 334
 335                 case SSL3_ST_CW_KEY_EXCH_A:
 336                 case SSL3_ST_CW_KEY_EXCH_B:
 337                         ret=ssl3_send_client_key_exchange(s);
 338                         if (ret <= 0) goto end;
 339                         l=s->s3->tmp.new_cipher->algorithms;
 340                         /* EAY EAY EAY need to check for DH fix cert
 341                          * sent back */
 342                         /* For TLS, cert_req is set to 2, so a cert chain
 343                          * of nothing is sent, but no verify packet is sent */
 344                         /* XXX: For now, we do not support client
 345                          * authentication in ECDH cipher suites with
 346                          * ECDH (rather than ECDSA) certificates.
 347                          * We need to skip the certificate verify
 348                          * message when client's ECDH public key is sent
 349                          * inside the client certificate.
 350                          */
 351                         if (s->s3->tmp.cert_req == 1)
 352                                 {
 353                                 s->state=SSL3_ST_CW_CERT_VRFY_A;
 354                                 }
 355                         else
 356                                 {
 357                                 s->state=SSL3_ST_CW_CHANGE_A;
 358                                 s->s3->change_cipher_spec=0;
 359                                 }
 360
 361                         s->init_num=0;
 362                         break;
 363
 364                 case SSL3_ST_CW_CERT_VRFY_A:
 365                 case SSL3_ST_CW_CERT_VRFY_B:
 366                         ret=ssl3_send_client_verify(s);
 367                         if (ret <= 0) goto end;
 368                         s->state=SSL3_ST_CW_CHANGE_A;
 369                         s->init_num=0;
 370                         s->s3->change_cipher_spec=0;
 371                         break;
 372
 373                 case SSL3_ST_CW_CHANGE_A:
 374                 case SSL3_ST_CW_CHANGE_B:
 375                         ret=ssl3_send_change_cipher_spec(s,
 376                                 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
 377                         if (ret <= 0) goto end;
 378                         s->state=SSL3_ST_CW_FINISHED_A;
 379                         s->init_num=0;
 380
 381                         s->session->cipher=s->s3->tmp.new_cipher;
 382 #ifdef OPENSSL_NO_COMP
 383                         s->session->compress_meth=0;
 384 #else
 385                         if (s->s3->tmp.new_compression == NULL)
 386                                 s->session->compress_meth=0;
 387                         else
 388                                 s->session->compress_meth=
 389                                         s->s3->tmp.new_compression->id;
 390 #endif
 391                         if (!s->method->ssl3_enc->setup_key_block(s))
 392                                 {
 393                                 ret= -1;
 394                                 goto end;
 395                                 }
 396
 397                         if (!s->method->ssl3_enc->change_cipher_state(s,
 398                                 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
 399                                 {
 400                                 ret= -1;
 401                                 goto end;
 402                                 }
 403
 404                         break;
 405
 406                 case SSL3_ST_CW_FINISHED_A:
 407                 case SSL3_ST_CW_FINISHED_B:
 408                         ret=ssl3_send_finished(s,
 409                                 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
 410                                 s->method->ssl3_enc->client_finished_label,
 411                                 s->method->ssl3_enc->client_finished_label_len);
 412                         if (ret <= 0) goto end;
 413                         s->state=SSL3_ST_CW_FLUSH;
 414
 415                         /* clear flags */
 416                         s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
 417                         if (s->hit)
 418                                 {
 419                                 s->s3->tmp.next_state=SSL_ST_OK;
 420                                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
 421                                         {
 422                                         s->state=SSL_ST_OK;
 423                                         s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
 424                                         s->s3->delay_buf_pop_ret=0;
 425                                         }
 426                                 }
 427                         else
 428                                 {
 429                                 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
 430                                 }
 431                         s->init_num=0;
 432                         break;
 433
 434                 case SSL3_ST_CR_FINISHED_A:
 435                 case SSL3_ST_CR_FINISHED_B:
 436
 437                         ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
 438                                 SSL3_ST_CR_FINISHED_B);
 439                         if (ret <= 0) goto end;
 440
 441                         if (s->hit)
 442                                 s->state=SSL3_ST_CW_CHANGE_A;
 443                         else
 444                                 s->state=SSL_ST_OK;
 445                         s->init_num=0;
 446                         break;
 447
 448                 case SSL3_ST_CW_FLUSH:
 449                         /* number of bytes to be flushed */
 450                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
 451                         if (num1 > 0)
 452                                 {
 453                                 s->rwstate=SSL_WRITING;
 454                                 num1=BIO_flush(s->wbio);
 455                                 if (num1 <= 0) { ret= -1; goto end; }
 456                                 s->rwstate=SSL_NOTHING;
 457                                 }
 458
 459                         s->state=s->s3->tmp.next_state;
 460                         break;
 461
 462                 case SSL_ST_OK:
 463                         /* clean a few things up */
 464                         ssl3_cleanup_key_block(s);
 465
 466                         if (s->init_buf != NULL)
 467                                 {
 468                                 BUF_MEM_free(s->init_buf);
 469                                 s->init_buf=NULL;
 470                                 }
 471
 472                         /* If we are not 'joining' the last two packets,
 473                          * remove the buffering now */
 474                         if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
 475                                 ssl_free_wbio_buffer(s);
 476                         /* else do it later in ssl3_write */
 477
 478                         s->init_num=0;
 479                         s->new_session=0;
 480
 481                         ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
 482                         if (s->hit) s->ctx->stats.sess_hit++;
 483
 484                         ret=1;
 485                         /* s->server=0; */
 486                         s->handshake_func=ssl3_connect;
 487                         s->ctx->stats.sess_connect_good++;
 488
 489                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
 490
 491                         goto end;
 492                         /* break; */
 493
 494                 default:
 495                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
 496                         ret= -1;
 497                         goto end;
 498                         /* break; */
 499                         }
 500
 501                 /* did we do anything */
 502                 if (!s->s3->tmp.reuse_message && !skip)
 503                         {
 504                         if (s->debug)
 505                                 {
 506                                 if ((ret=BIO_flush(s->wbio)) <= 0)
 507                                         goto end;
 508                                 }
 509
 510                         if ((cb != NULL) && (s->state != state))
 511                                 {
 512                                 new_state=s->state;
 513                                 s->state=state;
 514                                 cb(s,SSL_CB_CONNECT_LOOP,1);
 515                                 s->state=new_state;
 516                                 }
 517                         }
 518                 skip=0;
 519                 }
 520 end:
 521         s->in_handshake--;
 522         if (buf != NULL)
 523                 BUF_MEM_free(buf);
 524         if (cb != NULL)
 525                 cb(s,SSL_CB_CONNECT_EXIT,ret);
 526         return(ret);
 527         }
 528
 529
 530 int ssl3_client_hello(SSL *s)
 531         {
 532         unsigned char *buf;
 533         unsigned char *p,*d;
 534         int i;
 535         unsigned long Time,l;
 536 #ifndef OPENSSL_NO_COMP
 537         int j;
 538         SSL_COMP *comp;
 539 #endif
 540
 541         buf=(unsigned char *)s->init_buf->data;
 542         if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
 543                 {
 544                 if ((s->session == NULL) ||
 545                         (s->session->ssl_version != s->version) ||
 546                         (s->session->not_resumable))
 547                         {
 548                         if (!ssl_get_new_session(s,0))
 549                                 goto err;
 550                         }
 551                 /* else use the pre-loaded session */
 552
 553                 p=s->s3->client_random;
 554                 Time=(unsigned long)time(NULL);                 /* Time */
 555                 l2n(Time,p);
 556                 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
 557                         goto err;
 558
 559                 /* Do the message type and length last */
 560                 d=p= &(buf[4]);
 561
 562                 *(p++)=s->version>>8;
 563                 *(p++)=s->version&0xff;
 564                 s->client_version=s->version;
 565
 566                 /* Random stuff */
 567                 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
 568                 p+=SSL3_RANDOM_SIZE;
 569
 570                 /* Session ID */
 571                 if (s->new_session)
 572                         i=0;
 573                 else
 574                         i=s->session->session_id_length;
 575                 *(p++)=i;
 576                 if (i != 0)
 577                         {
 578                         if (i > (int)sizeof(s->session->session_id))
 579                                 {
 580                                 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
 581                                 goto err;
 582                                 }
 583                         memcpy(p,s->session->session_id,i);
 584                         p+=i;
 585                         }
 586
 587                 /* Ciphers supported */
 588                 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
 589                 if (i == 0)
 590                         {
 591                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
 592                         goto err;
 593                         }
 594                 s2n(i,p);
 595                 p+=i;
 596
 597                 /* COMPRESSION */
 598 #ifdef OPENSSL_NO_COMP
 599                 *(p++)=1;
 600 #else
 601
 602                 if ((s->options & SSL_OP_NO_COMPRESSION)
 603                                         || !s->ctx->comp_methods)
 604                         j=0;
 605                 else
 606                         j=sk_SSL_COMP_num(s->ctx->comp_methods);
 607                 *(p++)=1+j;
 608                 for (i=0; i<j; i++)
 609                         {
 610                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
 611                         *(p++)=comp->id;
 612                         }
 613 #endif
 614                 *(p++)=0; /* Add the NULL method */
 615 #ifndef OPENSSL_NO_TLSEXT
 616                 if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 617                 {
 618                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
 619                         goto err;
 620                 }
 621 #endif
 622
 623                 l=(p-d);
 624                 d=buf;
 625                 *(d++)=SSL3_MT_CLIENT_HELLO;
 626                 l2n3(l,d);
 627
 628                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
 629                 /* number of bytes to write */
 630                 s->init_num=p-buf;
 631                 s->init_off=0;
 632                 }
 633
 634         /* SSL3_ST_CW_CLNT_HELLO_B */
 635         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 636 err:
 637         return(-1);
 638         }
 639
 640 int ssl3_get_server_hello(SSL *s)
 641         {
 642         STACK_OF(SSL_CIPHER) *sk;
 643         SSL_CIPHER *c;
 644         unsigned char *p,*d;
 645         int i,al,ok;
 646         unsigned int j;
 647         long n;
 648 #ifndef OPENSSL_NO_COMP
 649         SSL_COMP *comp;
 650 #endif
 651
 652         n=s->method->ssl_get_message(s,
 653                 SSL3_ST_CR_SRVR_HELLO_A,
 654                 SSL3_ST_CR_SRVR_HELLO_B,
 655                 -1,
 656                 300, /* ?? */
 657                 &ok);
 658
 659         if (!ok) return((int)n);
 660
 661         if ( SSL_version(s) == DTLS1_VERSION)
 662                 {
 663                 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
 664                         {
 665                         if ( s->d1->send_cookie == 0)
 666                                 {
 667                                 s->s3->tmp.reuse_message = 1;
 668                                 return 1;
 669                                 }
 670                         else /* already sent a cookie */
 671                                 {
 672                                 al=SSL_AD_UNEXPECTED_MESSAGE;
 673                                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
 674                                 goto f_err;
 675                                 }
 676                         }
 677                 }
 678
 679         if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
 680                 {
 681                 al=SSL_AD_UNEXPECTED_MESSAGE;
 682                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
 683                 goto f_err;
 684                 }
 685
 686         d=p=(unsigned char *)s->init_msg;
 687
 688         if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
 689                 {
 690                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
 691                 s->version=(s->version&0xff00)|p[1];
 692                 al=SSL_AD_PROTOCOL_VERSION;
 693                 goto f_err;
 694                 }
 695         p+=2;
 696
 697         /* load the server hello data */
 698         /* load the server random */
 699         memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
 700         p+=SSL3_RANDOM_SIZE;
 701
 702         /* get the session-id */
 703         j= *(p++);
 704
 705         if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
 706                 {
 707                 al=SSL_AD_ILLEGAL_PARAMETER;
 708                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
 709                 goto f_err;
 710                 }
 711
 712         if (j != 0 && j == s->session->session_id_length
 713             && memcmp(p,s->session->session_id,j) == 0)
 714             {
 715             if(s->sid_ctx_length != s->session->sid_ctx_length
 716                || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
 717                 {
 718                 /* actually a client application bug */
 719                 al=SSL_AD_ILLEGAL_PARAMETER;
 720                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
 721                 goto f_err;
 722                 }
 723             s->hit=1;
 724             }
 725         else    /* a miss or crap from the other end */
 726                 {
 727                 /* If we were trying for session-id reuse, make a new
 728                  * SSL_SESSION so we don't stuff up other people */
 729                 s->hit=0;
 730                 if (s->session->session_id_length > 0)
 731                         {
 732                         if (!ssl_get_new_session(s,0))
 733                                 {
 734                                 al=SSL_AD_INTERNAL_ERROR;
 735                                 goto f_err;
 736                                 }
 737                         }
 738                 s->session->session_id_length=j;
 739                 memcpy(s->session->session_id,p,j); /* j could be 0 */
 740                 }
 741         p+=j;
 742         c=ssl_get_cipher_by_char(s,p);
 743         if (c == NULL)
 744                 {
 745                 /* unknown cipher */
 746                 al=SSL_AD_ILLEGAL_PARAMETER;
 747                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
 748                 goto f_err;
 749                 }
 750         p+=ssl_put_cipher_by_char(s,NULL,NULL);
 751
 752         sk=ssl_get_ciphers_by_id(s);
 753         i=sk_SSL_CIPHER_find(sk,c);
 754         if (i < 0)
 755                 {
 756                 /* we did not say we would use this cipher */
 757                 al=SSL_AD_ILLEGAL_PARAMETER;
 758                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
 759                 goto f_err;
 760                 }
 761
 762         /* Depending on the session caching (internal/external), the cipher
 763            and/or cipher_id values may not be set. Make sure that
 764            cipher_id is set and use it for comparison. */
 765         if (s->session->cipher)
 766                 s->session->cipher_id = s->session->cipher->id;
 767         if (s->hit && (s->session->cipher_id != c->id))
 768                 {
 769                 if (!(s->options &
 770                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
 771                         {
 772                         al=SSL_AD_ILLEGAL_PARAMETER;
 773                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
 774                         goto f_err;
 775                         }
 776                 }
 777         s->s3->tmp.new_cipher=c;
 778
 779         /* lets get the compression algorithm */
 780         /* COMPRESSION */
 781 #ifdef OPENSSL_NO_COMP
 782         if (*(p++) != 0)
 783                 {
 784                 al=SSL_AD_ILLEGAL_PARAMETER;
 785                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
 786                 goto f_err;
 787                 }
 788 #else
 789         j= *(p++);
 790         if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
 791                 comp=NULL;
 792         else
 793                 comp=ssl3_comp_find(s->ctx->comp_methods,j);
 794
 795         if ((j != 0) && (comp == NULL))
 796                 {
 797                 al=SSL_AD_ILLEGAL_PARAMETER;
 798                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
 799                 goto f_err;
 800                 }
 801         else
 802                 {
 803                 s->s3->tmp.new_compression=comp;
 804                 }
 805 #endif
 806 #ifndef OPENSSL_NO_TLSEXT
 807         /* TLS extensions*/
 808         if (s->version > SSL3_VERSION)
 809         {
 810                 if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
 811                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
 812                         goto f_err;
 813                 }
 814         }
 815 #endif
 816
 817         if (p != (d+n))
 818                 {
 819                 /* wrong packet length */
 820                 al=SSL_AD_DECODE_ERROR;
 821                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
 822                 goto err;
 823                 }
 824
 825         return(1);
 826 f_err:
 827         ssl3_send_alert(s,SSL3_AL_FATAL,al);
 828 err:
 829         return(-1);
 830         }
 831
 832 int ssl3_get_server_certificate(SSL *s)
 833         {
 834         int al,i,ok,ret= -1;
 835         unsigned long n,nc,llen,l;
 836         X509 *x=NULL;
 837         const unsigned char *q,*p;
 838         unsigned char *d;
 839         STACK_OF(X509) *sk=NULL;
 840         SESS_CERT *sc;
 841         EVP_PKEY *pkey=NULL;
 842         int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
 843
 844         n=s->method->ssl_get_message(s,
 845                 SSL3_ST_CR_CERT_A,
 846                 SSL3_ST_CR_CERT_B,
 847                 -1,
 848                 s->max_cert_list,
 849                 &ok);
 850
 851         if (!ok) return((int)n);
 852
 853         if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
 854                 {
 855                 s->s3->tmp.reuse_message=1;
 856                 return(1);
 857                 }
 858
 859         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
 860                 {
 861                 al=SSL_AD_UNEXPECTED_MESSAGE;
 862                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
 863                 goto f_err;
 864                 }
 865         p=d=(unsigned char *)s->init_msg;
 866
 867         if ((sk=sk_X509_new_null()) == NULL)
 868                 {
 869                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
 870                 goto err;
 871                 }
 872
 873         n2l3(p,llen);
 874         if (llen+3 != n)
 875                 {
 876                 al=SSL_AD_DECODE_ERROR;
 877                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
 878                 goto f_err;
 879                 }
 880         for (nc=0; nc<llen; )
 881                 {
 882                 n2l3(p,l);
 883                 if ((l+nc+3) > llen)
 884                         {
 885                         al=SSL_AD_DECODE_ERROR;
 886                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
 887                         goto f_err;
 888                         }
 889
 890                 q=p;
 891                 x=d2i_X509(NULL,&q,l);
 892                 if (x == NULL)
 893                         {
 894                         al=SSL_AD_BAD_CERTIFICATE;
 895                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
 896                         goto f_err;
 897                         }
 898                 if (q != (p+l))
 899                         {
 900                         al=SSL_AD_DECODE_ERROR;
 901                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
 902                         goto f_err;
 903                         }
 904                 if (!sk_X509_push(sk,x))
 905                         {
 906                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
 907                         goto err;
 908                         }
 909                 x=NULL;
 910                 nc+=l+3;
 911                 p=q;
 912                 }
 913
 914         i=ssl_verify_cert_chain(s,sk);
 915         if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
 916 #ifndef OPENSSL_NO_KRB5
 917                 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
 918                 != (SSL_aKRB5|SSL_kKRB5)
 919 #endif /* OPENSSL_NO_KRB5 */
 920                 )
 921                 {
 922                 al=ssl_verify_alarm_type(s->verify_result);
 923                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
 924                 goto f_err;
 925                 }
 926         ERR_clear_error(); /* but we keep s->verify_result */
 927
 928         sc=ssl_sess_cert_new();
 929         if (sc == NULL) goto err;
 930
 931         if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
 932         s->session->sess_cert=sc;
 933
 934         sc->cert_chain=sk;
 935         /* Inconsistency alert: cert_chain does include the peer's
 936          * certificate, which we don't include in s3_srvr.c */
 937         x=sk_X509_value(sk,0);
 938         sk=NULL;
 939         /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
 940
 941         pkey=X509_get_pubkey(x);
 942
 943         /* VRS: allow null cert if auth == KRB5 */
 944         need_cert =     ((s->s3->tmp.new_cipher->algorithms
 945                          & (SSL_MKEY_MASK|SSL_AUTH_MASK))
 946                          == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
 947
 948 #ifdef KSSL_DEBUG
 949         printf("pkey,x = %p, %p\n", pkey,x);
 950         printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
 951         printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
 952                 s->s3->tmp.new_cipher->algorithms, need_cert);
 953 #endif    /* KSSL_DEBUG */
 954
 955         if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
 956                 {
 957                 x=NULL;
 958                 al=SSL3_AL_FATAL;
 959                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
 960                         SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
 961                 goto f_err;
 962                 }
 963
 964         i=ssl_cert_type(x,pkey);
 965         if (need_cert && i < 0)
 966                 {
 967                 x=NULL;
 968                 al=SSL3_AL_FATAL;
 969                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
 970                         SSL_R_UNKNOWN_CERTIFICATE_TYPE);
 971                 goto f_err;
 972                 }
 973
 974         if (need_cert)
 975                 {
 976                 sc->peer_cert_type=i;
 977                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
 978                 /* Why would the following ever happen?
 979                  * We just created sc a couple of lines ago. */
 980                 if (sc->peer_pkeys[i].x509 != NULL)
 981                         X509_free(sc->peer_pkeys[i].x509);
 982                 sc->peer_pkeys[i].x509=x;
 983                 sc->peer_key= &(sc->peer_pkeys[i]);
 984
 985                 if (s->session->peer != NULL)
 986                         X509_free(s->session->peer);
 987                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
 988                 s->session->peer=x;
 989                 }
 990         else
 991                 {
 992                 sc->peer_cert_type=i;
 993                 sc->peer_key= NULL;
 994
 995                 if (s->session->peer != NULL)
 996                         X509_free(s->session->peer);
 997                 s->session->peer=NULL;
 998                 }
 999         s->session->verify_result = s->verify_result;
1000
1001         x=NULL;
1002         ret=1;
1003
1004         if (0)
1005                 {
1006 f_err:
1007                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1008                 }
1009 err:
1010         EVP_PKEY_free(pkey);
1011         X509_free(x);
1012         sk_X509_pop_free(sk,X509_free);
1013         return(ret);
1014         }
1015
1016 int ssl3_get_key_exchange(SSL *s)
1017         {
1018 #ifndef OPENSSL_NO_RSA
1019         unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1020 #endif
1021         EVP_MD_CTX md_ctx;
1022         unsigned char *param,*p;
1023         int al,i,j,param_len,ok;
1024         long n,alg;
1025         EVP_PKEY *pkey=NULL;
1026 #ifndef OPENSSL_NO_RSA
1027         RSA *rsa=NULL;
1028 #endif
1029 #ifndef OPENSSL_NO_DH
1030         DH *dh=NULL;
1031 #endif
1032 #ifndef OPENSSL_NO_ECDH
1033         EC_KEY *ecdh = NULL;
1034         BN_CTX *bn_ctx = NULL;
1035         EC_POINT *srvr_ecpoint = NULL;
1036         int curve_nid = 0;
1037         int encoded_pt_len = 0;
1038 #endif
1039
1040         /* use same message size as in ssl3_get_certificate_request()
1041          * as ServerKeyExchange message may be skipped */
1042         n=s->method->ssl_get_message(s,
1043                 SSL3_ST_CR_KEY_EXCH_A,
1044                 SSL3_ST_CR_KEY_EXCH_B,
1045                 -1,
1046                 s->max_cert_list,
1047                 &ok);
1048
1049         if (!ok) return((int)n);
1050
1051         if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1052                 {
1053                 s->s3->tmp.reuse_message=1;
1054                 return(1);
1055                 }
1056
1057         param=p=(unsigned char *)s->init_msg;
1058
1059         if (s->session->sess_cert != NULL)
1060                 {
1061 #ifndef OPENSSL_NO_RSA
1062                 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1063                         {
1064                         RSA_free(s->session->sess_cert->peer_rsa_tmp);
1065                         s->session->sess_cert->peer_rsa_tmp=NULL;
1066                         }
1067 #endif
1068 #ifndef OPENSSL_NO_DH
1069                 if (s->session->sess_cert->peer_dh_tmp)
1070                         {
1071                         DH_free(s->session->sess_cert->peer_dh_tmp);
1072                         s->session->sess_cert->peer_dh_tmp=NULL;
1073                         }
1074 #endif
1075 #ifndef OPENSSL_NO_ECDH
1076                 if (s->session->sess_cert->peer_ecdh_tmp)
1077                         {
1078                         EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1079                         s->session->sess_cert->peer_ecdh_tmp=NULL;
1080                         }
1081 #endif
1082                 }
1083         else
1084                 {
1085                 s->session->sess_cert=ssl_sess_cert_new();
1086                 }
1087
1088         param_len=0;
1089         alg=s->s3->tmp.new_cipher->algorithms;
1090         EVP_MD_CTX_init(&md_ctx);
1091
1092 #ifndef OPENSSL_NO_RSA
1093         if (alg & SSL_kRSA)
1094                 {
1095                 if ((rsa=RSA_new()) == NULL)
1096                         {
1097                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1098                         goto err;
1099                         }
1100                 n2s(p,i);
1101                 param_len=i+2;
1102                 if (param_len > n)
1103                         {
1104                         al=SSL_AD_DECODE_ERROR;
1105                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1106                         goto f_err;
1107                         }
1108                 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1109                         {
1110                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1111                         goto err;
1112                         }
1113                 p+=i;
1114
1115                 n2s(p,i);
1116                 param_len+=i+2;
1117                 if (param_len > n)
1118                         {
1119                         al=SSL_AD_DECODE_ERROR;
1120                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1121                         goto f_err;
1122                         }
1123                 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1124                         {
1125                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1126                         goto err;
1127                         }
1128                 p+=i;
1129                 n-=param_len;
1130
1131                 /* this should be because we are using an export cipher */
1132                 if (alg & SSL_aRSA)
1133                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1134                 else
1135                         {
1136                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1137                         goto err;
1138                         }
1139                 s->session->sess_cert->peer_rsa_tmp=rsa;
1140                 rsa=NULL;
1141                 }
1142 #else /* OPENSSL_NO_RSA */
1143         if (0)
1144                 ;
1145 #endif
1146 #ifndef OPENSSL_NO_DH
1147         else if (alg & SSL_kEDH)
1148                 {
1149                 if ((dh=DH_new()) == NULL)
1150                         {
1151                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1152                         goto err;
1153                         }
1154                 n2s(p,i);
1155                 param_len=i+2;
1156                 if (param_len > n)
1157                         {
1158                         al=SSL_AD_DECODE_ERROR;
1159                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1160                         goto f_err;
1161                         }
1162                 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1163                         {
1164                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1165                         goto err;
1166                         }
1167                 p+=i;
1168
1169                 n2s(p,i);
1170                 param_len+=i+2;
1171                 if (param_len > n)
1172                         {
1173                         al=SSL_AD_DECODE_ERROR;
1174                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1175                         goto f_err;
1176                         }
1177                 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1178                         {
1179                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1180                         goto err;
1181                         }
1182                 p+=i;
1183
1184                 n2s(p,i);
1185                 param_len+=i+2;
1186                 if (param_len > n)
1187                         {
1188                         al=SSL_AD_DECODE_ERROR;
1189                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1190                         goto f_err;
1191                         }
1192                 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1193                         {
1194                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1195                         goto err;
1196                         }
1197                 p+=i;
1198                 n-=param_len;
1199
1200 #ifndef OPENSSL_NO_RSA
1201                 if (alg & SSL_aRSA)
1202                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1203 #else
1204                 if (0)
1205                         ;
1206 #endif
1207 #ifndef OPENSSL_NO_DSA
1208                 else if (alg & SSL_aDSS)
1209                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1210 #endif
1211                 /* else anonymous DH, so no certificate or pkey. */
1212
1213                 s->session->sess_cert->peer_dh_tmp=dh;
1214                 dh=NULL;
1215                 }
1216         else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1217                 {
1218                 al=SSL_AD_ILLEGAL_PARAMETER;
1219                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1220                 goto f_err;
1221                 }
1222 #endif /* !OPENSSL_NO_DH */
1223
1224 #ifndef OPENSSL_NO_ECDH
1225         else if (alg & SSL_kECDHE)
1226                 {
1227                 EC_GROUP *ngroup;
1228                 const EC_GROUP *group;
1229
1230                 if ((ecdh=EC_KEY_new()) == NULL)
1231                         {
1232                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1233                         goto err;
1234                         }
1235
1236                 /* Extract elliptic curve parameters and the
1237                  * server's ephemeral ECDH public key.
1238                  * Keep accumulating lengths of various components in
1239                  * param_len and make sure it never exceeds n.
1240                  */
1241
1242                 /* XXX: For now we only support named (not generic) curves
1243                  * and the ECParameters in this case is just three bytes.
1244                  */
1245                 param_len=3;
1246                 if ((param_len > n) ||
1247                     (*p != NAMED_CURVE_TYPE) ||
1248                     ((curve_nid = curve_id2nid(*(p + 2))) == 0))
1249                         {
1250                         al=SSL_AD_INTERNAL_ERROR;
1251                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1252                         goto f_err;
1253                         }
1254
1255                 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1256                 if (ngroup == NULL)
1257                         {
1258                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1259                         goto err;
1260                         }
1261                 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1262                         {
1263                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1264                         goto err;
1265                         }
1266                 EC_GROUP_free(ngroup);
1267
1268                 group = EC_KEY_get0_group(ecdh);
1269
1270                 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1271                     (EC_GROUP_get_degree(group) > 163))
1272                         {
1273                         al=SSL_AD_EXPORT_RESTRICTION;
1274                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1275                         goto f_err;
1276                         }
1277
1278                 p+=3;
1279
1280                 /* Next, get the encoded ECPoint */
1281                 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1282                     ((bn_ctx = BN_CTX_new()) == NULL))
1283                         {
1284                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1285                         goto err;
1286                         }
1287
1288                 encoded_pt_len = *p;  /* length of encoded point */
1289                 p+=1;
1290                 param_len += (1 + encoded_pt_len);
1291                 if ((param_len > n) ||
1292                     (EC_POINT_oct2point(group, srvr_ecpoint,
1293                         p, encoded_pt_len, bn_ctx) == 0))
1294                         {
1295                         al=SSL_AD_DECODE_ERROR;
1296                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1297                         goto f_err;
1298                         }
1299
1300                 n-=param_len;
1301                 p+=encoded_pt_len;
1302
1303                 /* The ECC/TLS specification does not mention
1304                  * the use of DSA to sign ECParameters in the server
1305                  * key exchange message. We do support RSA and ECDSA.
1306                  */
1307                 if (0) ;
1308 #ifndef OPENSSL_NO_RSA
1309                 else if (alg & SSL_aRSA)
1310                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1311 #endif
1312 #ifndef OPENSSL_NO_ECDSA
1313                 else if (alg & SSL_aECDSA)
1314                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1315 #endif
1316                 /* else anonymous ECDH, so no certificate or pkey. */
1317                 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1318                 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1319                 ecdh=NULL;
1320                 BN_CTX_free(bn_ctx);
1321                 EC_POINT_free(srvr_ecpoint);
1322                 srvr_ecpoint = NULL;
1323                 }
1324         else if (alg & SSL_kECDH)
1325                 {
1326                 al=SSL_AD_UNEXPECTED_MESSAGE;
1327                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1328                 goto f_err;
1329                 }
1330 #endif /* !OPENSSL_NO_ECDH */
1331         if (alg & SSL_aFZA)
1332                 {
1333                 al=SSL_AD_HANDSHAKE_FAILURE;
1334                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1335                 goto f_err;
1336                 }
1337
1338
1339         /* p points to the next byte, there are 'n' bytes left */
1340
1341         /* if it was signed, check the signature */
1342         if (pkey != NULL)
1343                 {
1344                 n2s(p,i);
1345                 n-=2;
1346                 j=EVP_PKEY_size(pkey);
1347
1348                 if ((i != n) || (n > j) || (n <= 0))
1349                         {
1350                         /* wrong packet length */
1351                         al=SSL_AD_DECODE_ERROR;
1352                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1353                         goto f_err;
1354                         }
1355
1356 #ifndef OPENSSL_NO_RSA
1357                 if (pkey->type == EVP_PKEY_RSA)
1358                         {
1359                         int num;
1360
1361                         j=0;
1362                         q=md_buf;
1363                         for (num=2; num > 0; num--)
1364                                 {
1365                                 EVP_DigestInit_ex(&md_ctx,(num == 2)
1366                                         ?s->ctx->md5:s->ctx->sha1, NULL);
1367                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1368                                 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1369                                 EVP_DigestUpdate(&md_ctx,param,param_len);
1370                                 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1371                                 q+=i;
1372                                 j+=i;
1373                                 }
1374                         i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1375                                                                 pkey->pkey.rsa);
1376                         if (i < 0)
1377                                 {
1378                                 al=SSL_AD_DECRYPT_ERROR;
1379                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1380                                 goto f_err;
1381                                 }
1382                         if (i == 0)
1383                                 {
1384                                 /* bad signature */
1385                                 al=SSL_AD_DECRYPT_ERROR;
1386                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1387                                 goto f_err;
1388                                 }
1389                         }
1390                 else
1391 #endif
1392 #ifndef OPENSSL_NO_DSA
1393                         if (pkey->type == EVP_PKEY_DSA)
1394                         {
1395                         /* lets do DSS */
1396                         EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1397                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1398                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1399                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1400                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1401                                 {
1402                                 /* bad signature */
1403                                 al=SSL_AD_DECRYPT_ERROR;
1404                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1405                                 goto f_err;
1406                                 }
1407                         }
1408                 else
1409 #endif
1410 #ifndef OPENSSL_NO_ECDSA
1411                         if (pkey->type == EVP_PKEY_EC)
1412                         {
1413                         /* let's do ECDSA */
1414                         EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1415                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1416                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1417                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1418                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1419                                 {
1420                                 /* bad signature */
1421                                 al=SSL_AD_DECRYPT_ERROR;
1422                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1423                                 goto f_err;
1424                                 }
1425                         }
1426                 else
1427 #endif
1428                         {
1429                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1430                         goto err;
1431                         }
1432                 }
1433         else
1434                 {
1435                 /* still data left over */
1436                 if (!(alg & SSL_aNULL))
1437                         {
1438                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1439                         goto err;
1440                         }
1441                 if (n != 0)
1442                         {
1443                         al=SSL_AD_DECODE_ERROR;
1444                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1445                         goto f_err;
1446                         }
1447                 }
1448         EVP_PKEY_free(pkey);
1449         EVP_MD_CTX_cleanup(&md_ctx);
1450         return(1);
1451 f_err:
1452         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1453 err:
1454         EVP_PKEY_free(pkey);
1455 #ifndef OPENSSL_NO_RSA
1456         if (rsa != NULL)
1457                 RSA_free(rsa);
1458 #endif
1459 #ifndef OPENSSL_NO_DH
1460         if (dh != NULL)
1461                 DH_free(dh);
1462 #endif
1463 #ifndef OPENSSL_NO_ECDH
1464         BN_CTX_free(bn_ctx);
1465         EC_POINT_free(srvr_ecpoint);
1466         if (ecdh != NULL)
1467                 EC_KEY_free(ecdh);
1468 #endif
1469         EVP_MD_CTX_cleanup(&md_ctx);
1470         return(-1);
1471         }
1472
1473 int ssl3_get_certificate_request(SSL *s)
1474         {
1475         int ok,ret=0;
1476         unsigned long n,nc,l;
1477         unsigned int llen,ctype_num,i;
1478         X509_NAME *xn=NULL;
1479         const unsigned char *p,*q;
1480         unsigned char *d;
1481         STACK_OF(X509_NAME) *ca_sk=NULL;
1482
1483         n=s->method->ssl_get_message(s,
1484                 SSL3_ST_CR_CERT_REQ_A,
1485                 SSL3_ST_CR_CERT_REQ_B,
1486                 -1,
1487                 s->max_cert_list,
1488                 &ok);
1489
1490         if (!ok) return((int)n);
1491
1492         s->s3->tmp.cert_req=0;
1493
1494         if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1495                 {
1496                 s->s3->tmp.reuse_message=1;
1497                 return(1);
1498                 }
1499
1500         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1501                 {
1502                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1503                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1504                 goto err;
1505                 }
1506
1507         /* TLS does not like anon-DH with client cert */
1508         if (s->version > SSL3_VERSION)
1509                 {
1510                 l=s->s3->tmp.new_cipher->algorithms;
1511                 if (l & SSL_aNULL)
1512                         {
1513                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1514                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1515                         goto err;
1516                         }
1517                 }
1518
1519         p=d=(unsigned char *)s->init_msg;
1520
1521         if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1522                 {
1523                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1524                 goto err;
1525                 }
1526
1527         /* get the certificate types */
1528         ctype_num= *(p++);
1529         if (ctype_num > SSL3_CT_NUMBER)
1530                 ctype_num=SSL3_CT_NUMBER;
1531         for (i=0; i<ctype_num; i++)
1532                 s->s3->tmp.ctype[i]= p[i];
1533         p+=ctype_num;
1534
1535         /* get the CA RDNs */
1536         n2s(p,llen);
1537 #if 0
1538 {
1539 FILE *out;
1540 out=fopen("/tmp/vsign.der","w");
1541 fwrite(p,1,llen,out);
1542 fclose(out);
1543 }
1544 #endif
1545
1546         if ((llen+ctype_num+2+1) != n)
1547                 {
1548                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1549                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1550                 goto err;
1551                 }
1552
1553         for (nc=0; nc<llen; )
1554                 {
1555                 n2s(p,l);
1556                 if ((l+nc+2) > llen)
1557                         {
1558                         if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1559                                 goto cont; /* netscape bugs */
1560                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1561                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1562                         goto err;
1563                         }
1564
1565                 q=p;
1566
1567                 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1568                         {
1569                         /* If netscape tolerance is on, ignore errors */
1570                         if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1571                                 goto cont;
1572                         else
1573                                 {
1574                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1575                                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1576                                 goto err;
1577                                 }
1578                         }
1579
1580                 if (q != (p+l))
1581                         {
1582                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1583                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1584                         goto err;
1585                         }
1586                 if (!sk_X509_NAME_push(ca_sk,xn))
1587                         {
1588                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1589                         goto err;
1590                         }
1591
1592                 p+=l;
1593                 nc+=l+2;
1594                 }
1595
1596         if (0)
1597                 {
1598 cont:
1599                 ERR_clear_error();
1600                 }
1601
1602         /* we should setup a certificate to return.... */
1603         s->s3->tmp.cert_req=1;
1604         s->s3->tmp.ctype_num=ctype_num;
1605         if (s->s3->tmp.ca_names != NULL)
1606                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1607         s->s3->tmp.ca_names=ca_sk;
1608         ca_sk=NULL;
1609
1610         ret=1;
1611 err:
1612         if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1613         return(ret);
1614         }
1615
1616 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1617         {
1618         return(X509_NAME_cmp(*a,*b));
1619         }
1620
1621 int ssl3_get_server_done(SSL *s)
1622         {
1623         int ok,ret=0;
1624         long n;
1625
1626         n=s->method->ssl_get_message(s,
1627                 SSL3_ST_CR_SRVR_DONE_A,
1628                 SSL3_ST_CR_SRVR_DONE_B,
1629                 SSL3_MT_SERVER_DONE,
1630                 30, /* should be very small, like 0 :-) */
1631                 &ok);
1632
1633         if (!ok) return((int)n);
1634         if (n > 0)
1635                 {
1636                 /* should contain no data */
1637                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1638                 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1639                 return -1;
1640                 }
1641         ret=1;
1642         return(ret);
1643         }
1644
1645
1646 int ssl3_send_client_key_exchange(SSL *s)
1647         {
1648         unsigned char *p,*d;
1649         int n;
1650         unsigned long l;
1651 #ifndef OPENSSL_NO_RSA
1652         unsigned char *q;
1653         EVP_PKEY *pkey=NULL;
1654 #endif
1655 #ifndef OPENSSL_NO_KRB5
1656         KSSL_ERR kssl_err;
1657 #endif /* OPENSSL_NO_KRB5 */
1658 #ifndef OPENSSL_NO_ECDH
1659         EC_KEY *clnt_ecdh = NULL;
1660         const EC_POINT *srvr_ecpoint = NULL;
1661         EVP_PKEY *srvr_pub_pkey = NULL;
1662         unsigned char *encodedPoint = NULL;
1663         int encoded_pt_len = 0;
1664         BN_CTX * bn_ctx = NULL;
1665 #endif
1666
1667         if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1668                 {
1669                 d=(unsigned char *)s->init_buf->data;
1670                 p= &(d[4]);
1671
1672                 l=s->s3->tmp.new_cipher->algorithms;
1673
1674                 /* Fool emacs indentation */
1675                 if (0) {}
1676 #ifndef OPENSSL_NO_RSA
1677                 else if (l & SSL_kRSA)
1678                         {
1679                         RSA *rsa;
1680                         unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1681
1682                         if (s->session->sess_cert->peer_rsa_tmp != NULL)
1683                                 rsa=s->session->sess_cert->peer_rsa_tmp;
1684                         else
1685                                 {
1686                                 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1687                                 if ((pkey == NULL) ||
1688                                         (pkey->type != EVP_PKEY_RSA) ||
1689                                         (pkey->pkey.rsa == NULL))
1690                                         {
1691                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1692                                         goto err;
1693                                         }
1694                                 rsa=pkey->pkey.rsa;
1695                                 EVP_PKEY_free(pkey);
1696                                 }
1697
1698                         tmp_buf[0]=s->client_version>>8;
1699                         tmp_buf[1]=s->client_version&0xff;
1700                         if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
1701                                         goto err;
1702
1703                         s->session->master_key_length=sizeof tmp_buf;
1704
1705                         q=p;
1706                         /* Fix buf for TLS and beyond */
1707                         if (s->version > SSL3_VERSION)
1708                                 p+=2;
1709                         n=RSA_public_encrypt(sizeof tmp_buf,
1710                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1711 #ifdef PKCS1_CHECK
1712                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1713                         if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1714 #endif
1715                         if (n <= 0)
1716                                 {
1717                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1718                                 goto err;
1719                                 }
1720
1721                         /* Fix buf for TLS and beyond */
1722                         if (s->version > SSL3_VERSION)
1723                                 {
1724                                 s2n(n,q);
1725                                 n+=2;
1726                                 }
1727
1728                         s->session->master_key_length=
1729                                 s->method->ssl3_enc->generate_master_secret(s,
1730                                         s->session->master_key,
1731                                         tmp_buf,sizeof tmp_buf);
1732                         OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
1733                         }
1734 #endif
1735 #ifndef OPENSSL_NO_KRB5
1736                 else if (l & SSL_kKRB5)
1737                         {
1738                         krb5_error_code krb5rc;
1739                         KSSL_CTX        *kssl_ctx = s->kssl_ctx;
1740                         /*  krb5_data   krb5_ap_req;  */
1741                         krb5_data       *enc_ticket;
1742                         krb5_data       authenticator, *authp = NULL;
1743                         EVP_CIPHER_CTX  ciph_ctx;
1744                         EVP_CIPHER      *enc = NULL;
1745                         unsigned char   iv[EVP_MAX_IV_LENGTH];
1746                         unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1747                         unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
1748                                                 + EVP_MAX_IV_LENGTH];
1749                         int             padl, outl = sizeof(epms);
1750
1751                         EVP_CIPHER_CTX_init(&ciph_ctx);
1752
1753 #ifdef KSSL_DEBUG
1754                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1755                                 l, SSL_kKRB5);
1756 #endif  /* KSSL_DEBUG */
1757
1758                         authp = NULL;
1759 #ifdef KRB5SENDAUTH
1760                         if (KRB5SENDAUTH)  authp = &authenticator;
1761 #endif  /* KRB5SENDAUTH */
1762
1763                         krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
1764                                 &kssl_err);
1765                         enc = kssl_map_enc(kssl_ctx->enctype);
1766                         if (enc == NULL)
1767                             goto err;
1768 #ifdef KSSL_DEBUG
1769                         {
1770                         printf("kssl_cget_tkt rtn %d\n", krb5rc);
1771                         if (krb5rc && kssl_err.text)
1772                           printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
1773                         }
1774 #endif  /* KSSL_DEBUG */
1775
1776                         if (krb5rc)
1777                                 {
1778                                 ssl3_send_alert(s,SSL3_AL_FATAL,
1779                                                 SSL_AD_HANDSHAKE_FAILURE);
1780                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1781                                                 kssl_err.reason);
1782                                 goto err;
1783                                 }
1784
1785                         /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
1786                         **  in place of RFC 2712 KerberosWrapper, as in:
1787                         **
1788                         **  Send ticket (copy to *p, set n = length)
1789                         **  n = krb5_ap_req.length;
1790                         **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1791                         **  if (krb5_ap_req.data)
1792                         **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1793                         **
1794                         **  Now using real RFC 2712 KerberosWrapper
1795                         **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1796                         **  Note: 2712 "opaque" types are here replaced
1797                         **  with a 2-byte length followed by the value.
1798                         **  Example:
1799                         **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1800                         **  Where "xx xx" = length bytes.  Shown here with
1801                         **  optional authenticator omitted.
1802                         */
1803
1804                         /*  KerberosWrapper.Ticket              */
1805                         s2n(enc_ticket->length,p);
1806                         memcpy(p, enc_ticket->data, enc_ticket->length);
1807                         p+= enc_ticket->length;
1808                         n = enc_ticket->length + 2;
1809
1810                         /*  KerberosWrapper.Authenticator       */
1811                         if (authp  &&  authp->length)
1812                                 {
1813                                 s2n(authp->length,p);
1814                                 memcpy(p, authp->data, authp->length);
1815                                 p+= authp->length;
1816                                 n+= authp->length + 2;
1817
1818                                 free(authp->data);
1819                                 authp->data = NULL;
1820                                 authp->length = 0;
1821                                 }
1822                         else
1823                                 {
1824                                 s2n(0,p);/*  null authenticator length  */
1825                                 n+=2;
1826                                 }
1827
1828                         if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
1829                             goto err;
1830
1831                         /*  20010420 VRS.  Tried it this way; failed.
1832                         **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
1833                         **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
1834                         **                              kssl_ctx->length);
1835                         **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
1836                         */
1837
1838                         memset(iv, 0, sizeof iv);  /* per RFC 1510 */
1839                         EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
1840                                 kssl_ctx->key,iv);
1841                         EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
1842                                 sizeof tmp_buf);
1843                         EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
1844                         outl += padl;
1845                         if (outl > sizeof epms)
1846                                 {
1847                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1848                                 goto err;
1849                                 }
1850                         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1851
1852                         /*  KerberosWrapper.EncryptedPreMasterSecret    */
1853                         s2n(outl,p);
1854                         memcpy(p, epms, outl);
1855                         p+=outl;
1856                         n+=outl + 2;
1857
1858                         s->session->master_key_length=
1859                                 s->method->ssl3_enc->generate_master_secret(s,
1860                                         s->session->master_key,
1861                                         tmp_buf, sizeof tmp_buf);
1862
1863                         OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
1864                         OPENSSL_cleanse(epms, outl);
1865                         }
1866 #endif
1867 #ifndef OPENSSL_NO_DH
1868                 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1869                         {
1870                         DH *dh_srvr,*dh_clnt;
1871
1872                         if (s->session->sess_cert->peer_dh_tmp != NULL)
1873                                 dh_srvr=s->session->sess_cert->peer_dh_tmp;
1874                         else
1875                                 {
1876                                 /* we get them from the cert */
1877                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1878                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1879                                 goto err;
1880                                 }
1881
1882                         /* generate a new random key */
1883                         if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
1884                                 {
1885                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1886                                 goto err;
1887                                 }
1888                         if (!DH_generate_key(dh_clnt))
1889                                 {
1890                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1891                                 goto err;
1892                                 }
1893
1894                         /* use the 'p' output buffer for the DH key, but
1895                          * make sure to clear it out afterwards */
1896
1897                         n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
1898
1899                         if (n <= 0)
1900                                 {
1901                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1902                                 goto err;
1903                                 }
1904
1905                         /* generate master key from the result */
1906                         s->session->master_key_length=
1907                                 s->method->ssl3_enc->generate_master_secret(s,
1908                                         s->session->master_key,p,n);
1909                         /* clean up */
1910                         memset(p,0,n);
1911
1912                         /* send off the data */
1913                         n=BN_num_bytes(dh_clnt->pub_key);
1914                         s2n(n,p);
1915                         BN_bn2bin(dh_clnt->pub_key,p);
1916                         n+=2;
1917
1918                         DH_free(dh_clnt);
1919
1920                         /* perhaps clean things up a bit EAY EAY EAY EAY*/
1921                         }
1922 #endif
1923
1924 #ifndef OPENSSL_NO_ECDH
1925                 else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
1926                         {
1927                         const EC_GROUP *srvr_group = NULL;
1928                         EC_KEY *tkey;
1929                         int ecdh_clnt_cert = 0;
1930                         int field_size = 0;
1931
1932                         /* Did we send out the client's
1933                          * ECDH share for use in premaster
1934                          * computation as part of client certificate?
1935                          * If so, set ecdh_clnt_cert to 1.
1936                          */
1937                         if ((l & SSL_kECDH) && (s->cert != NULL))
1938                                 {
1939                                 /* XXX: For now, we do not support client
1940                                  * authentication using ECDH certificates.
1941                                  * To add such support, one needs to add
1942                                  * code that checks for appropriate
1943                                  * conditions and sets ecdh_clnt_cert to 1.
1944                                  * For example, the cert have an ECC
1945                                  * key on the same curve as the server's
1946                                  * and the key should be authorized for
1947                                  * key agreement.
1948                                  *
1949                                  * One also needs to add code in ssl3_connect
1950                                  * to skip sending the certificate verify
1951                                  * message.
1952                                  *
1953                                  * if ((s->cert->key->privatekey != NULL) &&
1954                                  *     (s->cert->key->privatekey->type ==
1955                                  *      EVP_PKEY_EC) && ...)
1956                                  * ecdh_clnt_cert = 1;
1957                                  */
1958                                 }
1959
1960                         if (s->session->sess_cert->peer_ecdh_tmp != NULL)
1961                                 {
1962                                 tkey = s->session->sess_cert->peer_ecdh_tmp;
1963                                 }
1964                         else
1965                                 {
1966                                 /* Get the Server Public Key from Cert */
1967                                 srvr_pub_pkey = X509_get_pubkey(s->session-> \
1968                                     sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1969                                 if ((srvr_pub_pkey == NULL) ||
1970                                     (srvr_pub_pkey->type != EVP_PKEY_EC) ||
1971                                     (srvr_pub_pkey->pkey.ec == NULL))
1972                                         {
1973                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1974                                             ERR_R_INTERNAL_ERROR);
1975                                         goto err;
1976                                         }
1977
1978                                 tkey = srvr_pub_pkey->pkey.ec;
1979                                 }
1980
1981                         srvr_group   = EC_KEY_get0_group(tkey);
1982                         srvr_ecpoint = EC_KEY_get0_public_key(tkey);
1983
1984                         if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
1985                                 {
1986                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1987                                     ERR_R_INTERNAL_ERROR);
1988                                 goto err;
1989                                 }
1990
1991                         if ((clnt_ecdh=EC_KEY_new()) == NULL)
1992                                 {
1993                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1994                                 goto err;
1995                                 }
1996
1997                         if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
1998                                 {
1999                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2000                                 goto err;
2001                                 }
2002                         if (ecdh_clnt_cert)
2003                                 {
2004                                 /* Reuse key info from our certificate
2005                                  * We only need our private key to perform
2006                                  * the ECDH computation.
2007                                  */
2008                                 const BIGNUM *priv_key;
2009                                 tkey = s->cert->key->privatekey->pkey.ec;
2010                                 priv_key = EC_KEY_get0_private_key(tkey);
2011                                 if (priv_key == NULL)
2012                                         {
2013                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2014                                         goto err;
2015                                         }
2016                                 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2017                                         {
2018                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2019                                         goto err;
2020                                         }
2021                                 }
2022                         else
2023                                 {
2024                                 /* Generate a new ECDH key pair */
2025                                 if (!(EC_KEY_generate_key(clnt_ecdh)))
2026                                         {
2027                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2028                                         goto err;
2029                                         }
2030                                 }
2031
2032                         /* use the 'p' output buffer for the ECDH key, but
2033                          * make sure to clear it out afterwards
2034                          */
2035
2036                         field_size = EC_GROUP_get_degree(srvr_group);
2037                         if (field_size <= 0)
2038                                 {
2039                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2040                                        ERR_R_ECDH_LIB);
2041                                 goto err;
2042                                 }
2043                         n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2044                         if (n <= 0)
2045                                 {
2046                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2047                                        ERR_R_ECDH_LIB);
2048                                 goto err;
2049                                 }
2050
2051                         /* generate master key from the result */
2052                         s->session->master_key_length = s->method->ssl3_enc \
2053                             -> generate_master_secret(s,
2054                                 s->session->master_key,
2055                                 p, n);
2056
2057                         memset(p, 0, n); /* clean up */
2058
2059                         if (ecdh_clnt_cert)
2060                                 {
2061                                 /* Send empty client key exch message */
2062                                 n = 0;
2063                                 }
2064                         else
2065                                 {
2066                                 /* First check the size of encoding and
2067                                  * allocate memory accordingly.
2068                                  */
2069                                 encoded_pt_len =
2070                                     EC_POINT_point2oct(srvr_group,
2071                                         EC_KEY_get0_public_key(clnt_ecdh),
2072                                         POINT_CONVERSION_UNCOMPRESSED,
2073                                         NULL, 0, NULL);
2074
2075                                 encodedPoint = (unsigned char *)
2076                                     OPENSSL_malloc(encoded_pt_len *
2077                                         sizeof(unsigned char));
2078                                 bn_ctx = BN_CTX_new();
2079                                 if ((encodedPoint == NULL) ||
2080                                     (bn_ctx == NULL))
2081                                         {
2082                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2083                                         goto err;
2084                                         }
2085
2086                                 /* Encode the public key */
2087                                 n = EC_POINT_point2oct(srvr_group,
2088                                     EC_KEY_get0_public_key(clnt_ecdh),
2089                                     POINT_CONVERSION_UNCOMPRESSED,
2090                                     encodedPoint, encoded_pt_len, bn_ctx);
2091
2092                                 *p = n; /* length of encoded point */
2093                                 /* Encoded point will be copied here */
2094                                 p += 1;
2095                                 /* copy the point */
2096                                 memcpy((unsigned char *)p, encodedPoint, n);
2097                                 /* increment n to account for length field */
2098                                 n += 1;
2099                                 }
2100
2101                         /* Free allocated memory */
2102                         BN_CTX_free(bn_ctx);
2103                         if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2104                         if (clnt_ecdh != NULL)
2105                                  EC_KEY_free(clnt_ecdh);
2106                         EVP_PKEY_free(srvr_pub_pkey);
2107                         }
2108 #endif /* !OPENSSL_NO_ECDH */
2109                 else
2110                         {
2111                         ssl3_send_alert(s, SSL3_AL_FATAL,
2112                             SSL_AD_HANDSHAKE_FAILURE);
2113                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2114                             ERR_R_INTERNAL_ERROR);
2115                         goto err;
2116                         }
2117
2118                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2119                 l2n3(n,d);
2120
2121                 s->state=SSL3_ST_CW_KEY_EXCH_B;
2122                 /* number of bytes to write */
2123                 s->init_num=n+4;
2124                 s->init_off=0;
2125                 }
2126
2127         /* SSL3_ST_CW_KEY_EXCH_B */
2128         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2129 err:
2130 #ifndef OPENSSL_NO_ECDH
2131         BN_CTX_free(bn_ctx);
2132         if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2133         if (clnt_ecdh != NULL)
2134                 EC_KEY_free(clnt_ecdh);
2135         EVP_PKEY_free(srvr_pub_pkey);
2136 #endif
2137         return(-1);
2138         }
2139
2140 int ssl3_send_client_verify(SSL *s)
2141         {
2142         unsigned char *p,*d;
2143         unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2144         EVP_PKEY *pkey;
2145 #ifndef OPENSSL_NO_RSA
2146         unsigned u=0;
2147 #endif
2148         unsigned long n;
2149 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2150         int j;
2151 #endif
2152
2153         if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2154                 {
2155                 d=(unsigned char *)s->init_buf->data;
2156                 p= &(d[4]);
2157                 pkey=s->cert->key->privatekey;
2158
2159                 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
2160                         &(data[MD5_DIGEST_LENGTH]));
2161
2162 #ifndef OPENSSL_NO_RSA
2163                 if (pkey->type == EVP_PKEY_RSA)
2164                         {
2165                         s->method->ssl3_enc->cert_verify_mac(s,
2166                                 &(s->s3->finish_dgst1),&(data[0]));
2167                         if (RSA_sign(NID_md5_sha1, data,
2168                                          MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2169                                         &(p[2]), &u, pkey->pkey.rsa) <= 0 )
2170                                 {
2171                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
2172                                 goto err;
2173                                 }
2174                         s2n(u,p);
2175                         n=u+2;
2176                         }
2177                 else
2178 #endif
2179 #ifndef OPENSSL_NO_DSA
2180                         if (pkey->type == EVP_PKEY_DSA)
2181                         {
2182                         if (!DSA_sign(pkey->save_type,
2183                                 &(data[MD5_DIGEST_LENGTH]),
2184                                 SHA_DIGEST_LENGTH,&(p[2]),
2185                                 (unsigned int *)&j,pkey->pkey.dsa))
2186                                 {
2187                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
2188                                 goto err;
2189                                 }
2190                         s2n(j,p);
2191                         n=j+2;
2192                         }
2193                 else
2194 #endif
2195 #ifndef OPENSSL_NO_ECDSA
2196                         if (pkey->type == EVP_PKEY_EC)
2197                         {
2198                         if (!ECDSA_sign(pkey->save_type,
2199                                 &(data[MD5_DIGEST_LENGTH]),
2200                                 SHA_DIGEST_LENGTH,&(p[2]),
2201                                 (unsigned int *)&j,pkey->pkey.ec))
2202                                 {
2203                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2204                                     ERR_R_ECDSA_LIB);
2205                                 goto err;
2206                                 }
2207                         s2n(j,p);
2208                         n=j+2;
2209                         }
2210                 else
2211 #endif
2212                         {
2213                         SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
2214                         goto err;
2215                         }
2216                 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
2217                 l2n3(n,d);
2218
2219                 s->state=SSL3_ST_CW_CERT_VRFY_B;
2220                 s->init_num=(int)n+4;
2221                 s->init_off=0;
2222                 }
2223         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2224 err:
2225         return(-1);
2226         }
2227
2228 int ssl3_send_client_certificate(SSL *s)
2229         {
2230         X509 *x509=NULL;
2231         EVP_PKEY *pkey=NULL;
2232         int i;
2233         unsigned long l;
2234
2235         if (s->state == SSL3_ST_CW_CERT_A)
2236                 {
2237                 if ((s->cert == NULL) ||
2238                         (s->cert->key->x509 == NULL) ||
2239                         (s->cert->key->privatekey == NULL))
2240                         s->state=SSL3_ST_CW_CERT_B;
2241                 else
2242                         s->state=SSL3_ST_CW_CERT_C;
2243                 }
2244
2245         /* We need to get a client cert */
2246         if (s->state == SSL3_ST_CW_CERT_B)
2247                 {
2248                 /* If we get an error, we need to
2249                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2250                  * We then get retied later */
2251                 i=0;
2252                 if (s->ctx->client_cert_cb != NULL)
2253                         i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
2254                 if (i < 0)
2255                         {
2256                         s->rwstate=SSL_X509_LOOKUP;
2257                         return(-1);
2258                         }
2259                 s->rwstate=SSL_NOTHING;
2260                 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2261                         {
2262                         s->state=SSL3_ST_CW_CERT_B;
2263                         if (    !SSL_use_certificate(s,x509) ||
2264                                 !SSL_use_PrivateKey(s,pkey))
2265                                 i=0;
2266                         }
2267                 else if (i == 1)
2268                         {
2269                         i=0;
2270                         SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2271                         }
2272
2273                 if (x509 != NULL) X509_free(x509);
2274                 if (pkey != NULL) EVP_PKEY_free(pkey);
2275                 if (i == 0)
2276                         {
2277                         if (s->version == SSL3_VERSION)
2278                                 {
2279                                 s->s3->tmp.cert_req=0;
2280                                 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2281                                 return(1);
2282                                 }
2283                         else
2284                                 {
2285                                 s->s3->tmp.cert_req=2;
2286                                 }
2287                         }
2288
2289                 /* Ok, we have a cert */
2290                 s->state=SSL3_ST_CW_CERT_C;
2291                 }
2292
2293         if (s->state == SSL3_ST_CW_CERT_C)
2294                 {
2295                 s->state=SSL3_ST_CW_CERT_D;
2296                 l=ssl3_output_cert_chain(s,
2297                         (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
2298                 s->init_num=(int)l;
2299                 s->init_off=0;
2300                 }
2301         /* SSL3_ST_CW_CERT_D */
2302         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2303         }
2304
2305 #define has_bits(i,m)   (((i)&(m)) == (m))
2306
2307 int ssl3_check_cert_and_algorithm(SSL *s)
2308         {
2309         int i,idx;
2310         long algs;
2311         EVP_PKEY *pkey=NULL;
2312         SESS_CERT *sc;
2313 #ifndef OPENSSL_NO_RSA
2314         RSA *rsa;
2315 #endif
2316 #ifndef OPENSSL_NO_DH
2317         DH *dh;
2318 #endif
2319
2320         sc=s->session->sess_cert;
2321
2322         if (sc == NULL)
2323                 {
2324                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
2325                 goto err;
2326                 }
2327
2328         algs=s->s3->tmp.new_cipher->algorithms;
2329
2330         /* we don't have a certificate */
2331         if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
2332                 return(1);
2333
2334 #ifndef OPENSSL_NO_RSA
2335         rsa=s->session->sess_cert->peer_rsa_tmp;
2336 #endif
2337 #ifndef OPENSSL_NO_DH
2338         dh=s->session->sess_cert->peer_dh_tmp;
2339 #endif
2340
2341         /* This is the passed certificate */
2342
2343         idx=sc->peer_cert_type;
2344 #ifndef OPENSSL_NO_ECDH
2345         if (idx == SSL_PKEY_ECC)
2346                 {
2347                 if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2348                     s->s3->tmp.new_cipher) == 0)
2349                         { /* check failed */
2350                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2351                         goto f_err;
2352                         }
2353                 else
2354                         {
2355                         return 1;
2356                         }
2357                 }
2358 #endif
2359         pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2360         i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2361         EVP_PKEY_free(pkey);
2362
2363
2364         /* Check that we have a certificate if we require one */
2365         if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2366                 {
2367                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
2368                 goto f_err;
2369                 }
2370 #ifndef OPENSSL_NO_DSA
2371         else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2372                 {
2373                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
2374                 goto f_err;
2375                 }
2376 #endif
2377 #ifndef OPENSSL_NO_RSA
2378         if ((algs & SSL_kRSA) &&
2379                 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2380                 {
2381                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2382                 goto f_err;
2383                 }
2384 #endif
2385 #ifndef OPENSSL_NO_DH
2386         if ((algs & SSL_kEDH) &&
2387                 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2388                 {
2389                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
2390                 goto f_err;
2391                 }
2392         else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
2393                 {
2394                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
2395                 goto f_err;
2396                 }
2397 #ifndef OPENSSL_NO_DSA
2398         else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
2399                 {
2400                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
2401                 goto f_err;
2402                 }
2403 #endif
2404 #endif
2405
2406         if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
2407                 {
2408 #ifndef OPENSSL_NO_RSA
2409                 if (algs & SSL_kRSA)
2410                         {
2411                         if (rsa == NULL
2412                             || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2413                                 {
2414                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2415                                 goto f_err;
2416                                 }
2417                         }
2418                 else
2419 #endif
2420 #ifndef OPENSSL_NO_DH
2421                         if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2422                             {
2423                             if (dh == NULL
2424                                 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2425                                 {
2426                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
2427                                 goto f_err;
2428                                 }
2429                         }
2430                 else
2431 #endif
2432                         {
2433                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2434                         goto f_err;
2435                         }
2436                 }
2437         return(1);
2438 f_err:
2439         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2440 err:
2441         return(0);
2442         }
2443
2444
2445 #ifndef OPENSSL_NO_ECDH
2446 /* This is the complement of nid2curve_id in s3_srvr.c. */
2447 static int curve_id2nid(int curve_id)
2448 {
2449         /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2450          * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2451         static int nid_list[26] =
2452         {
2453                 0,
2454                 NID_sect163k1, /* sect163k1 (1) */
2455                 NID_sect163r1, /* sect163r1 (2) */
2456                 NID_sect163r2, /* sect163r2 (3) */
2457                 NID_sect193r1, /* sect193r1 (4) */
2458                 NID_sect193r2, /* sect193r2 (5) */
2459                 NID_sect233k1, /* sect233k1 (6) */
2460                 NID_sect233r1, /* sect233r1 (7) */
2461                 NID_sect239k1, /* sect239k1 (8) */
2462                 NID_sect283k1, /* sect283k1 (9) */
2463                 NID_sect283r1, /* sect283r1 (10) */
2464                 NID_sect409k1, /* sect409k1 (11) */
2465                 NID_sect409r1, /* sect409r1 (12) */
2466                 NID_sect571k1, /* sect571k1 (13) */
2467                 NID_sect571r1, /* sect571r1 (14) */
2468                 NID_secp160k1, /* secp160k1 (15) */
2469                 NID_secp160r1, /* secp160r1 (16) */
2470                 NID_secp160r2, /* secp160r2 (17) */
2471                 NID_secp192k1, /* secp192k1 (18) */
2472                 NID_X9_62_prime192v1, /* secp192r1 (19) */
2473                 NID_secp224k1, /* secp224k1 (20) */
2474                 NID_secp224r1, /* secp224r1 (21) */
2475                 NID_secp256k1, /* secp256k1 (22) */
2476                 NID_X9_62_prime256v1, /* secp256r1 (23) */
2477                 NID_secp384r1, /* secp384r1 (24) */
2478                 NID_secp521r1  /* secp521r1 (25) */
2479         };
2480
2481         if ((curve_id < 1) || (curve_id > 25)) return 0;
2482
2483         return nid_list[curve_id];
2484 }
2485 #endif