2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
126 #include "ssl_locl.h"
127 #include "kssl_lcl.h"
128 #include <openssl/buffer.h>
129 #include <openssl/rand.h>
130 #include <openssl/objects.h>
131 #include <openssl/evp.h>
132 #include <openssl/md5.h>
133 #ifndef OPENSSL_NO_DH
134 #include <openssl/dh.h>
136 #include <openssl/bn.h>
138 static const SSL_METHOD
*ssl3_get_client_method(int ver
);
139 static int ca_dn_cmp(const X509_NAME
* const *a
,const X509_NAME
* const *b
);
141 #ifndef OPENSSL_NO_ECDH
142 static int curve_id2nid(int curve_id
);
143 int check_srvr_ecc_cert_and_alg(X509
*x
, SSL_CIPHER
*cs
);
146 static const SSL_METHOD
*ssl3_get_client_method(int ver
)
148 if (ver
== SSL3_VERSION
)
149 return(SSLv3_client_method());
154 IMPLEMENT_ssl3_meth_func(SSLv3_client_method
,
155 ssl_undefined_function
,
157 ssl3_get_client_method
)
159 int ssl3_connect(SSL
*s
)
162 unsigned long Time
=(unsigned long)time(NULL
),l
;
164 void (*cb
)(const SSL
*ssl
,int type
,int val
)=NULL
;
166 int new_state
,state
,skip
=0;;
168 RAND_add(&Time
,sizeof(Time
),0);
172 if (s
->info_callback
!= NULL
)
174 else if (s
->ctx
->info_callback
!= NULL
)
175 cb
=s
->ctx
->info_callback
;
178 if (!SSL_in_init(s
) || SSL_in_before(s
)) SSL_clear(s
);
186 case SSL_ST_RENEGOTIATE
:
188 s
->state
=SSL_ST_CONNECT
;
189 s
->ctx
->stats
.sess_connect_renegotiate
++;
193 case SSL_ST_BEFORE
|SSL_ST_CONNECT
:
194 case SSL_ST_OK
|SSL_ST_CONNECT
:
197 if (cb
!= NULL
) cb(s
,SSL_CB_HANDSHAKE_START
,1);
199 if ((s
->version
& 0xff00 ) != 0x0300)
201 SSLerr(SSL_F_SSL3_CONNECT
, ERR_R_INTERNAL_ERROR
);
206 /* s->version=SSL3_VERSION; */
207 s
->type
=SSL_ST_CONNECT
;
209 if (s
->init_buf
== NULL
)
211 if ((buf
=BUF_MEM_new()) == NULL
)
216 if (!BUF_MEM_grow(buf
,SSL3_RT_MAX_PLAIN_LENGTH
))
225 if (!ssl3_setup_buffers(s
)) { ret
= -1; goto end
; }
227 /* setup buffing BIO */
228 if (!ssl_init_wbio_buffer(s
,0)) { ret
= -1; goto end
; }
230 /* don't push the buffering BIO quite yet */
232 ssl3_init_finished_mac(s
);
234 s
->state
=SSL3_ST_CW_CLNT_HELLO_A
;
235 s
->ctx
->stats
.sess_connect
++;
239 case SSL3_ST_CW_CLNT_HELLO_A
:
240 case SSL3_ST_CW_CLNT_HELLO_B
:
243 ret
=ssl3_client_hello(s
);
244 if (ret
<= 0) goto end
;
245 s
->state
=SSL3_ST_CR_SRVR_HELLO_A
;
248 /* turn on buffering for the next lot of output */
249 if (s
->bbio
!= s
->wbio
)
250 s
->wbio
=BIO_push(s
->bbio
,s
->wbio
);
254 case SSL3_ST_CR_SRVR_HELLO_A
:
255 case SSL3_ST_CR_SRVR_HELLO_B
:
256 ret
=ssl3_get_server_hello(s
);
257 if (ret
<= 0) goto end
;
258 #ifndef OPENSSL_NO_TLSEXT
260 int extension_error
= 0,al
;
261 if ((al
= ssl_check_Hello_TLS_extensions(s
,&extension_error
)) != SSL_ERROR_NONE
){
263 SSLerr(SSL_F_SSL3_CONNECT
,SSL_R_SERVERHELLO_TLS_EXT
);
269 s
->state
=SSL3_ST_CR_FINISHED_A
;
271 s
->state
=SSL3_ST_CR_CERT_A
;
275 case SSL3_ST_CR_CERT_A
:
276 case SSL3_ST_CR_CERT_B
:
277 /* Check if it is anon DH/ECDH */
278 if (!(s
->s3
->tmp
.new_cipher
->algorithms
& SSL_aNULL
))
280 ret
=ssl3_get_server_certificate(s
);
281 if (ret
<= 0) goto end
;
285 s
->state
=SSL3_ST_CR_KEY_EXCH_A
;
289 case SSL3_ST_CR_KEY_EXCH_A
:
290 case SSL3_ST_CR_KEY_EXCH_B
:
291 ret
=ssl3_get_key_exchange(s
);
292 if (ret
<= 0) goto end
;
293 s
->state
=SSL3_ST_CR_CERT_REQ_A
;
296 /* at this point we check that we have the
297 * required stuff from the server */
298 if (!ssl3_check_cert_and_algorithm(s
))
305 case SSL3_ST_CR_CERT_REQ_A
:
306 case SSL3_ST_CR_CERT_REQ_B
:
307 ret
=ssl3_get_certificate_request(s
);
308 if (ret
<= 0) goto end
;
309 s
->state
=SSL3_ST_CR_SRVR_DONE_A
;
313 case SSL3_ST_CR_SRVR_DONE_A
:
314 case SSL3_ST_CR_SRVR_DONE_B
:
315 ret
=ssl3_get_server_done(s
);
316 if (ret
<= 0) goto end
;
317 if (s
->s3
->tmp
.cert_req
)
318 s
->state
=SSL3_ST_CW_CERT_A
;
320 s
->state
=SSL3_ST_CW_KEY_EXCH_A
;
325 case SSL3_ST_CW_CERT_A
:
326 case SSL3_ST_CW_CERT_B
:
327 case SSL3_ST_CW_CERT_C
:
328 case SSL3_ST_CW_CERT_D
:
329 ret
=ssl3_send_client_certificate(s
);
330 if (ret
<= 0) goto end
;
331 s
->state
=SSL3_ST_CW_KEY_EXCH_A
;
335 case SSL3_ST_CW_KEY_EXCH_A
:
336 case SSL3_ST_CW_KEY_EXCH_B
:
337 ret
=ssl3_send_client_key_exchange(s
);
338 if (ret
<= 0) goto end
;
339 l
=s
->s3
->tmp
.new_cipher
->algorithms
;
340 /* EAY EAY EAY need to check for DH fix cert
342 /* For TLS, cert_req is set to 2, so a cert chain
343 * of nothing is sent, but no verify packet is sent */
344 /* XXX: For now, we do not support client
345 * authentication in ECDH cipher suites with
346 * ECDH (rather than ECDSA) certificates.
347 * We need to skip the certificate verify
348 * message when client's ECDH public key is sent
349 * inside the client certificate.
351 if (s
->s3
->tmp
.cert_req
== 1)
353 s
->state
=SSL3_ST_CW_CERT_VRFY_A
;
357 s
->state
=SSL3_ST_CW_CHANGE_A
;
358 s
->s3
->change_cipher_spec
=0;
364 case SSL3_ST_CW_CERT_VRFY_A
:
365 case SSL3_ST_CW_CERT_VRFY_B
:
366 ret
=ssl3_send_client_verify(s
);
367 if (ret
<= 0) goto end
;
368 s
->state
=SSL3_ST_CW_CHANGE_A
;
370 s
->s3
->change_cipher_spec
=0;
373 case SSL3_ST_CW_CHANGE_A
:
374 case SSL3_ST_CW_CHANGE_B
:
375 ret
=ssl3_send_change_cipher_spec(s
,
376 SSL3_ST_CW_CHANGE_A
,SSL3_ST_CW_CHANGE_B
);
377 if (ret
<= 0) goto end
;
378 s
->state
=SSL3_ST_CW_FINISHED_A
;
381 s
->session
->cipher
=s
->s3
->tmp
.new_cipher
;
382 #ifdef OPENSSL_NO_COMP
383 s
->session
->compress_meth
=0;
385 if (s
->s3
->tmp
.new_compression
== NULL
)
386 s
->session
->compress_meth
=0;
388 s
->session
->compress_meth
=
389 s
->s3
->tmp
.new_compression
->id
;
391 if (!s
->method
->ssl3_enc
->setup_key_block(s
))
397 if (!s
->method
->ssl3_enc
->change_cipher_state(s
,
398 SSL3_CHANGE_CIPHER_CLIENT_WRITE
))
406 case SSL3_ST_CW_FINISHED_A
:
407 case SSL3_ST_CW_FINISHED_B
:
408 ret
=ssl3_send_finished(s
,
409 SSL3_ST_CW_FINISHED_A
,SSL3_ST_CW_FINISHED_B
,
410 s
->method
->ssl3_enc
->client_finished_label
,
411 s
->method
->ssl3_enc
->client_finished_label_len
);
412 if (ret
<= 0) goto end
;
413 s
->state
=SSL3_ST_CW_FLUSH
;
416 s
->s3
->flags
&= ~SSL3_FLAGS_POP_BUFFER
;
419 s
->s3
->tmp
.next_state
=SSL_ST_OK
;
420 if (s
->s3
->flags
& SSL3_FLAGS_DELAY_CLIENT_FINISHED
)
423 s
->s3
->flags
|=SSL3_FLAGS_POP_BUFFER
;
424 s
->s3
->delay_buf_pop_ret
=0;
429 s
->s3
->tmp
.next_state
=SSL3_ST_CR_FINISHED_A
;
434 case SSL3_ST_CR_FINISHED_A
:
435 case SSL3_ST_CR_FINISHED_B
:
437 ret
=ssl3_get_finished(s
,SSL3_ST_CR_FINISHED_A
,
438 SSL3_ST_CR_FINISHED_B
);
439 if (ret
<= 0) goto end
;
442 s
->state
=SSL3_ST_CW_CHANGE_A
;
448 case SSL3_ST_CW_FLUSH
:
449 /* number of bytes to be flushed */
450 num1
=BIO_ctrl(s
->wbio
,BIO_CTRL_INFO
,0,NULL
);
453 s
->rwstate
=SSL_WRITING
;
454 num1
=BIO_flush(s
->wbio
);
455 if (num1
<= 0) { ret
= -1; goto end
; }
456 s
->rwstate
=SSL_NOTHING
;
459 s
->state
=s
->s3
->tmp
.next_state
;
463 /* clean a few things up */
464 ssl3_cleanup_key_block(s
);
466 if (s
->init_buf
!= NULL
)
468 BUF_MEM_free(s
->init_buf
);
472 /* If we are not 'joining' the last two packets,
473 * remove the buffering now */
474 if (!(s
->s3
->flags
& SSL3_FLAGS_POP_BUFFER
))
475 ssl_free_wbio_buffer(s
);
476 /* else do it later in ssl3_write */
481 ssl_update_cache(s
,SSL_SESS_CACHE_CLIENT
);
482 if (s
->hit
) s
->ctx
->stats
.sess_hit
++;
486 s
->handshake_func
=ssl3_connect
;
487 s
->ctx
->stats
.sess_connect_good
++;
489 if (cb
!= NULL
) cb(s
,SSL_CB_HANDSHAKE_DONE
,1);
495 SSLerr(SSL_F_SSL3_CONNECT
,SSL_R_UNKNOWN_STATE
);
501 /* did we do anything */
502 if (!s
->s3
->tmp
.reuse_message
&& !skip
)
506 if ((ret
=BIO_flush(s
->wbio
)) <= 0)
510 if ((cb
!= NULL
) && (s
->state
!= state
))
514 cb(s
,SSL_CB_CONNECT_LOOP
,1);
525 cb(s
,SSL_CB_CONNECT_EXIT
,ret
);
530 int ssl3_client_hello(SSL
*s
)
535 unsigned long Time
,l
;
536 #ifndef OPENSSL_NO_COMP
541 buf
=(unsigned char *)s
->init_buf
->data
;
542 if (s
->state
== SSL3_ST_CW_CLNT_HELLO_A
)
544 if ((s
->session
== NULL
) ||
545 (s
->session
->ssl_version
!= s
->version
) ||
546 (s
->session
->not_resumable
))
548 if (!ssl_get_new_session(s
,0))
551 /* else use the pre-loaded session */
553 p
=s
->s3
->client_random
;
554 Time
=(unsigned long)time(NULL
); /* Time */
556 if (RAND_pseudo_bytes(p
,SSL3_RANDOM_SIZE
-4) <= 0)
559 /* Do the message type and length last */
562 *(p
++)=s
->version
>>8;
563 *(p
++)=s
->version
&0xff;
564 s
->client_version
=s
->version
;
567 memcpy(p
,s
->s3
->client_random
,SSL3_RANDOM_SIZE
);
574 i
=s
->session
->session_id_length
;
578 if (i
> (int)sizeof(s
->session
->session_id
))
580 SSLerr(SSL_F_SSL3_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
583 memcpy(p
,s
->session
->session_id
,i
);
587 /* Ciphers supported */
588 i
=ssl_cipher_list_to_bytes(s
,SSL_get_ciphers(s
),&(p
[2]),0);
591 SSLerr(SSL_F_SSL3_CLIENT_HELLO
,SSL_R_NO_CIPHERS_AVAILABLE
);
598 #ifdef OPENSSL_NO_COMP
602 if ((s
->options
& SSL_OP_NO_COMPRESSION
)
603 || !s
->ctx
->comp_methods
)
606 j
=sk_SSL_COMP_num(s
->ctx
->comp_methods
);
610 comp
=sk_SSL_COMP_value(s
->ctx
->comp_methods
,i
);
614 *(p
++)=0; /* Add the NULL method */
615 #ifndef OPENSSL_NO_TLSEXT
616 if ((p
= ssl_add_ClientHello_TLS_extensions(s
, p
, buf
+SSL3_RT_MAX_PLAIN_LENGTH
)) == NULL
)
618 SSLerr(SSL_F_SSL3_CLIENT_HELLO
,ERR_R_INTERNAL_ERROR
);
625 *(d
++)=SSL3_MT_CLIENT_HELLO
;
628 s
->state
=SSL3_ST_CW_CLNT_HELLO_B
;
629 /* number of bytes to write */
634 /* SSL3_ST_CW_CLNT_HELLO_B */
635 return(ssl3_do_write(s
,SSL3_RT_HANDSHAKE
));
640 int ssl3_get_server_hello(SSL
*s
)
642 STACK_OF(SSL_CIPHER
) *sk
;
648 #ifndef OPENSSL_NO_COMP
652 n
=s
->method
->ssl_get_message(s
,
653 SSL3_ST_CR_SRVR_HELLO_A
,
654 SSL3_ST_CR_SRVR_HELLO_B
,
659 if (!ok
) return((int)n
);
661 if ( SSL_version(s
) == DTLS1_VERSION
)
663 if ( s
->s3
->tmp
.message_type
== DTLS1_MT_HELLO_VERIFY_REQUEST
)
665 if ( s
->d1
->send_cookie
== 0)
667 s
->s3
->tmp
.reuse_message
= 1;
670 else /* already sent a cookie */
672 al
=SSL_AD_UNEXPECTED_MESSAGE
;
673 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_BAD_MESSAGE_TYPE
);
679 if ( s
->s3
->tmp
.message_type
!= SSL3_MT_SERVER_HELLO
)
681 al
=SSL_AD_UNEXPECTED_MESSAGE
;
682 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_BAD_MESSAGE_TYPE
);
686 d
=p
=(unsigned char *)s
->init_msg
;
688 if ((p
[0] != (s
->version
>>8)) || (p
[1] != (s
->version
&0xff)))
690 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_WRONG_SSL_VERSION
);
691 s
->version
=(s
->version
&0xff00)|p
[1];
692 al
=SSL_AD_PROTOCOL_VERSION
;
697 /* load the server hello data */
698 /* load the server random */
699 memcpy(s
->s3
->server_random
,p
,SSL3_RANDOM_SIZE
);
702 /* get the session-id */
705 if ((j
> sizeof s
->session
->session_id
) || (j
> SSL3_SESSION_ID_SIZE
))
707 al
=SSL_AD_ILLEGAL_PARAMETER
;
708 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_SSL3_SESSION_ID_TOO_LONG
);
712 if (j
!= 0 && j
== s
->session
->session_id_length
713 && memcmp(p
,s
->session
->session_id
,j
) == 0)
715 if(s
->sid_ctx_length
!= s
->session
->sid_ctx_length
716 || memcmp(s
->session
->sid_ctx
,s
->sid_ctx
,s
->sid_ctx_length
))
718 /* actually a client application bug */
719 al
=SSL_AD_ILLEGAL_PARAMETER
;
720 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT
);
725 else /* a miss or crap from the other end */
727 /* If we were trying for session-id reuse, make a new
728 * SSL_SESSION so we don't stuff up other people */
730 if (s
->session
->session_id_length
> 0)
732 if (!ssl_get_new_session(s
,0))
734 al
=SSL_AD_INTERNAL_ERROR
;
738 s
->session
->session_id_length
=j
;
739 memcpy(s
->session
->session_id
,p
,j
); /* j could be 0 */
742 c
=ssl_get_cipher_by_char(s
,p
);
746 al
=SSL_AD_ILLEGAL_PARAMETER
;
747 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_UNKNOWN_CIPHER_RETURNED
);
750 p
+=ssl_put_cipher_by_char(s
,NULL
,NULL
);
752 sk
=ssl_get_ciphers_by_id(s
);
753 i
=sk_SSL_CIPHER_find(sk
,c
);
756 /* we did not say we would use this cipher */
757 al
=SSL_AD_ILLEGAL_PARAMETER
;
758 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_WRONG_CIPHER_RETURNED
);
762 /* Depending on the session caching (internal/external), the cipher
763 and/or cipher_id values may not be set. Make sure that
764 cipher_id is set and use it for comparison. */
765 if (s
->session
->cipher
)
766 s
->session
->cipher_id
= s
->session
->cipher
->id
;
767 if (s
->hit
&& (s
->session
->cipher_id
!= c
->id
))
770 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
))
772 al
=SSL_AD_ILLEGAL_PARAMETER
;
773 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED
);
777 s
->s3
->tmp
.new_cipher
=c
;
779 /* lets get the compression algorithm */
781 #ifdef OPENSSL_NO_COMP
784 al
=SSL_AD_ILLEGAL_PARAMETER
;
785 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM
);
790 if ((j
== 0) || (s
->options
& SSL_OP_NO_COMPRESSION
))
793 comp
=ssl3_comp_find(s
->ctx
->comp_methods
,j
);
795 if ((j
!= 0) && (comp
== NULL
))
797 al
=SSL_AD_ILLEGAL_PARAMETER
;
798 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM
);
803 s
->s3
->tmp
.new_compression
=comp
;
806 #ifndef OPENSSL_NO_TLSEXT
808 if (s
->version
> SSL3_VERSION
)
810 if ((al
= ssl_parse_ServerHello_TLS_extensions(s
,&p
,d
,n
)) != SSL_ERROR_NONE
){
811 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_PARSE_TLS_EXT
);
819 /* wrong packet length */
820 al
=SSL_AD_DECODE_ERROR
;
821 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO
,SSL_R_BAD_PACKET_LENGTH
);
827 ssl3_send_alert(s
,SSL3_AL_FATAL
,al
);
832 int ssl3_get_server_certificate(SSL
*s
)
835 unsigned long n
,nc
,llen
,l
;
837 const unsigned char *q
,*p
;
839 STACK_OF(X509
) *sk
=NULL
;
842 int need_cert
= 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
844 n
=s
->method
->ssl_get_message(s
,
851 if (!ok
) return((int)n
);
853 if (s
->s3
->tmp
.message_type
== SSL3_MT_SERVER_KEY_EXCHANGE
)
855 s
->s3
->tmp
.reuse_message
=1;
859 if (s
->s3
->tmp
.message_type
!= SSL3_MT_CERTIFICATE
)
861 al
=SSL_AD_UNEXPECTED_MESSAGE
;
862 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,SSL_R_BAD_MESSAGE_TYPE
);
865 p
=d
=(unsigned char *)s
->init_msg
;
867 if ((sk
=sk_X509_new_null()) == NULL
)
869 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,ERR_R_MALLOC_FAILURE
);
876 al
=SSL_AD_DECODE_ERROR
;
877 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,SSL_R_LENGTH_MISMATCH
);
880 for (nc
=0; nc
<llen
; )
885 al
=SSL_AD_DECODE_ERROR
;
886 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,SSL_R_CERT_LENGTH_MISMATCH
);
891 x
=d2i_X509(NULL
,&q
,l
);
894 al
=SSL_AD_BAD_CERTIFICATE
;
895 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,ERR_R_ASN1_LIB
);
900 al
=SSL_AD_DECODE_ERROR
;
901 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,SSL_R_CERT_LENGTH_MISMATCH
);
904 if (!sk_X509_push(sk
,x
))
906 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,ERR_R_MALLOC_FAILURE
);
914 i
=ssl_verify_cert_chain(s
,sk
);
915 if ((s
->verify_mode
!= SSL_VERIFY_NONE
) && (!i
)
916 #ifndef OPENSSL_NO_KRB5
917 && (s
->s3
->tmp
.new_cipher
->algorithms
& (SSL_MKEY_MASK
|SSL_AUTH_MASK
))
918 != (SSL_aKRB5
|SSL_kKRB5
)
919 #endif /* OPENSSL_NO_KRB5 */
922 al
=ssl_verify_alarm_type(s
->verify_result
);
923 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,SSL_R_CERTIFICATE_VERIFY_FAILED
);
926 ERR_clear_error(); /* but we keep s->verify_result */
928 sc
=ssl_sess_cert_new();
929 if (sc
== NULL
) goto err
;
931 if (s
->session
->sess_cert
) ssl_sess_cert_free(s
->session
->sess_cert
);
932 s
->session
->sess_cert
=sc
;
935 /* Inconsistency alert: cert_chain does include the peer's
936 * certificate, which we don't include in s3_srvr.c */
937 x
=sk_X509_value(sk
,0);
939 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
941 pkey
=X509_get_pubkey(x
);
943 /* VRS: allow null cert if auth == KRB5 */
944 need_cert
= ((s
->s3
->tmp
.new_cipher
->algorithms
945 & (SSL_MKEY_MASK
|SSL_AUTH_MASK
))
946 == (SSL_aKRB5
|SSL_kKRB5
))? 0: 1;
949 printf("pkey,x = %p, %p\n", pkey
,x
);
950 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x
,pkey
));
951 printf("cipher, alg, nc = %s, %lx, %d\n", s
->s3
->tmp
.new_cipher
->name
,
952 s
->s3
->tmp
.new_cipher
->algorithms
, need_cert
);
953 #endif /* KSSL_DEBUG */
955 if (need_cert
&& ((pkey
== NULL
) || EVP_PKEY_missing_parameters(pkey
)))
959 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,
960 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS
);
964 i
=ssl_cert_type(x
,pkey
);
965 if (need_cert
&& i
< 0)
969 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE
,
970 SSL_R_UNKNOWN_CERTIFICATE_TYPE
);
976 sc
->peer_cert_type
=i
;
977 CRYPTO_add(&x
->references
,1,CRYPTO_LOCK_X509
);
978 /* Why would the following ever happen?
979 * We just created sc a couple of lines ago. */
980 if (sc
->peer_pkeys
[i
].x509
!= NULL
)
981 X509_free(sc
->peer_pkeys
[i
].x509
);
982 sc
->peer_pkeys
[i
].x509
=x
;
983 sc
->peer_key
= &(sc
->peer_pkeys
[i
]);
985 if (s
->session
->peer
!= NULL
)
986 X509_free(s
->session
->peer
);
987 CRYPTO_add(&x
->references
,1,CRYPTO_LOCK_X509
);
992 sc
->peer_cert_type
=i
;
995 if (s
->session
->peer
!= NULL
)
996 X509_free(s
->session
->peer
);
997 s
->session
->peer
=NULL
;
999 s
->session
->verify_result
= s
->verify_result
;
1007 ssl3_send_alert(s
,SSL3_AL_FATAL
,al
);
1010 EVP_PKEY_free(pkey
);
1012 sk_X509_pop_free(sk
,X509_free
);
1016 int ssl3_get_key_exchange(SSL
*s
)
1018 #ifndef OPENSSL_NO_RSA
1019 unsigned char *q
,md_buf
[EVP_MAX_MD_SIZE
*2];
1022 unsigned char *param
,*p
;
1023 int al
,i
,j
,param_len
,ok
;
1025 EVP_PKEY
*pkey
=NULL
;
1026 #ifndef OPENSSL_NO_RSA
1029 #ifndef OPENSSL_NO_DH
1032 #ifndef OPENSSL_NO_ECDH
1033 EC_KEY
*ecdh
= NULL
;
1034 BN_CTX
*bn_ctx
= NULL
;
1035 EC_POINT
*srvr_ecpoint
= NULL
;
1037 int encoded_pt_len
= 0;
1040 /* use same message size as in ssl3_get_certificate_request()
1041 * as ServerKeyExchange message may be skipped */
1042 n
=s
->method
->ssl_get_message(s
,
1043 SSL3_ST_CR_KEY_EXCH_A
,
1044 SSL3_ST_CR_KEY_EXCH_B
,
1049 if (!ok
) return((int)n
);
1051 if (s
->s3
->tmp
.message_type
!= SSL3_MT_SERVER_KEY_EXCHANGE
)
1053 s
->s3
->tmp
.reuse_message
=1;
1057 param
=p
=(unsigned char *)s
->init_msg
;
1059 if (s
->session
->sess_cert
!= NULL
)
1061 #ifndef OPENSSL_NO_RSA
1062 if (s
->session
->sess_cert
->peer_rsa_tmp
!= NULL
)
1064 RSA_free(s
->session
->sess_cert
->peer_rsa_tmp
);
1065 s
->session
->sess_cert
->peer_rsa_tmp
=NULL
;
1068 #ifndef OPENSSL_NO_DH
1069 if (s
->session
->sess_cert
->peer_dh_tmp
)
1071 DH_free(s
->session
->sess_cert
->peer_dh_tmp
);
1072 s
->session
->sess_cert
->peer_dh_tmp
=NULL
;
1075 #ifndef OPENSSL_NO_ECDH
1076 if (s
->session
->sess_cert
->peer_ecdh_tmp
)
1078 EC_KEY_free(s
->session
->sess_cert
->peer_ecdh_tmp
);
1079 s
->session
->sess_cert
->peer_ecdh_tmp
=NULL
;
1085 s
->session
->sess_cert
=ssl_sess_cert_new();
1089 alg
=s
->s3
->tmp
.new_cipher
->algorithms
;
1090 EVP_MD_CTX_init(&md_ctx
);
1092 #ifndef OPENSSL_NO_RSA
1095 if ((rsa
=RSA_new()) == NULL
)
1097 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_MALLOC_FAILURE
);
1104 al
=SSL_AD_DECODE_ERROR
;
1105 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_RSA_MODULUS_LENGTH
);
1108 if (!(rsa
->n
=BN_bin2bn(p
,i
,rsa
->n
)))
1110 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_BN_LIB
);
1119 al
=SSL_AD_DECODE_ERROR
;
1120 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_RSA_E_LENGTH
);
1123 if (!(rsa
->e
=BN_bin2bn(p
,i
,rsa
->e
)))
1125 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_BN_LIB
);
1131 /* this should be because we are using an export cipher */
1133 pkey
=X509_get_pubkey(s
->session
->sess_cert
->peer_pkeys
[SSL_PKEY_RSA_ENC
].x509
);
1136 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_INTERNAL_ERROR
);
1139 s
->session
->sess_cert
->peer_rsa_tmp
=rsa
;
1142 #else /* OPENSSL_NO_RSA */
1146 #ifndef OPENSSL_NO_DH
1147 else if (alg
& SSL_kEDH
)
1149 if ((dh
=DH_new()) == NULL
)
1151 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_DH_LIB
);
1158 al
=SSL_AD_DECODE_ERROR
;
1159 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_DH_P_LENGTH
);
1162 if (!(dh
->p
=BN_bin2bn(p
,i
,NULL
)))
1164 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_BN_LIB
);
1173 al
=SSL_AD_DECODE_ERROR
;
1174 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_DH_G_LENGTH
);
1177 if (!(dh
->g
=BN_bin2bn(p
,i
,NULL
)))
1179 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_BN_LIB
);
1188 al
=SSL_AD_DECODE_ERROR
;
1189 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_DH_PUB_KEY_LENGTH
);
1192 if (!(dh
->pub_key
=BN_bin2bn(p
,i
,NULL
)))
1194 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_BN_LIB
);
1200 #ifndef OPENSSL_NO_RSA
1202 pkey
=X509_get_pubkey(s
->session
->sess_cert
->peer_pkeys
[SSL_PKEY_RSA_ENC
].x509
);
1207 #ifndef OPENSSL_NO_DSA
1208 else if (alg
& SSL_aDSS
)
1209 pkey
=X509_get_pubkey(s
->session
->sess_cert
->peer_pkeys
[SSL_PKEY_DSA_SIGN
].x509
);
1211 /* else anonymous DH, so no certificate or pkey. */
1213 s
->session
->sess_cert
->peer_dh_tmp
=dh
;
1216 else if ((alg
& SSL_kDHr
) || (alg
& SSL_kDHd
))
1218 al
=SSL_AD_ILLEGAL_PARAMETER
;
1219 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER
);
1222 #endif /* !OPENSSL_NO_DH */
1224 #ifndef OPENSSL_NO_ECDH
1225 else if (alg
& SSL_kECDHE
)
1228 const EC_GROUP
*group
;
1230 if ((ecdh
=EC_KEY_new()) == NULL
)
1232 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_MALLOC_FAILURE
);
1236 /* Extract elliptic curve parameters and the
1237 * server's ephemeral ECDH public key.
1238 * Keep accumulating lengths of various components in
1239 * param_len and make sure it never exceeds n.
1242 /* XXX: For now we only support named (not generic) curves
1243 * and the ECParameters in this case is just three bytes.
1246 if ((param_len
> n
) ||
1247 (*p
!= NAMED_CURVE_TYPE
) ||
1248 ((curve_nid
= curve_id2nid(*(p
+ 2))) == 0))
1250 al
=SSL_AD_INTERNAL_ERROR
;
1251 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS
);
1255 ngroup
= EC_GROUP_new_by_curve_name(curve_nid
);
1258 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_EC_LIB
);
1261 if (EC_KEY_set_group(ecdh
, ngroup
) == 0)
1263 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_EC_LIB
);
1266 EC_GROUP_free(ngroup
);
1268 group
= EC_KEY_get0_group(ecdh
);
1270 if (SSL_C_IS_EXPORT(s
->s3
->tmp
.new_cipher
) &&
1271 (EC_GROUP_get_degree(group
) > 163))
1273 al
=SSL_AD_EXPORT_RESTRICTION
;
1274 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER
);
1280 /* Next, get the encoded ECPoint */
1281 if (((srvr_ecpoint
= EC_POINT_new(group
)) == NULL
) ||
1282 ((bn_ctx
= BN_CTX_new()) == NULL
))
1284 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_MALLOC_FAILURE
);
1288 encoded_pt_len
= *p
; /* length of encoded point */
1290 param_len
+= (1 + encoded_pt_len
);
1291 if ((param_len
> n
) ||
1292 (EC_POINT_oct2point(group
, srvr_ecpoint
,
1293 p
, encoded_pt_len
, bn_ctx
) == 0))
1295 al
=SSL_AD_DECODE_ERROR
;
1296 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_ECPOINT
);
1303 /* The ECC/TLS specification does not mention
1304 * the use of DSA to sign ECParameters in the server
1305 * key exchange message. We do support RSA and ECDSA.
1308 #ifndef OPENSSL_NO_RSA
1309 else if (alg
& SSL_aRSA
)
1310 pkey
=X509_get_pubkey(s
->session
->sess_cert
->peer_pkeys
[SSL_PKEY_RSA_ENC
].x509
);
1312 #ifndef OPENSSL_NO_ECDSA
1313 else if (alg
& SSL_aECDSA
)
1314 pkey
=X509_get_pubkey(s
->session
->sess_cert
->peer_pkeys
[SSL_PKEY_ECC
].x509
);
1316 /* else anonymous ECDH, so no certificate or pkey. */
1317 EC_KEY_set_public_key(ecdh
, srvr_ecpoint
);
1318 s
->session
->sess_cert
->peer_ecdh_tmp
=ecdh
;
1320 BN_CTX_free(bn_ctx
);
1321 EC_POINT_free(srvr_ecpoint
);
1322 srvr_ecpoint
= NULL
;
1324 else if (alg
& SSL_kECDH
)
1326 al
=SSL_AD_UNEXPECTED_MESSAGE
;
1327 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_UNEXPECTED_MESSAGE
);
1330 #endif /* !OPENSSL_NO_ECDH */
1333 al
=SSL_AD_HANDSHAKE_FAILURE
;
1334 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER
);
1339 /* p points to the next byte, there are 'n' bytes left */
1341 /* if it was signed, check the signature */
1346 j
=EVP_PKEY_size(pkey
);
1348 if ((i
!= n
) || (n
> j
) || (n
<= 0))
1350 /* wrong packet length */
1351 al
=SSL_AD_DECODE_ERROR
;
1352 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_WRONG_SIGNATURE_LENGTH
);
1356 #ifndef OPENSSL_NO_RSA
1357 if (pkey
->type
== EVP_PKEY_RSA
)
1363 for (num
=2; num
> 0; num
--)
1365 EVP_DigestInit_ex(&md_ctx
,(num
== 2)
1366 ?s
->ctx
->md5
:s
->ctx
->sha1
, NULL
);
1367 EVP_DigestUpdate(&md_ctx
,&(s
->s3
->client_random
[0]),SSL3_RANDOM_SIZE
);
1368 EVP_DigestUpdate(&md_ctx
,&(s
->s3
->server_random
[0]),SSL3_RANDOM_SIZE
);
1369 EVP_DigestUpdate(&md_ctx
,param
,param_len
);
1370 EVP_DigestFinal_ex(&md_ctx
,q
,(unsigned int *)&i
);
1374 i
=RSA_verify(NID_md5_sha1
, md_buf
, j
, p
, n
,
1378 al
=SSL_AD_DECRYPT_ERROR
;
1379 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_RSA_DECRYPT
);
1385 al
=SSL_AD_DECRYPT_ERROR
;
1386 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_SIGNATURE
);
1392 #ifndef OPENSSL_NO_DSA
1393 if (pkey
->type
== EVP_PKEY_DSA
)
1396 EVP_VerifyInit_ex(&md_ctx
,EVP_dss1(), NULL
);
1397 EVP_VerifyUpdate(&md_ctx
,&(s
->s3
->client_random
[0]),SSL3_RANDOM_SIZE
);
1398 EVP_VerifyUpdate(&md_ctx
,&(s
->s3
->server_random
[0]),SSL3_RANDOM_SIZE
);
1399 EVP_VerifyUpdate(&md_ctx
,param
,param_len
);
1400 if (!EVP_VerifyFinal(&md_ctx
,p
,(int)n
,pkey
))
1403 al
=SSL_AD_DECRYPT_ERROR
;
1404 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_SIGNATURE
);
1410 #ifndef OPENSSL_NO_ECDSA
1411 if (pkey
->type
== EVP_PKEY_EC
)
1413 /* let's do ECDSA */
1414 EVP_VerifyInit_ex(&md_ctx
,EVP_ecdsa(), NULL
);
1415 EVP_VerifyUpdate(&md_ctx
,&(s
->s3
->client_random
[0]),SSL3_RANDOM_SIZE
);
1416 EVP_VerifyUpdate(&md_ctx
,&(s
->s3
->server_random
[0]),SSL3_RANDOM_SIZE
);
1417 EVP_VerifyUpdate(&md_ctx
,param
,param_len
);
1418 if (!EVP_VerifyFinal(&md_ctx
,p
,(int)n
,pkey
))
1421 al
=SSL_AD_DECRYPT_ERROR
;
1422 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_BAD_SIGNATURE
);
1429 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_INTERNAL_ERROR
);
1435 /* still data left over */
1436 if (!(alg
& SSL_aNULL
))
1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,ERR_R_INTERNAL_ERROR
);
1443 al
=SSL_AD_DECODE_ERROR
;
1444 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE
,SSL_R_EXTRA_DATA_IN_MESSAGE
);
1448 EVP_PKEY_free(pkey
);
1449 EVP_MD_CTX_cleanup(&md_ctx
);
1452 ssl3_send_alert(s
,SSL3_AL_FATAL
,al
);
1454 EVP_PKEY_free(pkey
);
1455 #ifndef OPENSSL_NO_RSA
1459 #ifndef OPENSSL_NO_DH
1463 #ifndef OPENSSL_NO_ECDH
1464 BN_CTX_free(bn_ctx
);
1465 EC_POINT_free(srvr_ecpoint
);
1469 EVP_MD_CTX_cleanup(&md_ctx
);
1473 int ssl3_get_certificate_request(SSL
*s
)
1476 unsigned long n
,nc
,l
;
1477 unsigned int llen
,ctype_num
,i
;
1479 const unsigned char *p
,*q
;
1481 STACK_OF(X509_NAME
) *ca_sk
=NULL
;
1483 n
=s
->method
->ssl_get_message(s
,
1484 SSL3_ST_CR_CERT_REQ_A
,
1485 SSL3_ST_CR_CERT_REQ_B
,
1490 if (!ok
) return((int)n
);
1492 s
->s3
->tmp
.cert_req
=0;
1494 if (s
->s3
->tmp
.message_type
== SSL3_MT_SERVER_DONE
)
1496 s
->s3
->tmp
.reuse_message
=1;
1500 if (s
->s3
->tmp
.message_type
!= SSL3_MT_CERTIFICATE_REQUEST
)
1502 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_UNEXPECTED_MESSAGE
);
1503 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,SSL_R_WRONG_MESSAGE_TYPE
);
1507 /* TLS does not like anon-DH with client cert */
1508 if (s
->version
> SSL3_VERSION
)
1510 l
=s
->s3
->tmp
.new_cipher
->algorithms
;
1513 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_UNEXPECTED_MESSAGE
);
1514 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER
);
1519 p
=d
=(unsigned char *)s
->init_msg
;
1521 if ((ca_sk
=sk_X509_NAME_new(ca_dn_cmp
)) == NULL
)
1523 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,ERR_R_MALLOC_FAILURE
);
1527 /* get the certificate types */
1529 if (ctype_num
> SSL3_CT_NUMBER
)
1530 ctype_num
=SSL3_CT_NUMBER
;
1531 for (i
=0; i
<ctype_num
; i
++)
1532 s
->s3
->tmp
.ctype
[i
]= p
[i
];
1535 /* get the CA RDNs */
1540 out
=fopen("/tmp/vsign.der","w");
1541 fwrite(p
,1,llen
,out
);
1546 if ((llen
+ctype_num
+2+1) != n
)
1548 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_DECODE_ERROR
);
1549 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,SSL_R_LENGTH_MISMATCH
);
1553 for (nc
=0; nc
<llen
; )
1556 if ((l
+nc
+2) > llen
)
1558 if ((s
->options
& SSL_OP_NETSCAPE_CA_DN_BUG
))
1559 goto cont
; /* netscape bugs */
1560 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_DECODE_ERROR
);
1561 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,SSL_R_CA_DN_TOO_LONG
);
1567 if ((xn
=d2i_X509_NAME(NULL
,&q
,l
)) == NULL
)
1569 /* If netscape tolerance is on, ignore errors */
1570 if (s
->options
& SSL_OP_NETSCAPE_CA_DN_BUG
)
1574 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_DECODE_ERROR
);
1575 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,ERR_R_ASN1_LIB
);
1582 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_DECODE_ERROR
);
1583 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,SSL_R_CA_DN_LENGTH_MISMATCH
);
1586 if (!sk_X509_NAME_push(ca_sk
,xn
))
1588 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST
,ERR_R_MALLOC_FAILURE
);
1602 /* we should setup a certificate to return.... */
1603 s
->s3
->tmp
.cert_req
=1;
1604 s
->s3
->tmp
.ctype_num
=ctype_num
;
1605 if (s
->s3
->tmp
.ca_names
!= NULL
)
1606 sk_X509_NAME_pop_free(s
->s3
->tmp
.ca_names
,X509_NAME_free
);
1607 s
->s3
->tmp
.ca_names
=ca_sk
;
1612 if (ca_sk
!= NULL
) sk_X509_NAME_pop_free(ca_sk
,X509_NAME_free
);
1616 static int ca_dn_cmp(const X509_NAME
* const *a
, const X509_NAME
* const *b
)
1618 return(X509_NAME_cmp(*a
,*b
));
1621 int ssl3_get_server_done(SSL
*s
)
1626 n
=s
->method
->ssl_get_message(s
,
1627 SSL3_ST_CR_SRVR_DONE_A
,
1628 SSL3_ST_CR_SRVR_DONE_B
,
1629 SSL3_MT_SERVER_DONE
,
1630 30, /* should be very small, like 0 :-) */
1633 if (!ok
) return((int)n
);
1636 /* should contain no data */
1637 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_DECODE_ERROR
);
1638 SSLerr(SSL_F_SSL3_GET_SERVER_DONE
,SSL_R_LENGTH_MISMATCH
);
1646 int ssl3_send_client_key_exchange(SSL
*s
)
1648 unsigned char *p
,*d
;
1651 #ifndef OPENSSL_NO_RSA
1653 EVP_PKEY
*pkey
=NULL
;
1655 #ifndef OPENSSL_NO_KRB5
1657 #endif /* OPENSSL_NO_KRB5 */
1658 #ifndef OPENSSL_NO_ECDH
1659 EC_KEY
*clnt_ecdh
= NULL
;
1660 const EC_POINT
*srvr_ecpoint
= NULL
;
1661 EVP_PKEY
*srvr_pub_pkey
= NULL
;
1662 unsigned char *encodedPoint
= NULL
;
1663 int encoded_pt_len
= 0;
1664 BN_CTX
* bn_ctx
= NULL
;
1667 if (s
->state
== SSL3_ST_CW_KEY_EXCH_A
)
1669 d
=(unsigned char *)s
->init_buf
->data
;
1672 l
=s
->s3
->tmp
.new_cipher
->algorithms
;
1674 /* Fool emacs indentation */
1676 #ifndef OPENSSL_NO_RSA
1677 else if (l
& SSL_kRSA
)
1680 unsigned char tmp_buf
[SSL_MAX_MASTER_KEY_LENGTH
];
1682 if (s
->session
->sess_cert
->peer_rsa_tmp
!= NULL
)
1683 rsa
=s
->session
->sess_cert
->peer_rsa_tmp
;
1686 pkey
=X509_get_pubkey(s
->session
->sess_cert
->peer_pkeys
[SSL_PKEY_RSA_ENC
].x509
);
1687 if ((pkey
== NULL
) ||
1688 (pkey
->type
!= EVP_PKEY_RSA
) ||
1689 (pkey
->pkey
.rsa
== NULL
))
1691 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_INTERNAL_ERROR
);
1695 EVP_PKEY_free(pkey
);
1698 tmp_buf
[0]=s
->client_version
>>8;
1699 tmp_buf
[1]=s
->client_version
&0xff;
1700 if (RAND_bytes(&(tmp_buf
[2]),sizeof tmp_buf
-2) <= 0)
1703 s
->session
->master_key_length
=sizeof tmp_buf
;
1706 /* Fix buf for TLS and beyond */
1707 if (s
->version
> SSL3_VERSION
)
1709 n
=RSA_public_encrypt(sizeof tmp_buf
,
1710 tmp_buf
,p
,rsa
,RSA_PKCS1_PADDING
);
1712 if (s
->options
& SSL_OP_PKCS1_CHECK_1
) p
[1]++;
1713 if (s
->options
& SSL_OP_PKCS1_CHECK_2
) tmp_buf
[0]=0x70;
1717 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,SSL_R_BAD_RSA_ENCRYPT
);
1721 /* Fix buf for TLS and beyond */
1722 if (s
->version
> SSL3_VERSION
)
1728 s
->session
->master_key_length
=
1729 s
->method
->ssl3_enc
->generate_master_secret(s
,
1730 s
->session
->master_key
,
1731 tmp_buf
,sizeof tmp_buf
);
1732 OPENSSL_cleanse(tmp_buf
,sizeof tmp_buf
);
1735 #ifndef OPENSSL_NO_KRB5
1736 else if (l
& SSL_kKRB5
)
1738 krb5_error_code krb5rc
;
1739 KSSL_CTX
*kssl_ctx
= s
->kssl_ctx
;
1740 /* krb5_data krb5_ap_req; */
1741 krb5_data
*enc_ticket
;
1742 krb5_data authenticator
, *authp
= NULL
;
1743 EVP_CIPHER_CTX ciph_ctx
;
1744 EVP_CIPHER
*enc
= NULL
;
1745 unsigned char iv
[EVP_MAX_IV_LENGTH
];
1746 unsigned char tmp_buf
[SSL_MAX_MASTER_KEY_LENGTH
];
1747 unsigned char epms
[SSL_MAX_MASTER_KEY_LENGTH
1748 + EVP_MAX_IV_LENGTH
];
1749 int padl
, outl
= sizeof(epms
);
1751 EVP_CIPHER_CTX_init(&ciph_ctx
);
1754 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1756 #endif /* KSSL_DEBUG */
1760 if (KRB5SENDAUTH
) authp
= &authenticator
;
1761 #endif /* KRB5SENDAUTH */
1763 krb5rc
= kssl_cget_tkt(kssl_ctx
, &enc_ticket
, authp
,
1765 enc
= kssl_map_enc(kssl_ctx
->enctype
);
1770 printf("kssl_cget_tkt rtn %d\n", krb5rc
);
1771 if (krb5rc
&& kssl_err
.text
)
1772 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err
.text
);
1774 #endif /* KSSL_DEBUG */
1778 ssl3_send_alert(s
,SSL3_AL_FATAL
,
1779 SSL_AD_HANDSHAKE_FAILURE
);
1780 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
1785 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
1786 ** in place of RFC 2712 KerberosWrapper, as in:
1788 ** Send ticket (copy to *p, set n = length)
1789 ** n = krb5_ap_req.length;
1790 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1791 ** if (krb5_ap_req.data)
1792 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1794 ** Now using real RFC 2712 KerberosWrapper
1795 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1796 ** Note: 2712 "opaque" types are here replaced
1797 ** with a 2-byte length followed by the value.
1799 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1800 ** Where "xx xx" = length bytes. Shown here with
1801 ** optional authenticator omitted.
1804 /* KerberosWrapper.Ticket */
1805 s2n(enc_ticket
->length
,p
);
1806 memcpy(p
, enc_ticket
->data
, enc_ticket
->length
);
1807 p
+= enc_ticket
->length
;
1808 n
= enc_ticket
->length
+ 2;
1810 /* KerberosWrapper.Authenticator */
1811 if (authp
&& authp
->length
)
1813 s2n(authp
->length
,p
);
1814 memcpy(p
, authp
->data
, authp
->length
);
1816 n
+= authp
->length
+ 2;
1824 s2n(0,p
);/* null authenticator length */
1828 if (RAND_bytes(tmp_buf
,sizeof tmp_buf
) <= 0)
1831 /* 20010420 VRS. Tried it this way; failed.
1832 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
1833 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
1834 ** kssl_ctx->length);
1835 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
1838 memset(iv
, 0, sizeof iv
); /* per RFC 1510 */
1839 EVP_EncryptInit_ex(&ciph_ctx
,enc
, NULL
,
1841 EVP_EncryptUpdate(&ciph_ctx
,epms
,&outl
,tmp_buf
,
1843 EVP_EncryptFinal_ex(&ciph_ctx
,&(epms
[outl
]),&padl
);
1845 if (outl
> sizeof epms
)
1847 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
1850 EVP_CIPHER_CTX_cleanup(&ciph_ctx
);
1852 /* KerberosWrapper.EncryptedPreMasterSecret */
1854 memcpy(p
, epms
, outl
);
1858 s
->session
->master_key_length
=
1859 s
->method
->ssl3_enc
->generate_master_secret(s
,
1860 s
->session
->master_key
,
1861 tmp_buf
, sizeof tmp_buf
);
1863 OPENSSL_cleanse(tmp_buf
, sizeof tmp_buf
);
1864 OPENSSL_cleanse(epms
, outl
);
1867 #ifndef OPENSSL_NO_DH
1868 else if (l
& (SSL_kEDH
|SSL_kDHr
|SSL_kDHd
))
1870 DH
*dh_srvr
,*dh_clnt
;
1872 if (s
->session
->sess_cert
->peer_dh_tmp
!= NULL
)
1873 dh_srvr
=s
->session
->sess_cert
->peer_dh_tmp
;
1876 /* we get them from the cert */
1877 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_HANDSHAKE_FAILURE
);
1878 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS
);
1882 /* generate a new random key */
1883 if ((dh_clnt
=DHparams_dup(dh_srvr
)) == NULL
)
1885 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_DH_LIB
);
1888 if (!DH_generate_key(dh_clnt
))
1890 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_DH_LIB
);
1894 /* use the 'p' output buffer for the DH key, but
1895 * make sure to clear it out afterwards */
1897 n
=DH_compute_key(p
,dh_srvr
->pub_key
,dh_clnt
);
1901 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_DH_LIB
);
1905 /* generate master key from the result */
1906 s
->session
->master_key_length
=
1907 s
->method
->ssl3_enc
->generate_master_secret(s
,
1908 s
->session
->master_key
,p
,n
);
1912 /* send off the data */
1913 n
=BN_num_bytes(dh_clnt
->pub_key
);
1915 BN_bn2bin(dh_clnt
->pub_key
,p
);
1920 /* perhaps clean things up a bit EAY EAY EAY EAY*/
1924 #ifndef OPENSSL_NO_ECDH
1925 else if ((l
& SSL_kECDH
) || (l
& SSL_kECDHE
))
1927 const EC_GROUP
*srvr_group
= NULL
;
1929 int ecdh_clnt_cert
= 0;
1932 /* Did we send out the client's
1933 * ECDH share for use in premaster
1934 * computation as part of client certificate?
1935 * If so, set ecdh_clnt_cert to 1.
1937 if ((l
& SSL_kECDH
) && (s
->cert
!= NULL
))
1939 /* XXX: For now, we do not support client
1940 * authentication using ECDH certificates.
1941 * To add such support, one needs to add
1942 * code that checks for appropriate
1943 * conditions and sets ecdh_clnt_cert to 1.
1944 * For example, the cert have an ECC
1945 * key on the same curve as the server's
1946 * and the key should be authorized for
1949 * One also needs to add code in ssl3_connect
1950 * to skip sending the certificate verify
1953 * if ((s->cert->key->privatekey != NULL) &&
1954 * (s->cert->key->privatekey->type ==
1955 * EVP_PKEY_EC) && ...)
1956 * ecdh_clnt_cert = 1;
1960 if (s
->session
->sess_cert
->peer_ecdh_tmp
!= NULL
)
1962 tkey
= s
->session
->sess_cert
->peer_ecdh_tmp
;
1966 /* Get the Server Public Key from Cert */
1967 srvr_pub_pkey
= X509_get_pubkey(s
->session
-> \
1968 sess_cert
->peer_pkeys
[SSL_PKEY_ECC
].x509
);
1969 if ((srvr_pub_pkey
== NULL
) ||
1970 (srvr_pub_pkey
->type
!= EVP_PKEY_EC
) ||
1971 (srvr_pub_pkey
->pkey
.ec
== NULL
))
1973 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
1974 ERR_R_INTERNAL_ERROR
);
1978 tkey
= srvr_pub_pkey
->pkey
.ec
;
1981 srvr_group
= EC_KEY_get0_group(tkey
);
1982 srvr_ecpoint
= EC_KEY_get0_public_key(tkey
);
1984 if ((srvr_group
== NULL
) || (srvr_ecpoint
== NULL
))
1986 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
1987 ERR_R_INTERNAL_ERROR
);
1991 if ((clnt_ecdh
=EC_KEY_new()) == NULL
)
1993 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_MALLOC_FAILURE
);
1997 if (!EC_KEY_set_group(clnt_ecdh
, srvr_group
))
1999 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_EC_LIB
);
2004 /* Reuse key info from our certificate
2005 * We only need our private key to perform
2006 * the ECDH computation.
2008 const BIGNUM
*priv_key
;
2009 tkey
= s
->cert
->key
->privatekey
->pkey
.ec
;
2010 priv_key
= EC_KEY_get0_private_key(tkey
);
2011 if (priv_key
== NULL
)
2013 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_MALLOC_FAILURE
);
2016 if (!EC_KEY_set_private_key(clnt_ecdh
, priv_key
))
2018 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_EC_LIB
);
2024 /* Generate a new ECDH key pair */
2025 if (!(EC_KEY_generate_key(clnt_ecdh
)))
2027 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
, ERR_R_ECDH_LIB
);
2032 /* use the 'p' output buffer for the ECDH key, but
2033 * make sure to clear it out afterwards
2036 field_size
= EC_GROUP_get_degree(srvr_group
);
2037 if (field_size
<= 0)
2039 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
2043 n
=ECDH_compute_key(p
, (field_size
+7)/8, srvr_ecpoint
, clnt_ecdh
, NULL
);
2046 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
2051 /* generate master key from the result */
2052 s
->session
->master_key_length
= s
->method
->ssl3_enc \
2053 -> generate_master_secret(s
,
2054 s
->session
->master_key
,
2057 memset(p
, 0, n
); /* clean up */
2061 /* Send empty client key exch message */
2066 /* First check the size of encoding and
2067 * allocate memory accordingly.
2070 EC_POINT_point2oct(srvr_group
,
2071 EC_KEY_get0_public_key(clnt_ecdh
),
2072 POINT_CONVERSION_UNCOMPRESSED
,
2075 encodedPoint
= (unsigned char *)
2076 OPENSSL_malloc(encoded_pt_len
*
2077 sizeof(unsigned char));
2078 bn_ctx
= BN_CTX_new();
2079 if ((encodedPoint
== NULL
) ||
2082 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_MALLOC_FAILURE
);
2086 /* Encode the public key */
2087 n
= EC_POINT_point2oct(srvr_group
,
2088 EC_KEY_get0_public_key(clnt_ecdh
),
2089 POINT_CONVERSION_UNCOMPRESSED
,
2090 encodedPoint
, encoded_pt_len
, bn_ctx
);
2092 *p
= n
; /* length of encoded point */
2093 /* Encoded point will be copied here */
2095 /* copy the point */
2096 memcpy((unsigned char *)p
, encodedPoint
, n
);
2097 /* increment n to account for length field */
2101 /* Free allocated memory */
2102 BN_CTX_free(bn_ctx
);
2103 if (encodedPoint
!= NULL
) OPENSSL_free(encodedPoint
);
2104 if (clnt_ecdh
!= NULL
)
2105 EC_KEY_free(clnt_ecdh
);
2106 EVP_PKEY_free(srvr_pub_pkey
);
2108 #endif /* !OPENSSL_NO_ECDH */
2111 ssl3_send_alert(s
, SSL3_AL_FATAL
,
2112 SSL_AD_HANDSHAKE_FAILURE
);
2113 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE
,
2114 ERR_R_INTERNAL_ERROR
);
2118 *(d
++)=SSL3_MT_CLIENT_KEY_EXCHANGE
;
2121 s
->state
=SSL3_ST_CW_KEY_EXCH_B
;
2122 /* number of bytes to write */
2127 /* SSL3_ST_CW_KEY_EXCH_B */
2128 return(ssl3_do_write(s
,SSL3_RT_HANDSHAKE
));
2130 #ifndef OPENSSL_NO_ECDH
2131 BN_CTX_free(bn_ctx
);
2132 if (encodedPoint
!= NULL
) OPENSSL_free(encodedPoint
);
2133 if (clnt_ecdh
!= NULL
)
2134 EC_KEY_free(clnt_ecdh
);
2135 EVP_PKEY_free(srvr_pub_pkey
);
2140 int ssl3_send_client_verify(SSL
*s
)
2142 unsigned char *p
,*d
;
2143 unsigned char data
[MD5_DIGEST_LENGTH
+SHA_DIGEST_LENGTH
];
2145 #ifndef OPENSSL_NO_RSA
2149 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2153 if (s
->state
== SSL3_ST_CW_CERT_VRFY_A
)
2155 d
=(unsigned char *)s
->init_buf
->data
;
2157 pkey
=s
->cert
->key
->privatekey
;
2159 s
->method
->ssl3_enc
->cert_verify_mac(s
,&(s
->s3
->finish_dgst2
),
2160 &(data
[MD5_DIGEST_LENGTH
]));
2162 #ifndef OPENSSL_NO_RSA
2163 if (pkey
->type
== EVP_PKEY_RSA
)
2165 s
->method
->ssl3_enc
->cert_verify_mac(s
,
2166 &(s
->s3
->finish_dgst1
),&(data
[0]));
2167 if (RSA_sign(NID_md5_sha1
, data
,
2168 MD5_DIGEST_LENGTH
+SHA_DIGEST_LENGTH
,
2169 &(p
[2]), &u
, pkey
->pkey
.rsa
) <= 0 )
2171 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY
,ERR_R_RSA_LIB
);
2179 #ifndef OPENSSL_NO_DSA
2180 if (pkey
->type
== EVP_PKEY_DSA
)
2182 if (!DSA_sign(pkey
->save_type
,
2183 &(data
[MD5_DIGEST_LENGTH
]),
2184 SHA_DIGEST_LENGTH
,&(p
[2]),
2185 (unsigned int *)&j
,pkey
->pkey
.dsa
))
2187 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY
,ERR_R_DSA_LIB
);
2195 #ifndef OPENSSL_NO_ECDSA
2196 if (pkey
->type
== EVP_PKEY_EC
)
2198 if (!ECDSA_sign(pkey
->save_type
,
2199 &(data
[MD5_DIGEST_LENGTH
]),
2200 SHA_DIGEST_LENGTH
,&(p
[2]),
2201 (unsigned int *)&j
,pkey
->pkey
.ec
))
2203 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY
,
2213 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY
,ERR_R_INTERNAL_ERROR
);
2216 *(d
++)=SSL3_MT_CERTIFICATE_VERIFY
;
2219 s
->state
=SSL3_ST_CW_CERT_VRFY_B
;
2220 s
->init_num
=(int)n
+4;
2223 return(ssl3_do_write(s
,SSL3_RT_HANDSHAKE
));
2228 int ssl3_send_client_certificate(SSL
*s
)
2231 EVP_PKEY
*pkey
=NULL
;
2235 if (s
->state
== SSL3_ST_CW_CERT_A
)
2237 if ((s
->cert
== NULL
) ||
2238 (s
->cert
->key
->x509
== NULL
) ||
2239 (s
->cert
->key
->privatekey
== NULL
))
2240 s
->state
=SSL3_ST_CW_CERT_B
;
2242 s
->state
=SSL3_ST_CW_CERT_C
;
2245 /* We need to get a client cert */
2246 if (s
->state
== SSL3_ST_CW_CERT_B
)
2248 /* If we get an error, we need to
2249 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2250 * We then get retied later */
2252 if (s
->ctx
->client_cert_cb
!= NULL
)
2253 i
=s
->ctx
->client_cert_cb(s
,&(x509
),&(pkey
));
2256 s
->rwstate
=SSL_X509_LOOKUP
;
2259 s
->rwstate
=SSL_NOTHING
;
2260 if ((i
== 1) && (pkey
!= NULL
) && (x509
!= NULL
))
2262 s
->state
=SSL3_ST_CW_CERT_B
;
2263 if ( !SSL_use_certificate(s
,x509
) ||
2264 !SSL_use_PrivateKey(s
,pkey
))
2270 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE
,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK
);
2273 if (x509
!= NULL
) X509_free(x509
);
2274 if (pkey
!= NULL
) EVP_PKEY_free(pkey
);
2277 if (s
->version
== SSL3_VERSION
)
2279 s
->s3
->tmp
.cert_req
=0;
2280 ssl3_send_alert(s
,SSL3_AL_WARNING
,SSL_AD_NO_CERTIFICATE
);
2285 s
->s3
->tmp
.cert_req
=2;
2289 /* Ok, we have a cert */
2290 s
->state
=SSL3_ST_CW_CERT_C
;
2293 if (s
->state
== SSL3_ST_CW_CERT_C
)
2295 s
->state
=SSL3_ST_CW_CERT_D
;
2296 l
=ssl3_output_cert_chain(s
,
2297 (s
->s3
->tmp
.cert_req
== 2)?NULL
:s
->cert
->key
->x509
);
2301 /* SSL3_ST_CW_CERT_D */
2302 return(ssl3_do_write(s
,SSL3_RT_HANDSHAKE
));
2305 #define has_bits(i,m) (((i)&(m)) == (m))
2307 int ssl3_check_cert_and_algorithm(SSL
*s
)
2311 EVP_PKEY
*pkey
=NULL
;
2313 #ifndef OPENSSL_NO_RSA
2316 #ifndef OPENSSL_NO_DH
2320 sc
=s
->session
->sess_cert
;
2324 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,ERR_R_INTERNAL_ERROR
);
2328 algs
=s
->s3
->tmp
.new_cipher
->algorithms
;
2330 /* we don't have a certificate */
2331 if (algs
& (SSL_aDH
|SSL_aNULL
|SSL_aKRB5
))
2334 #ifndef OPENSSL_NO_RSA
2335 rsa
=s
->session
->sess_cert
->peer_rsa_tmp
;
2337 #ifndef OPENSSL_NO_DH
2338 dh
=s
->session
->sess_cert
->peer_dh_tmp
;
2341 /* This is the passed certificate */
2343 idx
=sc
->peer_cert_type
;
2344 #ifndef OPENSSL_NO_ECDH
2345 if (idx
== SSL_PKEY_ECC
)
2347 if (check_srvr_ecc_cert_and_alg(sc
->peer_pkeys
[idx
].x509
,
2348 s
->s3
->tmp
.new_cipher
) == 0)
2349 { /* check failed */
2350 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_BAD_ECC_CERT
);
2359 pkey
=X509_get_pubkey(sc
->peer_pkeys
[idx
].x509
);
2360 i
=X509_certificate_type(sc
->peer_pkeys
[idx
].x509
,pkey
);
2361 EVP_PKEY_free(pkey
);
2364 /* Check that we have a certificate if we require one */
2365 if ((algs
& SSL_aRSA
) && !has_bits(i
,EVP_PK_RSA
|EVP_PKT_SIGN
))
2367 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_RSA_SIGNING_CERT
);
2370 #ifndef OPENSSL_NO_DSA
2371 else if ((algs
& SSL_aDSS
) && !has_bits(i
,EVP_PK_DSA
|EVP_PKT_SIGN
))
2373 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_DSA_SIGNING_CERT
);
2377 #ifndef OPENSSL_NO_RSA
2378 if ((algs
& SSL_kRSA
) &&
2379 !(has_bits(i
,EVP_PK_RSA
|EVP_PKT_ENC
) || (rsa
!= NULL
)))
2381 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_RSA_ENCRYPTING_CERT
);
2385 #ifndef OPENSSL_NO_DH
2386 if ((algs
& SSL_kEDH
) &&
2387 !(has_bits(i
,EVP_PK_DH
|EVP_PKT_EXCH
) || (dh
!= NULL
)))
2389 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_DH_KEY
);
2392 else if ((algs
& SSL_kDHr
) && !has_bits(i
,EVP_PK_DH
|EVP_PKS_RSA
))
2394 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_DH_RSA_CERT
);
2397 #ifndef OPENSSL_NO_DSA
2398 else if ((algs
& SSL_kDHd
) && !has_bits(i
,EVP_PK_DH
|EVP_PKS_DSA
))
2400 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_DH_DSA_CERT
);
2406 if (SSL_C_IS_EXPORT(s
->s3
->tmp
.new_cipher
) && !has_bits(i
,EVP_PKT_EXP
))
2408 #ifndef OPENSSL_NO_RSA
2409 if (algs
& SSL_kRSA
)
2412 || RSA_size(rsa
)*8 > SSL_C_EXPORT_PKEYLENGTH(s
->s3
->tmp
.new_cipher
))
2414 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_EXPORT_TMP_RSA_KEY
);
2420 #ifndef OPENSSL_NO_DH
2421 if (algs
& (SSL_kEDH
|SSL_kDHr
|SSL_kDHd
))
2424 || DH_size(dh
)*8 > SSL_C_EXPORT_PKEYLENGTH(s
->s3
->tmp
.new_cipher
))
2426 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_MISSING_EXPORT_TMP_DH_KEY
);
2433 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM
,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE
);
2439 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_HANDSHAKE_FAILURE
);
2445 #ifndef OPENSSL_NO_ECDH
2446 /* This is the complement of nid2curve_id in s3_srvr.c. */
2447 static int curve_id2nid(int curve_id
)
2449 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2450 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2451 static int nid_list
[26] =
2454 NID_sect163k1
, /* sect163k1 (1) */
2455 NID_sect163r1
, /* sect163r1 (2) */
2456 NID_sect163r2
, /* sect163r2 (3) */
2457 NID_sect193r1
, /* sect193r1 (4) */
2458 NID_sect193r2
, /* sect193r2 (5) */
2459 NID_sect233k1
, /* sect233k1 (6) */
2460 NID_sect233r1
, /* sect233r1 (7) */
2461 NID_sect239k1
, /* sect239k1 (8) */
2462 NID_sect283k1
, /* sect283k1 (9) */
2463 NID_sect283r1
, /* sect283r1 (10) */
2464 NID_sect409k1
, /* sect409k1 (11) */
2465 NID_sect409r1
, /* sect409r1 (12) */
2466 NID_sect571k1
, /* sect571k1 (13) */
2467 NID_sect571r1
, /* sect571r1 (14) */
2468 NID_secp160k1
, /* secp160k1 (15) */
2469 NID_secp160r1
, /* secp160r1 (16) */
2470 NID_secp160r2
, /* secp160r2 (17) */
2471 NID_secp192k1
, /* secp192k1 (18) */
2472 NID_X9_62_prime192v1
, /* secp192r1 (19) */
2473 NID_secp224k1
, /* secp224k1 (20) */
2474 NID_secp224r1
, /* secp224r1 (21) */
2475 NID_secp256k1
, /* secp256k1 (22) */
2476 NID_X9_62_prime256v1
, /* secp256r1 (23) */
2477 NID_secp384r1
, /* secp384r1 (24) */
2478 NID_secp521r1
/* secp521r1 (25) */
2481 if ((curve_id
< 1) || (curve_id
> 25)) return 0;
2483 return nid_list
[curve_id
];