]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/s3_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add support for new TLS export ciphersuites.
[thirdparty/openssl.git] / ssl / s3_srvr.c
1 /* ssl/s3_srvr.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #define REUSE_CIPHER_BUG
60
61 #include <stdio.h>
62 #include "buffer.h"
63 #include "rand.h"
64 #include "objects.h"
65 #include "evp.h"
66 #include "x509.h"
67 #include "ssl_locl.h"
68
69 #define BREAK break
70 /* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
71 * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
72 * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
73 * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
74 * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
75 */
76
77 #ifndef NOPROTO
78 static SSL_METHOD *ssl3_get_server_method(int ver);
79 static int ssl3_get_client_hello(SSL *s);
80 static int ssl3_send_server_hello(SSL *s);
81 static int ssl3_send_server_key_exchange(SSL *s);
82 static int ssl3_send_certificate_request(SSL *s);
83 static int ssl3_send_server_done(SSL *s);
84 static int ssl3_get_cert_verify(SSL *s);
85 static int ssl3_get_client_key_exchange(SSL *s);
86 static int ssl3_get_client_certificate(SSL *s);
87 static int ssl3_send_hello_request(SSL *s);
88
89 #else
90
91 static SSL_METHOD *ssl3_get_server_method();
92 static int ssl3_get_client_hello();
93 static int ssl3_send_server_hello();
94 static int ssl3_send_server_key_exchange();
95 static int ssl3_send_certificate_request();
96 static int ssl3_send_server_done();
97 static int ssl3_get_cert_verify();
98 static int ssl3_get_client_key_exchange();
99 static int ssl3_get_client_certificate();
100 static int ssl3_send_hello_request();
101
102 #endif
103
104 static SSL_METHOD *ssl3_get_server_method(ver)
105 int ver;
106 {
107 if (ver == SSL3_VERSION)
108 return(SSLv3_server_method());
109 else
110 return(NULL);
111 }
112
113 SSL_METHOD *SSLv3_server_method()
114 {
115 static int init=1;
116 static SSL_METHOD SSLv3_server_data;
117
118 if (init)
119 {
120 init=0;
121 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
122 sizeof(SSL_METHOD));
123 SSLv3_server_data.ssl_accept=ssl3_accept;
124 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
125 }
126 return(&SSLv3_server_data);
127 }
128
129 int ssl3_accept(s)
130 SSL *s;
131 {
132 BUF_MEM *buf;
133 unsigned long l,Time=time(NULL);
134 void (*cb)()=NULL;
135 long num1;
136 int ret= -1;
137 CERT *ct;
138 int new_state,state,skip=0;
139
140 RAND_seed(&Time,sizeof(Time));
141 ERR_clear_error();
142 clear_sys_error();
143
144 if (s->info_callback != NULL)
145 cb=s->info_callback;
146 else if (s->ctx->info_callback != NULL)
147 cb=s->ctx->info_callback;
148
149 /* init things to blank */
150 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
151 s->in_handshake++;
152
153 #ifdef undef
154 /* FIX THIS EAY EAY EAY */
155 /* we don't actually need a cert, we just need a cert or a DH_tmp */
156 if (((s->session == NULL) || (s->session->cert == NULL)) &&
157 (s->cert == NULL))
158 {
159 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
160 ret= -1;
161 goto end;
162 }
163 #endif
164
165 for (;;)
166 {
167 state=s->state;
168
169 switch (s->state)
170 {
171 case SSL_ST_RENEGOTIATE:
172 s->new_session=1;
173 /* s->state=SSL_ST_ACCEPT; */
174
175 case SSL_ST_BEFORE:
176 case SSL_ST_ACCEPT:
177 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
178 case SSL_ST_OK|SSL_ST_ACCEPT:
179
180 s->server=1;
181 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
182
183 if ((s->version>>8) != 3)
184 abort();
185 /* s->version=SSL3_VERSION; */
186 s->type=SSL_ST_ACCEPT;
187
188 if (s->init_buf == NULL)
189 {
190 if ((buf=BUF_MEM_new()) == NULL)
191 {
192 ret= -1;
193 goto end;
194 }
195 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
196 {
197 ret= -1;
198 goto end;
199 }
200 s->init_buf=buf;
201 }
202
203 if (!ssl3_setup_buffers(s))
204 {
205 ret= -1;
206 goto end;
207 }
208
209 /* Ok, we now need to push on a buffering BIO so that
210 * the output is sent in a way that TCP likes :-)
211 */
212 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
213
214 s->init_num=0;
215
216 if (s->state != SSL_ST_RENEGOTIATE)
217 {
218 s->state=SSL3_ST_SR_CLNT_HELLO_A;
219 ssl3_init_finished_mac(s);
220 s->ctx->stats.sess_accept++;
221 }
222 else
223 {
224 s->ctx->stats.sess_accept_renegotiate++;
225 s->state=SSL3_ST_SW_HELLO_REQ_A;
226 }
227 break;
228
229 case SSL3_ST_SW_HELLO_REQ_A:
230 case SSL3_ST_SW_HELLO_REQ_B:
231
232 s->shutdown=0;
233 ret=ssl3_send_hello_request(s);
234 if (ret <= 0) goto end;
235 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
236 s->state=SSL3_ST_SW_FLUSH;
237 s->init_num=0;
238
239 ssl3_init_finished_mac(s);
240 break;
241
242 case SSL3_ST_SW_HELLO_REQ_C:
243 s->state=SSL_ST_OK;
244 ret=1;
245 goto end;
246 /* break; */
247
248 case SSL3_ST_SR_CLNT_HELLO_A:
249 case SSL3_ST_SR_CLNT_HELLO_B:
250 case SSL3_ST_SR_CLNT_HELLO_C:
251
252 s->shutdown=0;
253 ret=ssl3_get_client_hello(s);
254 if (ret <= 0) goto end;
255 s->state=SSL3_ST_SW_SRVR_HELLO_A;
256 s->init_num=0;
257 break;
258
259 case SSL3_ST_SW_SRVR_HELLO_A:
260 case SSL3_ST_SW_SRVR_HELLO_B:
261 ret=ssl3_send_server_hello(s);
262 if (ret <= 0) goto end;
263
264 if (s->hit)
265 s->state=SSL3_ST_SW_CHANGE_A;
266 else
267 s->state=SSL3_ST_SW_CERT_A;
268 s->init_num=0;
269 break;
270
271 case SSL3_ST_SW_CERT_A:
272 case SSL3_ST_SW_CERT_B:
273 /* Check if it is anon DH */
274 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
275 {
276 ret=ssl3_send_server_certificate(s);
277 if (ret <= 0) goto end;
278 }
279 else
280 skip=1;
281 s->state=SSL3_ST_SW_KEY_EXCH_A;
282 s->init_num=0;
283 break;
284
285 case SSL3_ST_SW_KEY_EXCH_A:
286 case SSL3_ST_SW_KEY_EXCH_B:
287 l=s->s3->tmp.new_cipher->algorithms;
288 if (s->session->cert == NULL)
289 {
290 if (s->cert != NULL)
291 {
292 CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
293 s->session->cert=s->cert;
294 }
295 else
296 {
297 CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
298 s->session->cert=s->ctx->default_cert;
299 }
300 }
301 ct=s->session->cert;
302
303 /* clear this, it may get reset by
304 * send_server_key_exchange */
305 if (s->options & SSL_OP_EPHEMERAL_RSA)
306 s->s3->tmp.use_rsa_tmp=1;
307 else
308 s->s3->tmp.use_rsa_tmp=0;
309
310 /* only send if a DH key exchange, fortezza or
311 * RSA but we have a sign only certificate */
312 if (s->s3->tmp.use_rsa_tmp
313 || (l & (SSL_DH|SSL_kFZA))
314 || ((l & SSL_kRSA)
315 && (ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
316 || (SSL_IS_EXPORT(l)
317 && EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
318 )
319 )
320 )
321 )
322 {
323 ret=ssl3_send_server_key_exchange(s);
324 if (ret <= 0) goto end;
325 }
326 else
327 skip=1;
328
329 s->state=SSL3_ST_SW_CERT_REQ_A;
330 s->init_num=0;
331 break;
332
333 case SSL3_ST_SW_CERT_REQ_A:
334 case SSL3_ST_SW_CERT_REQ_B:
335 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
336 ((s->session->peer != NULL) &&
337 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
338 {
339 /* no cert request */
340 skip=1;
341 s->s3->tmp.cert_request=0;
342 s->state=SSL3_ST_SW_SRVR_DONE_A;
343 }
344 else
345 {
346 s->s3->tmp.cert_request=1;
347 ret=ssl3_send_certificate_request(s);
348 if (ret <= 0) goto end;
349 s->state=SSL3_ST_SW_SRVR_DONE_A;
350 s->init_num=0;
351 }
352 break;
353
354 case SSL3_ST_SW_SRVR_DONE_A:
355 case SSL3_ST_SW_SRVR_DONE_B:
356 ret=ssl3_send_server_done(s);
357 if (ret <= 0) goto end;
358 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
359 s->state=SSL3_ST_SW_FLUSH;
360 s->init_num=0;
361 break;
362
363 case SSL3_ST_SW_FLUSH:
364 /* number of bytes to be flushed */
365 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
366 if (num1 > 0)
367 {
368 s->rwstate=SSL_WRITING;
369 num1=BIO_flush(s->wbio);
370 if (num1 <= 0) { ret= -1; goto end; }
371 s->rwstate=SSL_NOTHING;
372 }
373
374 s->state=s->s3->tmp.next_state;
375 break;
376
377 case SSL3_ST_SR_CERT_A:
378 case SSL3_ST_SR_CERT_B:
379 /* could be sent for a DH cert, even if we
380 * have not asked for it :-) */
381 ret=ssl3_get_client_certificate(s);
382 if (ret <= 0) goto end;
383 s->init_num=0;
384 s->state=SSL3_ST_SR_KEY_EXCH_A;
385 break;
386
387 case SSL3_ST_SR_KEY_EXCH_A:
388 case SSL3_ST_SR_KEY_EXCH_B:
389 ret=ssl3_get_client_key_exchange(s);
390 if (ret <= 0) goto end;
391 s->state=SSL3_ST_SR_CERT_VRFY_A;
392 s->init_num=0;
393
394 /* We need to get hashes here so if there is
395 * a client cert, it can be verified */
396 s->method->ssl3_enc->cert_verify_mac(s,
397 &(s->s3->finish_dgst1),
398 &(s->s3->tmp.finish_md[0]));
399 s->method->ssl3_enc->cert_verify_mac(s,
400 &(s->s3->finish_dgst2),
401 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
402
403 break;
404
405 case SSL3_ST_SR_CERT_VRFY_A:
406 case SSL3_ST_SR_CERT_VRFY_B:
407
408 /* we should decide if we expected this one */
409 ret=ssl3_get_cert_verify(s);
410 if (ret <= 0) goto end;
411
412 s->state=SSL3_ST_SR_FINISHED_A;
413 s->init_num=0;
414 break;
415
416 case SSL3_ST_SR_FINISHED_A:
417 case SSL3_ST_SR_FINISHED_B:
418 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
419 SSL3_ST_SR_FINISHED_B);
420 if (ret <= 0) goto end;
421 if (s->hit)
422 s->state=SSL_ST_OK;
423 else
424 s->state=SSL3_ST_SW_CHANGE_A;
425 s->init_num=0;
426 break;
427
428 case SSL3_ST_SW_CHANGE_A:
429 case SSL3_ST_SW_CHANGE_B:
430
431 s->session->cipher=s->s3->tmp.new_cipher;
432 if (!s->method->ssl3_enc->setup_key_block(s))
433 { ret= -1; goto end; }
434
435 ret=ssl3_send_change_cipher_spec(s,
436 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
437
438 if (ret <= 0) goto end;
439 s->state=SSL3_ST_SW_FINISHED_A;
440 s->init_num=0;
441
442 if (!s->method->ssl3_enc->change_cipher_state(s,
443 SSL3_CHANGE_CIPHER_SERVER_WRITE))
444 {
445 ret= -1;
446 goto end;
447 }
448
449 break;
450
451 case SSL3_ST_SW_FINISHED_A:
452 case SSL3_ST_SW_FINISHED_B:
453 ret=ssl3_send_finished(s,
454 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
455 s->method->ssl3_enc->server_finished,
456 s->method->ssl3_enc->server_finished_len);
457 if (ret <= 0) goto end;
458 s->state=SSL3_ST_SW_FLUSH;
459 if (s->hit)
460 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
461 else
462 s->s3->tmp.next_state=SSL_ST_OK;
463 s->init_num=0;
464 break;
465
466 case SSL_ST_OK:
467 /* clean a few things up */
468 ssl3_cleanup_key_block(s);
469
470 BUF_MEM_free(s->init_buf);
471 s->init_buf=NULL;
472
473 /* remove buffering on output */
474 ssl_free_wbio_buffer(s);
475
476 s->new_session=0;
477 s->init_num=0;
478
479 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
480
481 s->ctx->stats.sess_accept_good++;
482 /* s->server=1; */
483 s->handshake_func=ssl3_accept;
484 ret=1;
485
486 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
487
488 goto end;
489 /* break; */
490
491 default:
492 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
493 ret= -1;
494 goto end;
495 /* break; */
496 }
497
498 if (!s->s3->tmp.reuse_message && !skip)
499 {
500 if (s->debug)
501 {
502 if ((ret=BIO_flush(s->wbio)) <= 0)
503 goto end;
504 }
505
506
507 if ((cb != NULL) && (s->state != state))
508 {
509 new_state=s->state;
510 s->state=state;
511 cb(s,SSL_CB_ACCEPT_LOOP,1);
512 s->state=new_state;
513 }
514 }
515 skip=0;
516 }
517 end:
518 /* BIO_flush(s->wbio); */
519
520 if (cb != NULL)
521 cb(s,SSL_CB_ACCEPT_EXIT,ret);
522 s->in_handshake--;
523 return(ret);
524 }
525
526 static int ssl3_send_hello_request(s)
527 SSL *s;
528 {
529 unsigned char *p;
530
531 if (s->state == SSL3_ST_SW_HELLO_REQ_A)
532 {
533 p=(unsigned char *)s->init_buf->data;
534 *(p++)=SSL3_MT_CLIENT_REQUEST;
535 *(p++)=0;
536 *(p++)=0;
537 *(p++)=0;
538
539 s->state=SSL3_ST_SW_HELLO_REQ_B;
540 /* number of bytes to write */
541 s->init_num=4;
542 s->init_off=0;
543 }
544
545 /* SSL3_ST_SW_HELLO_REQ_B */
546 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
547 }
548
549 static int ssl3_get_client_hello(s)
550 SSL *s;
551 {
552 int i,j,ok,al,ret= -1;
553 long n;
554 unsigned long id;
555 unsigned char *p,*d,*q;
556 SSL_CIPHER *c;
557 SSL_COMP *comp=NULL;
558 STACK *ciphers=NULL;
559
560 /* We do this so that we will respond with our native type.
561 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
562 * This down switching should be handled by a different method.
563 * If we are SSLv3, we will respond with SSLv3, even if prompted with
564 * TLSv1.
565 */
566 if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
567 {
568 s->first_packet=1;
569 s->state=SSL3_ST_SR_CLNT_HELLO_B;
570 }
571 n=ssl3_get_message(s,
572 SSL3_ST_SR_CLNT_HELLO_B,
573 SSL3_ST_SR_CLNT_HELLO_C,
574 SSL3_MT_CLIENT_HELLO,
575 SSL3_RT_MAX_PLAIN_LENGTH,
576 &ok);
577
578 if (!ok) return((int)n);
579 d=p=(unsigned char *)s->init_buf->data;
580
581 /* The version number has already been checked in ssl3_get_message.
582 * I a native TLSv1/SSLv3 method, the match must be correct except
583 * perhaps for the first message */
584 /* s->client_version=(((int)p[0])<<8)|(int)p[1]; */
585 p+=2;
586
587 /* load the client random */
588 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
589 p+=SSL3_RANDOM_SIZE;
590
591 /* get the session-id */
592 j= *(p++);
593
594 s->hit=0;
595 if (j == 0)
596 {
597 if (!ssl_get_new_session(s,1))
598 goto err;
599 }
600 else
601 {
602 i=ssl_get_prev_session(s,p,j);
603 if (i == 1)
604 { /* previous session */
605 s->hit=1;
606 }
607 else
608 {
609 if (!ssl_get_new_session(s,1))
610 goto err;
611 }
612 }
613
614 p+=j;
615 n2s(p,i);
616 if ((i == 0) && (j != 0))
617 {
618 /* we need a cipher if we are not resuming a session */
619 al=SSL_AD_ILLEGAL_PARAMETER;
620 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
621 goto f_err;
622 }
623 if ((i+p) > (d+n))
624 {
625 /* not enough data */
626 al=SSL_AD_DECODE_ERROR;
627 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
628 goto f_err;
629 }
630 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
631 == NULL))
632 {
633 goto err;
634 }
635 p+=i;
636
637 /* If it is a hit, check that the cipher is in the list */
638 if ((s->hit) && (i > 0))
639 {
640 j=0;
641 id=s->session->cipher->id;
642
643 #ifdef CIPHER_DEBUG
644 printf("client sent %d ciphers\n",sk_num(ciphers));
645 #endif
646 for (i=0; i<sk_num(ciphers); i++)
647 {
648 c=(SSL_CIPHER *)sk_value(ciphers,i);
649 #ifdef CIPHER_DEBUG
650 printf("client [%2d of %2d]:%s\n",
651 i,sk_num(ciphers),SSL_CIPHER_get_name(c));
652 #endif
653 if (c->id == id)
654 {
655 j=1;
656 break;
657 }
658 }
659 if (j == 0)
660 {
661 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1))
662 {
663 /* Very bad for multi-threading.... */
664 s->session->cipher=
665 (SSL_CIPHER *)sk_value(ciphers,0);
666 }
667 else
668 {
669 /* we need to have the cipher in the cipher
670 * list if we are asked to reuse it */
671 al=SSL_AD_ILLEGAL_PARAMETER;
672 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
673 goto f_err;
674 }
675 }
676 }
677
678 /* compression */
679 i= *(p++);
680 q=p;
681 for (j=0; j<i; j++)
682 {
683 if (p[j] == 0) break;
684 }
685
686 p+=i;
687 if (j >= i)
688 {
689 /* no compress */
690 al=SSL_AD_DECODE_ERROR;
691 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
692 goto f_err;
693 }
694
695 /* Worst case, we will use the NULL compression, but if we have other
696 * options, we will now look for them. We have i-1 compression
697 * algorithms from the client, starting at q. */
698 s->s3->tmp.new_compression=NULL;
699 if (s->ctx->comp_methods != NULL)
700 { /* See if we have a match */
701 int m,nn,o,v,done=0;
702
703 nn=sk_num(s->ctx->comp_methods);
704 for (m=0; m<nn; m++)
705 {
706 comp=(SSL_COMP *)sk_value(s->ctx->comp_methods,m);
707 v=comp->id;
708 for (o=0; o<i; o++)
709 {
710 if (v == q[o])
711 {
712 done=1;
713 break;
714 }
715 }
716 if (done) break;
717 }
718 if (done)
719 s->s3->tmp.new_compression=comp;
720 else
721 comp=NULL;
722 }
723
724 /* TLS does not mind if there is extra stuff */
725 if (s->version == SSL3_VERSION)
726 {
727 if (p > (d+n))
728 {
729 /* wrong number of bytes,
730 * there could be more to follow */
731 al=SSL_AD_DECODE_ERROR;
732 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
733 goto f_err;
734 }
735 }
736
737 /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
738 * pick a cipher */
739
740 if (!s->hit)
741 {
742 s->session->compress_meth=(comp == NULL)?0:comp->id;
743 if (s->session->ciphers != NULL)
744 sk_free(s->session->ciphers);
745 s->session->ciphers=ciphers;
746 if (ciphers == NULL)
747 {
748 al=SSL_AD_ILLEGAL_PARAMETER;
749 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
750 goto f_err;
751 }
752 ciphers=NULL;
753 c=ssl3_choose_cipher(s,s->session->ciphers,
754 ssl_get_ciphers_by_id(s));
755
756 if (c == NULL)
757 {
758 al=SSL_AD_HANDSHAKE_FAILURE;
759 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
760 goto f_err;
761 }
762 s->s3->tmp.new_cipher=c;
763 }
764 else
765 {
766 /* Session-id reuse */
767 #ifdef REUSE_CIPHER_BUG
768 STACK *sk;
769 SSL_CIPHER *nc=NULL;
770 SSL_CIPHER *ec=NULL;
771
772 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
773 {
774 sk=s->session->ciphers;
775 for (i=0; i<sk_num(sk); i++)
776 {
777 c=(SSL_CIPHER *)sk_value(sk,i);
778 if (c->algorithms & SSL_eNULL)
779 nc=c;
780 if (SSL_C_IS_EXPORT(c))
781 ec=c;
782 }
783 if (nc != NULL)
784 s->s3->tmp.new_cipher=nc;
785 else if (ec != NULL)
786 s->s3->tmp.new_cipher=ec;
787 else
788 s->s3->tmp.new_cipher=s->session->cipher;
789 }
790 else
791 #endif
792 s->s3->tmp.new_cipher=s->session->cipher;
793 }
794
795 /* we now have the following setup.
796 * client_random
797 * cipher_list - our prefered list of ciphers
798 * ciphers - the clients prefered list of ciphers
799 * compression - basically ignored right now
800 * ssl version is set - sslv3
801 * s->session - The ssl session has been setup.
802 * s->hit - sesson reuse flag
803 * s->tmp.new_cipher - the new cipher to use.
804 */
805
806 ret=1;
807 if (0)
808 {
809 f_err:
810 ssl3_send_alert(s,SSL3_AL_FATAL,al);
811 }
812 err:
813 if (ciphers != NULL) sk_free(ciphers);
814 return(ret);
815 }
816
817 static int ssl3_send_server_hello(s)
818 SSL *s;
819 {
820 unsigned char *buf;
821 unsigned char *p,*d;
822 int i,sl;
823 unsigned long l,Time;
824
825 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
826 {
827 buf=(unsigned char *)s->init_buf->data;
828 p=s->s3->server_random;
829 Time=time(NULL); /* Time */
830 l2n(Time,p);
831 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
832 /* Do the message type and length last */
833 d=p= &(buf[4]);
834
835 *(p++)=s->version>>8;
836 *(p++)=s->version&0xff;
837
838 /* Random stuff */
839 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
840 p+=SSL3_RANDOM_SIZE;
841
842 /* now in theory we have 3 options to sending back the
843 * session id. If it is a re-use, we send back the
844 * old session-id, if it is a new session, we send
845 * back the new session-id or we send back a 0 length
846 * session-id if we want it to be single use.
847 * Currently I will not implement the '0' length session-id
848 * 12-Jan-98 - I'll now support the '0' length stuff.
849 */
850 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
851 s->session->session_id_length=0;
852
853 sl=s->session->session_id_length;
854 *(p++)=sl;
855 memcpy(p,s->session->session_id,sl);
856 p+=sl;
857
858 /* put the cipher */
859 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
860 p+=i;
861
862 /* put the compression method */
863 if (s->s3->tmp.new_compression == NULL)
864 *(p++)=0;
865 else
866 *(p++)=s->s3->tmp.new_compression->id;
867
868 /* do the header */
869 l=(p-d);
870 d=buf;
871 *(d++)=SSL3_MT_SERVER_HELLO;
872 l2n3(l,d);
873
874 s->state=SSL3_ST_CW_CLNT_HELLO_B;
875 /* number of bytes to write */
876 s->init_num=p-buf;
877 s->init_off=0;
878 }
879
880 /* SSL3_ST_CW_CLNT_HELLO_B */
881 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
882 }
883
884 static int ssl3_send_server_done(s)
885 SSL *s;
886 {
887 unsigned char *p;
888
889 if (s->state == SSL3_ST_SW_SRVR_DONE_A)
890 {
891 p=(unsigned char *)s->init_buf->data;
892
893 /* do the header */
894 *(p++)=SSL3_MT_SERVER_DONE;
895 *(p++)=0;
896 *(p++)=0;
897 *(p++)=0;
898
899 s->state=SSL3_ST_SW_SRVR_DONE_B;
900 /* number of bytes to write */
901 s->init_num=4;
902 s->init_off=0;
903 }
904
905 /* SSL3_ST_CW_CLNT_HELLO_B */
906 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
907 }
908
909 static int ssl3_send_server_key_exchange(s)
910 SSL *s;
911 {
912 #ifndef NO_RSA
913 unsigned char *q;
914 int j,num;
915 RSA *rsa;
916 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
917 #endif
918 #ifndef NO_DH
919 DH *dh,*dhp;
920 #endif
921 EVP_PKEY *pkey;
922 unsigned char *p,*d;
923 int al,i;
924 unsigned long type;
925 int n;
926 CERT *cert;
927 BIGNUM *r[4];
928 int nr[4],kn;
929 BUF_MEM *buf;
930 EVP_MD_CTX md_ctx;
931
932 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
933 {
934 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
935 cert=s->session->cert;
936
937 buf=s->init_buf;
938
939 r[0]=r[1]=r[2]=r[3]=NULL;
940 n=0;
941 #ifndef NO_RSA
942 if (type & SSL_kRSA)
943 {
944 rsa=cert->rsa_tmp;
945 if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
946 {
947 rsa=s->ctx->default_cert->rsa_tmp_cb(s,
948 !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher));
949 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
950 cert->rsa_tmp=rsa;
951 }
952 if (rsa == NULL)
953 {
954 al=SSL_AD_HANDSHAKE_FAILURE;
955 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
956 goto f_err;
957 }
958 r[0]=rsa->n;
959 r[1]=rsa->e;
960 s->s3->tmp.use_rsa_tmp=1;
961 }
962 else
963 #endif
964 #ifndef NO_DH
965 if (type & SSL_kEDH)
966 {
967 dhp=cert->dh_tmp;
968 if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
969 dhp=cert->dh_tmp_cb(s,
970 !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher));
971 if (dhp == NULL)
972 {
973 al=SSL_AD_HANDSHAKE_FAILURE;
974 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
975 goto f_err;
976 }
977 if ((dh=DHparams_dup(dhp)) == NULL)
978 {
979 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
980 goto err;
981 }
982
983 s->s3->tmp.dh=dh;
984 if ((dhp->pub_key == NULL ||
985 dhp->priv_key == NULL ||
986 (s->options & SSL_OP_SINGLE_DH_USE)))
987 {
988 if(!DH_generate_key(dh))
989 {
990 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
991 ERR_R_DH_LIB);
992 goto err;
993 }
994 }
995 else
996 {
997 dh->pub_key=BN_dup(dhp->pub_key);
998 dh->priv_key=BN_dup(dhp->priv_key);
999 if ((dh->pub_key == NULL) ||
1000 (dh->priv_key == NULL))
1001 {
1002 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1003 goto err;
1004 }
1005 }
1006 r[0]=dh->p;
1007 r[1]=dh->g;
1008 r[2]=dh->pub_key;
1009 }
1010 else
1011 #endif
1012 {
1013 al=SSL_AD_HANDSHAKE_FAILURE;
1014 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1015 goto f_err;
1016 }
1017 for (i=0; r[i] != NULL; i++)
1018 {
1019 nr[i]=BN_num_bytes(r[i]);
1020 n+=2+nr[i];
1021 }
1022
1023 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
1024 {
1025 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
1026 == NULL)
1027 {
1028 al=SSL_AD_DECODE_ERROR;
1029 goto f_err;
1030 }
1031 kn=EVP_PKEY_size(pkey);
1032 }
1033 else
1034 {
1035 pkey=NULL;
1036 kn=0;
1037 }
1038
1039 if (!BUF_MEM_grow(buf,n+4+kn))
1040 {
1041 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1042 goto err;
1043 }
1044 d=(unsigned char *)s->init_buf->data;
1045 p= &(d[4]);
1046
1047 for (i=0; r[i] != NULL; i++)
1048 {
1049 s2n(nr[i],p);
1050 BN_bn2bin(r[i],p);
1051 p+=nr[i];
1052 }
1053
1054 /* not anonymous */
1055 if (pkey != NULL)
1056 {
1057 /* n is the length of the params, they start at &(d[4])
1058 * and p points to the space at the end. */
1059 #ifndef NO_RSA
1060 if (pkey->type == EVP_PKEY_RSA)
1061 {
1062 q=md_buf;
1063 j=0;
1064 for (num=2; num > 0; num--)
1065 {
1066 EVP_DigestInit(&md_ctx,(num == 2)
1067 ?s->ctx->md5:s->ctx->sha1);
1068 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1069 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1070 EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1071 EVP_DigestFinal(&md_ctx,q,
1072 (unsigned int *)&i);
1073 q+=i;
1074 j+=i;
1075 }
1076 i=RSA_private_encrypt(j,md_buf,&(p[2]),
1077 pkey->pkey.rsa,RSA_PKCS1_PADDING);
1078 if (i <= 0)
1079 {
1080 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1081 goto err;
1082 }
1083 s2n(i,p);
1084 n+=i+2;
1085 }
1086 else
1087 #endif
1088 #if !defined(NO_DSA)
1089 if (pkey->type == EVP_PKEY_DSA)
1090 {
1091 /* lets do DSS */
1092 EVP_SignInit(&md_ctx,EVP_dss1());
1093 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1094 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1095 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1096 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1097 (unsigned int *)&i,pkey))
1098 {
1099 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1100 goto err;
1101 }
1102 s2n(i,p);
1103 n+=i+2;
1104 }
1105 else
1106 #endif
1107 {
1108 /* Is this error check actually needed? */
1109 al=SSL_AD_HANDSHAKE_FAILURE;
1110 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1111 goto f_err;
1112 }
1113 }
1114
1115 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
1116 l2n3(n,d);
1117
1118 /* we should now have things packed up, so lets send
1119 * it off */
1120 s->init_num=n+4;
1121 s->init_off=0;
1122 }
1123
1124 /* SSL3_ST_SW_KEY_EXCH_B */
1125 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1126 f_err:
1127 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1128 err:
1129 return(-1);
1130 }
1131
1132 static int ssl3_send_certificate_request(s)
1133 SSL *s;
1134 {
1135 unsigned char *p,*d;
1136 int i,j,nl,off,n;
1137 STACK *sk=NULL;
1138 X509_NAME *name;
1139 BUF_MEM *buf;
1140
1141 if (s->state == SSL3_ST_SW_CERT_REQ_A)
1142 {
1143 buf=s->init_buf;
1144
1145 d=p=(unsigned char *)&(buf->data[4]);
1146
1147 /* get the list of acceptable cert types */
1148 p++;
1149 n=ssl3_get_req_cert_type(s,p);
1150 d[0]=n;
1151 p+=n;
1152 n++;
1153
1154 off=n;
1155 p+=2;
1156 n+=2;
1157
1158 sk=SSL_get_client_CA_list(s);
1159 nl=0;
1160 if (sk != NULL)
1161 {
1162 for (i=0; i<sk_num(sk); i++)
1163 {
1164 name=(X509_NAME *)sk_value(sk,i);
1165 j=i2d_X509_NAME(name,NULL);
1166 if (!BUF_MEM_grow(buf,4+n+j+2))
1167 {
1168 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1169 goto err;
1170 }
1171 p=(unsigned char *)&(buf->data[4+n]);
1172 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1173 {
1174 s2n(j,p);
1175 i2d_X509_NAME(name,&p);
1176 n+=2+j;
1177 nl+=2+j;
1178 }
1179 else
1180 {
1181 d=p;
1182 i2d_X509_NAME(name,&p);
1183 j-=2; s2n(j,d); j+=2;
1184 n+=j;
1185 nl+=j;
1186 }
1187 }
1188 }
1189 /* else no CA names */
1190 p=(unsigned char *)&(buf->data[4+off]);
1191 s2n(nl,p);
1192
1193 d=(unsigned char *)buf->data;
1194 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1195 l2n3(n,d);
1196
1197 /* we should now have things packed up, so lets send
1198 * it off */
1199
1200 s->init_num=n+4;
1201 s->init_off=0;
1202 }
1203
1204 /* SSL3_ST_SW_CERT_REQ_B */
1205 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1206 err:
1207 return(-1);
1208 }
1209
1210 static int ssl3_get_client_key_exchange(s)
1211 SSL *s;
1212 {
1213 int i,al,ok;
1214 long n;
1215 unsigned long l;
1216 unsigned char *p;
1217 RSA *rsa=NULL;
1218 EVP_PKEY *pkey=NULL;
1219 #ifndef NO_DH
1220 BIGNUM *pub=NULL;
1221 DH *dh_srvr;
1222 #endif
1223
1224 n=ssl3_get_message(s,
1225 SSL3_ST_SR_KEY_EXCH_A,
1226 SSL3_ST_SR_KEY_EXCH_B,
1227 SSL3_MT_CLIENT_KEY_EXCHANGE,
1228 400, /* ???? */
1229 &ok);
1230
1231 if (!ok) return((int)n);
1232 p=(unsigned char *)s->init_buf->data;
1233
1234 l=s->s3->tmp.new_cipher->algorithms;
1235
1236 #ifndef NO_RSA
1237 if (l & SSL_kRSA)
1238 {
1239 /* FIX THIS UP EAY EAY EAY EAY */
1240 if (s->s3->tmp.use_rsa_tmp)
1241 {
1242 if ((s->session->cert != NULL) &&
1243 (s->session->cert->rsa_tmp != NULL))
1244 rsa=s->session->cert->rsa_tmp;
1245 else if ((s->ctx->default_cert != NULL) &&
1246 (s->ctx->default_cert->rsa_tmp != NULL))
1247 rsa=s->ctx->default_cert->rsa_tmp;
1248 /* Don't do a callback because rsa_tmp should
1249 * be sent already */
1250 if (rsa == NULL)
1251 {
1252 al=SSL_AD_HANDSHAKE_FAILURE;
1253 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
1254 goto f_err;
1255
1256 }
1257 }
1258 else
1259 {
1260 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1261 if ( (pkey == NULL) ||
1262 (pkey->type != EVP_PKEY_RSA) ||
1263 (pkey->pkey.rsa == NULL))
1264 {
1265 al=SSL_AD_HANDSHAKE_FAILURE;
1266 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
1267 goto f_err;
1268 }
1269 rsa=pkey->pkey.rsa;
1270 }
1271
1272 /* TLS */
1273 if (s->version > SSL3_VERSION)
1274 {
1275 n2s(p,i);
1276 if (n != i+2)
1277 {
1278 if (!(s->options & SSL_OP_TLS_D5_BUG))
1279 {
1280 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1281 goto err;
1282 }
1283 else
1284 p-=2;
1285 }
1286 else
1287 n=i;
1288 }
1289
1290 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1291
1292 #if 1
1293 /* If a bad decrypt, use a random master key */
1294 if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
1295 ((p[0] != (s->client_version>>8)) ||
1296 (p[1] != (s->client_version & 0xff))))
1297 {
1298 int bad=1;
1299
1300 if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
1301 (p[0] == (s->version>>8)) &&
1302 (p[1] == 0))
1303 {
1304 if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
1305 bad=0;
1306 }
1307 if (bad)
1308 {
1309 p[0]=(s->version>>8);
1310 p[1]=(s->version & 0xff);
1311 RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1312 i=SSL_MAX_MASTER_KEY_LENGTH;
1313 }
1314 /* else, an SSLeay bug, ssl only server, tls client */
1315 }
1316 #else
1317 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1318 {
1319 al=SSL_AD_DECODE_ERROR;
1320 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1321 goto f_err;
1322 }
1323
1324 if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
1325 {
1326 al=SSL_AD_DECODE_ERROR;
1327 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1328 goto f_err;
1329 }
1330 #endif
1331
1332 s->session->master_key_length=
1333 s->method->ssl3_enc->generate_master_secret(s,
1334 s->session->master_key,
1335 p,i);
1336 memset(p,0,i);
1337 }
1338 else
1339 #endif
1340 #ifndef NO_DH
1341 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1342 {
1343 n2s(p,i);
1344 if (n != i+2)
1345 {
1346 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1347 {
1348 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1349 goto err;
1350 }
1351 else
1352 {
1353 p-=2;
1354 i=(int)n;
1355 }
1356 }
1357
1358 if (n == 0L) /* the parameters are in the cert */
1359 {
1360 al=SSL_AD_HANDSHAKE_FAILURE;
1361 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1362 goto f_err;
1363 }
1364 else
1365 {
1366 if (s->s3->tmp.dh == NULL)
1367 {
1368 al=SSL_AD_HANDSHAKE_FAILURE;
1369 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1370 goto f_err;
1371 }
1372 else
1373 dh_srvr=s->s3->tmp.dh;
1374 }
1375
1376 pub=BN_bin2bn(p,i,NULL);
1377 if (pub == NULL)
1378 {
1379 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
1380 goto err;
1381 }
1382
1383 i=DH_compute_key(p,pub,dh_srvr);
1384
1385 if (i <= 0)
1386 {
1387 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1388 goto err;
1389 }
1390
1391 DH_free(s->s3->tmp.dh);
1392 s->s3->tmp.dh=NULL;
1393
1394 BN_clear_free(pub);
1395 pub=NULL;
1396 s->session->master_key_length=
1397 s->method->ssl3_enc->generate_master_secret(s,
1398 s->session->master_key,p,i);
1399 }
1400 else
1401 #endif
1402 {
1403 al=SSL_AD_HANDSHAKE_FAILURE;
1404 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
1405 goto f_err;
1406 }
1407
1408 return(1);
1409 f_err:
1410 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1411 #if !defined(NO_DH) || !defined(NO_RSA)
1412 err:
1413 #endif
1414 return(-1);
1415 }
1416
1417 static int ssl3_get_cert_verify(s)
1418 SSL *s;
1419 {
1420 EVP_PKEY *pkey=NULL;
1421 unsigned char *p;
1422 int al,ok,ret=0;
1423 long n;
1424 int type=0,i,j;
1425 X509 *peer;
1426
1427 n=ssl3_get_message(s,
1428 SSL3_ST_SR_CERT_VRFY_A,
1429 SSL3_ST_SR_CERT_VRFY_B,
1430 -1,
1431 512, /* 512? */
1432 &ok);
1433
1434 if (!ok) return((int)n);
1435
1436 if (s->session->peer != NULL)
1437 {
1438 peer=s->session->peer;
1439 pkey=X509_get_pubkey(peer);
1440 type=X509_certificate_type(peer,pkey);
1441 }
1442 else
1443 {
1444 peer=NULL;
1445 pkey=NULL;
1446 }
1447
1448 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
1449 {
1450 s->s3->tmp.reuse_message=1;
1451 if ((peer != NULL) && (type | EVP_PKT_SIGN))
1452 {
1453 al=SSL_AD_UNEXPECTED_MESSAGE;
1454 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
1455 goto f_err;
1456 }
1457 ret=1;
1458 goto end;
1459 }
1460
1461 if (peer == NULL)
1462 {
1463 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
1464 al=SSL_AD_UNEXPECTED_MESSAGE;
1465 goto f_err;
1466 }
1467
1468 if (!(type & EVP_PKT_SIGN))
1469 {
1470 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1471 al=SSL_AD_ILLEGAL_PARAMETER;
1472 goto f_err;
1473 }
1474
1475 if (s->s3->change_cipher_spec)
1476 {
1477 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1478 al=SSL_AD_UNEXPECTED_MESSAGE;
1479 goto f_err;
1480 }
1481
1482 /* we now have a signature that we need to verify */
1483 p=(unsigned char *)s->init_buf->data;
1484 n2s(p,i);
1485 n-=2;
1486 if (i > n)
1487 {
1488 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
1489 al=SSL_AD_DECODE_ERROR;
1490 goto f_err;
1491 }
1492
1493 j=EVP_PKEY_size(pkey);
1494 if ((i > j) || (n > j) || (n <= 0))
1495 {
1496 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
1497 al=SSL_AD_DECODE_ERROR;
1498 goto f_err;
1499 }
1500
1501 #ifndef NO_RSA
1502 if (pkey->type == EVP_PKEY_RSA)
1503 {
1504 i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
1505 if (i < 0)
1506 {
1507 al=SSL_AD_DECRYPT_ERROR;
1508 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1509 goto f_err;
1510 }
1511 if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
1512 memcmp(&(s->s3->tmp.finish_md[0]),p,
1513 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
1514 {
1515 al=SSL_AD_DECRYPT_ERROR;
1516 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
1517 goto f_err;
1518 }
1519 }
1520 else
1521 #endif
1522 #ifndef NO_DSA
1523 if (pkey->type == EVP_PKEY_DSA)
1524 {
1525 j=DSA_verify(pkey->save_type,
1526 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
1527 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1528 if (j <= 0)
1529 {
1530 /* bad signature */
1531 al=SSL_AD_DECRYPT_ERROR;
1532 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
1533 goto f_err;
1534 }
1535 }
1536 else
1537 #endif
1538 {
1539 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
1540 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1541 goto f_err;
1542 }
1543
1544
1545 ret=1;
1546 if (0)
1547 {
1548 f_err:
1549 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1550 }
1551 end:
1552 EVP_PKEY_free(pkey);
1553 return(ret);
1554 }
1555
1556 static int ssl3_get_client_certificate(s)
1557 SSL *s;
1558 {
1559 int i,ok,al,ret= -1;
1560 X509 *x=NULL;
1561 unsigned long l,nc,llen,n;
1562 unsigned char *p,*d,*q;
1563 STACK *sk=NULL;
1564
1565 n=ssl3_get_message(s,
1566 SSL3_ST_SR_CERT_A,
1567 SSL3_ST_SR_CERT_B,
1568 -1,
1569 #if defined(MSDOS) && !defined(WIN32)
1570 1024*30, /* 30k max cert list :-) */
1571 #else
1572 1024*100, /* 100k max cert list :-) */
1573 #endif
1574 &ok);
1575
1576 if (!ok) return((int)n);
1577
1578 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
1579 {
1580 if ( (s->verify_mode & SSL_VERIFY_PEER) &&
1581 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1582 {
1583 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1584 al=SSL_AD_HANDSHAKE_FAILURE;
1585 goto f_err;
1586 }
1587 /* If tls asked for a client cert we must return a 0 list */
1588 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1589 {
1590 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
1591 al=SSL_AD_UNEXPECTED_MESSAGE;
1592 goto f_err;
1593 }
1594 s->s3->tmp.reuse_message=1;
1595 return(1);
1596 }
1597
1598 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1599 {
1600 al=SSL_AD_UNEXPECTED_MESSAGE;
1601 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1602 goto f_err;
1603 }
1604 d=p=(unsigned char *)s->init_buf->data;
1605
1606 if ((sk=sk_new_null()) == NULL)
1607 {
1608 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1609 goto err;
1610 }
1611
1612 n2l3(p,llen);
1613 if (llen+3 != n)
1614 {
1615 al=SSL_AD_DECODE_ERROR;
1616 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1617 goto f_err;
1618 }
1619 for (nc=0; nc<llen; )
1620 {
1621 n2l3(p,l);
1622 if ((l+nc+3) > llen)
1623 {
1624 al=SSL_AD_DECODE_ERROR;
1625 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1626 goto f_err;
1627 }
1628
1629 q=p;
1630 x=d2i_X509(NULL,&p,l);
1631 if (x == NULL)
1632 {
1633 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
1634 goto err;
1635 }
1636 if (p != (q+l))
1637 {
1638 al=SSL_AD_DECODE_ERROR;
1639 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1640 goto f_err;
1641 }
1642 if (!sk_push(sk,(char *)x))
1643 {
1644 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1645 goto err;
1646 }
1647 x=NULL;
1648 nc+=l+3;
1649 }
1650
1651 if (sk_num(sk) <= 0)
1652 {
1653 /* TLS does not mind 0 certs returned */
1654 if (s->version == SSL3_VERSION)
1655 {
1656 al=SSL_AD_HANDSHAKE_FAILURE;
1657 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
1658 goto f_err;
1659 }
1660 /* Fail for TLS only if we required a certificate */
1661 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
1662 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1663 {
1664 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1665 al=SSL_AD_HANDSHAKE_FAILURE;
1666 goto f_err;
1667 }
1668 }
1669 else
1670 {
1671 i=ssl_verify_cert_chain(s,sk);
1672 if (!i)
1673 {
1674 al=ssl_verify_alarm_type(s->verify_result);
1675 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
1676 goto f_err;
1677 }
1678 }
1679
1680 /* This should not be needed */
1681 if (s->session->peer != NULL)
1682 X509_free(s->session->peer);
1683 s->session->peer=(X509 *)sk_shift(sk);
1684
1685 ret=1;
1686 if (0)
1687 {
1688 f_err:
1689 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1690 }
1691 err:
1692 if (x != NULL) X509_free(x);
1693 if (sk != NULL) sk_pop_free(sk,X509_free);
1694 return(ret);
1695 }
1696
1697 int ssl3_send_server_certificate(s)
1698 SSL *s;
1699 {
1700 unsigned long l;
1701 X509 *x;
1702
1703 if (s->state == SSL3_ST_SW_CERT_A)
1704 {
1705 x=ssl_get_server_send_cert(s);
1706 if (x == NULL)
1707 {
1708 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
1709 return(0);
1710 }
1711
1712 l=ssl3_output_cert_chain(s,x);
1713 s->state=SSL3_ST_SW_CERT_B;
1714 s->init_num=(int)l;
1715 s->init_off=0;
1716 }
1717
1718 /* SSL3_ST_SW_CERT_B */
1719 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1720 }
A mirror of the official openssl repository