Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 95c29f3cd1f6c08c6c0927868683392eea727ccb / . / ssl / s3_clnt.c
blob: 969891625a4102e93fa86b618d5f2162f2bdf98c [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame^]1/* ssl/s3_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
150
151#include <stdio.h>
152
153#include <openssl/buf.h>
154#include <openssl/rand.h>
155#include <openssl/obj.h>
156#include <openssl/evp.h>
157#include <openssl/mem.h>
158#include <openssl/md5.h>
159#include <openssl/dh.h>
160#include <openssl/bn.h>
161#include <openssl/engine.h>
162#include <openssl/x509.h>
163
164#include "ssl_locl.h"
165#include "../crypto/dh/internal.h"
166
167static const SSL_METHOD *ssl3_get_client_method(int ver);
168
169static const SSL_METHOD *ssl3_get_client_method(int ver)
170 {
171 if (ver == SSL3_VERSION)
172 return(SSLv3_client_method());
173 else
174 return(NULL);
175 }
176
177IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
178 ssl_undefined_function,
179 ssl3_connect,
180 ssl3_get_client_method)
181
182int ssl3_connect(SSL *s)
183 {
184 BUF_MEM *buf=NULL;
185 void (*cb)(const SSL *ssl,int type,int val)=NULL;
186 int ret= -1;
187 int new_state,state,skip=0;
188
189 ERR_clear_error();
190 ERR_clear_system_error();
191
192 if (s->info_callback != NULL)
193 cb=s->info_callback;
194 else if (s->ctx->info_callback != NULL)
195 cb=s->ctx->info_callback;
196
197 s->in_handshake++;
198 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
199
200#ifndef OPENSSL_NO_HEARTBEATS
201 /* If we're awaiting a HeartbeatResponse, pretend we
202 * already got and don't await it anymore, because
203 * Heartbeats don't make sense during handshakes anyway.
204 */
205 if (s->tlsext_hb_pending)
206 {
207 s->tlsext_hb_pending = 0;
208 s->tlsext_hb_seq++;
209 }
210#endif
211
212 for (;;)
213 {
214 state=s->state;
215
216 switch(s->state)
217 {
218 case SSL_ST_RENEGOTIATE:
219 s->renegotiate=1;
220 s->state=SSL_ST_CONNECT;
221 s->ctx->stats.sess_connect_renegotiate++;
222 /* break */
223 case SSL_ST_BEFORE:
224 case SSL_ST_CONNECT:
225 case SSL_ST_BEFORE|SSL_ST_CONNECT:
226 case SSL_ST_OK|SSL_ST_CONNECT:
227
228 s->server=0;
229 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
230
231 if ((s->version & 0xff00 ) != 0x0300)
232 {
233 OPENSSL_PUT_ERROR(SSL, ssl3_connect, ERR_R_INTERNAL_ERROR);
234 ret = -1;
235 goto end;
236 }
237
238 /* s->version=SSL3_VERSION; */
239 s->type=SSL_ST_CONNECT;
240
241 if (s->init_buf == NULL)
242 {
243 if ((buf=BUF_MEM_new()) == NULL)
244 {
245 ret= -1;
246 goto end;
247 }
248 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
249 {
250 ret= -1;
251 goto end;
252 }
253 s->init_buf=buf;
254 buf=NULL;
255 }
256
257 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
258
259 /* setup buffing BIO */
260 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
261
262 /* don't push the buffering BIO quite yet */
263
264 ssl3_init_finished_mac(s);
265
266 s->state=SSL3_ST_CW_CLNT_HELLO_A;
267 s->ctx->stats.sess_connect++;
268 s->init_num=0;
269 break;
270
271 case SSL3_ST_CW_CLNT_HELLO_A:
272 case SSL3_ST_CW_CLNT_HELLO_B:
273
274 s->shutdown=0;
275 ret=ssl3_client_hello(s);
276 if (ret <= 0) goto end;
277 s->state=SSL3_ST_CR_SRVR_HELLO_A;
278 s->init_num=0;
279
280 /* turn on buffering for the next lot of output */
281 if (s->bbio != s->wbio)
282 s->wbio=BIO_push(s->bbio,s->wbio);
283
284 break;
285
286 case SSL3_ST_CR_SRVR_HELLO_A:
287 case SSL3_ST_CR_SRVR_HELLO_B:
288 ret=ssl3_get_server_hello(s);
289 if (ret <= 0) goto end;
290
291 if (s->hit)
292 {
293 s->state=SSL3_ST_CR_FINISHED_A;
294#ifndef OPENSSL_NO_TLSEXT
295 if (s->tlsext_ticket_expected)
296 {
297 /* receive renewed session ticket */
298 s->state=SSL3_ST_CR_SESSION_TICKET_A;
299 }
300#endif
301 }
302 else
303 {
304#ifndef OPENSSL_NO_TLSEXT
305 /* The server hello indicated that
306 * an audit proof would follow. */
307 if (s->s3->tlsext_authz_server_promised)
308 s->state=SSL3_ST_CR_SUPPLEMENTAL_DATA_A;
309 else
310#endif
311 s->state=SSL3_ST_CR_CERT_A;
312 }
313 s->init_num=0;
314 break;
315#ifndef OPENSSL_NO_TLSEXT
316 case SSL3_ST_CR_SUPPLEMENTAL_DATA_A:
317 case SSL3_ST_CR_SUPPLEMENTAL_DATA_B:
318 ret = tls1_get_server_supplemental_data(s);
319 if (ret <= 0) goto end;
320 s->state=SSL3_ST_CR_CERT_A;
321 s->init_num = 0;
322 break;
323#endif
324 case SSL3_ST_CR_CERT_A:
325 case SSL3_ST_CR_CERT_B:
326#ifndef OPENSSL_NO_TLSEXT
327 ret=ssl3_check_finished(s);
328 if (ret <= 0) goto end;
329 if (ret == 2)
330 {
331 s->hit = 1;
332 if (s->tlsext_ticket_expected)
333 s->state=SSL3_ST_CR_SESSION_TICKET_A;
334 else
335 s->state=SSL3_ST_CR_FINISHED_A;
336 s->init_num=0;
337 break;
338 }
339#endif
340 /* Check if it is anon DH/ECDH */
341 /* or PSK */
342 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
343 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
344 {
345 ret=ssl3_get_server_certificate(s);
346 if (ret <= 0) goto end;
347#ifndef OPENSSL_NO_TLSEXT
348 if (s->tlsext_status_expected)
349 s->state=SSL3_ST_CR_CERT_STATUS_A;
350 else
351 s->state=SSL3_ST_CR_KEY_EXCH_A;
352 }
353 else
354 {
355 skip = 1;
356 s->state=SSL3_ST_CR_KEY_EXCH_A;
357 }
358#else
359 }
360 else
361 skip=1;
362
363 s->state=SSL3_ST_CR_KEY_EXCH_A;
364#endif
365 s->init_num=0;
366 break;
367
368 case SSL3_ST_CR_KEY_EXCH_A:
369 case SSL3_ST_CR_KEY_EXCH_B:
370 ret=ssl3_get_key_exchange(s);
371 if (ret <= 0) goto end;
372 s->state=SSL3_ST_CR_CERT_REQ_A;
373 s->init_num=0;
374
375 /* at this point we check that we have the
376 * required stuff from the server */
377 if (!ssl3_check_cert_and_algorithm(s))
378 {
379 ret= -1;
380 goto end;
381 }
382 break;
383
384 case SSL3_ST_CR_CERT_REQ_A:
385 case SSL3_ST_CR_CERT_REQ_B:
386 ret=ssl3_get_certificate_request(s);
387 if (ret <= 0) goto end;
388 s->state=SSL3_ST_CR_SRVR_DONE_A;
389 s->init_num=0;
390 break;
391
392 case SSL3_ST_CR_SRVR_DONE_A:
393 case SSL3_ST_CR_SRVR_DONE_B:
394 ret=ssl3_get_server_done(s);
395 if (ret <= 0) goto end;
396 if (s->s3->tmp.cert_req)
397 s->state=SSL3_ST_CW_CERT_A;
398 else
399 s->state=SSL3_ST_CW_KEY_EXCH_A;
400 s->init_num=0;
401
402 break;
403
404 case SSL3_ST_CW_CERT_A:
405 case SSL3_ST_CW_CERT_B:
406 case SSL3_ST_CW_CERT_C:
407 case SSL3_ST_CW_CERT_D:
408 ret=ssl3_send_client_certificate(s);
409 if (ret <= 0) goto end;
410 s->state=SSL3_ST_CW_KEY_EXCH_A;
411 s->init_num=0;
412 break;
413
414 case SSL3_ST_CW_KEY_EXCH_A:
415 case SSL3_ST_CW_KEY_EXCH_B:
416 ret=ssl3_send_client_key_exchange(s);
417 if (ret <= 0) goto end;
418 /* EAY EAY EAY need to check for DH fix cert
419 * sent back */
420 /* For TLS, cert_req is set to 2, so a cert chain
421 * of nothing is sent, but no verify packet is sent */
422 /* XXX: For now, we do not support client
423 * authentication in ECDH cipher suites with
424 * ECDH (rather than ECDSA) certificates.
425 * We need to skip the certificate verify
426 * message when client's ECDH public key is sent
427 * inside the client certificate.
428 */
429 if (s->s3->tmp.cert_req == 1)
430 {
431 s->state=SSL3_ST_CW_CERT_VRFY_A;
432 }
433 else
434 {
435 s->state=SSL3_ST_CW_CHANGE_A;
436 s->s3->change_cipher_spec=0;
437 }
438 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
439 {
440 s->state=SSL3_ST_CW_CHANGE_A;
441 s->s3->change_cipher_spec=0;
442 }
443
444 s->init_num=0;
445 break;
446
447 case SSL3_ST_CW_CERT_VRFY_A:
448 case SSL3_ST_CW_CERT_VRFY_B:
449 ret=ssl3_send_client_verify(s);
450 if (ret <= 0) goto end;
451 s->state=SSL3_ST_CW_CHANGE_A;
452 s->init_num=0;
453 s->s3->change_cipher_spec=0;
454 break;
455
456 case SSL3_ST_CW_CHANGE_A:
457 case SSL3_ST_CW_CHANGE_B:
458 ret=ssl3_send_change_cipher_spec(s,
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end;
461
462#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
463 s->state=SSL3_ST_CW_FINISHED_A;
464#else
465 if (s->s3->next_proto_neg_seen)
466 s->state=SSL3_ST_CW_NEXT_PROTO_A;
467 else
468 s->state=SSL3_ST_CW_FINISHED_A;
469#endif
470 s->init_num=0;
471
472 s->session->cipher=s->s3->tmp.new_cipher;
473 s->session->compress_meth=0;
474 if (!s->method->ssl3_enc->setup_key_block(s))
475 {
476 ret= -1;
477 goto end;
478 }
479
480 if (!s->method->ssl3_enc->change_cipher_state(s,
481 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
482 {
483 ret= -1;
484 goto end;
485 }
486
487 break;
488
489#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
490 case SSL3_ST_CW_NEXT_PROTO_A:
491 case SSL3_ST_CW_NEXT_PROTO_B:
492 ret=ssl3_send_next_proto(s);
493 if (ret <= 0) goto end;
494 s->state=SSL3_ST_CW_FINISHED_A;
495 break;
496#endif
497
498 case SSL3_ST_CW_FINISHED_A:
499 case SSL3_ST_CW_FINISHED_B:
500 ret=ssl3_send_finished(s,
501 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
502 s->method->ssl3_enc->client_finished_label,
503 s->method->ssl3_enc->client_finished_label_len);
504 if (ret <= 0) goto end;
505 s->state=SSL3_ST_CW_FLUSH;
506
507 /* clear flags */
508 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
509 if (s->hit)
510 {
511 s->s3->tmp.next_state=SSL_ST_OK;
512 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
513 {
514 s->state=SSL_ST_OK;
515 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
516 s->s3->delay_buf_pop_ret=0;
517 }
518 }
519 else
520 {
521#ifndef OPENSSL_NO_TLSEXT
522 /* Allow NewSessionTicket if ticket expected */
523 if (s->tlsext_ticket_expected)
524 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
525 else
526#endif
527
528 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
529 }
530 s->init_num=0;
531 break;
532
533#ifndef OPENSSL_NO_TLSEXT
534 case SSL3_ST_CR_SESSION_TICKET_A:
535 case SSL3_ST_CR_SESSION_TICKET_B:
536 ret=ssl3_get_new_session_ticket(s);
537 if (ret <= 0) goto end;
538 s->state=SSL3_ST_CR_FINISHED_A;
539 s->init_num=0;
540 break;
541
542 case SSL3_ST_CR_CERT_STATUS_A:
543 case SSL3_ST_CR_CERT_STATUS_B:
544 ret=ssl3_get_cert_status(s);
545 if (ret <= 0) goto end;
546 s->state=SSL3_ST_CR_KEY_EXCH_A;
547 s->init_num=0;
548 break;
549#endif
550
551 case SSL3_ST_CR_FINISHED_A:
552 case SSL3_ST_CR_FINISHED_B:
553
554 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
555 SSL3_ST_CR_FINISHED_B);
556 if (ret <= 0) goto end;
557
558 if (s->hit)
559 s->state=SSL3_ST_CW_CHANGE_A;
560 else
561 s->state=SSL_ST_OK;
562 s->init_num=0;
563 break;
564
565 case SSL3_ST_CW_FLUSH:
566 s->rwstate=SSL_WRITING;
567 if (BIO_flush(s->wbio) <= 0)
568 {
569 ret= -1;
570 goto end;
571 }
572 s->rwstate=SSL_NOTHING;
573 s->state=s->s3->tmp.next_state;
574 break;
575
576 case SSL_ST_OK:
577 /* clean a few things up */
578 ssl3_cleanup_key_block(s);
579
580 if (s->init_buf != NULL)
581 {
582 BUF_MEM_free(s->init_buf);
583 s->init_buf=NULL;
584 }
585
586 /* If we are not 'joining' the last two packets,
587 * remove the buffering now */
588 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
589 ssl_free_wbio_buffer(s);
590 /* else do it later in ssl3_write */
591
592 s->init_num=0;
593 s->renegotiate=0;
594 s->new_session=0;
595
596 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
597 if (s->hit) s->ctx->stats.sess_hit++;
598
599 ret=1;
600 /* s->server=0; */
601 s->handshake_func=ssl3_connect;
602 s->ctx->stats.sess_connect_good++;
603
604 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
605
606 goto end;
607 /* break; */
608
609 default:
610 OPENSSL_PUT_ERROR(SSL, ssl3_connect, SSL_R_UNKNOWN_STATE);
611 ret= -1;
612 goto end;
613 /* break; */
614 }
615
616 /* did we do anything */
617 if (!s->s3->tmp.reuse_message && !skip)
618 {
619 if (s->debug)
620 {
621 if ((ret=BIO_flush(s->wbio)) <= 0)
622 goto end;
623 }
624
625 if ((cb != NULL) && (s->state != state))
626 {
627 new_state=s->state;
628 s->state=state;
629 cb(s,SSL_CB_CONNECT_LOOP,1);
630 s->state=new_state;
631 }
632 }
633 skip=0;
634 }
635end:
636 s->in_handshake--;
637 if (buf != NULL)
638 BUF_MEM_free(buf);
639 if (cb != NULL)
640 cb(s,SSL_CB_CONNECT_EXIT,ret);
641 return(ret);
642 }
643
644
645int ssl3_client_hello(SSL *s)
646 {
647 unsigned char *buf;
648 unsigned char *p,*d;
649 int i;
650 unsigned long l;
651
652 buf=(unsigned char *)s->init_buf->data;
653 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
654 {
655 SSL_SESSION *sess = s->session;
656 if ((sess == NULL) ||
657 (sess->ssl_version != s->version) ||
658#ifdef OPENSSL_NO_TLSEXT
659 !sess->session_id_length ||
660#else
661 (!sess->session_id_length && !sess->tlsext_tick) ||
662#endif
663 (sess->not_resumable))
664 {
665 if (!ssl_get_new_session(s,0))
666 goto err;
667 }
668 if (s->method->version == DTLS_ANY_VERSION)
669 {
670 /* Determine which DTLS version to use */
671 int options = s->options;
672 /* If DTLS 1.2 disabled correct the version number */
673 if (options & SSL_OP_NO_DTLSv1_2)
674 {
675 if (tls1_suiteb(s))
676 {
677 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
678 goto err;
679 }
680 /* Disabling all versions is silly: return an
681 * error.
682 */
683 if (options & SSL_OP_NO_DTLSv1)
684 {
685 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_WRONG_SSL_VERSION);
686 goto err;
687 }
688 /* Update method so we don't use any DTLS 1.2
689 * features.
690 */
691 s->method = DTLSv1_client_method();
692 s->version = DTLS1_VERSION;
693 }
694 else
695 {
696 /* We only support one version: update method */
697 if (options & SSL_OP_NO_DTLSv1)
698 s->method = DTLSv1_2_client_method();
699 s->version = DTLS1_2_VERSION;
700 }
701 s->client_version = s->version;
702 }
703 /* else use the pre-loaded session */
704
705 p=s->s3->client_random;
706
707 /* for DTLS if client_random is initialized, reuse it, we are
708 * required to use same upon reply to HelloVerify */
709 if (SSL_IS_DTLS(s))
710 {
711 size_t idx;
712 i = 1;
713 for (idx=0; idx < sizeof(s->s3->client_random); idx++)
714 {
715 if (p[idx])
716 {
717 i = 0;
718 break;
719 }
720 }
721 }
722 else
723 i = 1;
724
725 if (i)
726 ssl_fill_hello_random(s, 0, p,
727 sizeof(s->s3->client_random));
728
729 /* Do the message type and length last */
730 d=p= ssl_handshake_start(s);
731
732 /* version indicates the negotiated version: for example from
733 * an SSLv2/v3 compatible client hello). The client_version
734 * field is the maximum version we permit and it is also
735 * used in RSA encrypted premaster secrets. Some servers can
736 * choke if we initially report a higher version then
737 * renegotiate to a lower one in the premaster secret. This
738 * didn't happen with TLS 1.0 as most servers supported it
739 * but it can with TLS 1.1 or later if the server only supports
740 * 1.0.
741 *
742 * Possible scenario with previous logic:
743 * 1. Client hello indicates TLS 1.2
744 * 2. Server hello says TLS 1.0
745 * 3. RSA encrypted premaster secret uses 1.2.
746 * 4. Handhaked proceeds using TLS 1.0.
747 * 5. Server sends hello request to renegotiate.
748 * 6. Client hello indicates TLS v1.0 as we now
749 * know that is maximum server supports.
750 * 7. Server chokes on RSA encrypted premaster secret
751 * containing version 1.0.
752 *
753 * For interoperability it should be OK to always use the
754 * maximum version we support in client hello and then rely
755 * on the checking of version to ensure the servers isn't
756 * being inconsistent: for example initially negotiating with
757 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
758 * client_version in client hello and not resetting it to
759 * the negotiated version.
760 */
761#if 0
762 *(p++)=s->version>>8;
763 *(p++)=s->version&0xff;
764 s->client_version=s->version;
765#else
766 *(p++)=s->client_version>>8;
767 *(p++)=s->client_version&0xff;
768#endif
769
770 /* Random stuff */
771 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
772 p+=SSL3_RANDOM_SIZE;
773
774 /* Session ID */
775 if (s->new_session)
776 i=0;
777 else
778 i=s->session->session_id_length;
779 *(p++)=i;
780 if (i != 0)
781 {
782 if (i > (int)sizeof(s->session->session_id))
783 {
784 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
785 goto err;
786 }
787 memcpy(p,s->session->session_id,i);
788 p+=i;
789 }
790
791 /* cookie stuff for DTLS */
792 if (SSL_IS_DTLS(s))
793 {
794 if ( s->d1->cookie_len > sizeof(s->d1->cookie))
795 {
796 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
797 goto err;
798 }
799 *(p++) = s->d1->cookie_len;
800 memcpy(p, s->d1->cookie, s->d1->cookie_len);
801 p += s->d1->cookie_len;
802 }
803
804 /* Ciphers supported */
805 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
806 if (i == 0)
807 {
808 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_NO_CIPHERS_AVAILABLE);
809 goto err;
810 }
811#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
812 /* Some servers hang if client hello > 256 bytes
813 * as hack workaround chop number of supported ciphers
814 * to keep it well below this if we use TLS v1.2
815 */
816 if (TLS1_get_version(s) >= TLS1_2_VERSION
817 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
818 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
819#endif
820 s2n(i,p);
821 p+=i;
822
823 /* COMPRESSION */
824 *(p++)=1;
825 *(p++)=0; /* Add the NULL method */
826
827#ifndef OPENSSL_NO_TLSEXT
828 /* TLS extensions*/
829 if (ssl_prepare_clienthello_tlsext(s) <= 0)
830 {
831 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, SSL_R_CLIENTHELLO_TLSEXT);
832 goto err;
833 }
834 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
835 {
836 OPENSSL_PUT_ERROR(SSL, ssl3_client_hello, ERR_R_INTERNAL_ERROR);
837 goto err;
838 }
839#endif
840
841 l= p-d;
842 ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
843 s->state=SSL3_ST_CW_CLNT_HELLO_B;
844 }
845
846 /* SSL3_ST_CW_CLNT_HELLO_B */
847 return ssl_do_write(s);
848err:
849 return(-1);
850 }
851
852int ssl3_get_server_hello(SSL *s)
853 {
854 STACK_OF(SSL_CIPHER) *sk;
855 const SSL_CIPHER *c;
856 CERT *ct = s->cert;
857 unsigned char *p,*d;
858 int al=SSL_AD_INTERNAL_ERROR,ok;
859 unsigned int j;
860 long n;
861 /* Hello verify request and/or server hello version may not
862 * match so set first packet if we're negotiating version.
863 */
864 if (SSL_IS_DTLS(s))
865 s->first_packet = 1;
866
867 n=s->method->ssl_get_message(s,
868 SSL3_ST_CR_SRVR_HELLO_A,
869 SSL3_ST_CR_SRVR_HELLO_B,
870 -1,
871 20000, /* ?? */
872 &ok);
873
874 if (!ok) return((int)n);
875
876 if (SSL_IS_DTLS(s))
877 {
878 s->first_packet = 0;
879 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
880 {
881 if ( s->d1->send_cookie == 0)
882 {
883 s->s3->tmp.reuse_message = 1;
884 return 1;
885 }
886 else /* already sent a cookie */
887 {
888 al=SSL_AD_UNEXPECTED_MESSAGE;
889 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_MESSAGE_TYPE);
890 goto f_err;
891 }
892 }
893 }
894
895 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
896 {
897 al=SSL_AD_UNEXPECTED_MESSAGE;
898 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_MESSAGE_TYPE);
899 goto f_err;
900 }
901
902 d=p=(unsigned char *)s->init_msg;
903 if (s->method->version == DTLS_ANY_VERSION)
904 {
905 /* Work out correct protocol version to use */
906 int hversion = (p[0] << 8)|p[1];
907 int options = s->options;
908 if (hversion == DTLS1_2_VERSION
909 && !(options & SSL_OP_NO_DTLSv1_2))
910 s->method = DTLSv1_2_client_method();
911 else if (tls1_suiteb(s))
912 {
913 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
914 s->version = hversion;
915 al = SSL_AD_PROTOCOL_VERSION;
916 goto f_err;
917 }
918 else if (hversion == DTLS1_VERSION
919 && !(options & SSL_OP_NO_DTLSv1))
920 s->method = DTLSv1_client_method();
921 else
922 {
923 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
924 s->version = hversion;
925 al = SSL_AD_PROTOCOL_VERSION;
926 goto f_err;
927 }
928 s->version = s->client_version = s->method->version;
929 }
930
931 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
932 {
933 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_SSL_VERSION);
934 s->version=(s->version&0xff00)|p[1];
935 al=SSL_AD_PROTOCOL_VERSION;
936 goto f_err;
937 }
938 p+=2;
939
940 /* load the server hello data */
941 /* load the server random */
942 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
943 p+=SSL3_RANDOM_SIZE;
944
945 /* get the session-id */
946 j= *(p++);
947
948 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
949 {
950 al=SSL_AD_ILLEGAL_PARAMETER;
951 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_SSL3_SESSION_ID_TOO_LONG);
952 goto f_err;
953 }
954
955#ifndef OPENSSL_NO_TLSEXT
956 /* check if we want to resume the session based on external pre-shared secret */
957 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
958 {
959 SSL_CIPHER *pref_cipher=NULL;
960 s->session->master_key_length=sizeof(s->session->master_key);
961 if (s->tls_session_secret_cb(s, s->session->master_key,
962 &s->session->master_key_length,
963 NULL, &pref_cipher,
964 s->tls_session_secret_cb_arg))
965 {
966 s->session->cipher = pref_cipher ?
967 pref_cipher : ssl_get_cipher_by_char(s, p+j);
968 }
969 }
970#endif /* OPENSSL_NO_TLSEXT */
971
972 if (j != 0 && j == s->session->session_id_length
973 && memcmp(p,s->session->session_id,j) == 0)
974 {
975 if(s->sid_ctx_length != s->session->sid_ctx_length
976 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
977 {
978 /* actually a client application bug */
979 al=SSL_AD_ILLEGAL_PARAMETER;
980 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
981 goto f_err;
982 }
983 s->hit=1;
984 }
985 else /* a miss or crap from the other end */
986 {
987 /* If we were trying for session-id reuse, make a new
988 * SSL_SESSION so we don't stuff up other people */
989 s->hit=0;
990 if (s->session->session_id_length > 0)
991 {
992 if (!ssl_get_new_session(s,0))
993 {
994 goto f_err;
995 }
996 }
997 s->session->session_id_length=j;
998 memcpy(s->session->session_id,p,j); /* j could be 0 */
999 }
1000 p+=j;
1001 c=ssl_get_cipher_by_char(s,p);
1002 if (c == NULL)
1003 {
1004 /* unknown cipher */
1005 al=SSL_AD_ILLEGAL_PARAMETER;
1006 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNKNOWN_CIPHER_RETURNED);
1007 goto f_err;
1008 }
1009 /* If it is a disabled cipher we didn't send it in client hello,
1010 * so return an error.
1011 */
1012 if (c->algorithm_ssl & ct->mask_ssl ||
1013 c->algorithm_mkey & ct->mask_k ||
1014 c->algorithm_auth & ct->mask_a)
1015 {
1016 al=SSL_AD_ILLEGAL_PARAMETER;
1017 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
1018 goto f_err;
1019 }
1020 p+=ssl_put_cipher_by_char(s,NULL,NULL);
1021
1022 sk=ssl_get_ciphers_by_id(s);
1023 if (!sk_SSL_CIPHER_find(sk, NULL, c))
1024 {
1025 /* we did not say we would use this cipher */
1026 al=SSL_AD_ILLEGAL_PARAMETER;
1027 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_WRONG_CIPHER_RETURNED);
1028 goto f_err;
1029 }
1030
1031 /* Depending on the session caching (internal/external), the cipher
1032 and/or cipher_id values may not be set. Make sure that
1033 cipher_id is set and use it for comparison. */
1034 if (s->session->cipher)
1035 s->session->cipher_id = s->session->cipher->id;
1036 if (s->hit && (s->session->cipher_id != c->id))
1037 {
1038/* Workaround is now obsolete */
1039#if 0
1040 if (!(s->options &
1041 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
1042#endif
1043 {
1044 al=SSL_AD_ILLEGAL_PARAMETER;
1045 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1046 goto f_err;
1047 }
1048 }
1049 s->s3->tmp.new_cipher=c;
1050 /* Don't digest cached records if no sigalgs: we may need them for
1051 * client authentication.
1052 */
1053 if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s))
1054 goto f_err;
1055 /* lets get the compression algorithm */
1056 /* COMPRESSION */
1057 if (*(p++) != 0)
1058 {
1059 al=SSL_AD_ILLEGAL_PARAMETER;
1060 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1061 goto f_err;
1062 }
1063 /* If compression is disabled we'd better not try to resume a session
1064 * using compression.
1065 */
1066 if (s->session->compress_meth != 0)
1067 {
1068 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_INCONSISTENT_COMPRESSION);
1069 goto f_err;
1070 }
1071
1072#ifndef OPENSSL_NO_TLSEXT
1073 /* TLS extensions*/
1074 if (!ssl_parse_serverhello_tlsext(s,&p,d,n))
1075 {
1076 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_PARSE_TLSEXT);
1077 goto err;
1078 }
1079#endif
1080
1081 if (p != (d+n))
1082 {
1083 /* wrong packet length */
1084 al=SSL_AD_DECODE_ERROR;
1085 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello, SSL_R_BAD_PACKET_LENGTH);
1086 goto f_err;
1087 }
1088
1089 return(1);
1090f_err:
1091 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1092err:
1093 return(-1);
1094 }
1095
1096int ssl3_get_server_certificate(SSL *s)
1097 {
1098 int al,i,ok,ret= -1;
1099 unsigned long n,nc,llen,l;
1100 X509 *x=NULL;
1101 const unsigned char *q,*p;
1102 unsigned char *d;
1103 STACK_OF(X509) *sk=NULL;
1104 SESS_CERT *sc;
1105 EVP_PKEY *pkey=NULL;
1106 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
1107
1108 n=s->method->ssl_get_message(s,
1109 SSL3_ST_CR_CERT_A,
1110 SSL3_ST_CR_CERT_B,
1111 -1,
1112 s->max_cert_list,
1113 &ok);
1114
1115 if (!ok) return((int)n);
1116
1117 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1118 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1119 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
1120 {
1121 s->s3->tmp.reuse_message=1;
1122 return(1);
1123 }
1124
1125 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1126 {
1127 al=SSL_AD_UNEXPECTED_MESSAGE;
1128 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_BAD_MESSAGE_TYPE);
1129 goto f_err;
1130 }
1131 p=d=(unsigned char *)s->init_msg;
1132
1133 if ((sk=sk_X509_new_null()) == NULL)
1134 {
1135 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1136 goto err;
1137 }
1138
1139 n2l3(p,llen);
1140 if (llen+3 != n)
1141 {
1142 al=SSL_AD_DECODE_ERROR;
1143 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_LENGTH_MISMATCH);
1144 goto f_err;
1145 }
1146 for (nc=0; nc<llen; )
1147 {
1148 n2l3(p,l);
1149 if ((l+nc+3) > llen)
1150 {
1151 al=SSL_AD_DECODE_ERROR;
1152 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1153 goto f_err;
1154 }
1155
1156 q=p;
1157 x=d2i_X509(NULL,&q,l);
1158 if (x == NULL)
1159 {
1160 al=SSL_AD_BAD_CERTIFICATE;
1161 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_ASN1_LIB);
1162 goto f_err;
1163 }
1164 if (q != (p+l))
1165 {
1166 al=SSL_AD_DECODE_ERROR;
1167 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERT_LENGTH_MISMATCH);
1168 goto f_err;
1169 }
1170 if (!sk_X509_push(sk,x))
1171 {
1172 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_MALLOC_FAILURE);
1173 goto err;
1174 }
1175 x=NULL;
1176 nc+=l+3;
1177 p=q;
1178 }
1179
1180 i=ssl_verify_cert_chain(s,sk);
1181 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1182 )
1183 {
1184 al=ssl_verify_alarm_type(s->verify_result);
1185 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_CERTIFICATE_VERIFY_FAILED);
1186 goto f_err;
1187 }
1188 ERR_clear_error(); /* but we keep s->verify_result */
1189
1190 sc=ssl_sess_cert_new();
1191 if (sc == NULL) goto err;
1192
1193 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1194 s->session->sess_cert=sc;
1195
1196 sc->cert_chain=sk;
1197 /* Inconsistency alert: cert_chain does include the peer's
1198 * certificate, which we don't include in s3_srvr.c */
1199 x=sk_X509_value(sk,0);
1200 sk=NULL;
1201 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1202
1203 pkey=X509_get_pubkey(x);
1204
1205 /* VRS: allow null cert if auth == KRB5 */
1206 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1207 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1208 ? 0 : 1;
1209
1210#ifdef KSSL_DEBUG
1211 printf("pkey,x = %p, %p\n", pkey,x);
1212 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1213 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1214 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1215#endif /* KSSL_DEBUG */
1216
1217 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1218 {
1219 x=NULL;
1220 al=SSL3_AL_FATAL;
1221 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1222 goto f_err;
1223 }
1224
1225 i=ssl_cert_type(x,pkey);
1226 if (need_cert && i < 0)
1227 {
1228 x=NULL;
1229 al=SSL3_AL_FATAL;
1230 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1231 goto f_err;
1232 }
1233
1234 if (need_cert)
1235 {
1236 int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1237 if (exp_idx >= 0 && i != exp_idx)
1238 {
1239 x=NULL;
1240 al=SSL_AD_ILLEGAL_PARAMETER;
1241 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
1242 goto f_err;
1243 }
1244 sc->peer_cert_type=i;
1245 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1246 /* Why would the following ever happen?
1247 * We just created sc a couple of lines ago. */
1248 if (sc->peer_pkeys[i].x509 != NULL)
1249 X509_free(sc->peer_pkeys[i].x509);
1250 sc->peer_pkeys[i].x509=x;
1251 sc->peer_key= &(sc->peer_pkeys[i]);
1252
1253 if (s->session->peer != NULL)
1254 X509_free(s->session->peer);
1255 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1256 s->session->peer=x;
1257 }
1258 else
1259 {
1260 sc->peer_cert_type=i;
1261 sc->peer_key= NULL;
1262
1263 if (s->session->peer != NULL)
1264 X509_free(s->session->peer);
1265 s->session->peer=NULL;
1266 }
1267 s->session->verify_result = s->verify_result;
1268
1269 x=NULL;
1270#ifndef OPENSSL_NO_TLSEXT
1271 /* Check the audit proof. */
1272 if (s->ctx->tlsext_authz_server_audit_proof_cb)
1273 {
1274 ret = s->ctx->tlsext_authz_server_audit_proof_cb(s,
1275 s->ctx->tlsext_authz_server_audit_proof_cb_arg);
1276 if (ret <= 0)
1277 {
1278 al = SSL_AD_BAD_CERTIFICATE;
1279 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_INVALID_AUDIT_PROOF);
1280 goto f_err;
1281 }
1282 }
1283
1284#endif
1285 ret=1;
1286 if (0)
1287 {
1288f_err:
1289 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1290 }
1291err:
1292 EVP_PKEY_free(pkey);
1293 X509_free(x);
1294 sk_X509_pop_free(sk,X509_free);
1295 return(ret);
1296 }
1297
1298int ssl3_get_key_exchange(SSL *s)
1299 {
1300#ifndef OPENSSL_NO_RSA
1301 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1302#endif
1303 EVP_MD_CTX md_ctx;
1304 unsigned char *param,*p;
1305 int al,i,j,param_len,ok;
1306 long n,alg_k,alg_a;
1307 EVP_PKEY *pkey=NULL;
1308 const EVP_MD *md = NULL;
1309#ifndef OPENSSL_NO_RSA
1310 RSA *rsa=NULL;
1311#endif
1312#ifndef OPENSSL_NO_DH
1313 DH *dh=NULL;
1314#endif
1315#ifndef OPENSSL_NO_ECDH
1316 EC_KEY *ecdh = NULL;
1317 BN_CTX *bn_ctx = NULL;
1318 EC_POINT *srvr_ecpoint = NULL;
1319 int curve_nid = 0;
1320 int encoded_pt_len = 0;
1321#endif
1322
1323 /* use same message size as in ssl3_get_certificate_request()
1324 * as ServerKeyExchange message may be skipped */
1325 n=s->method->ssl_get_message(s,
1326 SSL3_ST_CR_KEY_EXCH_A,
1327 SSL3_ST_CR_KEY_EXCH_B,
1328 -1,
1329 s->max_cert_list,
1330 &ok);
1331 if (!ok) return((int)n);
1332
1333 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1334 {
1335#ifndef OPENSSL_NO_PSK
1336 /* In plain PSK ciphersuite, ServerKeyExchange can be
1337 omitted if no identity hint is sent. Set
1338 session->sess_cert anyway to avoid problems
1339 later.*/
1340 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
1341 {
1342 s->session->sess_cert=ssl_sess_cert_new();
1343 if (s->ctx->psk_identity_hint)
1344 OPENSSL_free(s->ctx->psk_identity_hint);
1345 s->ctx->psk_identity_hint = NULL;
1346 }
1347#endif
1348 s->s3->tmp.reuse_message=1;
1349 return(1);
1350 }
1351
1352 param=p=(unsigned char *)s->init_msg;
1353 if (s->session->sess_cert != NULL)
1354 {
1355#ifndef OPENSSL_NO_RSA
1356 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1357 {
1358 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1359 s->session->sess_cert->peer_rsa_tmp=NULL;
1360 }
1361#endif
1362#ifndef OPENSSL_NO_DH
1363 if (s->session->sess_cert->peer_dh_tmp)
1364 {
1365 DH_free(s->session->sess_cert->peer_dh_tmp);
1366 s->session->sess_cert->peer_dh_tmp=NULL;
1367 }
1368#endif
1369#ifndef OPENSSL_NO_ECDH
1370 if (s->session->sess_cert->peer_ecdh_tmp)
1371 {
1372 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1373 s->session->sess_cert->peer_ecdh_tmp=NULL;
1374 }
1375#endif
1376 }
1377 else
1378 {
1379 s->session->sess_cert=ssl_sess_cert_new();
1380 }
1381
1382 param_len=0;
1383 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1384 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1385 EVP_MD_CTX_init(&md_ctx);
1386
1387#ifndef OPENSSL_NO_PSK
1388 if (alg_k & SSL_kPSK)
1389 {
1390 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1391
1392 al=SSL_AD_HANDSHAKE_FAILURE;
1393 n2s(p,i);
1394 param_len=i+2;
1395 /* Store PSK identity hint for later use, hint is used
1396 * in ssl3_send_client_key_exchange. Assume that the
1397 * maximum length of a PSK identity hint can be as
1398 * long as the maximum length of a PSK identity. */
1399 if (i > PSK_MAX_IDENTITY_LEN)
1400 {
1401 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_DATA_LENGTH_TOO_LONG);
1402 goto f_err;
1403 }
1404 if (param_len > n)
1405 {
1406 al=SSL_AD_DECODE_ERROR;
1407 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1408 goto f_err;
1409 }
1410 /* If received PSK identity hint contains NULL
1411 * characters, the hint is truncated from the first
1412 * NULL. p may not be ending with NULL, so create a
1413 * NULL-terminated string. */
1414 memcpy(tmp_id_hint, p, i);
1415 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
1416 if (s->ctx->psk_identity_hint != NULL)
1417 OPENSSL_free(s->ctx->psk_identity_hint);
1418 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1419 if (s->ctx->psk_identity_hint == NULL)
1420 {
1421 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1422 goto f_err;
1423 }
1424
1425 p+=i;
1426 n-=param_len;
1427 }
1428 else
1429#endif /* !OPENSSL_NO_PSK */
1430#ifndef OPENSSL_NO_RSA
1431 if (alg_k & SSL_kRSA)
1432 {
1433 if ((rsa=RSA_new()) == NULL)
1434 {
1435 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1436 goto err;
1437 }
1438 n2s(p,i);
1439 param_len=i+2;
1440 if (param_len > n)
1441 {
1442 al=SSL_AD_DECODE_ERROR;
1443 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_RSA_MODULUS_LENGTH);
1444 goto f_err;
1445 }
1446 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1447 {
1448 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1449 goto err;
1450 }
1451 p+=i;
1452
1453 n2s(p,i);
1454 param_len+=i+2;
1455 if (param_len > n)
1456 {
1457 al=SSL_AD_DECODE_ERROR;
1458 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_RSA_E_LENGTH);
1459 goto f_err;
1460 }
1461 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1462 {
1463 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1464 goto err;
1465 }
1466 p+=i;
1467 n-=param_len;
1468
1469 /* this should be because we are using an export cipher */
1470 if (alg_a & SSL_aRSA)
1471 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1472 else
1473 {
1474 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_INTERNAL_ERROR);
1475 goto err;
1476 }
1477 s->session->sess_cert->peer_rsa_tmp=rsa;
1478 rsa=NULL;
1479 }
1480#else /* OPENSSL_NO_RSA */
1481 if (0)
1482 ;
1483#endif
1484#ifndef OPENSSL_NO_DH
1485 else if (alg_k & SSL_kEDH)
1486 {
1487 if ((dh=DH_new()) == NULL)
1488 {
1489 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_DH_LIB);
1490 goto err;
1491 }
1492 n2s(p,i);
1493 param_len=i+2;
1494 if (param_len > n)
1495 {
1496 al=SSL_AD_DECODE_ERROR;
1497 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_DH_P_LENGTH);
1498 goto f_err;
1499 }
1500 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1501 {
1502 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1503 goto err;
1504 }
1505 p+=i;
1506
1507 n2s(p,i);
1508 param_len+=i+2;
1509 if (param_len > n)
1510 {
1511 al=SSL_AD_DECODE_ERROR;
1512 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_DH_G_LENGTH);
1513 goto f_err;
1514 }
1515 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1516 {
1517 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1518 goto err;
1519 }
1520 p+=i;
1521
1522 n2s(p,i);
1523 param_len+=i+2;
1524 if (param_len > n)
1525 {
1526 al=SSL_AD_DECODE_ERROR;
1527 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1528 goto f_err;
1529 }
1530 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1531 {
1532 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_BN_LIB);
1533 goto err;
1534 }
1535 p+=i;
1536 n-=param_len;
1537
1538#ifndef OPENSSL_NO_RSA
1539 if (alg_a & SSL_aRSA)
1540 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1541#else
1542 if (0)
1543 ;
1544#endif
1545#ifndef OPENSSL_NO_DSA
1546 else if (alg_a & SSL_aDSS)
1547 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1548#endif
1549 /* else anonymous DH, so no certificate or pkey. */
1550
1551 s->session->sess_cert->peer_dh_tmp=dh;
1552 dh=NULL;
1553 }
1554 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
1555 {
1556 al=SSL_AD_ILLEGAL_PARAMETER;
1557 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1558 goto f_err;
1559 }
1560#endif /* !OPENSSL_NO_DH */
1561
1562#ifndef OPENSSL_NO_ECDH
1563 else if (alg_k & SSL_kEECDH)
1564 {
1565 EC_GROUP *ngroup;
1566 const EC_GROUP *group;
1567
1568 if ((ecdh=EC_KEY_new()) == NULL)
1569 {
1570 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1571 goto err;
1572 }
1573
1574 /* Extract elliptic curve parameters and the
1575 * server's ephemeral ECDH public key.
1576 * Keep accumulating lengths of various components in
1577 * param_len and make sure it never exceeds n.
1578 */
1579
1580 /* XXX: For now we only support named (not generic) curves
1581 * and the ECParameters in this case is just three bytes.
1582 */
1583 param_len=3;
1584 /* Check curve is one of our prefrences, if not server has
1585 * sent an invalid curve.
1586 */
1587 if (!tls1_check_curve(s, p, param_len))
1588 {
1589 al=SSL_AD_DECODE_ERROR;
1590 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_WRONG_CURVE);
1591 goto f_err;
1592 }
1593
1594 if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)
1595 {
1596 al=SSL_AD_INTERNAL_ERROR;
1597 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1598 goto f_err;
1599 }
1600
1601 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1602 if (ngroup == NULL)
1603 {
1604 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_EC_LIB);
1605 goto err;
1606 }
1607 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1608 {
1609 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_EC_LIB);
1610 goto err;
1611 }
1612 EC_GROUP_free(ngroup);
1613
1614 group = EC_KEY_get0_group(ecdh);
1615
1616 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1617 (EC_GROUP_get_degree(group) > 163))
1618 {
1619 al=SSL_AD_EXPORT_RESTRICTION;
1620 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1621 goto f_err;
1622 }
1623
1624 p+=3;
1625
1626 /* Next, get the encoded ECPoint */
1627 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1628 ((bn_ctx = BN_CTX_new()) == NULL))
1629 {
1630 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_MALLOC_FAILURE);
1631 goto err;
1632 }
1633
1634 encoded_pt_len = *p; /* length of encoded point */
1635 p+=1;
1636 param_len += (1 + encoded_pt_len);
1637 if ((param_len > n) ||
1638 (EC_POINT_oct2point(group, srvr_ecpoint,
1639 p, encoded_pt_len, bn_ctx) == 0))
1640 {
1641 al=SSL_AD_DECODE_ERROR;
1642 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_ECPOINT);
1643 goto f_err;
1644 }
1645
1646 n-=param_len;
1647 p+=encoded_pt_len;
1648
1649 /* The ECC/TLS specification does not mention
1650 * the use of DSA to sign ECParameters in the server
1651 * key exchange message. We do support RSA and ECDSA.
1652 */
1653 if (0) ;
1654#ifndef OPENSSL_NO_RSA
1655 else if (alg_a & SSL_aRSA)
1656 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1657#endif
1658#ifndef OPENSSL_NO_ECDSA
1659 else if (alg_a & SSL_aECDSA)
1660 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1661#endif
1662 /* else anonymous ECDH, so no certificate or pkey. */
1663 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1664 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1665 ecdh=NULL;
1666 BN_CTX_free(bn_ctx);
1667 bn_ctx = NULL;
1668 EC_POINT_free(srvr_ecpoint);
1669 srvr_ecpoint = NULL;
1670 }
1671 else if (alg_k)
1672 {
1673 al=SSL_AD_UNEXPECTED_MESSAGE;
1674 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
1675 goto f_err;
1676 }
1677#endif /* !OPENSSL_NO_ECDH */
1678
1679
1680 /* p points to the next byte, there are 'n' bytes left */
1681
1682 /* if it was signed, check the signature */
1683 if (pkey != NULL)
1684 {
1685 if (SSL_USE_SIGALGS(s))
1686 {
1687 int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
1688 if (rv == -1)
1689 goto err;
1690 else if (rv == 0)
1691 {
1692 al = SSL_AD_DECODE_ERROR;
1693 goto f_err;
1694 }
1695#ifdef SSL_DEBUG
1696fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1697#endif
1698 p += 2;
1699 n -= 2;
1700 }
1701 else
1702 md = EVP_sha1();
1703
1704 n2s(p,i);
1705 n-=2;
1706 j=EVP_PKEY_size(pkey);
1707
1708 if ((i != n) || (n > j) || (n <= 0))
1709 {
1710 /* wrong packet length */
1711 al=SSL_AD_DECODE_ERROR;
1712 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_WRONG_SIGNATURE_LENGTH);
1713 goto f_err;
1714 }
1715
1716#ifndef OPENSSL_NO_RSA
1717 if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s))
1718 {
1719 int num;
1720
1721 j=0;
1722 q=md_buf;
1723 for (num=2; num > 0; num--)
1724 {
1725 EVP_DigestInit_ex(&md_ctx,(num == 2)
1726 ?s->ctx->md5:s->ctx->sha1, NULL);
1727 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1728 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1729 EVP_DigestUpdate(&md_ctx,param,param_len);
1730 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1731 q+=i;
1732 j+=i;
1733 }
1734 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1735 pkey->pkey.rsa);
1736 if (i < 0)
1737 {
1738 al=SSL_AD_DECRYPT_ERROR;
1739 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_RSA_DECRYPT);
1740 goto f_err;
1741 }
1742 if (i == 0)
1743 {
1744 /* bad signature */
1745 al=SSL_AD_DECRYPT_ERROR;
1746 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_SIGNATURE);
1747 goto f_err;
1748 }
1749 }
1750 else
1751#endif
1752 {
1753 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1754 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1755 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1756 EVP_VerifyUpdate(&md_ctx,param,param_len);
1757 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1758 {
1759 /* bad signature */
1760 al=SSL_AD_DECRYPT_ERROR;
1761 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_BAD_SIGNATURE);
1762 goto f_err;
1763 }
1764 }
1765 }
1766 else
1767 {
1768 /* aNULL or kPSK do not need public keys */
1769 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
1770 {
1771 /* Might be wrong key type, check it */
1772 if (ssl3_check_cert_and_algorithm(s))
1773 /* Otherwise this shouldn't happen */
1774 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, ERR_R_INTERNAL_ERROR);
1775 goto err;
1776 }
1777 /* still data left over */
1778 if (n != 0)
1779 {
1780 al=SSL_AD_DECODE_ERROR;
1781 OPENSSL_PUT_ERROR(SSL, ssl3_get_key_exchange, SSL_R_EXTRA_DATA_IN_MESSAGE);
1782 goto f_err;
1783 }
1784 }
1785 EVP_PKEY_free(pkey);
1786 EVP_MD_CTX_cleanup(&md_ctx);
1787 return(1);
1788f_err:
1789 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1790err:
1791 EVP_PKEY_free(pkey);
1792#ifndef OPENSSL_NO_RSA
1793 if (rsa != NULL)
1794 RSA_free(rsa);
1795#endif
1796#ifndef OPENSSL_NO_DH
1797 if (dh != NULL)
1798 DH_free(dh);
1799#endif
1800#ifndef OPENSSL_NO_ECDH
1801 BN_CTX_free(bn_ctx);
1802 EC_POINT_free(srvr_ecpoint);
1803 if (ecdh != NULL)
1804 EC_KEY_free(ecdh);
1805#endif
1806 EVP_MD_CTX_cleanup(&md_ctx);
1807 return(-1);
1808 }
1809
1810static int ca_dn_cmp(const X509_NAME **a, const X509_NAME **b)
1811 {
1812 return(X509_NAME_cmp(*a,*b));
1813 }
1814
1815int ssl3_get_certificate_request(SSL *s)
1816 {
1817 int ok,ret=0;
1818 unsigned long n,nc,l;
1819 unsigned int llen, ctype_num,i;
1820 X509_NAME *xn=NULL;
1821 const unsigned char *p,*q;
1822 unsigned char *d;
1823 STACK_OF(X509_NAME) *ca_sk=NULL;
1824
1825 n=s->method->ssl_get_message(s,
1826 SSL3_ST_CR_CERT_REQ_A,
1827 SSL3_ST_CR_CERT_REQ_B,
1828 -1,
1829 s->max_cert_list,
1830 &ok);
1831
1832 if (!ok) return((int)n);
1833
1834 s->s3->tmp.cert_req=0;
1835
1836 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1837 {
1838 s->s3->tmp.reuse_message=1;
1839 /* If we get here we don't need any cached handshake records
1840 * as we wont be doing client auth.
1841 */
1842 if (s->s3->handshake_buffer)
1843 {
1844 if (!ssl3_digest_cached_records(s))
1845 goto err;
1846 }
1847 return(1);
1848 }
1849
1850 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1851 {
1852 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1853 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_WRONG_MESSAGE_TYPE);
1854 goto err;
1855 }
1856
1857 /* TLS does not like anon-DH with client cert */
1858 if (s->version > SSL3_VERSION)
1859 {
1860 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1861 {
1862 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1863 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1864 goto err;
1865 }
1866 }
1867
1868 p=d=(unsigned char *)s->init_msg;
1869
1870 ca_sk = sk_X509_NAME_new(ca_dn_cmp);
1871 if (ca_sk == NULL)
1872 {
1873 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1874 goto err;
1875 }
1876
1877 /* get the certificate types */
1878 ctype_num= *(p++);
1879 if (s->cert->ctypes)
1880 {
1881 OPENSSL_free(s->cert->ctypes);
1882 s->cert->ctypes = NULL;
1883 }
1884 if (ctype_num > SSL3_CT_NUMBER)
1885 {
1886 /* If we exceed static buffer copy all to cert structure */
1887 s->cert->ctypes = OPENSSL_malloc(ctype_num);
1888 memcpy(s->cert->ctypes, p, ctype_num);
1889 s->cert->ctype_num = (size_t)ctype_num;
1890 ctype_num=SSL3_CT_NUMBER;
1891 }
1892 for (i=0; i<ctype_num; i++)
1893 s->s3->tmp.ctype[i]= p[i];
1894 p+=p[-1];
1895 if (SSL_USE_SIGALGS(s))
1896 {
1897 n2s(p, llen);
1898 /* Check we have enough room for signature algorithms and
1899 * following length value.
1900 */
1901 if ((unsigned long)(p - d + llen + 2) > n)
1902 {
1903 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1904 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_DATA_LENGTH_TOO_LONG);
1905 goto err;
1906 }
1907 /* Clear certificate digests and validity flags */
1908 for (i = 0; i < SSL_PKEY_NUM; i++)
1909 {
1910 s->cert->pkeys[i].digest = NULL;
1911 s->cert->pkeys[i].valid_flags = 0;
1912 }
1913 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen))
1914 {
1915 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1916 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1917 goto err;
1918 }
1919 p += llen;
1920 }
1921
1922 /* get the CA RDNs */
1923 n2s(p,llen);
1924#if 0
1925{
1926FILE *out;
1927out=fopen("/tmp/vsign.der","w");
1928fwrite(p,1,llen,out);
1929fclose(out);
1930}
1931#endif
1932
1933 if ((unsigned long)(p - d + llen) != n)
1934 {
1935 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1936 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_LENGTH_MISMATCH);
1937 goto err;
1938 }
1939
1940 for (nc=0; nc<llen; )
1941 {
1942 n2s(p,l);
1943 if ((l+nc+2) > llen)
1944 {
1945 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1946 goto cont; /* netscape bugs */
1947 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1948 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_TOO_LONG);
1949 goto err;
1950 }
1951
1952 q=p;
1953
1954 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1955 {
1956 /* If netscape tolerance is on, ignore errors */
1957 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1958 goto cont;
1959 else
1960 {
1961 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1962 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_ASN1_LIB);
1963 goto err;
1964 }
1965 }
1966
1967 if (q != (p+l))
1968 {
1969 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1970 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, SSL_R_CA_DN_LENGTH_MISMATCH);
1971 goto err;
1972 }
1973 if (!sk_X509_NAME_push(ca_sk,xn))
1974 {
1975 OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_MALLOC_FAILURE);
1976 goto err;
1977 }
1978
1979 p+=l;
1980 nc+=l+2;
1981 }
1982
1983 if (0)
1984 {
1985cont:
1986 ERR_clear_error();
1987 }
1988
1989 /* we should setup a certificate to return.... */
1990 s->s3->tmp.cert_req=1;
1991 s->s3->tmp.ctype_num=ctype_num;
1992 if (s->s3->tmp.ca_names != NULL)
1993 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1994 s->s3->tmp.ca_names=ca_sk;
1995 ca_sk=NULL;
1996
1997 ret=1;
1998err:
1999 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
2000 return(ret);
2001 }
2002
2003#ifndef OPENSSL_NO_TLSEXT
2004int ssl3_get_new_session_ticket(SSL *s)
2005 {
2006 int ok,al,ret=0, ticklen;
2007 long n;
2008 const unsigned char *p;
2009 unsigned char *d;
2010
2011 n=s->method->ssl_get_message(s,
2012 SSL3_ST_CR_SESSION_TICKET_A,
2013 SSL3_ST_CR_SESSION_TICKET_B,
2014 -1,
2015 16384,
2016 &ok);
2017
2018 if (!ok)
2019 return((int)n);
2020
2021 if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
2022 {
2023 s->s3->tmp.reuse_message=1;
2024 return(1);
2025 }
2026 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
2027 {
2028 al=SSL_AD_UNEXPECTED_MESSAGE;
2029 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_BAD_MESSAGE_TYPE);
2030 goto f_err;
2031 }
2032 if (n < 6)
2033 {
2034 /* need at least ticket_lifetime_hint + ticket length */
2035 al = SSL_AD_DECODE_ERROR;
2036 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_LENGTH_MISMATCH);
2037 goto f_err;
2038 }
2039
2040 p=d=(unsigned char *)s->init_msg;
2041 n2l(p, s->session->tlsext_tick_lifetime_hint);
2042 n2s(p, ticklen);
2043 /* ticket_lifetime_hint + ticket_length + ticket */
2044 if (ticklen + 6 != n)
2045 {
2046 al = SSL_AD_DECODE_ERROR;
2047 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, SSL_R_LENGTH_MISMATCH);
2048 goto f_err;
2049 }
2050 if (s->session->tlsext_tick)
2051 {
2052 OPENSSL_free(s->session->tlsext_tick);
2053 s->session->tlsext_ticklen = 0;
2054 }
2055 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2056 if (!s->session->tlsext_tick)
2057 {
2058 OPENSSL_PUT_ERROR(SSL, ssl3_get_new_session_ticket, ERR_R_MALLOC_FAILURE);
2059 goto err;
2060 }
2061 memcpy(s->session->tlsext_tick, p, ticklen);
2062 s->session->tlsext_ticklen = ticklen;
2063 /* There are two ways to detect a resumed ticket sesion.
2064 * One is to set an appropriate session ID and then the server
2065 * must return a match in ServerHello. This allows the normal
2066 * client session ID matching to work and we know much
2067 * earlier that the ticket has been accepted.
2068 *
2069 * The other way is to set zero length session ID when the
2070 * ticket is presented and rely on the handshake to determine
2071 * session resumption.
2072 *
2073 * We choose the former approach because this fits in with
2074 * assumptions elsewhere in OpenSSL. The session ID is set
2075 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
2076 * ticket.
2077 */
2078 EVP_Digest(p, ticklen,
2079 s->session->session_id, &s->session->session_id_length,
2080#ifndef OPENSSL_NO_SHA256
2081 EVP_sha256(), NULL);
2082#else
2083 EVP_sha1(), NULL);
2084#endif
2085 ret=1;
2086 return(ret);
2087f_err:
2088 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2089err:
2090 return(-1);
2091 }
2092
2093int ssl3_get_cert_status(SSL *s)
2094 {
2095 int ok, al;
2096 unsigned long resplen,n;
2097 const unsigned char *p;
2098
2099 n=s->method->ssl_get_message(s,
2100 SSL3_ST_CR_CERT_STATUS_A,
2101 SSL3_ST_CR_CERT_STATUS_B,
2102 SSL3_MT_CERTIFICATE_STATUS,
2103 16384,
2104 &ok);
2105
2106 if (!ok) return((int)n);
2107 if (n < 4)
2108 {
2109 /* need at least status type + length */
2110 al = SSL_AD_DECODE_ERROR;
2111 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_LENGTH_MISMATCH);
2112 goto f_err;
2113 }
2114 p = (unsigned char *)s->init_msg;
2115 if (*p++ != TLSEXT_STATUSTYPE_ocsp)
2116 {
2117 al = SSL_AD_DECODE_ERROR;
2118 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_UNSUPPORTED_STATUS_TYPE);
2119 goto f_err;
2120 }
2121 n2l3(p, resplen);
2122 if (resplen + 4 != n)
2123 {
2124 al = SSL_AD_DECODE_ERROR;
2125 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_LENGTH_MISMATCH);
2126 goto f_err;
2127 }
2128 if (s->tlsext_ocsp_resp)
2129 OPENSSL_free(s->tlsext_ocsp_resp);
2130 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
2131 if (!s->tlsext_ocsp_resp)
2132 {
2133 al = SSL_AD_INTERNAL_ERROR;
2134 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
2135 goto f_err;
2136 }
2137 s->tlsext_ocsp_resplen = resplen;
2138 if (s->ctx->tlsext_status_cb)
2139 {
2140 int ret;
2141 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2142 if (ret == 0)
2143 {
2144 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2145 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_INVALID_STATUS_RESPONSE);
2146 goto f_err;
2147 }
2148 if (ret < 0)
2149 {
2150 al = SSL_AD_INTERNAL_ERROR;
2151 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, ERR_R_MALLOC_FAILURE);
2152 goto f_err;
2153 }
2154 }
2155 return 1;
2156f_err:
2157 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2158 return(-1);
2159 }
2160#endif
2161
2162int ssl3_get_server_done(SSL *s)
2163 {
2164 int ok,ret=0;
2165 long n;
2166
2167 n=s->method->ssl_get_message(s,
2168 SSL3_ST_CR_SRVR_DONE_A,
2169 SSL3_ST_CR_SRVR_DONE_B,
2170 SSL3_MT_SERVER_DONE,
2171 30, /* should be very small, like 0 :-) */
2172 &ok);
2173
2174 if (!ok) return((int)n);
2175 if (n > 0)
2176 {
2177 /* should contain no data */
2178 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
2179 OPENSSL_PUT_ERROR(SSL, ssl3_get_server_done, SSL_R_LENGTH_MISMATCH);
2180 return -1;
2181 }
2182 ret=1;
2183 return(ret);
2184 }
2185
2186
2187int ssl3_send_client_key_exchange(SSL *s)
2188 {
2189 unsigned char *p;
2190 int n;
2191 unsigned long alg_k;
2192#ifndef OPENSSL_NO_RSA
2193 unsigned char *q;
2194 EVP_PKEY *pkey=NULL;
2195#endif
2196#ifndef OPENSSL_NO_ECDH
2197 EC_KEY *clnt_ecdh = NULL;
2198 const EC_POINT *srvr_ecpoint = NULL;
2199 EVP_PKEY *srvr_pub_pkey = NULL;
2200 unsigned char *encodedPoint = NULL;
2201 int encoded_pt_len = 0;
2202 BN_CTX * bn_ctx = NULL;
2203#endif
2204
2205 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
2206 {
2207 p = ssl_handshake_start(s);
2208
2209 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2210
2211 /* Fool emacs indentation */
2212 if (0) {}
2213#ifndef OPENSSL_NO_RSA
2214 else if (alg_k & SSL_kRSA)
2215 {
2216 RSA *rsa;
2217 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2218
2219 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2220 rsa=s->session->sess_cert->peer_rsa_tmp;
2221 else
2222 {
2223 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2224 if ((pkey == NULL) ||
2225 (pkey->type != EVP_PKEY_RSA) ||
2226 (pkey->pkey.rsa == NULL))
2227 {
2228 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2229 goto err;
2230 }
2231 rsa=pkey->pkey.rsa;
2232 EVP_PKEY_free(pkey);
2233 }
2234
2235 tmp_buf[0]=s->client_version>>8;
2236 tmp_buf[1]=s->client_version&0xff;
2237 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2238 goto err;
2239
2240 s->session->master_key_length=sizeof tmp_buf;
2241
2242 q=p;
2243 /* Fix buf for TLS and beyond */
2244 if (s->version > SSL3_VERSION)
2245 p+=2;
2246 n=RSA_public_encrypt(sizeof tmp_buf,
2247 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
2248#ifdef PKCS1_CHECK
2249 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
2250 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
2251#endif
2252 if (n <= 0)
2253 {
2254 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_RSA_ENCRYPT);
2255 goto err;
2256 }
2257
2258 /* Fix buf for TLS and beyond */
2259 if (s->version > SSL3_VERSION)
2260 {
2261 s2n(n,q);
2262 n+=2;
2263 }
2264
2265 s->session->master_key_length=
2266 s->method->ssl3_enc->generate_master_secret(s,
2267 s->session->master_key,
2268 tmp_buf,sizeof tmp_buf);
2269 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2270 }
2271#endif
2272#ifndef OPENSSL_NO_DH
2273 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2274 {
2275 DH *dh_srvr,*dh_clnt;
2276 SESS_CERT *scert = s->session->sess_cert;
2277
2278 if (scert == NULL)
2279 {
2280 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2281 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNEXPECTED_MESSAGE);
2282 goto err;
2283 }
2284
2285 if (scert->peer_dh_tmp != NULL)
2286 dh_srvr=scert->peer_dh_tmp;
2287 else
2288 {
2289 /* we get them from the cert */
2290 int idx = scert->peer_cert_type;
2291 EVP_PKEY *spkey = NULL;
2292 dh_srvr = NULL;
2293 if (idx >= 0)
2294 spkey = X509_get_pubkey(
2295 scert->peer_pkeys[idx].x509);
2296 if (spkey)
2297 {
2298 dh_srvr = EVP_PKEY_get1_DH(spkey);
2299 EVP_PKEY_free(spkey);
2300 }
2301 if (dh_srvr == NULL)
2302 {
2303 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2304 goto err;
2305 }
2306 }
2307 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
2308 {
2309 /* Use client certificate key */
2310 EVP_PKEY *clkey = s->cert->key->privatekey;
2311 dh_clnt = NULL;
2312 if (clkey)
2313 dh_clnt = EVP_PKEY_get1_DH(clkey);
2314 if (dh_clnt == NULL)
2315 {
2316 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2317 goto err;
2318 }
2319 }
2320 else
2321 {
2322 /* generate a new random key */
2323 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2324 {
2325 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2326 goto err;
2327 }
2328 if (!DH_generate_key(dh_clnt))
2329 {
2330 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2331 DH_free(dh_clnt);
2332 goto err;
2333 }
2334 }
2335
2336 /* use the 'p' output buffer for the DH key, but
2337 * make sure to clear it out afterwards */
2338
2339 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2340 if (scert->peer_dh_tmp == NULL)
2341 DH_free(dh_srvr);
2342
2343 if (n <= 0)
2344 {
2345 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_DH_LIB);
2346 DH_free(dh_clnt);
2347 goto err;
2348 }
2349
2350 /* generate master key from the result */
2351 s->session->master_key_length=
2352 s->method->ssl3_enc->generate_master_secret(s,
2353 s->session->master_key,p,n);
2354 /* clean up */
2355 memset(p,0,n);
2356
2357 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
2358 n = 0;
2359 else
2360 {
2361 /* send off the data */
2362 n=BN_num_bytes(dh_clnt->pub_key);
2363 s2n(n,p);
2364 BN_bn2bin(dh_clnt->pub_key,p);
2365 n+=2;
2366 }
2367
2368 DH_free(dh_clnt);
2369
2370 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2371 }
2372#endif
2373
2374#ifndef OPENSSL_NO_ECDH
2375 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2376 {
2377 const EC_GROUP *srvr_group = NULL;
2378 EC_KEY *tkey;
2379 int ecdh_clnt_cert = 0;
2380 int field_size = 0;
2381
2382 /* Did we send out the client's
2383 * ECDH share for use in premaster
2384 * computation as part of client certificate?
2385 * If so, set ecdh_clnt_cert to 1.
2386 */
2387 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
2388 {
2389 /* XXX: For now, we do not support client
2390 * authentication using ECDH certificates.
2391 * To add such support, one needs to add
2392 * code that checks for appropriate
2393 * conditions and sets ecdh_clnt_cert to 1.
2394 * For example, the cert have an ECC
2395 * key on the same curve as the server's
2396 * and the key should be authorized for
2397 * key agreement.
2398 *
2399 * One also needs to add code in ssl3_connect
2400 * to skip sending the certificate verify
2401 * message.
2402 *
2403 * if ((s->cert->key->privatekey != NULL) &&
2404 * (s->cert->key->privatekey->type ==
2405 * EVP_PKEY_EC) && ...)
2406 * ecdh_clnt_cert = 1;
2407 */
2408 }
2409
2410 if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2411 {
2412 tkey = s->session->sess_cert->peer_ecdh_tmp;
2413 }
2414 else
2415 {
2416 /* Get the Server Public Key from Cert */
2417 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2418 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2419 if ((srvr_pub_pkey == NULL) ||
2420 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2421 (srvr_pub_pkey->pkey.ec == NULL))
2422 {
2423 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2424 goto err;
2425 }
2426
2427 tkey = srvr_pub_pkey->pkey.ec;
2428 }
2429
2430 srvr_group = EC_KEY_get0_group(tkey);
2431 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2432
2433 if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2434 {
2435 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2436 goto err;
2437 }
2438
2439 if ((clnt_ecdh=EC_KEY_new()) == NULL)
2440 {
2441 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2442 goto err;
2443 }
2444
2445 if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2446 {
2447 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
2448 goto err;
2449 }
2450 if (ecdh_clnt_cert)
2451 {
2452 /* Reuse key info from our certificate
2453 * We only need our private key to perform
2454 * the ECDH computation.
2455 */
2456 const BIGNUM *priv_key;
2457 tkey = s->cert->key->privatekey->pkey.ec;
2458 priv_key = EC_KEY_get0_private_key(tkey);
2459 if (priv_key == NULL)
2460 {
2461 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2462 goto err;
2463 }
2464 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2465 {
2466 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_EC_LIB);
2467 goto err;
2468 }
2469 }
2470 else
2471 {
2472 /* Generate a new ECDH key pair */
2473 if (!(EC_KEY_generate_key(clnt_ecdh)))
2474 {
2475 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2476 goto err;
2477 }
2478 }
2479
2480 /* use the 'p' output buffer for the ECDH key, but
2481 * make sure to clear it out afterwards
2482 */
2483
2484 field_size = EC_GROUP_get_degree(srvr_group);
2485 if (field_size <= 0)
2486 {
2487 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2488 goto err;
2489 }
2490 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2491 if (n <= 0)
2492 {
2493 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_ECDH_LIB);
2494 goto err;
2495 }
2496
2497 /* generate master key from the result */
2498 s->session->master_key_length = s->method->ssl3_enc \
2499 -> generate_master_secret(s,
2500 s->session->master_key,
2501 p, n);
2502
2503 memset(p, 0, n); /* clean up */
2504
2505 if (ecdh_clnt_cert)
2506 {
2507 /* Send empty client key exch message */
2508 n = 0;
2509 }
2510 else
2511 {
2512 /* First check the size of encoding and
2513 * allocate memory accordingly.
2514 */
2515 encoded_pt_len =
2516 EC_POINT_point2oct(srvr_group,
2517 EC_KEY_get0_public_key(clnt_ecdh),
2518 POINT_CONVERSION_UNCOMPRESSED,
2519 NULL, 0, NULL);
2520
2521 encodedPoint = (unsigned char *)
2522 OPENSSL_malloc(encoded_pt_len *
2523 sizeof(unsigned char));
2524 bn_ctx = BN_CTX_new();
2525 if ((encodedPoint == NULL) ||
2526 (bn_ctx == NULL))
2527 {
2528 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2529 goto err;
2530 }
2531
2532 /* Encode the public key */
2533 n = EC_POINT_point2oct(srvr_group,
2534 EC_KEY_get0_public_key(clnt_ecdh),
2535 POINT_CONVERSION_UNCOMPRESSED,
2536 encodedPoint, encoded_pt_len, bn_ctx);
2537
2538 *p = n; /* length of encoded point */
2539 /* Encoded point will be copied here */
2540 p += 1;
2541 /* copy the point */
2542 memcpy((unsigned char *)p, encodedPoint, n);
2543 /* increment n to account for length field */
2544 n += 1;
2545 }
2546
2547 /* Free allocated memory */
2548 BN_CTX_free(bn_ctx);
2549 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2550 if (clnt_ecdh != NULL)
2551 EC_KEY_free(clnt_ecdh);
2552 EVP_PKEY_free(srvr_pub_pkey);
2553 }
2554#endif /* !OPENSSL_NO_ECDH */
2555 else if (alg_k & SSL_kGOST)
2556 {
2557 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_GOST_NOT_SUPPORTED);
2558 goto err;
2559 }
2560#ifndef OPENSSL_NO_PSK
2561 else if (alg_k & SSL_kPSK)
2562 {
2563 char identity[PSK_MAX_IDENTITY_LEN];
2564 unsigned char *t = NULL;
2565 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
2566 unsigned int pre_ms_len = 0, psk_len = 0;
2567 int psk_err = 1;
2568
2569 n = 0;
2570 if (s->psk_client_callback == NULL)
2571 {
2572 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_NO_CLIENT_CB);
2573 goto err;
2574 }
2575
2576 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
2577 identity, PSK_MAX_IDENTITY_LEN,
2578 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2579 if (psk_len > PSK_MAX_PSK_LEN)
2580 {
2581 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2582 goto psk_err;
2583 }
2584 else if (psk_len == 0)
2585 {
2586 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_PSK_IDENTITY_NOT_FOUND);
2587 goto psk_err;
2588 }
2589
2590 /* create PSK pre_master_secret */
2591 pre_ms_len = 2+psk_len+2+psk_len;
2592 t = psk_or_pre_ms;
2593 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
2594 s2n(psk_len, t);
2595 memset(t, 0, psk_len);
2596 t+=psk_len;
2597 s2n(psk_len, t);
2598
2599 if (s->session->psk_identity_hint != NULL)
2600 OPENSSL_free(s->session->psk_identity_hint);
2601 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2602 if (s->ctx->psk_identity_hint != NULL &&
2603 s->session->psk_identity_hint == NULL)
2604 {
2605 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2606 goto psk_err;
2607 }
2608
2609 if (s->session->psk_identity != NULL)
2610 OPENSSL_free(s->session->psk_identity);
2611 s->session->psk_identity = BUF_strdup(identity);
2612 if (s->session->psk_identity == NULL)
2613 {
2614 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
2615 goto psk_err;
2616 }
2617
2618 s->session->master_key_length =
2619 s->method->ssl3_enc->generate_master_secret(s,
2620 s->session->master_key,
2621 psk_or_pre_ms, pre_ms_len);
2622 n = strlen(identity);
2623 s2n(n, p);
2624 memcpy(p, identity, n);
2625 n+=2;
2626 psk_err = 0;
2627 psk_err:
2628 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2629 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2630 if (psk_err != 0)
2631 {
2632 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2633 goto err;
2634 }
2635 }
2636#endif
2637 else
2638 {
2639 ssl3_send_alert(s, SSL3_AL_FATAL,
2640 SSL_AD_HANDSHAKE_FAILURE);
2641 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2642 goto err;
2643 }
2644
2645 ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
2646 s->state=SSL3_ST_CW_KEY_EXCH_B;
2647 }
2648
2649 /* SSL3_ST_CW_KEY_EXCH_B */
2650 return ssl_do_write(s);
2651err:
2652#ifndef OPENSSL_NO_ECDH
2653 BN_CTX_free(bn_ctx);
2654 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2655 if (clnt_ecdh != NULL)
2656 EC_KEY_free(clnt_ecdh);
2657 EVP_PKEY_free(srvr_pub_pkey);
2658#endif
2659 return(-1);
2660 }
2661
2662int ssl3_send_client_verify(SSL *s)
2663 {
2664 unsigned char *p;
2665 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2666 EVP_PKEY *pkey;
2667 EVP_PKEY_CTX *pctx=NULL;
2668 EVP_MD_CTX mctx;
2669 unsigned u=0;
2670 unsigned long n;
2671 int j;
2672
2673 EVP_MD_CTX_init(&mctx);
2674
2675 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2676 {
2677 p= ssl_handshake_start(s);
2678 pkey=s->cert->key->privatekey;
2679/* Create context from key and test if sha1 is allowed as digest */
2680 pctx = EVP_PKEY_CTX_new(pkey,NULL);
2681 EVP_PKEY_sign_init(pctx);
2682 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
2683 {
2684 if (!SSL_USE_SIGALGS(s))
2685 s->method->ssl3_enc->cert_verify_mac(s,
2686 NID_sha1,
2687 &(data[MD5_DIGEST_LENGTH]));
2688 }
2689 else
2690 {
2691 ERR_clear_error();
2692 }
2693 /* For TLS v1.2 send signature algorithm and signature
2694 * using agreed digest and cached handshake records.
2695 */
2696 if (SSL_USE_SIGALGS(s))
2697 {
2698 long hdatalen = 0;
2699 char *hdata;
2700 const EVP_MD *md = s->cert->key->digest;
2701 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2702 &hdata);
2703 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md))
2704 {
2705 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
2706 goto err;
2707 }
2708 p += 2;
2709#ifdef SSL_DEBUG
2710 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2711 EVP_MD_name(md));
2712#endif
2713 if (!EVP_SignInit_ex(&mctx, md, NULL)
2714 || !EVP_SignUpdate(&mctx, hdata, hdatalen)
2715 || !EVP_SignFinal(&mctx, p + 2, &u, pkey))
2716 {
2717 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_EVP_LIB);
2718 goto err;
2719 }
2720 s2n(u,p);
2721 n = u + 4;
2722 if (!ssl3_digest_cached_records(s))
2723 goto err;
2724 }
2725 else
2726#ifndef OPENSSL_NO_RSA
2727 if (pkey->type == EVP_PKEY_RSA)
2728 {
2729 s->method->ssl3_enc->cert_verify_mac(s,
2730 NID_md5,
2731 &(data[0]));
2732 if (RSA_sign(NID_md5_sha1, data,
2733 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2734 &(p[2]), &u, pkey->pkey.rsa) <= 0 )
2735 {
2736 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_RSA_LIB);
2737 goto err;
2738 }
2739 s2n(u,p);
2740 n=u+2;
2741 }
2742 else
2743#endif
2744#ifndef OPENSSL_NO_DSA
2745 if (pkey->type == EVP_PKEY_DSA)
2746 {
2747 if (!DSA_sign(pkey->save_type,
2748 &(data[MD5_DIGEST_LENGTH]),
2749 SHA_DIGEST_LENGTH,&(p[2]),
2750 (unsigned int *)&j,pkey->pkey.dsa))
2751 {
2752 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_DSA_LIB);
2753 goto err;
2754 }
2755 s2n(j,p);
2756 n=j+2;
2757 }
2758 else
2759#endif
2760#ifndef OPENSSL_NO_ECDSA
2761 if (pkey->type == EVP_PKEY_EC)
2762 {
2763 if (!ECDSA_sign(pkey->save_type,
2764 &(data[MD5_DIGEST_LENGTH]),
2765 SHA_DIGEST_LENGTH,&(p[2]),
2766 (unsigned int *)&j,pkey->pkey.ec))
2767 {
2768 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_ECDSA_LIB);
2769 goto err;
2770 }
2771 s2n(j,p);
2772 n=j+2;
2773 }
2774 else
2775#endif
2776 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001)
2777 {
2778 unsigned char signbuf[64];
2779 int i;
2780 size_t sigsize=64;
2781 s->method->ssl3_enc->cert_verify_mac(s,
2782 NID_id_GostR3411_94,
2783 data);
2784 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
2785 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
2786 goto err;
2787 }
2788 for (i=63,j=0; i>=0; j++, i--) {
2789 p[2+j]=signbuf[i];
2790 }
2791 s2n(j,p);
2792 n=j+2;
2793 }
2794 else
2795 {
2796 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_verify, ERR_R_INTERNAL_ERROR);
2797 goto err;
2798 }
2799 ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
2800 s->state=SSL3_ST_CW_CERT_VRFY_B;
2801 }
2802 EVP_MD_CTX_cleanup(&mctx);
2803 EVP_PKEY_CTX_free(pctx);
2804 return ssl_do_write(s);
2805err:
2806 EVP_MD_CTX_cleanup(&mctx);
2807 EVP_PKEY_CTX_free(pctx);
2808 return(-1);
2809 }
2810
2811/* Check a certificate can be used for client authentication. Currently
2812 * check cert exists, if we have a suitable digest for TLS 1.2 if
2813 * static DH client certificates can be used and optionally checks
2814 * suitability for Suite B.
2815 */
2816static int ssl3_check_client_certificate(SSL *s)
2817 {
2818 unsigned long alg_k;
2819 if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
2820 return 0;
2821 /* If no suitable signature algorithm can't use certificate */
2822 if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
2823 return 0;
2824 /* If strict mode check suitability of chain before using it.
2825 * This also adjusts suite B digest if necessary.
2826 */
2827 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
2828 !tls1_check_chain(s, NULL, NULL, NULL, -2))
2829 return 0;
2830 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2831 /* See if we can use client certificate for fixed DH */
2832 if (alg_k & (SSL_kDHr|SSL_kDHd))
2833 {
2834 SESS_CERT *scert = s->session->sess_cert;
2835 int i = scert->peer_cert_type;
2836 EVP_PKEY *clkey = NULL, *spkey = NULL;
2837 clkey = s->cert->key->privatekey;
2838 /* If client key not DH assume it can be used */
2839 if (EVP_PKEY_id(clkey) != EVP_PKEY_DH)
2840 return 1;
2841 if (i >= 0)
2842 spkey = X509_get_pubkey(scert->peer_pkeys[i].x509);
2843 if (spkey)
2844 {
2845 /* Compare server and client parameters */
2846 i = EVP_PKEY_cmp_parameters(clkey, spkey);
2847 EVP_PKEY_free(spkey);
2848 if (i != 1)
2849 return 0;
2850 }
2851 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2852 }
2853 return 1;
2854 }
2855
2856int ssl3_send_client_certificate(SSL *s)
2857 {
2858 X509 *x509=NULL;
2859 EVP_PKEY *pkey=NULL;
2860 int i;
2861
2862 if (s->state == SSL3_ST_CW_CERT_A)
2863 {
2864 /* Let cert callback update client certificates if required */
2865 if (s->cert->cert_cb)
2866 {
2867 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
2868 if (i < 0)
2869 {
2870 s->rwstate=SSL_X509_LOOKUP;
2871 return -1;
2872 }
2873 if (i == 0)
2874 {
2875 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
2876 return 0;
2877 }
2878 s->rwstate=SSL_NOTHING;
2879 }
2880 if (ssl3_check_client_certificate(s))
2881 s->state=SSL3_ST_CW_CERT_C;
2882 else
2883 s->state=SSL3_ST_CW_CERT_B;
2884 }
2885
2886 /* We need to get a client cert */
2887 if (s->state == SSL3_ST_CW_CERT_B)
2888 {
2889 /* If we get an error, we need to
2890 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2891 * We then get retied later */
2892 i=0;
2893 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2894 if (i < 0)
2895 {
2896 s->rwstate=SSL_X509_LOOKUP;
2897 return(-1);
2898 }
2899 s->rwstate=SSL_NOTHING;
2900 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2901 {
2902 s->state=SSL3_ST_CW_CERT_B;
2903 if ( !SSL_use_certificate(s,x509) ||
2904 !SSL_use_PrivateKey(s,pkey))
2905 i=0;
2906 }
2907 else if (i == 1)
2908 {
2909 i=0;
2910 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2911 }
2912
2913 if (x509 != NULL) X509_free(x509);
2914 if (pkey != NULL) EVP_PKEY_free(pkey);
2915 if (i && !ssl3_check_client_certificate(s))
2916 i = 0;
2917 if (i == 0)
2918 {
2919 if (s->version == SSL3_VERSION)
2920 {
2921 s->s3->tmp.cert_req=0;
2922 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2923 return(1);
2924 }
2925 else
2926 {
2927 s->s3->tmp.cert_req=2;
2928 }
2929 }
2930
2931 /* Ok, we have a cert */
2932 s->state=SSL3_ST_CW_CERT_C;
2933 }
2934
2935 if (s->state == SSL3_ST_CW_CERT_C)
2936 {
2937 s->state=SSL3_ST_CW_CERT_D;
2938 ssl3_output_cert_chain(s,
2939 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
2940 }
2941 /* SSL3_ST_CW_CERT_D */
2942 return ssl_do_write(s);
2943 }
2944
2945#define has_bits(i,m) (((i)&(m)) == (m))
2946
2947int ssl3_check_cert_and_algorithm(SSL *s)
2948 {
2949 int i,idx;
2950 long alg_k,alg_a;
2951 EVP_PKEY *pkey=NULL;
2952 SESS_CERT *sc;
2953#ifndef OPENSSL_NO_RSA
2954 RSA *rsa;
2955#endif
2956#ifndef OPENSSL_NO_DH
2957 DH *dh;
2958#endif
2959
2960 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2961 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
2962
2963 /* we don't have a certificate */
2964 if ((alg_a & (SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
2965 return(1);
2966
2967 sc=s->session->sess_cert;
2968 if (sc == NULL)
2969 {
2970 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
2971 goto err;
2972 }
2973
2974#ifndef OPENSSL_NO_RSA
2975 rsa=s->session->sess_cert->peer_rsa_tmp;
2976#endif
2977#ifndef OPENSSL_NO_DH
2978 dh=s->session->sess_cert->peer_dh_tmp;
2979#endif
2980
2981 /* This is the passed certificate */
2982
2983 idx=sc->peer_cert_type;
2984#ifndef OPENSSL_NO_ECDH
2985 if (idx == SSL_PKEY_ECC)
2986 {
2987 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2988 s) == 0)
2989 { /* check failed */
2990 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_BAD_ECC_CERT);
2991 goto f_err;
2992 }
2993 else
2994 {
2995 return 1;
2996 }
2997 }
2998 else if (alg_a & SSL_aECDSA)
2999 {
3000 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_ECDSA_SIGNING_CERT);
3001 goto f_err;
3002 }
3003 else if (alg_k & (SSL_kECDHr|SSL_kECDHe))
3004 {
3005 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_ECDH_CERT);
3006 goto f_err;
3007 }
3008#endif
3009 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
3010 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
3011 EVP_PKEY_free(pkey);
3012
3013
3014 /* Check that we have a certificate if we require one */
3015 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
3016 {
3017 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_RSA_SIGNING_CERT);
3018 goto f_err;
3019 }
3020#ifndef OPENSSL_NO_DSA
3021 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
3022 {
3023 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DSA_SIGNING_CERT);
3024 goto f_err;
3025 }
3026#endif
3027#ifndef OPENSSL_NO_RSA
3028 if ((alg_k & SSL_kRSA) &&
3029 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
3030 {
3031 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3032 goto f_err;
3033 }
3034#endif
3035#ifndef OPENSSL_NO_DH
3036 if ((alg_k & SSL_kEDH) &&
3037 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
3038 {
3039 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_KEY);
3040 goto f_err;
3041 }
3042 else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
3043 !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
3044 {
3045 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_RSA_CERT);
3046 goto f_err;
3047 }
3048#ifndef OPENSSL_NO_DSA
3049 else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
3050 !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
3051 {
3052 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_DH_DSA_CERT);
3053 goto f_err;
3054 }
3055#endif
3056#endif
3057
3058 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
3059 {
3060#ifndef OPENSSL_NO_RSA
3061 if (alg_k & SSL_kRSA)
3062 {
3063 if (rsa == NULL
3064 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
3065 {
3066 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3067 goto f_err;
3068 }
3069 }
3070 else
3071#endif
3072#ifndef OPENSSL_NO_DH
3073 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
3074 {
3075 if (dh == NULL
3076 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
3077 {
3078 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3079 goto f_err;
3080 }
3081 }
3082 else
3083#endif
3084 {
3085 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3086 goto f_err;
3087 }
3088 }
3089 return(1);
3090f_err:
3091 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
3092err:
3093 return(0);
3094 }
3095
3096#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3097int ssl3_send_next_proto(SSL *s)
3098 {
3099 unsigned int len, padding_len;
3100 unsigned char *d;
3101
3102 if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
3103 {
3104 len = s->next_proto_negotiated_len;
3105 padding_len = 32 - ((len + 2) % 32);
3106 d = (unsigned char *)s->init_buf->data;
3107 d[4] = len;
3108 memcpy(d + 5, s->next_proto_negotiated, len);
3109 d[5 + len] = padding_len;
3110 memset(d + 6 + len, 0, padding_len);
3111 *(d++)=SSL3_MT_NEXT_PROTO;
3112 l2n3(2 + len + padding_len, d);
3113 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3114 s->init_num = 4 + 2 + len + padding_len;
3115 s->init_off = 0;
3116 }
3117
3118 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3119}
3120#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
3121
3122/* Check to see if handshake is full or resumed. Usually this is just a
3123 * case of checking to see if a cache hit has occurred. In the case of
3124 * session tickets we have to check the next message to be sure.
3125 */
3126
3127#ifndef OPENSSL_NO_TLSEXT
3128int ssl3_check_finished(SSL *s)
3129 {
3130 int ok;
3131 long n;
3132 /* If we have no ticket it cannot be a resumed session. */
3133 if (!s->session->tlsext_tick)
3134 return 1;
3135 /* this function is called when we really expect a Certificate
3136 * message, so permit appropriate message length */
3137 n=s->method->ssl_get_message(s,
3138 SSL3_ST_CR_CERT_A,
3139 SSL3_ST_CR_CERT_B,
3140 -1,
3141 s->max_cert_list,
3142 &ok);
3143 if (!ok) return((int)n);
3144 s->s3->tmp.reuse_message = 1;
3145 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
3146 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3147 return 2;
3148
3149 return 1;
3150 }
3151#endif
3152
3153int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3154 {
3155 int i = 0;
3156 /* TODO(fork): remove */
3157#if 0
3158#ifndef OPENSSL_NO_ENGINE
3159 if (s->ctx->client_cert_engine)
3160 {
3161 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3162 SSL_get_client_CA_list(s),
3163 px509, ppkey, NULL, NULL, NULL);
3164 if (i != 0)
3165 return i;
3166 }
3167#endif
3168#endif
3169 if (s->ctx->client_cert_cb)
3170 i = s->ctx->client_cert_cb(s,px509,ppkey);
3171 return i;
3172 }
3173
3174#ifndef OPENSSL_NO_TLSEXT
3175int tls1_get_server_supplemental_data(SSL *s)
3176 {
3177 int al;
3178 int ok;
3179 unsigned long supp_data_len, authz_data_len;
3180 long n;
3181 unsigned short supp_data_type, authz_data_type, proof_len;
3182 const unsigned char *p;
3183 unsigned char *new_proof;
3184
3185 n=s->method->ssl_get_message(s,
3186 SSL3_ST_CR_SUPPLEMENTAL_DATA_A,
3187 SSL3_ST_CR_SUPPLEMENTAL_DATA_B,
3188 SSL3_MT_SUPPLEMENTAL_DATA,
3189 /* use default limit */
3190 TLSEXT_MAXLEN_supplemental_data,
3191 &ok);
3192
3193 if (!ok) return((int)n);
3194
3195 p = (unsigned char *)s->init_msg;
3196
3197 /* The message cannot be empty */
3198 if (n < 3)
3199 {
3200 al = SSL_AD_DECODE_ERROR;
3201 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_LENGTH_MISMATCH);
3202 goto f_err;
3203 }
3204 /* Length of supplemental data */
3205 n2l3(p,supp_data_len);
3206 n -= 3;
3207 /* We must have at least one supplemental data entry
3208 * with type (1 byte) and length (2 bytes). */
3209 if (supp_data_len != (unsigned long) n || n < 4)
3210 {
3211 al = SSL_AD_DECODE_ERROR;
3212 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_LENGTH_MISMATCH);
3213 goto f_err;
3214 }
3215 /* Supplemental data type: must be authz_data */
3216 n2s(p,supp_data_type);
3217 n -= 2;
3218 if (supp_data_type != TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
3219 {
3220 al = SSL_AD_UNEXPECTED_MESSAGE;
3221 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE);
3222 goto f_err;
3223 }
3224 /* Authz data length */
3225 n2s(p, authz_data_len);
3226 n -= 2;
3227 if (authz_data_len != (unsigned long) n || n < 1)
3228 {
3229 al = SSL_AD_DECODE_ERROR;
3230 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_LENGTH_MISMATCH);
3231 goto f_err;
3232 }
3233 /* Authz data type: must be audit_proof */
3234 authz_data_type = *(p++);
3235 n -= 1;
3236 if (authz_data_type != TLSEXT_AUTHZDATAFORMAT_audit_proof)
3237 {
3238 al=SSL_AD_UNEXPECTED_MESSAGE;
3239 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_UNKNOWN_AUTHZ_DATA_TYPE);
3240 goto f_err;
3241 }
3242 /* We have a proof: read its length */
3243 if (n < 2)
3244 {
3245 al = SSL_AD_DECODE_ERROR;
3246 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_LENGTH_MISMATCH);
3247 goto f_err;
3248 }
3249 n2s(p, proof_len);
3250 n -= 2;
3251 if (proof_len != (unsigned long) n)
3252 {
3253 al = SSL_AD_DECODE_ERROR;
3254 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, SSL_R_LENGTH_MISMATCH);
3255 goto f_err;
3256 }
3257 /* Store the proof */
3258 new_proof = OPENSSL_realloc(s->session->audit_proof,
3259 proof_len);
3260 if (new_proof == NULL)
3261 {
3262 OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
3263 return 0;
3264 }
3265 s->session->audit_proof_length = proof_len;
3266 s->session->audit_proof = new_proof;
3267 memcpy(s->session->audit_proof, p, proof_len);
3268
3269 /* Got the proof, but can't verify it yet. */
3270 return 1;
3271f_err:
3272 ssl3_send_alert(s,SSL3_AL_FATAL,al);
3273 return -1;
3274 }
3275#endif