Line data Source code
1 : /* ssl/s3_clnt.c */
2 : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 : * All rights reserved.
4 : *
5 : * This package is an SSL implementation written
6 : * by Eric Young (eay@cryptsoft.com).
7 : * The implementation was written so as to conform with Netscapes SSL.
8 : *
9 : * This library is free for commercial and non-commercial use as long as
10 : * the following conditions are aheared to. The following conditions
11 : * apply to all code found in this distribution, be it the RC4, RSA,
12 : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 : * included with this distribution is covered by the same copyright terms
14 : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 : *
16 : * Copyright remains Eric Young's, and as such any Copyright notices in
17 : * the code are not to be removed.
18 : * If this package is used in a product, Eric Young should be given attribution
19 : * as the author of the parts of the library used.
20 : * This can be in the form of a textual message at program startup or
21 : * in documentation (online or textual) provided with the package.
22 : *
23 : * Redistribution and use in source and binary forms, with or without
24 : * modification, are permitted provided that the following conditions
25 : * are met:
26 : * 1. Redistributions of source code must retain the copyright
27 : * notice, this list of conditions and the following disclaimer.
28 : * 2. Redistributions in binary form must reproduce the above copyright
29 : * notice, this list of conditions and the following disclaimer in the
30 : * documentation and/or other materials provided with the distribution.
31 : * 3. All advertising materials mentioning features or use of this software
32 : * must display the following acknowledgement:
33 : * "This product includes cryptographic software written by
34 : * Eric Young (eay@cryptsoft.com)"
35 : * The word 'cryptographic' can be left out if the rouines from the library
36 : * being used are not cryptographic related :-).
37 : * 4. If you include any Windows specific code (or a derivative thereof) from
38 : * the apps directory (application code) you must include an acknowledgement:
39 : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 : *
41 : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 : * SUCH DAMAGE.
52 : *
53 : * The licence and distribution terms for any publically available version or
54 : * derivative of this code cannot be changed. i.e. this code cannot simply be
55 : * copied and put under another distribution licence
56 : * [including the GNU Public Licence.]
57 : */
58 : /* ====================================================================
59 : * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 : *
61 : * Redistribution and use in source and binary forms, with or without
62 : * modification, are permitted provided that the following conditions
63 : * are met:
64 : *
65 : * 1. Redistributions of source code must retain the above copyright
66 : * notice, this list of conditions and the following disclaimer.
67 : *
68 : * 2. Redistributions in binary form must reproduce the above copyright
69 : * notice, this list of conditions and the following disclaimer in
70 : * the documentation and/or other materials provided with the
71 : * distribution.
72 : *
73 : * 3. All advertising materials mentioning features or use of this
74 : * software must display the following acknowledgment:
75 : * "This product includes software developed by the OpenSSL Project
76 : * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 : *
78 : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 : * endorse or promote products derived from this software without
80 : * prior written permission. For written permission, please contact
81 : * openssl-core@openssl.org.
82 : *
83 : * 5. Products derived from this software may not be called "OpenSSL"
84 : * nor may "OpenSSL" appear in their names without prior written
85 : * permission of the OpenSSL Project.
86 : *
87 : * 6. Redistributions of any form whatsoever must retain the following
88 : * acknowledgment:
89 : * "This product includes software developed by the OpenSSL Project
90 : * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 : *
92 : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 : * OF THE POSSIBILITY OF SUCH DAMAGE.
104 : * ====================================================================
105 : *
106 : * This product includes cryptographic software written by Eric Young
107 : * (eay@cryptsoft.com). This product includes software written by Tim
108 : * Hudson (tjh@cryptsoft.com).
109 : *
110 : */
111 : /* ====================================================================
112 : * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 : *
114 : * Portions of the attached software ("Contribution") are developed by
115 : * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 : *
117 : * The Contribution is licensed pursuant to the OpenSSL open source
118 : * license provided above.
119 : *
120 : * ECC cipher suite support in OpenSSL originally written by
121 : * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 : *
123 : */
124 : /* ====================================================================
125 : * Copyright 2005 Nokia. All rights reserved.
126 : *
127 : * The portions of the attached software ("Contribution") is developed by
128 : * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 : * license.
130 : *
131 : * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 : * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 : * support (see RFC 4279) to OpenSSL.
134 : *
135 : * No patent licenses or other rights except those expressly stated in
136 : * the OpenSSL open source license shall be deemed granted or received
137 : * expressly, by implication, estoppel, or otherwise.
138 : *
139 : * No assurances are provided by Nokia that the Contribution does not
140 : * infringe the patent or other intellectual property rights of any third
141 : * party or that the license provides you with all the necessary rights
142 : * to make use of the Contribution.
143 : *
144 : * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 : * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 : * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 : * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 : * OTHERWISE.
149 : */
150 :
151 : #include <stdio.h>
152 : #include "ssl_locl.h"
153 : #include "kssl_lcl.h"
154 : #include <openssl/buffer.h>
155 : #include <openssl/rand.h>
156 : #include <openssl/objects.h>
157 : #include <openssl/evp.h>
158 : #include <openssl/md5.h>
159 : #ifdef OPENSSL_FIPS
160 : # include <openssl/fips.h>
161 : #endif
162 : #ifndef OPENSSL_NO_DH
163 : # include <openssl/dh.h>
164 : #endif
165 : #include <openssl/bn.h>
166 : #ifndef OPENSSL_NO_ENGINE
167 : # include <openssl/engine.h>
168 : #endif
169 :
170 : static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
171 : #ifndef OPENSSL_NO_TLSEXT
172 : static int ssl3_check_finished(SSL *s);
173 : #endif
174 :
175 : #ifndef OPENSSL_NO_SSL3_METHOD
176 0 : static const SSL_METHOD *ssl3_get_client_method(int ver)
177 : {
178 0 : if (ver == SSL3_VERSION)
179 : return (SSLv3_client_method());
180 : else
181 0 : return (NULL);
182 : }
183 :
184 0 : IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
185 : ssl_undefined_function,
186 : ssl3_connect, ssl3_get_client_method)
187 : #endif
188 1108 : int ssl3_connect(SSL *s)
189 : {
190 : BUF_MEM *buf = NULL;
191 1108 : unsigned long Time = (unsigned long)time(NULL);
192 : void (*cb) (const SSL *ssl, int type, int val) = NULL;
193 : int ret = -1;
194 : int new_state, state, skip = 0;
195 :
196 1108 : RAND_add(&Time, sizeof(Time), 0);
197 1108 : ERR_clear_error();
198 1108 : clear_sys_error();
199 :
200 1108 : if (s->info_callback != NULL)
201 : cb = s->info_callback;
202 0 : else if (s->ctx->info_callback != NULL)
203 : cb = s->ctx->info_callback;
204 :
205 1108 : s->in_handshake++;
206 1108 : if (!SSL_in_init(s) || SSL_in_before(s))
207 373 : SSL_clear(s);
208 :
209 : #ifndef OPENSSL_NO_HEARTBEATS
210 : /*
211 : * If we're awaiting a HeartbeatResponse, pretend we already got and
212 : * don't await it anymore, because Heartbeats don't make sense during
213 : * handshakes anyway.
214 : */
215 1108 : if (s->tlsext_hb_pending) {
216 0 : s->tlsext_hb_pending = 0;
217 0 : s->tlsext_hb_seq++;
218 : }
219 : #endif
220 :
221 : for (;;) {
222 5914 : state = s->state;
223 :
224 5914 : switch (s->state) {
225 : case SSL_ST_RENEGOTIATE:
226 0 : s->renegotiate = 1;
227 0 : s->state = SSL_ST_CONNECT;
228 0 : s->ctx->stats.sess_connect_renegotiate++;
229 : /* break */
230 : case SSL_ST_BEFORE:
231 : case SSL_ST_CONNECT:
232 : case SSL_ST_BEFORE | SSL_ST_CONNECT:
233 : case SSL_ST_OK | SSL_ST_CONNECT:
234 :
235 373 : s->server = 0;
236 373 : if (cb != NULL)
237 373 : cb(s, SSL_CB_HANDSHAKE_START, 1);
238 :
239 373 : if ((s->version & 0xff00) != 0x0300) {
240 0 : SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
241 0 : s->state = SSL_ST_ERR;
242 : ret = -1;
243 0 : goto end;
244 : }
245 :
246 : /* s->version=SSL3_VERSION; */
247 373 : s->type = SSL_ST_CONNECT;
248 :
249 373 : if (s->init_buf == NULL) {
250 373 : if ((buf = BUF_MEM_new()) == NULL) {
251 : ret = -1;
252 0 : s->state = SSL_ST_ERR;
253 0 : goto end;
254 : }
255 373 : if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
256 : ret = -1;
257 0 : s->state = SSL_ST_ERR;
258 0 : goto end;
259 : }
260 373 : s->init_buf = buf;
261 : buf = NULL;
262 : }
263 :
264 373 : if (!ssl3_setup_buffers(s)) {
265 : ret = -1;
266 : goto end;
267 : }
268 :
269 : /* setup buffing BIO */
270 373 : if (!ssl_init_wbio_buffer(s, 0)) {
271 : ret = -1;
272 0 : s->state = SSL_ST_ERR;
273 0 : goto end;
274 : }
275 :
276 : /* don't push the buffering BIO quite yet */
277 :
278 373 : ssl3_init_finished_mac(s);
279 :
280 373 : s->state = SSL3_ST_CW_CLNT_HELLO_A;
281 373 : s->ctx->stats.sess_connect++;
282 373 : s->init_num = 0;
283 373 : s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
284 : /*
285 : * Should have been reset by ssl3_get_finished, too.
286 : */
287 373 : s->s3->change_cipher_spec = 0;
288 373 : break;
289 :
290 : case SSL3_ST_CW_CLNT_HELLO_A:
291 : case SSL3_ST_CW_CLNT_HELLO_B:
292 :
293 373 : s->shutdown = 0;
294 373 : ret = ssl3_client_hello(s);
295 373 : if (ret <= 0)
296 : goto end;
297 373 : s->state = SSL3_ST_CR_SRVR_HELLO_A;
298 373 : s->init_num = 0;
299 :
300 : /* turn on buffering for the next lot of output */
301 373 : if (s->bbio != s->wbio)
302 373 : s->wbio = BIO_push(s->bbio, s->wbio);
303 :
304 : break;
305 :
306 : case SSL3_ST_CR_SRVR_HELLO_A:
307 : case SSL3_ST_CR_SRVR_HELLO_B:
308 743 : ret = ssl3_get_server_hello(s);
309 743 : if (ret <= 0)
310 : goto end;
311 :
312 370 : if (s->hit) {
313 0 : s->state = SSL3_ST_CR_FINISHED_A;
314 : #ifndef OPENSSL_NO_TLSEXT
315 0 : if (s->tlsext_ticket_expected) {
316 : /* receive renewed session ticket */
317 0 : s->state = SSL3_ST_CR_SESSION_TICKET_A;
318 : }
319 : #endif
320 : } else {
321 370 : s->state = SSL3_ST_CR_CERT_A;
322 : }
323 370 : s->init_num = 0;
324 370 : break;
325 : case SSL3_ST_CR_CERT_A:
326 : case SSL3_ST_CR_CERT_B:
327 : #ifndef OPENSSL_NO_TLSEXT
328 : /* Noop (ret = 0) for everything but EAP-FAST. */
329 370 : ret = ssl3_check_finished(s);
330 370 : if (ret < 0)
331 : goto end;
332 370 : if (ret == 1) {
333 0 : s->hit = 1;
334 0 : s->state = SSL3_ST_CR_FINISHED_A;
335 0 : s->init_num = 0;
336 0 : break;
337 : }
338 : #endif
339 : /* Check if it is anon DH/ECDH, SRP auth */
340 : /* or PSK */
341 370 : if (!
342 370 : (s->s3->tmp.
343 370 : new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
344 370 : && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
345 370 : ret = ssl3_get_server_certificate(s);
346 370 : if (ret <= 0)
347 : goto end;
348 : #ifndef OPENSSL_NO_TLSEXT
349 370 : if (s->tlsext_status_expected)
350 0 : s->state = SSL3_ST_CR_CERT_STATUS_A;
351 : else
352 370 : s->state = SSL3_ST_CR_KEY_EXCH_A;
353 : } else {
354 : skip = 1;
355 0 : s->state = SSL3_ST_CR_KEY_EXCH_A;
356 : }
357 : #else
358 : } else
359 : skip = 1;
360 :
361 : s->state = SSL3_ST_CR_KEY_EXCH_A;
362 : #endif
363 370 : s->init_num = 0;
364 370 : break;
365 :
366 : case SSL3_ST_CR_KEY_EXCH_A:
367 : case SSL3_ST_CR_KEY_EXCH_B:
368 370 : ret = ssl3_get_key_exchange(s);
369 370 : if (ret <= 0)
370 : goto end;
371 370 : s->state = SSL3_ST_CR_CERT_REQ_A;
372 370 : s->init_num = 0;
373 :
374 : /*
375 : * at this point we check that we have the required stuff from
376 : * the server
377 : */
378 370 : if (!ssl3_check_cert_and_algorithm(s)) {
379 : ret = -1;
380 0 : s->state = SSL_ST_ERR;
381 0 : goto end;
382 : }
383 : break;
384 :
385 : case SSL3_ST_CR_CERT_REQ_A:
386 : case SSL3_ST_CR_CERT_REQ_B:
387 370 : ret = ssl3_get_certificate_request(s);
388 370 : if (ret <= 0)
389 : goto end;
390 370 : s->state = SSL3_ST_CR_SRVR_DONE_A;
391 370 : s->init_num = 0;
392 370 : break;
393 :
394 : case SSL3_ST_CR_SRVR_DONE_A:
395 : case SSL3_ST_CR_SRVR_DONE_B:
396 370 : ret = ssl3_get_server_done(s);
397 370 : if (ret <= 0)
398 : goto end;
399 : #ifndef OPENSSL_NO_SRP
400 370 : if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
401 0 : if ((ret = SRP_Calc_A_param(s)) <= 0) {
402 0 : SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
403 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
404 0 : s->state = SSL_ST_ERR;
405 0 : goto end;
406 : }
407 : }
408 : #endif
409 370 : if (s->s3->tmp.cert_req)
410 0 : s->state = SSL3_ST_CW_CERT_A;
411 : else
412 370 : s->state = SSL3_ST_CW_KEY_EXCH_A;
413 370 : s->init_num = 0;
414 :
415 370 : break;
416 :
417 : case SSL3_ST_CW_CERT_A:
418 : case SSL3_ST_CW_CERT_B:
419 : case SSL3_ST_CW_CERT_C:
420 : case SSL3_ST_CW_CERT_D:
421 0 : ret = ssl3_send_client_certificate(s);
422 0 : if (ret <= 0)
423 : goto end;
424 0 : s->state = SSL3_ST_CW_KEY_EXCH_A;
425 0 : s->init_num = 0;
426 0 : break;
427 :
428 : case SSL3_ST_CW_KEY_EXCH_A:
429 : case SSL3_ST_CW_KEY_EXCH_B:
430 370 : ret = ssl3_send_client_key_exchange(s);
431 370 : if (ret <= 0)
432 : goto end;
433 : /*
434 : * EAY EAY EAY need to check for DH fix cert sent back
435 : */
436 : /*
437 : * For TLS, cert_req is set to 2, so a cert chain of nothing is
438 : * sent, but no verify packet is sent
439 : */
440 : /*
441 : * XXX: For now, we do not support client authentication in ECDH
442 : * cipher suites with ECDH (rather than ECDSA) certificates. We
443 : * need to skip the certificate verify message when client's
444 : * ECDH public key is sent inside the client certificate.
445 : */
446 370 : if (s->s3->tmp.cert_req == 1) {
447 0 : s->state = SSL3_ST_CW_CERT_VRFY_A;
448 : } else {
449 370 : s->state = SSL3_ST_CW_CHANGE_A;
450 : }
451 370 : if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
452 0 : s->state = SSL3_ST_CW_CHANGE_A;
453 : }
454 :
455 370 : s->init_num = 0;
456 370 : break;
457 :
458 : case SSL3_ST_CW_CERT_VRFY_A:
459 : case SSL3_ST_CW_CERT_VRFY_B:
460 0 : ret = ssl3_send_client_verify(s);
461 0 : if (ret <= 0)
462 : goto end;
463 0 : s->state = SSL3_ST_CW_CHANGE_A;
464 0 : s->init_num = 0;
465 0 : break;
466 :
467 : case SSL3_ST_CW_CHANGE_A:
468 : case SSL3_ST_CW_CHANGE_B:
469 370 : ret = ssl3_send_change_cipher_spec(s,
470 : SSL3_ST_CW_CHANGE_A,
471 : SSL3_ST_CW_CHANGE_B);
472 370 : if (ret <= 0)
473 : goto end;
474 :
475 : #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
476 : s->state = SSL3_ST_CW_FINISHED_A;
477 : #else
478 370 : if (s->s3->next_proto_neg_seen)
479 0 : s->state = SSL3_ST_CW_NEXT_PROTO_A;
480 : else
481 370 : s->state = SSL3_ST_CW_FINISHED_A;
482 : #endif
483 370 : s->init_num = 0;
484 :
485 370 : s->session->cipher = s->s3->tmp.new_cipher;
486 : #ifdef OPENSSL_NO_COMP
487 : s->session->compress_meth = 0;
488 : #else
489 370 : if (s->s3->tmp.new_compression == NULL)
490 370 : s->session->compress_meth = 0;
491 : else
492 0 : s->session->compress_meth = s->s3->tmp.new_compression->id;
493 : #endif
494 370 : if (!s->method->ssl3_enc->setup_key_block(s)) {
495 : ret = -1;
496 0 : s->state = SSL_ST_ERR;
497 0 : goto end;
498 : }
499 :
500 370 : if (!s->method->ssl3_enc->change_cipher_state(s,
501 : SSL3_CHANGE_CIPHER_CLIENT_WRITE))
502 : {
503 : ret = -1;
504 0 : s->state = SSL_ST_ERR;
505 0 : goto end;
506 : }
507 :
508 : break;
509 :
510 : #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
511 : case SSL3_ST_CW_NEXT_PROTO_A:
512 : case SSL3_ST_CW_NEXT_PROTO_B:
513 0 : ret = ssl3_send_next_proto(s);
514 0 : if (ret <= 0)
515 : goto end;
516 0 : s->state = SSL3_ST_CW_FINISHED_A;
517 0 : break;
518 : #endif
519 :
520 : case SSL3_ST_CW_FINISHED_A:
521 : case SSL3_ST_CW_FINISHED_B:
522 370 : ret = ssl3_send_finished(s,
523 : SSL3_ST_CW_FINISHED_A,
524 : SSL3_ST_CW_FINISHED_B,
525 : s->method->
526 : ssl3_enc->client_finished_label,
527 370 : s->method->
528 : ssl3_enc->client_finished_label_len);
529 370 : if (ret <= 0)
530 : goto end;
531 370 : s->state = SSL3_ST_CW_FLUSH;
532 :
533 : /* clear flags */
534 370 : s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
535 370 : if (s->hit) {
536 0 : s->s3->tmp.next_state = SSL_ST_OK;
537 0 : if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
538 0 : s->state = SSL_ST_OK;
539 0 : s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
540 0 : s->s3->delay_buf_pop_ret = 0;
541 : }
542 : } else {
543 : #ifndef OPENSSL_NO_TLSEXT
544 : /*
545 : * Allow NewSessionTicket if ticket expected
546 : */
547 370 : if (s->tlsext_ticket_expected)
548 370 : s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
549 : else
550 : #endif
551 :
552 0 : s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
553 : }
554 370 : s->init_num = 0;
555 370 : break;
556 :
557 : #ifndef OPENSSL_NO_TLSEXT
558 : case SSL3_ST_CR_SESSION_TICKET_A:
559 : case SSL3_ST_CR_SESSION_TICKET_B:
560 735 : ret = ssl3_get_new_session_ticket(s);
561 735 : if (ret <= 0)
562 : goto end;
563 365 : s->state = SSL3_ST_CR_FINISHED_A;
564 365 : s->init_num = 0;
565 365 : break;
566 :
567 : case SSL3_ST_CR_CERT_STATUS_A:
568 : case SSL3_ST_CR_CERT_STATUS_B:
569 0 : ret = ssl3_get_cert_status(s);
570 0 : if (ret <= 0)
571 : goto end;
572 0 : s->state = SSL3_ST_CR_KEY_EXCH_A;
573 0 : s->init_num = 0;
574 0 : break;
575 : #endif
576 :
577 : case SSL3_ST_CR_FINISHED_A:
578 : case SSL3_ST_CR_FINISHED_B:
579 365 : if (!s->s3->change_cipher_spec)
580 365 : s->s3->flags |= SSL3_FLAGS_CCS_OK;
581 365 : ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
582 : SSL3_ST_CR_FINISHED_B);
583 365 : if (ret <= 0)
584 : goto end;
585 :
586 365 : if (s->hit)
587 0 : s->state = SSL3_ST_CW_CHANGE_A;
588 : else
589 365 : s->state = SSL_ST_OK;
590 365 : s->init_num = 0;
591 365 : break;
592 :
593 : case SSL3_ST_CW_FLUSH:
594 370 : s->rwstate = SSL_WRITING;
595 370 : if (BIO_flush(s->wbio) <= 0) {
596 : ret = -1;
597 : goto end;
598 : }
599 370 : s->rwstate = SSL_NOTHING;
600 370 : s->state = s->s3->tmp.next_state;
601 370 : break;
602 :
603 : case SSL_ST_OK:
604 : /* clean a few things up */
605 365 : ssl3_cleanup_key_block(s);
606 :
607 365 : if (s->init_buf != NULL) {
608 365 : BUF_MEM_free(s->init_buf);
609 365 : s->init_buf = NULL;
610 : }
611 :
612 : /*
613 : * If we are not 'joining' the last two packets, remove the
614 : * buffering now
615 : */
616 365 : if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
617 365 : ssl_free_wbio_buffer(s);
618 : /* else do it later in ssl3_write */
619 :
620 365 : s->init_num = 0;
621 365 : s->renegotiate = 0;
622 365 : s->new_session = 0;
623 :
624 365 : ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
625 365 : if (s->hit)
626 0 : s->ctx->stats.sess_hit++;
627 :
628 : ret = 1;
629 : /* s->server=0; */
630 365 : s->handshake_func = ssl3_connect;
631 365 : s->ctx->stats.sess_connect_good++;
632 :
633 365 : if (cb != NULL)
634 365 : cb(s, SSL_CB_HANDSHAKE_DONE, 1);
635 :
636 : goto end;
637 : /* break; */
638 :
639 : case SSL_ST_ERR:
640 : default:
641 0 : SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE);
642 : ret = -1;
643 0 : goto end;
644 : /* break; */
645 : }
646 :
647 : /* did we do anything */
648 4806 : if (!s->s3->tmp.reuse_message && !skip) {
649 4436 : if (s->debug) {
650 0 : if ((ret = BIO_flush(s->wbio)) <= 0)
651 : goto end;
652 : }
653 :
654 4436 : if ((cb != NULL) && (s->state != state)) {
655 : new_state = s->state;
656 4436 : s->state = state;
657 4436 : cb(s, SSL_CB_CONNECT_LOOP, 1);
658 4436 : s->state = new_state;
659 : }
660 : }
661 : skip = 0;
662 : }
663 : end:
664 1108 : s->in_handshake--;
665 1108 : if (buf != NULL)
666 0 : BUF_MEM_free(buf);
667 1108 : if (cb != NULL)
668 1108 : cb(s, SSL_CB_CONNECT_EXIT, ret);
669 1108 : return (ret);
670 : }
671 :
672 373 : int ssl3_client_hello(SSL *s)
673 : {
674 : unsigned char *buf;
675 : unsigned char *p, *d;
676 : int i;
677 : unsigned long l;
678 373 : int al = 0;
679 : #ifndef OPENSSL_NO_COMP
680 : int j;
681 : SSL_COMP *comp;
682 : #endif
683 :
684 373 : buf = (unsigned char *)s->init_buf->data;
685 373 : if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
686 373 : SSL_SESSION *sess = s->session;
687 373 : if ((sess == NULL) || (sess->ssl_version != s->version) ||
688 : #ifdef OPENSSL_NO_TLSEXT
689 : !sess->session_id_length ||
690 : #else
691 : /*
692 : * In the case of EAP-FAST, we can have a pre-shared
693 : * "ticket" without a session ID.
694 : */
695 0 : (!sess->session_id_length && !sess->tlsext_tick) ||
696 : #endif
697 0 : (sess->not_resumable)) {
698 373 : if (!ssl_get_new_session(s, 0))
699 : goto err;
700 : }
701 373 : if (s->method->version == DTLS_ANY_VERSION) {
702 : /* Determine which DTLS version to use */
703 0 : int options = s->options;
704 : /* If DTLS 1.2 disabled correct the version number */
705 0 : if (options & SSL_OP_NO_DTLSv1_2) {
706 0 : if (tls1_suiteb(s)) {
707 0 : SSLerr(SSL_F_SSL3_CLIENT_HELLO,
708 : SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
709 0 : goto err;
710 : }
711 : /*
712 : * Disabling all versions is silly: return an error.
713 : */
714 0 : if (options & SSL_OP_NO_DTLSv1) {
715 0 : SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_WRONG_SSL_VERSION);
716 0 : goto err;
717 : }
718 : /*
719 : * Update method so we don't use any DTLS 1.2 features.
720 : */
721 0 : s->method = DTLSv1_client_method();
722 0 : s->version = DTLS1_VERSION;
723 : } else {
724 : /*
725 : * We only support one version: update method
726 : */
727 0 : if (options & SSL_OP_NO_DTLSv1)
728 0 : s->method = DTLSv1_2_client_method();
729 0 : s->version = DTLS1_2_VERSION;
730 : }
731 0 : s->client_version = s->version;
732 : }
733 : /* else use the pre-loaded session */
734 :
735 373 : p = s->s3->client_random;
736 :
737 : /*
738 : * for DTLS if client_random is initialized, reuse it, we are
739 : * required to use same upon reply to HelloVerify
740 : */
741 373 : if (SSL_IS_DTLS(s)) {
742 : size_t idx;
743 : i = 1;
744 0 : for (idx = 0; idx < sizeof(s->s3->client_random); idx++) {
745 0 : if (p[idx]) {
746 : i = 0;
747 : break;
748 : }
749 : }
750 : } else
751 : i = 1;
752 :
753 373 : if (i && ssl_fill_hello_random(s, 0, p,
754 : sizeof(s->s3->client_random)) <= 0)
755 : goto err;
756 :
757 : /* Do the message type and length last */
758 373 : d = p = ssl_handshake_start(s);
759 :
760 : /*-
761 : * version indicates the negotiated version: for example from
762 : * an SSLv2/v3 compatible client hello). The client_version
763 : * field is the maximum version we permit and it is also
764 : * used in RSA encrypted premaster secrets. Some servers can
765 : * choke if we initially report a higher version then
766 : * renegotiate to a lower one in the premaster secret. This
767 : * didn't happen with TLS 1.0 as most servers supported it
768 : * but it can with TLS 1.1 or later if the server only supports
769 : * 1.0.
770 : *
771 : * Possible scenario with previous logic:
772 : * 1. Client hello indicates TLS 1.2
773 : * 2. Server hello says TLS 1.0
774 : * 3. RSA encrypted premaster secret uses 1.2.
775 : * 4. Handhaked proceeds using TLS 1.0.
776 : * 5. Server sends hello request to renegotiate.
777 : * 6. Client hello indicates TLS v1.0 as we now
778 : * know that is maximum server supports.
779 : * 7. Server chokes on RSA encrypted premaster secret
780 : * containing version 1.0.
781 : *
782 : * For interoperability it should be OK to always use the
783 : * maximum version we support in client hello and then rely
784 : * on the checking of version to ensure the servers isn't
785 : * being inconsistent: for example initially negotiating with
786 : * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
787 : * client_version in client hello and not resetting it to
788 : * the negotiated version.
789 : */
790 : #if 0
791 : *(p++) = s->version >> 8;
792 : *(p++) = s->version & 0xff;
793 : s->client_version = s->version;
794 : #else
795 373 : *(p++) = s->client_version >> 8;
796 373 : *(p++) = s->client_version & 0xff;
797 : #endif
798 :
799 : /* Random stuff */
800 373 : memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
801 : p += SSL3_RANDOM_SIZE;
802 :
803 : /* Session ID */
804 373 : if (s->new_session)
805 : i = 0;
806 : else
807 373 : i = s->session->session_id_length;
808 373 : *(p++) = i;
809 373 : if (i != 0) {
810 0 : if (i > (int)sizeof(s->session->session_id)) {
811 0 : SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
812 0 : goto err;
813 : }
814 0 : memcpy(p, s->session->session_id, i);
815 0 : p += i;
816 : }
817 :
818 : /* cookie stuff for DTLS */
819 373 : if (SSL_IS_DTLS(s)) {
820 0 : if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
821 0 : SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
822 0 : goto err;
823 : }
824 0 : *(p++) = s->d1->cookie_len;
825 0 : memcpy(p, s->d1->cookie, s->d1->cookie_len);
826 0 : p += s->d1->cookie_len;
827 : }
828 :
829 : /* Ciphers supported */
830 373 : i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0);
831 373 : if (i == 0) {
832 0 : SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
833 0 : goto err;
834 : }
835 : #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
836 : /*
837 : * Some servers hang if client hello > 256 bytes as hack workaround
838 : * chop number of supported ciphers to keep it well below this if we
839 : * use TLS v1.2
840 : */
841 : if (TLS1_get_version(s) >= TLS1_2_VERSION
842 : && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
843 : i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
844 : #endif
845 373 : s2n(i, p);
846 373 : p += i;
847 :
848 : /* COMPRESSION */
849 : #ifdef OPENSSL_NO_COMP
850 : *(p++) = 1;
851 : #else
852 :
853 373 : if ((s->options & SSL_OP_NO_COMPRESSION)
854 373 : || !s->ctx->comp_methods)
855 : j = 0;
856 : else
857 373 : j = sk_SSL_COMP_num(s->ctx->comp_methods);
858 373 : *(p++) = 1 + j;
859 373 : for (i = 0; i < j; i++) {
860 0 : comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
861 0 : *(p++) = comp->id;
862 : }
863 : #endif
864 373 : *(p++) = 0; /* Add the NULL method */
865 :
866 : #ifndef OPENSSL_NO_TLSEXT
867 : /* TLS extensions */
868 373 : if (ssl_prepare_clienthello_tlsext(s) <= 0) {
869 0 : SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
870 0 : goto err;
871 : }
872 373 : if ((p =
873 373 : ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
874 : &al)) == NULL) {
875 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
876 0 : SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
877 0 : goto err;
878 : }
879 : #endif
880 :
881 373 : l = p - d;
882 373 : ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
883 373 : s->state = SSL3_ST_CW_CLNT_HELLO_B;
884 : }
885 :
886 : /* SSL3_ST_CW_CLNT_HELLO_B */
887 373 : return ssl_do_write(s);
888 : err:
889 0 : s->state = SSL_ST_ERR;
890 0 : return (-1);
891 : }
892 :
893 743 : int ssl3_get_server_hello(SSL *s)
894 : {
895 : STACK_OF(SSL_CIPHER) *sk;
896 : const SSL_CIPHER *c;
897 743 : CERT *ct = s->cert;
898 : unsigned char *p, *d;
899 : int i, al = SSL_AD_INTERNAL_ERROR, ok;
900 : unsigned int j;
901 : long n;
902 : #ifndef OPENSSL_NO_COMP
903 : SSL_COMP *comp;
904 : #endif
905 : /*
906 : * Hello verify request and/or server hello version may not match so set
907 : * first packet if we're negotiating version.
908 : */
909 743 : if (SSL_IS_DTLS(s))
910 0 : s->first_packet = 1;
911 :
912 743 : n = s->method->ssl_get_message(s,
913 : SSL3_ST_CR_SRVR_HELLO_A,
914 : SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, &ok);
915 :
916 743 : if (!ok)
917 373 : return ((int)n);
918 :
919 370 : if (SSL_IS_DTLS(s)) {
920 0 : s->first_packet = 0;
921 0 : if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
922 0 : if (s->d1->send_cookie == 0) {
923 0 : s->s3->tmp.reuse_message = 1;
924 0 : return 1;
925 : } else { /* already sent a cookie */
926 :
927 : al = SSL_AD_UNEXPECTED_MESSAGE;
928 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
929 0 : goto f_err;
930 : }
931 : }
932 : }
933 :
934 370 : if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
935 : al = SSL_AD_UNEXPECTED_MESSAGE;
936 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
937 0 : goto f_err;
938 : }
939 :
940 370 : d = p = (unsigned char *)s->init_msg;
941 370 : if (s->method->version == DTLS_ANY_VERSION) {
942 : /* Work out correct protocol version to use */
943 0 : int hversion = (p[0] << 8) | p[1];
944 0 : int options = s->options;
945 0 : if (hversion == DTLS1_2_VERSION && !(options & SSL_OP_NO_DTLSv1_2))
946 0 : s->method = DTLSv1_2_client_method();
947 0 : else if (tls1_suiteb(s)) {
948 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
949 : SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
950 0 : s->version = hversion;
951 : al = SSL_AD_PROTOCOL_VERSION;
952 0 : goto f_err;
953 0 : } else if (hversion == DTLS1_VERSION && !(options & SSL_OP_NO_DTLSv1))
954 0 : s->method = DTLSv1_client_method();
955 : else {
956 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
957 0 : s->version = hversion;
958 : al = SSL_AD_PROTOCOL_VERSION;
959 0 : goto f_err;
960 : }
961 0 : s->session->ssl_version = s->version = s->method->version;
962 : }
963 :
964 370 : if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
965 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
966 0 : s->version = (s->version & 0xff00) | p[1];
967 : al = SSL_AD_PROTOCOL_VERSION;
968 0 : goto f_err;
969 : }
970 370 : p += 2;
971 :
972 : /* load the server hello data */
973 : /* load the server random */
974 370 : memcpy(s->s3->server_random, p, SSL3_RANDOM_SIZE);
975 370 : p += SSL3_RANDOM_SIZE;
976 :
977 370 : s->hit = 0;
978 :
979 : /* get the session-id */
980 370 : j = *(p++);
981 :
982 370 : if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) {
983 : al = SSL_AD_ILLEGAL_PARAMETER;
984 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
985 0 : goto f_err;
986 : }
987 : #ifndef OPENSSL_NO_TLSEXT
988 : /*
989 : * Check if we can resume the session based on external pre-shared secret.
990 : * EAP-FAST (RFC 4851) supports two types of session resumption.
991 : * Resumption based on server-side state works with session IDs.
992 : * Resumption based on pre-shared Protected Access Credentials (PACs)
993 : * works by overriding the SessionTicket extension at the application
994 : * layer, and does not send a session ID. (We do not know whether EAP-FAST
995 : * servers would honour the session ID.) Therefore, the session ID alone
996 : * is not a reliable indicator of session resumption, so we first check if
997 : * we can resume, and later peek at the next handshake message to see if the
998 : * server wants to resume.
999 : */
1000 370 : if (s->version >= TLS1_VERSION && s->tls_session_secret_cb &&
1001 0 : s->session->tlsext_tick) {
1002 0 : SSL_CIPHER *pref_cipher = NULL;
1003 0 : s->session->master_key_length = sizeof(s->session->master_key);
1004 0 : if (s->tls_session_secret_cb(s, s->session->master_key,
1005 : &s->session->master_key_length,
1006 : NULL, &pref_cipher,
1007 : s->tls_session_secret_cb_arg)) {
1008 0 : s->session->cipher = pref_cipher ?
1009 0 : pref_cipher : ssl_get_cipher_by_char(s, p + j);
1010 : } else {
1011 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1012 : al = SSL_AD_INTERNAL_ERROR;
1013 0 : goto f_err;
1014 : }
1015 : }
1016 : #endif /* OPENSSL_NO_TLSEXT */
1017 :
1018 370 : if (j != 0 && j == s->session->session_id_length
1019 0 : && memcmp(p, s->session->session_id, j) == 0) {
1020 0 : if (s->sid_ctx_length != s->session->sid_ctx_length
1021 0 : || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1022 : /* actually a client application bug */
1023 : al = SSL_AD_ILLEGAL_PARAMETER;
1024 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1025 : SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1026 0 : goto f_err;
1027 : }
1028 0 : s->hit = 1;
1029 : } else {
1030 : /*
1031 : * If we were trying for session-id reuse but the server
1032 : * didn't echo the ID, make a new SSL_SESSION.
1033 : * In the case of EAP-FAST and PAC, we do not send a session ID,
1034 : * so the PAC-based session secret is always preserved. It'll be
1035 : * overwritten if the server refuses resumption.
1036 : */
1037 370 : if (s->session->session_id_length > 0) {
1038 0 : if (!ssl_get_new_session(s, 0)) {
1039 : goto f_err;
1040 : }
1041 : }
1042 370 : s->session->session_id_length = j;
1043 370 : memcpy(s->session->session_id, p, j); /* j could be 0 */
1044 : }
1045 370 : p += j;
1046 370 : c = ssl_get_cipher_by_char(s, p);
1047 370 : if (c == NULL) {
1048 : /* unknown cipher */
1049 : al = SSL_AD_ILLEGAL_PARAMETER;
1050 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
1051 0 : goto f_err;
1052 : }
1053 : /*
1054 : * If it is a disabled cipher we didn't send it in client hello, so
1055 : * return an error.
1056 : */
1057 740 : if (c->algorithm_ssl & ct->mask_ssl ||
1058 740 : c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a) {
1059 : al = SSL_AD_ILLEGAL_PARAMETER;
1060 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
1061 0 : goto f_err;
1062 : }
1063 370 : p += ssl_put_cipher_by_char(s, NULL, NULL);
1064 :
1065 370 : sk = ssl_get_ciphers_by_id(s);
1066 370 : i = sk_SSL_CIPHER_find(sk, c);
1067 370 : if (i < 0) {
1068 : /* we did not say we would use this cipher */
1069 : al = SSL_AD_ILLEGAL_PARAMETER;
1070 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
1071 0 : goto f_err;
1072 : }
1073 :
1074 : /*
1075 : * Depending on the session caching (internal/external), the cipher
1076 : * and/or cipher_id values may not be set. Make sure that cipher_id is
1077 : * set and use it for comparison.
1078 : */
1079 370 : if (s->session->cipher)
1080 0 : s->session->cipher_id = s->session->cipher->id;
1081 370 : if (s->hit && (s->session->cipher_id != c->id)) {
1082 : /* Workaround is now obsolete */
1083 : #if 0
1084 : if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
1085 : #endif
1086 : {
1087 : al = SSL_AD_ILLEGAL_PARAMETER;
1088 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1089 : SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1090 0 : goto f_err;
1091 : }
1092 : }
1093 370 : s->s3->tmp.new_cipher = c;
1094 : /*
1095 : * Don't digest cached records if no sigalgs: we may need them for client
1096 : * authentication.
1097 : */
1098 370 : if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s))
1099 : goto f_err;
1100 : /* lets get the compression algorithm */
1101 : /* COMPRESSION */
1102 : #ifdef OPENSSL_NO_COMP
1103 : if (*(p++) != 0) {
1104 : al = SSL_AD_ILLEGAL_PARAMETER;
1105 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1106 : SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1107 : goto f_err;
1108 : }
1109 : /*
1110 : * If compression is disabled we'd better not try to resume a session
1111 : * using compression.
1112 : */
1113 : if (s->session->compress_meth != 0) {
1114 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1115 : goto f_err;
1116 : }
1117 : #else
1118 370 : j = *(p++);
1119 370 : if (s->hit && j != s->session->compress_meth) {
1120 : al = SSL_AD_ILLEGAL_PARAMETER;
1121 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1122 : SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1123 0 : goto f_err;
1124 : }
1125 370 : if (j == 0)
1126 : comp = NULL;
1127 0 : else if (s->options & SSL_OP_NO_COMPRESSION) {
1128 : al = SSL_AD_ILLEGAL_PARAMETER;
1129 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
1130 0 : goto f_err;
1131 : } else
1132 0 : comp = ssl3_comp_find(s->ctx->comp_methods, j);
1133 :
1134 370 : if ((j != 0) && (comp == NULL)) {
1135 : al = SSL_AD_ILLEGAL_PARAMETER;
1136 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1137 : SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1138 0 : goto f_err;
1139 : } else {
1140 370 : s->s3->tmp.new_compression = comp;
1141 : }
1142 : #endif
1143 :
1144 : #ifndef OPENSSL_NO_TLSEXT
1145 : /* TLS extensions */
1146 370 : if (!ssl_parse_serverhello_tlsext(s, &p, d, n)) {
1147 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
1148 0 : goto err;
1149 : }
1150 : #endif
1151 :
1152 370 : if (p != (d + n)) {
1153 : /* wrong packet length */
1154 : al = SSL_AD_DECODE_ERROR;
1155 0 : SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
1156 0 : goto f_err;
1157 : }
1158 :
1159 : return (1);
1160 : f_err:
1161 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
1162 : err:
1163 0 : s->state = SSL_ST_ERR;
1164 0 : return (-1);
1165 : }
1166 :
1167 370 : int ssl3_get_server_certificate(SSL *s)
1168 : {
1169 : int al, i, ok, ret = -1;
1170 : unsigned long n, nc, llen, l;
1171 : X509 *x = NULL;
1172 : const unsigned char *q, *p;
1173 : unsigned char *d;
1174 : STACK_OF(X509) *sk = NULL;
1175 : SESS_CERT *sc;
1176 : EVP_PKEY *pkey = NULL;
1177 : int need_cert = 1; /* VRS: 0=> will allow null cert if auth ==
1178 : * KRB5 */
1179 :
1180 370 : n = s->method->ssl_get_message(s,
1181 : SSL3_ST_CR_CERT_A,
1182 : SSL3_ST_CR_CERT_B,
1183 : -1, s->max_cert_list, &ok);
1184 :
1185 370 : if (!ok)
1186 0 : return ((int)n);
1187 :
1188 740 : if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1189 370 : ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1190 : (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
1191 0 : s->s3->tmp.reuse_message = 1;
1192 0 : return (1);
1193 : }
1194 :
1195 370 : if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
1196 : al = SSL_AD_UNEXPECTED_MESSAGE;
1197 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE);
1198 0 : goto f_err;
1199 : }
1200 370 : p = d = (unsigned char *)s->init_msg;
1201 :
1202 370 : if ((sk = sk_X509_new_null()) == NULL) {
1203 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1204 0 : goto err;
1205 : }
1206 :
1207 370 : n2l3(p, llen);
1208 370 : if (llen + 3 != n) {
1209 : al = SSL_AD_DECODE_ERROR;
1210 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
1211 0 : goto f_err;
1212 : }
1213 740 : for (nc = 0; nc < llen;) {
1214 370 : n2l3(p, l);
1215 370 : if ((l + nc + 3) > llen) {
1216 : al = SSL_AD_DECODE_ERROR;
1217 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1218 : SSL_R_CERT_LENGTH_MISMATCH);
1219 0 : goto f_err;
1220 : }
1221 :
1222 370 : q = p;
1223 370 : x = d2i_X509(NULL, &q, l);
1224 370 : if (x == NULL) {
1225 : al = SSL_AD_BAD_CERTIFICATE;
1226 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1227 0 : goto f_err;
1228 : }
1229 370 : if (q != (p + l)) {
1230 : al = SSL_AD_DECODE_ERROR;
1231 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1232 : SSL_R_CERT_LENGTH_MISMATCH);
1233 0 : goto f_err;
1234 : }
1235 370 : if (!sk_X509_push(sk, x)) {
1236 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1237 0 : goto err;
1238 : }
1239 : x = NULL;
1240 : nc += l + 3;
1241 370 : p = q;
1242 : }
1243 :
1244 370 : i = ssl_verify_cert_chain(s, sk);
1245 370 : if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1246 : #ifndef OPENSSL_NO_KRB5
1247 : && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1248 : (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1249 : #endif /* OPENSSL_NO_KRB5 */
1250 : ) {
1251 0 : al = ssl_verify_alarm_type(s->verify_result);
1252 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1253 : SSL_R_CERTIFICATE_VERIFY_FAILED);
1254 0 : goto f_err;
1255 : }
1256 370 : ERR_clear_error(); /* but we keep s->verify_result */
1257 :
1258 370 : sc = ssl_sess_cert_new();
1259 370 : if (sc == NULL)
1260 : goto err;
1261 :
1262 370 : if (s->session->sess_cert)
1263 0 : ssl_sess_cert_free(s->session->sess_cert);
1264 370 : s->session->sess_cert = sc;
1265 :
1266 370 : sc->cert_chain = sk;
1267 : /*
1268 : * Inconsistency alert: cert_chain does include the peer's certificate,
1269 : * which we don't include in s3_srvr.c
1270 : */
1271 370 : x = sk_X509_value(sk, 0);
1272 : sk = NULL;
1273 : /*
1274 : * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
1275 : */
1276 :
1277 370 : pkey = X509_get_pubkey(x);
1278 :
1279 : /* VRS: allow null cert if auth == KRB5 */
1280 370 : need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1281 0 : (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1282 370 : ? 0 : 1;
1283 :
1284 : #ifdef KSSL_DEBUG
1285 : fprintf(stderr, "pkey,x = %p, %p\n", pkey, x);
1286 : fprintf(stderr, "ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x, pkey));
1287 : fprintf(stderr, "cipher, alg, nc = %s, %lx, %lx, %d\n",
1288 : s->s3->tmp.new_cipher->name,
1289 : s->s3->tmp.new_cipher->algorithm_mkey,
1290 : s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1291 : #endif /* KSSL_DEBUG */
1292 :
1293 370 : if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) {
1294 : x = NULL;
1295 : al = SSL3_AL_FATAL;
1296 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1297 : SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1298 0 : goto f_err;
1299 : }
1300 :
1301 370 : i = ssl_cert_type(x, pkey);
1302 370 : if (need_cert && i < 0) {
1303 : x = NULL;
1304 : al = SSL3_AL_FATAL;
1305 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1306 : SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1307 0 : goto f_err;
1308 : }
1309 :
1310 370 : if (need_cert) {
1311 370 : int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1312 370 : if (exp_idx >= 0 && i != exp_idx) {
1313 : x = NULL;
1314 : al = SSL_AD_ILLEGAL_PARAMETER;
1315 0 : SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1316 : SSL_R_WRONG_CERTIFICATE_TYPE);
1317 0 : goto f_err;
1318 : }
1319 370 : sc->peer_cert_type = i;
1320 370 : CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1321 : /*
1322 : * Why would the following ever happen? We just created sc a couple
1323 : * of lines ago.
1324 : */
1325 370 : if (sc->peer_pkeys[i].x509 != NULL)
1326 0 : X509_free(sc->peer_pkeys[i].x509);
1327 370 : sc->peer_pkeys[i].x509 = x;
1328 370 : sc->peer_key = &(sc->peer_pkeys[i]);
1329 :
1330 370 : if (s->session->peer != NULL)
1331 0 : X509_free(s->session->peer);
1332 370 : CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1333 370 : s->session->peer = x;
1334 : } else {
1335 0 : sc->peer_cert_type = i;
1336 0 : sc->peer_key = NULL;
1337 :
1338 0 : if (s->session->peer != NULL)
1339 0 : X509_free(s->session->peer);
1340 0 : s->session->peer = NULL;
1341 : }
1342 370 : s->session->verify_result = s->verify_result;
1343 :
1344 : x = NULL;
1345 : ret = 1;
1346 : if (0) {
1347 : f_err:
1348 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
1349 : err:
1350 0 : s->state = SSL_ST_ERR;
1351 : }
1352 :
1353 370 : EVP_PKEY_free(pkey);
1354 370 : X509_free(x);
1355 370 : sk_X509_pop_free(sk, X509_free);
1356 370 : return (ret);
1357 : }
1358 :
1359 370 : int ssl3_get_key_exchange(SSL *s)
1360 : {
1361 : #ifndef OPENSSL_NO_RSA
1362 : unsigned char *q, md_buf[EVP_MAX_MD_SIZE * 2];
1363 : #endif
1364 : EVP_MD_CTX md_ctx;
1365 : unsigned char *param, *p;
1366 : int al, j, ok;
1367 : long i, param_len, n, alg_k, alg_a;
1368 : EVP_PKEY *pkey = NULL;
1369 370 : const EVP_MD *md = NULL;
1370 : #ifndef OPENSSL_NO_RSA
1371 : RSA *rsa = NULL;
1372 : #endif
1373 : #ifndef OPENSSL_NO_DH
1374 : DH *dh = NULL;
1375 : #endif
1376 : #ifndef OPENSSL_NO_ECDH
1377 : EC_KEY *ecdh = NULL;
1378 : BN_CTX *bn_ctx = NULL;
1379 : EC_POINT *srvr_ecpoint = NULL;
1380 : int curve_nid = 0;
1381 : int encoded_pt_len = 0;
1382 : #endif
1383 :
1384 370 : EVP_MD_CTX_init(&md_ctx);
1385 :
1386 : /*
1387 : * use same message size as in ssl3_get_certificate_request() as
1388 : * ServerKeyExchange message may be skipped
1389 : */
1390 370 : n = s->method->ssl_get_message(s,
1391 : SSL3_ST_CR_KEY_EXCH_A,
1392 : SSL3_ST_CR_KEY_EXCH_B,
1393 : -1, s->max_cert_list, &ok);
1394 370 : if (!ok)
1395 0 : return ((int)n);
1396 :
1397 370 : alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1398 :
1399 370 : if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1400 : /*
1401 : * Can't skip server key exchange if this is an ephemeral
1402 : * ciphersuite.
1403 : */
1404 0 : if (alg_k & (SSL_kDHE | SSL_kECDHE)) {
1405 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1406 0 : al = SSL_AD_UNEXPECTED_MESSAGE;
1407 0 : goto f_err;
1408 : }
1409 : #ifndef OPENSSL_NO_PSK
1410 : /*
1411 : * In plain PSK ciphersuite, ServerKeyExchange can be omitted if no
1412 : * identity hint is sent. Set session->sess_cert anyway to avoid
1413 : * problems later.
1414 : */
1415 0 : if (alg_k & SSL_kPSK) {
1416 0 : s->session->sess_cert = ssl_sess_cert_new();
1417 0 : if (s->ctx->psk_identity_hint)
1418 0 : OPENSSL_free(s->ctx->psk_identity_hint);
1419 0 : s->ctx->psk_identity_hint = NULL;
1420 : }
1421 : #endif
1422 0 : s->s3->tmp.reuse_message = 1;
1423 0 : return (1);
1424 : }
1425 :
1426 370 : param = p = (unsigned char *)s->init_msg;
1427 370 : if (s->session->sess_cert != NULL) {
1428 : #ifndef OPENSSL_NO_RSA
1429 370 : if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1430 0 : RSA_free(s->session->sess_cert->peer_rsa_tmp);
1431 0 : s->session->sess_cert->peer_rsa_tmp = NULL;
1432 : }
1433 : #endif
1434 : #ifndef OPENSSL_NO_DH
1435 370 : if (s->session->sess_cert->peer_dh_tmp) {
1436 0 : DH_free(s->session->sess_cert->peer_dh_tmp);
1437 0 : s->session->sess_cert->peer_dh_tmp = NULL;
1438 : }
1439 : #endif
1440 : #ifndef OPENSSL_NO_ECDH
1441 370 : if (s->session->sess_cert->peer_ecdh_tmp) {
1442 0 : EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1443 0 : s->session->sess_cert->peer_ecdh_tmp = NULL;
1444 : }
1445 : #endif
1446 : } else {
1447 0 : s->session->sess_cert = ssl_sess_cert_new();
1448 : }
1449 :
1450 : /* Total length of the parameters including the length prefix */
1451 : param_len = 0;
1452 :
1453 370 : alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1454 :
1455 370 : al = SSL_AD_DECODE_ERROR;
1456 :
1457 : #ifndef OPENSSL_NO_PSK
1458 370 : if (alg_k & SSL_kPSK) {
1459 : param_len = 2;
1460 0 : if (param_len > n) {
1461 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1462 0 : goto f_err;
1463 : }
1464 0 : n2s(p, i);
1465 :
1466 : /*
1467 : * Store PSK identity hint for later use, hint is used in
1468 : * ssl3_send_client_key_exchange. Assume that the maximum length of
1469 : * a PSK identity hint can be as long as the maximum length of a PSK
1470 : * identity.
1471 : */
1472 0 : if (i > PSK_MAX_IDENTITY_LEN) {
1473 0 : al = SSL_AD_HANDSHAKE_FAILURE;
1474 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG);
1475 0 : goto f_err;
1476 : }
1477 0 : if (i > n - param_len) {
1478 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1479 : SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1480 0 : goto f_err;
1481 : }
1482 0 : param_len += i;
1483 :
1484 0 : s->session->psk_identity_hint = BUF_strndup((char *)p, i);
1485 0 : if (s->session->psk_identity_hint == NULL) {
1486 0 : al = SSL_AD_HANDSHAKE_FAILURE;
1487 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1488 0 : goto f_err;
1489 : }
1490 :
1491 0 : p += i;
1492 0 : n -= param_len;
1493 : } else
1494 : #endif /* !OPENSSL_NO_PSK */
1495 : #ifndef OPENSSL_NO_SRP
1496 370 : if (alg_k & SSL_kSRP) {
1497 : param_len = 2;
1498 0 : if (param_len > n) {
1499 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1500 0 : goto f_err;
1501 : }
1502 0 : n2s(p, i);
1503 :
1504 0 : if (i > n - param_len) {
1505 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
1506 0 : goto f_err;
1507 : }
1508 0 : param_len += i;
1509 :
1510 0 : if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
1511 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1512 0 : goto err;
1513 : }
1514 0 : p += i;
1515 :
1516 0 : if (2 > n - param_len) {
1517 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1518 0 : goto f_err;
1519 : }
1520 0 : param_len += 2;
1521 :
1522 0 : n2s(p, i);
1523 :
1524 0 : if (i > n - param_len) {
1525 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
1526 0 : goto f_err;
1527 : }
1528 0 : param_len += i;
1529 :
1530 0 : if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
1531 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1532 0 : goto err;
1533 : }
1534 0 : p += i;
1535 :
1536 0 : if (1 > n - param_len) {
1537 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1538 0 : goto f_err;
1539 : }
1540 0 : param_len += 1;
1541 :
1542 0 : i = (unsigned int)(p[0]);
1543 0 : p++;
1544 :
1545 0 : if (i > n - param_len) {
1546 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
1547 0 : goto f_err;
1548 : }
1549 0 : param_len += i;
1550 :
1551 0 : if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
1552 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1553 0 : goto err;
1554 : }
1555 0 : p += i;
1556 :
1557 0 : if (2 > n - param_len) {
1558 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1559 0 : goto f_err;
1560 : }
1561 0 : param_len += 2;
1562 :
1563 0 : n2s(p, i);
1564 :
1565 0 : if (i > n - param_len) {
1566 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
1567 0 : goto f_err;
1568 : }
1569 0 : param_len += i;
1570 :
1571 0 : if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
1572 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1573 0 : goto err;
1574 : }
1575 0 : p += i;
1576 0 : n -= param_len;
1577 :
1578 0 : if (!srp_verify_server_param(s, &al)) {
1579 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_PARAMETERS);
1580 0 : goto f_err;
1581 : }
1582 :
1583 : /* We must check if there is a certificate */
1584 : # ifndef OPENSSL_NO_RSA
1585 0 : if (alg_a & SSL_aRSA)
1586 0 : pkey =
1587 0 : X509_get_pubkey(s->session->
1588 : sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1589 : # else
1590 : if (0) ;
1591 : # endif
1592 : # ifndef OPENSSL_NO_DSA
1593 0 : else if (alg_a & SSL_aDSS)
1594 0 : pkey =
1595 0 : X509_get_pubkey(s->session->
1596 : sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].
1597 : x509);
1598 : # endif
1599 : } else
1600 : #endif /* !OPENSSL_NO_SRP */
1601 : #ifndef OPENSSL_NO_RSA
1602 370 : if (alg_k & SSL_kRSA) {
1603 : /* Temporary RSA keys only allowed in export ciphersuites */
1604 0 : if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
1605 0 : al = SSL_AD_UNEXPECTED_MESSAGE;
1606 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1607 0 : goto f_err;
1608 : }
1609 0 : if ((rsa = RSA_new()) == NULL) {
1610 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1611 0 : goto err;
1612 : }
1613 :
1614 : param_len = 2;
1615 0 : if (param_len > n) {
1616 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1617 0 : goto f_err;
1618 : }
1619 0 : n2s(p, i);
1620 :
1621 0 : if (i > n - param_len) {
1622 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_MODULUS_LENGTH);
1623 0 : goto f_err;
1624 : }
1625 0 : param_len += i;
1626 :
1627 0 : if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) {
1628 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1629 0 : goto err;
1630 : }
1631 0 : p += i;
1632 :
1633 0 : if (2 > n - param_len) {
1634 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1635 0 : goto f_err;
1636 : }
1637 0 : param_len += 2;
1638 :
1639 0 : n2s(p, i);
1640 :
1641 0 : if (i > n - param_len) {
1642 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_E_LENGTH);
1643 0 : goto f_err;
1644 : }
1645 0 : param_len += i;
1646 :
1647 0 : if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) {
1648 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1649 0 : goto err;
1650 : }
1651 0 : p += i;
1652 0 : n -= param_len;
1653 :
1654 : /* this should be because we are using an export cipher */
1655 0 : if (alg_a & SSL_aRSA)
1656 0 : pkey =
1657 0 : X509_get_pubkey(s->session->
1658 : sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1659 : else {
1660 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1661 0 : goto err;
1662 : }
1663 :
1664 0 : if (EVP_PKEY_bits(pkey) <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
1665 0 : al = SSL_AD_UNEXPECTED_MESSAGE;
1666 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1667 0 : goto f_err;
1668 : }
1669 :
1670 0 : s->session->sess_cert->peer_rsa_tmp = rsa;
1671 : rsa = NULL;
1672 : }
1673 : #else /* OPENSSL_NO_RSA */
1674 : if (0) ;
1675 : #endif
1676 : #ifndef OPENSSL_NO_DH
1677 370 : else if (alg_k & SSL_kEDH) {
1678 0 : if ((dh = DH_new()) == NULL) {
1679 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
1680 0 : goto err;
1681 : }
1682 :
1683 : param_len = 2;
1684 0 : if (param_len > n) {
1685 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1686 0 : goto f_err;
1687 : }
1688 0 : n2s(p, i);
1689 :
1690 0 : if (i > n - param_len) {
1691 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
1692 0 : goto f_err;
1693 : }
1694 0 : param_len += i;
1695 :
1696 0 : if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1697 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1698 0 : goto err;
1699 : }
1700 0 : p += i;
1701 :
1702 0 : if (2 > n - param_len) {
1703 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1704 0 : goto f_err;
1705 : }
1706 0 : param_len += 2;
1707 :
1708 0 : n2s(p, i);
1709 :
1710 0 : if (i > n - param_len) {
1711 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
1712 0 : goto f_err;
1713 : }
1714 0 : param_len += i;
1715 :
1716 0 : if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1717 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1718 0 : goto err;
1719 : }
1720 0 : p += i;
1721 :
1722 0 : if (2 > n - param_len) {
1723 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1724 0 : goto f_err;
1725 : }
1726 0 : param_len += 2;
1727 :
1728 0 : n2s(p, i);
1729 :
1730 0 : if (i > n - param_len) {
1731 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1732 0 : goto f_err;
1733 : }
1734 0 : param_len += i;
1735 :
1736 0 : if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1737 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1738 0 : goto err;
1739 : }
1740 0 : p += i;
1741 0 : n -= param_len;
1742 :
1743 : # ifndef OPENSSL_NO_RSA
1744 0 : if (alg_a & SSL_aRSA)
1745 0 : pkey =
1746 0 : X509_get_pubkey(s->session->
1747 : sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1748 : # else
1749 : if (0) ;
1750 : # endif
1751 : # ifndef OPENSSL_NO_DSA
1752 0 : else if (alg_a & SSL_aDSS)
1753 0 : pkey =
1754 0 : X509_get_pubkey(s->session->
1755 : sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].
1756 : x509);
1757 : # endif
1758 : /* else anonymous DH, so no certificate or pkey. */
1759 :
1760 0 : s->session->sess_cert->peer_dh_tmp = dh;
1761 : dh = NULL;
1762 370 : } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1763 0 : al = SSL_AD_ILLEGAL_PARAMETER;
1764 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1765 : SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1766 0 : goto f_err;
1767 : }
1768 : #endif /* !OPENSSL_NO_DH */
1769 :
1770 : #ifndef OPENSSL_NO_ECDH
1771 370 : else if (alg_k & SSL_kEECDH) {
1772 : EC_GROUP *ngroup;
1773 : const EC_GROUP *group;
1774 :
1775 370 : if ((ecdh = EC_KEY_new()) == NULL) {
1776 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1777 0 : goto err;
1778 : }
1779 :
1780 : /*
1781 : * Extract elliptic curve parameters and the server's ephemeral ECDH
1782 : * public key. Keep accumulating lengths of various components in
1783 : * param_len and make sure it never exceeds n.
1784 : */
1785 :
1786 : /*
1787 : * XXX: For now we only support named (not generic) curves and the
1788 : * ECParameters in this case is just three bytes. We also need one
1789 : * byte for the length of the encoded point
1790 : */
1791 : param_len = 4;
1792 370 : if (param_len > n) {
1793 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1794 0 : goto f_err;
1795 : }
1796 : /*
1797 : * Check curve is one of our preferences, if not server has sent an
1798 : * invalid curve. ECParameters is 3 bytes.
1799 : */
1800 370 : if (!tls1_check_curve(s, p, 3)) {
1801 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
1802 0 : goto f_err;
1803 : }
1804 :
1805 370 : if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) {
1806 0 : al = SSL_AD_INTERNAL_ERROR;
1807 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1808 : SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1809 0 : goto f_err;
1810 : }
1811 :
1812 370 : ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1813 370 : if (ngroup == NULL) {
1814 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1815 0 : goto err;
1816 : }
1817 370 : if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1818 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1819 0 : goto err;
1820 : }
1821 370 : EC_GROUP_free(ngroup);
1822 :
1823 370 : group = EC_KEY_get0_group(ecdh);
1824 :
1825 370 : if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1826 0 : (EC_GROUP_get_degree(group) > 163)) {
1827 0 : al = SSL_AD_EXPORT_RESTRICTION;
1828 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1829 : SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1830 0 : goto f_err;
1831 : }
1832 :
1833 : p += 3;
1834 :
1835 : /* Next, get the encoded ECPoint */
1836 370 : if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1837 : ((bn_ctx = BN_CTX_new()) == NULL)) {
1838 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1839 0 : goto err;
1840 : }
1841 :
1842 370 : encoded_pt_len = *p; /* length of encoded point */
1843 370 : p += 1;
1844 :
1845 740 : if ((encoded_pt_len > n - param_len) ||
1846 370 : (EC_POINT_oct2point(group, srvr_ecpoint,
1847 : p, encoded_pt_len, bn_ctx) == 0)) {
1848 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
1849 0 : goto f_err;
1850 : }
1851 370 : param_len += encoded_pt_len;
1852 :
1853 370 : n -= param_len;
1854 370 : p += encoded_pt_len;
1855 :
1856 : /*
1857 : * The ECC/TLS specification does not mention the use of DSA to sign
1858 : * ECParameters in the server key exchange message. We do support RSA
1859 : * and ECDSA.
1860 : */
1861 : if (0) ;
1862 : # ifndef OPENSSL_NO_RSA
1863 370 : else if (alg_a & SSL_aRSA)
1864 370 : pkey =
1865 370 : X509_get_pubkey(s->session->
1866 : sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1867 : # endif
1868 : # ifndef OPENSSL_NO_ECDSA
1869 0 : else if (alg_a & SSL_aECDSA)
1870 0 : pkey =
1871 0 : X509_get_pubkey(s->session->
1872 : sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1873 : # endif
1874 : /* else anonymous ECDH, so no certificate or pkey. */
1875 370 : EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1876 370 : s->session->sess_cert->peer_ecdh_tmp = ecdh;
1877 : ecdh = NULL;
1878 370 : BN_CTX_free(bn_ctx);
1879 : bn_ctx = NULL;
1880 370 : EC_POINT_free(srvr_ecpoint);
1881 : srvr_ecpoint = NULL;
1882 0 : } else if (alg_k) {
1883 0 : al = SSL_AD_UNEXPECTED_MESSAGE;
1884 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1885 0 : goto f_err;
1886 : }
1887 : #endif /* !OPENSSL_NO_ECDH */
1888 :
1889 : /* p points to the next byte, there are 'n' bytes left */
1890 :
1891 : /* if it was signed, check the signature */
1892 370 : if (pkey != NULL) {
1893 370 : if (SSL_USE_SIGALGS(s)) {
1894 : int rv;
1895 370 : if (2 > n) {
1896 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1897 0 : goto f_err;
1898 : }
1899 370 : rv = tls12_check_peer_sigalg(&md, s, p, pkey);
1900 370 : if (rv == -1)
1901 : goto err;
1902 370 : else if (rv == 0) {
1903 : goto f_err;
1904 : }
1905 : #ifdef SSL_DEBUG
1906 : fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1907 : #endif
1908 370 : p += 2;
1909 370 : n -= 2;
1910 : } else
1911 0 : md = EVP_sha1();
1912 :
1913 370 : if (2 > n) {
1914 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1915 0 : goto f_err;
1916 : }
1917 370 : n2s(p, i);
1918 370 : n -= 2;
1919 370 : j = EVP_PKEY_size(pkey);
1920 :
1921 : /*
1922 : * Check signature length. If n is 0 then signature is empty
1923 : */
1924 370 : if ((i != n) || (n > j) || (n <= 0)) {
1925 : /* wrong packet length */
1926 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
1927 0 : goto f_err;
1928 : }
1929 : #ifndef OPENSSL_NO_RSA
1930 370 : if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
1931 : int num;
1932 : unsigned int size;
1933 :
1934 : j = 0;
1935 : q = md_buf;
1936 0 : for (num = 2; num > 0; num--) {
1937 0 : EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1938 0 : EVP_DigestInit_ex(&md_ctx, (num == 2)
1939 0 : ? s->ctx->md5 : s->ctx->sha1, NULL);
1940 0 : EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
1941 : SSL3_RANDOM_SIZE);
1942 0 : EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
1943 : SSL3_RANDOM_SIZE);
1944 0 : EVP_DigestUpdate(&md_ctx, param, param_len);
1945 0 : EVP_DigestFinal_ex(&md_ctx, q, &size);
1946 0 : q += size;
1947 0 : j += size;
1948 : }
1949 0 : i = RSA_verify(NID_md5_sha1, md_buf, j, p, n, pkey->pkey.rsa);
1950 0 : if (i < 0) {
1951 0 : al = SSL_AD_DECRYPT_ERROR;
1952 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT);
1953 0 : goto f_err;
1954 : }
1955 0 : if (i == 0) {
1956 : /* bad signature */
1957 0 : al = SSL_AD_DECRYPT_ERROR;
1958 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1959 0 : goto f_err;
1960 : }
1961 : } else
1962 : #endif
1963 : {
1964 370 : EVP_VerifyInit_ex(&md_ctx, md, NULL);
1965 370 : EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
1966 : SSL3_RANDOM_SIZE);
1967 370 : EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
1968 : SSL3_RANDOM_SIZE);
1969 370 : EVP_VerifyUpdate(&md_ctx, param, param_len);
1970 370 : if (EVP_VerifyFinal(&md_ctx, p, (int)n, pkey) <= 0) {
1971 : /* bad signature */
1972 0 : al = SSL_AD_DECRYPT_ERROR;
1973 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1974 0 : goto f_err;
1975 : }
1976 : }
1977 : } else {
1978 : /* aNULL, aSRP or kPSK do not need public keys */
1979 0 : if (!(alg_a & (SSL_aNULL | SSL_aSRP)) && !(alg_k & SSL_kPSK)) {
1980 : /* Might be wrong key type, check it */
1981 0 : if (ssl3_check_cert_and_algorithm(s))
1982 : /* Otherwise this shouldn't happen */
1983 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1984 : goto err;
1985 : }
1986 : /* still data left over */
1987 0 : if (n != 0) {
1988 0 : SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
1989 0 : goto f_err;
1990 : }
1991 : }
1992 370 : EVP_PKEY_free(pkey);
1993 370 : EVP_MD_CTX_cleanup(&md_ctx);
1994 370 : return (1);
1995 : f_err:
1996 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
1997 : err:
1998 0 : EVP_PKEY_free(pkey);
1999 : #ifndef OPENSSL_NO_RSA
2000 0 : if (rsa != NULL)
2001 0 : RSA_free(rsa);
2002 : #endif
2003 : #ifndef OPENSSL_NO_DH
2004 0 : if (dh != NULL)
2005 0 : DH_free(dh);
2006 : #endif
2007 : #ifndef OPENSSL_NO_ECDH
2008 0 : BN_CTX_free(bn_ctx);
2009 0 : EC_POINT_free(srvr_ecpoint);
2010 0 : if (ecdh != NULL)
2011 0 : EC_KEY_free(ecdh);
2012 : #endif
2013 0 : EVP_MD_CTX_cleanup(&md_ctx);
2014 0 : s->state = SSL_ST_ERR;
2015 0 : return (-1);
2016 : }
2017 :
2018 370 : int ssl3_get_certificate_request(SSL *s)
2019 : {
2020 : int ok, ret = 0;
2021 : unsigned long n, nc, l;
2022 : unsigned int llen, ctype_num, i;
2023 : X509_NAME *xn = NULL;
2024 : const unsigned char *p, *q;
2025 : unsigned char *d;
2026 : STACK_OF(X509_NAME) *ca_sk = NULL;
2027 :
2028 370 : n = s->method->ssl_get_message(s,
2029 : SSL3_ST_CR_CERT_REQ_A,
2030 : SSL3_ST_CR_CERT_REQ_B,
2031 : -1, s->max_cert_list, &ok);
2032 :
2033 370 : if (!ok)
2034 0 : return ((int)n);
2035 :
2036 370 : s->s3->tmp.cert_req = 0;
2037 :
2038 370 : if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
2039 370 : s->s3->tmp.reuse_message = 1;
2040 : /*
2041 : * If we get here we don't need any cached handshake records as we
2042 : * wont be doing client auth.
2043 : */
2044 370 : if (s->s3->handshake_buffer) {
2045 370 : if (!ssl3_digest_cached_records(s))
2046 : goto err;
2047 : }
2048 : return (1);
2049 : }
2050 :
2051 0 : if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
2052 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2053 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_WRONG_MESSAGE_TYPE);
2054 0 : goto err;
2055 : }
2056 :
2057 : /* TLS does not like anon-DH with client cert */
2058 0 : if (s->version > SSL3_VERSION) {
2059 0 : if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
2060 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2061 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
2062 : SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
2063 0 : goto err;
2064 : }
2065 : }
2066 :
2067 0 : p = d = (unsigned char *)s->init_msg;
2068 :
2069 0 : if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
2070 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
2071 0 : goto err;
2072 : }
2073 :
2074 : /* get the certificate types */
2075 0 : ctype_num = *(p++);
2076 0 : if (s->cert->ctypes) {
2077 0 : OPENSSL_free(s->cert->ctypes);
2078 0 : s->cert->ctypes = NULL;
2079 : }
2080 0 : if (ctype_num > SSL3_CT_NUMBER) {
2081 : /* If we exceed static buffer copy all to cert structure */
2082 0 : s->cert->ctypes = OPENSSL_malloc(ctype_num);
2083 0 : memcpy(s->cert->ctypes, p, ctype_num);
2084 0 : s->cert->ctype_num = (size_t)ctype_num;
2085 : ctype_num = SSL3_CT_NUMBER;
2086 : }
2087 0 : for (i = 0; i < ctype_num; i++)
2088 0 : s->s3->tmp.ctype[i] = p[i];
2089 0 : p += p[-1];
2090 0 : if (SSL_USE_SIGALGS(s)) {
2091 0 : n2s(p, llen);
2092 : /*
2093 : * Check we have enough room for signature algorithms and following
2094 : * length value.
2095 : */
2096 0 : if ((unsigned long)(p - d + llen + 2) > n) {
2097 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2098 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
2099 : SSL_R_DATA_LENGTH_TOO_LONG);
2100 0 : goto err;
2101 : }
2102 : /* Clear certificate digests and validity flags */
2103 0 : for (i = 0; i < SSL_PKEY_NUM; i++) {
2104 0 : s->cert->pkeys[i].digest = NULL;
2105 0 : s->cert->pkeys[i].valid_flags = 0;
2106 : }
2107 0 : if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) {
2108 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2109 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
2110 : SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2111 0 : goto err;
2112 : }
2113 0 : if (!tls1_process_sigalgs(s)) {
2114 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2115 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
2116 0 : goto err;
2117 : }
2118 0 : p += llen;
2119 : }
2120 :
2121 : /* get the CA RDNs */
2122 0 : n2s(p, llen);
2123 : #if 0
2124 : {
2125 : FILE *out;
2126 : out = fopen("/tmp/vsign.der", "w");
2127 : fwrite(p, 1, llen, out);
2128 : fclose(out);
2129 : }
2130 : #endif
2131 :
2132 0 : if ((unsigned long)(p - d + llen) != n) {
2133 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2134 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
2135 0 : goto err;
2136 : }
2137 :
2138 0 : for (nc = 0; nc < llen;) {
2139 0 : n2s(p, l);
2140 0 : if ((l + nc + 2) > llen) {
2141 0 : if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
2142 : goto cont; /* netscape bugs */
2143 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2144 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
2145 0 : goto err;
2146 : }
2147 :
2148 0 : q = p;
2149 :
2150 0 : if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
2151 : /* If netscape tolerance is on, ignore errors */
2152 0 : if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
2153 : goto cont;
2154 : else {
2155 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2156 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
2157 0 : goto err;
2158 : }
2159 : }
2160 :
2161 0 : if (q != (p + l)) {
2162 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2163 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
2164 : SSL_R_CA_DN_LENGTH_MISMATCH);
2165 0 : goto err;
2166 : }
2167 0 : if (!sk_X509_NAME_push(ca_sk, xn)) {
2168 0 : SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
2169 0 : goto err;
2170 : }
2171 :
2172 : p += l;
2173 : nc += l + 2;
2174 : }
2175 :
2176 : if (0) {
2177 : cont:
2178 0 : ERR_clear_error();
2179 : }
2180 :
2181 : /* we should setup a certificate to return.... */
2182 0 : s->s3->tmp.cert_req = 1;
2183 0 : s->s3->tmp.ctype_num = ctype_num;
2184 0 : if (s->s3->tmp.ca_names != NULL)
2185 0 : sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
2186 0 : s->s3->tmp.ca_names = ca_sk;
2187 : ca_sk = NULL;
2188 :
2189 : ret = 1;
2190 0 : goto done;
2191 : err:
2192 0 : s->state = SSL_ST_ERR;
2193 : done:
2194 0 : if (ca_sk != NULL)
2195 0 : sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2196 0 : return (ret);
2197 : }
2198 :
2199 0 : static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2200 : {
2201 0 : return (X509_NAME_cmp(*a, *b));
2202 : }
2203 :
2204 : #ifndef OPENSSL_NO_TLSEXT
2205 735 : int ssl3_get_new_session_ticket(SSL *s)
2206 : {
2207 : int ok, al, ret = 0, ticklen;
2208 : long n;
2209 : const unsigned char *p;
2210 : unsigned char *d;
2211 :
2212 735 : n = s->method->ssl_get_message(s,
2213 : SSL3_ST_CR_SESSION_TICKET_A,
2214 : SSL3_ST_CR_SESSION_TICKET_B,
2215 : SSL3_MT_NEWSESSION_TICKET, 16384, &ok);
2216 :
2217 735 : if (!ok)
2218 370 : return ((int)n);
2219 :
2220 365 : if (n < 6) {
2221 : /* need at least ticket_lifetime_hint + ticket length */
2222 : al = SSL_AD_DECODE_ERROR;
2223 0 : SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2224 0 : goto f_err;
2225 : }
2226 :
2227 365 : p = d = (unsigned char *)s->init_msg;
2228 :
2229 365 : if (s->session->session_id_length > 0) {
2230 0 : int i = s->session_ctx->session_cache_mode;
2231 : SSL_SESSION *new_sess;
2232 : /*
2233 : * We reused an existing session, so we need to replace it with a new
2234 : * one
2235 : */
2236 0 : if (i & SSL_SESS_CACHE_CLIENT) {
2237 : /*
2238 : * Remove the old session from the cache
2239 : */
2240 0 : if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) {
2241 0 : if (s->session_ctx->remove_session_cb != NULL)
2242 0 : s->session_ctx->remove_session_cb(s->session_ctx,
2243 : s->session);
2244 : } else {
2245 : /* We carry on if this fails */
2246 0 : SSL_CTX_remove_session(s->session_ctx, s->session);
2247 : }
2248 : }
2249 :
2250 0 : if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2251 : al = SSL_AD_INTERNAL_ERROR;
2252 0 : SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
2253 0 : goto f_err;
2254 : }
2255 :
2256 0 : SSL_SESSION_free(s->session);
2257 0 : s->session = new_sess;
2258 : }
2259 :
2260 365 : n2l(p, s->session->tlsext_tick_lifetime_hint);
2261 365 : n2s(p, ticklen);
2262 : /* ticket_lifetime_hint + ticket_length + ticket */
2263 365 : if (ticklen + 6 != n) {
2264 : al = SSL_AD_DECODE_ERROR;
2265 0 : SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2266 0 : goto f_err;
2267 : }
2268 365 : if (s->session->tlsext_tick) {
2269 0 : OPENSSL_free(s->session->tlsext_tick);
2270 0 : s->session->tlsext_ticklen = 0;
2271 : }
2272 365 : s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2273 365 : if (!s->session->tlsext_tick) {
2274 0 : SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
2275 0 : goto err;
2276 : }
2277 365 : memcpy(s->session->tlsext_tick, p, ticklen);
2278 365 : s->session->tlsext_ticklen = ticklen;
2279 : /*
2280 : * There are two ways to detect a resumed ticket session. One is to set
2281 : * an appropriate session ID and then the server must return a match in
2282 : * ServerHello. This allows the normal client session ID matching to work
2283 : * and we know much earlier that the ticket has been accepted. The
2284 : * other way is to set zero length session ID when the ticket is
2285 : * presented and rely on the handshake to determine session resumption.
2286 : * We choose the former approach because this fits in with assumptions
2287 : * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
2288 : * SHA256 is disabled) hash of the ticket.
2289 : */
2290 1095 : EVP_Digest(p, ticklen,
2291 730 : s->session->session_id, &s->session->session_id_length,
2292 : # ifndef OPENSSL_NO_SHA256
2293 : EVP_sha256(), NULL);
2294 : # else
2295 : EVP_sha1(), NULL);
2296 : # endif
2297 : ret = 1;
2298 365 : return (ret);
2299 : f_err:
2300 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
2301 : err:
2302 0 : s->state = SSL_ST_ERR;
2303 0 : return (-1);
2304 : }
2305 :
2306 0 : int ssl3_get_cert_status(SSL *s)
2307 : {
2308 : int ok, al;
2309 : unsigned long resplen, n;
2310 : const unsigned char *p;
2311 :
2312 0 : n = s->method->ssl_get_message(s,
2313 : SSL3_ST_CR_CERT_STATUS_A,
2314 : SSL3_ST_CR_CERT_STATUS_B,
2315 : SSL3_MT_CERTIFICATE_STATUS, 16384, &ok);
2316 :
2317 0 : if (!ok)
2318 0 : return ((int)n);
2319 0 : if (n < 4) {
2320 : /* need at least status type + length */
2321 : al = SSL_AD_DECODE_ERROR;
2322 0 : SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2323 0 : goto f_err;
2324 : }
2325 0 : p = (unsigned char *)s->init_msg;
2326 0 : if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
2327 : al = SSL_AD_DECODE_ERROR;
2328 0 : SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
2329 0 : goto f_err;
2330 : }
2331 0 : n2l3(p, resplen);
2332 0 : if (resplen + 4 != n) {
2333 : al = SSL_AD_DECODE_ERROR;
2334 0 : SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2335 0 : goto f_err;
2336 : }
2337 0 : if (s->tlsext_ocsp_resp)
2338 0 : OPENSSL_free(s->tlsext_ocsp_resp);
2339 0 : s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
2340 0 : if (!s->tlsext_ocsp_resp) {
2341 : al = SSL_AD_INTERNAL_ERROR;
2342 0 : SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2343 0 : goto f_err;
2344 : }
2345 0 : s->tlsext_ocsp_resplen = resplen;
2346 0 : if (s->ctx->tlsext_status_cb) {
2347 : int ret;
2348 0 : ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2349 0 : if (ret == 0) {
2350 : al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2351 0 : SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_INVALID_STATUS_RESPONSE);
2352 0 : goto f_err;
2353 : }
2354 0 : if (ret < 0) {
2355 : al = SSL_AD_INTERNAL_ERROR;
2356 0 : SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2357 0 : goto f_err;
2358 : }
2359 : }
2360 : return 1;
2361 : f_err:
2362 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
2363 0 : s->state = SSL_ST_ERR;
2364 0 : return (-1);
2365 : }
2366 : #endif
2367 :
2368 370 : int ssl3_get_server_done(SSL *s)
2369 : {
2370 : int ok, ret = 0;
2371 : long n;
2372 :
2373 : /* Second to last param should be very small, like 0 :-) */
2374 370 : n = s->method->ssl_get_message(s,
2375 : SSL3_ST_CR_SRVR_DONE_A,
2376 : SSL3_ST_CR_SRVR_DONE_B,
2377 : SSL3_MT_SERVER_DONE, 30, &ok);
2378 :
2379 370 : if (!ok)
2380 0 : return ((int)n);
2381 370 : if (n > 0) {
2382 : /* should contain no data */
2383 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2384 0 : SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
2385 0 : s->state = SSL_ST_ERR;
2386 0 : return -1;
2387 : }
2388 : ret = 1;
2389 : return (ret);
2390 : }
2391 :
2392 : #ifndef OPENSSL_NO_DH
2393 0 : static DH *get_server_static_dh_key(SESS_CERT *scert)
2394 : {
2395 : DH *dh_srvr = NULL;
2396 : EVP_PKEY *spkey = NULL;
2397 0 : int idx = scert->peer_cert_type;
2398 :
2399 0 : if (idx >= 0)
2400 0 : spkey = X509_get_pubkey(scert->peer_pkeys[idx].x509);
2401 0 : if (spkey) {
2402 0 : dh_srvr = EVP_PKEY_get1_DH(spkey);
2403 0 : EVP_PKEY_free(spkey);
2404 : }
2405 0 : if (dh_srvr == NULL)
2406 0 : SSLerr(SSL_F_GET_SERVER_STATIC_DH_KEY, ERR_R_INTERNAL_ERROR);
2407 0 : return dh_srvr;
2408 : }
2409 : #endif
2410 :
2411 370 : int ssl3_send_client_key_exchange(SSL *s)
2412 : {
2413 : unsigned char *p;
2414 : int n;
2415 : unsigned long alg_k;
2416 : #ifndef OPENSSL_NO_RSA
2417 : unsigned char *q;
2418 : EVP_PKEY *pkey = NULL;
2419 : #endif
2420 : #ifndef OPENSSL_NO_KRB5
2421 : KSSL_ERR kssl_err;
2422 : #endif /* OPENSSL_NO_KRB5 */
2423 : #ifndef OPENSSL_NO_ECDH
2424 : EC_KEY *clnt_ecdh = NULL;
2425 : const EC_POINT *srvr_ecpoint = NULL;
2426 : EVP_PKEY *srvr_pub_pkey = NULL;
2427 : unsigned char *encodedPoint = NULL;
2428 : int encoded_pt_len = 0;
2429 : BN_CTX *bn_ctx = NULL;
2430 : #endif
2431 :
2432 370 : if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
2433 370 : p = ssl_handshake_start(s);
2434 :
2435 370 : alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2436 :
2437 : /* Fool emacs indentation */
2438 : if (0) {
2439 : }
2440 : #ifndef OPENSSL_NO_RSA
2441 370 : else if (alg_k & SSL_kRSA) {
2442 : RSA *rsa;
2443 : unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2444 :
2445 0 : if (s->session->sess_cert == NULL) {
2446 : /*
2447 : * We should always have a server certificate with SSL_kRSA.
2448 : */
2449 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2450 : ERR_R_INTERNAL_ERROR);
2451 0 : goto err;
2452 : }
2453 :
2454 0 : if (s->session->sess_cert->peer_rsa_tmp != NULL)
2455 : rsa = s->session->sess_cert->peer_rsa_tmp;
2456 : else {
2457 0 : pkey =
2458 0 : X509_get_pubkey(s->session->
2459 : sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].
2460 : x509);
2461 0 : if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
2462 0 : || (pkey->pkey.rsa == NULL)) {
2463 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2464 : ERR_R_INTERNAL_ERROR);
2465 0 : goto err;
2466 : }
2467 : rsa = pkey->pkey.rsa;
2468 0 : EVP_PKEY_free(pkey);
2469 : }
2470 :
2471 0 : tmp_buf[0] = s->client_version >> 8;
2472 0 : tmp_buf[1] = s->client_version & 0xff;
2473 0 : if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2474 : goto err;
2475 :
2476 0 : s->session->master_key_length = sizeof tmp_buf;
2477 :
2478 : q = p;
2479 : /* Fix buf for TLS and beyond */
2480 0 : if (s->version > SSL3_VERSION)
2481 0 : p += 2;
2482 0 : n = RSA_public_encrypt(sizeof tmp_buf,
2483 : tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2484 : # ifdef PKCS1_CHECK
2485 : if (s->options & SSL_OP_PKCS1_CHECK_1)
2486 : p[1]++;
2487 : if (s->options & SSL_OP_PKCS1_CHECK_2)
2488 : tmp_buf[0] = 0x70;
2489 : # endif
2490 0 : if (n <= 0) {
2491 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2492 : SSL_R_BAD_RSA_ENCRYPT);
2493 0 : goto err;
2494 : }
2495 :
2496 : /* Fix buf for TLS and beyond */
2497 0 : if (s->version > SSL3_VERSION) {
2498 0 : s2n(n, q);
2499 0 : n += 2;
2500 : }
2501 :
2502 0 : s->session->master_key_length =
2503 0 : s->method->ssl3_enc->generate_master_secret(s,
2504 0 : s->
2505 : session->master_key,
2506 : tmp_buf,
2507 : sizeof tmp_buf);
2508 0 : OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2509 : }
2510 : #endif
2511 : #ifndef OPENSSL_NO_KRB5
2512 : else if (alg_k & SSL_kKRB5) {
2513 : krb5_error_code krb5rc;
2514 : KSSL_CTX *kssl_ctx = s->kssl_ctx;
2515 : /* krb5_data krb5_ap_req; */
2516 : krb5_data *enc_ticket;
2517 : krb5_data authenticator, *authp = NULL;
2518 : EVP_CIPHER_CTX ciph_ctx;
2519 : const EVP_CIPHER *enc = NULL;
2520 : unsigned char iv[EVP_MAX_IV_LENGTH];
2521 : unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2522 : unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_IV_LENGTH];
2523 : int padl, outl = sizeof(epms);
2524 :
2525 : EVP_CIPHER_CTX_init(&ciph_ctx);
2526 :
2527 : # ifdef KSSL_DEBUG
2528 : fprintf(stderr, "ssl3_send_client_key_exchange(%lx & %lx)\n",
2529 : alg_k, SSL_kKRB5);
2530 : # endif /* KSSL_DEBUG */
2531 :
2532 : authp = NULL;
2533 : # ifdef KRB5SENDAUTH
2534 : if (KRB5SENDAUTH)
2535 : authp = &authenticator;
2536 : # endif /* KRB5SENDAUTH */
2537 :
2538 : krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, &kssl_err);
2539 : enc = kssl_map_enc(kssl_ctx->enctype);
2540 : if (enc == NULL)
2541 : goto err;
2542 : # ifdef KSSL_DEBUG
2543 : {
2544 : fprintf(stderr, "kssl_cget_tkt rtn %d\n", krb5rc);
2545 : if (krb5rc && kssl_err.text)
2546 : fprintf(stderr, "kssl_cget_tkt kssl_err=%s\n",
2547 : kssl_err.text);
2548 : }
2549 : # endif /* KSSL_DEBUG */
2550 :
2551 : if (krb5rc) {
2552 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2553 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason);
2554 : goto err;
2555 : }
2556 :
2557 : /*-
2558 : * 20010406 VRS - Earlier versions used KRB5 AP_REQ
2559 : * in place of RFC 2712 KerberosWrapper, as in:
2560 : *
2561 : * Send ticket (copy to *p, set n = length)
2562 : * n = krb5_ap_req.length;
2563 : * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2564 : * if (krb5_ap_req.data)
2565 : * kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2566 : *
2567 : * Now using real RFC 2712 KerberosWrapper
2568 : * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
2569 : * Note: 2712 "opaque" types are here replaced
2570 : * with a 2-byte length followed by the value.
2571 : * Example:
2572 : * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
2573 : * Where "xx xx" = length bytes. Shown here with
2574 : * optional authenticator omitted.
2575 : */
2576 :
2577 : /* KerberosWrapper.Ticket */
2578 : s2n(enc_ticket->length, p);
2579 : memcpy(p, enc_ticket->data, enc_ticket->length);
2580 : p += enc_ticket->length;
2581 : n = enc_ticket->length + 2;
2582 :
2583 : /* KerberosWrapper.Authenticator */
2584 : if (authp && authp->length) {
2585 : s2n(authp->length, p);
2586 : memcpy(p, authp->data, authp->length);
2587 : p += authp->length;
2588 : n += authp->length + 2;
2589 :
2590 : free(authp->data);
2591 : authp->data = NULL;
2592 : authp->length = 0;
2593 : } else {
2594 : s2n(0, p); /* null authenticator length */
2595 : n += 2;
2596 : }
2597 :
2598 : tmp_buf[0] = s->client_version >> 8;
2599 : tmp_buf[1] = s->client_version & 0xff;
2600 : if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2601 : goto err;
2602 :
2603 : /*-
2604 : * 20010420 VRS. Tried it this way; failed.
2605 : * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2606 : * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2607 : * kssl_ctx->length);
2608 : * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2609 : */
2610 :
2611 : memset(iv, 0, sizeof iv); /* per RFC 1510 */
2612 : EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv);
2613 : EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
2614 : sizeof tmp_buf);
2615 : EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
2616 : outl += padl;
2617 : if (outl > (int)sizeof epms) {
2618 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2619 : ERR_R_INTERNAL_ERROR);
2620 : goto err;
2621 : }
2622 : EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2623 :
2624 : /* KerberosWrapper.EncryptedPreMasterSecret */
2625 : s2n(outl, p);
2626 : memcpy(p, epms, outl);
2627 : p += outl;
2628 : n += outl + 2;
2629 :
2630 : s->session->master_key_length =
2631 : s->method->ssl3_enc->generate_master_secret(s,
2632 : s->
2633 : session->master_key,
2634 : tmp_buf,
2635 : sizeof tmp_buf);
2636 :
2637 : OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2638 : OPENSSL_cleanse(epms, outl);
2639 : }
2640 : #endif
2641 : #ifndef OPENSSL_NO_DH
2642 370 : else if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) {
2643 : DH *dh_srvr, *dh_clnt;
2644 0 : SESS_CERT *scert = s->session->sess_cert;
2645 :
2646 0 : if (scert == NULL) {
2647 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2648 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2649 : SSL_R_UNEXPECTED_MESSAGE);
2650 0 : goto err;
2651 : }
2652 :
2653 0 : if (scert->peer_dh_tmp != NULL) {
2654 : dh_srvr = scert->peer_dh_tmp;
2655 : } else {
2656 0 : dh_srvr = get_server_static_dh_key(scert);
2657 0 : if (dh_srvr == NULL)
2658 : goto err;
2659 : }
2660 :
2661 0 : if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
2662 : /* Use client certificate key */
2663 0 : EVP_PKEY *clkey = s->cert->key->privatekey;
2664 : dh_clnt = NULL;
2665 0 : if (clkey)
2666 0 : dh_clnt = EVP_PKEY_get1_DH(clkey);
2667 0 : if (dh_clnt == NULL) {
2668 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2669 : ERR_R_INTERNAL_ERROR);
2670 0 : goto err;
2671 : }
2672 : } else {
2673 : /* generate a new random key */
2674 0 : if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
2675 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2676 0 : goto err;
2677 : }
2678 0 : if (!DH_generate_key(dh_clnt)) {
2679 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2680 0 : DH_free(dh_clnt);
2681 0 : goto err;
2682 : }
2683 : }
2684 :
2685 : /*
2686 : * use the 'p' output buffer for the DH key, but make sure to
2687 : * clear it out afterwards
2688 : */
2689 :
2690 0 : n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
2691 0 : if (scert->peer_dh_tmp == NULL)
2692 0 : DH_free(dh_srvr);
2693 :
2694 0 : if (n <= 0) {
2695 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2696 0 : DH_free(dh_clnt);
2697 0 : goto err;
2698 : }
2699 :
2700 : /* generate master key from the result */
2701 0 : s->session->master_key_length =
2702 0 : s->method->ssl3_enc->generate_master_secret(s,
2703 0 : s->
2704 : session->master_key,
2705 : p, n);
2706 : /* clean up */
2707 0 : memset(p, 0, n);
2708 :
2709 0 : if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
2710 : n = 0;
2711 : else {
2712 : /* send off the data */
2713 0 : n = BN_num_bytes(dh_clnt->pub_key);
2714 0 : s2n(n, p);
2715 0 : BN_bn2bin(dh_clnt->pub_key, p);
2716 0 : n += 2;
2717 : }
2718 :
2719 0 : DH_free(dh_clnt);
2720 : }
2721 : #endif
2722 :
2723 : #ifndef OPENSSL_NO_ECDH
2724 370 : else if (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) {
2725 : const EC_GROUP *srvr_group = NULL;
2726 : EC_KEY *tkey;
2727 : int ecdh_clnt_cert = 0;
2728 : int field_size = 0;
2729 :
2730 370 : if (s->session->sess_cert == NULL) {
2731 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2732 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2733 : SSL_R_UNEXPECTED_MESSAGE);
2734 0 : goto err;
2735 : }
2736 :
2737 : /*
2738 : * Did we send out the client's ECDH share for use in premaster
2739 : * computation as part of client certificate? If so, set
2740 : * ecdh_clnt_cert to 1.
2741 : */
2742 : if ((alg_k & (SSL_kECDHr | SSL_kECDHe)) && (s->cert != NULL)) {
2743 : /*-
2744 : * XXX: For now, we do not support client
2745 : * authentication using ECDH certificates.
2746 : * To add such support, one needs to add
2747 : * code that checks for appropriate
2748 : * conditions and sets ecdh_clnt_cert to 1.
2749 : * For example, the cert have an ECC
2750 : * key on the same curve as the server's
2751 : * and the key should be authorized for
2752 : * key agreement.
2753 : *
2754 : * One also needs to add code in ssl3_connect
2755 : * to skip sending the certificate verify
2756 : * message.
2757 : *
2758 : * if ((s->cert->key->privatekey != NULL) &&
2759 : * (s->cert->key->privatekey->type ==
2760 : * EVP_PKEY_EC) && ...)
2761 : * ecdh_clnt_cert = 1;
2762 : */
2763 : }
2764 :
2765 370 : if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
2766 : tkey = s->session->sess_cert->peer_ecdh_tmp;
2767 : } else {
2768 : /* Get the Server Public Key from Cert */
2769 0 : srvr_pub_pkey =
2770 0 : X509_get_pubkey(s->session->
2771 : sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2772 0 : if ((srvr_pub_pkey == NULL)
2773 0 : || (srvr_pub_pkey->type != EVP_PKEY_EC)
2774 0 : || (srvr_pub_pkey->pkey.ec == NULL)) {
2775 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2776 : ERR_R_INTERNAL_ERROR);
2777 0 : goto err;
2778 : }
2779 :
2780 : tkey = srvr_pub_pkey->pkey.ec;
2781 : }
2782 :
2783 370 : srvr_group = EC_KEY_get0_group(tkey);
2784 370 : srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2785 :
2786 370 : if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
2787 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2788 : ERR_R_INTERNAL_ERROR);
2789 0 : goto err;
2790 : }
2791 :
2792 370 : if ((clnt_ecdh = EC_KEY_new()) == NULL) {
2793 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2794 : ERR_R_MALLOC_FAILURE);
2795 0 : goto err;
2796 : }
2797 :
2798 370 : if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
2799 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2800 0 : goto err;
2801 : }
2802 : if (ecdh_clnt_cert) {
2803 : /*
2804 : * Reuse key info from our certificate We only need our
2805 : * private key to perform the ECDH computation.
2806 : */
2807 : const BIGNUM *priv_key;
2808 : tkey = s->cert->key->privatekey->pkey.ec;
2809 : priv_key = EC_KEY_get0_private_key(tkey);
2810 : if (priv_key == NULL) {
2811 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2812 : ERR_R_MALLOC_FAILURE);
2813 : goto err;
2814 : }
2815 : if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) {
2816 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2817 : goto err;
2818 : }
2819 : } else {
2820 : /* Generate a new ECDH key pair */
2821 370 : if (!(EC_KEY_generate_key(clnt_ecdh))) {
2822 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2823 : ERR_R_ECDH_LIB);
2824 0 : goto err;
2825 : }
2826 : }
2827 :
2828 : /*
2829 : * use the 'p' output buffer for the ECDH key, but make sure to
2830 : * clear it out afterwards
2831 : */
2832 :
2833 370 : field_size = EC_GROUP_get_degree(srvr_group);
2834 370 : if (field_size <= 0) {
2835 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2836 0 : goto err;
2837 : }
2838 370 : n = ECDH_compute_key(p, (field_size + 7) / 8, srvr_ecpoint,
2839 : clnt_ecdh, NULL);
2840 370 : if (n <= 0) {
2841 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2842 0 : goto err;
2843 : }
2844 :
2845 : /* generate master key from the result */
2846 370 : s->session->master_key_length =
2847 740 : s->method->ssl3_enc->generate_master_secret(s,
2848 370 : s->
2849 : session->master_key,
2850 : p, n);
2851 :
2852 370 : memset(p, 0, n); /* clean up */
2853 :
2854 : if (ecdh_clnt_cert) {
2855 : /* Send empty client key exch message */
2856 : n = 0;
2857 : } else {
2858 : /*
2859 : * First check the size of encoding and allocate memory
2860 : * accordingly.
2861 : */
2862 370 : encoded_pt_len =
2863 370 : EC_POINT_point2oct(srvr_group,
2864 : EC_KEY_get0_public_key(clnt_ecdh),
2865 : POINT_CONVERSION_UNCOMPRESSED,
2866 : NULL, 0, NULL);
2867 :
2868 370 : encodedPoint = (unsigned char *)
2869 : OPENSSL_malloc(encoded_pt_len * sizeof(unsigned char));
2870 370 : bn_ctx = BN_CTX_new();
2871 370 : if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
2872 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2873 : ERR_R_MALLOC_FAILURE);
2874 0 : goto err;
2875 : }
2876 :
2877 : /* Encode the public key */
2878 370 : n = EC_POINT_point2oct(srvr_group,
2879 : EC_KEY_get0_public_key(clnt_ecdh),
2880 : POINT_CONVERSION_UNCOMPRESSED,
2881 : encodedPoint, encoded_pt_len, bn_ctx);
2882 :
2883 370 : *p = n; /* length of encoded point */
2884 : /* Encoded point will be copied here */
2885 370 : p += 1;
2886 : /* copy the point */
2887 370 : memcpy((unsigned char *)p, encodedPoint, n);
2888 : /* increment n to account for length field */
2889 370 : n += 1;
2890 : }
2891 :
2892 : /* Free allocated memory */
2893 370 : BN_CTX_free(bn_ctx);
2894 370 : if (encodedPoint != NULL)
2895 370 : OPENSSL_free(encodedPoint);
2896 370 : if (clnt_ecdh != NULL)
2897 370 : EC_KEY_free(clnt_ecdh);
2898 370 : EVP_PKEY_free(srvr_pub_pkey);
2899 : }
2900 : #endif /* !OPENSSL_NO_ECDH */
2901 0 : else if (alg_k & SSL_kGOST) {
2902 : /* GOST key exchange message creation */
2903 : EVP_PKEY_CTX *pkey_ctx;
2904 : X509 *peer_cert;
2905 : size_t msglen;
2906 : unsigned int md_len;
2907 : int keytype;
2908 : unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
2909 : EVP_MD_CTX *ukm_hash;
2910 : EVP_PKEY *pub_key;
2911 :
2912 : /*
2913 : * Get server sertificate PKEY and create ctx from it
2914 : */
2915 0 : peer_cert =
2916 0 : s->session->
2917 : sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST01)].x509;
2918 0 : if (!peer_cert)
2919 0 : peer_cert =
2920 : s->session->
2921 : sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST94)].x509;
2922 0 : if (!peer_cert) {
2923 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2924 : SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2925 0 : goto err;
2926 : }
2927 :
2928 0 : pkey_ctx = EVP_PKEY_CTX_new(pub_key =
2929 : X509_get_pubkey(peer_cert), NULL);
2930 : /*
2931 : * If we have send a certificate, and certificate key
2932 : *
2933 : * * parameters match those of server certificate, use
2934 : * certificate key for key exchange
2935 : */
2936 :
2937 : /* Otherwise, generate ephemeral key pair */
2938 :
2939 0 : EVP_PKEY_encrypt_init(pkey_ctx);
2940 : /* Generate session key */
2941 0 : if (RAND_bytes(premaster_secret, 32) <= 0) {
2942 0 : EVP_PKEY_CTX_free(pkey_ctx);
2943 0 : goto err;
2944 : }
2945 : /*
2946 : * If we have client certificate, use its secret as peer key
2947 : */
2948 0 : if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2949 0 : if (EVP_PKEY_derive_set_peer
2950 0 : (pkey_ctx, s->cert->key->privatekey) <= 0) {
2951 : /*
2952 : * If there was an error - just ignore it. Ephemeral key
2953 : * * would be used
2954 : */
2955 0 : ERR_clear_error();
2956 : }
2957 : }
2958 : /*
2959 : * Compute shared IV and store it in algorithm-specific context
2960 : * data
2961 : */
2962 0 : ukm_hash = EVP_MD_CTX_create();
2963 0 : EVP_DigestInit(ukm_hash,
2964 : EVP_get_digestbynid(NID_id_GostR3411_94));
2965 0 : EVP_DigestUpdate(ukm_hash, s->s3->client_random,
2966 : SSL3_RANDOM_SIZE);
2967 0 : EVP_DigestUpdate(ukm_hash, s->s3->server_random,
2968 : SSL3_RANDOM_SIZE);
2969 0 : EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2970 0 : EVP_MD_CTX_destroy(ukm_hash);
2971 0 : if (EVP_PKEY_CTX_ctrl
2972 0 : (pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8,
2973 : shared_ukm) < 0) {
2974 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2975 : SSL_R_LIBRARY_BUG);
2976 0 : goto err;
2977 : }
2978 : /* Make GOST keytransport blob message */
2979 : /*
2980 : * Encapsulate it into sequence
2981 : */
2982 0 : *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2983 0 : msglen = 255;
2984 0 : if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32)
2985 : < 0) {
2986 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2987 : SSL_R_LIBRARY_BUG);
2988 0 : goto err;
2989 : }
2990 0 : if (msglen >= 0x80) {
2991 0 : *(p++) = 0x81;
2992 0 : *(p++) = msglen & 0xff;
2993 0 : n = msglen + 3;
2994 : } else {
2995 0 : *(p++) = msglen & 0xff;
2996 0 : n = msglen + 2;
2997 : }
2998 0 : memcpy(p, tmp, msglen);
2999 : /* Check if pubkey from client certificate was used */
3000 0 : if (EVP_PKEY_CTX_ctrl
3001 0 : (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) {
3002 : /* Set flag "skip certificate verify" */
3003 0 : s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
3004 : }
3005 0 : EVP_PKEY_CTX_free(pkey_ctx);
3006 0 : s->session->master_key_length =
3007 0 : s->method->ssl3_enc->generate_master_secret(s,
3008 0 : s->
3009 : session->master_key,
3010 : premaster_secret,
3011 : 32);
3012 0 : EVP_PKEY_free(pub_key);
3013 :
3014 : }
3015 : #ifndef OPENSSL_NO_SRP
3016 0 : else if (alg_k & SSL_kSRP) {
3017 0 : if (s->srp_ctx.A != NULL) {
3018 : /* send off the data */
3019 0 : n = BN_num_bytes(s->srp_ctx.A);
3020 0 : s2n(n, p);
3021 0 : BN_bn2bin(s->srp_ctx.A, p);
3022 0 : n += 2;
3023 : } else {
3024 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3025 : ERR_R_INTERNAL_ERROR);
3026 0 : goto err;
3027 : }
3028 0 : if (s->session->srp_username != NULL)
3029 0 : OPENSSL_free(s->session->srp_username);
3030 0 : s->session->srp_username = BUF_strdup(s->srp_ctx.login);
3031 0 : if (s->session->srp_username == NULL) {
3032 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3033 : ERR_R_MALLOC_FAILURE);
3034 0 : goto err;
3035 : }
3036 :
3037 0 : if ((s->session->master_key_length =
3038 0 : SRP_generate_client_master_secret(s,
3039 0 : s->session->master_key)) <
3040 : 0) {
3041 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3042 : ERR_R_INTERNAL_ERROR);
3043 0 : goto err;
3044 : }
3045 : }
3046 : #endif
3047 : #ifndef OPENSSL_NO_PSK
3048 0 : else if (alg_k & SSL_kPSK) {
3049 : /*
3050 : * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
3051 : * \0-terminated identity. The last byte is for us for simulating
3052 : * strnlen.
3053 : */
3054 : char identity[PSK_MAX_IDENTITY_LEN + 2];
3055 : size_t identity_len;
3056 : unsigned char *t = NULL;
3057 : unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN * 2 + 4];
3058 : unsigned int pre_ms_len = 0, psk_len = 0;
3059 : int psk_err = 1;
3060 :
3061 : n = 0;
3062 0 : if (s->psk_client_callback == NULL) {
3063 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3064 : SSL_R_PSK_NO_CLIENT_CB);
3065 0 : goto err;
3066 : }
3067 :
3068 : memset(identity, 0, sizeof(identity));
3069 0 : psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
3070 : identity, sizeof(identity) - 1,
3071 : psk_or_pre_ms,
3072 : sizeof(psk_or_pre_ms));
3073 0 : if (psk_len > PSK_MAX_PSK_LEN) {
3074 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3075 : ERR_R_INTERNAL_ERROR);
3076 0 : goto psk_err;
3077 0 : } else if (psk_len == 0) {
3078 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3079 : SSL_R_PSK_IDENTITY_NOT_FOUND);
3080 0 : goto psk_err;
3081 : }
3082 0 : identity[PSK_MAX_IDENTITY_LEN + 1] = '\0';
3083 0 : identity_len = strlen(identity);
3084 0 : if (identity_len > PSK_MAX_IDENTITY_LEN) {
3085 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3086 : ERR_R_INTERNAL_ERROR);
3087 0 : goto psk_err;
3088 : }
3089 : /* create PSK pre_master_secret */
3090 0 : pre_ms_len = 2 + psk_len + 2 + psk_len;
3091 : t = psk_or_pre_ms;
3092 0 : memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
3093 0 : s2n(psk_len, t);
3094 : memset(t, 0, psk_len);
3095 0 : t += psk_len;
3096 0 : s2n(psk_len, t);
3097 :
3098 0 : if (s->session->psk_identity_hint != NULL)
3099 0 : OPENSSL_free(s->session->psk_identity_hint);
3100 0 : s->session->psk_identity_hint =
3101 0 : BUF_strdup(s->ctx->psk_identity_hint);
3102 0 : if (s->ctx->psk_identity_hint != NULL
3103 0 : && s->session->psk_identity_hint == NULL) {
3104 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3105 : ERR_R_MALLOC_FAILURE);
3106 0 : goto psk_err;
3107 : }
3108 :
3109 0 : if (s->session->psk_identity != NULL)
3110 0 : OPENSSL_free(s->session->psk_identity);
3111 0 : s->session->psk_identity = BUF_strdup(identity);
3112 0 : if (s->session->psk_identity == NULL) {
3113 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
3114 : ERR_R_MALLOC_FAILURE);
3115 0 : goto psk_err;
3116 : }
3117 :
3118 0 : s->session->master_key_length =
3119 0 : s->method->ssl3_enc->generate_master_secret(s,
3120 0 : s->
3121 : session->master_key,
3122 : psk_or_pre_ms,
3123 : pre_ms_len);
3124 0 : s2n(identity_len, p);
3125 : memcpy(p, identity, identity_len);
3126 0 : n = 2 + identity_len;
3127 : psk_err = 0;
3128 : psk_err:
3129 0 : OPENSSL_cleanse(identity, sizeof(identity));
3130 0 : OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
3131 0 : if (psk_err != 0) {
3132 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3133 0 : goto err;
3134 : }
3135 : }
3136 : #endif
3137 : else {
3138 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3139 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
3140 0 : goto err;
3141 : }
3142 :
3143 370 : ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
3144 370 : s->state = SSL3_ST_CW_KEY_EXCH_B;
3145 : }
3146 :
3147 : /* SSL3_ST_CW_KEY_EXCH_B */
3148 370 : return ssl_do_write(s);
3149 : err:
3150 : #ifndef OPENSSL_NO_ECDH
3151 0 : BN_CTX_free(bn_ctx);
3152 0 : if (encodedPoint != NULL)
3153 0 : OPENSSL_free(encodedPoint);
3154 0 : if (clnt_ecdh != NULL)
3155 0 : EC_KEY_free(clnt_ecdh);
3156 0 : EVP_PKEY_free(srvr_pub_pkey);
3157 : #endif
3158 0 : s->state = SSL_ST_ERR;
3159 0 : return (-1);
3160 : }
3161 :
3162 0 : int ssl3_send_client_verify(SSL *s)
3163 : {
3164 : unsigned char *p;
3165 : unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
3166 : EVP_PKEY *pkey;
3167 : EVP_PKEY_CTX *pctx = NULL;
3168 : EVP_MD_CTX mctx;
3169 0 : unsigned u = 0;
3170 : unsigned long n;
3171 : int j;
3172 :
3173 0 : EVP_MD_CTX_init(&mctx);
3174 :
3175 0 : if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
3176 0 : p = ssl_handshake_start(s);
3177 0 : pkey = s->cert->key->privatekey;
3178 : /* Create context from key and test if sha1 is allowed as digest */
3179 0 : pctx = EVP_PKEY_CTX_new(pkey, NULL);
3180 0 : EVP_PKEY_sign_init(pctx);
3181 0 : if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
3182 0 : if (!SSL_USE_SIGALGS(s))
3183 0 : s->method->ssl3_enc->cert_verify_mac(s,
3184 : NID_sha1,
3185 : &(data
3186 : [MD5_DIGEST_LENGTH]));
3187 : } else {
3188 0 : ERR_clear_error();
3189 : }
3190 : /*
3191 : * For TLS v1.2 send signature algorithm and signature using agreed
3192 : * digest and cached handshake records.
3193 : */
3194 0 : if (SSL_USE_SIGALGS(s)) {
3195 : long hdatalen = 0;
3196 : void *hdata;
3197 0 : const EVP_MD *md = s->cert->key->digest;
3198 0 : hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
3199 0 : if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
3200 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
3201 0 : goto err;
3202 : }
3203 : p += 2;
3204 : #ifdef SSL_DEBUG
3205 : fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
3206 : EVP_MD_name(md));
3207 : #endif
3208 0 : if (!EVP_SignInit_ex(&mctx, md, NULL)
3209 0 : || !EVP_SignUpdate(&mctx, hdata, hdatalen)
3210 0 : || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
3211 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_EVP_LIB);
3212 0 : goto err;
3213 : }
3214 0 : s2n(u, p);
3215 0 : n = u + 4;
3216 0 : if (!ssl3_digest_cached_records(s))
3217 : goto err;
3218 : } else
3219 : #ifndef OPENSSL_NO_RSA
3220 0 : if (pkey->type == EVP_PKEY_RSA) {
3221 0 : s->method->ssl3_enc->cert_verify_mac(s, NID_md5, &(data[0]));
3222 0 : if (RSA_sign(NID_md5_sha1, data,
3223 : MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
3224 0 : &(p[2]), &u, pkey->pkey.rsa) <= 0) {
3225 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB);
3226 0 : goto err;
3227 : }
3228 0 : s2n(u, p);
3229 0 : n = u + 2;
3230 : } else
3231 : #endif
3232 : #ifndef OPENSSL_NO_DSA
3233 0 : if (pkey->type == EVP_PKEY_DSA) {
3234 0 : if (!DSA_sign(pkey->save_type,
3235 : &(data[MD5_DIGEST_LENGTH]),
3236 : SHA_DIGEST_LENGTH, &(p[2]),
3237 0 : (unsigned int *)&j, pkey->pkey.dsa)) {
3238 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB);
3239 0 : goto err;
3240 : }
3241 0 : s2n(j, p);
3242 0 : n = j + 2;
3243 : } else
3244 : #endif
3245 : #ifndef OPENSSL_NO_ECDSA
3246 0 : if (pkey->type == EVP_PKEY_EC) {
3247 0 : if (!ECDSA_sign(pkey->save_type,
3248 : &(data[MD5_DIGEST_LENGTH]),
3249 : SHA_DIGEST_LENGTH, &(p[2]),
3250 0 : (unsigned int *)&j, pkey->pkey.ec)) {
3251 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_ECDSA_LIB);
3252 0 : goto err;
3253 : }
3254 0 : s2n(j, p);
3255 0 : n = j + 2;
3256 : } else
3257 : #endif
3258 0 : if (pkey->type == NID_id_GostR3410_94
3259 0 : || pkey->type == NID_id_GostR3410_2001) {
3260 : unsigned char signbuf[64];
3261 : int i;
3262 0 : size_t sigsize = 64;
3263 0 : s->method->ssl3_enc->cert_verify_mac(s,
3264 : NID_id_GostR3411_94, data);
3265 0 : if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
3266 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
3267 0 : goto err;
3268 : }
3269 0 : for (i = 63, j = 0; i >= 0; j++, i--) {
3270 0 : p[2 + j] = signbuf[i];
3271 : }
3272 0 : s2n(j, p);
3273 0 : n = j + 2;
3274 : } else {
3275 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
3276 0 : goto err;
3277 : }
3278 0 : ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
3279 0 : s->state = SSL3_ST_CW_CERT_VRFY_B;
3280 : }
3281 0 : EVP_MD_CTX_cleanup(&mctx);
3282 0 : EVP_PKEY_CTX_free(pctx);
3283 0 : return ssl_do_write(s);
3284 : err:
3285 0 : EVP_MD_CTX_cleanup(&mctx);
3286 0 : EVP_PKEY_CTX_free(pctx);
3287 0 : s->state = SSL_ST_ERR;
3288 0 : return (-1);
3289 : }
3290 :
3291 : /*
3292 : * Check a certificate can be used for client authentication. Currently check
3293 : * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3294 : * certificates can be used and optionally checks suitability for Suite B.
3295 : */
3296 0 : static int ssl3_check_client_certificate(SSL *s)
3297 : {
3298 : unsigned long alg_k;
3299 0 : if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
3300 : return 0;
3301 : /* If no suitable signature algorithm can't use certificate */
3302 0 : if (SSL_USE_SIGALGS(s) && !s->cert->key->digest)
3303 : return 0;
3304 : /*
3305 : * If strict mode check suitability of chain before using it. This also
3306 : * adjusts suite B digest if necessary.
3307 : */
3308 0 : if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
3309 0 : !tls1_check_chain(s, NULL, NULL, NULL, -2))
3310 : return 0;
3311 0 : alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3312 : /* See if we can use client certificate for fixed DH */
3313 0 : if (alg_k & (SSL_kDHr | SSL_kDHd)) {
3314 0 : SESS_CERT *scert = s->session->sess_cert;
3315 0 : int i = scert->peer_cert_type;
3316 : EVP_PKEY *clkey = NULL, *spkey = NULL;
3317 0 : clkey = s->cert->key->privatekey;
3318 : /* If client key not DH assume it can be used */
3319 0 : if (EVP_PKEY_id(clkey) != EVP_PKEY_DH)
3320 : return 1;
3321 0 : if (i >= 0)
3322 0 : spkey = X509_get_pubkey(scert->peer_pkeys[i].x509);
3323 0 : if (spkey) {
3324 : /* Compare server and client parameters */
3325 0 : i = EVP_PKEY_cmp_parameters(clkey, spkey);
3326 0 : EVP_PKEY_free(spkey);
3327 0 : if (i != 1)
3328 : return 0;
3329 : }
3330 0 : s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
3331 : }
3332 : return 1;
3333 : }
3334 :
3335 0 : int ssl3_send_client_certificate(SSL *s)
3336 : {
3337 0 : X509 *x509 = NULL;
3338 0 : EVP_PKEY *pkey = NULL;
3339 : int i;
3340 :
3341 0 : if (s->state == SSL3_ST_CW_CERT_A) {
3342 : /* Let cert callback update client certificates if required */
3343 0 : if (s->cert->cert_cb) {
3344 0 : i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
3345 0 : if (i < 0) {
3346 0 : s->rwstate = SSL_X509_LOOKUP;
3347 0 : return -1;
3348 : }
3349 0 : if (i == 0) {
3350 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
3351 0 : s->state = SSL_ST_ERR;
3352 0 : return 0;
3353 : }
3354 0 : s->rwstate = SSL_NOTHING;
3355 : }
3356 0 : if (ssl3_check_client_certificate(s))
3357 0 : s->state = SSL3_ST_CW_CERT_C;
3358 : else
3359 0 : s->state = SSL3_ST_CW_CERT_B;
3360 : }
3361 :
3362 : /* We need to get a client cert */
3363 0 : if (s->state == SSL3_ST_CW_CERT_B) {
3364 : /*
3365 : * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3366 : * return(-1); We then get retied later
3367 : */
3368 : i = 0;
3369 0 : i = ssl_do_client_cert_cb(s, &x509, &pkey);
3370 0 : if (i < 0) {
3371 0 : s->rwstate = SSL_X509_LOOKUP;
3372 0 : return (-1);
3373 : }
3374 0 : s->rwstate = SSL_NOTHING;
3375 0 : if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3376 0 : s->state = SSL3_ST_CW_CERT_B;
3377 0 : if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
3378 : i = 0;
3379 0 : } else if (i == 1) {
3380 : i = 0;
3381 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,
3382 : SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3383 : }
3384 :
3385 0 : if (x509 != NULL)
3386 0 : X509_free(x509);
3387 0 : if (pkey != NULL)
3388 0 : EVP_PKEY_free(pkey);
3389 0 : if (i && !ssl3_check_client_certificate(s))
3390 : i = 0;
3391 0 : if (i == 0) {
3392 0 : if (s->version == SSL3_VERSION) {
3393 0 : s->s3->tmp.cert_req = 0;
3394 0 : ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3395 0 : return (1);
3396 : } else {
3397 0 : s->s3->tmp.cert_req = 2;
3398 : }
3399 : }
3400 :
3401 : /* Ok, we have a cert */
3402 0 : s->state = SSL3_ST_CW_CERT_C;
3403 : }
3404 :
3405 0 : if (s->state == SSL3_ST_CW_CERT_C) {
3406 0 : s->state = SSL3_ST_CW_CERT_D;
3407 0 : if (!ssl3_output_cert_chain(s,
3408 0 : (s->s3->tmp.cert_req ==
3409 0 : 2) ? NULL : s->cert->key)) {
3410 0 : SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3411 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
3412 0 : s->state = SSL_ST_ERR;
3413 0 : return 0;
3414 : }
3415 : }
3416 : /* SSL3_ST_CW_CERT_D */
3417 0 : return ssl_do_write(s);
3418 : }
3419 :
3420 : #define has_bits(i,m) (((i)&(m)) == (m))
3421 :
3422 370 : int ssl3_check_cert_and_algorithm(SSL *s)
3423 : {
3424 : int i, idx;
3425 : long alg_k, alg_a;
3426 : EVP_PKEY *pkey = NULL;
3427 : int pkey_bits;
3428 : SESS_CERT *sc;
3429 : #ifndef OPENSSL_NO_RSA
3430 : RSA *rsa;
3431 : #endif
3432 : #ifndef OPENSSL_NO_DH
3433 : DH *dh;
3434 : #endif
3435 : int al = SSL_AD_HANDSHAKE_FAILURE;
3436 :
3437 370 : alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3438 370 : alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3439 :
3440 : /* we don't have a certificate */
3441 370 : if ((alg_a & (SSL_aNULL | SSL_aKRB5)) || (alg_k & SSL_kPSK))
3442 : return (1);
3443 :
3444 370 : sc = s->session->sess_cert;
3445 370 : if (sc == NULL) {
3446 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
3447 0 : goto err;
3448 : }
3449 : #ifndef OPENSSL_NO_RSA
3450 370 : rsa = s->session->sess_cert->peer_rsa_tmp;
3451 : #endif
3452 : #ifndef OPENSSL_NO_DH
3453 370 : dh = s->session->sess_cert->peer_dh_tmp;
3454 : #endif
3455 :
3456 : /* This is the passed certificate */
3457 :
3458 370 : idx = sc->peer_cert_type;
3459 : #ifndef OPENSSL_NO_ECDH
3460 370 : if (idx == SSL_PKEY_ECC) {
3461 0 : if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, s) == 0) {
3462 : /* check failed */
3463 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3464 0 : goto f_err;
3465 : } else {
3466 : return 1;
3467 : }
3468 370 : } else if (alg_a & SSL_aECDSA) {
3469 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3470 : SSL_R_MISSING_ECDSA_SIGNING_CERT);
3471 0 : goto f_err;
3472 370 : } else if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
3473 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_ECDH_CERT);
3474 0 : goto f_err;
3475 : }
3476 : #endif
3477 370 : pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
3478 370 : pkey_bits = EVP_PKEY_bits(pkey);
3479 370 : i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
3480 370 : EVP_PKEY_free(pkey);
3481 :
3482 : /* Check that we have a certificate if we require one */
3483 370 : if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
3484 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3485 : SSL_R_MISSING_RSA_SIGNING_CERT);
3486 0 : goto f_err;
3487 : }
3488 : #ifndef OPENSSL_NO_DSA
3489 370 : else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA | EVP_PKT_SIGN)) {
3490 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3491 : SSL_R_MISSING_DSA_SIGNING_CERT);
3492 0 : goto f_err;
3493 : }
3494 : #endif
3495 : #ifndef OPENSSL_NO_RSA
3496 370 : if (alg_k & SSL_kRSA) {
3497 0 : if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
3498 0 : !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
3499 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3500 : SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3501 0 : goto f_err;
3502 0 : } else if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
3503 0 : if (pkey_bits <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3504 0 : if (!has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
3505 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3506 : SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3507 0 : goto f_err;
3508 : }
3509 0 : if (rsa != NULL) {
3510 : /* server key exchange is not allowed. */
3511 : al = SSL_AD_INTERNAL_ERROR;
3512 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
3513 0 : goto f_err;
3514 : }
3515 : }
3516 : }
3517 : }
3518 : #endif
3519 : #ifndef OPENSSL_NO_DH
3520 370 : if ((alg_k & SSL_kEDH) && dh == NULL) {
3521 : al = SSL_AD_INTERNAL_ERROR;
3522 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
3523 0 : goto f_err;
3524 : }
3525 370 : if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
3526 0 : !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {
3527 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3528 : SSL_R_MISSING_DH_RSA_CERT);
3529 0 : goto f_err;
3530 : }
3531 : # ifndef OPENSSL_NO_DSA
3532 370 : if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
3533 0 : !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) {
3534 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3535 : SSL_R_MISSING_DH_DSA_CERT);
3536 0 : goto f_err;
3537 : }
3538 : # endif
3539 :
3540 370 : if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
3541 : int dh_size;
3542 0 : if (alg_k & SSL_kDHE) {
3543 0 : dh_size = BN_num_bits(dh->p);
3544 : } else {
3545 0 : DH *dh_srvr = get_server_static_dh_key(sc);
3546 0 : if (dh_srvr == NULL)
3547 : goto f_err;
3548 0 : dh_size = BN_num_bits(dh_srvr->p);
3549 0 : DH_free(dh_srvr);
3550 : }
3551 :
3552 0 : if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
3553 0 : || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
3554 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
3555 0 : goto f_err;
3556 : }
3557 : }
3558 : #endif /* !OPENSSL_NO_DH */
3559 :
3560 370 : if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
3561 0 : pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3562 : #ifndef OPENSSL_NO_RSA
3563 0 : if (alg_k & SSL_kRSA) {
3564 0 : if (rsa == NULL) {
3565 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3566 : SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3567 0 : goto f_err;
3568 0 : } else if (BN_num_bits(rsa->n) >
3569 0 : SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3570 : /* We have a temporary RSA key but it's too large. */
3571 : al = SSL_AD_EXPORT_RESTRICTION;
3572 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3573 : SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3574 0 : goto f_err;
3575 : }
3576 : } else
3577 : #endif
3578 : #ifndef OPENSSL_NO_DH
3579 0 : if (alg_k & SSL_kDHE) {
3580 0 : if (BN_num_bits(dh->p) >
3581 0 : SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3582 : /* We have a temporary DH key but it's too large. */
3583 : al = SSL_AD_EXPORT_RESTRICTION;
3584 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3585 : SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3586 0 : goto f_err;
3587 : }
3588 0 : } else if (alg_k & (SSL_kDHr | SSL_kDHd)) {
3589 : /* The cert should have had an export DH key. */
3590 : al = SSL_AD_EXPORT_RESTRICTION;
3591 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3592 : SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3593 0 : goto f_err;
3594 : } else
3595 : #endif
3596 : {
3597 0 : SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3598 : SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3599 0 : goto f_err;
3600 : }
3601 : }
3602 : return (1);
3603 : f_err:
3604 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
3605 : err:
3606 : return (0);
3607 : }
3608 :
3609 : #ifndef OPENSSL_NO_TLSEXT
3610 : /*
3611 : * Normally, we can tell if the server is resuming the session from
3612 : * the session ID. EAP-FAST (RFC 4851), however, relies on the next server
3613 : * message after the ServerHello to determine if the server is resuming.
3614 : * Therefore, we allow EAP-FAST to peek ahead.
3615 : * ssl3_check_finished returns 1 if we are resuming from an external
3616 : * pre-shared secret, we have a "ticket" and the next server handshake message
3617 : * is Finished; and 0 otherwise. It returns -1 upon an error.
3618 : */
3619 370 : static int ssl3_check_finished(SSL *s)
3620 : {
3621 370 : int ok = 0;
3622 :
3623 370 : if (s->version < TLS1_VERSION || !s->tls_session_secret_cb ||
3624 0 : !s->session->tlsext_tick)
3625 : return 0;
3626 :
3627 : /* Need to permit this temporarily, in case the next message is Finished. */
3628 0 : s->s3->flags |= SSL3_FLAGS_CCS_OK;
3629 : /*
3630 : * This function is called when we might get a Certificate message instead,
3631 : * so permit appropriate message length.
3632 : * We ignore the return value as we're only interested in the message type
3633 : * and not its length.
3634 : */
3635 0 : s->method->ssl_get_message(s,
3636 : SSL3_ST_CR_CERT_A,
3637 : SSL3_ST_CR_CERT_B,
3638 : -1, s->max_cert_list, &ok);
3639 0 : s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
3640 :
3641 0 : if (!ok)
3642 : return -1;
3643 :
3644 0 : s->s3->tmp.reuse_message = 1;
3645 :
3646 0 : if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
3647 : return 1;
3648 :
3649 : /* If we're not done, then the CCS arrived early and we should bail. */
3650 0 : if (s->s3->change_cipher_spec) {
3651 0 : SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY);
3652 0 : ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
3653 0 : return -1;
3654 : }
3655 :
3656 : return 0;
3657 : }
3658 :
3659 : # ifndef OPENSSL_NO_NEXTPROTONEG
3660 0 : int ssl3_send_next_proto(SSL *s)
3661 : {
3662 : unsigned int len, padding_len;
3663 : unsigned char *d;
3664 :
3665 0 : if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
3666 0 : len = s->next_proto_negotiated_len;
3667 0 : padding_len = 32 - ((len + 2) % 32);
3668 0 : d = (unsigned char *)s->init_buf->data;
3669 0 : d[4] = len;
3670 0 : memcpy(d + 5, s->next_proto_negotiated, len);
3671 0 : d[5 + len] = padding_len;
3672 0 : memset(d + 6 + len, 0, padding_len);
3673 0 : *(d++) = SSL3_MT_NEXT_PROTO;
3674 0 : l2n3(2 + len + padding_len, d);
3675 0 : s->state = SSL3_ST_CW_NEXT_PROTO_B;
3676 0 : s->init_num = 4 + 2 + len + padding_len;
3677 0 : s->init_off = 0;
3678 : }
3679 :
3680 0 : return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3681 : }
3682 : #endif /* !OPENSSL_NO_NEXTPROTONEG */
3683 : #endif /* !OPENSSL_NO_TLSEXT */
3684 :
3685 0 : int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3686 : {
3687 : int i = 0;
3688 : #ifndef OPENSSL_NO_ENGINE
3689 0 : if (s->ctx->client_cert_engine) {
3690 0 : i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3691 : SSL_get_client_CA_list(s),
3692 : px509, ppkey, NULL, NULL, NULL);
3693 0 : if (i != 0)
3694 : return i;
3695 : }
3696 : #endif
3697 0 : if (s->ctx->client_cert_cb)
3698 0 : i = s->ctx->client_cert_cb(s, px509, ppkey);
3699 0 : return i;
3700 : }
|