s3_srvr.c revision 264331
1/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124/* ==================================================================== 125 * Copyright 2005 Nokia. All rights reserved. 126 * 127 * The portions of the attached software ("Contribution") is developed by 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 129 * license. 130 * 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 133 * support (see RFC 4279) to OpenSSL. 134 * 135 * No patent licenses or other rights except those expressly stated in 136 * the OpenSSL open source license shall be deemed granted or received 137 * expressly, by implication, estoppel, or otherwise. 138 * 139 * No assurances are provided by Nokia that the Contribution does not 140 * infringe the patent or other intellectual property rights of any third 141 * party or that the license provides you with all the necessary rights 142 * to make use of the Contribution. 143 * 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 148 * OTHERWISE. 149 */ 150 151#define REUSE_CIPHER_BUG 152#define NETSCAPE_HANG_BUG 153 154#include <stdio.h> 155#include "ssl_locl.h" 156#include "kssl_lcl.h" 157#include <openssl/buffer.h> 158#include <openssl/rand.h> 159#include <openssl/objects.h> 160#include <openssl/evp.h> 161#include <openssl/hmac.h> 162#include <openssl/x509.h> 163#ifndef OPENSSL_NO_DH 164#include <openssl/dh.h> 165#endif 166#include <openssl/bn.h> 167#ifndef OPENSSL_NO_KRB5 168#include <openssl/krb5_asn.h> 169#endif 170#include <openssl/md5.h> 171 172static const SSL_METHOD *ssl3_get_server_method(int ver); 173 174static const SSL_METHOD *ssl3_get_server_method(int ver) 175 { 176 if (ver == SSL3_VERSION) 177 return(SSLv3_server_method()); 178 else 179 return(NULL); 180 } 181 182#ifndef OPENSSL_NO_SRP 183static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) 184 { 185 int ret = SSL_ERROR_NONE; 186 187 *al = SSL_AD_UNRECOGNIZED_NAME; 188 189 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 190 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) 191 { 192 if(s->srp_ctx.login == NULL) 193 { 194 /* RFC 5054 says SHOULD reject, 195 we do so if There is no srp login name */ 196 ret = SSL3_AL_FATAL; 197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 198 } 199 else 200 { 201 ret = SSL_srp_server_param_with_username(s,al); 202 } 203 } 204 return ret; 205 } 206#endif 207 208IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 209 ssl3_accept, 210 ssl_undefined_function, 211 ssl3_get_server_method) 212 213int ssl3_accept(SSL *s) 214 { 215 BUF_MEM *buf; 216 unsigned long alg_k,Time=(unsigned long)time(NULL); 217 void (*cb)(const SSL *ssl,int type,int val)=NULL; 218 int ret= -1; 219 int new_state,state,skip=0; 220 221 RAND_add(&Time,sizeof(Time),0); 222 ERR_clear_error(); 223 clear_sys_error(); 224 225 if (s->info_callback != NULL) 226 cb=s->info_callback; 227 else if (s->ctx->info_callback != NULL) 228 cb=s->ctx->info_callback; 229 230 /* init things to blank */ 231 s->in_handshake++; 232 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 233 234 if (s->cert == NULL) 235 { 236 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 237 return(-1); 238 } 239 240#ifndef OPENSSL_NO_HEARTBEATS 241 /* If we're awaiting a HeartbeatResponse, pretend we 242 * already got and don't await it anymore, because 243 * Heartbeats don't make sense during handshakes anyway. 244 */ 245 if (s->tlsext_hb_pending) 246 { 247 s->tlsext_hb_pending = 0; 248 s->tlsext_hb_seq++; 249 } 250#endif 251 252 for (;;) 253 { 254 state=s->state; 255 256 switch (s->state) 257 { 258 case SSL_ST_RENEGOTIATE: 259 s->renegotiate=1; 260 /* s->state=SSL_ST_ACCEPT; */ 261 262 case SSL_ST_BEFORE: 263 case SSL_ST_ACCEPT: 264 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 265 case SSL_ST_OK|SSL_ST_ACCEPT: 266 267 s->server=1; 268 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 269 270 if ((s->version>>8) != 3) 271 { 272 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 273 return -1; 274 } 275 s->type=SSL_ST_ACCEPT; 276 277 if (s->init_buf == NULL) 278 { 279 if ((buf=BUF_MEM_new()) == NULL) 280 { 281 ret= -1; 282 goto end; 283 } 284 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 285 { 286 ret= -1; 287 goto end; 288 } 289 s->init_buf=buf; 290 } 291 292 if (!ssl3_setup_buffers(s)) 293 { 294 ret= -1; 295 goto end; 296 } 297 298 s->init_num=0; 299 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 300 301 if (s->state != SSL_ST_RENEGOTIATE) 302 { 303 /* Ok, we now need to push on a buffering BIO so that 304 * the output is sent in a way that TCP likes :-) 305 */ 306 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 307 308 ssl3_init_finished_mac(s); 309 s->state=SSL3_ST_SR_CLNT_HELLO_A; 310 s->ctx->stats.sess_accept++; 311 } 312 else if (!s->s3->send_connection_binding && 313 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 314 { 315 /* Server attempting to renegotiate with 316 * client that doesn't support secure 317 * renegotiation. 318 */ 319 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 320 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 321 ret = -1; 322 goto end; 323 } 324 else 325 { 326 /* s->state == SSL_ST_RENEGOTIATE, 327 * we will just send a HelloRequest */ 328 s->ctx->stats.sess_accept_renegotiate++; 329 s->state=SSL3_ST_SW_HELLO_REQ_A; 330 } 331 break; 332 333 case SSL3_ST_SW_HELLO_REQ_A: 334 case SSL3_ST_SW_HELLO_REQ_B: 335 336 s->shutdown=0; 337 ret=ssl3_send_hello_request(s); 338 if (ret <= 0) goto end; 339 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 340 s->state=SSL3_ST_SW_FLUSH; 341 s->init_num=0; 342 343 ssl3_init_finished_mac(s); 344 break; 345 346 case SSL3_ST_SW_HELLO_REQ_C: 347 s->state=SSL_ST_OK; 348 break; 349 350 case SSL3_ST_SR_CLNT_HELLO_A: 351 case SSL3_ST_SR_CLNT_HELLO_B: 352 case SSL3_ST_SR_CLNT_HELLO_C: 353 354 s->shutdown=0; 355 if (s->rwstate != SSL_X509_LOOKUP) 356 { 357 ret=ssl3_get_client_hello(s); 358 if (ret <= 0) goto end; 359 } 360#ifndef OPENSSL_NO_SRP 361 { 362 int al; 363 if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0) 364 { 365 /* callback indicates firther work to be done */ 366 s->rwstate=SSL_X509_LOOKUP; 367 goto end; 368 } 369 if (ret != SSL_ERROR_NONE) 370 { 371 ssl3_send_alert(s,SSL3_AL_FATAL,al); 372 /* This is not really an error but the only means to 373 for a client to detect whether srp is supported. */ 374 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 375 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); 376 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 377 ret= -1; 378 goto end; 379 } 380 } 381#endif 382 383 s->renegotiate = 2; 384 s->state=SSL3_ST_SW_SRVR_HELLO_A; 385 s->init_num=0; 386 break; 387 388 case SSL3_ST_SW_SRVR_HELLO_A: 389 case SSL3_ST_SW_SRVR_HELLO_B: 390 ret=ssl3_send_server_hello(s); 391 if (ret <= 0) goto end; 392#ifndef OPENSSL_NO_TLSEXT 393 if (s->hit) 394 { 395 if (s->tlsext_ticket_expected) 396 s->state=SSL3_ST_SW_SESSION_TICKET_A; 397 else 398 s->state=SSL3_ST_SW_CHANGE_A; 399 } 400#else 401 if (s->hit) 402 s->state=SSL3_ST_SW_CHANGE_A; 403#endif 404 else 405 s->state=SSL3_ST_SW_CERT_A; 406 s->init_num=0; 407 break; 408 409 case SSL3_ST_SW_CERT_A: 410 case SSL3_ST_SW_CERT_B: 411 /* Check if it is anon DH or anon ECDH, */ 412 /* normal PSK or KRB5 or SRP */ 413 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 414 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 415 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 416 { 417 ret=ssl3_send_server_certificate(s); 418 if (ret <= 0) goto end; 419#ifndef OPENSSL_NO_TLSEXT 420 if (s->tlsext_status_expected) 421 s->state=SSL3_ST_SW_CERT_STATUS_A; 422 else 423 s->state=SSL3_ST_SW_KEY_EXCH_A; 424 } 425 else 426 { 427 skip = 1; 428 s->state=SSL3_ST_SW_KEY_EXCH_A; 429 } 430#else 431 } 432 else 433 skip=1; 434 435 s->state=SSL3_ST_SW_KEY_EXCH_A; 436#endif 437 s->init_num=0; 438 break; 439 440 case SSL3_ST_SW_KEY_EXCH_A: 441 case SSL3_ST_SW_KEY_EXCH_B: 442 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 443 444 /* clear this, it may get reset by 445 * send_server_key_exchange */ 446 if ((s->options & SSL_OP_EPHEMERAL_RSA) 447#ifndef OPENSSL_NO_KRB5 448 && !(alg_k & SSL_kKRB5) 449#endif /* OPENSSL_NO_KRB5 */ 450 ) 451 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 452 * even when forbidden by protocol specs 453 * (handshake may fail as clients are not required to 454 * be able to handle this) */ 455 s->s3->tmp.use_rsa_tmp=1; 456 else 457 s->s3->tmp.use_rsa_tmp=0; 458 459 460 /* only send if a DH key exchange, fortezza or 461 * RSA but we have a sign only certificate 462 * 463 * PSK: may send PSK identity hints 464 * 465 * For ECC ciphersuites, we send a serverKeyExchange 466 * message only if the cipher suite is either 467 * ECDH-anon or ECDHE. In other cases, the 468 * server certificate contains the server's 469 * public key for key exchange. 470 */ 471 if (s->s3->tmp.use_rsa_tmp 472 /* PSK: send ServerKeyExchange if PSK identity 473 * hint if provided */ 474#ifndef OPENSSL_NO_PSK 475 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 476#endif 477#ifndef OPENSSL_NO_SRP 478 /* SRP: send ServerKeyExchange */ 479 || (alg_k & SSL_kSRP) 480#endif 481 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 482 || (alg_k & SSL_kEECDH) 483 || ((alg_k & SSL_kRSA) 484 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 485 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 486 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 487 ) 488 ) 489 ) 490 ) 491 { 492 ret=ssl3_send_server_key_exchange(s); 493 if (ret <= 0) goto end; 494 } 495 else 496 skip=1; 497 498 s->state=SSL3_ST_SW_CERT_REQ_A; 499 s->init_num=0; 500 break; 501 502 case SSL3_ST_SW_CERT_REQ_A: 503 case SSL3_ST_SW_CERT_REQ_B: 504 if (/* don't request cert unless asked for it: */ 505 !(s->verify_mode & SSL_VERIFY_PEER) || 506 /* if SSL_VERIFY_CLIENT_ONCE is set, 507 * don't request cert during re-negotiation: */ 508 ((s->session->peer != NULL) && 509 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 510 /* never request cert in anonymous ciphersuites 511 * (see section "Certificate request" in SSL 3 drafts 512 * and in RFC 2246): */ 513 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 514 /* ... except when the application insists on verification 515 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 516 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 517 /* never request cert in Kerberos ciphersuites */ 518 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 519 /* With normal PSK Certificates and 520 * Certificate Requests are omitted */ 521 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 522 { 523 /* no cert request */ 524 skip=1; 525 s->s3->tmp.cert_request=0; 526 s->state=SSL3_ST_SW_SRVR_DONE_A; 527 if (s->s3->handshake_buffer) 528 if (!ssl3_digest_cached_records(s)) 529 return -1; 530 } 531 else 532 { 533 s->s3->tmp.cert_request=1; 534 ret=ssl3_send_certificate_request(s); 535 if (ret <= 0) goto end; 536#ifndef NETSCAPE_HANG_BUG 537 s->state=SSL3_ST_SW_SRVR_DONE_A; 538#else 539 s->state=SSL3_ST_SW_FLUSH; 540 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 541#endif 542 s->init_num=0; 543 } 544 break; 545 546 case SSL3_ST_SW_SRVR_DONE_A: 547 case SSL3_ST_SW_SRVR_DONE_B: 548 ret=ssl3_send_server_done(s); 549 if (ret <= 0) goto end; 550 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 551 s->state=SSL3_ST_SW_FLUSH; 552 s->init_num=0; 553 break; 554 555 case SSL3_ST_SW_FLUSH: 556 557 /* This code originally checked to see if 558 * any data was pending using BIO_CTRL_INFO 559 * and then flushed. This caused problems 560 * as documented in PR#1939. The proposed 561 * fix doesn't completely resolve this issue 562 * as buggy implementations of BIO_CTRL_PENDING 563 * still exist. So instead we just flush 564 * unconditionally. 565 */ 566 567 s->rwstate=SSL_WRITING; 568 if (BIO_flush(s->wbio) <= 0) 569 { 570 ret= -1; 571 goto end; 572 } 573 s->rwstate=SSL_NOTHING; 574 575 s->state=s->s3->tmp.next_state; 576 break; 577 578 case SSL3_ST_SR_CERT_A: 579 case SSL3_ST_SR_CERT_B: 580 /* Check for second client hello (MS SGC) */ 581 ret = ssl3_check_client_hello(s); 582 if (ret <= 0) 583 goto end; 584 if (ret == 2) 585 s->state = SSL3_ST_SR_CLNT_HELLO_C; 586 else { 587 if (s->s3->tmp.cert_request) 588 { 589 ret=ssl3_get_client_certificate(s); 590 if (ret <= 0) goto end; 591 } 592 s->init_num=0; 593 s->state=SSL3_ST_SR_KEY_EXCH_A; 594 } 595 break; 596 597 case SSL3_ST_SR_KEY_EXCH_A: 598 case SSL3_ST_SR_KEY_EXCH_B: 599 ret=ssl3_get_client_key_exchange(s); 600 if (ret <= 0) 601 goto end; 602 if (ret == 2) 603 { 604 /* For the ECDH ciphersuites when 605 * the client sends its ECDH pub key in 606 * a certificate, the CertificateVerify 607 * message is not sent. 608 * Also for GOST ciphersuites when 609 * the client uses its key from the certificate 610 * for key exchange. 611 */ 612#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 613 s->state=SSL3_ST_SR_FINISHED_A; 614#else 615 if (s->s3->next_proto_neg_seen) 616 s->state=SSL3_ST_SR_NEXT_PROTO_A; 617 else 618 s->state=SSL3_ST_SR_FINISHED_A; 619#endif 620 s->init_num = 0; 621 } 622 else if (TLS1_get_version(s) >= TLS1_2_VERSION) 623 { 624 s->state=SSL3_ST_SR_CERT_VRFY_A; 625 s->init_num=0; 626 if (!s->session->peer) 627 break; 628 /* For TLS v1.2 freeze the handshake buffer 629 * at this point and digest cached records. 630 */ 631 if (!s->s3->handshake_buffer) 632 { 633 SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR); 634 return -1; 635 } 636 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 637 if (!ssl3_digest_cached_records(s)) 638 return -1; 639 } 640 else 641 { 642 int offset=0; 643 int dgst_num; 644 645 s->state=SSL3_ST_SR_CERT_VRFY_A; 646 s->init_num=0; 647 648 /* We need to get hashes here so if there is 649 * a client cert, it can be verified 650 * FIXME - digest processing for CertificateVerify 651 * should be generalized. But it is next step 652 */ 653 if (s->s3->handshake_buffer) 654 if (!ssl3_digest_cached_records(s)) 655 return -1; 656 for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++) 657 if (s->s3->handshake_dgst[dgst_num]) 658 { 659 int dgst_size; 660 661 s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset])); 662 dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 663 if (dgst_size < 0) 664 { 665 ret = -1; 666 goto end; 667 } 668 offset+=dgst_size; 669 } 670 } 671 break; 672 673 case SSL3_ST_SR_CERT_VRFY_A: 674 case SSL3_ST_SR_CERT_VRFY_B: 675 676 /* we should decide if we expected this one */ 677 ret=ssl3_get_cert_verify(s); 678 if (ret <= 0) goto end; 679 680#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 681 s->state=SSL3_ST_SR_FINISHED_A; 682#else 683 if (s->s3->next_proto_neg_seen) 684 s->state=SSL3_ST_SR_NEXT_PROTO_A; 685 else 686 s->state=SSL3_ST_SR_FINISHED_A; 687#endif 688 s->init_num=0; 689 break; 690 691#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 692 case SSL3_ST_SR_NEXT_PROTO_A: 693 case SSL3_ST_SR_NEXT_PROTO_B: 694 ret=ssl3_get_next_proto(s); 695 if (ret <= 0) goto end; 696 s->init_num = 0; 697 s->state=SSL3_ST_SR_FINISHED_A; 698 break; 699#endif 700 701 case SSL3_ST_SR_FINISHED_A: 702 case SSL3_ST_SR_FINISHED_B: 703 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 704 SSL3_ST_SR_FINISHED_B); 705 if (ret <= 0) goto end; 706 if (s->hit) 707 s->state=SSL_ST_OK; 708#ifndef OPENSSL_NO_TLSEXT 709 else if (s->tlsext_ticket_expected) 710 s->state=SSL3_ST_SW_SESSION_TICKET_A; 711#endif 712 else 713 s->state=SSL3_ST_SW_CHANGE_A; 714 s->init_num=0; 715 break; 716 717#ifndef OPENSSL_NO_TLSEXT 718 case SSL3_ST_SW_SESSION_TICKET_A: 719 case SSL3_ST_SW_SESSION_TICKET_B: 720 ret=ssl3_send_newsession_ticket(s); 721 if (ret <= 0) goto end; 722 s->state=SSL3_ST_SW_CHANGE_A; 723 s->init_num=0; 724 break; 725 726 case SSL3_ST_SW_CERT_STATUS_A: 727 case SSL3_ST_SW_CERT_STATUS_B: 728 ret=ssl3_send_cert_status(s); 729 if (ret <= 0) goto end; 730 s->state=SSL3_ST_SW_KEY_EXCH_A; 731 s->init_num=0; 732 break; 733 734#endif 735 736 case SSL3_ST_SW_CHANGE_A: 737 case SSL3_ST_SW_CHANGE_B: 738 739 s->session->cipher=s->s3->tmp.new_cipher; 740 if (!s->method->ssl3_enc->setup_key_block(s)) 741 { ret= -1; goto end; } 742 743 ret=ssl3_send_change_cipher_spec(s, 744 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 745 746 if (ret <= 0) goto end; 747 s->state=SSL3_ST_SW_FINISHED_A; 748 s->init_num=0; 749 750 if (!s->method->ssl3_enc->change_cipher_state(s, 751 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 752 { 753 ret= -1; 754 goto end; 755 } 756 757 break; 758 759 case SSL3_ST_SW_FINISHED_A: 760 case SSL3_ST_SW_FINISHED_B: 761 ret=ssl3_send_finished(s, 762 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 763 s->method->ssl3_enc->server_finished_label, 764 s->method->ssl3_enc->server_finished_label_len); 765 if (ret <= 0) goto end; 766 s->state=SSL3_ST_SW_FLUSH; 767 if (s->hit) 768 { 769#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 770 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 771#else 772 if (s->s3->next_proto_neg_seen) 773 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; 774 else 775 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 776#endif 777 } 778 else 779 s->s3->tmp.next_state=SSL_ST_OK; 780 s->init_num=0; 781 break; 782 783 case SSL_ST_OK: 784 /* clean a few things up */ 785 ssl3_cleanup_key_block(s); 786 787 BUF_MEM_free(s->init_buf); 788 s->init_buf=NULL; 789 790 /* remove buffering on output */ 791 ssl_free_wbio_buffer(s); 792 793 s->init_num=0; 794 795 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 796 { 797 s->renegotiate=0; 798 s->new_session=0; 799 800 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 801 802 s->ctx->stats.sess_accept_good++; 803 /* s->server=1; */ 804 s->handshake_func=ssl3_accept; 805 806 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 807 } 808 809 ret = 1; 810 goto end; 811 /* break; */ 812 813 default: 814 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 815 ret= -1; 816 goto end; 817 /* break; */ 818 } 819 820 if (!s->s3->tmp.reuse_message && !skip) 821 { 822 if (s->debug) 823 { 824 if ((ret=BIO_flush(s->wbio)) <= 0) 825 goto end; 826 } 827 828 829 if ((cb != NULL) && (s->state != state)) 830 { 831 new_state=s->state; 832 s->state=state; 833 cb(s,SSL_CB_ACCEPT_LOOP,1); 834 s->state=new_state; 835 } 836 } 837 skip=0; 838 } 839end: 840 /* BIO_flush(s->wbio); */ 841 842 s->in_handshake--; 843 if (cb != NULL) 844 cb(s,SSL_CB_ACCEPT_EXIT,ret); 845 return(ret); 846 } 847 848int ssl3_send_hello_request(SSL *s) 849 { 850 unsigned char *p; 851 852 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 853 { 854 p=(unsigned char *)s->init_buf->data; 855 *(p++)=SSL3_MT_HELLO_REQUEST; 856 *(p++)=0; 857 *(p++)=0; 858 *(p++)=0; 859 860 s->state=SSL3_ST_SW_HELLO_REQ_B; 861 /* number of bytes to write */ 862 s->init_num=4; 863 s->init_off=0; 864 } 865 866 /* SSL3_ST_SW_HELLO_REQ_B */ 867 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 868 } 869 870int ssl3_check_client_hello(SSL *s) 871 { 872 int ok; 873 long n; 874 875 /* this function is called when we really expect a Certificate message, 876 * so permit appropriate message length */ 877 n=s->method->ssl_get_message(s, 878 SSL3_ST_SR_CERT_A, 879 SSL3_ST_SR_CERT_B, 880 -1, 881 s->max_cert_list, 882 &ok); 883 if (!ok) return((int)n); 884 s->s3->tmp.reuse_message = 1; 885 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 886 { 887 /* We only allow the client to restart the handshake once per 888 * negotiation. */ 889 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) 890 { 891 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 892 return -1; 893 } 894 /* Throw away what we have done so far in the current handshake, 895 * which will now be aborted. (A full SSL_clear would be too much.) */ 896#ifndef OPENSSL_NO_DH 897 if (s->s3->tmp.dh != NULL) 898 { 899 DH_free(s->s3->tmp.dh); 900 s->s3->tmp.dh = NULL; 901 } 902#endif 903#ifndef OPENSSL_NO_ECDH 904 if (s->s3->tmp.ecdh != NULL) 905 { 906 EC_KEY_free(s->s3->tmp.ecdh); 907 s->s3->tmp.ecdh = NULL; 908 } 909#endif 910 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 911 return 2; 912 } 913 return 1; 914} 915 916int ssl3_get_client_hello(SSL *s) 917 { 918 int i,j,ok,al,ret= -1; 919 unsigned int cookie_len; 920 long n; 921 unsigned long id; 922 unsigned char *p,*d,*q; 923 SSL_CIPHER *c; 924#ifndef OPENSSL_NO_COMP 925 SSL_COMP *comp=NULL; 926#endif 927 STACK_OF(SSL_CIPHER) *ciphers=NULL; 928 929 /* We do this so that we will respond with our native type. 930 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 931 * This down switching should be handled by a different method. 932 * If we are SSLv3, we will respond with SSLv3, even if prompted with 933 * TLSv1. 934 */ 935 if (s->state == SSL3_ST_SR_CLNT_HELLO_A 936 ) 937 { 938 s->state=SSL3_ST_SR_CLNT_HELLO_B; 939 } 940 s->first_packet=1; 941 n=s->method->ssl_get_message(s, 942 SSL3_ST_SR_CLNT_HELLO_B, 943 SSL3_ST_SR_CLNT_HELLO_C, 944 SSL3_MT_CLIENT_HELLO, 945 SSL3_RT_MAX_PLAIN_LENGTH, 946 &ok); 947 948 if (!ok) return((int)n); 949 s->first_packet=0; 950 d=p=(unsigned char *)s->init_msg; 951 952 /* use version from inside client hello, not from record header 953 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 954 s->client_version=(((int)p[0])<<8)|(int)p[1]; 955 p+=2; 956 957 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 958 (s->version != DTLS1_VERSION && s->client_version < s->version)) 959 { 960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 962 !s->enc_write_ctx && !s->write_hash) 963 { 964 /* similar to ssl3_get_record, send alert using remote version number */ 965 s->version = s->client_version; 966 } 967 al = SSL_AD_PROTOCOL_VERSION; 968 goto f_err; 969 } 970 971 /* If we require cookies and this ClientHello doesn't 972 * contain one, just return since we do not want to 973 * allocate any memory yet. So check cookie length... 974 */ 975 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 976 { 977 unsigned int session_length, cookie_length; 978 979 session_length = *(p + SSL3_RANDOM_SIZE); 980 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 981 982 if (cookie_length == 0) 983 return 1; 984 } 985 986 /* load the client random */ 987 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 988 p+=SSL3_RANDOM_SIZE; 989 990 /* get the session-id */ 991 j= *(p++); 992 993 s->hit=0; 994 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 995 * 0.9.7 and later allow this by default, but optionally ignore resumption requests 996 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 997 * than a change to default behavior so that applications relying on this for security 998 * won't even compile against older library versions). 999 * 1000 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to request 1001 * renegotiation but not a new session (s->new_session remains unset): for servers, 1002 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1003 * setting will be ignored. 1004 */ 1005 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 1006 { 1007 if (!ssl_get_new_session(s,1)) 1008 goto err; 1009 } 1010 else 1011 { 1012 i=ssl_get_prev_session(s, p, j, d + n); 1013 if (i == 1) 1014 { /* previous session */ 1015 s->hit=1; 1016 } 1017 else if (i == -1) 1018 goto err; 1019 else /* i == 0 */ 1020 { 1021 if (!ssl_get_new_session(s,1)) 1022 goto err; 1023 } 1024 } 1025 1026 p+=j; 1027 1028 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1029 { 1030 /* cookie stuff */ 1031 cookie_len = *(p++); 1032 1033 /* 1034 * The ClientHello may contain a cookie even if the 1035 * HelloVerify message has not been sent--make sure that it 1036 * does not cause an overflow. 1037 */ 1038 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 1039 { 1040 /* too much data */ 1041 al = SSL_AD_DECODE_ERROR; 1042 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1043 goto f_err; 1044 } 1045 1046 /* verify the cookie if appropriate option is set. */ 1047 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 1048 cookie_len > 0) 1049 { 1050 memcpy(s->d1->rcvd_cookie, p, cookie_len); 1051 1052 if ( s->ctx->app_verify_cookie_cb != NULL) 1053 { 1054 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1055 cookie_len) == 0) 1056 { 1057 al=SSL_AD_HANDSHAKE_FAILURE; 1058 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1059 SSL_R_COOKIE_MISMATCH); 1060 goto f_err; 1061 } 1062 /* else cookie verification succeeded */ 1063 } 1064 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 1065 s->d1->cookie_len) != 0) /* default verification */ 1066 { 1067 al=SSL_AD_HANDSHAKE_FAILURE; 1068 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1069 SSL_R_COOKIE_MISMATCH); 1070 goto f_err; 1071 } 1072 1073 ret = 2; 1074 } 1075 1076 p += cookie_len; 1077 } 1078 1079 n2s(p,i); 1080 if ((i == 0) && (j != 0)) 1081 { 1082 /* we need a cipher if we are not resuming a session */ 1083 al=SSL_AD_ILLEGAL_PARAMETER; 1084 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 1085 goto f_err; 1086 } 1087 if ((p+i) >= (d+n)) 1088 { 1089 /* not enough data */ 1090 al=SSL_AD_DECODE_ERROR; 1091 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1092 goto f_err; 1093 } 1094 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 1095 == NULL)) 1096 { 1097 goto err; 1098 } 1099 p+=i; 1100 1101 /* If it is a hit, check that the cipher is in the list */ 1102 if ((s->hit) && (i > 0)) 1103 { 1104 j=0; 1105 id=s->session->cipher->id; 1106 1107#ifdef CIPHER_DEBUG 1108 printf("client sent %d ciphers\n",sk_num(ciphers)); 1109#endif 1110 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 1111 { 1112 c=sk_SSL_CIPHER_value(ciphers,i); 1113#ifdef CIPHER_DEBUG 1114 printf("client [%2d of %2d]:%s\n", 1115 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 1116#endif 1117 if (c->id == id) 1118 { 1119 j=1; 1120 break; 1121 } 1122 } 1123/* Disabled because it can be used in a ciphersuite downgrade 1124 * attack: CVE-2010-4180. 1125 */ 1126#if 0 1127 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 1128 { 1129 /* Special case as client bug workaround: the previously used cipher may 1130 * not be in the current list, the client instead might be trying to 1131 * continue using a cipher that before wasn't chosen due to server 1132 * preferences. We'll have to reject the connection if the cipher is not 1133 * enabled, though. */ 1134 c = sk_SSL_CIPHER_value(ciphers, 0); 1135 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 1136 { 1137 s->session->cipher = c; 1138 j = 1; 1139 } 1140 } 1141#endif 1142 if (j == 0) 1143 { 1144 /* we need to have the cipher in the cipher 1145 * list if we are asked to reuse it */ 1146 al=SSL_AD_ILLEGAL_PARAMETER; 1147 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 1148 goto f_err; 1149 } 1150 } 1151 1152 /* compression */ 1153 i= *(p++); 1154 if ((p+i) > (d+n)) 1155 { 1156 /* not enough data */ 1157 al=SSL_AD_DECODE_ERROR; 1158 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1159 goto f_err; 1160 } 1161 q=p; 1162 for (j=0; j<i; j++) 1163 { 1164 if (p[j] == 0) break; 1165 } 1166 1167 p+=i; 1168 if (j >= i) 1169 { 1170 /* no compress */ 1171 al=SSL_AD_DECODE_ERROR; 1172 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 1173 goto f_err; 1174 } 1175 1176#ifndef OPENSSL_NO_TLSEXT 1177 /* TLS extensions*/ 1178 if (s->version >= SSL3_VERSION) 1179 { 1180 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) 1181 { 1182 /* 'al' set by ssl_parse_clienthello_tlsext */ 1183 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 1184 goto f_err; 1185 } 1186 } 1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1189 goto err; 1190 } 1191 1192 /* Check if we want to use external pre-shared secret for this 1193 * handshake for not reused session only. We need to generate 1194 * server_random before calling tls_session_secret_cb in order to allow 1195 * SessionTicket processing to use it in key derivation. */ 1196 { 1197 unsigned char *pos; 1198 pos=s->s3->server_random; 1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) 1200 { 1201 al=SSL_AD_INTERNAL_ERROR; 1202 goto f_err; 1203 } 1204 } 1205 1206 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) 1207 { 1208 SSL_CIPHER *pref_cipher=NULL; 1209 1210 s->session->master_key_length=sizeof(s->session->master_key); 1211 if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1212 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) 1213 { 1214 s->hit=1; 1215 s->session->ciphers=ciphers; 1216 s->session->verify_result=X509_V_OK; 1217 1218 ciphers=NULL; 1219 1220 /* check if some cipher was preferred by call back */ 1221 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1222 if (pref_cipher == NULL) 1223 { 1224 al=SSL_AD_HANDSHAKE_FAILURE; 1225 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 1226 goto f_err; 1227 } 1228 1229 s->session->cipher=pref_cipher; 1230 1231 if (s->cipher_list) 1232 sk_SSL_CIPHER_free(s->cipher_list); 1233 1234 if (s->cipher_list_by_id) 1235 sk_SSL_CIPHER_free(s->cipher_list_by_id); 1236 1237 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1238 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1239 } 1240 } 1241#endif 1242 1243 /* Worst case, we will use the NULL compression, but if we have other 1244 * options, we will now look for them. We have i-1 compression 1245 * algorithms from the client, starting at q. */ 1246 s->s3->tmp.new_compression=NULL; 1247#ifndef OPENSSL_NO_COMP 1248 /* This only happens if we have a cache hit */ 1249 if (s->session->compress_meth != 0) 1250 { 1251 int m, comp_id = s->session->compress_meth; 1252 /* Perform sanity checks on resumed compression algorithm */ 1253 /* Can't disable compression */ 1254 if (s->options & SSL_OP_NO_COMPRESSION) 1255 { 1256 al=SSL_AD_INTERNAL_ERROR; 1257 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1258 goto f_err; 1259 } 1260 /* Look for resumed compression method */ 1261 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) 1262 { 1263 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1264 if (comp_id == comp->id) 1265 { 1266 s->s3->tmp.new_compression=comp; 1267 break; 1268 } 1269 } 1270 if (s->s3->tmp.new_compression == NULL) 1271 { 1272 al=SSL_AD_INTERNAL_ERROR; 1273 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); 1274 goto f_err; 1275 } 1276 /* Look for resumed method in compression list */ 1277 for (m = 0; m < i; m++) 1278 { 1279 if (q[m] == comp_id) 1280 break; 1281 } 1282 if (m >= i) 1283 { 1284 al=SSL_AD_ILLEGAL_PARAMETER; 1285 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); 1286 goto f_err; 1287 } 1288 } 1289 else if (s->hit) 1290 comp = NULL; 1291 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) 1292 { /* See if we have a match */ 1293 int m,nn,o,v,done=0; 1294 1295 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1296 for (m=0; m<nn; m++) 1297 { 1298 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1299 v=comp->id; 1300 for (o=0; o<i; o++) 1301 { 1302 if (v == q[o]) 1303 { 1304 done=1; 1305 break; 1306 } 1307 } 1308 if (done) break; 1309 } 1310 if (done) 1311 s->s3->tmp.new_compression=comp; 1312 else 1313 comp=NULL; 1314 } 1315#else 1316 /* If compression is disabled we'd better not try to resume a session 1317 * using compression. 1318 */ 1319 if (s->session->compress_meth != 0) 1320 { 1321 al=SSL_AD_INTERNAL_ERROR; 1322 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); 1323 goto f_err; 1324 } 1325#endif 1326 1327 /* Given s->session->ciphers and SSL_get_ciphers, we must 1328 * pick a cipher */ 1329 1330 if (!s->hit) 1331 { 1332#ifdef OPENSSL_NO_COMP 1333 s->session->compress_meth=0; 1334#else 1335 s->session->compress_meth=(comp == NULL)?0:comp->id; 1336#endif 1337 if (s->session->ciphers != NULL) 1338 sk_SSL_CIPHER_free(s->session->ciphers); 1339 s->session->ciphers=ciphers; 1340 if (ciphers == NULL) 1341 { 1342 al=SSL_AD_ILLEGAL_PARAMETER; 1343 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED); 1344 goto f_err; 1345 } 1346 ciphers=NULL; 1347 c=ssl3_choose_cipher(s,s->session->ciphers, 1348 SSL_get_ciphers(s)); 1349 1350 if (c == NULL) 1351 { 1352 al=SSL_AD_HANDSHAKE_FAILURE; 1353 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); 1354 goto f_err; 1355 } 1356 s->s3->tmp.new_cipher=c; 1357 } 1358 else 1359 { 1360 /* Session-id reuse */ 1361#ifdef REUSE_CIPHER_BUG 1362 STACK_OF(SSL_CIPHER) *sk; 1363 SSL_CIPHER *nc=NULL; 1364 SSL_CIPHER *ec=NULL; 1365 1366 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1367 { 1368 sk=s->session->ciphers; 1369 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1370 { 1371 c=sk_SSL_CIPHER_value(sk,i); 1372 if (c->algorithm_enc & SSL_eNULL) 1373 nc=c; 1374 if (SSL_C_IS_EXPORT(c)) 1375 ec=c; 1376 } 1377 if (nc != NULL) 1378 s->s3->tmp.new_cipher=nc; 1379 else if (ec != NULL) 1380 s->s3->tmp.new_cipher=ec; 1381 else 1382 s->s3->tmp.new_cipher=s->session->cipher; 1383 } 1384 else 1385#endif 1386 s->s3->tmp.new_cipher=s->session->cipher; 1387 } 1388 1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1390 { 1391 if (!ssl3_digest_cached_records(s)) 1392 { 1393 al = SSL_AD_INTERNAL_ERROR; 1394 goto f_err; 1395 } 1396 } 1397 1398 /* we now have the following setup. 1399 * client_random 1400 * cipher_list - our prefered list of ciphers 1401 * ciphers - the clients prefered list of ciphers 1402 * compression - basically ignored right now 1403 * ssl version is set - sslv3 1404 * s->session - The ssl session has been setup. 1405 * s->hit - session reuse flag 1406 * s->tmp.new_cipher - the new cipher to use. 1407 */ 1408 1409 /* Handles TLS extensions that we couldn't check earlier */ 1410 if (s->version >= SSL3_VERSION) 1411 { 1412 if (ssl_check_clienthello_tlsext_late(s) <= 0) 1413 { 1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1415 goto err; 1416 } 1417 } 1418 1419 if (ret < 0) ret=1; 1420 if (0) 1421 { 1422f_err: 1423 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1424 } 1425err: 1426 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); 1427 return(ret); 1428 } 1429 1430int ssl3_send_server_hello(SSL *s) 1431 { 1432 unsigned char *buf; 1433 unsigned char *p,*d; 1434 int i,sl; 1435 unsigned long l; 1436 1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1438 { 1439 buf=(unsigned char *)s->init_buf->data; 1440#ifdef OPENSSL_NO_TLSEXT 1441 p=s->s3->server_random; 1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1443 return -1; 1444#endif 1445 /* Do the message type and length last */ 1446 d=p= &(buf[4]); 1447 1448 *(p++)=s->version>>8; 1449 *(p++)=s->version&0xff; 1450 1451 /* Random stuff */ 1452 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1453 p+=SSL3_RANDOM_SIZE; 1454 1455 /* There are several cases for the session ID to send 1456 * back in the server hello: 1457 * - For session reuse from the session cache, 1458 * we send back the old session ID. 1459 * - If stateless session reuse (using a session ticket) 1460 * is successful, we send back the client's "session ID" 1461 * (which doesn't actually identify the session). 1462 * - If it is a new session, we send back the new 1463 * session ID. 1464 * - However, if we want the new session to be single-use, 1465 * we send back a 0-length session ID. 1466 * s->hit is non-zero in either case of session reuse, 1467 * so the following won't overwrite an ID that we're supposed 1468 * to send back. 1469 */ 1470 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1471 && !s->hit) 1472 s->session->session_id_length=0; 1473 1474 sl=s->session->session_id_length; 1475 if (sl > (int)sizeof(s->session->session_id)) 1476 { 1477 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1478 return -1; 1479 } 1480 *(p++)=sl; 1481 memcpy(p,s->session->session_id,sl); 1482 p+=sl; 1483 1484 /* put the cipher */ 1485 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1486 p+=i; 1487 1488 /* put the compression method */ 1489#ifdef OPENSSL_NO_COMP 1490 *(p++)=0; 1491#else 1492 if (s->s3->tmp.new_compression == NULL) 1493 *(p++)=0; 1494 else 1495 *(p++)=s->s3->tmp.new_compression->id; 1496#endif 1497#ifndef OPENSSL_NO_TLSEXT 1498 if (ssl_prepare_serverhello_tlsext(s) <= 0) 1499 { 1500 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 1501 return -1; 1502 } 1503 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1504 { 1505 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); 1506 return -1; 1507 } 1508#endif 1509 /* do the header */ 1510 l=(p-d); 1511 d=buf; 1512 *(d++)=SSL3_MT_SERVER_HELLO; 1513 l2n3(l,d); 1514 1515 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1516 /* number of bytes to write */ 1517 s->init_num=p-buf; 1518 s->init_off=0; 1519 } 1520 1521 /* SSL3_ST_SW_SRVR_HELLO_B */ 1522 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1523 } 1524 1525int ssl3_send_server_done(SSL *s) 1526 { 1527 unsigned char *p; 1528 1529 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1530 { 1531 p=(unsigned char *)s->init_buf->data; 1532 1533 /* do the header */ 1534 *(p++)=SSL3_MT_SERVER_DONE; 1535 *(p++)=0; 1536 *(p++)=0; 1537 *(p++)=0; 1538 1539 s->state=SSL3_ST_SW_SRVR_DONE_B; 1540 /* number of bytes to write */ 1541 s->init_num=4; 1542 s->init_off=0; 1543 } 1544 1545 /* SSL3_ST_SW_SRVR_DONE_B */ 1546 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1547 } 1548 1549int ssl3_send_server_key_exchange(SSL *s) 1550 { 1551#ifndef OPENSSL_NO_RSA 1552 unsigned char *q; 1553 int j,num; 1554 RSA *rsa; 1555 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1556 unsigned int u; 1557#endif 1558#ifndef OPENSSL_NO_DH 1559 DH *dh=NULL,*dhp; 1560#endif 1561#ifndef OPENSSL_NO_ECDH 1562 EC_KEY *ecdh=NULL, *ecdhp; 1563 unsigned char *encodedPoint = NULL; 1564 int encodedlen = 0; 1565 int curve_id = 0; 1566 BN_CTX *bn_ctx = NULL; 1567#endif 1568 EVP_PKEY *pkey; 1569 const EVP_MD *md = NULL; 1570 unsigned char *p,*d; 1571 int al,i; 1572 unsigned long type; 1573 int n; 1574 CERT *cert; 1575 BIGNUM *r[4]; 1576 int nr[4],kn; 1577 BUF_MEM *buf; 1578 EVP_MD_CTX md_ctx; 1579 1580 EVP_MD_CTX_init(&md_ctx); 1581 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1582 { 1583 type=s->s3->tmp.new_cipher->algorithm_mkey; 1584 cert=s->cert; 1585 1586 buf=s->init_buf; 1587 1588 r[0]=r[1]=r[2]=r[3]=NULL; 1589 n=0; 1590#ifndef OPENSSL_NO_RSA 1591 if (type & SSL_kRSA) 1592 { 1593 rsa=cert->rsa_tmp; 1594 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1595 { 1596 rsa=s->cert->rsa_tmp_cb(s, 1597 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1598 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1599 if(rsa == NULL) 1600 { 1601 al=SSL_AD_HANDSHAKE_FAILURE; 1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1603 goto f_err; 1604 } 1605 RSA_up_ref(rsa); 1606 cert->rsa_tmp=rsa; 1607 } 1608 if (rsa == NULL) 1609 { 1610 al=SSL_AD_HANDSHAKE_FAILURE; 1611 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 1612 goto f_err; 1613 } 1614 r[0]=rsa->n; 1615 r[1]=rsa->e; 1616 s->s3->tmp.use_rsa_tmp=1; 1617 } 1618 else 1619#endif 1620#ifndef OPENSSL_NO_DH 1621 if (type & SSL_kEDH) 1622 { 1623 dhp=cert->dh_tmp; 1624 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1625 dhp=s->cert->dh_tmp_cb(s, 1626 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1627 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1628 if (dhp == NULL) 1629 { 1630 al=SSL_AD_HANDSHAKE_FAILURE; 1631 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1632 goto f_err; 1633 } 1634 1635 if (s->s3->tmp.dh != NULL) 1636 { 1637 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1638 goto err; 1639 } 1640 1641 if ((dh=DHparams_dup(dhp)) == NULL) 1642 { 1643 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1644 goto err; 1645 } 1646 1647 s->s3->tmp.dh=dh; 1648 if ((dhp->pub_key == NULL || 1649 dhp->priv_key == NULL || 1650 (s->options & SSL_OP_SINGLE_DH_USE))) 1651 { 1652 if(!DH_generate_key(dh)) 1653 { 1654 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1655 ERR_R_DH_LIB); 1656 goto err; 1657 } 1658 } 1659 else 1660 { 1661 dh->pub_key=BN_dup(dhp->pub_key); 1662 dh->priv_key=BN_dup(dhp->priv_key); 1663 if ((dh->pub_key == NULL) || 1664 (dh->priv_key == NULL)) 1665 { 1666 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1667 goto err; 1668 } 1669 } 1670 r[0]=dh->p; 1671 r[1]=dh->g; 1672 r[2]=dh->pub_key; 1673 } 1674 else 1675#endif 1676#ifndef OPENSSL_NO_ECDH 1677 if (type & SSL_kEECDH) 1678 { 1679 const EC_GROUP *group; 1680 1681 ecdhp=cert->ecdh_tmp; 1682 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1683 { 1684 ecdhp=s->cert->ecdh_tmp_cb(s, 1685 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1686 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1687 } 1688 if (ecdhp == NULL) 1689 { 1690 al=SSL_AD_HANDSHAKE_FAILURE; 1691 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 1692 goto f_err; 1693 } 1694 1695 if (s->s3->tmp.ecdh != NULL) 1696 { 1697 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1698 goto err; 1699 } 1700 1701 /* Duplicate the ECDH structure. */ 1702 if (ecdhp == NULL) 1703 { 1704 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1705 goto err; 1706 } 1707 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1708 { 1709 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1710 goto err; 1711 } 1712 1713 s->s3->tmp.ecdh=ecdh; 1714 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1715 (EC_KEY_get0_private_key(ecdh) == NULL) || 1716 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1717 { 1718 if(!EC_KEY_generate_key(ecdh)) 1719 { 1720 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1721 goto err; 1722 } 1723 } 1724 1725 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1726 (EC_KEY_get0_public_key(ecdh) == NULL) || 1727 (EC_KEY_get0_private_key(ecdh) == NULL)) 1728 { 1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1730 goto err; 1731 } 1732 1733 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1734 (EC_GROUP_get_degree(group) > 163)) 1735 { 1736 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1737 goto err; 1738 } 1739 1740 /* XXX: For now, we only support ephemeral ECDH 1741 * keys over named (not generic) curves. For 1742 * supported named curves, curve_id is non-zero. 1743 */ 1744 if ((curve_id = 1745 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1746 == 0) 1747 { 1748 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1749 goto err; 1750 } 1751 1752 /* Encode the public key. 1753 * First check the size of encoding and 1754 * allocate memory accordingly. 1755 */ 1756 encodedlen = EC_POINT_point2oct(group, 1757 EC_KEY_get0_public_key(ecdh), 1758 POINT_CONVERSION_UNCOMPRESSED, 1759 NULL, 0, NULL); 1760 1761 encodedPoint = (unsigned char *) 1762 OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1763 bn_ctx = BN_CTX_new(); 1764 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1765 { 1766 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1767 goto err; 1768 } 1769 1770 1771 encodedlen = EC_POINT_point2oct(group, 1772 EC_KEY_get0_public_key(ecdh), 1773 POINT_CONVERSION_UNCOMPRESSED, 1774 encodedPoint, encodedlen, bn_ctx); 1775 1776 if (encodedlen == 0) 1777 { 1778 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); 1779 goto err; 1780 } 1781 1782 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1783 1784 /* XXX: For now, we only support named (not 1785 * generic) curves in ECDH ephemeral key exchanges. 1786 * In this situation, we need four additional bytes 1787 * to encode the entire ServerECDHParams 1788 * structure. 1789 */ 1790 n = 4 + encodedlen; 1791 1792 /* We'll generate the serverKeyExchange message 1793 * explicitly so we can set these to NULLs 1794 */ 1795 r[0]=NULL; 1796 r[1]=NULL; 1797 r[2]=NULL; 1798 r[3]=NULL; 1799 } 1800 else 1801#endif /* !OPENSSL_NO_ECDH */ 1802#ifndef OPENSSL_NO_PSK 1803 if (type & SSL_kPSK) 1804 { 1805 /* reserve size for record length and PSK identity hint*/ 1806 n+=2+strlen(s->ctx->psk_identity_hint); 1807 } 1808 else 1809#endif /* !OPENSSL_NO_PSK */ 1810#ifndef OPENSSL_NO_SRP 1811 if (type & SSL_kSRP) 1812 { 1813 if ((s->srp_ctx.N == NULL) || 1814 (s->srp_ctx.g == NULL) || 1815 (s->srp_ctx.s == NULL) || 1816 (s->srp_ctx.B == NULL)) 1817 { 1818 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM); 1819 goto err; 1820 } 1821 r[0]=s->srp_ctx.N; 1822 r[1]=s->srp_ctx.g; 1823 r[2]=s->srp_ctx.s; 1824 r[3]=s->srp_ctx.B; 1825 } 1826 else 1827#endif 1828 { 1829 al=SSL_AD_HANDSHAKE_FAILURE; 1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1831 goto f_err; 1832 } 1833 for (i=0; i < 4 && r[i] != NULL; i++) 1834 { 1835 nr[i]=BN_num_bytes(r[i]); 1836#ifndef OPENSSL_NO_SRP 1837 if ((i == 2) && (type & SSL_kSRP)) 1838 n+=1+nr[i]; 1839 else 1840#endif 1841 n+=2+nr[i]; 1842 } 1843 1844 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1845 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1846 { 1847 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) 1848 == NULL) 1849 { 1850 al=SSL_AD_DECODE_ERROR; 1851 goto f_err; 1852 } 1853 kn=EVP_PKEY_size(pkey); 1854 } 1855 else 1856 { 1857 pkey=NULL; 1858 kn=0; 1859 } 1860 1861 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1862 { 1863 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 1864 goto err; 1865 } 1866 d=(unsigned char *)s->init_buf->data; 1867 p= &(d[4]); 1868 1869 for (i=0; i < 4 && r[i] != NULL; i++) 1870 { 1871#ifndef OPENSSL_NO_SRP 1872 if ((i == 2) && (type & SSL_kSRP)) 1873 { 1874 *p = nr[i]; 1875 p++; 1876 } 1877 else 1878#endif 1879 s2n(nr[i],p); 1880 BN_bn2bin(r[i],p); 1881 p+=nr[i]; 1882 } 1883 1884#ifndef OPENSSL_NO_ECDH 1885 if (type & SSL_kEECDH) 1886 { 1887 /* XXX: For now, we only support named (not generic) curves. 1888 * In this situation, the serverKeyExchange message has: 1889 * [1 byte CurveType], [2 byte CurveName] 1890 * [1 byte length of encoded point], followed by 1891 * the actual encoded point itself 1892 */ 1893 *p = NAMED_CURVE_TYPE; 1894 p += 1; 1895 *p = 0; 1896 p += 1; 1897 *p = curve_id; 1898 p += 1; 1899 *p = encodedlen; 1900 p += 1; 1901 memcpy((unsigned char*)p, 1902 (unsigned char *)encodedPoint, 1903 encodedlen); 1904 OPENSSL_free(encodedPoint); 1905 encodedPoint = NULL; 1906 p += encodedlen; 1907 } 1908#endif 1909 1910#ifndef OPENSSL_NO_PSK 1911 if (type & SSL_kPSK) 1912 { 1913 /* copy PSK identity hint */ 1914 s2n(strlen(s->ctx->psk_identity_hint), p); 1915 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 1916 p+=strlen(s->ctx->psk_identity_hint); 1917 } 1918#endif 1919 1920 /* not anonymous */ 1921 if (pkey != NULL) 1922 { 1923 /* n is the length of the params, they start at &(d[4]) 1924 * and p points to the space at the end. */ 1925#ifndef OPENSSL_NO_RSA 1926 if (pkey->type == EVP_PKEY_RSA 1927 && TLS1_get_version(s) < TLS1_2_VERSION) 1928 { 1929 q=md_buf; 1930 j=0; 1931 for (num=2; num > 0; num--) 1932 { 1933 EVP_MD_CTX_set_flags(&md_ctx, 1934 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1935 EVP_DigestInit_ex(&md_ctx,(num == 2) 1936 ?s->ctx->md5:s->ctx->sha1, NULL); 1937 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1938 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1939 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1940 EVP_DigestFinal_ex(&md_ctx,q, 1941 (unsigned int *)&i); 1942 q+=i; 1943 j+=i; 1944 } 1945 if (RSA_sign(NID_md5_sha1, md_buf, j, 1946 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1947 { 1948 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 1949 goto err; 1950 } 1951 s2n(u,p); 1952 n+=u+2; 1953 } 1954 else 1955#endif 1956 if (md) 1957 { 1958 /* For TLS1.2 and later send signature 1959 * algorithm */ 1960 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1961 { 1962 if (!tls12_get_sigandhash(p, pkey, md)) 1963 { 1964 /* Should never happen */ 1965 al=SSL_AD_INTERNAL_ERROR; 1966 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1967 goto f_err; 1968 } 1969 p+=2; 1970 } 1971#ifdef SSL_DEBUG 1972 fprintf(stderr, "Using hash %s\n", 1973 EVP_MD_name(md)); 1974#endif 1975 EVP_SignInit_ex(&md_ctx, md, NULL); 1976 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1977 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1978 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1979 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1980 (unsigned int *)&i,pkey)) 1981 { 1982 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP); 1983 goto err; 1984 } 1985 s2n(i,p); 1986 n+=i+2; 1987 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1988 n+= 2; 1989 } 1990 else 1991 { 1992 /* Is this error check actually needed? */ 1993 al=SSL_AD_HANDSHAKE_FAILURE; 1994 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1995 goto f_err; 1996 } 1997 } 1998 1999 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 2000 l2n3(n,d); 2001 2002 /* we should now have things packed up, so lets send 2003 * it off */ 2004 s->init_num=n+4; 2005 s->init_off=0; 2006 } 2007 2008 s->state = SSL3_ST_SW_KEY_EXCH_B; 2009 EVP_MD_CTX_cleanup(&md_ctx); 2010 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2011f_err: 2012 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2013err: 2014#ifndef OPENSSL_NO_ECDH 2015 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2016 BN_CTX_free(bn_ctx); 2017#endif 2018 EVP_MD_CTX_cleanup(&md_ctx); 2019 return(-1); 2020 } 2021 2022int ssl3_send_certificate_request(SSL *s) 2023 { 2024 unsigned char *p,*d; 2025 int i,j,nl,off,n; 2026 STACK_OF(X509_NAME) *sk=NULL; 2027 X509_NAME *name; 2028 BUF_MEM *buf; 2029 2030 if (s->state == SSL3_ST_SW_CERT_REQ_A) 2031 { 2032 buf=s->init_buf; 2033 2034 d=p=(unsigned char *)&(buf->data[4]); 2035 2036 /* get the list of acceptable cert types */ 2037 p++; 2038 n=ssl3_get_req_cert_type(s,p); 2039 d[0]=n; 2040 p+=n; 2041 n++; 2042 2043 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2044 { 2045 nl = tls12_get_req_sig_algs(s, p + 2); 2046 s2n(nl, p); 2047 p += nl + 2; 2048 n += nl + 2; 2049 } 2050 2051 off=n; 2052 p+=2; 2053 n+=2; 2054 2055 sk=SSL_get_client_CA_list(s); 2056 nl=0; 2057 if (sk != NULL) 2058 { 2059 for (i=0; i<sk_X509_NAME_num(sk); i++) 2060 { 2061 name=sk_X509_NAME_value(sk,i); 2062 j=i2d_X509_NAME(name,NULL); 2063 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 2064 { 2065 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 2066 goto err; 2067 } 2068 p=(unsigned char *)&(buf->data[4+n]); 2069 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 2070 { 2071 s2n(j,p); 2072 i2d_X509_NAME(name,&p); 2073 n+=2+j; 2074 nl+=2+j; 2075 } 2076 else 2077 { 2078 d=p; 2079 i2d_X509_NAME(name,&p); 2080 j-=2; s2n(j,d); j+=2; 2081 n+=j; 2082 nl+=j; 2083 } 2084 } 2085 } 2086 /* else no CA names */ 2087 p=(unsigned char *)&(buf->data[4+off]); 2088 s2n(nl,p); 2089 2090 d=(unsigned char *)buf->data; 2091 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 2092 l2n3(n,d); 2093 2094 /* we should now have things packed up, so lets send 2095 * it off */ 2096 2097 s->init_num=n+4; 2098 s->init_off=0; 2099#ifdef NETSCAPE_HANG_BUG 2100 p=(unsigned char *)s->init_buf->data + s->init_num; 2101 2102 /* do the header */ 2103 *(p++)=SSL3_MT_SERVER_DONE; 2104 *(p++)=0; 2105 *(p++)=0; 2106 *(p++)=0; 2107 s->init_num += 4; 2108#endif 2109 2110 s->state = SSL3_ST_SW_CERT_REQ_B; 2111 } 2112 2113 /* SSL3_ST_SW_CERT_REQ_B */ 2114 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2115err: 2116 return(-1); 2117 } 2118 2119int ssl3_get_client_key_exchange(SSL *s) 2120 { 2121 int i,al,ok; 2122 long n; 2123 unsigned long alg_k; 2124 unsigned char *p; 2125#ifndef OPENSSL_NO_RSA 2126 RSA *rsa=NULL; 2127 EVP_PKEY *pkey=NULL; 2128#endif 2129#ifndef OPENSSL_NO_DH 2130 BIGNUM *pub=NULL; 2131 DH *dh_srvr; 2132#endif 2133#ifndef OPENSSL_NO_KRB5 2134 KSSL_ERR kssl_err; 2135#endif /* OPENSSL_NO_KRB5 */ 2136 2137#ifndef OPENSSL_NO_ECDH 2138 EC_KEY *srvr_ecdh = NULL; 2139 EVP_PKEY *clnt_pub_pkey = NULL; 2140 EC_POINT *clnt_ecpoint = NULL; 2141 BN_CTX *bn_ctx = NULL; 2142#endif 2143 2144 n=s->method->ssl_get_message(s, 2145 SSL3_ST_SR_KEY_EXCH_A, 2146 SSL3_ST_SR_KEY_EXCH_B, 2147 SSL3_MT_CLIENT_KEY_EXCHANGE, 2148 2048, /* ??? */ 2149 &ok); 2150 2151 if (!ok) return((int)n); 2152 p=(unsigned char *)s->init_msg; 2153 2154 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2155 2156#ifndef OPENSSL_NO_RSA 2157 if (alg_k & SSL_kRSA) 2158 { 2159 /* FIX THIS UP EAY EAY EAY EAY */ 2160 if (s->s3->tmp.use_rsa_tmp) 2161 { 2162 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2163 rsa=s->cert->rsa_tmp; 2164 /* Don't do a callback because rsa_tmp should 2165 * be sent already */ 2166 if (rsa == NULL) 2167 { 2168 al=SSL_AD_HANDSHAKE_FAILURE; 2169 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY); 2170 goto f_err; 2171 2172 } 2173 } 2174 else 2175 { 2176 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 2177 if ( (pkey == NULL) || 2178 (pkey->type != EVP_PKEY_RSA) || 2179 (pkey->pkey.rsa == NULL)) 2180 { 2181 al=SSL_AD_HANDSHAKE_FAILURE; 2182 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE); 2183 goto f_err; 2184 } 2185 rsa=pkey->pkey.rsa; 2186 } 2187 2188 /* TLS and [incidentally] DTLS{0xFEFF} */ 2189 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) 2190 { 2191 n2s(p,i); 2192 if (n != i+2) 2193 { 2194 if (!(s->options & SSL_OP_TLS_D5_BUG)) 2195 { 2196 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 2197 goto err; 2198 } 2199 else 2200 p-=2; 2201 } 2202 else 2203 n=i; 2204 } 2205 2206 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 2207 2208 al = -1; 2209 2210 if (i != SSL_MAX_MASTER_KEY_LENGTH) 2211 { 2212 al=SSL_AD_DECODE_ERROR; 2213 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 2214 } 2215 2216 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 2217 { 2218 /* The premaster secret must contain the same version number as the 2219 * ClientHello to detect version rollback attacks (strangely, the 2220 * protocol does not offer such protection for DH ciphersuites). 2221 * However, buggy clients exist that send the negotiated protocol 2222 * version instead if the server does not support the requested 2223 * protocol version. 2224 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 2225 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 2226 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 2227 { 2228 al=SSL_AD_DECODE_ERROR; 2229 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2230 2231 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2232 * (http://eprint.iacr.org/2003/052/) exploits the version 2233 * number check as a "bad version oracle" -- an alert would 2234 * reveal that the plaintext corresponding to some ciphertext 2235 * made up by the adversary is properly formatted except 2236 * that the version number is wrong. To avoid such attacks, 2237 * we should treat this just like any other decryption error. */ 2238 } 2239 } 2240 2241 if (al != -1) 2242 { 2243 /* Some decryption failure -- use random value instead as countermeasure 2244 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 2245 * (see RFC 2246, section 7.4.7.1). */ 2246 ERR_clear_error(); 2247 i = SSL_MAX_MASTER_KEY_LENGTH; 2248 p[0] = s->client_version >> 8; 2249 p[1] = s->client_version & 0xff; 2250 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 2251 goto err; 2252 } 2253 2254 s->session->master_key_length= 2255 s->method->ssl3_enc->generate_master_secret(s, 2256 s->session->master_key, 2257 p,i); 2258 OPENSSL_cleanse(p,i); 2259 } 2260 else 2261#endif 2262#ifndef OPENSSL_NO_DH 2263 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2264 { 2265 n2s(p,i); 2266 if (n != i+2) 2267 { 2268 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) 2269 { 2270 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 2271 goto err; 2272 } 2273 else 2274 { 2275 p-=2; 2276 i=(int)n; 2277 } 2278 } 2279 2280 if (n == 0L) /* the parameters are in the cert */ 2281 { 2282 al=SSL_AD_HANDSHAKE_FAILURE; 2283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2284 goto f_err; 2285 } 2286 else 2287 { 2288 if (s->s3->tmp.dh == NULL) 2289 { 2290 al=SSL_AD_HANDSHAKE_FAILURE; 2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 2292 goto f_err; 2293 } 2294 else 2295 dh_srvr=s->s3->tmp.dh; 2296 } 2297 2298 pub=BN_bin2bn(p,i,NULL); 2299 if (pub == NULL) 2300 { 2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); 2302 goto err; 2303 } 2304 2305 i=DH_compute_key(p,pub,dh_srvr); 2306 2307 if (i <= 0) 2308 { 2309 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2310 BN_clear_free(pub); 2311 goto err; 2312 } 2313 2314 DH_free(s->s3->tmp.dh); 2315 s->s3->tmp.dh=NULL; 2316 2317 BN_clear_free(pub); 2318 pub=NULL; 2319 s->session->master_key_length= 2320 s->method->ssl3_enc->generate_master_secret(s, 2321 s->session->master_key,p,i); 2322 OPENSSL_cleanse(p,i); 2323 } 2324 else 2325#endif 2326#ifndef OPENSSL_NO_KRB5 2327 if (alg_k & SSL_kKRB5) 2328 { 2329 krb5_error_code krb5rc; 2330 krb5_data enc_ticket; 2331 krb5_data authenticator; 2332 krb5_data enc_pms; 2333 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2334 EVP_CIPHER_CTX ciph_ctx; 2335 const EVP_CIPHER *enc = NULL; 2336 unsigned char iv[EVP_MAX_IV_LENGTH]; 2337 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2338 + EVP_MAX_BLOCK_LENGTH]; 2339 int padl, outl; 2340 krb5_timestamp authtime = 0; 2341 krb5_ticket_times ttimes; 2342 2343 EVP_CIPHER_CTX_init(&ciph_ctx); 2344 2345 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2346 2347 n2s(p,i); 2348 enc_ticket.length = i; 2349 2350 if (n < (long)(enc_ticket.length + 6)) 2351 { 2352 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2353 SSL_R_DATA_LENGTH_TOO_LONG); 2354 goto err; 2355 } 2356 2357 enc_ticket.data = (char *)p; 2358 p+=enc_ticket.length; 2359 2360 n2s(p,i); 2361 authenticator.length = i; 2362 2363 if (n < (long)(enc_ticket.length + authenticator.length + 6)) 2364 { 2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2366 SSL_R_DATA_LENGTH_TOO_LONG); 2367 goto err; 2368 } 2369 2370 authenticator.data = (char *)p; 2371 p+=authenticator.length; 2372 2373 n2s(p,i); 2374 enc_pms.length = i; 2375 enc_pms.data = (char *)p; 2376 p+=enc_pms.length; 2377 2378 /* Note that the length is checked again below, 2379 ** after decryption 2380 */ 2381 if(enc_pms.length > sizeof pms) 2382 { 2383 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2384 SSL_R_DATA_LENGTH_TOO_LONG); 2385 goto err; 2386 } 2387 2388 if (n != (long)(enc_ticket.length + authenticator.length + 2389 enc_pms.length + 6)) 2390 { 2391 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2392 SSL_R_DATA_LENGTH_TOO_LONG); 2393 goto err; 2394 } 2395 2396 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2397 &kssl_err)) != 0) 2398 { 2399#ifdef KSSL_DEBUG 2400 printf("kssl_sget_tkt rtn %d [%d]\n", 2401 krb5rc, kssl_err.reason); 2402 if (kssl_err.text) 2403 printf("kssl_err text= %s\n", kssl_err.text); 2404#endif /* KSSL_DEBUG */ 2405 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2406 kssl_err.reason); 2407 goto err; 2408 } 2409 2410 /* Note: no authenticator is not considered an error, 2411 ** but will return authtime == 0. 2412 */ 2413 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2414 &authtime, &kssl_err)) != 0) 2415 { 2416#ifdef KSSL_DEBUG 2417 printf("kssl_check_authent rtn %d [%d]\n", 2418 krb5rc, kssl_err.reason); 2419 if (kssl_err.text) 2420 printf("kssl_err text= %s\n", kssl_err.text); 2421#endif /* KSSL_DEBUG */ 2422 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2423 kssl_err.reason); 2424 goto err; 2425 } 2426 2427 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2428 { 2429 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2430 goto err; 2431 } 2432 2433#ifdef KSSL_DEBUG 2434 kssl_ctx_show(kssl_ctx); 2435#endif /* KSSL_DEBUG */ 2436 2437 enc = kssl_map_enc(kssl_ctx->enctype); 2438 if (enc == NULL) 2439 goto err; 2440 2441 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2442 2443 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2444 { 2445 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2446 SSL_R_DECRYPTION_FAILED); 2447 goto err; 2448 } 2449 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2450 (unsigned char *)enc_pms.data, enc_pms.length)) 2451 { 2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2453 SSL_R_DECRYPTION_FAILED); 2454 goto err; 2455 } 2456 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2457 { 2458 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2459 SSL_R_DATA_LENGTH_TOO_LONG); 2460 goto err; 2461 } 2462 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2463 { 2464 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2465 SSL_R_DECRYPTION_FAILED); 2466 goto err; 2467 } 2468 outl += padl; 2469 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2470 { 2471 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2472 SSL_R_DATA_LENGTH_TOO_LONG); 2473 goto err; 2474 } 2475 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2476 { 2477 /* The premaster secret must contain the same version number as the 2478 * ClientHello to detect version rollback attacks (strangely, the 2479 * protocol does not offer such protection for DH ciphersuites). 2480 * However, buggy clients exist that send random bytes instead of 2481 * the protocol version. 2482 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2483 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2484 */ 2485 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2486 { 2487 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2488 SSL_AD_DECODE_ERROR); 2489 goto err; 2490 } 2491 } 2492 2493 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2494 2495 s->session->master_key_length= 2496 s->method->ssl3_enc->generate_master_secret(s, 2497 s->session->master_key, pms, outl); 2498 2499 if (kssl_ctx->client_princ) 2500 { 2501 size_t len = strlen(kssl_ctx->client_princ); 2502 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2503 { 2504 s->session->krb5_client_princ_len = len; 2505 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2506 } 2507 } 2508 2509 2510 /* Was doing kssl_ctx_free() here, 2511 ** but it caused problems for apache. 2512 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2513 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2514 */ 2515 } 2516 else 2517#endif /* OPENSSL_NO_KRB5 */ 2518 2519#ifndef OPENSSL_NO_ECDH 2520 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2521 { 2522 int ret = 1; 2523 int field_size = 0; 2524 const EC_KEY *tkey; 2525 const EC_GROUP *group; 2526 const BIGNUM *priv_key; 2527 2528 /* initialize structures for server's ECDH key pair */ 2529 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2530 { 2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2532 ERR_R_MALLOC_FAILURE); 2533 goto err; 2534 } 2535 2536 /* Let's get server private key and group information */ 2537 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) 2538 { 2539 /* use the certificate */ 2540 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2541 } 2542 else 2543 { 2544 /* use the ephermeral values we saved when 2545 * generating the ServerKeyExchange msg. 2546 */ 2547 tkey = s->s3->tmp.ecdh; 2548 } 2549 2550 group = EC_KEY_get0_group(tkey); 2551 priv_key = EC_KEY_get0_private_key(tkey); 2552 2553 if (!EC_KEY_set_group(srvr_ecdh, group) || 2554 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2555 { 2556 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2557 ERR_R_EC_LIB); 2558 goto err; 2559 } 2560 2561 /* Let's get client's public key */ 2562 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2563 { 2564 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2565 ERR_R_MALLOC_FAILURE); 2566 goto err; 2567 } 2568 2569 if (n == 0L) 2570 { 2571 /* Client Publickey was in Client Certificate */ 2572 2573 if (alg_k & SSL_kEECDH) 2574 { 2575 al=SSL_AD_HANDSHAKE_FAILURE; 2576 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2577 goto f_err; 2578 } 2579 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2580 == NULL) || 2581 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2582 { 2583 /* XXX: For now, we do not support client 2584 * authentication using ECDH certificates 2585 * so this branch (n == 0L) of the code is 2586 * never executed. When that support is 2587 * added, we ought to ensure the key 2588 * received in the certificate is 2589 * authorized for key agreement. 2590 * ECDH_compute_key implicitly checks that 2591 * the two ECDH shares are for the same 2592 * group. 2593 */ 2594 al=SSL_AD_HANDSHAKE_FAILURE; 2595 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2596 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2597 goto f_err; 2598 } 2599 2600 if (EC_POINT_copy(clnt_ecpoint, 2601 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2602 { 2603 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2604 ERR_R_EC_LIB); 2605 goto err; 2606 } 2607 ret = 2; /* Skip certificate verify processing */ 2608 } 2609 else 2610 { 2611 /* Get client's public key from encoded point 2612 * in the ClientKeyExchange message. 2613 */ 2614 if ((bn_ctx = BN_CTX_new()) == NULL) 2615 { 2616 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2617 ERR_R_MALLOC_FAILURE); 2618 goto err; 2619 } 2620 2621 /* Get encoded point length */ 2622 i = *p; 2623 p += 1; 2624 if (n != 1 + i) 2625 { 2626 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2627 ERR_R_EC_LIB); 2628 goto err; 2629 } 2630 if (EC_POINT_oct2point(group, 2631 clnt_ecpoint, p, i, bn_ctx) == 0) 2632 { 2633 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2634 ERR_R_EC_LIB); 2635 goto err; 2636 } 2637 /* p is pointing to somewhere in the buffer 2638 * currently, so set it to the start 2639 */ 2640 p=(unsigned char *)s->init_buf->data; 2641 } 2642 2643 /* Compute the shared pre-master secret */ 2644 field_size = EC_GROUP_get_degree(group); 2645 if (field_size <= 0) 2646 { 2647 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2648 ERR_R_ECDH_LIB); 2649 goto err; 2650 } 2651 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2652 if (i <= 0) 2653 { 2654 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2655 ERR_R_ECDH_LIB); 2656 goto err; 2657 } 2658 2659 EVP_PKEY_free(clnt_pub_pkey); 2660 EC_POINT_free(clnt_ecpoint); 2661 EC_KEY_free(srvr_ecdh); 2662 BN_CTX_free(bn_ctx); 2663 EC_KEY_free(s->s3->tmp.ecdh); 2664 s->s3->tmp.ecdh = NULL; 2665 2666 /* Compute the master secret */ 2667 s->session->master_key_length = s->method->ssl3_enc-> \ 2668 generate_master_secret(s, s->session->master_key, p, i); 2669 2670 OPENSSL_cleanse(p, i); 2671 return (ret); 2672 } 2673 else 2674#endif 2675#ifndef OPENSSL_NO_PSK 2676 if (alg_k & SSL_kPSK) 2677 { 2678 unsigned char *t = NULL; 2679 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2680 unsigned int pre_ms_len = 0, psk_len = 0; 2681 int psk_err = 1; 2682 char tmp_id[PSK_MAX_IDENTITY_LEN+1]; 2683 2684 al=SSL_AD_HANDSHAKE_FAILURE; 2685 2686 n2s(p,i); 2687 if (n != i+2) 2688 { 2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2690 SSL_R_LENGTH_MISMATCH); 2691 goto psk_err; 2692 } 2693 if (i > PSK_MAX_IDENTITY_LEN) 2694 { 2695 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2696 SSL_R_DATA_LENGTH_TOO_LONG); 2697 goto psk_err; 2698 } 2699 if (s->psk_server_callback == NULL) 2700 { 2701 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2702 SSL_R_PSK_NO_SERVER_CB); 2703 goto psk_err; 2704 } 2705 2706 /* Create guaranteed NULL-terminated identity 2707 * string for the callback */ 2708 memcpy(tmp_id, p, i); 2709 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 2710 psk_len = s->psk_server_callback(s, tmp_id, 2711 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2712 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 2713 2714 if (psk_len > PSK_MAX_PSK_LEN) 2715 { 2716 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2717 ERR_R_INTERNAL_ERROR); 2718 goto psk_err; 2719 } 2720 else if (psk_len == 0) 2721 { 2722 /* PSK related to the given identity not found */ 2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2724 SSL_R_PSK_IDENTITY_NOT_FOUND); 2725 al=SSL_AD_UNKNOWN_PSK_IDENTITY; 2726 goto psk_err; 2727 } 2728 2729 /* create PSK pre_master_secret */ 2730 pre_ms_len=2+psk_len+2+psk_len; 2731 t = psk_or_pre_ms; 2732 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2733 s2n(psk_len, t); 2734 memset(t, 0, psk_len); 2735 t+=psk_len; 2736 s2n(psk_len, t); 2737 2738 if (s->session->psk_identity != NULL) 2739 OPENSSL_free(s->session->psk_identity); 2740 s->session->psk_identity = BUF_strdup((char *)p); 2741 if (s->session->psk_identity == NULL) 2742 { 2743 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2744 ERR_R_MALLOC_FAILURE); 2745 goto psk_err; 2746 } 2747 2748 if (s->session->psk_identity_hint != NULL) 2749 OPENSSL_free(s->session->psk_identity_hint); 2750 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2751 if (s->ctx->psk_identity_hint != NULL && 2752 s->session->psk_identity_hint == NULL) 2753 { 2754 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2755 ERR_R_MALLOC_FAILURE); 2756 goto psk_err; 2757 } 2758 2759 s->session->master_key_length= 2760 s->method->ssl3_enc->generate_master_secret(s, 2761 s->session->master_key, psk_or_pre_ms, pre_ms_len); 2762 psk_err = 0; 2763 psk_err: 2764 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2765 if (psk_err != 0) 2766 goto f_err; 2767 } 2768 else 2769#endif 2770#ifndef OPENSSL_NO_SRP 2771 if (alg_k & SSL_kSRP) 2772 { 2773 int param_len; 2774 2775 n2s(p,i); 2776 param_len=i+2; 2777 if (param_len > n) 2778 { 2779 al=SSL_AD_DECODE_ERROR; 2780 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH); 2781 goto f_err; 2782 } 2783 if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL))) 2784 { 2785 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB); 2786 goto err; 2787 } 2788 if (s->session->srp_username != NULL) 2789 OPENSSL_free(s->session->srp_username); 2790 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2791 if (s->session->srp_username == NULL) 2792 { 2793 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2794 ERR_R_MALLOC_FAILURE); 2795 goto err; 2796 } 2797 2798 if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 2799 { 2800 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2801 goto err; 2802 } 2803 2804 p+=i; 2805 } 2806 else 2807#endif /* OPENSSL_NO_SRP */ 2808 if (alg_k & SSL_kGOST) 2809 { 2810 int ret = 0; 2811 EVP_PKEY_CTX *pkey_ctx; 2812 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 2813 unsigned char premaster_secret[32], *start; 2814 size_t outlen=32, inlen; 2815 unsigned long alg_a; 2816 2817 /* Get our certificate private key*/ 2818 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2819 if (alg_a & SSL_aGOST94) 2820 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 2821 else if (alg_a & SSL_aGOST01) 2822 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 2823 2824 pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 2825 EVP_PKEY_decrypt_init(pkey_ctx); 2826 /* If client certificate is present and is of the same type, maybe 2827 * use it for key exchange. Don't mind errors from 2828 * EVP_PKEY_derive_set_peer, because it is completely valid to use 2829 * a client certificate for authorization only. */ 2830 client_pub_pkey = X509_get_pubkey(s->session->peer); 2831 if (client_pub_pkey) 2832 { 2833 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2834 ERR_clear_error(); 2835 } 2836 /* Decrypt session key */ 2837 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) 2838 { 2839 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2840 goto gerr; 2841 } 2842 if (p[1] == 0x81) 2843 { 2844 start = p+3; 2845 inlen = p[2]; 2846 } 2847 else if (p[1] < 0x80) 2848 { 2849 start = p+2; 2850 inlen = p[1]; 2851 } 2852 else 2853 { 2854 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2855 goto gerr; 2856 } 2857 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 2858 2859 { 2860 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2861 goto gerr; 2862 } 2863 /* Generate master secret */ 2864 s->session->master_key_length= 2865 s->method->ssl3_enc->generate_master_secret(s, 2866 s->session->master_key,premaster_secret,32); 2867 /* Check if pubkey from client certificate was used */ 2868 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2869 ret = 2; 2870 else 2871 ret = 1; 2872 gerr: 2873 EVP_PKEY_free(client_pub_pkey); 2874 EVP_PKEY_CTX_free(pkey_ctx); 2875 if (ret) 2876 return ret; 2877 else 2878 goto err; 2879 } 2880 else 2881 { 2882 al=SSL_AD_HANDSHAKE_FAILURE; 2883 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2884 SSL_R_UNKNOWN_CIPHER_TYPE); 2885 goto f_err; 2886 } 2887 2888 return(1); 2889f_err: 2890 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2891#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP) 2892err: 2893#endif 2894#ifndef OPENSSL_NO_ECDH 2895 EVP_PKEY_free(clnt_pub_pkey); 2896 EC_POINT_free(clnt_ecpoint); 2897 if (srvr_ecdh != NULL) 2898 EC_KEY_free(srvr_ecdh); 2899 BN_CTX_free(bn_ctx); 2900#endif 2901 return(-1); 2902 } 2903 2904int ssl3_get_cert_verify(SSL *s) 2905 { 2906 EVP_PKEY *pkey=NULL; 2907 unsigned char *p; 2908 int al,ok,ret=0; 2909 long n; 2910 int type=0,i,j; 2911 X509 *peer; 2912 const EVP_MD *md = NULL; 2913 EVP_MD_CTX mctx; 2914 EVP_MD_CTX_init(&mctx); 2915 2916 n=s->method->ssl_get_message(s, 2917 SSL3_ST_SR_CERT_VRFY_A, 2918 SSL3_ST_SR_CERT_VRFY_B, 2919 -1, 2920 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ 2921 &ok); 2922 2923 if (!ok) return((int)n); 2924 2925 if (s->session->peer != NULL) 2926 { 2927 peer=s->session->peer; 2928 pkey=X509_get_pubkey(peer); 2929 type=X509_certificate_type(peer,pkey); 2930 } 2931 else 2932 { 2933 peer=NULL; 2934 pkey=NULL; 2935 } 2936 2937 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2938 { 2939 s->s3->tmp.reuse_message=1; 2940 if ((peer != NULL) && (type & EVP_PKT_SIGN)) 2941 { 2942 al=SSL_AD_UNEXPECTED_MESSAGE; 2943 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 2944 goto f_err; 2945 } 2946 ret=1; 2947 goto end; 2948 } 2949 2950 if (peer == NULL) 2951 { 2952 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2953 al=SSL_AD_UNEXPECTED_MESSAGE; 2954 goto f_err; 2955 } 2956 2957 if (!(type & EVP_PKT_SIGN)) 2958 { 2959 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2960 al=SSL_AD_ILLEGAL_PARAMETER; 2961 goto f_err; 2962 } 2963 2964 if (s->s3->change_cipher_spec) 2965 { 2966 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2967 al=SSL_AD_UNEXPECTED_MESSAGE; 2968 goto f_err; 2969 } 2970 2971 /* we now have a signature that we need to verify */ 2972 p=(unsigned char *)s->init_msg; 2973 /* Check for broken implementations of GOST ciphersuites */ 2974 /* If key is GOST and n is exactly 64, it is bare 2975 * signature without length field */ 2976 if (n==64 && (pkey->type==NID_id_GostR3410_94 || 2977 pkey->type == NID_id_GostR3410_2001) ) 2978 { 2979 i=64; 2980 } 2981 else 2982 { 2983 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2984 { 2985 int sigalg = tls12_get_sigid(pkey); 2986 /* Should never happen */ 2987 if (sigalg == -1) 2988 { 2989 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2990 al=SSL_AD_INTERNAL_ERROR; 2991 goto f_err; 2992 } 2993 /* Check key type is consistent with signature */ 2994 if (sigalg != (int)p[1]) 2995 { 2996 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE); 2997 al=SSL_AD_DECODE_ERROR; 2998 goto f_err; 2999 } 3000 md = tls12_get_hash(p[0]); 3001 if (md == NULL) 3002 { 3003 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST); 3004 al=SSL_AD_DECODE_ERROR; 3005 goto f_err; 3006 } 3007#ifdef SSL_DEBUG 3008fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 3009#endif 3010 p += 2; 3011 n -= 2; 3012 } 3013 n2s(p,i); 3014 n-=2; 3015 if (i > n) 3016 { 3017 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 3018 al=SSL_AD_DECODE_ERROR; 3019 goto f_err; 3020 } 3021 } 3022 j=EVP_PKEY_size(pkey); 3023 if ((i > j) || (n > j) || (n <= 0)) 3024 { 3025 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); 3026 al=SSL_AD_DECODE_ERROR; 3027 goto f_err; 3028 } 3029 3030 if (TLS1_get_version(s) >= TLS1_2_VERSION) 3031 { 3032 long hdatalen = 0; 3033 void *hdata; 3034 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 3035 if (hdatalen <= 0) 3036 { 3037 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 3038 al=SSL_AD_INTERNAL_ERROR; 3039 goto f_err; 3040 } 3041#ifdef SSL_DEBUG 3042 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 3043 EVP_MD_name(md)); 3044#endif 3045 if (!EVP_VerifyInit_ex(&mctx, md, NULL) 3046 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) 3047 { 3048 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 3049 al=SSL_AD_INTERNAL_ERROR; 3050 goto f_err; 3051 } 3052 3053 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) 3054 { 3055 al=SSL_AD_DECRYPT_ERROR; 3056 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE); 3057 goto f_err; 3058 } 3059 } 3060 else 3061#ifndef OPENSSL_NO_RSA 3062 if (pkey->type == EVP_PKEY_RSA) 3063 { 3064 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 3065 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 3066 pkey->pkey.rsa); 3067 if (i < 0) 3068 { 3069 al=SSL_AD_DECRYPT_ERROR; 3070 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); 3071 goto f_err; 3072 } 3073 if (i == 0) 3074 { 3075 al=SSL_AD_DECRYPT_ERROR; 3076 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); 3077 goto f_err; 3078 } 3079 } 3080 else 3081#endif 3082#ifndef OPENSSL_NO_DSA 3083 if (pkey->type == EVP_PKEY_DSA) 3084 { 3085 j=DSA_verify(pkey->save_type, 3086 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3087 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 3088 if (j <= 0) 3089 { 3090 /* bad signature */ 3091 al=SSL_AD_DECRYPT_ERROR; 3092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 3093 goto f_err; 3094 } 3095 } 3096 else 3097#endif 3098#ifndef OPENSSL_NO_ECDSA 3099 if (pkey->type == EVP_PKEY_EC) 3100 { 3101 j=ECDSA_verify(pkey->save_type, 3102 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3103 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 3104 if (j <= 0) 3105 { 3106 /* bad signature */ 3107 al=SSL_AD_DECRYPT_ERROR; 3108 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3109 SSL_R_BAD_ECDSA_SIGNATURE); 3110 goto f_err; 3111 } 3112 } 3113 else 3114#endif 3115 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 3116 { unsigned char signature[64]; 3117 int idx; 3118 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL); 3119 EVP_PKEY_verify_init(pctx); 3120 if (i!=64) { 3121 fprintf(stderr,"GOST signature length is %d",i); 3122 } 3123 for (idx=0;idx<64;idx++) { 3124 signature[63-idx]=p[idx]; 3125 } 3126 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32); 3127 EVP_PKEY_CTX_free(pctx); 3128 if (j<=0) 3129 { 3130 al=SSL_AD_DECRYPT_ERROR; 3131 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3132 SSL_R_BAD_ECDSA_SIGNATURE); 3133 goto f_err; 3134 } 3135 } 3136 else 3137 { 3138 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 3139 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 3140 goto f_err; 3141 } 3142 3143 3144 ret=1; 3145 if (0) 3146 { 3147f_err: 3148 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3149 } 3150end: 3151 if (s->s3->handshake_buffer) 3152 { 3153 BIO_free(s->s3->handshake_buffer); 3154 s->s3->handshake_buffer = NULL; 3155 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; 3156 } 3157 EVP_MD_CTX_cleanup(&mctx); 3158 EVP_PKEY_free(pkey); 3159 return(ret); 3160 } 3161 3162int ssl3_get_client_certificate(SSL *s) 3163 { 3164 int i,ok,al,ret= -1; 3165 X509 *x=NULL; 3166 unsigned long l,nc,llen,n; 3167 const unsigned char *p,*q; 3168 unsigned char *d; 3169 STACK_OF(X509) *sk=NULL; 3170 3171 n=s->method->ssl_get_message(s, 3172 SSL3_ST_SR_CERT_A, 3173 SSL3_ST_SR_CERT_B, 3174 -1, 3175 s->max_cert_list, 3176 &ok); 3177 3178 if (!ok) return((int)n); 3179 3180 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 3181 { 3182 if ( (s->verify_mode & SSL_VERIFY_PEER) && 3183 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 3184 { 3185 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3186 al=SSL_AD_HANDSHAKE_FAILURE; 3187 goto f_err; 3188 } 3189 /* If tls asked for a client cert, the client must return a 0 list */ 3190 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 3191 { 3192 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 3193 al=SSL_AD_UNEXPECTED_MESSAGE; 3194 goto f_err; 3195 } 3196 s->s3->tmp.reuse_message=1; 3197 return(1); 3198 } 3199 3200 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 3201 { 3202 al=SSL_AD_UNEXPECTED_MESSAGE; 3203 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 3204 goto f_err; 3205 } 3206 p=d=(unsigned char *)s->init_msg; 3207 3208 if ((sk=sk_X509_new_null()) == NULL) 3209 { 3210 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 3211 goto err; 3212 } 3213 3214 n2l3(p,llen); 3215 if (llen+3 != n) 3216 { 3217 al=SSL_AD_DECODE_ERROR; 3218 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 3219 goto f_err; 3220 } 3221 for (nc=0; nc<llen; ) 3222 { 3223 n2l3(p,l); 3224 if ((l+nc+3) > llen) 3225 { 3226 al=SSL_AD_DECODE_ERROR; 3227 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 3228 goto f_err; 3229 } 3230 3231 q=p; 3232 x=d2i_X509(NULL,&p,l); 3233 if (x == NULL) 3234 { 3235 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB); 3236 goto err; 3237 } 3238 if (p != (q+l)) 3239 { 3240 al=SSL_AD_DECODE_ERROR; 3241 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 3242 goto f_err; 3243 } 3244 if (!sk_X509_push(sk,x)) 3245 { 3246 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 3247 goto err; 3248 } 3249 x=NULL; 3250 nc+=l+3; 3251 } 3252 3253 if (sk_X509_num(sk) <= 0) 3254 { 3255 /* TLS does not mind 0 certs returned */ 3256 if (s->version == SSL3_VERSION) 3257 { 3258 al=SSL_AD_HANDSHAKE_FAILURE; 3259 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED); 3260 goto f_err; 3261 } 3262 /* Fail for TLS only if we required a certificate */ 3263 else if ((s->verify_mode & SSL_VERIFY_PEER) && 3264 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 3265 { 3266 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3267 al=SSL_AD_HANDSHAKE_FAILURE; 3268 goto f_err; 3269 } 3270 /* No client certificate so digest cached records */ 3271 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) 3272 { 3273 al=SSL_AD_INTERNAL_ERROR; 3274 goto f_err; 3275 } 3276 } 3277 else 3278 { 3279 i=ssl_verify_cert_chain(s,sk); 3280 if (i <= 0) 3281 { 3282 al=ssl_verify_alarm_type(s->verify_result); 3283 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); 3284 goto f_err; 3285 } 3286 } 3287 3288 if (s->session->peer != NULL) /* This should not be needed */ 3289 X509_free(s->session->peer); 3290 s->session->peer=sk_X509_shift(sk); 3291 s->session->verify_result = s->verify_result; 3292 3293 /* With the current implementation, sess_cert will always be NULL 3294 * when we arrive here. */ 3295 if (s->session->sess_cert == NULL) 3296 { 3297 s->session->sess_cert = ssl_sess_cert_new(); 3298 if (s->session->sess_cert == NULL) 3299 { 3300 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3301 goto err; 3302 } 3303 } 3304 if (s->session->sess_cert->cert_chain != NULL) 3305 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 3306 s->session->sess_cert->cert_chain=sk; 3307 /* Inconsistency alert: cert_chain does *not* include the 3308 * peer's own certificate, while we do include it in s3_clnt.c */ 3309 3310 sk=NULL; 3311 3312 ret=1; 3313 if (0) 3314 { 3315f_err: 3316 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3317 } 3318err: 3319 if (x != NULL) X509_free(x); 3320 if (sk != NULL) sk_X509_pop_free(sk,X509_free); 3321 return(ret); 3322 } 3323 3324int ssl3_send_server_certificate(SSL *s) 3325 { 3326 unsigned long l; 3327 X509 *x; 3328 3329 if (s->state == SSL3_ST_SW_CERT_A) 3330 { 3331 x=ssl_get_server_send_cert(s); 3332 if (x == NULL) 3333 { 3334 /* VRS: allow null cert if auth == KRB5 */ 3335 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3336 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) 3337 { 3338 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 3339 return(0); 3340 } 3341 } 3342 3343 l=ssl3_output_cert_chain(s,x); 3344 s->state=SSL3_ST_SW_CERT_B; 3345 s->init_num=(int)l; 3346 s->init_off=0; 3347 } 3348 3349 /* SSL3_ST_SW_CERT_B */ 3350 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3351 } 3352 3353#ifndef OPENSSL_NO_TLSEXT 3354/* send a new session ticket (not necessarily for a new session) */ 3355int ssl3_send_newsession_ticket(SSL *s) 3356 { 3357 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3358 { 3359 unsigned char *p, *senc, *macstart; 3360 const unsigned char *const_p; 3361 int len, slen_full, slen; 3362 SSL_SESSION *sess; 3363 unsigned int hlen; 3364 EVP_CIPHER_CTX ctx; 3365 HMAC_CTX hctx; 3366 SSL_CTX *tctx = s->initial_ctx; 3367 unsigned char iv[EVP_MAX_IV_LENGTH]; 3368 unsigned char key_name[16]; 3369 3370 /* get session encoding length */ 3371 slen_full = i2d_SSL_SESSION(s->session, NULL); 3372 /* Some length values are 16 bits, so forget it if session is 3373 * too long 3374 */ 3375 if (slen_full > 0xFF00) 3376 return -1; 3377 senc = OPENSSL_malloc(slen_full); 3378 if (!senc) 3379 return -1; 3380 p = senc; 3381 i2d_SSL_SESSION(s->session, &p); 3382 3383 /* create a fresh copy (not shared with other threads) to clean up */ 3384 const_p = senc; 3385 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3386 if (sess == NULL) 3387 { 3388 OPENSSL_free(senc); 3389 return -1; 3390 } 3391 sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3392 3393 slen = i2d_SSL_SESSION(sess, NULL); 3394 if (slen > slen_full) /* shouldn't ever happen */ 3395 { 3396 OPENSSL_free(senc); 3397 return -1; 3398 } 3399 p = senc; 3400 i2d_SSL_SESSION(sess, &p); 3401 SSL_SESSION_free(sess); 3402 3403 /* Grow buffer if need be: the length calculation is as 3404 * follows 1 (size of message name) + 3 (message length 3405 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3406 * 16 (key name) + max_iv_len (iv length) + 3407 * session_length + max_enc_block_size (max encrypted session 3408 * length) + max_md_size (HMAC). 3409 */ 3410 if (!BUF_MEM_grow(s->init_buf, 3411 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3412 EVP_MAX_MD_SIZE + slen)) 3413 return -1; 3414 3415 p=(unsigned char *)s->init_buf->data; 3416 /* do the header */ 3417 *(p++)=SSL3_MT_NEWSESSION_TICKET; 3418 /* Skip message length for now */ 3419 p += 3; 3420 EVP_CIPHER_CTX_init(&ctx); 3421 HMAC_CTX_init(&hctx); 3422 /* Initialize HMAC and cipher contexts. If callback present 3423 * it does all the work otherwise use generated values 3424 * from parent ctx. 3425 */ 3426 if (tctx->tlsext_ticket_key_cb) 3427 { 3428 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3429 &hctx, 1) < 0) 3430 { 3431 OPENSSL_free(senc); 3432 return -1; 3433 } 3434 } 3435 else 3436 { 3437 RAND_pseudo_bytes(iv, 16); 3438 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3439 tctx->tlsext_tick_aes_key, iv); 3440 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3441 tlsext_tick_md(), NULL); 3442 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3443 } 3444 3445 /* Ticket lifetime hint (advisory only): 3446 * We leave this unspecified for resumed session (for simplicity), 3447 * and guess that tickets for new sessions will live as long 3448 * as their sessions. */ 3449 l2n(s->hit ? 0 : s->session->timeout, p); 3450 3451 /* Skip ticket length for now */ 3452 p += 2; 3453 /* Output key name */ 3454 macstart = p; 3455 memcpy(p, key_name, 16); 3456 p += 16; 3457 /* output IV */ 3458 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 3459 p += EVP_CIPHER_CTX_iv_length(&ctx); 3460 /* Encrypt session data */ 3461 EVP_EncryptUpdate(&ctx, p, &len, senc, slen); 3462 p += len; 3463 EVP_EncryptFinal(&ctx, p, &len); 3464 p += len; 3465 EVP_CIPHER_CTX_cleanup(&ctx); 3466 3467 HMAC_Update(&hctx, macstart, p - macstart); 3468 HMAC_Final(&hctx, p, &hlen); 3469 HMAC_CTX_cleanup(&hctx); 3470 3471 p += hlen; 3472 /* Now write out lengths: p points to end of data written */ 3473 /* Total length */ 3474 len = p - (unsigned char *)s->init_buf->data; 3475 p=(unsigned char *)s->init_buf->data + 1; 3476 l2n3(len - 4, p); /* Message length */ 3477 p += 4; 3478 s2n(len - 10, p); /* Ticket length */ 3479 3480 /* number of bytes to write */ 3481 s->init_num= len; 3482 s->state=SSL3_ST_SW_SESSION_TICKET_B; 3483 s->init_off=0; 3484 OPENSSL_free(senc); 3485 } 3486 3487 /* SSL3_ST_SW_SESSION_TICKET_B */ 3488 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3489 } 3490 3491int ssl3_send_cert_status(SSL *s) 3492 { 3493 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 3494 { 3495 unsigned char *p; 3496 /* Grow buffer if need be: the length calculation is as 3497 * follows 1 (message type) + 3 (message length) + 3498 * 1 (ocsp response type) + 3 (ocsp response length) 3499 * + (ocsp response) 3500 */ 3501 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 3502 return -1; 3503 3504 p=(unsigned char *)s->init_buf->data; 3505 3506 /* do the header */ 3507 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 3508 /* message length */ 3509 l2n3(s->tlsext_ocsp_resplen + 4, p); 3510 /* status type */ 3511 *(p++)= s->tlsext_status_type; 3512 /* length of OCSP response */ 3513 l2n3(s->tlsext_ocsp_resplen, p); 3514 /* actual response */ 3515 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 3516 /* number of bytes to write */ 3517 s->init_num = 8 + s->tlsext_ocsp_resplen; 3518 s->state=SSL3_ST_SW_CERT_STATUS_B; 3519 s->init_off = 0; 3520 } 3521 3522 /* SSL3_ST_SW_CERT_STATUS_B */ 3523 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3524 } 3525 3526# ifndef OPENSSL_NO_NEXTPROTONEG 3527/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 3528 * sets the next_proto member in s if found */ 3529int ssl3_get_next_proto(SSL *s) 3530 { 3531 int ok; 3532 int proto_len, padding_len; 3533 long n; 3534 const unsigned char *p; 3535 3536 /* Clients cannot send a NextProtocol message if we didn't see the 3537 * extension in their ClientHello */ 3538 if (!s->s3->next_proto_neg_seen) 3539 { 3540 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); 3541 return -1; 3542 } 3543 3544 n=s->method->ssl_get_message(s, 3545 SSL3_ST_SR_NEXT_PROTO_A, 3546 SSL3_ST_SR_NEXT_PROTO_B, 3547 SSL3_MT_NEXT_PROTO, 3548 514, /* See the payload format below */ 3549 &ok); 3550 3551 if (!ok) 3552 return((int)n); 3553 3554 /* s->state doesn't reflect whether ChangeCipherSpec has been received 3555 * in this handshake, but s->s3->change_cipher_spec does (will be reset 3556 * by ssl3_get_finished). */ 3557 if (!s->s3->change_cipher_spec) 3558 { 3559 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); 3560 return -1; 3561 } 3562 3563 if (n < 2) 3564 return 0; /* The body must be > 1 bytes long */ 3565 3566 p=(unsigned char *)s->init_msg; 3567 3568 /* The payload looks like: 3569 * uint8 proto_len; 3570 * uint8 proto[proto_len]; 3571 * uint8 padding_len; 3572 * uint8 padding[padding_len]; 3573 */ 3574 proto_len = p[0]; 3575 if (proto_len + 2 > s->init_num) 3576 return 0; 3577 padding_len = p[proto_len + 1]; 3578 if (proto_len + padding_len + 2 != s->init_num) 3579 return 0; 3580 3581 s->next_proto_negotiated = OPENSSL_malloc(proto_len); 3582 if (!s->next_proto_negotiated) 3583 { 3584 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE); 3585 return 0; 3586 } 3587 memcpy(s->next_proto_negotiated, p + 1, proto_len); 3588 s->next_proto_negotiated_len = proto_len; 3589 3590 return 1; 3591 } 3592# endif 3593#endif 3594