155714Skris/* ssl/s3_both.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 8296341Sdelphij * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15296341Sdelphij * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 22296341Sdelphij * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 37296341Sdelphij * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40296341Sdelphij * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 52296341Sdelphij * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5859191Skris/* ==================================================================== 59100928Snectar * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 6059191Skris * 6159191Skris * Redistribution and use in source and binary forms, with or without 6259191Skris * modification, are permitted provided that the following conditions 6359191Skris * are met: 6459191Skris * 6559191Skris * 1. Redistributions of source code must retain the above copyright 66296341Sdelphij * notice, this list of conditions and the following disclaimer. 6759191Skris * 6859191Skris * 2. Redistributions in binary form must reproduce the above copyright 6959191Skris * notice, this list of conditions and the following disclaimer in 7059191Skris * the documentation and/or other materials provided with the 7159191Skris * distribution. 7259191Skris * 7359191Skris * 3. All advertising materials mentioning features or use of this 7459191Skris * software must display the following acknowledgment: 7559191Skris * "This product includes software developed by the OpenSSL Project 7659191Skris * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 7759191Skris * 7859191Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 7959191Skris * endorse or promote products derived from this software without 8059191Skris * prior written permission. For written permission, please contact 8159191Skris * openssl-core@openssl.org. 8259191Skris * 8359191Skris * 5. Products derived from this software may not be called "OpenSSL" 8459191Skris * nor may "OpenSSL" appear in their names without prior written 8559191Skris * permission of the OpenSSL Project. 8659191Skris * 8759191Skris * 6. Redistributions of any form whatsoever must retain the following 8859191Skris * acknowledgment: 8959191Skris * "This product includes software developed by the OpenSSL Project 9059191Skris * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 9159191Skris * 9259191Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 9359191Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 9459191Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 9559191Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 9659191Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 9759191Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 9859191Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 9959191Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 10059191Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 10159191Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 10259191Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 10359191Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 10459191Skris * ==================================================================== 10559191Skris * 10659191Skris * This product includes cryptographic software written by Eric Young 10759191Skris * (eay@cryptsoft.com). This product includes software written by Tim 10859191Skris * Hudson (tjh@cryptsoft.com). 10959191Skris * 11059191Skris */ 111160814Ssimon/* ==================================================================== 112160814Ssimon * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113296341Sdelphij * ECC cipher suite support in OpenSSL originally developed by 114160814Ssimon * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115160814Ssimon */ 11655714Skris 117109998Smarkm#include <limits.h> 11859191Skris#include <string.h> 11955714Skris#include <stdio.h> 120109998Smarkm#include "ssl_locl.h" 12155714Skris#include <openssl/buffer.h> 12255714Skris#include <openssl/rand.h> 12355714Skris#include <openssl/objects.h> 12455714Skris#include <openssl/evp.h> 12555714Skris#include <openssl/x509.h> 12655714Skris 127296341Sdelphij/* 128296341Sdelphij * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 129296341Sdelphij * SSL3_RT_CHANGE_CIPHER_SPEC) 130296341Sdelphij */ 13159191Skrisint ssl3_do_write(SSL *s, int type) 132296341Sdelphij{ 133296341Sdelphij int ret; 13459191Skris 135296341Sdelphij ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], 136296341Sdelphij s->init_num); 137296341Sdelphij if (ret < 0) 138296341Sdelphij return (-1); 139296341Sdelphij if (type == SSL3_RT_HANDSHAKE) 140296341Sdelphij /* 141296341Sdelphij * should not be done for 'Hello Request's, but in that case we'll 142296341Sdelphij * ignore the result anyway 143296341Sdelphij */ 144296341Sdelphij ssl3_finish_mac(s, (unsigned char *)&s->init_buf->data[s->init_off], 145296341Sdelphij ret); 14659191Skris 147296341Sdelphij if (ret == s->init_num) { 148296341Sdelphij if (s->msg_callback) 149296341Sdelphij s->msg_callback(1, s->version, type, s->init_buf->data, 150296341Sdelphij (size_t)(s->init_off + s->init_num), s, 151296341Sdelphij s->msg_callback_arg); 152296341Sdelphij return (1); 153296341Sdelphij } 154296341Sdelphij s->init_off += ret; 155296341Sdelphij s->init_num -= ret; 156296341Sdelphij return (0); 157296341Sdelphij} 158296341Sdelphij 15959191Skrisint ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) 160296341Sdelphij{ 161296341Sdelphij unsigned char *p, *d; 162296341Sdelphij int i; 163296341Sdelphij unsigned long l; 16455714Skris 165296341Sdelphij if (s->state == a) { 166296341Sdelphij d = (unsigned char *)s->init_buf->data; 167296341Sdelphij p = &(d[4]); 16855714Skris 169296341Sdelphij i = s->method->ssl3_enc->final_finish_mac(s, 170296341Sdelphij sender, slen, 171296341Sdelphij s->s3->tmp.finish_md); 172296341Sdelphij if (i <= 0) 173296341Sdelphij return 0; 174296341Sdelphij s->s3->tmp.finish_md_len = i; 175296341Sdelphij memcpy(p, s->s3->tmp.finish_md, i); 176296341Sdelphij p += i; 177296341Sdelphij l = i; 17855714Skris 179296341Sdelphij /* 180296341Sdelphij * Copy the finished so we can use it for renegotiation checks 181296341Sdelphij */ 182296341Sdelphij if (s->type == SSL_ST_CONNECT) { 183296341Sdelphij OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 184296341Sdelphij memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, i); 185296341Sdelphij s->s3->previous_client_finished_len = i; 186296341Sdelphij } else { 187296341Sdelphij OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 188296341Sdelphij memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, i); 189296341Sdelphij s->s3->previous_server_finished_len = i; 190296341Sdelphij } 191205128Ssimon 192109998Smarkm#ifdef OPENSSL_SYS_WIN16 193296341Sdelphij /* 194296341Sdelphij * MSVC 1.5 does not clear the top bytes of the word unless I do 195296341Sdelphij * this. 196296341Sdelphij */ 197296341Sdelphij l &= 0xffff; 19855714Skris#endif 19955714Skris 200296341Sdelphij *(d++) = SSL3_MT_FINISHED; 201296341Sdelphij l2n3(l, d); 202296341Sdelphij s->init_num = (int)l + 4; 203296341Sdelphij s->init_off = 0; 20455714Skris 205296341Sdelphij s->state = b; 206296341Sdelphij } 20755714Skris 208296341Sdelphij /* SSL3_ST_SEND_xxxxxx_HELLO_B */ 209296341Sdelphij return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 210296341Sdelphij} 21155714Skris 212238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 213296341Sdelphij/* 214296341Sdelphij * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen 215296341Sdelphij * to far. 216296341Sdelphij */ 217246772Sjkimstatic void ssl3_take_mac(SSL *s) 218296341Sdelphij{ 219296341Sdelphij const char *sender; 220296341Sdelphij int slen; 221296341Sdelphij /* 222296341Sdelphij * If no new cipher setup return immediately: other functions will set 223296341Sdelphij * the appropriate error. 224296341Sdelphij */ 225296341Sdelphij if (s->s3->tmp.new_cipher == NULL) 226296341Sdelphij return; 227296341Sdelphij if (s->state & SSL_ST_CONNECT) { 228296341Sdelphij sender = s->method->ssl3_enc->server_finished_label; 229296341Sdelphij slen = s->method->ssl3_enc->server_finished_label_len; 230296341Sdelphij } else { 231296341Sdelphij sender = s->method->ssl3_enc->client_finished_label; 232296341Sdelphij slen = s->method->ssl3_enc->client_finished_label_len; 233296341Sdelphij } 234238405Sjkim 235296341Sdelphij s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 236296341Sdelphij sender, 237296341Sdelphij slen, 238296341Sdelphij s->s3->tmp.peer_finish_md); 239296341Sdelphij} 240238405Sjkim#endif 241238405Sjkim 24255714Skrisint ssl3_get_finished(SSL *s, int a, int b) 243296341Sdelphij{ 244296341Sdelphij int al, i, ok; 245296341Sdelphij long n; 246296341Sdelphij unsigned char *p; 24755714Skris 248238405Sjkim#ifdef OPENSSL_NO_NEXTPROTONEG 249296341Sdelphij /* 250296341Sdelphij * the mac has already been generated when we received the change cipher 251296341Sdelphij * spec message and is in s->s3->tmp.peer_finish_md. 252296341Sdelphij */ 253238405Sjkim#endif 25455714Skris 255296341Sdelphij /* 64 argument should actually be 36+4 :-) */ 256296341Sdelphij n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); 25755714Skris 258296341Sdelphij if (!ok) 259296341Sdelphij return ((int)n); 26055714Skris 261296341Sdelphij /* If this occurs, we have missed a message */ 262296341Sdelphij if (!s->s3->change_cipher_spec) { 263296341Sdelphij al = SSL_AD_UNEXPECTED_MESSAGE; 264296341Sdelphij SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); 265296341Sdelphij goto f_err; 266296341Sdelphij } 267296341Sdelphij s->s3->change_cipher_spec = 0; 26855714Skris 269296341Sdelphij p = (unsigned char *)s->init_msg; 270296341Sdelphij i = s->s3->tmp.peer_finish_md_len; 27155714Skris 272296341Sdelphij if (i != n) { 273296341Sdelphij al = SSL_AD_DECODE_ERROR; 274296341Sdelphij SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH); 275296341Sdelphij goto f_err; 276296341Sdelphij } 27755714Skris 278296341Sdelphij if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) { 279296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 280296341Sdelphij SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED); 281296341Sdelphij goto f_err; 282296341Sdelphij } 28355714Skris 284296341Sdelphij /* 285296341Sdelphij * Copy the finished so we can use it for renegotiation checks 286296341Sdelphij */ 287296341Sdelphij if (s->type == SSL_ST_ACCEPT) { 288296341Sdelphij OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 289296341Sdelphij memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, i); 290296341Sdelphij s->s3->previous_client_finished_len = i; 291296341Sdelphij } else { 292296341Sdelphij OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 293296341Sdelphij memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, i); 294296341Sdelphij s->s3->previous_server_finished_len = i; 295296341Sdelphij } 296205128Ssimon 297296341Sdelphij return (1); 298296341Sdelphij f_err: 299296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 300296341Sdelphij return (0); 301296341Sdelphij} 30255714Skris 303296341Sdelphij/*- 304296341Sdelphij * for these 2 messages, we need to 305296341Sdelphij * ssl->enc_read_ctx re-init 306296341Sdelphij * ssl->s3->read_sequence zero 307296341Sdelphij * ssl->s3->read_mac_secret re-init 308296341Sdelphij * ssl->session->read_sym_enc assign 309296341Sdelphij * ssl->session->read_compression assign 310296341Sdelphij * ssl->session->read_hash assign 31155714Skris */ 31255714Skrisint ssl3_send_change_cipher_spec(SSL *s, int a, int b) 313296341Sdelphij{ 314296341Sdelphij unsigned char *p; 31555714Skris 316296341Sdelphij if (s->state == a) { 317296341Sdelphij p = (unsigned char *)s->init_buf->data; 318296341Sdelphij *p = SSL3_MT_CCS; 319296341Sdelphij s->init_num = 1; 320296341Sdelphij s->init_off = 0; 32155714Skris 322296341Sdelphij s->state = b; 323296341Sdelphij } 32455714Skris 325296341Sdelphij /* SSL3_ST_CW_CHANGE_B */ 326296341Sdelphij return (ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC)); 327296341Sdelphij} 32855714Skris 329205128Ssimonstatic int ssl3_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) 330296341Sdelphij{ 331296341Sdelphij int n; 332296341Sdelphij unsigned char *p; 333205128Ssimon 334296341Sdelphij n = i2d_X509(x, NULL); 335296341Sdelphij if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { 336296341Sdelphij SSLerr(SSL_F_SSL3_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); 337296341Sdelphij return (-1); 338296341Sdelphij } 339296341Sdelphij p = (unsigned char *)&(buf->data[*l]); 340296341Sdelphij l2n3(n, p); 341296341Sdelphij i2d_X509(x, &p); 342296341Sdelphij *l += n + 3; 343205128Ssimon 344296341Sdelphij return (0); 345296341Sdelphij} 346205128Ssimon 34755714Skrisunsigned long ssl3_output_cert_chain(SSL *s, X509 *x) 348296341Sdelphij{ 349296341Sdelphij unsigned char *p; 350296341Sdelphij int i; 351296341Sdelphij unsigned long l = 7; 352296341Sdelphij BUF_MEM *buf; 353296341Sdelphij int no_chain; 354111147Snectar 355296341Sdelphij if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) 356296341Sdelphij no_chain = 1; 357296341Sdelphij else 358296341Sdelphij no_chain = 0; 359111147Snectar 360296341Sdelphij /* TLSv1 sends a chain with nothing in it, instead of an alert */ 361296341Sdelphij buf = s->init_buf; 362296341Sdelphij if (!BUF_MEM_grow_clean(buf, 10)) { 363296341Sdelphij SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB); 364296341Sdelphij return (0); 365296341Sdelphij } 366296341Sdelphij if (x != NULL) { 367296341Sdelphij if (no_chain) { 368296341Sdelphij if (ssl3_add_cert_to_buf(buf, &l, x)) 369296341Sdelphij return (0); 370296341Sdelphij } else { 371296341Sdelphij X509_STORE_CTX xs_ctx; 37255714Skris 373296341Sdelphij if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, x, NULL)) { 374296341Sdelphij SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB); 375296341Sdelphij return (0); 376296341Sdelphij } 377296341Sdelphij X509_verify_cert(&xs_ctx); 378296341Sdelphij /* Don't leave errors in the queue */ 379296341Sdelphij ERR_clear_error(); 380296341Sdelphij for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { 381296341Sdelphij x = sk_X509_value(xs_ctx.chain, i); 382111147Snectar 383296341Sdelphij if (ssl3_add_cert_to_buf(buf, &l, x)) { 384296341Sdelphij X509_STORE_CTX_cleanup(&xs_ctx); 385296341Sdelphij return 0; 386296341Sdelphij } 387296341Sdelphij } 388296341Sdelphij X509_STORE_CTX_cleanup(&xs_ctx); 389296341Sdelphij } 390296341Sdelphij } 391296341Sdelphij /* Thawte special :-) */ 392296341Sdelphij for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) { 393296341Sdelphij x = sk_X509_value(s->ctx->extra_certs, i); 394296341Sdelphij if (ssl3_add_cert_to_buf(buf, &l, x)) 395296341Sdelphij return (0); 396296341Sdelphij } 39755714Skris 398296341Sdelphij l -= 7; 399296341Sdelphij p = (unsigned char *)&(buf->data[4]); 400296341Sdelphij l2n3(l, p); 401296341Sdelphij l += 3; 402296341Sdelphij p = (unsigned char *)&(buf->data[0]); 403296341Sdelphij *(p++) = SSL3_MT_CERTIFICATE; 404296341Sdelphij l2n3(l, p); 405296341Sdelphij l += 4; 406296341Sdelphij return (l); 407296341Sdelphij} 40855714Skris 409296341Sdelphij/* 410296341Sdelphij * Obtain handshake message of message type 'mt' (any if mt == -1), maximum 411296341Sdelphij * acceptable body length 'max'. The first four bytes (msg_type and length) 412296341Sdelphij * are read in state 'st1', the body is read in state 'stn'. 41359191Skris */ 41455714Skrislong ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) 415296341Sdelphij{ 416296341Sdelphij unsigned char *p; 417296341Sdelphij unsigned long l; 418296341Sdelphij long n; 419296341Sdelphij int i, al; 42055714Skris 421296341Sdelphij if (s->s3->tmp.reuse_message) { 422296341Sdelphij s->s3->tmp.reuse_message = 0; 423296341Sdelphij if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { 424296341Sdelphij al = SSL_AD_UNEXPECTED_MESSAGE; 425296341Sdelphij SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 426296341Sdelphij goto f_err; 427296341Sdelphij } 428296341Sdelphij *ok = 1; 429296341Sdelphij s->state = stn; 430296341Sdelphij s->init_msg = s->init_buf->data + 4; 431296341Sdelphij s->init_num = (int)s->s3->tmp.message_size; 432296341Sdelphij return s->init_num; 433296341Sdelphij } 43455714Skris 435296341Sdelphij p = (unsigned char *)s->init_buf->data; 43655714Skris 437296341Sdelphij if (s->state == st1) { /* s->init_num < 4 */ 438296341Sdelphij int skip_message; 43959191Skris 440296341Sdelphij do { 441296341Sdelphij while (s->init_num < 4) { 442296341Sdelphij i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, 443296341Sdelphij &p[s->init_num], 444296341Sdelphij 4 - s->init_num, 0); 445296341Sdelphij if (i <= 0) { 446296341Sdelphij s->rwstate = SSL_READING; 447296341Sdelphij *ok = 0; 448296341Sdelphij return i; 449296341Sdelphij } 450296341Sdelphij s->init_num += i; 451296341Sdelphij } 452109998Smarkm 453296341Sdelphij skip_message = 0; 454296341Sdelphij if (!s->server) 455296341Sdelphij if (p[0] == SSL3_MT_HELLO_REQUEST) 456296341Sdelphij /* 457296341Sdelphij * The server may always send 'Hello Request' messages -- 458296341Sdelphij * we are doing a handshake anyway now, so ignore them if 459296341Sdelphij * their format is correct. Does not count for 'Finished' 460296341Sdelphij * MAC. 461296341Sdelphij */ 462296341Sdelphij if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 463296341Sdelphij s->init_num = 0; 464296341Sdelphij skip_message = 1; 46555714Skris 466296341Sdelphij if (s->msg_callback) 467296341Sdelphij s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 468296341Sdelphij p, 4, s, s->msg_callback_arg); 469296341Sdelphij } 470296341Sdelphij } 471296341Sdelphij while (skip_message); 47259191Skris 473296341Sdelphij /* s->init_num == 4 */ 47459191Skris 475296341Sdelphij if ((mt >= 0) && (*p != mt)) { 476296341Sdelphij al = SSL_AD_UNEXPECTED_MESSAGE; 477296341Sdelphij SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 478296341Sdelphij goto f_err; 479296341Sdelphij } 480296341Sdelphij if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) && 481296341Sdelphij (st1 == SSL3_ST_SR_CERT_A) && (stn == SSL3_ST_SR_CERT_B)) { 482296341Sdelphij /* 483296341Sdelphij * At this point we have got an MS SGC second client hello (maybe 484296341Sdelphij * we should always allow the client to start a new handshake?). 485296341Sdelphij * We need to restart the mac. Don't increment 486296341Sdelphij * {num,total}_renegotiations because we have not completed the 487296341Sdelphij * handshake. 488296341Sdelphij */ 489296341Sdelphij ssl3_init_finished_mac(s); 490296341Sdelphij } 49155714Skris 492296341Sdelphij s->s3->tmp.message_type = *(p++); 49355714Skris 494296341Sdelphij n2l3(p, l); 495296341Sdelphij if (l > (unsigned long)max) { 496296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 497296341Sdelphij SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE); 498296341Sdelphij goto f_err; 499296341Sdelphij } 500296341Sdelphij if (l > (INT_MAX - 4)) { /* BUF_MEM_grow takes an 'int' parameter */ 501296341Sdelphij al = SSL_AD_ILLEGAL_PARAMETER; 502296341Sdelphij SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE); 503296341Sdelphij goto f_err; 504296341Sdelphij } 505296341Sdelphij if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4)) { 506296341Sdelphij SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB); 507296341Sdelphij goto err; 508296341Sdelphij } 509296341Sdelphij s->s3->tmp.message_size = l; 510296341Sdelphij s->state = stn; 51155714Skris 512296341Sdelphij s->init_msg = s->init_buf->data + 4; 513296341Sdelphij s->init_num = 0; 514296341Sdelphij } 515246772Sjkim 516296341Sdelphij /* next state (stn) */ 517296341Sdelphij p = s->init_msg; 518296341Sdelphij n = s->s3->tmp.message_size - s->init_num; 519296341Sdelphij while (n > 0) { 520296341Sdelphij i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->init_num], 521296341Sdelphij n, 0); 522296341Sdelphij if (i <= 0) { 523296341Sdelphij s->rwstate = SSL_READING; 524296341Sdelphij *ok = 0; 525296341Sdelphij return i; 526296341Sdelphij } 527296341Sdelphij s->init_num += i; 528296341Sdelphij n -= i; 529296341Sdelphij } 530296341Sdelphij 531238405Sjkim#ifndef OPENSSL_NO_NEXTPROTONEG 532296341Sdelphij /* 533296341Sdelphij * If receiving Finished, record MAC of prior handshake messages for 534296341Sdelphij * Finished verification. 535296341Sdelphij */ 536296341Sdelphij if (*s->init_buf->data == SSL3_MT_FINISHED) 537296341Sdelphij ssl3_take_mac(s); 538238405Sjkim#endif 539246772Sjkim 540296341Sdelphij /* Feed this message into MAC computation. */ 541296341Sdelphij ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 542296341Sdelphij if (s->msg_callback) 543296341Sdelphij s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 544296341Sdelphij (size_t)s->init_num + 4, s, s->msg_callback_arg); 545296341Sdelphij *ok = 1; 546296341Sdelphij return s->init_num; 547296341Sdelphij f_err: 548296341Sdelphij ssl3_send_alert(s, SSL3_AL_FATAL, al); 549296341Sdelphij err: 550296341Sdelphij *ok = 0; 551296341Sdelphij return (-1); 552296341Sdelphij} 55355714Skris 55455714Skrisint ssl_cert_type(X509 *x, EVP_PKEY *pkey) 555296341Sdelphij{ 556296341Sdelphij EVP_PKEY *pk; 557296341Sdelphij int ret = -1, i; 55855714Skris 559296341Sdelphij if (pkey == NULL) 560296341Sdelphij pk = X509_get_pubkey(x); 561296341Sdelphij else 562296341Sdelphij pk = pkey; 563296341Sdelphij if (pk == NULL) 564296341Sdelphij goto err; 56555714Skris 566296341Sdelphij i = pk->type; 567296341Sdelphij if (i == EVP_PKEY_RSA) { 568296341Sdelphij ret = SSL_PKEY_RSA_ENC; 569296341Sdelphij } else if (i == EVP_PKEY_DSA) { 570296341Sdelphij ret = SSL_PKEY_DSA_SIGN; 571296341Sdelphij } 572160814Ssimon#ifndef OPENSSL_NO_EC 573296341Sdelphij else if (i == EVP_PKEY_EC) { 574296341Sdelphij ret = SSL_PKEY_ECC; 575296341Sdelphij } 576238405Sjkim#endif 577296341Sdelphij else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) { 578296341Sdelphij ret = SSL_PKEY_GOST94; 579296341Sdelphij } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) { 580296341Sdelphij ret = SSL_PKEY_GOST01; 581296341Sdelphij } 582296341Sdelphij err: 583296341Sdelphij if (!pkey) 584296341Sdelphij EVP_PKEY_free(pk); 585296341Sdelphij return (ret); 586296341Sdelphij} 58755714Skris 58855714Skrisint ssl_verify_alarm_type(long type) 589296341Sdelphij{ 590296341Sdelphij int al; 59155714Skris 592296341Sdelphij switch (type) { 593296341Sdelphij case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 594296341Sdelphij case X509_V_ERR_UNABLE_TO_GET_CRL: 595296341Sdelphij case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 596296341Sdelphij al = SSL_AD_UNKNOWN_CA; 597296341Sdelphij break; 598296341Sdelphij case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: 599296341Sdelphij case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: 600296341Sdelphij case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: 601296341Sdelphij case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 602296341Sdelphij case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 603296341Sdelphij case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: 604296341Sdelphij case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: 605296341Sdelphij case X509_V_ERR_CERT_NOT_YET_VALID: 606296341Sdelphij case X509_V_ERR_CRL_NOT_YET_VALID: 607296341Sdelphij case X509_V_ERR_CERT_UNTRUSTED: 608296341Sdelphij case X509_V_ERR_CERT_REJECTED: 609296341Sdelphij al = SSL_AD_BAD_CERTIFICATE; 610296341Sdelphij break; 611296341Sdelphij case X509_V_ERR_CERT_SIGNATURE_FAILURE: 612296341Sdelphij case X509_V_ERR_CRL_SIGNATURE_FAILURE: 613296341Sdelphij al = SSL_AD_DECRYPT_ERROR; 614296341Sdelphij break; 615296341Sdelphij case X509_V_ERR_CERT_HAS_EXPIRED: 616296341Sdelphij case X509_V_ERR_CRL_HAS_EXPIRED: 617296341Sdelphij al = SSL_AD_CERTIFICATE_EXPIRED; 618296341Sdelphij break; 619296341Sdelphij case X509_V_ERR_CERT_REVOKED: 620296341Sdelphij al = SSL_AD_CERTIFICATE_REVOKED; 621296341Sdelphij break; 622296341Sdelphij case X509_V_ERR_OUT_OF_MEM: 623296341Sdelphij al = SSL_AD_INTERNAL_ERROR; 624296341Sdelphij break; 625296341Sdelphij case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 626296341Sdelphij case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 627296341Sdelphij case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 628296341Sdelphij case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 629296341Sdelphij case X509_V_ERR_CERT_CHAIN_TOO_LONG: 630296341Sdelphij case X509_V_ERR_PATH_LENGTH_EXCEEDED: 631296341Sdelphij case X509_V_ERR_INVALID_CA: 632296341Sdelphij al = SSL_AD_UNKNOWN_CA; 633296341Sdelphij break; 634296341Sdelphij case X509_V_ERR_APPLICATION_VERIFICATION: 635296341Sdelphij al = SSL_AD_HANDSHAKE_FAILURE; 636296341Sdelphij break; 637296341Sdelphij case X509_V_ERR_INVALID_PURPOSE: 638296341Sdelphij al = SSL_AD_UNSUPPORTED_CERTIFICATE; 639296341Sdelphij break; 640296341Sdelphij default: 641296341Sdelphij al = SSL_AD_CERTIFICATE_UNKNOWN; 642296341Sdelphij break; 643296341Sdelphij } 644296341Sdelphij return (al); 645296341Sdelphij} 64655714Skris 647238405Sjkim#ifndef OPENSSL_NO_BUF_FREELISTS 648296341Sdelphij/*- 649296341Sdelphij * On some platforms, malloc() performance is bad enough that you can't just 650238405Sjkim * free() and malloc() buffers all the time, so we need to use freelists from 651238405Sjkim * unused buffers. Currently, each freelist holds memory chunks of only a 652238405Sjkim * given size (list->chunklen); other sized chunks are freed and malloced. 653238405Sjkim * This doesn't help much if you're using many different SSL option settings 654238405Sjkim * with a given context. (The options affecting buffer size are 655238405Sjkim * max_send_fragment, read buffer vs write buffer, 656238405Sjkim * SSL_OP_MICROSOFT_BIG_WRITE_BUFFER, SSL_OP_NO_COMPRESSION, and 657238405Sjkim * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.) Using a separate freelist for every 658238405Sjkim * possible size is not an option, since max_send_fragment can take on many 659238405Sjkim * different values. 660238405Sjkim * 661238405Sjkim * If you are on a platform with a slow malloc(), and you're using SSL 662238405Sjkim * connections with many different settings for these options, and you need to 663238405Sjkim * use the SSL_MOD_RELEASE_BUFFERS feature, you have a few options: 664238405Sjkim * - Link against a faster malloc implementation. 665238405Sjkim * - Use a separate SSL_CTX for each option set. 666238405Sjkim * - Improve this code. 667238405Sjkim */ 668296341Sdelphijstatic void *freelist_extract(SSL_CTX *ctx, int for_read, int sz) 669296341Sdelphij{ 670296341Sdelphij SSL3_BUF_FREELIST *list; 671296341Sdelphij SSL3_BUF_FREELIST_ENTRY *ent = NULL; 672296341Sdelphij void *result = NULL; 673238405Sjkim 674296341Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 675296341Sdelphij list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist; 676296341Sdelphij if (list != NULL && sz == (int)list->chunklen) 677296341Sdelphij ent = list->head; 678296341Sdelphij if (ent != NULL) { 679296341Sdelphij list->head = ent->next; 680296341Sdelphij result = ent; 681296341Sdelphij if (--list->len == 0) 682296341Sdelphij list->chunklen = 0; 683296341Sdelphij } 684296341Sdelphij CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 685296341Sdelphij if (!result) 686296341Sdelphij result = OPENSSL_malloc(sz); 687296341Sdelphij return result; 688238405Sjkim} 689238405Sjkim 690296341Sdelphijstatic void freelist_insert(SSL_CTX *ctx, int for_read, size_t sz, void *mem) 691296341Sdelphij{ 692296341Sdelphij SSL3_BUF_FREELIST *list; 693296341Sdelphij SSL3_BUF_FREELIST_ENTRY *ent; 694238405Sjkim 695296341Sdelphij CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 696296341Sdelphij list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist; 697296341Sdelphij if (list != NULL && 698296341Sdelphij (sz == list->chunklen || list->chunklen == 0) && 699296341Sdelphij list->len < ctx->freelist_max_len && sz >= sizeof(*ent)) { 700296341Sdelphij list->chunklen = sz; 701296341Sdelphij ent = mem; 702296341Sdelphij ent->next = list->head; 703296341Sdelphij list->head = ent; 704296341Sdelphij ++list->len; 705296341Sdelphij mem = NULL; 706296341Sdelphij } 707238405Sjkim 708296341Sdelphij CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 709296341Sdelphij if (mem) 710296341Sdelphij OPENSSL_free(mem); 711296341Sdelphij} 712238405Sjkim#else 713296341Sdelphij# define freelist_extract(c,fr,sz) OPENSSL_malloc(sz) 714296341Sdelphij# define freelist_insert(c,fr,sz,m) OPENSSL_free(m) 715238405Sjkim#endif 716238405Sjkim 717238405Sjkimint ssl3_setup_read_buffer(SSL *s) 718296341Sdelphij{ 719296341Sdelphij unsigned char *p; 720296341Sdelphij size_t len, align = 0, headerlen; 721205128Ssimon 722296341Sdelphij if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 723296341Sdelphij headerlen = DTLS1_RT_HEADER_LENGTH; 724296341Sdelphij else 725296341Sdelphij headerlen = SSL3_RT_HEADER_LENGTH; 726296341Sdelphij 727238405Sjkim#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 728296341Sdelphij align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 729238405Sjkim#endif 730238405Sjkim 731296341Sdelphij if (s->s3->rbuf.buf == NULL) { 732296341Sdelphij len = SSL3_RT_MAX_PLAIN_LENGTH 733296341Sdelphij + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 734296341Sdelphij if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) { 735296341Sdelphij s->s3->init_extra = 1; 736296341Sdelphij len += SSL3_RT_MAX_EXTRA; 737296341Sdelphij } 738238405Sjkim#ifndef OPENSSL_NO_COMP 739296341Sdelphij if (!(s->options & SSL_OP_NO_COMPRESSION)) 740296341Sdelphij len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; 741238405Sjkim#endif 742296341Sdelphij if ((p = freelist_extract(s->ctx, 1, len)) == NULL) 743296341Sdelphij goto err; 744296341Sdelphij s->s3->rbuf.buf = p; 745296341Sdelphij s->s3->rbuf.len = len; 746296341Sdelphij } 74755714Skris 748296341Sdelphij s->packet = &(s->s3->rbuf.buf[0]); 749296341Sdelphij return 1; 750238405Sjkim 751296341Sdelphij err: 752296341Sdelphij SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE); 753296341Sdelphij return 0; 754296341Sdelphij} 755238405Sjkim 756238405Sjkimint ssl3_setup_write_buffer(SSL *s) 757296341Sdelphij{ 758296341Sdelphij unsigned char *p; 759296341Sdelphij size_t len, align = 0, headerlen; 760238405Sjkim 761296341Sdelphij if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 762296341Sdelphij headerlen = DTLS1_RT_HEADER_LENGTH + 1; 763296341Sdelphij else 764296341Sdelphij headerlen = SSL3_RT_HEADER_LENGTH; 765238405Sjkim 766238405Sjkim#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 767296341Sdelphij align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); 768238405Sjkim#endif 769238405Sjkim 770296341Sdelphij if (s->s3->wbuf.buf == NULL) { 771296341Sdelphij len = s->max_send_fragment 772296341Sdelphij + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; 773238405Sjkim#ifndef OPENSSL_NO_COMP 774296341Sdelphij if (!(s->options & SSL_OP_NO_COMPRESSION)) 775296341Sdelphij len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; 776238405Sjkim#endif 777296341Sdelphij if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 778296341Sdelphij len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; 779238405Sjkim 780296341Sdelphij if ((p = freelist_extract(s->ctx, 0, len)) == NULL) 781296341Sdelphij goto err; 782296341Sdelphij s->s3->wbuf.buf = p; 783296341Sdelphij s->s3->wbuf.len = len; 784296341Sdelphij } 785238405Sjkim 786296341Sdelphij return 1; 787238405Sjkim 788296341Sdelphij err: 789296341Sdelphij SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); 790296341Sdelphij return 0; 791296341Sdelphij} 792238405Sjkim 793238405Sjkimint ssl3_setup_buffers(SSL *s) 794296341Sdelphij{ 795296341Sdelphij if (!ssl3_setup_read_buffer(s)) 796296341Sdelphij return 0; 797296341Sdelphij if (!ssl3_setup_write_buffer(s)) 798296341Sdelphij return 0; 799296341Sdelphij return 1; 800296341Sdelphij} 801238405Sjkim 802238405Sjkimint ssl3_release_write_buffer(SSL *s) 803296341Sdelphij{ 804296341Sdelphij if (s->s3->wbuf.buf != NULL) { 805296341Sdelphij freelist_insert(s->ctx, 0, s->s3->wbuf.len, s->s3->wbuf.buf); 806296341Sdelphij s->s3->wbuf.buf = NULL; 807296341Sdelphij } 808296341Sdelphij return 1; 809296341Sdelphij} 810238405Sjkim 811238405Sjkimint ssl3_release_read_buffer(SSL *s) 812296341Sdelphij{ 813296341Sdelphij if (s->s3->rbuf.buf != NULL) { 814296341Sdelphij freelist_insert(s->ctx, 1, s->s3->rbuf.len, s->s3->rbuf.buf); 815296341Sdelphij s->s3->rbuf.buf = NULL; 816296341Sdelphij } 817296341Sdelphij return 1; 818296341Sdelphij} 819