diff options
| author | djm <> | 2008-09-06 12:17:54 +0000 | 
|---|---|---|
| committer | djm <> | 2008-09-06 12:17:54 +0000 | 
| commit | 38ce604e3cc97706b876b0525ddff0121115456d (patch) | |
| tree | 7ccc28afe1789ea3dbedf72365f955d5b8e105b5 /src/lib/libssl/s3_clnt.c | |
| parent | 12867252827c8efaa8ddd1fa3b3d6e321e2bcdef (diff) | |
| download | openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.gz openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.bz2 openbsd-38ce604e3cc97706b876b0525ddff0121115456d.zip | |
resolve conflicts
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 1021 | 
1 files changed, 877 insertions, 144 deletions
| diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 4163d97944..9a87c1cfb3 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -56,7 +56,7 @@ | |||
| 56 | * [including the GNU Public Licence.] | 56 | * [including the GNU Public Licence.] | 
| 57 | */ | 57 | */ | 
| 58 | /* ==================================================================== | 58 | /* ==================================================================== | 
| 59 | * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. | 59 | * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. | 
| 60 | * | 60 | * | 
| 61 | * Redistribution and use in source and binary forms, with or without | 61 | * Redistribution and use in source and binary forms, with or without | 
| 62 | * modification, are permitted provided that the following conditions | 62 | * modification, are permitted provided that the following conditions | 
| @@ -108,6 +108,19 @@ | |||
| 108 | * Hudson (tjh@cryptsoft.com). | 108 | * Hudson (tjh@cryptsoft.com). | 
| 109 | * | 109 | * | 
| 110 | */ | 110 | */ | 
| 111 | /* ==================================================================== | ||
| 112 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. | ||
| 113 | * | ||
| 114 | * Portions of the attached software ("Contribution") are developed by | ||
| 115 | * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. | ||
| 116 | * | ||
| 117 | * The Contribution is licensed pursuant to the OpenSSL open source | ||
| 118 | * license provided above. | ||
| 119 | * | ||
| 120 | * ECC cipher suite support in OpenSSL originally written by | ||
| 121 | * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. | ||
| 122 | * | ||
| 123 | */ | ||
| 111 | 124 | ||
| 112 | #include <stdio.h> | 125 | #include <stdio.h> | 
| 113 | #include "ssl_locl.h" | 126 | #include "ssl_locl.h" | 
| @@ -117,20 +130,22 @@ | |||
| 117 | #include <openssl/objects.h> | 130 | #include <openssl/objects.h> | 
| 118 | #include <openssl/evp.h> | 131 | #include <openssl/evp.h> | 
| 119 | #include <openssl/md5.h> | 132 | #include <openssl/md5.h> | 
| 120 | #include <openssl/fips.h> | 133 | #ifndef OPENSSL_NO_DH | 
| 134 | #include <openssl/dh.h> | ||
| 135 | #endif | ||
| 136 | #include <openssl/bn.h> | ||
| 121 | 137 | ||
| 122 | static SSL_METHOD *ssl3_get_client_method(int ver); | 138 | static SSL_METHOD *ssl3_get_client_method(int ver); | 
| 123 | static int ssl3_client_hello(SSL *s); | ||
| 124 | static int ssl3_get_server_hello(SSL *s); | ||
| 125 | static int ssl3_get_certificate_request(SSL *s); | ||
| 126 | static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); | 139 | static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); | 
| 127 | static int ssl3_get_server_done(SSL *s); | 140 | #ifndef OPENSSL_NO_TLSEXT | 
| 128 | static int ssl3_send_client_verify(SSL *s); | 141 | static int ssl3_check_finished(SSL *s); | 
| 129 | static int ssl3_send_client_certificate(SSL *s); | 142 | #endif | 
| 130 | static int ssl3_send_client_key_exchange(SSL *s); | 143 | |
| 131 | static int ssl3_get_key_exchange(SSL *s); | 144 | #ifndef OPENSSL_NO_ECDH | 
| 132 | static int ssl3_get_server_certificate(SSL *s); | 145 | static int curve_id2nid(int curve_id); | 
| 133 | static int ssl3_check_cert_and_algorithm(SSL *s); | 146 | int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs); | 
| 147 | #endif | ||
| 148 | |||
| 134 | static SSL_METHOD *ssl3_get_client_method(int ver) | 149 | static SSL_METHOD *ssl3_get_client_method(int ver) | 
| 135 | { | 150 | { | 
| 136 | if (ver == SSL3_VERSION) | 151 | if (ver == SSL3_VERSION) | 
| @@ -139,28 +154,10 @@ static SSL_METHOD *ssl3_get_client_method(int ver) | |||
| 139 | return(NULL); | 154 | return(NULL); | 
| 140 | } | 155 | } | 
| 141 | 156 | ||
| 142 | SSL_METHOD *SSLv3_client_method(void) | 157 | IMPLEMENT_ssl3_meth_func(SSLv3_client_method, | 
| 143 | { | 158 | ssl_undefined_function, | 
| 144 | static int init=1; | 159 | ssl3_connect, | 
| 145 | static SSL_METHOD SSLv3_client_data; | 160 | ssl3_get_client_method) | 
| 146 | |||
| 147 | if (init) | ||
| 148 | { | ||
| 149 | CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); | ||
| 150 | |||
| 151 | if (init) | ||
| 152 | { | ||
| 153 | memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), | ||
| 154 | sizeof(SSL_METHOD)); | ||
| 155 | SSLv3_client_data.ssl_connect=ssl3_connect; | ||
| 156 | SSLv3_client_data.get_ssl_method=ssl3_get_client_method; | ||
| 157 | init=0; | ||
| 158 | } | ||
| 159 | |||
| 160 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); | ||
| 161 | } | ||
| 162 | return(&SSLv3_client_data); | ||
| 163 | } | ||
| 164 | 161 | ||
| 165 | int ssl3_connect(SSL *s) | 162 | int ssl3_connect(SSL *s) | 
| 166 | { | 163 | { | 
| @@ -270,15 +267,43 @@ int ssl3_connect(SSL *s) | |||
| 270 | 267 | ||
| 271 | case SSL3_ST_CR_CERT_A: | 268 | case SSL3_ST_CR_CERT_A: | 
| 272 | case SSL3_ST_CR_CERT_B: | 269 | case SSL3_ST_CR_CERT_B: | 
| 273 | /* Check if it is anon DH */ | 270 | #ifndef OPENSSL_NO_TLSEXT | 
| 271 | ret=ssl3_check_finished(s); | ||
| 272 | if (ret <= 0) goto end; | ||
| 273 | if (ret == 2) | ||
| 274 | { | ||
| 275 | s->hit = 1; | ||
| 276 | if (s->tlsext_ticket_expected) | ||
| 277 | s->state=SSL3_ST_CR_SESSION_TICKET_A; | ||
| 278 | else | ||
| 279 | s->state=SSL3_ST_CR_FINISHED_A; | ||
| 280 | s->init_num=0; | ||
| 281 | break; | ||
| 282 | } | ||
| 283 | #endif | ||
| 284 | /* Check if it is anon DH/ECDH */ | ||
| 274 | if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) | 285 | if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) | 
| 275 | { | 286 | { | 
| 276 | ret=ssl3_get_server_certificate(s); | 287 | ret=ssl3_get_server_certificate(s); | 
| 277 | if (ret <= 0) goto end; | 288 | if (ret <= 0) goto end; | 
| 289 | #ifndef OPENSSL_NO_TLSEXT | ||
| 290 | if (s->tlsext_status_expected) | ||
| 291 | s->state=SSL3_ST_CR_CERT_STATUS_A; | ||
| 292 | else | ||
| 293 | s->state=SSL3_ST_CR_KEY_EXCH_A; | ||
| 294 | } | ||
| 295 | else | ||
| 296 | { | ||
| 297 | skip = 1; | ||
| 298 | s->state=SSL3_ST_CR_KEY_EXCH_A; | ||
| 299 | } | ||
| 300 | #else | ||
| 278 | } | 301 | } | 
| 279 | else | 302 | else | 
| 280 | skip=1; | 303 | skip=1; | 
| 304 | |||
| 281 | s->state=SSL3_ST_CR_KEY_EXCH_A; | 305 | s->state=SSL3_ST_CR_KEY_EXCH_A; | 
| 306 | #endif | ||
| 282 | s->init_num=0; | 307 | s->init_num=0; | 
| 283 | break; | 308 | break; | 
| 284 | 309 | ||
| @@ -337,6 +362,13 @@ int ssl3_connect(SSL *s) | |||
| 337 | * sent back */ | 362 | * sent back */ | 
| 338 | /* For TLS, cert_req is set to 2, so a cert chain | 363 | /* For TLS, cert_req is set to 2, so a cert chain | 
| 339 | * of nothing is sent, but no verify packet is sent */ | 364 | * of nothing is sent, but no verify packet is sent */ | 
| 365 | /* XXX: For now, we do not support client | ||
| 366 | * authentication in ECDH cipher suites with | ||
| 367 | * ECDH (rather than ECDSA) certificates. | ||
| 368 | * We need to skip the certificate verify | ||
| 369 | * message when client's ECDH public key is sent | ||
| 370 | * inside the client certificate. | ||
| 371 | */ | ||
| 340 | if (s->s3->tmp.cert_req == 1) | 372 | if (s->s3->tmp.cert_req == 1) | 
| 341 | { | 373 | { | 
| 342 | s->state=SSL3_ST_CW_CERT_VRFY_A; | 374 | s->state=SSL3_ST_CW_CERT_VRFY_A; | 
| @@ -368,11 +400,15 @@ int ssl3_connect(SSL *s) | |||
| 368 | s->init_num=0; | 400 | s->init_num=0; | 
| 369 | 401 | ||
| 370 | s->session->cipher=s->s3->tmp.new_cipher; | 402 | s->session->cipher=s->s3->tmp.new_cipher; | 
| 403 | #ifdef OPENSSL_NO_COMP | ||
| 404 | s->session->compress_meth=0; | ||
| 405 | #else | ||
| 371 | if (s->s3->tmp.new_compression == NULL) | 406 | if (s->s3->tmp.new_compression == NULL) | 
| 372 | s->session->compress_meth=0; | 407 | s->session->compress_meth=0; | 
| 373 | else | 408 | else | 
| 374 | s->session->compress_meth= | 409 | s->session->compress_meth= | 
| 375 | s->s3->tmp.new_compression->id; | 410 | s->s3->tmp.new_compression->id; | 
| 411 | #endif | ||
| 376 | if (!s->method->ssl3_enc->setup_key_block(s)) | 412 | if (!s->method->ssl3_enc->setup_key_block(s)) | 
| 377 | { | 413 | { | 
| 378 | ret= -1; | 414 | ret= -1; | 
| @@ -411,11 +447,36 @@ int ssl3_connect(SSL *s) | |||
| 411 | } | 447 | } | 
| 412 | else | 448 | else | 
| 413 | { | 449 | { | 
| 450 | #ifndef OPENSSL_NO_TLSEXT | ||
| 451 | /* Allow NewSessionTicket if ticket expected */ | ||
| 452 | if (s->tlsext_ticket_expected) | ||
| 453 | s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; | ||
| 454 | else | ||
| 455 | #endif | ||
| 456 | |||
| 414 | s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; | 457 | s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; | 
| 415 | } | 458 | } | 
| 416 | s->init_num=0; | 459 | s->init_num=0; | 
| 417 | break; | 460 | break; | 
| 418 | 461 | ||
| 462 | #ifndef OPENSSL_NO_TLSEXT | ||
| 463 | case SSL3_ST_CR_SESSION_TICKET_A: | ||
| 464 | case SSL3_ST_CR_SESSION_TICKET_B: | ||
| 465 | ret=ssl3_get_new_session_ticket(s); | ||
| 466 | if (ret <= 0) goto end; | ||
| 467 | s->state=SSL3_ST_CR_FINISHED_A; | ||
| 468 | s->init_num=0; | ||
| 469 | break; | ||
| 470 | |||
| 471 | case SSL3_ST_CR_CERT_STATUS_A: | ||
| 472 | case SSL3_ST_CR_CERT_STATUS_B: | ||
| 473 | ret=ssl3_get_cert_status(s); | ||
| 474 | if (ret <= 0) goto end; | ||
| 475 | s->state=SSL3_ST_CR_KEY_EXCH_A; | ||
| 476 | s->init_num=0; | ||
| 477 | break; | ||
| 478 | #endif | ||
| 479 | |||
| 419 | case SSL3_ST_CR_FINISHED_A: | 480 | case SSL3_ST_CR_FINISHED_A: | 
| 420 | case SSL3_ST_CR_FINISHED_B: | 481 | case SSL3_ST_CR_FINISHED_B: | 
| 421 | 482 | ||
| @@ -512,13 +573,16 @@ end: | |||
| 512 | } | 573 | } | 
| 513 | 574 | ||
| 514 | 575 | ||
| 515 | static int ssl3_client_hello(SSL *s) | 576 | int ssl3_client_hello(SSL *s) | 
| 516 | { | 577 | { | 
| 517 | unsigned char *buf; | 578 | unsigned char *buf; | 
| 518 | unsigned char *p,*d; | 579 | unsigned char *p,*d; | 
| 519 | int i,j; | 580 | int i; | 
| 520 | unsigned long Time,l; | 581 | unsigned long Time,l; | 
| 582 | #ifndef OPENSSL_NO_COMP | ||
| 583 | int j; | ||
| 521 | SSL_COMP *comp; | 584 | SSL_COMP *comp; | 
| 585 | #endif | ||
| 522 | 586 | ||
| 523 | buf=(unsigned char *)s->init_buf->data; | 587 | buf=(unsigned char *)s->init_buf->data; | 
| 524 | if (s->state == SSL3_ST_CW_CLNT_HELLO_A) | 588 | if (s->state == SSL3_ST_CW_CLNT_HELLO_A) | 
| @@ -535,8 +599,8 @@ static int ssl3_client_hello(SSL *s) | |||
| 535 | p=s->s3->client_random; | 599 | p=s->s3->client_random; | 
| 536 | Time=(unsigned long)time(NULL); /* Time */ | 600 | Time=(unsigned long)time(NULL); /* Time */ | 
| 537 | l2n(Time,p); | 601 | l2n(Time,p); | 
| 538 | if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) | 602 | if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) | 
| 539 | goto err; | 603 | goto err; | 
| 540 | 604 | ||
| 541 | /* Do the message type and length last */ | 605 | /* Do the message type and length last */ | 
| 542 | d=p= &(buf[4]); | 606 | d=p= &(buf[4]); | 
| @@ -557,7 +621,7 @@ static int ssl3_client_hello(SSL *s) | |||
| 557 | *(p++)=i; | 621 | *(p++)=i; | 
| 558 | if (i != 0) | 622 | if (i != 0) | 
| 559 | { | 623 | { | 
| 560 | if (i > sizeof s->session->session_id) | 624 | if (i > (int)sizeof(s->session->session_id)) | 
| 561 | { | 625 | { | 
| 562 | SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); | 626 | SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); | 
| 563 | goto err; | 627 | goto err; | 
| @@ -577,6 +641,9 @@ static int ssl3_client_hello(SSL *s) | |||
| 577 | p+=i; | 641 | p+=i; | 
| 578 | 642 | ||
| 579 | /* COMPRESSION */ | 643 | /* COMPRESSION */ | 
| 644 | #ifdef OPENSSL_NO_COMP | ||
| 645 | *(p++)=1; | ||
| 646 | #else | ||
| 580 | if (s->ctx->comp_methods == NULL) | 647 | if (s->ctx->comp_methods == NULL) | 
| 581 | j=0; | 648 | j=0; | 
| 582 | else | 649 | else | 
| @@ -587,8 +654,15 @@ static int ssl3_client_hello(SSL *s) | |||
| 587 | comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); | 654 | comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); | 
| 588 | *(p++)=comp->id; | 655 | *(p++)=comp->id; | 
| 589 | } | 656 | } | 
| 657 | #endif | ||
| 590 | *(p++)=0; /* Add the NULL method */ | 658 | *(p++)=0; /* Add the NULL method */ | 
| 591 | 659 | #ifndef OPENSSL_NO_TLSEXT | |
| 660 | if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) | ||
| 661 | { | ||
| 662 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); | ||
| 663 | goto err; | ||
| 664 | } | ||
| 665 | #endif | ||
| 592 | l=(p-d); | 666 | l=(p-d); | 
| 593 | d=buf; | 667 | d=buf; | 
| 594 | *(d++)=SSL3_MT_CLIENT_HELLO; | 668 | *(d++)=SSL3_MT_CLIENT_HELLO; | 
| @@ -606,7 +680,7 @@ err: | |||
| 606 | return(-1); | 680 | return(-1); | 
| 607 | } | 681 | } | 
| 608 | 682 | ||
| 609 | static int ssl3_get_server_hello(SSL *s) | 683 | int ssl3_get_server_hello(SSL *s) | 
| 610 | { | 684 | { | 
| 611 | STACK_OF(SSL_CIPHER) *sk; | 685 | STACK_OF(SSL_CIPHER) *sk; | 
| 612 | SSL_CIPHER *c; | 686 | SSL_CIPHER *c; | 
| @@ -614,16 +688,44 @@ static int ssl3_get_server_hello(SSL *s) | |||
| 614 | int i,al,ok; | 688 | int i,al,ok; | 
| 615 | unsigned int j; | 689 | unsigned int j; | 
| 616 | long n; | 690 | long n; | 
| 691 | #ifndef OPENSSL_NO_COMP | ||
| 617 | SSL_COMP *comp; | 692 | SSL_COMP *comp; | 
| 693 | #endif | ||
| 618 | 694 | ||
| 619 | n=ssl3_get_message(s, | 695 | n=s->method->ssl_get_message(s, | 
| 620 | SSL3_ST_CR_SRVR_HELLO_A, | 696 | SSL3_ST_CR_SRVR_HELLO_A, | 
| 621 | SSL3_ST_CR_SRVR_HELLO_B, | 697 | SSL3_ST_CR_SRVR_HELLO_B, | 
| 622 | SSL3_MT_SERVER_HELLO, | 698 | -1, | 
| 623 | 300, /* ?? */ | 699 | 20000, /* ?? */ | 
| 624 | &ok); | 700 | &ok); | 
| 625 | 701 | ||
| 626 | if (!ok) return((int)n); | 702 | if (!ok) return((int)n); | 
| 703 | |||
| 704 | if ( SSL_version(s) == DTLS1_VERSION) | ||
| 705 | { | ||
| 706 | if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) | ||
| 707 | { | ||
| 708 | if ( s->d1->send_cookie == 0) | ||
| 709 | { | ||
| 710 | s->s3->tmp.reuse_message = 1; | ||
| 711 | return 1; | ||
| 712 | } | ||
| 713 | else /* already sent a cookie */ | ||
| 714 | { | ||
| 715 | al=SSL_AD_UNEXPECTED_MESSAGE; | ||
| 716 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); | ||
| 717 | goto f_err; | ||
| 718 | } | ||
| 719 | } | ||
| 720 | } | ||
| 721 | |||
| 722 | if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) | ||
| 723 | { | ||
| 724 | al=SSL_AD_UNEXPECTED_MESSAGE; | ||
| 725 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); | ||
| 726 | goto f_err; | ||
| 727 | } | ||
| 728 | |||
| 627 | d=p=(unsigned char *)s->init_msg; | 729 | d=p=(unsigned char *)s->init_msg; | 
| 628 | 730 | ||
| 629 | if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) | 731 | if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) | 
| @@ -719,6 +821,14 @@ static int ssl3_get_server_hello(SSL *s) | |||
| 719 | 821 | ||
| 720 | /* lets get the compression algorithm */ | 822 | /* lets get the compression algorithm */ | 
| 721 | /* COMPRESSION */ | 823 | /* COMPRESSION */ | 
| 824 | #ifdef OPENSSL_NO_COMP | ||
| 825 | if (*(p++) != 0) | ||
| 826 | { | ||
| 827 | al=SSL_AD_ILLEGAL_PARAMETER; | ||
| 828 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); | ||
| 829 | goto f_err; | ||
| 830 | } | ||
| 831 | #else | ||
| 722 | j= *(p++); | 832 | j= *(p++); | 
| 723 | if (j == 0) | 833 | if (j == 0) | 
| 724 | comp=NULL; | 834 | comp=NULL; | 
| @@ -735,6 +845,25 @@ static int ssl3_get_server_hello(SSL *s) | |||
| 735 | { | 845 | { | 
| 736 | s->s3->tmp.new_compression=comp; | 846 | s->s3->tmp.new_compression=comp; | 
| 737 | } | 847 | } | 
| 848 | #endif | ||
| 849 | #ifndef OPENSSL_NO_TLSEXT | ||
| 850 | /* TLS extensions*/ | ||
| 851 | if (s->version > SSL3_VERSION) | ||
| 852 | { | ||
| 853 | if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) | ||
| 854 | { | ||
| 855 | /* 'al' set by ssl_parse_serverhello_tlsext */ | ||
| 856 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); | ||
| 857 | goto f_err; | ||
| 858 | } | ||
| 859 | if (ssl_check_serverhello_tlsext(s) <= 0) | ||
| 860 | { | ||
| 861 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); | ||
| 862 | goto err; | ||
| 863 | } | ||
| 864 | } | ||
| 865 | #endif | ||
| 866 | |||
| 738 | 867 | ||
| 739 | if (p != (d+n)) | 868 | if (p != (d+n)) | 
| 740 | { | 869 | { | 
| @@ -751,18 +880,19 @@ err: | |||
| 751 | return(-1); | 880 | return(-1); | 
| 752 | } | 881 | } | 
| 753 | 882 | ||
| 754 | static int ssl3_get_server_certificate(SSL *s) | 883 | int ssl3_get_server_certificate(SSL *s) | 
| 755 | { | 884 | { | 
| 756 | int al,i,ok,ret= -1; | 885 | int al,i,ok,ret= -1; | 
| 757 | unsigned long n,nc,llen,l; | 886 | unsigned long n,nc,llen,l; | 
| 758 | X509 *x=NULL; | 887 | X509 *x=NULL; | 
| 759 | unsigned char *p,*d,*q; | 888 | const unsigned char *q,*p; | 
| 889 | unsigned char *d; | ||
| 760 | STACK_OF(X509) *sk=NULL; | 890 | STACK_OF(X509) *sk=NULL; | 
| 761 | SESS_CERT *sc; | 891 | SESS_CERT *sc; | 
| 762 | EVP_PKEY *pkey=NULL; | 892 | EVP_PKEY *pkey=NULL; | 
| 763 | int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ | 893 | int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ | 
| 764 | 894 | ||
| 765 | n=ssl3_get_message(s, | 895 | n=s->method->ssl_get_message(s, | 
| 766 | SSL3_ST_CR_CERT_A, | 896 | SSL3_ST_CR_CERT_A, | 
| 767 | SSL3_ST_CR_CERT_B, | 897 | SSL3_ST_CR_CERT_B, | 
| 768 | -1, | 898 | -1, | 
| @@ -771,7 +901,9 @@ static int ssl3_get_server_certificate(SSL *s) | |||
| 771 | 901 | ||
| 772 | if (!ok) return((int)n); | 902 | if (!ok) return((int)n); | 
| 773 | 903 | ||
| 774 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) | 904 | if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || | 
| 905 | ((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) && | ||
| 906 | (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) | ||
| 775 | { | 907 | { | 
| 776 | s->s3->tmp.reuse_message=1; | 908 | s->s3->tmp.reuse_message=1; | 
| 777 | return(1); | 909 | return(1); | 
| @@ -783,7 +915,7 @@ static int ssl3_get_server_certificate(SSL *s) | |||
| 783 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); | 915 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); | 
| 784 | goto f_err; | 916 | goto f_err; | 
| 785 | } | 917 | } | 
| 786 | d=p=(unsigned char *)s->init_msg; | 918 | p=d=(unsigned char *)s->init_msg; | 
| 787 | 919 | ||
| 788 | if ((sk=sk_X509_new_null()) == NULL) | 920 | if ((sk=sk_X509_new_null()) == NULL) | 
| 789 | { | 921 | { | 
| @@ -835,10 +967,10 @@ static int ssl3_get_server_certificate(SSL *s) | |||
| 835 | i=ssl_verify_cert_chain(s,sk); | 967 | i=ssl_verify_cert_chain(s,sk); | 
| 836 | if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) | 968 | if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) | 
| 837 | #ifndef OPENSSL_NO_KRB5 | 969 | #ifndef OPENSSL_NO_KRB5 | 
| 838 | && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) | 970 | && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) | 
| 839 | != (SSL_aKRB5|SSL_kKRB5) | 971 | != (SSL_aKRB5|SSL_kKRB5) | 
| 840 | #endif /* OPENSSL_NO_KRB5 */ | 972 | #endif /* OPENSSL_NO_KRB5 */ | 
| 841 | ) | 973 | ) | 
| 842 | { | 974 | { | 
| 843 | al=ssl_verify_alarm_type(s->verify_result); | 975 | al=ssl_verify_alarm_type(s->verify_result); | 
| 844 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); | 976 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); | 
| @@ -861,16 +993,16 @@ static int ssl3_get_server_certificate(SSL *s) | |||
| 861 | 993 | ||
| 862 | pkey=X509_get_pubkey(x); | 994 | pkey=X509_get_pubkey(x); | 
| 863 | 995 | ||
| 864 | /* VRS: allow null cert if auth == KRB5 */ | 996 | /* VRS: allow null cert if auth == KRB5 */ | 
| 865 | need_cert = ((s->s3->tmp.new_cipher->algorithms | 997 | need_cert = ((s->s3->tmp.new_cipher->algorithms | 
| 866 | & (SSL_MKEY_MASK|SSL_AUTH_MASK)) | 998 | & (SSL_MKEY_MASK|SSL_AUTH_MASK)) | 
| 867 | == (SSL_aKRB5|SSL_kKRB5))? 0: 1; | 999 | == (SSL_aKRB5|SSL_kKRB5))? 0: 1; | 
| 868 | 1000 | ||
| 869 | #ifdef KSSL_DEBUG | 1001 | #ifdef KSSL_DEBUG | 
| 870 | printf("pkey,x = %p, %p\n", pkey,x); | 1002 | printf("pkey,x = %p, %p\n", pkey,x); | 
| 871 | printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); | 1003 | printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); | 
| 872 | printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, | 1004 | printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, | 
| 873 | s->s3->tmp.new_cipher->algorithms, need_cert); | 1005 | s->s3->tmp.new_cipher->algorithms, need_cert); | 
| 874 | #endif /* KSSL_DEBUG */ | 1006 | #endif /* KSSL_DEBUG */ | 
| 875 | 1007 | ||
| 876 | if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) | 1008 | if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) | 
| @@ -892,31 +1024,31 @@ static int ssl3_get_server_certificate(SSL *s) | |||
| 892 | goto f_err; | 1024 | goto f_err; | 
| 893 | } | 1025 | } | 
| 894 | 1026 | ||
| 895 | if (need_cert) | 1027 | if (need_cert) | 
| 896 | { | 1028 | { | 
| 897 | sc->peer_cert_type=i; | 1029 | sc->peer_cert_type=i; | 
| 898 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); | 1030 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); | 
| 899 | /* Why would the following ever happen? | 1031 | /* Why would the following ever happen? | 
| 900 | * We just created sc a couple of lines ago. */ | 1032 | * We just created sc a couple of lines ago. */ | 
| 901 | if (sc->peer_pkeys[i].x509 != NULL) | 1033 | if (sc->peer_pkeys[i].x509 != NULL) | 
| 902 | X509_free(sc->peer_pkeys[i].x509); | 1034 | X509_free(sc->peer_pkeys[i].x509); | 
| 903 | sc->peer_pkeys[i].x509=x; | 1035 | sc->peer_pkeys[i].x509=x; | 
| 904 | sc->peer_key= &(sc->peer_pkeys[i]); | 1036 | sc->peer_key= &(sc->peer_pkeys[i]); | 
| 905 | 1037 | ||
| 906 | if (s->session->peer != NULL) | 1038 | if (s->session->peer != NULL) | 
| 907 | X509_free(s->session->peer); | 1039 | X509_free(s->session->peer); | 
| 908 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); | 1040 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); | 
| 909 | s->session->peer=x; | 1041 | s->session->peer=x; | 
| 910 | } | 1042 | } | 
| 911 | else | 1043 | else | 
| 912 | { | 1044 | { | 
| 913 | sc->peer_cert_type=i; | 1045 | sc->peer_cert_type=i; | 
| 914 | sc->peer_key= NULL; | 1046 | sc->peer_key= NULL; | 
| 915 | 1047 | ||
| 916 | if (s->session->peer != NULL) | 1048 | if (s->session->peer != NULL) | 
| 917 | X509_free(s->session->peer); | 1049 | X509_free(s->session->peer); | 
| 918 | s->session->peer=NULL; | 1050 | s->session->peer=NULL; | 
| 919 | } | 1051 | } | 
| 920 | s->session->verify_result = s->verify_result; | 1052 | s->session->verify_result = s->verify_result; | 
| 921 | 1053 | ||
| 922 | x=NULL; | 1054 | x=NULL; | 
| @@ -934,7 +1066,7 @@ err: | |||
| 934 | return(ret); | 1066 | return(ret); | 
| 935 | } | 1067 | } | 
| 936 | 1068 | ||
| 937 | static int ssl3_get_key_exchange(SSL *s) | 1069 | int ssl3_get_key_exchange(SSL *s) | 
| 938 | { | 1070 | { | 
| 939 | #ifndef OPENSSL_NO_RSA | 1071 | #ifndef OPENSSL_NO_RSA | 
| 940 | unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; | 1072 | unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; | 
| @@ -950,10 +1082,17 @@ static int ssl3_get_key_exchange(SSL *s) | |||
| 950 | #ifndef OPENSSL_NO_DH | 1082 | #ifndef OPENSSL_NO_DH | 
| 951 | DH *dh=NULL; | 1083 | DH *dh=NULL; | 
| 952 | #endif | 1084 | #endif | 
| 1085 | #ifndef OPENSSL_NO_ECDH | ||
| 1086 | EC_KEY *ecdh = NULL; | ||
| 1087 | BN_CTX *bn_ctx = NULL; | ||
| 1088 | EC_POINT *srvr_ecpoint = NULL; | ||
| 1089 | int curve_nid = 0; | ||
| 1090 | int encoded_pt_len = 0; | ||
| 1091 | #endif | ||
| 953 | 1092 | ||
| 954 | /* use same message size as in ssl3_get_certificate_request() | 1093 | /* use same message size as in ssl3_get_certificate_request() | 
| 955 | * as ServerKeyExchange message may be skipped */ | 1094 | * as ServerKeyExchange message may be skipped */ | 
| 956 | n=ssl3_get_message(s, | 1095 | n=s->method->ssl_get_message(s, | 
| 957 | SSL3_ST_CR_KEY_EXCH_A, | 1096 | SSL3_ST_CR_KEY_EXCH_A, | 
| 958 | SSL3_ST_CR_KEY_EXCH_B, | 1097 | SSL3_ST_CR_KEY_EXCH_B, | 
| 959 | -1, | 1098 | -1, | 
| @@ -986,6 +1125,13 @@ static int ssl3_get_key_exchange(SSL *s) | |||
| 986 | s->session->sess_cert->peer_dh_tmp=NULL; | 1125 | s->session->sess_cert->peer_dh_tmp=NULL; | 
| 987 | } | 1126 | } | 
| 988 | #endif | 1127 | #endif | 
| 1128 | #ifndef OPENSSL_NO_ECDH | ||
| 1129 | if (s->session->sess_cert->peer_ecdh_tmp) | ||
| 1130 | { | ||
| 1131 | EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); | ||
| 1132 | s->session->sess_cert->peer_ecdh_tmp=NULL; | ||
| 1133 | } | ||
| 1134 | #endif | ||
| 989 | } | 1135 | } | 
| 990 | else | 1136 | else | 
| 991 | { | 1137 | { | 
| @@ -1127,6 +1273,114 @@ static int ssl3_get_key_exchange(SSL *s) | |||
| 1127 | goto f_err; | 1273 | goto f_err; | 
| 1128 | } | 1274 | } | 
| 1129 | #endif /* !OPENSSL_NO_DH */ | 1275 | #endif /* !OPENSSL_NO_DH */ | 
| 1276 | |||
| 1277 | #ifndef OPENSSL_NO_ECDH | ||
| 1278 | else if (alg & SSL_kECDHE) | ||
| 1279 | { | ||
| 1280 | EC_GROUP *ngroup; | ||
| 1281 | const EC_GROUP *group; | ||
| 1282 | |||
| 1283 | if ((ecdh=EC_KEY_new()) == NULL) | ||
| 1284 | { | ||
| 1285 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | ||
| 1286 | goto err; | ||
| 1287 | } | ||
| 1288 | |||
| 1289 | /* Extract elliptic curve parameters and the | ||
| 1290 | * server's ephemeral ECDH public key. | ||
| 1291 | * Keep accumulating lengths of various components in | ||
| 1292 | * param_len and make sure it never exceeds n. | ||
| 1293 | */ | ||
| 1294 | |||
| 1295 | /* XXX: For now we only support named (not generic) curves | ||
| 1296 | * and the ECParameters in this case is just three bytes. | ||
| 1297 | */ | ||
| 1298 | param_len=3; | ||
| 1299 | if ((param_len > n) || | ||
| 1300 | (*p != NAMED_CURVE_TYPE) || | ||
| 1301 | ((curve_nid = curve_id2nid(*(p + 2))) == 0)) | ||
| 1302 | { | ||
| 1303 | al=SSL_AD_INTERNAL_ERROR; | ||
| 1304 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); | ||
| 1305 | goto f_err; | ||
| 1306 | } | ||
| 1307 | |||
| 1308 | ngroup = EC_GROUP_new_by_curve_name(curve_nid); | ||
| 1309 | if (ngroup == NULL) | ||
| 1310 | { | ||
| 1311 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); | ||
| 1312 | goto err; | ||
| 1313 | } | ||
| 1314 | if (EC_KEY_set_group(ecdh, ngroup) == 0) | ||
| 1315 | { | ||
| 1316 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); | ||
| 1317 | goto err; | ||
| 1318 | } | ||
| 1319 | EC_GROUP_free(ngroup); | ||
| 1320 | |||
| 1321 | group = EC_KEY_get0_group(ecdh); | ||
| 1322 | |||
| 1323 | if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && | ||
| 1324 | (EC_GROUP_get_degree(group) > 163)) | ||
| 1325 | { | ||
| 1326 | al=SSL_AD_EXPORT_RESTRICTION; | ||
| 1327 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); | ||
| 1328 | goto f_err; | ||
| 1329 | } | ||
| 1330 | |||
| 1331 | p+=3; | ||
| 1332 | |||
| 1333 | /* Next, get the encoded ECPoint */ | ||
| 1334 | if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || | ||
| 1335 | ((bn_ctx = BN_CTX_new()) == NULL)) | ||
| 1336 | { | ||
| 1337 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | ||
| 1338 | goto err; | ||
| 1339 | } | ||
| 1340 | |||
| 1341 | encoded_pt_len = *p; /* length of encoded point */ | ||
| 1342 | p+=1; | ||
| 1343 | param_len += (1 + encoded_pt_len); | ||
| 1344 | if ((param_len > n) || | ||
| 1345 | (EC_POINT_oct2point(group, srvr_ecpoint, | ||
| 1346 | p, encoded_pt_len, bn_ctx) == 0)) | ||
| 1347 | { | ||
| 1348 | al=SSL_AD_DECODE_ERROR; | ||
| 1349 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); | ||
| 1350 | goto f_err; | ||
| 1351 | } | ||
| 1352 | |||
| 1353 | n-=param_len; | ||
| 1354 | p+=encoded_pt_len; | ||
| 1355 | |||
| 1356 | /* The ECC/TLS specification does not mention | ||
| 1357 | * the use of DSA to sign ECParameters in the server | ||
| 1358 | * key exchange message. We do support RSA and ECDSA. | ||
| 1359 | */ | ||
| 1360 | if (0) ; | ||
| 1361 | #ifndef OPENSSL_NO_RSA | ||
| 1362 | else if (alg & SSL_aRSA) | ||
| 1363 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | ||
| 1364 | #endif | ||
| 1365 | #ifndef OPENSSL_NO_ECDSA | ||
| 1366 | else if (alg & SSL_aECDSA) | ||
| 1367 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); | ||
| 1368 | #endif | ||
| 1369 | /* else anonymous ECDH, so no certificate or pkey. */ | ||
| 1370 | EC_KEY_set_public_key(ecdh, srvr_ecpoint); | ||
| 1371 | s->session->sess_cert->peer_ecdh_tmp=ecdh; | ||
| 1372 | ecdh=NULL; | ||
| 1373 | BN_CTX_free(bn_ctx); | ||
| 1374 | EC_POINT_free(srvr_ecpoint); | ||
| 1375 | srvr_ecpoint = NULL; | ||
| 1376 | } | ||
| 1377 | else if (alg & SSL_kECDH) | ||
| 1378 | { | ||
| 1379 | al=SSL_AD_UNEXPECTED_MESSAGE; | ||
| 1380 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); | ||
| 1381 | goto f_err; | ||
| 1382 | } | ||
| 1383 | #endif /* !OPENSSL_NO_ECDH */ | ||
| 1130 | if (alg & SSL_aFZA) | 1384 | if (alg & SSL_aFZA) | 
| 1131 | { | 1385 | { | 
| 1132 | al=SSL_AD_HANDSHAKE_FAILURE; | 1386 | al=SSL_AD_HANDSHAKE_FAILURE; | 
| @@ -1137,7 +1391,6 @@ static int ssl3_get_key_exchange(SSL *s) | |||
| 1137 | 1391 | ||
| 1138 | /* p points to the next byte, there are 'n' bytes left */ | 1392 | /* p points to the next byte, there are 'n' bytes left */ | 
| 1139 | 1393 | ||
| 1140 | |||
| 1141 | /* if it was signed, check the signature */ | 1394 | /* if it was signed, check the signature */ | 
| 1142 | if (pkey != NULL) | 1395 | if (pkey != NULL) | 
| 1143 | { | 1396 | { | 
| @@ -1162,14 +1415,11 @@ static int ssl3_get_key_exchange(SSL *s) | |||
| 1162 | q=md_buf; | 1415 | q=md_buf; | 
| 1163 | for (num=2; num > 0; num--) | 1416 | for (num=2; num > 0; num--) | 
| 1164 | { | 1417 | { | 
| 1165 | EVP_MD_CTX_set_flags(&md_ctx, | ||
| 1166 | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | ||
| 1167 | EVP_DigestInit_ex(&md_ctx,(num == 2) | 1418 | EVP_DigestInit_ex(&md_ctx,(num == 2) | 
| 1168 | ?s->ctx->md5:s->ctx->sha1, NULL); | 1419 | ?s->ctx->md5:s->ctx->sha1, NULL); | 
| 1169 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 1420 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 
| 1170 | EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | 1421 | EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | 
| 1171 | EVP_DigestUpdate(&md_ctx,param,param_len); | 1422 | EVP_DigestUpdate(&md_ctx,param,param_len); | 
| 1172 | |||
| 1173 | EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); | 1423 | EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); | 
| 1174 | q+=i; | 1424 | q+=i; | 
| 1175 | j+=i; | 1425 | j+=i; | 
| @@ -1210,6 +1460,24 @@ static int ssl3_get_key_exchange(SSL *s) | |||
| 1210 | } | 1460 | } | 
| 1211 | else | 1461 | else | 
| 1212 | #endif | 1462 | #endif | 
| 1463 | #ifndef OPENSSL_NO_ECDSA | ||
| 1464 | if (pkey->type == EVP_PKEY_EC) | ||
| 1465 | { | ||
| 1466 | /* let's do ECDSA */ | ||
| 1467 | EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL); | ||
| 1468 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | ||
| 1469 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | ||
| 1470 | EVP_VerifyUpdate(&md_ctx,param,param_len); | ||
| 1471 | if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) | ||
| 1472 | { | ||
| 1473 | /* bad signature */ | ||
| 1474 | al=SSL_AD_DECRYPT_ERROR; | ||
| 1475 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); | ||
| 1476 | goto f_err; | ||
| 1477 | } | ||
| 1478 | } | ||
| 1479 | else | ||
| 1480 | #endif | ||
| 1213 | { | 1481 | { | 
| 1214 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | 1482 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | 
| 1215 | goto err; | 1483 | goto err; | 
| @@ -1245,20 +1513,27 @@ err: | |||
| 1245 | if (dh != NULL) | 1513 | if (dh != NULL) | 
| 1246 | DH_free(dh); | 1514 | DH_free(dh); | 
| 1247 | #endif | 1515 | #endif | 
| 1516 | #ifndef OPENSSL_NO_ECDH | ||
| 1517 | BN_CTX_free(bn_ctx); | ||
| 1518 | EC_POINT_free(srvr_ecpoint); | ||
| 1519 | if (ecdh != NULL) | ||
| 1520 | EC_KEY_free(ecdh); | ||
| 1521 | #endif | ||
| 1248 | EVP_MD_CTX_cleanup(&md_ctx); | 1522 | EVP_MD_CTX_cleanup(&md_ctx); | 
| 1249 | return(-1); | 1523 | return(-1); | 
| 1250 | } | 1524 | } | 
| 1251 | 1525 | ||
| 1252 | static int ssl3_get_certificate_request(SSL *s) | 1526 | int ssl3_get_certificate_request(SSL *s) | 
| 1253 | { | 1527 | { | 
| 1254 | int ok,ret=0; | 1528 | int ok,ret=0; | 
| 1255 | unsigned long n,nc,l; | 1529 | unsigned long n,nc,l; | 
| 1256 | unsigned int llen,ctype_num,i; | 1530 | unsigned int llen,ctype_num,i; | 
| 1257 | X509_NAME *xn=NULL; | 1531 | X509_NAME *xn=NULL; | 
| 1258 | unsigned char *p,*d,*q; | 1532 | const unsigned char *p,*q; | 
| 1533 | unsigned char *d; | ||
| 1259 | STACK_OF(X509_NAME) *ca_sk=NULL; | 1534 | STACK_OF(X509_NAME) *ca_sk=NULL; | 
| 1260 | 1535 | ||
| 1261 | n=ssl3_get_message(s, | 1536 | n=s->method->ssl_get_message(s, | 
| 1262 | SSL3_ST_CR_CERT_REQ_A, | 1537 | SSL3_ST_CR_CERT_REQ_A, | 
| 1263 | SSL3_ST_CR_CERT_REQ_B, | 1538 | SSL3_ST_CR_CERT_REQ_B, | 
| 1264 | -1, | 1539 | -1, | 
| @@ -1294,7 +1569,7 @@ static int ssl3_get_certificate_request(SSL *s) | |||
| 1294 | } | 1569 | } | 
| 1295 | } | 1570 | } | 
| 1296 | 1571 | ||
| 1297 | d=p=(unsigned char *)s->init_msg; | 1572 | p=d=(unsigned char *)s->init_msg; | 
| 1298 | 1573 | ||
| 1299 | if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) | 1574 | if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) | 
| 1300 | { | 1575 | { | 
| @@ -1395,13 +1670,150 @@ static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) | |||
| 1395 | { | 1670 | { | 
| 1396 | return(X509_NAME_cmp(*a,*b)); | 1671 | return(X509_NAME_cmp(*a,*b)); | 
| 1397 | } | 1672 | } | 
| 1673 | #ifndef OPENSSL_NO_TLSEXT | ||
| 1674 | int ssl3_get_new_session_ticket(SSL *s) | ||
| 1675 | { | ||
| 1676 | int ok,al,ret=0, ticklen; | ||
| 1677 | long n; | ||
| 1678 | const unsigned char *p; | ||
| 1679 | unsigned char *d; | ||
| 1398 | 1680 | ||
| 1399 | static int ssl3_get_server_done(SSL *s) | 1681 | n=s->method->ssl_get_message(s, | 
| 1682 | SSL3_ST_CR_SESSION_TICKET_A, | ||
| 1683 | SSL3_ST_CR_SESSION_TICKET_B, | ||
| 1684 | -1, | ||
| 1685 | 16384, | ||
| 1686 | &ok); | ||
| 1687 | |||
| 1688 | if (!ok) | ||
| 1689 | return((int)n); | ||
| 1690 | |||
| 1691 | if (s->s3->tmp.message_type == SSL3_MT_FINISHED) | ||
| 1692 | { | ||
| 1693 | s->s3->tmp.reuse_message=1; | ||
| 1694 | return(1); | ||
| 1695 | } | ||
| 1696 | if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) | ||
| 1697 | { | ||
| 1698 | al=SSL_AD_UNEXPECTED_MESSAGE; | ||
| 1699 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); | ||
| 1700 | goto f_err; | ||
| 1701 | } | ||
| 1702 | if (n < 6) | ||
| 1703 | { | ||
| 1704 | /* need at least ticket_lifetime_hint + ticket length */ | ||
| 1705 | al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; | ||
| 1706 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); | ||
| 1707 | goto f_err; | ||
| 1708 | } | ||
| 1709 | p=d=(unsigned char *)s->init_msg; | ||
| 1710 | n2l(p, s->session->tlsext_tick_lifetime_hint); | ||
| 1711 | n2s(p, ticklen); | ||
| 1712 | /* ticket_lifetime_hint + ticket_length + ticket */ | ||
| 1713 | if (ticklen + 6 != n) | ||
| 1714 | { | ||
| 1715 | al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; | ||
| 1716 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); | ||
| 1717 | goto f_err; | ||
| 1718 | } | ||
| 1719 | if (s->session->tlsext_tick) | ||
| 1720 | { | ||
| 1721 | OPENSSL_free(s->session->tlsext_tick); | ||
| 1722 | s->session->tlsext_ticklen = 0; | ||
| 1723 | } | ||
| 1724 | s->session->tlsext_tick = OPENSSL_malloc(ticklen); | ||
| 1725 | if (!s->session->tlsext_tick) | ||
| 1726 | { | ||
| 1727 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); | ||
| 1728 | goto err; | ||
| 1729 | } | ||
| 1730 | memcpy(s->session->tlsext_tick, p, ticklen); | ||
| 1731 | s->session->tlsext_ticklen = ticklen; | ||
| 1732 | |||
| 1733 | ret=1; | ||
| 1734 | return(ret); | ||
| 1735 | f_err: | ||
| 1736 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | ||
| 1737 | err: | ||
| 1738 | return(-1); | ||
| 1739 | } | ||
| 1740 | |||
| 1741 | int ssl3_get_cert_status(SSL *s) | ||
| 1742 | { | ||
| 1743 | int ok, al; | ||
| 1744 | unsigned long resplen; | ||
| 1745 | long n; | ||
| 1746 | const unsigned char *p; | ||
| 1747 | |||
| 1748 | n=s->method->ssl_get_message(s, | ||
| 1749 | SSL3_ST_CR_CERT_STATUS_A, | ||
| 1750 | SSL3_ST_CR_CERT_STATUS_B, | ||
| 1751 | SSL3_MT_CERTIFICATE_STATUS, | ||
| 1752 | 16384, | ||
| 1753 | &ok); | ||
| 1754 | |||
| 1755 | if (!ok) return((int)n); | ||
| 1756 | if (n < 4) | ||
| 1757 | { | ||
| 1758 | /* need at least status type + length */ | ||
| 1759 | al = SSL_AD_DECODE_ERROR; | ||
| 1760 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); | ||
| 1761 | goto f_err; | ||
| 1762 | } | ||
| 1763 | p = (unsigned char *)s->init_msg; | ||
| 1764 | if (*p++ != TLSEXT_STATUSTYPE_ocsp) | ||
| 1765 | { | ||
| 1766 | al = SSL_AD_DECODE_ERROR; | ||
| 1767 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); | ||
| 1768 | goto f_err; | ||
| 1769 | } | ||
| 1770 | n2l3(p, resplen); | ||
| 1771 | if (resplen + 4 != n) | ||
| 1772 | { | ||
| 1773 | al = SSL_AD_DECODE_ERROR; | ||
| 1774 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); | ||
| 1775 | goto f_err; | ||
| 1776 | } | ||
| 1777 | if (s->tlsext_ocsp_resp) | ||
| 1778 | OPENSSL_free(s->tlsext_ocsp_resp); | ||
| 1779 | s->tlsext_ocsp_resp = BUF_memdup(p, resplen); | ||
| 1780 | if (!s->tlsext_ocsp_resp) | ||
| 1781 | { | ||
| 1782 | al = SSL_AD_INTERNAL_ERROR; | ||
| 1783 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); | ||
| 1784 | goto f_err; | ||
| 1785 | } | ||
| 1786 | s->tlsext_ocsp_resplen = resplen; | ||
| 1787 | if (s->ctx->tlsext_status_cb) | ||
| 1788 | { | ||
| 1789 | int ret; | ||
| 1790 | ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); | ||
| 1791 | if (ret == 0) | ||
| 1792 | { | ||
| 1793 | al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; | ||
| 1794 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); | ||
| 1795 | goto f_err; | ||
| 1796 | } | ||
| 1797 | if (ret < 0) | ||
| 1798 | { | ||
| 1799 | al = SSL_AD_INTERNAL_ERROR; | ||
| 1800 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); | ||
| 1801 | goto f_err; | ||
| 1802 | } | ||
| 1803 | } | ||
| 1804 | return 1; | ||
| 1805 | f_err: | ||
| 1806 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | ||
| 1807 | return(-1); | ||
| 1808 | } | ||
| 1809 | #endif | ||
| 1810 | |||
| 1811 | int ssl3_get_server_done(SSL *s) | ||
| 1400 | { | 1812 | { | 
| 1401 | int ok,ret=0; | 1813 | int ok,ret=0; | 
| 1402 | long n; | 1814 | long n; | 
| 1403 | 1815 | ||
| 1404 | n=ssl3_get_message(s, | 1816 | n=s->method->ssl_get_message(s, | 
| 1405 | SSL3_ST_CR_SRVR_DONE_A, | 1817 | SSL3_ST_CR_SRVR_DONE_A, | 
| 1406 | SSL3_ST_CR_SRVR_DONE_B, | 1818 | SSL3_ST_CR_SRVR_DONE_B, | 
| 1407 | SSL3_MT_SERVER_DONE, | 1819 | SSL3_MT_SERVER_DONE, | 
| @@ -1420,7 +1832,8 @@ static int ssl3_get_server_done(SSL *s) | |||
| 1420 | return(ret); | 1832 | return(ret); | 
| 1421 | } | 1833 | } | 
| 1422 | 1834 | ||
| 1423 | static int ssl3_send_client_key_exchange(SSL *s) | 1835 | |
| 1836 | int ssl3_send_client_key_exchange(SSL *s) | ||
| 1424 | { | 1837 | { | 
| 1425 | unsigned char *p,*d; | 1838 | unsigned char *p,*d; | 
| 1426 | int n; | 1839 | int n; | 
| @@ -1430,8 +1843,16 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1430 | EVP_PKEY *pkey=NULL; | 1843 | EVP_PKEY *pkey=NULL; | 
| 1431 | #endif | 1844 | #endif | 
| 1432 | #ifndef OPENSSL_NO_KRB5 | 1845 | #ifndef OPENSSL_NO_KRB5 | 
| 1433 | KSSL_ERR kssl_err; | 1846 | KSSL_ERR kssl_err; | 
| 1434 | #endif /* OPENSSL_NO_KRB5 */ | 1847 | #endif /* OPENSSL_NO_KRB5 */ | 
| 1848 | #ifndef OPENSSL_NO_ECDH | ||
| 1849 | EC_KEY *clnt_ecdh = NULL; | ||
| 1850 | const EC_POINT *srvr_ecpoint = NULL; | ||
| 1851 | EVP_PKEY *srvr_pub_pkey = NULL; | ||
| 1852 | unsigned char *encodedPoint = NULL; | ||
| 1853 | int encoded_pt_len = 0; | ||
| 1854 | BN_CTX * bn_ctx = NULL; | ||
| 1855 | #endif | ||
| 1435 | 1856 | ||
| 1436 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) | 1857 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) | 
| 1437 | { | 1858 | { | 
| @@ -1440,8 +1861,8 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1440 | 1861 | ||
| 1441 | l=s->s3->tmp.new_cipher->algorithms; | 1862 | l=s->s3->tmp.new_cipher->algorithms; | 
| 1442 | 1863 | ||
| 1443 | /* Fool emacs indentation */ | 1864 | /* Fool emacs indentation */ | 
| 1444 | if (0) {} | 1865 | if (0) {} | 
| 1445 | #ifndef OPENSSL_NO_RSA | 1866 | #ifndef OPENSSL_NO_RSA | 
| 1446 | else if (l & SSL_kRSA) | 1867 | else if (l & SSL_kRSA) | 
| 1447 | { | 1868 | { | 
| @@ -1503,12 +1924,12 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1503 | #endif | 1924 | #endif | 
| 1504 | #ifndef OPENSSL_NO_KRB5 | 1925 | #ifndef OPENSSL_NO_KRB5 | 
| 1505 | else if (l & SSL_kKRB5) | 1926 | else if (l & SSL_kKRB5) | 
| 1506 | { | 1927 | { | 
| 1507 | krb5_error_code krb5rc; | 1928 | krb5_error_code krb5rc; | 
| 1508 | KSSL_CTX *kssl_ctx = s->kssl_ctx; | 1929 | KSSL_CTX *kssl_ctx = s->kssl_ctx; | 
| 1509 | /* krb5_data krb5_ap_req; */ | 1930 | /* krb5_data krb5_ap_req; */ | 
| 1510 | krb5_data *enc_ticket; | 1931 | krb5_data *enc_ticket; | 
| 1511 | krb5_data authenticator, *authp = NULL; | 1932 | krb5_data authenticator, *authp = NULL; | 
| 1512 | EVP_CIPHER_CTX ciph_ctx; | 1933 | EVP_CIPHER_CTX ciph_ctx; | 
| 1513 | EVP_CIPHER *enc = NULL; | 1934 | EVP_CIPHER *enc = NULL; | 
| 1514 | unsigned char iv[EVP_MAX_IV_LENGTH]; | 1935 | unsigned char iv[EVP_MAX_IV_LENGTH]; | 
| @@ -1520,8 +1941,8 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1520 | EVP_CIPHER_CTX_init(&ciph_ctx); | 1941 | EVP_CIPHER_CTX_init(&ciph_ctx); | 
| 1521 | 1942 | ||
| 1522 | #ifdef KSSL_DEBUG | 1943 | #ifdef KSSL_DEBUG | 
| 1523 | printf("ssl3_send_client_key_exchange(%lx & %lx)\n", | 1944 | printf("ssl3_send_client_key_exchange(%lx & %lx)\n", | 
| 1524 | l, SSL_kKRB5); | 1945 | l, SSL_kKRB5); | 
| 1525 | #endif /* KSSL_DEBUG */ | 1946 | #endif /* KSSL_DEBUG */ | 
| 1526 | 1947 | ||
| 1527 | authp = NULL; | 1948 | authp = NULL; | 
| @@ -1529,37 +1950,37 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1529 | if (KRB5SENDAUTH) authp = &authenticator; | 1950 | if (KRB5SENDAUTH) authp = &authenticator; | 
| 1530 | #endif /* KRB5SENDAUTH */ | 1951 | #endif /* KRB5SENDAUTH */ | 
| 1531 | 1952 | ||
| 1532 | krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, | 1953 | krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, | 
| 1533 | &kssl_err); | 1954 | &kssl_err); | 
| 1534 | enc = kssl_map_enc(kssl_ctx->enctype); | 1955 | enc = kssl_map_enc(kssl_ctx->enctype); | 
| 1535 | if (enc == NULL) | 1956 | if (enc == NULL) | 
| 1536 | goto err; | 1957 | goto err; | 
| 1537 | #ifdef KSSL_DEBUG | 1958 | #ifdef KSSL_DEBUG | 
| 1538 | { | 1959 | { | 
| 1539 | printf("kssl_cget_tkt rtn %d\n", krb5rc); | 1960 | printf("kssl_cget_tkt rtn %d\n", krb5rc); | 
| 1540 | if (krb5rc && kssl_err.text) | 1961 | if (krb5rc && kssl_err.text) | 
| 1541 | printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); | 1962 | printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); | 
| 1542 | } | 1963 | } | 
| 1543 | #endif /* KSSL_DEBUG */ | 1964 | #endif /* KSSL_DEBUG */ | 
| 1544 | 1965 | ||
| 1545 | if (krb5rc) | 1966 | if (krb5rc) | 
| 1546 | { | 1967 | { | 
| 1547 | ssl3_send_alert(s,SSL3_AL_FATAL, | 1968 | ssl3_send_alert(s,SSL3_AL_FATAL, | 
| 1548 | SSL_AD_HANDSHAKE_FAILURE); | 1969 | SSL_AD_HANDSHAKE_FAILURE); | 
| 1549 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 1970 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 
| 1550 | kssl_err.reason); | 1971 | kssl_err.reason); | 
| 1551 | goto err; | 1972 | goto err; | 
| 1552 | } | 1973 | } | 
| 1553 | 1974 | ||
| 1554 | /* 20010406 VRS - Earlier versions used KRB5 AP_REQ | 1975 | /* 20010406 VRS - Earlier versions used KRB5 AP_REQ | 
| 1555 | ** in place of RFC 2712 KerberosWrapper, as in: | 1976 | ** in place of RFC 2712 KerberosWrapper, as in: | 
| 1556 | ** | 1977 | ** | 
| 1557 | ** Send ticket (copy to *p, set n = length) | 1978 | ** Send ticket (copy to *p, set n = length) | 
| 1558 | ** n = krb5_ap_req.length; | 1979 | ** n = krb5_ap_req.length; | 
| 1559 | ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); | 1980 | ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); | 
| 1560 | ** if (krb5_ap_req.data) | 1981 | ** if (krb5_ap_req.data) | 
| 1561 | ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); | 1982 | ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); | 
| 1562 | ** | 1983 | ** | 
| 1563 | ** Now using real RFC 2712 KerberosWrapper | 1984 | ** Now using real RFC 2712 KerberosWrapper | 
| 1564 | ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) | 1985 | ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) | 
| 1565 | ** Note: 2712 "opaque" types are here replaced | 1986 | ** Note: 2712 "opaque" types are here replaced | 
| @@ -1594,8 +2015,10 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1594 | n+=2; | 2015 | n+=2; | 
| 1595 | } | 2016 | } | 
| 1596 | 2017 | ||
| 1597 | if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) | 2018 | tmp_buf[0]=s->client_version>>8; | 
| 1598 | goto err; | 2019 | tmp_buf[1]=s->client_version&0xff; | 
| 2020 | if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) | ||
| 2021 | goto err; | ||
| 1599 | 2022 | ||
| 1600 | /* 20010420 VRS. Tried it this way; failed. | 2023 | /* 20010420 VRS. Tried it this way; failed. | 
| 1601 | ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); | 2024 | ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); | 
| @@ -1624,20 +2047,27 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1624 | p+=outl; | 2047 | p+=outl; | 
| 1625 | n+=outl + 2; | 2048 | n+=outl + 2; | 
| 1626 | 2049 | ||
| 1627 | s->session->master_key_length= | 2050 | s->session->master_key_length= | 
| 1628 | s->method->ssl3_enc->generate_master_secret(s, | 2051 | s->method->ssl3_enc->generate_master_secret(s, | 
| 1629 | s->session->master_key, | 2052 | s->session->master_key, | 
| 1630 | tmp_buf, sizeof tmp_buf); | 2053 | tmp_buf, sizeof tmp_buf); | 
| 1631 | 2054 | ||
| 1632 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); | 2055 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); | 
| 1633 | OPENSSL_cleanse(epms, outl); | 2056 | OPENSSL_cleanse(epms, outl); | 
| 1634 | } | 2057 | } | 
| 1635 | #endif | 2058 | #endif | 
| 1636 | #ifndef OPENSSL_NO_DH | 2059 | #ifndef OPENSSL_NO_DH | 
| 1637 | else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) | 2060 | else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) | 
| 1638 | { | 2061 | { | 
| 1639 | DH *dh_srvr,*dh_clnt; | 2062 | DH *dh_srvr,*dh_clnt; | 
| 1640 | 2063 | ||
| 2064 | if (s->session->sess_cert == NULL) | ||
| 2065 | { | ||
| 2066 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); | ||
| 2067 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); | ||
| 2068 | goto err; | ||
| 2069 | } | ||
| 2070 | |||
| 1641 | if (s->session->sess_cert->peer_dh_tmp != NULL) | 2071 | if (s->session->sess_cert->peer_dh_tmp != NULL) | 
| 1642 | dh_srvr=s->session->sess_cert->peer_dh_tmp; | 2072 | dh_srvr=s->session->sess_cert->peer_dh_tmp; | 
| 1643 | else | 2073 | else | 
| @@ -1689,10 +2119,198 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1689 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ | 2119 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ | 
| 1690 | } | 2120 | } | 
| 1691 | #endif | 2121 | #endif | 
| 2122 | |||
| 2123 | #ifndef OPENSSL_NO_ECDH | ||
| 2124 | else if ((l & SSL_kECDH) || (l & SSL_kECDHE)) | ||
| 2125 | { | ||
| 2126 | const EC_GROUP *srvr_group = NULL; | ||
| 2127 | EC_KEY *tkey; | ||
| 2128 | int ecdh_clnt_cert = 0; | ||
| 2129 | int field_size = 0; | ||
| 2130 | |||
| 2131 | /* Did we send out the client's | ||
| 2132 | * ECDH share for use in premaster | ||
| 2133 | * computation as part of client certificate? | ||
| 2134 | * If so, set ecdh_clnt_cert to 1. | ||
| 2135 | */ | ||
| 2136 | if ((l & SSL_kECDH) && (s->cert != NULL)) | ||
| 2137 | { | ||
| 2138 | /* XXX: For now, we do not support client | ||
| 2139 | * authentication using ECDH certificates. | ||
| 2140 | * To add such support, one needs to add | ||
| 2141 | * code that checks for appropriate | ||
| 2142 | * conditions and sets ecdh_clnt_cert to 1. | ||
| 2143 | * For example, the cert have an ECC | ||
| 2144 | * key on the same curve as the server's | ||
| 2145 | * and the key should be authorized for | ||
| 2146 | * key agreement. | ||
| 2147 | * | ||
| 2148 | * One also needs to add code in ssl3_connect | ||
| 2149 | * to skip sending the certificate verify | ||
| 2150 | * message. | ||
| 2151 | * | ||
| 2152 | * if ((s->cert->key->privatekey != NULL) && | ||
| 2153 | * (s->cert->key->privatekey->type == | ||
| 2154 | * EVP_PKEY_EC) && ...) | ||
| 2155 | * ecdh_clnt_cert = 1; | ||
| 2156 | */ | ||
| 2157 | } | ||
| 2158 | |||
| 2159 | if (s->session->sess_cert->peer_ecdh_tmp != NULL) | ||
| 2160 | { | ||
| 2161 | tkey = s->session->sess_cert->peer_ecdh_tmp; | ||
| 2162 | } | ||
| 2163 | else | ||
| 2164 | { | ||
| 2165 | /* Get the Server Public Key from Cert */ | ||
| 2166 | srvr_pub_pkey = X509_get_pubkey(s->session-> \ | ||
| 2167 | sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); | ||
| 2168 | if ((srvr_pub_pkey == NULL) || | ||
| 2169 | (srvr_pub_pkey->type != EVP_PKEY_EC) || | ||
| 2170 | (srvr_pub_pkey->pkey.ec == NULL)) | ||
| 2171 | { | ||
| 2172 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2173 | ERR_R_INTERNAL_ERROR); | ||
| 2174 | goto err; | ||
| 2175 | } | ||
| 2176 | |||
| 2177 | tkey = srvr_pub_pkey->pkey.ec; | ||
| 2178 | } | ||
| 2179 | |||
| 2180 | srvr_group = EC_KEY_get0_group(tkey); | ||
| 2181 | srvr_ecpoint = EC_KEY_get0_public_key(tkey); | ||
| 2182 | |||
| 2183 | if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) | ||
| 2184 | { | ||
| 2185 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2186 | ERR_R_INTERNAL_ERROR); | ||
| 2187 | goto err; | ||
| 2188 | } | ||
| 2189 | |||
| 2190 | if ((clnt_ecdh=EC_KEY_new()) == NULL) | ||
| 2191 | { | ||
| 2192 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | ||
| 2193 | goto err; | ||
| 2194 | } | ||
| 2195 | |||
| 2196 | if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) | ||
| 2197 | { | ||
| 2198 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); | ||
| 2199 | goto err; | ||
| 2200 | } | ||
| 2201 | if (ecdh_clnt_cert) | ||
| 2202 | { | ||
| 2203 | /* Reuse key info from our certificate | ||
| 2204 | * We only need our private key to perform | ||
| 2205 | * the ECDH computation. | ||
| 2206 | */ | ||
| 2207 | const BIGNUM *priv_key; | ||
| 2208 | tkey = s->cert->key->privatekey->pkey.ec; | ||
| 2209 | priv_key = EC_KEY_get0_private_key(tkey); | ||
| 2210 | if (priv_key == NULL) | ||
| 2211 | { | ||
| 2212 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | ||
| 2213 | goto err; | ||
| 2214 | } | ||
| 2215 | if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) | ||
| 2216 | { | ||
| 2217 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); | ||
| 2218 | goto err; | ||
| 2219 | } | ||
| 2220 | } | ||
| 2221 | else | ||
| 2222 | { | ||
| 2223 | /* Generate a new ECDH key pair */ | ||
| 2224 | if (!(EC_KEY_generate_key(clnt_ecdh))) | ||
| 2225 | { | ||
| 2226 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); | ||
| 2227 | goto err; | ||
| 2228 | } | ||
| 2229 | } | ||
| 2230 | |||
| 2231 | /* use the 'p' output buffer for the ECDH key, but | ||
| 2232 | * make sure to clear it out afterwards | ||
| 2233 | */ | ||
| 2234 | |||
| 2235 | field_size = EC_GROUP_get_degree(srvr_group); | ||
| 2236 | if (field_size <= 0) | ||
| 2237 | { | ||
| 2238 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2239 | ERR_R_ECDH_LIB); | ||
| 2240 | goto err; | ||
| 2241 | } | ||
| 2242 | n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); | ||
| 2243 | if (n <= 0) | ||
| 2244 | { | ||
| 2245 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2246 | ERR_R_ECDH_LIB); | ||
| 2247 | goto err; | ||
| 2248 | } | ||
| 2249 | |||
| 2250 | /* generate master key from the result */ | ||
| 2251 | s->session->master_key_length = s->method->ssl3_enc \ | ||
| 2252 | -> generate_master_secret(s, | ||
| 2253 | s->session->master_key, | ||
| 2254 | p, n); | ||
| 2255 | |||
| 2256 | memset(p, 0, n); /* clean up */ | ||
| 2257 | |||
| 2258 | if (ecdh_clnt_cert) | ||
| 2259 | { | ||
| 2260 | /* Send empty client key exch message */ | ||
| 2261 | n = 0; | ||
| 2262 | } | ||
| 2263 | else | ||
| 2264 | { | ||
| 2265 | /* First check the size of encoding and | ||
| 2266 | * allocate memory accordingly. | ||
| 2267 | */ | ||
| 2268 | encoded_pt_len = | ||
| 2269 | EC_POINT_point2oct(srvr_group, | ||
| 2270 | EC_KEY_get0_public_key(clnt_ecdh), | ||
| 2271 | POINT_CONVERSION_UNCOMPRESSED, | ||
| 2272 | NULL, 0, NULL); | ||
| 2273 | |||
| 2274 | encodedPoint = (unsigned char *) | ||
| 2275 | OPENSSL_malloc(encoded_pt_len * | ||
| 2276 | sizeof(unsigned char)); | ||
| 2277 | bn_ctx = BN_CTX_new(); | ||
| 2278 | if ((encodedPoint == NULL) || | ||
| 2279 | (bn_ctx == NULL)) | ||
| 2280 | { | ||
| 2281 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | ||
| 2282 | goto err; | ||
| 2283 | } | ||
| 2284 | |||
| 2285 | /* Encode the public key */ | ||
| 2286 | n = EC_POINT_point2oct(srvr_group, | ||
| 2287 | EC_KEY_get0_public_key(clnt_ecdh), | ||
| 2288 | POINT_CONVERSION_UNCOMPRESSED, | ||
| 2289 | encodedPoint, encoded_pt_len, bn_ctx); | ||
| 2290 | |||
| 2291 | *p = n; /* length of encoded point */ | ||
| 2292 | /* Encoded point will be copied here */ | ||
| 2293 | p += 1; | ||
| 2294 | /* copy the point */ | ||
| 2295 | memcpy((unsigned char *)p, encodedPoint, n); | ||
| 2296 | /* increment n to account for length field */ | ||
| 2297 | n += 1; | ||
| 2298 | } | ||
| 2299 | |||
| 2300 | /* Free allocated memory */ | ||
| 2301 | BN_CTX_free(bn_ctx); | ||
| 2302 | if (encodedPoint != NULL) OPENSSL_free(encodedPoint); | ||
| 2303 | if (clnt_ecdh != NULL) | ||
| 2304 | EC_KEY_free(clnt_ecdh); | ||
| 2305 | EVP_PKEY_free(srvr_pub_pkey); | ||
| 2306 | } | ||
| 2307 | #endif /* !OPENSSL_NO_ECDH */ | ||
| 1692 | else | 2308 | else | 
| 1693 | { | 2309 | { | 
| 1694 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); | 2310 | ssl3_send_alert(s, SSL3_AL_FATAL, | 
| 1695 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | 2311 | SSL_AD_HANDSHAKE_FAILURE); | 
| 2312 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2313 | ERR_R_INTERNAL_ERROR); | ||
| 1696 | goto err; | 2314 | goto err; | 
| 1697 | } | 2315 | } | 
| 1698 | 2316 | ||
| @@ -1708,10 +2326,17 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||
| 1708 | /* SSL3_ST_CW_KEY_EXCH_B */ | 2326 | /* SSL3_ST_CW_KEY_EXCH_B */ | 
| 1709 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 2327 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 
| 1710 | err: | 2328 | err: | 
| 2329 | #ifndef OPENSSL_NO_ECDH | ||
| 2330 | BN_CTX_free(bn_ctx); | ||
| 2331 | if (encodedPoint != NULL) OPENSSL_free(encodedPoint); | ||
| 2332 | if (clnt_ecdh != NULL) | ||
| 2333 | EC_KEY_free(clnt_ecdh); | ||
| 2334 | EVP_PKEY_free(srvr_pub_pkey); | ||
| 2335 | #endif | ||
| 1711 | return(-1); | 2336 | return(-1); | 
| 1712 | } | 2337 | } | 
| 1713 | 2338 | ||
| 1714 | static int ssl3_send_client_verify(SSL *s) | 2339 | int ssl3_send_client_verify(SSL *s) | 
| 1715 | { | 2340 | { | 
| 1716 | unsigned char *p,*d; | 2341 | unsigned char *p,*d; | 
| 1717 | unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; | 2342 | unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; | 
| @@ -1720,7 +2345,7 @@ static int ssl3_send_client_verify(SSL *s) | |||
| 1720 | unsigned u=0; | 2345 | unsigned u=0; | 
| 1721 | #endif | 2346 | #endif | 
| 1722 | unsigned long n; | 2347 | unsigned long n; | 
| 1723 | #ifndef OPENSSL_NO_DSA | 2348 | #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) | 
| 1724 | int j; | 2349 | int j; | 
| 1725 | #endif | 2350 | #endif | 
| 1726 | 2351 | ||
| @@ -1766,6 +2391,23 @@ static int ssl3_send_client_verify(SSL *s) | |||
| 1766 | } | 2391 | } | 
| 1767 | else | 2392 | else | 
| 1768 | #endif | 2393 | #endif | 
| 2394 | #ifndef OPENSSL_NO_ECDSA | ||
| 2395 | if (pkey->type == EVP_PKEY_EC) | ||
| 2396 | { | ||
| 2397 | if (!ECDSA_sign(pkey->save_type, | ||
| 2398 | &(data[MD5_DIGEST_LENGTH]), | ||
| 2399 | SHA_DIGEST_LENGTH,&(p[2]), | ||
| 2400 | (unsigned int *)&j,pkey->pkey.ec)) | ||
| 2401 | { | ||
| 2402 | SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | ||
| 2403 | ERR_R_ECDSA_LIB); | ||
| 2404 | goto err; | ||
| 2405 | } | ||
| 2406 | s2n(j,p); | ||
| 2407 | n=j+2; | ||
| 2408 | } | ||
| 2409 | else | ||
| 2410 | #endif | ||
| 1769 | { | 2411 | { | 
| 1770 | SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); | 2412 | SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); | 
| 1771 | goto err; | 2413 | goto err; | 
| @@ -1782,7 +2424,7 @@ err: | |||
| 1782 | return(-1); | 2424 | return(-1); | 
| 1783 | } | 2425 | } | 
| 1784 | 2426 | ||
| 1785 | static int ssl3_send_client_certificate(SSL *s) | 2427 | int ssl3_send_client_certificate(SSL *s) | 
| 1786 | { | 2428 | { | 
| 1787 | X509 *x509=NULL; | 2429 | X509 *x509=NULL; | 
| 1788 | EVP_PKEY *pkey=NULL; | 2430 | EVP_PKEY *pkey=NULL; | 
| @@ -1861,7 +2503,7 @@ static int ssl3_send_client_certificate(SSL *s) | |||
| 1861 | 2503 | ||
| 1862 | #define has_bits(i,m) (((i)&(m)) == (m)) | 2504 | #define has_bits(i,m) (((i)&(m)) == (m)) | 
| 1863 | 2505 | ||
| 1864 | static int ssl3_check_cert_and_algorithm(SSL *s) | 2506 | int ssl3_check_cert_and_algorithm(SSL *s) | 
| 1865 | { | 2507 | { | 
| 1866 | int i,idx; | 2508 | int i,idx; | 
| 1867 | long algs; | 2509 | long algs; | 
| @@ -1876,18 +2518,18 @@ static int ssl3_check_cert_and_algorithm(SSL *s) | |||
| 1876 | 2518 | ||
| 1877 | sc=s->session->sess_cert; | 2519 | sc=s->session->sess_cert; | 
| 1878 | 2520 | ||
| 1879 | if (sc == NULL) | ||
| 1880 | { | ||
| 1881 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); | ||
| 1882 | goto err; | ||
| 1883 | } | ||
| 1884 | |||
| 1885 | algs=s->s3->tmp.new_cipher->algorithms; | 2521 | algs=s->s3->tmp.new_cipher->algorithms; | 
| 1886 | 2522 | ||
| 1887 | /* we don't have a certificate */ | 2523 | /* we don't have a certificate */ | 
| 1888 | if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) | 2524 | if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) | 
| 1889 | return(1); | 2525 | return(1); | 
| 1890 | 2526 | ||
| 2527 | if (sc == NULL) | ||
| 2528 | { | ||
| 2529 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); | ||
| 2530 | goto err; | ||
| 2531 | } | ||
| 2532 | |||
| 1891 | #ifndef OPENSSL_NO_RSA | 2533 | #ifndef OPENSSL_NO_RSA | 
| 1892 | rsa=s->session->sess_cert->peer_rsa_tmp; | 2534 | rsa=s->session->sess_cert->peer_rsa_tmp; | 
| 1893 | #endif | 2535 | #endif | 
| @@ -1898,6 +2540,21 @@ static int ssl3_check_cert_and_algorithm(SSL *s) | |||
| 1898 | /* This is the passed certificate */ | 2540 | /* This is the passed certificate */ | 
| 1899 | 2541 | ||
| 1900 | idx=sc->peer_cert_type; | 2542 | idx=sc->peer_cert_type; | 
| 2543 | #ifndef OPENSSL_NO_ECDH | ||
| 2544 | if (idx == SSL_PKEY_ECC) | ||
| 2545 | { | ||
| 2546 | if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, | ||
| 2547 | s->s3->tmp.new_cipher) == 0) | ||
| 2548 | { /* check failed */ | ||
| 2549 | SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); | ||
| 2550 | goto f_err; | ||
| 2551 | } | ||
| 2552 | else | ||
| 2553 | { | ||
| 2554 | return 1; | ||
| 2555 | } | ||
| 2556 | } | ||
| 2557 | #endif | ||
| 1901 | pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); | 2558 | pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); | 
| 1902 | i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); | 2559 | i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); | 
| 1903 | EVP_PKEY_free(pkey); | 2560 | EVP_PKEY_free(pkey); | 
| @@ -1983,3 +2640,79 @@ err: | |||
| 1983 | return(0); | 2640 | return(0); | 
| 1984 | } | 2641 | } | 
| 1985 | 2642 | ||
| 2643 | |||
| 2644 | #ifndef OPENSSL_NO_ECDH | ||
| 2645 | /* This is the complement of nid2curve_id in s3_srvr.c. */ | ||
| 2646 | static int curve_id2nid(int curve_id) | ||
| 2647 | { | ||
| 2648 | /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) | ||
| 2649 | * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ | ||
| 2650 | static int nid_list[26] = | ||
| 2651 | { | ||
| 2652 | 0, | ||
| 2653 | NID_sect163k1, /* sect163k1 (1) */ | ||
| 2654 | NID_sect163r1, /* sect163r1 (2) */ | ||
| 2655 | NID_sect163r2, /* sect163r2 (3) */ | ||
| 2656 | NID_sect193r1, /* sect193r1 (4) */ | ||
| 2657 | NID_sect193r2, /* sect193r2 (5) */ | ||
| 2658 | NID_sect233k1, /* sect233k1 (6) */ | ||
| 2659 | NID_sect233r1, /* sect233r1 (7) */ | ||
| 2660 | NID_sect239k1, /* sect239k1 (8) */ | ||
| 2661 | NID_sect283k1, /* sect283k1 (9) */ | ||
| 2662 | NID_sect283r1, /* sect283r1 (10) */ | ||
| 2663 | NID_sect409k1, /* sect409k1 (11) */ | ||
| 2664 | NID_sect409r1, /* sect409r1 (12) */ | ||
| 2665 | NID_sect571k1, /* sect571k1 (13) */ | ||
| 2666 | NID_sect571r1, /* sect571r1 (14) */ | ||
| 2667 | NID_secp160k1, /* secp160k1 (15) */ | ||
| 2668 | NID_secp160r1, /* secp160r1 (16) */ | ||
| 2669 | NID_secp160r2, /* secp160r2 (17) */ | ||
| 2670 | NID_secp192k1, /* secp192k1 (18) */ | ||
| 2671 | NID_X9_62_prime192v1, /* secp192r1 (19) */ | ||
| 2672 | NID_secp224k1, /* secp224k1 (20) */ | ||
| 2673 | NID_secp224r1, /* secp224r1 (21) */ | ||
| 2674 | NID_secp256k1, /* secp256k1 (22) */ | ||
| 2675 | NID_X9_62_prime256v1, /* secp256r1 (23) */ | ||
| 2676 | NID_secp384r1, /* secp384r1 (24) */ | ||
| 2677 | NID_secp521r1 /* secp521r1 (25) */ | ||
| 2678 | }; | ||
| 2679 | |||
| 2680 | if ((curve_id < 1) || (curve_id > 25)) return 0; | ||
| 2681 | |||
| 2682 | return nid_list[curve_id]; | ||
| 2683 | } | ||
| 2684 | #endif | ||
| 2685 | |||
| 2686 | /* Check to see if handshake is full or resumed. Usually this is just a | ||
| 2687 | * case of checking to see if a cache hit has occurred. In the case of | ||
| 2688 | * session tickets we have to check the next message to be sure. | ||
| 2689 | */ | ||
| 2690 | |||
| 2691 | #ifndef OPENSSL_NO_TLSEXT | ||
| 2692 | static int ssl3_check_finished(SSL *s) | ||
| 2693 | { | ||
| 2694 | int ok; | ||
| 2695 | long n; | ||
| 2696 | /* If we have no ticket or session ID is non-zero length (a match of | ||
| 2697 | * a non-zero session length would never reach here) it cannot be a | ||
| 2698 | * resumed session. | ||
| 2699 | */ | ||
| 2700 | if (!s->session->tlsext_tick || s->session->session_id_length) | ||
| 2701 | return 1; | ||
| 2702 | /* this function is called when we really expect a Certificate | ||
| 2703 | * message, so permit appropriate message length */ | ||
| 2704 | n=s->method->ssl_get_message(s, | ||
| 2705 | SSL3_ST_CR_CERT_A, | ||
| 2706 | SSL3_ST_CR_CERT_B, | ||
| 2707 | -1, | ||
| 2708 | s->max_cert_list, | ||
| 2709 | &ok); | ||
| 2710 | if (!ok) return((int)n); | ||
| 2711 | s->s3->tmp.reuse_message = 1; | ||
| 2712 | if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) | ||
| 2713 | || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) | ||
| 2714 | return 2; | ||
| 2715 | |||
| 2716 | return 1; | ||
| 2717 | } | ||
| 2718 | #endif | ||
