summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
authordjm <>2010-10-01 22:59:01 +0000
committerdjm <>2010-10-01 22:59:01 +0000
commit8922d4bc4a8b8893d72a48deb2cdf58215f98505 (patch)
tree939b752540947d33507b3acc48d76a8bfb7c3dc3 /src/lib/libssl/s3_srvr.c
parent76262f7bf9262f965142b1b2b2105cb279c5c696 (diff)
downloadopenbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.gz
openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.tar.bz2
openbsd-8922d4bc4a8b8893d72a48deb2cdf58215f98505.zip
resolve conflicts, fix local changes
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_srvr.c863
1 files changed, 595 insertions, 268 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 79f3706c31..92f73b6681 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* ssl/s3_srvr.c */ 1/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -121,6 +121,32 @@
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 * 122 *
123 */ 123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
124 150
125#define REUSE_CIPHER_BUG 151#define REUSE_CIPHER_BUG
126#define NETSCAPE_HANG_BUG 152#define NETSCAPE_HANG_BUG
@@ -143,12 +169,9 @@
143#endif 169#endif
144#include <openssl/md5.h> 170#include <openssl/md5.h>
145 171
146static SSL_METHOD *ssl3_get_server_method(int ver); 172static const SSL_METHOD *ssl3_get_server_method(int ver);
147#ifndef OPENSSL_NO_ECDH
148static int nid2curve_id(int nid);
149#endif
150 173
151static SSL_METHOD *ssl3_get_server_method(int ver) 174static const SSL_METHOD *ssl3_get_server_method(int ver)
152 { 175 {
153 if (ver == SSL3_VERSION) 176 if (ver == SSL3_VERSION)
154 return(SSLv3_server_method()); 177 return(SSLv3_server_method());
@@ -164,9 +187,8 @@ IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
164int ssl3_accept(SSL *s) 187int ssl3_accept(SSL *s)
165 { 188 {
166 BUF_MEM *buf; 189 BUF_MEM *buf;
167 unsigned long l,Time=(unsigned long)time(NULL); 190 unsigned long alg_k,Time=(unsigned long)time(NULL);
168 void (*cb)(const SSL *ssl,int type,int val)=NULL; 191 void (*cb)(const SSL *ssl,int type,int val)=NULL;
169 long num1;
170 int ret= -1; 192 int ret= -1;
171 int new_state,state,skip=0; 193 int new_state,state,skip=0;
172 194
@@ -248,6 +270,18 @@ int ssl3_accept(SSL *s)
248 s->state=SSL3_ST_SR_CLNT_HELLO_A; 270 s->state=SSL3_ST_SR_CLNT_HELLO_A;
249 s->ctx->stats.sess_accept++; 271 s->ctx->stats.sess_accept++;
250 } 272 }
273 else if (!s->s3->send_connection_binding &&
274 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
275 {
276 /* Server attempting to renegotiate with
277 * client that doesn't support secure
278 * renegotiation.
279 */
280 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
281 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
282 ret = -1;
283 goto end;
284 }
251 else 285 else
252 { 286 {
253 /* s->state == SSL_ST_RENEGOTIATE, 287 /* s->state == SSL_ST_RENEGOTIATE,
@@ -281,6 +315,7 @@ int ssl3_accept(SSL *s)
281 s->shutdown=0; 315 s->shutdown=0;
282 ret=ssl3_get_client_hello(s); 316 ret=ssl3_get_client_hello(s);
283 if (ret <= 0) goto end; 317 if (ret <= 0) goto end;
318
284 s->new_session = 2; 319 s->new_session = 2;
285 s->state=SSL3_ST_SW_SRVR_HELLO_A; 320 s->state=SSL3_ST_SW_SRVR_HELLO_A;
286 s->init_num=0; 321 s->init_num=0;
@@ -309,9 +344,11 @@ int ssl3_accept(SSL *s)
309 344
310 case SSL3_ST_SW_CERT_A: 345 case SSL3_ST_SW_CERT_A:
311 case SSL3_ST_SW_CERT_B: 346 case SSL3_ST_SW_CERT_B:
312 /* Check if it is anon DH or anon ECDH or KRB5 */ 347 /* Check if it is anon DH or anon ECDH, */
313 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) 348 /* normal PSK or KRB5 */
314 && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 349 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
350 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
351 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
315 { 352 {
316 ret=ssl3_send_server_certificate(s); 353 ret=ssl3_send_server_certificate(s);
317 if (ret <= 0) goto end; 354 if (ret <= 0) goto end;
@@ -338,13 +375,13 @@ int ssl3_accept(SSL *s)
338 375
339 case SSL3_ST_SW_KEY_EXCH_A: 376 case SSL3_ST_SW_KEY_EXCH_A:
340 case SSL3_ST_SW_KEY_EXCH_B: 377 case SSL3_ST_SW_KEY_EXCH_B:
341 l=s->s3->tmp.new_cipher->algorithms; 378 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
342 379
343 /* clear this, it may get reset by 380 /* clear this, it may get reset by
344 * send_server_key_exchange */ 381 * send_server_key_exchange */
345 if ((s->options & SSL_OP_EPHEMERAL_RSA) 382 if ((s->options & SSL_OP_EPHEMERAL_RSA)
346#ifndef OPENSSL_NO_KRB5 383#ifndef OPENSSL_NO_KRB5
347 && !(l & SSL_KRB5) 384 && !(alg_k & SSL_kKRB5)
348#endif /* OPENSSL_NO_KRB5 */ 385#endif /* OPENSSL_NO_KRB5 */
349 ) 386 )
350 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 387 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
@@ -359,16 +396,23 @@ int ssl3_accept(SSL *s)
359 /* only send if a DH key exchange, fortezza or 396 /* only send if a DH key exchange, fortezza or
360 * RSA but we have a sign only certificate 397 * RSA but we have a sign only certificate
361 * 398 *
399 * PSK: may send PSK identity hints
400 *
362 * For ECC ciphersuites, we send a serverKeyExchange 401 * For ECC ciphersuites, we send a serverKeyExchange
363 * message only if the cipher suite is either 402 * message only if the cipher suite is either
364 * ECDH-anon or ECDHE. In other cases, the 403 * ECDH-anon or ECDHE. In other cases, the
365 * server certificate contains the server's 404 * server certificate contains the server's
366 * public key for key exchange. 405 * public key for key exchange.
367 */ 406 */
368 if (s->s3->tmp.use_rsa_tmp 407 if (s->s3->tmp.use_rsa_tmp
369 || (l & SSL_kECDHE) 408 /* PSK: send ServerKeyExchange if PSK identity
370 || (l & (SSL_DH|SSL_kFZA)) 409 * hint if provided */
371 || ((l & SSL_kRSA) 410#ifndef OPENSSL_NO_PSK
411 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
412#endif
413 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
414 || (alg_k & SSL_kEECDH)
415 || ((alg_k & SSL_kRSA)
372 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 416 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
373 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 417 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
374 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 418 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
@@ -398,12 +442,15 @@ int ssl3_accept(SSL *s)
398 /* never request cert in anonymous ciphersuites 442 /* never request cert in anonymous ciphersuites
399 * (see section "Certificate request" in SSL 3 drafts 443 * (see section "Certificate request" in SSL 3 drafts
400 * and in RFC 2246): */ 444 * and in RFC 2246): */
401 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 445 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
402 /* ... except when the application insists on verification 446 /* ... except when the application insists on verification
403 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 447 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
404 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 448 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
405 /* never request cert in Kerberos ciphersuites */ 449 /* never request cert in Kerberos ciphersuites */
406 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 450 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
451 /* With normal PSK Certificates and
452 * Certificate Requests are omitted */
453 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
407 { 454 {
408 /* no cert request */ 455 /* no cert request */
409 skip=1; 456 skip=1;
@@ -435,15 +482,24 @@ int ssl3_accept(SSL *s)
435 break; 482 break;
436 483
437 case SSL3_ST_SW_FLUSH: 484 case SSL3_ST_SW_FLUSH:
438 /* number of bytes to be flushed */ 485
439 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 486 /* This code originally checked to see if
440 if (num1 > 0) 487 * any data was pending using BIO_CTRL_INFO
488 * and then flushed. This caused problems
489 * as documented in PR#1939. The proposed
490 * fix doesn't completely resolve this issue
491 * as buggy implementations of BIO_CTRL_PENDING
492 * still exist. So instead we just flush
493 * unconditionally.
494 */
495
496 s->rwstate=SSL_WRITING;
497 if (BIO_flush(s->wbio) <= 0)
441 { 498 {
442 s->rwstate=SSL_WRITING; 499 ret= -1;
443 num1=BIO_flush(s->wbio); 500 goto end;
444 if (num1 <= 0) { ret= -1; goto end; }
445 s->rwstate=SSL_NOTHING;
446 } 501 }
502 s->rwstate=SSL_NOTHING;
447 503
448 s->state=s->s3->tmp.next_state; 504 s->state=s->s3->tmp.next_state;
449 break; 505 break;
@@ -470,7 +526,7 @@ int ssl3_accept(SSL *s)
470 case SSL3_ST_SR_KEY_EXCH_A: 526 case SSL3_ST_SR_KEY_EXCH_A:
471 case SSL3_ST_SR_KEY_EXCH_B: 527 case SSL3_ST_SR_KEY_EXCH_B:
472 ret=ssl3_get_client_key_exchange(s); 528 ret=ssl3_get_client_key_exchange(s);
473 if (ret <= 0) 529 if (ret <= 0)
474 goto end; 530 goto end;
475 if (ret == 2) 531 if (ret == 2)
476 { 532 {
@@ -478,24 +534,43 @@ int ssl3_accept(SSL *s)
478 * the client sends its ECDH pub key in 534 * the client sends its ECDH pub key in
479 * a certificate, the CertificateVerify 535 * a certificate, the CertificateVerify
480 * message is not sent. 536 * message is not sent.
537 * Also for GOST ciphersuites when
538 * the client uses its key from the certificate
539 * for key exchange.
481 */ 540 */
482 s->state=SSL3_ST_SR_FINISHED_A; 541 s->state=SSL3_ST_SR_FINISHED_A;
483 s->init_num = 0; 542 s->init_num = 0;
484 } 543 }
485 else 544 else
486 { 545 {
546 int offset=0;
547 int dgst_num;
548
487 s->state=SSL3_ST_SR_CERT_VRFY_A; 549 s->state=SSL3_ST_SR_CERT_VRFY_A;
488 s->init_num=0; 550 s->init_num=0;
489 551
490 /* We need to get hashes here so if there is 552 /* We need to get hashes here so if there is
491 * a client cert, it can be verified 553 * a client cert, it can be verified
492 */ 554 * FIXME - digest processing for CertificateVerify
493 s->method->ssl3_enc->cert_verify_mac(s, 555 * should be generalized. But it is next step
494 &(s->s3->finish_dgst1), 556 */
495 &(s->s3->tmp.cert_verify_md[0])); 557 if (s->s3->handshake_buffer)
496 s->method->ssl3_enc->cert_verify_mac(s, 558 if (!ssl3_digest_cached_records(s))
497 &(s->s3->finish_dgst2), 559 return -1;
498 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 560 for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
561 if (s->s3->handshake_dgst[dgst_num])
562 {
563 int dgst_size;
564
565 s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
566 dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
567 if (dgst_size < 0)
568 {
569 ret = -1;
570 goto end;
571 }
572 offset+=dgst_size;
573 }
499 } 574 }
500 break; 575 break;
501 576
@@ -515,11 +590,14 @@ int ssl3_accept(SSL *s)
515 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 590 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
516 SSL3_ST_SR_FINISHED_B); 591 SSL3_ST_SR_FINISHED_B);
517 if (ret <= 0) goto end; 592 if (ret <= 0) goto end;
518 if (s->hit)
519 s->state=SSL_ST_OK;
520#ifndef OPENSSL_NO_TLSEXT 593#ifndef OPENSSL_NO_TLSEXT
521 else if (s->tlsext_ticket_expected) 594 if (s->tlsext_ticket_expected)
522 s->state=SSL3_ST_SW_SESSION_TICKET_A; 595 s->state=SSL3_ST_SW_SESSION_TICKET_A;
596 else if (s->hit)
597 s->state=SSL_ST_OK;
598#else
599 if (s->hit)
600 s->state=SSL_ST_OK;
523#endif 601#endif
524 else 602 else
525 s->state=SSL3_ST_SW_CHANGE_A; 603 s->state=SSL3_ST_SW_CHANGE_A;
@@ -718,14 +796,6 @@ int ssl3_get_client_hello(SSL *s)
718#endif 796#endif
719 STACK_OF(SSL_CIPHER) *ciphers=NULL; 797 STACK_OF(SSL_CIPHER) *ciphers=NULL;
720 798
721 if (s->new_session
722 && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
723 {
724 al=SSL_AD_HANDSHAKE_FAILURE;
725 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
726 goto f_err;
727 }
728
729 /* We do this so that we will respond with our native type. 799 /* We do this so that we will respond with our native type.
730 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 800 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
731 * This down switching should be handled by a different method. 801 * This down switching should be handled by a different method.
@@ -757,7 +827,7 @@ int ssl3_get_client_hello(SSL *s)
757 (s->version != DTLS1_VERSION && s->client_version < s->version)) 827 (s->version != DTLS1_VERSION && s->client_version < s->version))
758 { 828 {
759 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 829 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
760 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 830 if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
761 { 831 {
762 /* similar to ssl3_get_record, send alert using remote version number */ 832 /* similar to ssl3_get_record, send alert using remote version number */
763 s->version = s->client_version; 833 s->version = s->client_version;
@@ -766,6 +836,21 @@ int ssl3_get_client_hello(SSL *s)
766 goto f_err; 836 goto f_err;
767 } 837 }
768 838
839 /* If we require cookies and this ClientHello doesn't
840 * contain one, just return since we do not want to
841 * allocate any memory yet. So check cookie length...
842 */
843 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
844 {
845 unsigned int session_length, cookie_length;
846
847 session_length = *(p + SSL3_RANDOM_SIZE);
848 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
849
850 if (cookie_length == 0)
851 return 1;
852 }
853
769 /* load the client random */ 854 /* load the client random */
770 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 855 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
771 p+=SSL3_RANDOM_SIZE; 856 p+=SSL3_RANDOM_SIZE;
@@ -805,23 +890,11 @@ int ssl3_get_client_hello(SSL *s)
805 890
806 p+=j; 891 p+=j;
807 892
808 if (s->version == DTLS1_VERSION) 893 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
809 { 894 {
810 /* cookie stuff */ 895 /* cookie stuff */
811 cookie_len = *(p++); 896 cookie_len = *(p++);
812 897
813 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
814 s->d1->send_cookie == 0)
815 {
816 /* HelloVerifyMessage has already been sent */
817 if ( cookie_len != s->d1->cookie_len)
818 {
819 al = SSL_AD_HANDSHAKE_FAILURE;
820 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
821 goto f_err;
822 }
823 }
824
825 /* 898 /*
826 * The ClientHello may contain a cookie even if the 899 * The ClientHello may contain a cookie even if the
827 * HelloVerify message has not been sent--make sure that it 900 * HelloVerify message has not been sent--make sure that it
@@ -836,7 +909,7 @@ int ssl3_get_client_hello(SSL *s)
836 } 909 }
837 910
838 /* verify the cookie if appropriate option is set. */ 911 /* verify the cookie if appropriate option is set. */
839 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 912 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
840 cookie_len > 0) 913 cookie_len > 0)
841 { 914 {
842 memcpy(s->d1->rcvd_cookie, p, cookie_len); 915 memcpy(s->d1->rcvd_cookie, p, cookie_len);
@@ -861,6 +934,8 @@ int ssl3_get_client_hello(SSL *s)
861 SSL_R_COOKIE_MISMATCH); 934 SSL_R_COOKIE_MISMATCH);
862 goto f_err; 935 goto f_err;
863 } 936 }
937
938 ret = 2;
864 } 939 }
865 940
866 p += cookie_len; 941 p += cookie_len;
@@ -960,7 +1035,7 @@ int ssl3_get_client_hello(SSL *s)
960 1035
961#ifndef OPENSSL_NO_TLSEXT 1036#ifndef OPENSSL_NO_TLSEXT
962 /* TLS extensions*/ 1037 /* TLS extensions*/
963 if (s->version > SSL3_VERSION) 1038 if (s->version >= SSL3_VERSION)
964 { 1039 {
965 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) 1040 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
966 { 1041 {
@@ -973,13 +1048,110 @@ int ssl3_get_client_hello(SSL *s)
973 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1048 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
974 goto err; 1049 goto err;
975 } 1050 }
1051
1052 /* Check if we want to use external pre-shared secret for this
1053 * handshake for not reused session only. We need to generate
1054 * server_random before calling tls_session_secret_cb in order to allow
1055 * SessionTicket processing to use it in key derivation. */
1056 {
1057 unsigned long Time;
1058 unsigned char *pos;
1059 Time=(unsigned long)time(NULL); /* Time */
1060 pos=s->s3->server_random;
1061 l2n(Time,pos);
1062 if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
1063 {
1064 al=SSL_AD_INTERNAL_ERROR;
1065 goto f_err;
1066 }
1067 }
1068
1069 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
1070 {
1071 SSL_CIPHER *pref_cipher=NULL;
1072
1073 s->session->master_key_length=sizeof(s->session->master_key);
1074 if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
1075 ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
1076 {
1077 s->hit=1;
1078 s->session->ciphers=ciphers;
1079 s->session->verify_result=X509_V_OK;
1080
1081 ciphers=NULL;
1082
1083 /* check if some cipher was preferred by call back */
1084 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1085 if (pref_cipher == NULL)
1086 {
1087 al=SSL_AD_HANDSHAKE_FAILURE;
1088 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1089 goto f_err;
1090 }
1091
1092 s->session->cipher=pref_cipher;
1093
1094 if (s->cipher_list)
1095 sk_SSL_CIPHER_free(s->cipher_list);
1096
1097 if (s->cipher_list_by_id)
1098 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1099
1100 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1101 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1102 }
1103 }
976#endif 1104#endif
1105
977 /* Worst case, we will use the NULL compression, but if we have other 1106 /* Worst case, we will use the NULL compression, but if we have other
978 * options, we will now look for them. We have i-1 compression 1107 * options, we will now look for them. We have i-1 compression
979 * algorithms from the client, starting at q. */ 1108 * algorithms from the client, starting at q. */
980 s->s3->tmp.new_compression=NULL; 1109 s->s3->tmp.new_compression=NULL;
981#ifndef OPENSSL_NO_COMP 1110#ifndef OPENSSL_NO_COMP
982 if (s->ctx->comp_methods != NULL) 1111 /* This only happens if we have a cache hit */
1112 if (s->session->compress_meth != 0)
1113 {
1114 int m, comp_id = s->session->compress_meth;
1115 /* Perform sanity checks on resumed compression algorithm */
1116 /* Can't disable compression */
1117 if (s->options & SSL_OP_NO_COMPRESSION)
1118 {
1119 al=SSL_AD_INTERNAL_ERROR;
1120 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1121 goto f_err;
1122 }
1123 /* Look for resumed compression method */
1124 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
1125 {
1126 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
1127 if (comp_id == comp->id)
1128 {
1129 s->s3->tmp.new_compression=comp;
1130 break;
1131 }
1132 }
1133 if (s->s3->tmp.new_compression == NULL)
1134 {
1135 al=SSL_AD_INTERNAL_ERROR;
1136 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
1137 goto f_err;
1138 }
1139 /* Look for resumed method in compression list */
1140 for (m = 0; m < i; m++)
1141 {
1142 if (q[m] == comp_id)
1143 break;
1144 }
1145 if (m >= i)
1146 {
1147 al=SSL_AD_ILLEGAL_PARAMETER;
1148 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1149 goto f_err;
1150 }
1151 }
1152 else if (s->hit)
1153 comp = NULL;
1154 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
983 { /* See if we have a match */ 1155 { /* See if we have a match */
984 int m,nn,o,v,done=0; 1156 int m,nn,o,v,done=0;
985 1157
@@ -1003,22 +1175,15 @@ int ssl3_get_client_hello(SSL *s)
1003 else 1175 else
1004 comp=NULL; 1176 comp=NULL;
1005 } 1177 }
1006#endif 1178#else
1007 1179 /* If compression is disabled we'd better not try to resume a session
1008 /* TLS does not mind if there is extra stuff */ 1180 * using compression.
1009#if 0 /* SSL 3.0 does not mind either, so we should disable this test 1181 */
1010 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, 1182 if (s->session->compress_meth != 0)
1011 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
1012 if (s->version == SSL3_VERSION)
1013 { 1183 {
1014 if (p < (d+n)) 1184 al=SSL_AD_INTERNAL_ERROR;
1015 { 1185 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1016 /* wrong number of bytes, 1186 goto f_err;
1017 * there could be more to follow */
1018 al=SSL_AD_DECODE_ERROR;
1019 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
1020 goto f_err;
1021 }
1022 } 1187 }
1023#endif 1188#endif
1024 1189
@@ -1067,7 +1232,7 @@ int ssl3_get_client_hello(SSL *s)
1067 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1232 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1068 { 1233 {
1069 c=sk_SSL_CIPHER_value(sk,i); 1234 c=sk_SSL_CIPHER_value(sk,i);
1070 if (c->algorithms & SSL_eNULL) 1235 if (c->algorithm_enc & SSL_eNULL)
1071 nc=c; 1236 nc=c;
1072 if (SSL_C_IS_EXPORT(c)) 1237 if (SSL_C_IS_EXPORT(c))
1073 ec=c; 1238 ec=c;
@@ -1083,6 +1248,9 @@ int ssl3_get_client_hello(SSL *s)
1083#endif 1248#endif
1084 s->s3->tmp.new_cipher=s->session->cipher; 1249 s->s3->tmp.new_cipher=s->session->cipher;
1085 } 1250 }
1251
1252 if (!ssl3_digest_cached_records(s))
1253 goto f_err;
1086 1254
1087 /* we now have the following setup. 1255 /* we now have the following setup.
1088 * client_random 1256 * client_random
@@ -1095,7 +1263,7 @@ int ssl3_get_client_hello(SSL *s)
1095 * s->tmp.new_cipher - the new cipher to use. 1263 * s->tmp.new_cipher - the new cipher to use.
1096 */ 1264 */
1097 1265
1098 ret=1; 1266 if (ret < 0) ret=1;
1099 if (0) 1267 if (0)
1100 { 1268 {
1101f_err: 1269f_err:
@@ -1111,16 +1279,22 @@ int ssl3_send_server_hello(SSL *s)
1111 unsigned char *buf; 1279 unsigned char *buf;
1112 unsigned char *p,*d; 1280 unsigned char *p,*d;
1113 int i,sl; 1281 int i,sl;
1114 unsigned long l,Time; 1282 unsigned long l;
1283#ifdef OPENSSL_NO_TLSEXT
1284 unsigned long Time;
1285#endif
1115 1286
1116 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1287 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
1117 { 1288 {
1118 buf=(unsigned char *)s->init_buf->data; 1289 buf=(unsigned char *)s->init_buf->data;
1290#ifdef OPENSSL_NO_TLSEXT
1119 p=s->s3->server_random; 1291 p=s->s3->server_random;
1292 /* Generate server_random if it was not needed previously */
1120 Time=(unsigned long)time(NULL); /* Time */ 1293 Time=(unsigned long)time(NULL); /* Time */
1121 l2n(Time,p); 1294 l2n(Time,p);
1122 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1295 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
1123 return -1; 1296 return -1;
1297#endif
1124 /* Do the message type and length last */ 1298 /* Do the message type and length last */
1125 d=p= &(buf[4]); 1299 d=p= &(buf[4]);
1126 1300
@@ -1174,6 +1348,11 @@ int ssl3_send_server_hello(SSL *s)
1174 *(p++)=s->s3->tmp.new_compression->id; 1348 *(p++)=s->s3->tmp.new_compression->id;
1175#endif 1349#endif
1176#ifndef OPENSSL_NO_TLSEXT 1350#ifndef OPENSSL_NO_TLSEXT
1351 if (ssl_prepare_serverhello_tlsext(s) <= 0)
1352 {
1353 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1354 return -1;
1355 }
1177 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1356 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
1178 { 1357 {
1179 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); 1358 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
@@ -1253,7 +1432,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1253 EVP_MD_CTX_init(&md_ctx); 1432 EVP_MD_CTX_init(&md_ctx);
1254 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1433 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
1255 { 1434 {
1256 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1435 type=s->s3->tmp.new_cipher->algorithm_mkey;
1257 cert=s->cert; 1436 cert=s->cert;
1258 1437
1259 buf=s->init_buf; 1438 buf=s->init_buf;
@@ -1348,7 +1527,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1348 else 1527 else
1349#endif 1528#endif
1350#ifndef OPENSSL_NO_ECDH 1529#ifndef OPENSSL_NO_ECDH
1351 if (type & SSL_kECDHE) 1530 if (type & SSL_kEECDH)
1352 { 1531 {
1353 const EC_GROUP *group; 1532 const EC_GROUP *group;
1354 1533
@@ -1418,7 +1597,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1418 * supported named curves, curve_id is non-zero. 1597 * supported named curves, curve_id is non-zero.
1419 */ 1598 */
1420 if ((curve_id = 1599 if ((curve_id =
1421 nid2curve_id(EC_GROUP_get_curve_name(group))) 1600 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
1422 == 0) 1601 == 0)
1423 { 1602 {
1424 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1603 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
@@ -1475,6 +1654,14 @@ int ssl3_send_server_key_exchange(SSL *s)
1475 } 1654 }
1476 else 1655 else
1477#endif /* !OPENSSL_NO_ECDH */ 1656#endif /* !OPENSSL_NO_ECDH */
1657#ifndef OPENSSL_NO_PSK
1658 if (type & SSL_kPSK)
1659 {
1660 /* reserve size for record length and PSK identity hint*/
1661 n+=2+strlen(s->ctx->psk_identity_hint);
1662 }
1663 else
1664#endif /* !OPENSSL_NO_PSK */
1478 { 1665 {
1479 al=SSL_AD_HANDSHAKE_FAILURE; 1666 al=SSL_AD_HANDSHAKE_FAILURE;
1480 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1667 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1486,7 +1673,8 @@ int ssl3_send_server_key_exchange(SSL *s)
1486 n+=2+nr[i]; 1673 n+=2+nr[i];
1487 } 1674 }
1488 1675
1489 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 1676 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1677 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
1490 { 1678 {
1491 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1679 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
1492 == NULL) 1680 == NULL)
@@ -1518,7 +1706,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1518 } 1706 }
1519 1707
1520#ifndef OPENSSL_NO_ECDH 1708#ifndef OPENSSL_NO_ECDH
1521 if (type & SSL_kECDHE) 1709 if (type & SSL_kEECDH)
1522 { 1710 {
1523 /* XXX: For now, we only support named (not generic) curves. 1711 /* XXX: For now, we only support named (not generic) curves.
1524 * In this situation, the serverKeyExchange message has: 1712 * In this situation, the serverKeyExchange message has:
@@ -1542,6 +1730,16 @@ int ssl3_send_server_key_exchange(SSL *s)
1542 } 1730 }
1543#endif 1731#endif
1544 1732
1733#ifndef OPENSSL_NO_PSK
1734 if (type & SSL_kPSK)
1735 {
1736 /* copy PSK identity hint */
1737 s2n(strlen(s->ctx->psk_identity_hint), p);
1738 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
1739 p+=strlen(s->ctx->psk_identity_hint);
1740 }
1741#endif
1742
1545 /* not anonymous */ 1743 /* not anonymous */
1546 if (pkey != NULL) 1744 if (pkey != NULL)
1547 { 1745 {
@@ -1554,8 +1752,6 @@ int ssl3_send_server_key_exchange(SSL *s)
1554 j=0; 1752 j=0;
1555 for (num=2; num > 0; num--) 1753 for (num=2; num > 0; num--)
1556 { 1754 {
1557 EVP_MD_CTX_set_flags(&md_ctx,
1558 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1559 EVP_DigestInit_ex(&md_ctx,(num == 2) 1755 EVP_DigestInit_ex(&md_ctx,(num == 2)
1560 ?s->ctx->md5:s->ctx->sha1, NULL); 1756 ?s->ctx->md5:s->ctx->sha1, NULL);
1561 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1757 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1739,7 +1935,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1739 { 1935 {
1740 int i,al,ok; 1936 int i,al,ok;
1741 long n; 1937 long n;
1742 unsigned long l; 1938 unsigned long alg_k;
1743 unsigned char *p; 1939 unsigned char *p;
1744#ifndef OPENSSL_NO_RSA 1940#ifndef OPENSSL_NO_RSA
1745 RSA *rsa=NULL; 1941 RSA *rsa=NULL;
@@ -1750,7 +1946,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1750 DH *dh_srvr; 1946 DH *dh_srvr;
1751#endif 1947#endif
1752#ifndef OPENSSL_NO_KRB5 1948#ifndef OPENSSL_NO_KRB5
1753 KSSL_ERR kssl_err; 1949 KSSL_ERR kssl_err;
1754#endif /* OPENSSL_NO_KRB5 */ 1950#endif /* OPENSSL_NO_KRB5 */
1755 1951
1756#ifndef OPENSSL_NO_ECDH 1952#ifndef OPENSSL_NO_ECDH
@@ -1770,10 +1966,10 @@ int ssl3_get_client_key_exchange(SSL *s)
1770 if (!ok) return((int)n); 1966 if (!ok) return((int)n);
1771 p=(unsigned char *)s->init_msg; 1967 p=(unsigned char *)s->init_msg;
1772 1968
1773 l=s->s3->tmp.new_cipher->algorithms; 1969 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1774 1970
1775#ifndef OPENSSL_NO_RSA 1971#ifndef OPENSSL_NO_RSA
1776 if (l & SSL_kRSA) 1972 if (alg_k & SSL_kRSA)
1777 { 1973 {
1778 /* FIX THIS UP EAY EAY EAY EAY */ 1974 /* FIX THIS UP EAY EAY EAY EAY */
1779 if (s->s3->tmp.use_rsa_tmp) 1975 if (s->s3->tmp.use_rsa_tmp)
@@ -1804,9 +2000,8 @@ int ssl3_get_client_key_exchange(SSL *s)
1804 rsa=pkey->pkey.rsa; 2000 rsa=pkey->pkey.rsa;
1805 } 2001 }
1806 2002
1807 /* TLS and [incidentally] DTLS, including pre-0.9.8f */ 2003 /* TLS and [incidentally] DTLS{0xFEFF} */
1808 if (s->version > SSL3_VERSION && 2004 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER)
1809 s->client_version != DTLS1_BAD_VER)
1810 { 2005 {
1811 n2s(p,i); 2006 n2s(p,i);
1812 if (n != i+2) 2007 if (n != i+2)
@@ -1880,7 +2075,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1880 else 2075 else
1881#endif 2076#endif
1882#ifndef OPENSSL_NO_DH 2077#ifndef OPENSSL_NO_DH
1883 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2078 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1884 { 2079 {
1885 n2s(p,i); 2080 n2s(p,i);
1886 if (n != i+2) 2081 if (n != i+2)
@@ -1943,30 +2138,30 @@ int ssl3_get_client_key_exchange(SSL *s)
1943 else 2138 else
1944#endif 2139#endif
1945#ifndef OPENSSL_NO_KRB5 2140#ifndef OPENSSL_NO_KRB5
1946 if (l & SSL_kKRB5) 2141 if (alg_k & SSL_kKRB5)
1947 { 2142 {
1948 krb5_error_code krb5rc; 2143 krb5_error_code krb5rc;
1949 krb5_data enc_ticket; 2144 krb5_data enc_ticket;
1950 krb5_data authenticator; 2145 krb5_data authenticator;
1951 krb5_data enc_pms; 2146 krb5_data enc_pms;
1952 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2147 KSSL_CTX *kssl_ctx = s->kssl_ctx;
1953 EVP_CIPHER_CTX ciph_ctx; 2148 EVP_CIPHER_CTX ciph_ctx;
1954 EVP_CIPHER *enc = NULL; 2149 const EVP_CIPHER *enc = NULL;
1955 unsigned char iv[EVP_MAX_IV_LENGTH]; 2150 unsigned char iv[EVP_MAX_IV_LENGTH];
1956 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2151 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
1957 + EVP_MAX_BLOCK_LENGTH]; 2152 + EVP_MAX_BLOCK_LENGTH];
1958 int padl, outl; 2153 int padl, outl;
1959 krb5_timestamp authtime = 0; 2154 krb5_timestamp authtime = 0;
1960 krb5_ticket_times ttimes; 2155 krb5_ticket_times ttimes;
1961 2156
1962 EVP_CIPHER_CTX_init(&ciph_ctx); 2157 EVP_CIPHER_CTX_init(&ciph_ctx);
1963 2158
1964 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2159 if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
1965 2160
1966 n2s(p,i); 2161 n2s(p,i);
1967 enc_ticket.length = i; 2162 enc_ticket.length = i;
1968 2163
1969 if (n < (int)enc_ticket.length + 6) 2164 if (n < (long)(enc_ticket.length + 6))
1970 { 2165 {
1971 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2166 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1972 SSL_R_DATA_LENGTH_TOO_LONG); 2167 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1979,7 +2174,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1979 n2s(p,i); 2174 n2s(p,i);
1980 authenticator.length = i; 2175 authenticator.length = i;
1981 2176
1982 if (n < (int)(enc_ticket.length + authenticator.length) + 6) 2177 if (n < (long)(enc_ticket.length + authenticator.length + 6))
1983 { 2178 {
1984 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2179 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1985 SSL_R_DATA_LENGTH_TOO_LONG); 2180 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -2012,19 +2207,19 @@ int ssl3_get_client_key_exchange(SSL *s)
2012 goto err; 2207 goto err;
2013 } 2208 }
2014 2209
2015 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2210 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2016 &kssl_err)) != 0) 2211 &kssl_err)) != 0)
2017 { 2212 {
2018#ifdef KSSL_DEBUG 2213#ifdef KSSL_DEBUG
2019 printf("kssl_sget_tkt rtn %d [%d]\n", 2214 printf("kssl_sget_tkt rtn %d [%d]\n",
2020 krb5rc, kssl_err.reason); 2215 krb5rc, kssl_err.reason);
2021 if (kssl_err.text) 2216 if (kssl_err.text)
2022 printf("kssl_err text= %s\n", kssl_err.text); 2217 printf("kssl_err text= %s\n", kssl_err.text);
2023#endif /* KSSL_DEBUG */ 2218#endif /* KSSL_DEBUG */
2024 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2025 kssl_err.reason); 2220 kssl_err.reason);
2026 goto err; 2221 goto err;
2027 } 2222 }
2028 2223
2029 /* Note: no authenticator is not considered an error, 2224 /* Note: no authenticator is not considered an error,
2030 ** but will return authtime == 0. 2225 ** but will return authtime == 0.
@@ -2033,29 +2228,29 @@ int ssl3_get_client_key_exchange(SSL *s)
2033 &authtime, &kssl_err)) != 0) 2228 &authtime, &kssl_err)) != 0)
2034 { 2229 {
2035#ifdef KSSL_DEBUG 2230#ifdef KSSL_DEBUG
2036 printf("kssl_check_authent rtn %d [%d]\n", 2231 printf("kssl_check_authent rtn %d [%d]\n",
2037 krb5rc, kssl_err.reason); 2232 krb5rc, kssl_err.reason);
2038 if (kssl_err.text) 2233 if (kssl_err.text)
2039 printf("kssl_err text= %s\n", kssl_err.text); 2234 printf("kssl_err text= %s\n", kssl_err.text);
2040#endif /* KSSL_DEBUG */ 2235#endif /* KSSL_DEBUG */
2041 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2236 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2042 kssl_err.reason); 2237 kssl_err.reason);
2043 goto err; 2238 goto err;
2044 } 2239 }
2045 2240
2046 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2241 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
2047 { 2242 {
2048 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2243 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2049 goto err; 2244 goto err;
2050 } 2245 }
2051 2246
2052#ifdef KSSL_DEBUG 2247#ifdef KSSL_DEBUG
2053 kssl_ctx_show(kssl_ctx); 2248 kssl_ctx_show(kssl_ctx);
2054#endif /* KSSL_DEBUG */ 2249#endif /* KSSL_DEBUG */
2055 2250
2056 enc = kssl_map_enc(kssl_ctx->enctype); 2251 enc = kssl_map_enc(kssl_ctx->enctype);
2057 if (enc == NULL) 2252 if (enc == NULL)
2058 goto err; 2253 goto err;
2059 2254
2060 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2255 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2061 2256
@@ -2102,7 +2297,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2102 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2297 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2103 */ 2298 */
2104 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2299 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
2105 { 2300 {
2106 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2107 SSL_AD_DECODE_ERROR); 2302 SSL_AD_DECODE_ERROR);
2108 goto err; 2303 goto err;
@@ -2111,32 +2306,32 @@ int ssl3_get_client_key_exchange(SSL *s)
2111 2306
2112 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2307 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2113 2308
2114 s->session->master_key_length= 2309 s->session->master_key_length=
2115 s->method->ssl3_enc->generate_master_secret(s, 2310 s->method->ssl3_enc->generate_master_secret(s,
2116 s->session->master_key, pms, outl); 2311 s->session->master_key, pms, outl);
2117 2312
2118 if (kssl_ctx->client_princ) 2313 if (kssl_ctx->client_princ)
2119 { 2314 {
2120 size_t len = strlen(kssl_ctx->client_princ); 2315 size_t len = strlen(kssl_ctx->client_princ);
2121 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2316 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
2122 { 2317 {
2123 s->session->krb5_client_princ_len = len; 2318 s->session->krb5_client_princ_len = len;
2124 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2319 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
2125 } 2320 }
2126 } 2321 }
2127 2322
2128 2323
2129 /* Was doing kssl_ctx_free() here, 2324 /* Was doing kssl_ctx_free() here,
2130 ** but it caused problems for apache. 2325 ** but it caused problems for apache.
2131 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2326 ** kssl_ctx = kssl_ctx_free(kssl_ctx);
2132 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2327 ** if (s->kssl_ctx) s->kssl_ctx = NULL;
2133 */ 2328 */
2134 } 2329 }
2135 else 2330 else
2136#endif /* OPENSSL_NO_KRB5 */ 2331#endif /* OPENSSL_NO_KRB5 */
2137 2332
2138#ifndef OPENSSL_NO_ECDH 2333#ifndef OPENSSL_NO_ECDH
2139 if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2334 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2140 { 2335 {
2141 int ret = 1; 2336 int ret = 1;
2142 int field_size = 0; 2337 int field_size = 0;
@@ -2144,18 +2339,18 @@ int ssl3_get_client_key_exchange(SSL *s)
2144 const EC_GROUP *group; 2339 const EC_GROUP *group;
2145 const BIGNUM *priv_key; 2340 const BIGNUM *priv_key;
2146 2341
2147 /* initialize structures for server's ECDH key pair */ 2342 /* initialize structures for server's ECDH key pair */
2148 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2343 if ((srvr_ecdh = EC_KEY_new()) == NULL)
2149 { 2344 {
2150 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2345 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2151 ERR_R_MALLOC_FAILURE); 2346 ERR_R_MALLOC_FAILURE);
2152 goto err; 2347 goto err;
2153 } 2348 }
2154 2349
2155 /* Let's get server private key and group information */ 2350 /* Let's get server private key and group information */
2156 if (l & SSL_kECDH) 2351 if (alg_k & (SSL_kECDHr|SSL_kECDHe))
2157 { 2352 {
2158 /* use the certificate */ 2353 /* use the certificate */
2159 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2354 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2160 } 2355 }
2161 else 2356 else
@@ -2185,20 +2380,20 @@ int ssl3_get_client_key_exchange(SSL *s)
2185 goto err; 2380 goto err;
2186 } 2381 }
2187 2382
2188 if (n == 0L) 2383 if (n == 0L)
2189 { 2384 {
2190 /* Client Publickey was in Client Certificate */ 2385 /* Client Publickey was in Client Certificate */
2191 2386
2192 if (l & SSL_kECDHE) 2387 if (alg_k & SSL_kEECDH)
2193 { 2388 {
2194 al=SSL_AD_HANDSHAKE_FAILURE; 2389 al=SSL_AD_HANDSHAKE_FAILURE;
2195 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2390 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
2196 goto f_err; 2391 goto f_err;
2197 } 2392 }
2198 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2393 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
2199 == NULL) || 2394 == NULL) ||
2200 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2395 (clnt_pub_pkey->type != EVP_PKEY_EC))
2201 { 2396 {
2202 /* XXX: For now, we do not support client 2397 /* XXX: For now, we do not support client
2203 * authentication using ECDH certificates 2398 * authentication using ECDH certificates
2204 * so this branch (n == 0L) of the code is 2399 * so this branch (n == 0L) of the code is
@@ -2210,11 +2405,11 @@ int ssl3_get_client_key_exchange(SSL *s)
2210 * the two ECDH shares are for the same 2405 * the two ECDH shares are for the same
2211 * group. 2406 * group.
2212 */ 2407 */
2213 al=SSL_AD_HANDSHAKE_FAILURE; 2408 al=SSL_AD_HANDSHAKE_FAILURE;
2214 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2409 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2215 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2410 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2216 goto f_err; 2411 goto f_err;
2217 } 2412 }
2218 2413
2219 if (EC_POINT_copy(clnt_ecpoint, 2414 if (EC_POINT_copy(clnt_ecpoint,
2220 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2415 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
@@ -2223,10 +2418,10 @@ int ssl3_get_client_key_exchange(SSL *s)
2223 ERR_R_EC_LIB); 2418 ERR_R_EC_LIB);
2224 goto err; 2419 goto err;
2225 } 2420 }
2226 ret = 2; /* Skip certificate verify processing */ 2421 ret = 2; /* Skip certificate verify processing */
2227 } 2422 }
2228 else 2423 else
2229 { 2424 {
2230 /* Get client's public key from encoded point 2425 /* Get client's public key from encoded point
2231 * in the ClientKeyExchange message. 2426 * in the ClientKeyExchange message.
2232 */ 2427 */
@@ -2237,21 +2432,21 @@ int ssl3_get_client_key_exchange(SSL *s)
2237 goto err; 2432 goto err;
2238 } 2433 }
2239 2434
2240 /* Get encoded point length */ 2435 /* Get encoded point length */
2241 i = *p; 2436 i = *p;
2242 p += 1; 2437 p += 1;
2243 if (EC_POINT_oct2point(group, 2438 if (EC_POINT_oct2point(group,
2244 clnt_ecpoint, p, i, bn_ctx) == 0) 2439 clnt_ecpoint, p, i, bn_ctx) == 0)
2245 { 2440 {
2246 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2441 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2247 ERR_R_EC_LIB); 2442 ERR_R_EC_LIB);
2248 goto err; 2443 goto err;
2249 } 2444 }
2250 /* p is pointing to somewhere in the buffer 2445 /* p is pointing to somewhere in the buffer
2251 * currently, so set it to the start 2446 * currently, so set it to the start
2252 */ 2447 */
2253 p=(unsigned char *)s->init_buf->data; 2448 p=(unsigned char *)s->init_buf->data;
2254 } 2449 }
2255 2450
2256 /* Compute the shared pre-master secret */ 2451 /* Compute the shared pre-master secret */
2257 field_size = EC_GROUP_get_degree(group); 2452 field_size = EC_GROUP_get_degree(group);
@@ -2262,28 +2457,190 @@ int ssl3_get_client_key_exchange(SSL *s)
2262 goto err; 2457 goto err;
2263 } 2458 }
2264 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2459 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2265 if (i <= 0) 2460 if (i <= 0)
2266 { 2461 {
2267 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2462 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2268 ERR_R_ECDH_LIB); 2463 ERR_R_ECDH_LIB);
2269 goto err; 2464 goto err;
2270 } 2465 }
2271 2466
2272 EVP_PKEY_free(clnt_pub_pkey); 2467 EVP_PKEY_free(clnt_pub_pkey);
2273 EC_POINT_free(clnt_ecpoint); 2468 EC_POINT_free(clnt_ecpoint);
2274 if (srvr_ecdh != NULL) 2469 EC_KEY_free(srvr_ecdh);
2275 EC_KEY_free(srvr_ecdh);
2276 BN_CTX_free(bn_ctx); 2470 BN_CTX_free(bn_ctx);
2471 EC_KEY_free(s->s3->tmp.ecdh);
2472 s->s3->tmp.ecdh = NULL;
2277 2473
2278 /* Compute the master secret */ 2474 /* Compute the master secret */
2279 s->session->master_key_length = s->method->ssl3_enc-> \ 2475 s->session->master_key_length = s->method->ssl3_enc-> \
2280 generate_master_secret(s, s->session->master_key, p, i); 2476 generate_master_secret(s, s->session->master_key, p, i);
2281 2477
2282 OPENSSL_cleanse(p, i); 2478 OPENSSL_cleanse(p, i);
2283 return (ret); 2479 return (ret);
2284 } 2480 }
2285 else 2481 else
2286#endif 2482#endif
2483#ifndef OPENSSL_NO_PSK
2484 if (alg_k & SSL_kPSK)
2485 {
2486 unsigned char *t = NULL;
2487 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
2488 unsigned int pre_ms_len = 0, psk_len = 0;
2489 int psk_err = 1;
2490 char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2491
2492 al=SSL_AD_HANDSHAKE_FAILURE;
2493
2494 n2s(p,i);
2495 if (n != i+2)
2496 {
2497 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2498 SSL_R_LENGTH_MISMATCH);
2499 goto psk_err;
2500 }
2501 if (i > PSK_MAX_IDENTITY_LEN)
2502 {
2503 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2504 SSL_R_DATA_LENGTH_TOO_LONG);
2505 goto psk_err;
2506 }
2507 if (s->psk_server_callback == NULL)
2508 {
2509 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2510 SSL_R_PSK_NO_SERVER_CB);
2511 goto psk_err;
2512 }
2513
2514 /* Create guaranteed NULL-terminated identity
2515 * string for the callback */
2516 memcpy(tmp_id, p, i);
2517 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
2518 psk_len = s->psk_server_callback(s, tmp_id,
2519 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2520 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1);
2521
2522 if (psk_len > PSK_MAX_PSK_LEN)
2523 {
2524 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2525 ERR_R_INTERNAL_ERROR);
2526 goto psk_err;
2527 }
2528 else if (psk_len == 0)
2529 {
2530 /* PSK related to the given identity not found */
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 SSL_R_PSK_IDENTITY_NOT_FOUND);
2533 al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2534 goto psk_err;
2535 }
2536
2537 /* create PSK pre_master_secret */
2538 pre_ms_len=2+psk_len+2+psk_len;
2539 t = psk_or_pre_ms;
2540 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
2541 s2n(psk_len, t);
2542 memset(t, 0, psk_len);
2543 t+=psk_len;
2544 s2n(psk_len, t);
2545
2546 if (s->session->psk_identity != NULL)
2547 OPENSSL_free(s->session->psk_identity);
2548 s->session->psk_identity = BUF_strdup((char *)p);
2549 if (s->session->psk_identity == NULL)
2550 {
2551 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2552 ERR_R_MALLOC_FAILURE);
2553 goto psk_err;
2554 }
2555
2556 if (s->session->psk_identity_hint != NULL)
2557 OPENSSL_free(s->session->psk_identity_hint);
2558 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2559 if (s->ctx->psk_identity_hint != NULL &&
2560 s->session->psk_identity_hint == NULL)
2561 {
2562 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2563 ERR_R_MALLOC_FAILURE);
2564 goto psk_err;
2565 }
2566
2567 s->session->master_key_length=
2568 s->method->ssl3_enc->generate_master_secret(s,
2569 s->session->master_key, psk_or_pre_ms, pre_ms_len);
2570 psk_err = 0;
2571 psk_err:
2572 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2573 if (psk_err != 0)
2574 goto f_err;
2575 }
2576 else
2577#endif
2578 if (alg_k & SSL_kGOST)
2579 {
2580 int ret = 0;
2581 EVP_PKEY_CTX *pkey_ctx;
2582 EVP_PKEY *client_pub_pkey = NULL;
2583 unsigned char premaster_secret[32], *start;
2584 size_t outlen=32, inlen;
2585
2586 /* Get our certificate private key*/
2587 pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);
2588 EVP_PKEY_decrypt_init(pkey_ctx);
2589 /* If client certificate is present and is of the same type, maybe
2590 * use it for key exchange. Don't mind errors from
2591 * EVP_PKEY_derive_set_peer, because it is completely valid to use
2592 * a client certificate for authorization only. */
2593 client_pub_pkey = X509_get_pubkey(s->session->peer);
2594 if (client_pub_pkey)
2595 {
2596 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2597 ERR_clear_error();
2598 }
2599 /* Decrypt session key */
2600 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED)))
2601 {
2602 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2603 goto gerr;
2604 }
2605 if (p[1] == 0x81)
2606 {
2607 start = p+3;
2608 inlen = p[2];
2609 }
2610 else if (p[1] < 0x80)
2611 {
2612 start = p+2;
2613 inlen = p[1];
2614 }
2615 else
2616 {
2617 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2618 goto gerr;
2619 }
2620 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0)
2621
2622 {
2623 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2624 goto gerr;
2625 }
2626 /* Generate master secret */
2627 s->session->master_key_length=
2628 s->method->ssl3_enc->generate_master_secret(s,
2629 s->session->master_key,premaster_secret,32);
2630 /* Check if pubkey from client certificate was used */
2631 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2632 ret = 2;
2633 else
2634 ret = 1;
2635 gerr:
2636 EVP_PKEY_free(client_pub_pkey);
2637 EVP_PKEY_CTX_free(pkey_ctx);
2638 if (ret)
2639 return ret;
2640 else
2641 goto err;
2642 }
2643 else
2287 { 2644 {
2288 al=SSL_AD_HANDSHAKE_FAILURE; 2645 al=SSL_AD_HANDSHAKE_FAILURE;
2289 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2646 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2373,15 +2730,25 @@ int ssl3_get_cert_verify(SSL *s)
2373 2730
2374 /* we now have a signature that we need to verify */ 2731 /* we now have a signature that we need to verify */
2375 p=(unsigned char *)s->init_msg; 2732 p=(unsigned char *)s->init_msg;
2376 n2s(p,i); 2733 /* Check for broken implementations of GOST ciphersuites */
2377 n-=2; 2734 /* If key is GOST and n is exactly 64, it is bare
2378 if (i > n) 2735 * signature without length field */
2736 if (n==64 && (pkey->type==NID_id_GostR3410_94 ||
2737 pkey->type == NID_id_GostR3410_2001) )
2379 { 2738 {
2380 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2739 i=64;
2381 al=SSL_AD_DECODE_ERROR; 2740 }
2382 goto f_err; 2741 else
2383 } 2742 {
2384 2743 n2s(p,i);
2744 n-=2;
2745 if (i > n)
2746 {
2747 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
2748 al=SSL_AD_DECODE_ERROR;
2749 goto f_err;
2750 }
2751 }
2385 j=EVP_PKEY_size(pkey); 2752 j=EVP_PKEY_size(pkey);
2386 if ((i > j) || (n > j) || (n <= 0)) 2753 if ((i > j) || (n > j) || (n <= 0))
2387 { 2754 {
@@ -2444,6 +2811,28 @@ int ssl3_get_cert_verify(SSL *s)
2444 } 2811 }
2445 else 2812 else
2446#endif 2813#endif
2814 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001)
2815 { unsigned char signature[64];
2816 int idx;
2817 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL);
2818 EVP_PKEY_verify_init(pctx);
2819 if (i!=64) {
2820 fprintf(stderr,"GOST signature length is %d",i);
2821 }
2822 for (idx=0;idx<64;idx++) {
2823 signature[63-idx]=p[idx];
2824 }
2825 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32);
2826 EVP_PKEY_CTX_free(pctx);
2827 if (j<=0)
2828 {
2829 al=SSL_AD_DECRYPT_ERROR;
2830 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2831 SSL_R_BAD_ECDSA_SIGNATURE);
2832 goto f_err;
2833 }
2834 }
2835 else
2447 { 2836 {
2448 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2837 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
2449 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2838 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
@@ -2626,14 +3015,15 @@ int ssl3_send_server_certificate(SSL *s)
2626 if (s->state == SSL3_ST_SW_CERT_A) 3015 if (s->state == SSL3_ST_SW_CERT_A)
2627 { 3016 {
2628 x=ssl_get_server_send_cert(s); 3017 x=ssl_get_server_send_cert(s);
2629 if (x == NULL && 3018 if (x == NULL)
2630 /* VRS: allow null cert if auth == KRB5 */
2631 (s->s3->tmp.new_cipher->algorithms
2632 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
2633 != (SSL_aKRB5|SSL_kKRB5))
2634 { 3019 {
2635 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 3020 /* VRS: allow null cert if auth == KRB5 */
2636 return(0); 3021 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
3022 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
3023 {
3024 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
3025 return(0);
3026 }
2637 } 3027 }
2638 3028
2639 l=ssl3_output_cert_chain(s,x); 3029 l=ssl3_output_cert_chain(s,x);
@@ -2645,70 +3035,6 @@ int ssl3_send_server_certificate(SSL *s)
2645 /* SSL3_ST_SW_CERT_B */ 3035 /* SSL3_ST_SW_CERT_B */
2646 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3036 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2647 } 3037 }
2648
2649
2650#ifndef OPENSSL_NO_ECDH
2651/* This is the complement of curve_id2nid in s3_clnt.c. */
2652static int nid2curve_id(int nid)
2653{
2654 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2655 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2656 switch (nid) {
2657 case NID_sect163k1: /* sect163k1 (1) */
2658 return 1;
2659 case NID_sect163r1: /* sect163r1 (2) */
2660 return 2;
2661 case NID_sect163r2: /* sect163r2 (3) */
2662 return 3;
2663 case NID_sect193r1: /* sect193r1 (4) */
2664 return 4;
2665 case NID_sect193r2: /* sect193r2 (5) */
2666 return 5;
2667 case NID_sect233k1: /* sect233k1 (6) */
2668 return 6;
2669 case NID_sect233r1: /* sect233r1 (7) */
2670 return 7;
2671 case NID_sect239k1: /* sect239k1 (8) */
2672 return 8;
2673 case NID_sect283k1: /* sect283k1 (9) */
2674 return 9;
2675 case NID_sect283r1: /* sect283r1 (10) */
2676 return 10;
2677 case NID_sect409k1: /* sect409k1 (11) */
2678 return 11;
2679 case NID_sect409r1: /* sect409r1 (12) */
2680 return 12;
2681 case NID_sect571k1: /* sect571k1 (13) */
2682 return 13;
2683 case NID_sect571r1: /* sect571r1 (14) */
2684 return 14;
2685 case NID_secp160k1: /* secp160k1 (15) */
2686 return 15;
2687 case NID_secp160r1: /* secp160r1 (16) */
2688 return 16;
2689 case NID_secp160r2: /* secp160r2 (17) */
2690 return 17;
2691 case NID_secp192k1: /* secp192k1 (18) */
2692 return 18;
2693 case NID_X9_62_prime192v1: /* secp192r1 (19) */
2694 return 19;
2695 case NID_secp224k1: /* secp224k1 (20) */
2696 return 20;
2697 case NID_secp224r1: /* secp224r1 (21) */
2698 return 21;
2699 case NID_secp256k1: /* secp256k1 (22) */
2700 return 22;
2701 case NID_X9_62_prime256v1: /* secp256r1 (23) */
2702 return 23;
2703 case NID_secp384r1: /* secp384r1 (24) */
2704 return 24;
2705 case NID_secp521r1: /* secp521r1 (25) */
2706 return 25;
2707 default:
2708 return 0;
2709 }
2710}
2711#endif
2712#ifndef OPENSSL_NO_TLSEXT 3038#ifndef OPENSSL_NO_TLSEXT
2713int ssl3_send_newsession_ticket(SSL *s) 3039int ssl3_send_newsession_ticket(SSL *s)
2714 { 3040 {
@@ -2719,6 +3045,7 @@ int ssl3_send_newsession_ticket(SSL *s)
2719 unsigned int hlen; 3045 unsigned int hlen;
2720 EVP_CIPHER_CTX ctx; 3046 EVP_CIPHER_CTX ctx;
2721 HMAC_CTX hctx; 3047 HMAC_CTX hctx;
3048 SSL_CTX *tctx = s->initial_ctx;
2722 unsigned char iv[EVP_MAX_IV_LENGTH]; 3049 unsigned char iv[EVP_MAX_IV_LENGTH];
2723 unsigned char key_name[16]; 3050 unsigned char key_name[16];
2724 3051
@@ -2757,9 +3084,9 @@ int ssl3_send_newsession_ticket(SSL *s)
2757 * it does all the work otherwise use generated values 3084 * it does all the work otherwise use generated values
2758 * from parent ctx. 3085 * from parent ctx.
2759 */ 3086 */
2760 if (s->ctx->tlsext_ticket_key_cb) 3087 if (tctx->tlsext_ticket_key_cb)
2761 { 3088 {
2762 if (s->ctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3089 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
2763 &hctx, 1) < 0) 3090 &hctx, 1) < 0)
2764 { 3091 {
2765 OPENSSL_free(senc); 3092 OPENSSL_free(senc);
@@ -2770,10 +3097,10 @@ int ssl3_send_newsession_ticket(SSL *s)
2770 { 3097 {
2771 RAND_pseudo_bytes(iv, 16); 3098 RAND_pseudo_bytes(iv, 16);
2772 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3099 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2773 s->ctx->tlsext_tick_aes_key, iv); 3100 tctx->tlsext_tick_aes_key, iv);
2774 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16, 3101 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2775 tlsext_tick_md(), NULL); 3102 tlsext_tick_md(), NULL);
2776 memcpy(key_name, s->ctx->tlsext_tick_key_name, 16); 3103 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
2777 } 3104 }
2778 l2n(s->session->tlsext_tick_lifetime_hint, p); 3105 l2n(s->session->tlsext_tick_lifetime_hint, p);
2779 /* Skip ticket length for now */ 3106 /* Skip ticket length for now */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-03 17:45:29 +0000