summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
authordjm <>2008-09-06 12:15:56 +0000
committerdjm <>2008-09-06 12:15:56 +0000
commit5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80 (patch)
treeaba68249883aa9d2361d92eef69a81d0c4961732 /src/lib/libssl/s3_srvr.c
parentf6198d4d0ab97685dc56be2d48715ed39fcc74b9 (diff)
downloadopenbsd-5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80.tar.gz
openbsd-5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80.tar.bz2
openbsd-5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80.zip
import of OpenSSL 0.9.8h
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c937
1 files changed, 846 insertions, 91 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 36fc39d7f8..903522ab59 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -108,11 +108,23 @@
108 * Hudson (tjh@cryptsoft.com). 108 * Hudson (tjh@cryptsoft.com).
109 * 109 *
110 */ 110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
111 124
112#define REUSE_CIPHER_BUG 125#define REUSE_CIPHER_BUG
113#define NETSCAPE_HANG_BUG 126#define NETSCAPE_HANG_BUG
114 127
115
116#include <stdio.h> 128#include <stdio.h>
117#include "ssl_locl.h" 129#include "ssl_locl.h"
118#include "kssl_lcl.h" 130#include "kssl_lcl.h"
@@ -120,24 +132,21 @@
120#include <openssl/rand.h> 132#include <openssl/rand.h>
121#include <openssl/objects.h> 133#include <openssl/objects.h>
122#include <openssl/evp.h> 134#include <openssl/evp.h>
135#include <openssl/hmac.h>
123#include <openssl/x509.h> 136#include <openssl/x509.h>
137#ifndef OPENSSL_NO_DH
138#include <openssl/dh.h>
139#endif
140#include <openssl/bn.h>
124#ifndef OPENSSL_NO_KRB5 141#ifndef OPENSSL_NO_KRB5
125#include <openssl/krb5_asn.h> 142#include <openssl/krb5_asn.h>
126#endif 143#endif
127#include <openssl/md5.h> 144#include <openssl/md5.h>
128#include <openssl/fips.h>
129 145
130static SSL_METHOD *ssl3_get_server_method(int ver); 146static SSL_METHOD *ssl3_get_server_method(int ver);
131static int ssl3_get_client_hello(SSL *s); 147#ifndef OPENSSL_NO_ECDH
132static int ssl3_check_client_hello(SSL *s); 148static int nid2curve_id(int nid);
133static int ssl3_send_server_hello(SSL *s); 149#endif
134static int ssl3_send_server_key_exchange(SSL *s);
135static int ssl3_send_certificate_request(SSL *s);
136static int ssl3_send_server_done(SSL *s);
137static int ssl3_get_client_key_exchange(SSL *s);
138static int ssl3_get_client_certificate(SSL *s);
139static int ssl3_get_cert_verify(SSL *s);
140static int ssl3_send_hello_request(SSL *s);
141 150
142static SSL_METHOD *ssl3_get_server_method(int ver) 151static SSL_METHOD *ssl3_get_server_method(int ver)
143 { 152 {
@@ -147,28 +156,10 @@ static SSL_METHOD *ssl3_get_server_method(int ver)
147 return(NULL); 156 return(NULL);
148 } 157 }
149 158
150SSL_METHOD *SSLv3_server_method(void) 159IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
151 { 160 ssl3_accept,
152 static int init=1; 161 ssl_undefined_function,
153 static SSL_METHOD SSLv3_server_data; 162 ssl3_get_server_method)
154
155 if (init)
156 {
157 CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
158
159 if (init)
160 {
161 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
162 sizeof(SSL_METHOD));
163 SSLv3_server_data.ssl_accept=ssl3_accept;
164 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
165 init=0;
166 }
167
168 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
169 }
170 return(&SSLv3_server_data);
171 }
172 163
173int ssl3_accept(SSL *s) 164int ssl3_accept(SSL *s)
174 { 165 {
@@ -299,9 +290,18 @@ int ssl3_accept(SSL *s)
299 case SSL3_ST_SW_SRVR_HELLO_B: 290 case SSL3_ST_SW_SRVR_HELLO_B:
300 ret=ssl3_send_server_hello(s); 291 ret=ssl3_send_server_hello(s);
301 if (ret <= 0) goto end; 292 if (ret <= 0) goto end;
302 293#ifndef OPENSSL_NO_TLSEXT
303 if (s->hit) 294 if (s->hit)
304 s->state=SSL3_ST_SW_CHANGE_A; 295 {
296 if (s->tlsext_ticket_expected)
297 s->state=SSL3_ST_SW_SESSION_TICKET_A;
298 else
299 s->state=SSL3_ST_SW_CHANGE_A;
300 }
301#else
302 if (s->hit)
303 s->state=SSL3_ST_SW_CHANGE_A;
304#endif
305 else 305 else
306 s->state=SSL3_ST_SW_CERT_A; 306 s->state=SSL3_ST_SW_CERT_A;
307 s->init_num=0; 307 s->init_num=0;
@@ -309,15 +309,30 @@ int ssl3_accept(SSL *s)
309 309
310 case SSL3_ST_SW_CERT_A: 310 case SSL3_ST_SW_CERT_A:
311 case SSL3_ST_SW_CERT_B: 311 case SSL3_ST_SW_CERT_B:
312 /* Check if it is anon DH */ 312 /* Check if it is anon DH or anon ECDH or KRB5 */
313 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 313 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
314 && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
314 { 315 {
315 ret=ssl3_send_server_certificate(s); 316 ret=ssl3_send_server_certificate(s);
316 if (ret <= 0) goto end; 317 if (ret <= 0) goto end;
318#ifndef OPENSSL_NO_TLSEXT
319 if (s->tlsext_status_expected)
320 s->state=SSL3_ST_SW_CERT_STATUS_A;
321 else
322 s->state=SSL3_ST_SW_KEY_EXCH_A;
323 }
324 else
325 {
326 skip = 1;
327 s->state=SSL3_ST_SW_KEY_EXCH_A;
328 }
329#else
317 } 330 }
318 else 331 else
319 skip=1; 332 skip=1;
333
320 s->state=SSL3_ST_SW_KEY_EXCH_A; 334 s->state=SSL3_ST_SW_KEY_EXCH_A;
335#endif
321 s->init_num=0; 336 s->init_num=0;
322 break; 337 break;
323 338
@@ -340,9 +355,18 @@ int ssl3_accept(SSL *s)
340 else 355 else
341 s->s3->tmp.use_rsa_tmp=0; 356 s->s3->tmp.use_rsa_tmp=0;
342 357
358
343 /* only send if a DH key exchange, fortezza or 359 /* only send if a DH key exchange, fortezza or
344 * RSA but we have a sign only certificate */ 360 * RSA but we have a sign only certificate
361 *
362 * For ECC ciphersuites, we send a serverKeyExchange
363 * message only if the cipher suite is either
364 * ECDH-anon or ECDHE. In other cases, the
365 * server certificate contains the server's
366 * public key for key exchange.
367 */
345 if (s->s3->tmp.use_rsa_tmp 368 if (s->s3->tmp.use_rsa_tmp
369 || (l & SSL_kECDHE)
346 || (l & (SSL_DH|SSL_kFZA)) 370 || (l & (SSL_DH|SSL_kFZA))
347 || ((l & SSL_kRSA) 371 || ((l & SSL_kRSA)
348 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 372 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
@@ -446,19 +470,33 @@ int ssl3_accept(SSL *s)
446 case SSL3_ST_SR_KEY_EXCH_A: 470 case SSL3_ST_SR_KEY_EXCH_A:
447 case SSL3_ST_SR_KEY_EXCH_B: 471 case SSL3_ST_SR_KEY_EXCH_B:
448 ret=ssl3_get_client_key_exchange(s); 472 ret=ssl3_get_client_key_exchange(s);
449 if (ret <= 0) goto end; 473 if (ret <= 0)
450 s->state=SSL3_ST_SR_CERT_VRFY_A; 474 goto end;
451 s->init_num=0; 475 if (ret == 2)
452 476 {
453 /* We need to get hashes here so if there is 477 /* For the ECDH ciphersuites when
454 * a client cert, it can be verified */ 478 * the client sends its ECDH pub key in
455 s->method->ssl3_enc->cert_verify_mac(s, 479 * a certificate, the CertificateVerify
456 &(s->s3->finish_dgst1), 480 * message is not sent.
457 &(s->s3->tmp.cert_verify_md[0])); 481 */
458 s->method->ssl3_enc->cert_verify_mac(s, 482 s->state=SSL3_ST_SR_FINISHED_A;
459 &(s->s3->finish_dgst2), 483 s->init_num = 0;
460 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 484 }
485 else
486 {
487 s->state=SSL3_ST_SR_CERT_VRFY_A;
488 s->init_num=0;
461 489
490 /* We need to get hashes here so if there is
491 * a client cert, it can be verified
492 */
493 s->method->ssl3_enc->cert_verify_mac(s,
494 &(s->s3->finish_dgst1),
495 &(s->s3->tmp.cert_verify_md[0]));
496 s->method->ssl3_enc->cert_verify_mac(s,
497 &(s->s3->finish_dgst2),
498 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
499 }
462 break; 500 break;
463 501
464 case SSL3_ST_SR_CERT_VRFY_A: 502 case SSL3_ST_SR_CERT_VRFY_A:
@@ -479,11 +517,34 @@ int ssl3_accept(SSL *s)
479 if (ret <= 0) goto end; 517 if (ret <= 0) goto end;
480 if (s->hit) 518 if (s->hit)
481 s->state=SSL_ST_OK; 519 s->state=SSL_ST_OK;
520#ifndef OPENSSL_NO_TLSEXT
521 else if (s->tlsext_ticket_expected)
522 s->state=SSL3_ST_SW_SESSION_TICKET_A;
523#endif
482 else 524 else
483 s->state=SSL3_ST_SW_CHANGE_A; 525 s->state=SSL3_ST_SW_CHANGE_A;
484 s->init_num=0; 526 s->init_num=0;
485 break; 527 break;
486 528
529#ifndef OPENSSL_NO_TLSEXT
530 case SSL3_ST_SW_SESSION_TICKET_A:
531 case SSL3_ST_SW_SESSION_TICKET_B:
532 ret=ssl3_send_newsession_ticket(s);
533 if (ret <= 0) goto end;
534 s->state=SSL3_ST_SW_CHANGE_A;
535 s->init_num=0;
536 break;
537
538 case SSL3_ST_SW_CERT_STATUS_A:
539 case SSL3_ST_SW_CERT_STATUS_B:
540 ret=ssl3_send_cert_status(s);
541 if (ret <= 0) goto end;
542 s->state=SSL3_ST_SW_KEY_EXCH_A;
543 s->init_num=0;
544 break;
545
546#endif
547
487 case SSL3_ST_SW_CHANGE_A: 548 case SSL3_ST_SW_CHANGE_A:
488 case SSL3_ST_SW_CHANGE_B: 549 case SSL3_ST_SW_CHANGE_B:
489 550
@@ -589,7 +650,7 @@ end:
589 return(ret); 650 return(ret);
590 } 651 }
591 652
592static int ssl3_send_hello_request(SSL *s) 653int ssl3_send_hello_request(SSL *s)
593 { 654 {
594 unsigned char *p; 655 unsigned char *p;
595 656
@@ -611,14 +672,14 @@ static int ssl3_send_hello_request(SSL *s)
611 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 672 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
612 } 673 }
613 674
614static int ssl3_check_client_hello(SSL *s) 675int ssl3_check_client_hello(SSL *s)
615 { 676 {
616 int ok; 677 int ok;
617 long n; 678 long n;
618 679
619 /* this function is called when we really expect a Certificate message, 680 /* this function is called when we really expect a Certificate message,
620 * so permit appropriate message length */ 681 * so permit appropriate message length */
621 n=ssl3_get_message(s, 682 n=s->method->ssl_get_message(s,
622 SSL3_ST_SR_CERT_A, 683 SSL3_ST_SR_CERT_A,
623 SSL3_ST_SR_CERT_B, 684 SSL3_ST_SR_CERT_B,
624 -1, 685 -1,
@@ -644,14 +705,17 @@ static int ssl3_check_client_hello(SSL *s)
644 return 1; 705 return 1;
645} 706}
646 707
647static int ssl3_get_client_hello(SSL *s) 708int ssl3_get_client_hello(SSL *s)
648 { 709 {
649 int i,j,ok,al,ret= -1; 710 int i,j,ok,al,ret= -1;
711 unsigned int cookie_len;
650 long n; 712 long n;
651 unsigned long id; 713 unsigned long id;
652 unsigned char *p,*d,*q; 714 unsigned char *p,*d,*q;
653 SSL_CIPHER *c; 715 SSL_CIPHER *c;
716#ifndef OPENSSL_NO_COMP
654 SSL_COMP *comp=NULL; 717 SSL_COMP *comp=NULL;
718#endif
655 STACK_OF(SSL_CIPHER) *ciphers=NULL; 719 STACK_OF(SSL_CIPHER) *ciphers=NULL;
656 720
657 /* We do this so that we will respond with our native type. 721 /* We do this so that we will respond with our native type.
@@ -662,10 +726,10 @@ static int ssl3_get_client_hello(SSL *s)
662 */ 726 */
663 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 727 if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
664 { 728 {
665 s->first_packet=1;
666 s->state=SSL3_ST_SR_CLNT_HELLO_B; 729 s->state=SSL3_ST_SR_CLNT_HELLO_B;
667 } 730 }
668 n=ssl3_get_message(s, 731 s->first_packet=1;
732 n=s->method->ssl_get_message(s,
669 SSL3_ST_SR_CLNT_HELLO_B, 733 SSL3_ST_SR_CLNT_HELLO_B,
670 SSL3_ST_SR_CLNT_HELLO_C, 734 SSL3_ST_SR_CLNT_HELLO_C,
671 SSL3_MT_CLIENT_HELLO, 735 SSL3_MT_CLIENT_HELLO,
@@ -673,6 +737,7 @@ static int ssl3_get_client_hello(SSL *s)
673 &ok); 737 &ok);
674 738
675 if (!ok) return((int)n); 739 if (!ok) return((int)n);
740 s->first_packet=0;
676 d=p=(unsigned char *)s->init_msg; 741 d=p=(unsigned char *)s->init_msg;
677 742
678 /* use version from inside client hello, not from record header 743 /* use version from inside client hello, not from record header
@@ -680,7 +745,8 @@ static int ssl3_get_client_hello(SSL *s)
680 s->client_version=(((int)p[0])<<8)|(int)p[1]; 745 s->client_version=(((int)p[0])<<8)|(int)p[1];
681 p+=2; 746 p+=2;
682 747
683 if (s->client_version < s->version) 748 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
749 (s->version != DTLS1_VERSION && s->client_version < s->version))
684 { 750 {
685 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 751 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
686 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 752 if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
@@ -708,14 +774,14 @@ static int ssl3_get_client_hello(SSL *s)
708 * might be written that become totally unsecure when compiled with 774 * might be written that become totally unsecure when compiled with
709 * an earlier library version) 775 * an earlier library version)
710 */ 776 */
711 if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 777 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
712 { 778 {
713 if (!ssl_get_new_session(s,1)) 779 if (!ssl_get_new_session(s,1))
714 goto err; 780 goto err;
715 } 781 }
716 else 782 else
717 { 783 {
718 i=ssl_get_prev_session(s,p,j); 784 i=ssl_get_prev_session(s, p, j, d + n);
719 if (i == 1) 785 if (i == 1)
720 { /* previous session */ 786 { /* previous session */
721 s->hit=1; 787 s->hit=1;
@@ -730,6 +796,68 @@ static int ssl3_get_client_hello(SSL *s)
730 } 796 }
731 797
732 p+=j; 798 p+=j;
799
800 if (s->version == DTLS1_VERSION)
801 {
802 /* cookie stuff */
803 cookie_len = *(p++);
804
805 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
806 s->d1->send_cookie == 0)
807 {
808 /* HelloVerifyMessage has already been sent */
809 if ( cookie_len != s->d1->cookie_len)
810 {
811 al = SSL_AD_HANDSHAKE_FAILURE;
812 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
813 goto f_err;
814 }
815 }
816
817 /*
818 * The ClientHello may contain a cookie even if the
819 * HelloVerify message has not been sent--make sure that it
820 * does not cause an overflow.
821 */
822 if ( cookie_len > sizeof(s->d1->rcvd_cookie))
823 {
824 /* too much data */
825 al = SSL_AD_DECODE_ERROR;
826 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
827 goto f_err;
828 }
829
830 /* verify the cookie if appropriate option is set. */
831 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
832 cookie_len > 0)
833 {
834 memcpy(s->d1->rcvd_cookie, p, cookie_len);
835
836 if ( s->ctx->app_verify_cookie_cb != NULL)
837 {
838 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
839 cookie_len) == 0)
840 {
841 al=SSL_AD_HANDSHAKE_FAILURE;
842 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
843 SSL_R_COOKIE_MISMATCH);
844 goto f_err;
845 }
846 /* else cookie verification succeeded */
847 }
848 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
849 s->d1->cookie_len) != 0) /* default verification */
850 {
851 al=SSL_AD_HANDSHAKE_FAILURE;
852 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
853 SSL_R_COOKIE_MISMATCH);
854 goto f_err;
855 }
856 }
857
858 p += cookie_len;
859 }
860
733 n2s(p,i); 861 n2s(p,i);
734 if ((i == 0) && (j != 0)) 862 if ((i == 0) && (j != 0))
735 { 863 {
@@ -779,8 +907,7 @@ static int ssl3_get_client_hello(SSL *s)
779 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 907 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
780 { 908 {
781 /* Very bad for multi-threading.... */ 909 /* Very bad for multi-threading.... */
782 s->session->cipher=sk_SSL_CIPHER_value(ciphers, 910 s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
783 0);
784 } 911 }
785 else 912 else
786 { 913 {
@@ -817,10 +944,27 @@ static int ssl3_get_client_hello(SSL *s)
817 goto f_err; 944 goto f_err;
818 } 945 }
819 946
947#ifndef OPENSSL_NO_TLSEXT
948 /* TLS extensions*/
949 if (s->version > SSL3_VERSION)
950 {
951 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
952 {
953 /* 'al' set by ssl_parse_clienthello_tlsext */
954 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
955 goto f_err;
956 }
957 }
958 if (ssl_check_clienthello_tlsext(s) <= 0) {
959 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
960 goto err;
961 }
962#endif
820 /* Worst case, we will use the NULL compression, but if we have other 963 /* Worst case, we will use the NULL compression, but if we have other
821 * options, we will now look for them. We have i-1 compression 964 * options, we will now look for them. We have i-1 compression
822 * algorithms from the client, starting at q. */ 965 * algorithms from the client, starting at q. */
823 s->s3->tmp.new_compression=NULL; 966 s->s3->tmp.new_compression=NULL;
967#ifndef OPENSSL_NO_COMP
824 if (s->ctx->comp_methods != NULL) 968 if (s->ctx->comp_methods != NULL)
825 { /* See if we have a match */ 969 { /* See if we have a match */
826 int m,nn,o,v,done=0; 970 int m,nn,o,v,done=0;
@@ -845,6 +989,7 @@ static int ssl3_get_client_hello(SSL *s)
845 else 989 else
846 comp=NULL; 990 comp=NULL;
847 } 991 }
992#endif
848 993
849 /* TLS does not mind if there is extra stuff */ 994 /* TLS does not mind if there is extra stuff */
850#if 0 /* SSL 3.0 does not mind either, so we should disable this test 995#if 0 /* SSL 3.0 does not mind either, so we should disable this test
@@ -868,7 +1013,11 @@ static int ssl3_get_client_hello(SSL *s)
868 1013
869 if (!s->hit) 1014 if (!s->hit)
870 { 1015 {
1016#ifdef OPENSSL_NO_COMP
1017 s->session->compress_meth=0;
1018#else
871 s->session->compress_meth=(comp == NULL)?0:comp->id; 1019 s->session->compress_meth=(comp == NULL)?0:comp->id;
1020#endif
872 if (s->session->ciphers != NULL) 1021 if (s->session->ciphers != NULL)
873 sk_SSL_CIPHER_free(s->session->ciphers); 1022 sk_SSL_CIPHER_free(s->session->ciphers);
874 s->session->ciphers=ciphers; 1023 s->session->ciphers=ciphers;
@@ -943,7 +1092,7 @@ err:
943 return(ret); 1092 return(ret);
944 } 1093 }
945 1094
946static int ssl3_send_server_hello(SSL *s) 1095int ssl3_send_server_hello(SSL *s)
947 { 1096 {
948 unsigned char *buf; 1097 unsigned char *buf;
949 unsigned char *p,*d; 1098 unsigned char *p,*d;
@@ -956,7 +1105,7 @@ static int ssl3_send_server_hello(SSL *s)
956 p=s->s3->server_random; 1105 p=s->s3->server_random;
957 Time=(unsigned long)time(NULL); /* Time */ 1106 Time=(unsigned long)time(NULL); /* Time */
958 l2n(Time,p); 1107 l2n(Time,p);
959 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1108 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
960 return -1; 1109 return -1;
961 /* Do the message type and length last */ 1110 /* Do the message type and length last */
962 d=p= &(buf[4]); 1111 d=p= &(buf[4]);
@@ -975,12 +1124,20 @@ static int ssl3_send_server_hello(SSL *s)
975 * session-id if we want it to be single use. 1124 * session-id if we want it to be single use.
976 * Currently I will not implement the '0' length session-id 1125 * Currently I will not implement the '0' length session-id
977 * 12-Jan-98 - I'll now support the '0' length stuff. 1126 * 12-Jan-98 - I'll now support the '0' length stuff.
1127 *
1128 * We also have an additional case where stateless session
1129 * resumption is successful: we always send back the old
1130 * session id. In this case s->hit is non zero: this can
1131 * only happen if stateless session resumption is succesful
1132 * if session caching is disabled so existing functionality
1133 * is unaffected.
978 */ 1134 */
979 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) 1135 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1136 && !s->hit)
980 s->session->session_id_length=0; 1137 s->session->session_id_length=0;
981 1138
982 sl=s->session->session_id_length; 1139 sl=s->session->session_id_length;
983 if (sl > sizeof s->session->session_id) 1140 if (sl > (int)sizeof(s->session->session_id))
984 { 1141 {
985 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1142 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
986 return -1; 1143 return -1;
@@ -994,11 +1151,21 @@ static int ssl3_send_server_hello(SSL *s)
994 p+=i; 1151 p+=i;
995 1152
996 /* put the compression method */ 1153 /* put the compression method */
1154#ifdef OPENSSL_NO_COMP
1155 *(p++)=0;
1156#else
997 if (s->s3->tmp.new_compression == NULL) 1157 if (s->s3->tmp.new_compression == NULL)
998 *(p++)=0; 1158 *(p++)=0;
999 else 1159 else
1000 *(p++)=s->s3->tmp.new_compression->id; 1160 *(p++)=s->s3->tmp.new_compression->id;
1001 1161#endif
1162#ifndef OPENSSL_NO_TLSEXT
1163 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
1164 {
1165 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
1166 return -1;
1167 }
1168#endif
1002 /* do the header */ 1169 /* do the header */
1003 l=(p-d); 1170 l=(p-d);
1004 d=buf; 1171 d=buf;
@@ -1015,7 +1182,7 @@ static int ssl3_send_server_hello(SSL *s)
1015 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1182 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1016 } 1183 }
1017 1184
1018static int ssl3_send_server_done(SSL *s) 1185int ssl3_send_server_done(SSL *s)
1019 { 1186 {
1020 unsigned char *p; 1187 unsigned char *p;
1021 1188
@@ -1039,7 +1206,7 @@ static int ssl3_send_server_done(SSL *s)
1039 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1206 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1040 } 1207 }
1041 1208
1042static int ssl3_send_server_key_exchange(SSL *s) 1209int ssl3_send_server_key_exchange(SSL *s)
1043 { 1210 {
1044#ifndef OPENSSL_NO_RSA 1211#ifndef OPENSSL_NO_RSA
1045 unsigned char *q; 1212 unsigned char *q;
@@ -1051,6 +1218,13 @@ static int ssl3_send_server_key_exchange(SSL *s)
1051#ifndef OPENSSL_NO_DH 1218#ifndef OPENSSL_NO_DH
1052 DH *dh=NULL,*dhp; 1219 DH *dh=NULL,*dhp;
1053#endif 1220#endif
1221#ifndef OPENSSL_NO_ECDH
1222 EC_KEY *ecdh=NULL, *ecdhp;
1223 unsigned char *encodedPoint = NULL;
1224 int encodedlen = 0;
1225 int curve_id = 0;
1226 BN_CTX *bn_ctx = NULL;
1227#endif
1054 EVP_PKEY *pkey; 1228 EVP_PKEY *pkey;
1055 unsigned char *p,*d; 1229 unsigned char *p,*d;
1056 int al,i; 1230 int al,i;
@@ -1159,6 +1333,134 @@ static int ssl3_send_server_key_exchange(SSL *s)
1159 } 1333 }
1160 else 1334 else
1161#endif 1335#endif
1336#ifndef OPENSSL_NO_ECDH
1337 if (type & SSL_kECDHE)
1338 {
1339 const EC_GROUP *group;
1340
1341 ecdhp=cert->ecdh_tmp;
1342 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
1343 {
1344 ecdhp=s->cert->ecdh_tmp_cb(s,
1345 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1346 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1347 }
1348 if (ecdhp == NULL)
1349 {
1350 al=SSL_AD_HANDSHAKE_FAILURE;
1351 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
1352 goto f_err;
1353 }
1354
1355 if (s->s3->tmp.ecdh != NULL)
1356 {
1357 EC_KEY_free(s->s3->tmp.ecdh);
1358 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1359 goto err;
1360 }
1361
1362 /* Duplicate the ECDH structure. */
1363 if (ecdhp == NULL)
1364 {
1365 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1366 goto err;
1367 }
1368 if (!EC_KEY_up_ref(ecdhp))
1369 {
1370 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1371 goto err;
1372 }
1373 ecdh = ecdhp;
1374
1375 s->s3->tmp.ecdh=ecdh;
1376 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1377 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1378 (s->options & SSL_OP_SINGLE_ECDH_USE))
1379 {
1380 if(!EC_KEY_generate_key(ecdh))
1381 {
1382 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1383 goto err;
1384 }
1385 }
1386
1387 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1388 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1389 (EC_KEY_get0_private_key(ecdh) == NULL))
1390 {
1391 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1392 goto err;
1393 }
1394
1395 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1396 (EC_GROUP_get_degree(group) > 163))
1397 {
1398 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1399 goto err;
1400 }
1401
1402 /* XXX: For now, we only support ephemeral ECDH
1403 * keys over named (not generic) curves. For
1404 * supported named curves, curve_id is non-zero.
1405 */
1406 if ((curve_id =
1407 nid2curve_id(EC_GROUP_get_curve_name(group)))
1408 == 0)
1409 {
1410 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1411 goto err;
1412 }
1413
1414 /* Encode the public key.
1415 * First check the size of encoding and
1416 * allocate memory accordingly.
1417 */
1418 encodedlen = EC_POINT_point2oct(group,
1419 EC_KEY_get0_public_key(ecdh),
1420 POINT_CONVERSION_UNCOMPRESSED,
1421 NULL, 0, NULL);
1422
1423 encodedPoint = (unsigned char *)
1424 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1425 bn_ctx = BN_CTX_new();
1426 if ((encodedPoint == NULL) || (bn_ctx == NULL))
1427 {
1428 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1429 goto err;
1430 }
1431
1432
1433 encodedlen = EC_POINT_point2oct(group,
1434 EC_KEY_get0_public_key(ecdh),
1435 POINT_CONVERSION_UNCOMPRESSED,
1436 encodedPoint, encodedlen, bn_ctx);
1437
1438 if (encodedlen == 0)
1439 {
1440 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1441 goto err;
1442 }
1443
1444 BN_CTX_free(bn_ctx); bn_ctx=NULL;
1445
1446 /* XXX: For now, we only support named (not
1447 * generic) curves in ECDH ephemeral key exchanges.
1448 * In this situation, we need four additional bytes
1449 * to encode the entire ServerECDHParams
1450 * structure.
1451 */
1452 n = 4 + encodedlen;
1453
1454 /* We'll generate the serverKeyExchange message
1455 * explicitly so we can set these to NULLs
1456 */
1457 r[0]=NULL;
1458 r[1]=NULL;
1459 r[2]=NULL;
1460 r[3]=NULL;
1461 }
1462 else
1463#endif /* !OPENSSL_NO_ECDH */
1162 { 1464 {
1163 al=SSL_AD_HANDSHAKE_FAILURE; 1465 al=SSL_AD_HANDSHAKE_FAILURE;
1164 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1466 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1201,6 +1503,31 @@ static int ssl3_send_server_key_exchange(SSL *s)
1201 p+=nr[i]; 1503 p+=nr[i];
1202 } 1504 }
1203 1505
1506#ifndef OPENSSL_NO_ECDH
1507 if (type & SSL_kECDHE)
1508 {
1509 /* XXX: For now, we only support named (not generic) curves.
1510 * In this situation, the serverKeyExchange message has:
1511 * [1 byte CurveType], [2 byte CurveName]
1512 * [1 byte length of encoded point], followed by
1513 * the actual encoded point itself
1514 */
1515 *p = NAMED_CURVE_TYPE;
1516 p += 1;
1517 *p = 0;
1518 p += 1;
1519 *p = curve_id;
1520 p += 1;
1521 *p = encodedlen;
1522 p += 1;
1523 memcpy((unsigned char*)p,
1524 (unsigned char *)encodedPoint,
1525 encodedlen);
1526 OPENSSL_free(encodedPoint);
1527 p += encodedlen;
1528 }
1529#endif
1530
1204 /* not anonymous */ 1531 /* not anonymous */
1205 if (pkey != NULL) 1532 if (pkey != NULL)
1206 { 1533 {
@@ -1213,8 +1540,6 @@ static int ssl3_send_server_key_exchange(SSL *s)
1213 j=0; 1540 j=0;
1214 for (num=2; num > 0; num--) 1541 for (num=2; num > 0; num--)
1215 { 1542 {
1216 EVP_MD_CTX_set_flags(&md_ctx,
1217 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1218 EVP_DigestInit_ex(&md_ctx,(num == 2) 1543 EVP_DigestInit_ex(&md_ctx,(num == 2)
1219 ?s->ctx->md5:s->ctx->sha1, NULL); 1544 ?s->ctx->md5:s->ctx->sha1, NULL);
1220 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1545 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1255,6 +1580,25 @@ static int ssl3_send_server_key_exchange(SSL *s)
1255 } 1580 }
1256 else 1581 else
1257#endif 1582#endif
1583#if !defined(OPENSSL_NO_ECDSA)
1584 if (pkey->type == EVP_PKEY_EC)
1585 {
1586 /* let's do ECDSA */
1587 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1588 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1589 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1590 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1591 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1592 (unsigned int *)&i,pkey))
1593 {
1594 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
1595 goto err;
1596 }
1597 s2n(i,p);
1598 n+=i+2;
1599 }
1600 else
1601#endif
1258 { 1602 {
1259 /* Is this error check actually needed? */ 1603 /* Is this error check actually needed? */
1260 al=SSL_AD_HANDSHAKE_FAILURE; 1604 al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1278,11 +1622,15 @@ static int ssl3_send_server_key_exchange(SSL *s)
1278f_err: 1622f_err:
1279 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1623 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1280err: 1624err:
1625#ifndef OPENSSL_NO_ECDH
1626 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
1627 BN_CTX_free(bn_ctx);
1628#endif
1281 EVP_MD_CTX_cleanup(&md_ctx); 1629 EVP_MD_CTX_cleanup(&md_ctx);
1282 return(-1); 1630 return(-1);
1283 } 1631 }
1284 1632
1285static int ssl3_send_certificate_request(SSL *s) 1633int ssl3_send_certificate_request(SSL *s)
1286 { 1634 {
1287 unsigned char *p,*d; 1635 unsigned char *p,*d;
1288 int i,j,nl,off,n; 1636 int i,j,nl,off,n;
@@ -1371,7 +1719,7 @@ err:
1371 return(-1); 1719 return(-1);
1372 } 1720 }
1373 1721
1374static int ssl3_get_client_key_exchange(SSL *s) 1722int ssl3_get_client_key_exchange(SSL *s)
1375 { 1723 {
1376 int i,al,ok; 1724 int i,al,ok;
1377 long n; 1725 long n;
@@ -1389,7 +1737,14 @@ static int ssl3_get_client_key_exchange(SSL *s)
1389 KSSL_ERR kssl_err; 1737 KSSL_ERR kssl_err;
1390#endif /* OPENSSL_NO_KRB5 */ 1738#endif /* OPENSSL_NO_KRB5 */
1391 1739
1392 n=ssl3_get_message(s, 1740#ifndef OPENSSL_NO_ECDH
1741 EC_KEY *srvr_ecdh = NULL;
1742 EVP_PKEY *clnt_pub_pkey = NULL;
1743 EC_POINT *clnt_ecpoint = NULL;
1744 BN_CTX *bn_ctx = NULL;
1745#endif
1746
1747 n=s->method->ssl_get_message(s,
1393 SSL3_ST_SR_KEY_EXCH_A, 1748 SSL3_ST_SR_KEY_EXCH_A,
1394 SSL3_ST_SR_KEY_EXCH_B, 1749 SSL3_ST_SR_KEY_EXCH_B,
1395 SSL3_MT_CLIENT_KEY_EXCHANGE, 1750 SSL3_MT_CLIENT_KEY_EXCHANGE,
@@ -1433,8 +1788,9 @@ static int ssl3_get_client_key_exchange(SSL *s)
1433 rsa=pkey->pkey.rsa; 1788 rsa=pkey->pkey.rsa;
1434 } 1789 }
1435 1790
1436 /* TLS */ 1791 /* TLS and [incidentally] DTLS, including pre-0.9.8f */
1437 if (s->version > SSL3_VERSION) 1792 if (s->version > SSL3_VERSION &&
1793 s->client_version != DTLS1_BAD_VER)
1438 { 1794 {
1439 n2s(p,i); 1795 n2s(p,i);
1440 if (n != i+2) 1796 if (n != i+2)
@@ -1495,7 +1851,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1495 i = SSL_MAX_MASTER_KEY_LENGTH; 1851 i = SSL_MAX_MASTER_KEY_LENGTH;
1496 p[0] = s->client_version >> 8; 1852 p[0] = s->client_version >> 8;
1497 p[1] = s->client_version & 0xff; 1853 p[1] = s->client_version & 0xff;
1498 if(RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 1854 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
1499 goto err; 1855 goto err;
1500 } 1856 }
1501 1857
@@ -1594,7 +1950,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1594 n2s(p,i); 1950 n2s(p,i);
1595 enc_ticket.length = i; 1951 enc_ticket.length = i;
1596 1952
1597 if (n < (long)enc_ticket.length + 6) 1953 if (n < (int)enc_ticket.length + 6)
1598 { 1954 {
1599 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1955 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1600 SSL_R_DATA_LENGTH_TOO_LONG); 1956 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1607,7 +1963,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1607 n2s(p,i); 1963 n2s(p,i);
1608 authenticator.length = i; 1964 authenticator.length = i;
1609 1965
1610 if (n < (long)(enc_ticket.length + authenticator.length + 6)) 1966 if (n < (int)(enc_ticket.length + authenticator.length) + 6)
1611 { 1967 {
1612 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1968 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1613 SSL_R_DATA_LENGTH_TOO_LONG); 1969 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1649,7 +2005,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1649 if (kssl_err.text) 2005 if (kssl_err.text)
1650 printf("kssl_err text= %s\n", kssl_err.text); 2006 printf("kssl_err text= %s\n", kssl_err.text);
1651#endif /* KSSL_DEBUG */ 2007#endif /* KSSL_DEBUG */
1652 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2008 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1653 kssl_err.reason); 2009 kssl_err.reason);
1654 goto err; 2010 goto err;
1655 } 2011 }
@@ -1666,14 +2022,14 @@ static int ssl3_get_client_key_exchange(SSL *s)
1666 if (kssl_err.text) 2022 if (kssl_err.text)
1667 printf("kssl_err text= %s\n", kssl_err.text); 2023 printf("kssl_err text= %s\n", kssl_err.text);
1668#endif /* KSSL_DEBUG */ 2024#endif /* KSSL_DEBUG */
1669 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2025 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1670 kssl_err.reason); 2026 kssl_err.reason);
1671 goto err; 2027 goto err;
1672 } 2028 }
1673 2029
1674 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2030 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
1675 { 2031 {
1676 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc); 2032 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
1677 goto err; 2033 goto err;
1678 } 2034 }
1679 2035
@@ -1719,6 +2075,24 @@ static int ssl3_get_client_key_exchange(SSL *s)
1719 SSL_R_DATA_LENGTH_TOO_LONG); 2075 SSL_R_DATA_LENGTH_TOO_LONG);
1720 goto err; 2076 goto err;
1721 } 2077 }
2078 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
2079 {
2080 /* The premaster secret must contain the same version number as the
2081 * ClientHello to detect version rollback attacks (strangely, the
2082 * protocol does not offer such protection for DH ciphersuites).
2083 * However, buggy clients exist that send random bytes instead of
2084 * the protocol version.
2085 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2086 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2087 */
2088 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
2089 {
2090 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2091 SSL_AD_DECODE_ERROR);
2092 goto err;
2093 }
2094 }
2095
1722 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2096 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1723 2097
1724 s->session->master_key_length= 2098 s->session->master_key_length=
@@ -1727,7 +2101,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1727 2101
1728 if (kssl_ctx->client_princ) 2102 if (kssl_ctx->client_princ)
1729 { 2103 {
1730 int len = strlen(kssl_ctx->client_princ); 2104 size_t len = strlen(kssl_ctx->client_princ);
1731 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2105 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
1732 { 2106 {
1733 s->session->krb5_client_princ_len = len; 2107 s->session->krb5_client_princ_len = len;
@@ -1744,6 +2118,156 @@ static int ssl3_get_client_key_exchange(SSL *s)
1744 } 2118 }
1745 else 2119 else
1746#endif /* OPENSSL_NO_KRB5 */ 2120#endif /* OPENSSL_NO_KRB5 */
2121
2122#ifndef OPENSSL_NO_ECDH
2123 if ((l & SSL_kECDH) || (l & SSL_kECDHE))
2124 {
2125 int ret = 1;
2126 int field_size = 0;
2127 const EC_KEY *tkey;
2128 const EC_GROUP *group;
2129 const BIGNUM *priv_key;
2130
2131 /* initialize structures for server's ECDH key pair */
2132 if ((srvr_ecdh = EC_KEY_new()) == NULL)
2133 {
2134 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2135 ERR_R_MALLOC_FAILURE);
2136 goto err;
2137 }
2138
2139 /* Let's get server private key and group information */
2140 if (l & SSL_kECDH)
2141 {
2142 /* use the certificate */
2143 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2144 }
2145 else
2146 {
2147 /* use the ephermeral values we saved when
2148 * generating the ServerKeyExchange msg.
2149 */
2150 tkey = s->s3->tmp.ecdh;
2151 }
2152
2153 group = EC_KEY_get0_group(tkey);
2154 priv_key = EC_KEY_get0_private_key(tkey);
2155
2156 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2157 !EC_KEY_set_private_key(srvr_ecdh, priv_key))
2158 {
2159 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2160 ERR_R_EC_LIB);
2161 goto err;
2162 }
2163
2164 /* Let's get client's public key */
2165 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL)
2166 {
2167 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2168 ERR_R_MALLOC_FAILURE);
2169 goto err;
2170 }
2171
2172 if (n == 0L)
2173 {
2174 /* Client Publickey was in Client Certificate */
2175
2176 if (l & SSL_kECDHE)
2177 {
2178 al=SSL_AD_HANDSHAKE_FAILURE;
2179 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
2180 goto f_err;
2181 }
2182 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
2183 == NULL) ||
2184 (clnt_pub_pkey->type != EVP_PKEY_EC))
2185 {
2186 /* XXX: For now, we do not support client
2187 * authentication using ECDH certificates
2188 * so this branch (n == 0L) of the code is
2189 * never executed. When that support is
2190 * added, we ought to ensure the key
2191 * received in the certificate is
2192 * authorized for key agreement.
2193 * ECDH_compute_key implicitly checks that
2194 * the two ECDH shares are for the same
2195 * group.
2196 */
2197 al=SSL_AD_HANDSHAKE_FAILURE;
2198 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2199 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2200 goto f_err;
2201 }
2202
2203 if (EC_POINT_copy(clnt_ecpoint,
2204 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
2205 {
2206 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2207 ERR_R_EC_LIB);
2208 goto err;
2209 }
2210 ret = 2; /* Skip certificate verify processing */
2211 }
2212 else
2213 {
2214 /* Get client's public key from encoded point
2215 * in the ClientKeyExchange message.
2216 */
2217 if ((bn_ctx = BN_CTX_new()) == NULL)
2218 {
2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2220 ERR_R_MALLOC_FAILURE);
2221 goto err;
2222 }
2223
2224 /* Get encoded point length */
2225 i = *p;
2226 p += 1;
2227 if (EC_POINT_oct2point(group,
2228 clnt_ecpoint, p, i, bn_ctx) == 0)
2229 {
2230 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2231 ERR_R_EC_LIB);
2232 goto err;
2233 }
2234 /* p is pointing to somewhere in the buffer
2235 * currently, so set it to the start
2236 */
2237 p=(unsigned char *)s->init_buf->data;
2238 }
2239
2240 /* Compute the shared pre-master secret */
2241 field_size = EC_GROUP_get_degree(group);
2242 if (field_size <= 0)
2243 {
2244 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2245 ERR_R_ECDH_LIB);
2246 goto err;
2247 }
2248 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2249 if (i <= 0)
2250 {
2251 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2252 ERR_R_ECDH_LIB);
2253 goto err;
2254 }
2255
2256 EVP_PKEY_free(clnt_pub_pkey);
2257 EC_POINT_free(clnt_ecpoint);
2258 if (srvr_ecdh != NULL)
2259 EC_KEY_free(srvr_ecdh);
2260 BN_CTX_free(bn_ctx);
2261
2262 /* Compute the master secret */
2263 s->session->master_key_length = s->method->ssl3_enc-> \
2264 generate_master_secret(s, s->session->master_key, p, i);
2265
2266 OPENSSL_cleanse(p, i);
2267 return (ret);
2268 }
2269 else
2270#endif
1747 { 2271 {
1748 al=SSL_AD_HANDSHAKE_FAILURE; 2272 al=SSL_AD_HANDSHAKE_FAILURE;
1749 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2273 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -1754,13 +2278,20 @@ static int ssl3_get_client_key_exchange(SSL *s)
1754 return(1); 2278 return(1);
1755f_err: 2279f_err:
1756 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2280 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1757#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) 2281#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH)
1758err: 2282err:
1759#endif 2283#endif
2284#ifndef OPENSSL_NO_ECDH
2285 EVP_PKEY_free(clnt_pub_pkey);
2286 EC_POINT_free(clnt_ecpoint);
2287 if (srvr_ecdh != NULL)
2288 EC_KEY_free(srvr_ecdh);
2289 BN_CTX_free(bn_ctx);
2290#endif
1760 return(-1); 2291 return(-1);
1761 } 2292 }
1762 2293
1763static int ssl3_get_cert_verify(SSL *s) 2294int ssl3_get_cert_verify(SSL *s)
1764 { 2295 {
1765 EVP_PKEY *pkey=NULL; 2296 EVP_PKEY *pkey=NULL;
1766 unsigned char *p; 2297 unsigned char *p;
@@ -1769,7 +2300,7 @@ static int ssl3_get_cert_verify(SSL *s)
1769 int type=0,i,j; 2300 int type=0,i,j;
1770 X509 *peer; 2301 X509 *peer;
1771 2302
1772 n=ssl3_get_message(s, 2303 n=s->method->ssl_get_message(s,
1773 SSL3_ST_SR_CERT_VRFY_A, 2304 SSL3_ST_SR_CERT_VRFY_A,
1774 SSL3_ST_SR_CERT_VRFY_B, 2305 SSL3_ST_SR_CERT_VRFY_B,
1775 -1, 2306 -1,
@@ -1880,6 +2411,23 @@ static int ssl3_get_cert_verify(SSL *s)
1880 } 2411 }
1881 else 2412 else
1882#endif 2413#endif
2414#ifndef OPENSSL_NO_ECDSA
2415 if (pkey->type == EVP_PKEY_EC)
2416 {
2417 j=ECDSA_verify(pkey->save_type,
2418 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2419 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec);
2420 if (j <= 0)
2421 {
2422 /* bad signature */
2423 al=SSL_AD_DECRYPT_ERROR;
2424 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2425 SSL_R_BAD_ECDSA_SIGNATURE);
2426 goto f_err;
2427 }
2428 }
2429 else
2430#endif
1883 { 2431 {
1884 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2432 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
1885 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2433 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
@@ -1898,15 +2446,16 @@ end:
1898 return(ret); 2446 return(ret);
1899 } 2447 }
1900 2448
1901static int ssl3_get_client_certificate(SSL *s) 2449int ssl3_get_client_certificate(SSL *s)
1902 { 2450 {
1903 int i,ok,al,ret= -1; 2451 int i,ok,al,ret= -1;
1904 X509 *x=NULL; 2452 X509 *x=NULL;
1905 unsigned long l,nc,llen,n; 2453 unsigned long l,nc,llen,n;
1906 unsigned char *p,*d,*q; 2454 const unsigned char *p,*q;
2455 unsigned char *d;
1907 STACK_OF(X509) *sk=NULL; 2456 STACK_OF(X509) *sk=NULL;
1908 2457
1909 n=ssl3_get_message(s, 2458 n=s->method->ssl_get_message(s,
1910 SSL3_ST_SR_CERT_A, 2459 SSL3_ST_SR_CERT_A,
1911 SSL3_ST_SR_CERT_B, 2460 SSL3_ST_SR_CERT_B,
1912 -1, 2461 -1,
@@ -1941,7 +2490,7 @@ static int ssl3_get_client_certificate(SSL *s)
1941 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 2490 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1942 goto f_err; 2491 goto f_err;
1943 } 2492 }
1944 d=p=(unsigned char *)s->init_msg; 2493 p=d=(unsigned char *)s->init_msg;
1945 2494
1946 if ((sk=sk_X509_new_null()) == NULL) 2495 if ((sk=sk_X509_new_null()) == NULL)
1947 { 2496 {
@@ -2080,3 +2629,209 @@ int ssl3_send_server_certificate(SSL *s)
2080 /* SSL3_ST_SW_CERT_B */ 2629 /* SSL3_ST_SW_CERT_B */
2081 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2630 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2082 } 2631 }
2632
2633
2634#ifndef OPENSSL_NO_ECDH
2635/* This is the complement of curve_id2nid in s3_clnt.c. */
2636static int nid2curve_id(int nid)
2637{
2638 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2639 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2640 switch (nid) {
2641 case NID_sect163k1: /* sect163k1 (1) */
2642 return 1;
2643 case NID_sect163r1: /* sect163r1 (2) */
2644 return 2;
2645 case NID_sect163r2: /* sect163r2 (3) */
2646 return 3;
2647 case NID_sect193r1: /* sect193r1 (4) */
2648 return 4;
2649 case NID_sect193r2: /* sect193r2 (5) */
2650 return 5;
2651 case NID_sect233k1: /* sect233k1 (6) */
2652 return 6;
2653 case NID_sect233r1: /* sect233r1 (7) */
2654 return 7;
2655 case NID_sect239k1: /* sect239k1 (8) */
2656 return 8;
2657 case NID_sect283k1: /* sect283k1 (9) */
2658 return 9;
2659 case NID_sect283r1: /* sect283r1 (10) */
2660 return 10;
2661 case NID_sect409k1: /* sect409k1 (11) */
2662 return 11;
2663 case NID_sect409r1: /* sect409r1 (12) */
2664 return 12;
2665 case NID_sect571k1: /* sect571k1 (13) */
2666 return 13;
2667 case NID_sect571r1: /* sect571r1 (14) */
2668 return 14;
2669 case NID_secp160k1: /* secp160k1 (15) */
2670 return 15;
2671 case NID_secp160r1: /* secp160r1 (16) */
2672 return 16;
2673 case NID_secp160r2: /* secp160r2 (17) */
2674 return 17;
2675 case NID_secp192k1: /* secp192k1 (18) */
2676 return 18;
2677 case NID_X9_62_prime192v1: /* secp192r1 (19) */
2678 return 19;
2679 case NID_secp224k1: /* secp224k1 (20) */
2680 return 20;
2681 case NID_secp224r1: /* secp224r1 (21) */
2682 return 21;
2683 case NID_secp256k1: /* secp256k1 (22) */
2684 return 22;
2685 case NID_X9_62_prime256v1: /* secp256r1 (23) */
2686 return 23;
2687 case NID_secp384r1: /* secp384r1 (24) */
2688 return 24;
2689 case NID_secp521r1: /* secp521r1 (25) */
2690 return 25;
2691 default:
2692 return 0;
2693 }
2694}
2695#endif
2696#ifndef OPENSSL_NO_TLSEXT
2697int ssl3_send_newsession_ticket(SSL *s)
2698 {
2699 if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
2700 {
2701 unsigned char *p, *senc, *macstart;
2702 int len, slen;
2703 unsigned int hlen;
2704 EVP_CIPHER_CTX ctx;
2705 HMAC_CTX hctx;
2706 unsigned char iv[EVP_MAX_IV_LENGTH];
2707 unsigned char key_name[16];
2708
2709 /* get session encoding length */
2710 slen = i2d_SSL_SESSION(s->session, NULL);
2711 /* Some length values are 16 bits, so forget it if session is
2712 * too long
2713 */
2714 if (slen > 0xFF00)
2715 return -1;
2716 /* Grow buffer if need be: the length calculation is as
2717 * follows 1 (size of message name) + 3 (message length
2718 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
2719 * 16 (key name) + max_iv_len (iv length) +
2720 * session_length + max_enc_block_size (max encrypted session
2721 * length) + max_md_size (HMAC).
2722 */
2723 if (!BUF_MEM_grow(s->init_buf,
2724 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
2725 EVP_MAX_MD_SIZE + slen))
2726 return -1;
2727 senc = OPENSSL_malloc(slen);
2728 if (!senc)
2729 return -1;
2730 p = senc;
2731 i2d_SSL_SESSION(s->session, &p);
2732
2733 p=(unsigned char *)s->init_buf->data;
2734 /* do the header */
2735 *(p++)=SSL3_MT_NEWSESSION_TICKET;
2736 /* Skip message length for now */
2737 p += 3;
2738 EVP_CIPHER_CTX_init(&ctx);
2739 HMAC_CTX_init(&hctx);
2740 /* Initialize HMAC and cipher contexts. If callback present
2741 * it does all the work otherwise use generated values
2742 * from parent ctx.
2743 */
2744 if (s->ctx->tlsext_ticket_key_cb)
2745 {
2746 if (s->ctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
2747 &hctx, 1) < 0)
2748 {
2749 OPENSSL_free(senc);
2750 return -1;
2751 }
2752 }
2753 else
2754 {
2755 RAND_pseudo_bytes(iv, 16);
2756 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2757 s->ctx->tlsext_tick_aes_key, iv);
2758 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
2759 tlsext_tick_md(), NULL);
2760 memcpy(key_name, s->ctx->tlsext_tick_key_name, 16);
2761 }
2762 l2n(s->session->tlsext_tick_lifetime_hint, p);
2763 /* Skip ticket length for now */
2764 p += 2;
2765 /* Output key name */
2766 macstart = p;
2767 memcpy(p, key_name, 16);
2768 p += 16;
2769 /* output IV */
2770 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
2771 p += EVP_CIPHER_CTX_iv_length(&ctx);
2772 /* Encrypt session data */
2773 EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
2774 p += len;
2775 EVP_EncryptFinal(&ctx, p, &len);
2776 p += len;
2777 EVP_CIPHER_CTX_cleanup(&ctx);
2778
2779 HMAC_Update(&hctx, macstart, p - macstart);
2780 HMAC_Final(&hctx, p, &hlen);
2781 HMAC_CTX_cleanup(&hctx);
2782
2783 p += hlen;
2784 /* Now write out lengths: p points to end of data written */
2785 /* Total length */
2786 len = p - (unsigned char *)s->init_buf->data;
2787 p=(unsigned char *)s->init_buf->data + 1;
2788 l2n3(len - 4, p); /* Message length */
2789 p += 4;
2790 s2n(len - 10, p); /* Ticket length */
2791
2792 /* number of bytes to write */
2793 s->init_num= len;
2794 s->state=SSL3_ST_SW_SESSION_TICKET_B;
2795 s->init_off=0;
2796 OPENSSL_free(senc);
2797 }
2798
2799 /* SSL3_ST_SW_SESSION_TICKET_B */
2800 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2801 }
2802
2803int ssl3_send_cert_status(SSL *s)
2804 {
2805 if (s->state == SSL3_ST_SW_CERT_STATUS_A)
2806 {
2807 unsigned char *p;
2808 /* Grow buffer if need be: the length calculation is as
2809 * follows 1 (message type) + 3 (message length) +
2810 * 1 (ocsp response type) + 3 (ocsp response length)
2811 * + (ocsp response)
2812 */
2813 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
2814 return -1;
2815
2816 p=(unsigned char *)s->init_buf->data;
2817
2818 /* do the header */
2819 *(p++)=SSL3_MT_CERTIFICATE_STATUS;
2820 /* message length */
2821 l2n3(s->tlsext_ocsp_resplen + 4, p);
2822 /* status type */
2823 *(p++)= s->tlsext_status_type;
2824 /* length of OCSP response */
2825 l2n3(s->tlsext_ocsp_resplen, p);
2826 /* actual response */
2827 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
2828 /* number of bytes to write */
2829 s->init_num = 8 + s->tlsext_ocsp_resplen;
2830 s->state=SSL3_ST_SW_CERT_STATUS_B;
2831 s->init_off = 0;
2832 }
2833
2834 /* SSL3_ST_SW_CERT_STATUS_B */
2835 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2836 }
2837#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 19:51:02 +0000