diff options
| author | beck <> | 2000-03-19 11:13:58 +0000 |
|---|---|---|
| committer | beck <> | 2000-03-19 11:13:58 +0000 |
| commit | 796d609550df3a33fc11468741c5d2f6d3df4c11 (patch) | |
| tree | 6c6d539061caa20372dad0ac4ddb1dfae2fbe7fe /src/lib/libssl/s3_srvr.c | |
| parent | 5be3114c1fd7e0dfea1e38d3abb4cbba75244419 (diff) | |
| download | openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.tar.gz openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.tar.bz2 openbsd-796d609550df3a33fc11468741c5d2f6d3df4c11.zip | |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 185 |
1 files changed, 120 insertions, 65 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index e003d88357..90806e2d99 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -57,6 +57,8 @@ | |||
| 57 | */ | 57 | */ |
| 58 | 58 | ||
| 59 | #define REUSE_CIPHER_BUG | 59 | #define REUSE_CIPHER_BUG |
| 60 | #define NETSCAPE_HANG_BUG | ||
| 61 | |||
| 60 | 62 | ||
| 61 | #include <stdio.h> | 63 | #include <stdio.h> |
| 62 | #include <openssl/buffer.h> | 64 | #include <openssl/buffer.h> |
| @@ -70,13 +72,14 @@ | |||
| 70 | 72 | ||
| 71 | static SSL_METHOD *ssl3_get_server_method(int ver); | 73 | static SSL_METHOD *ssl3_get_server_method(int ver); |
| 72 | static int ssl3_get_client_hello(SSL *s); | 74 | static int ssl3_get_client_hello(SSL *s); |
| 75 | static int ssl3_check_client_hello(SSL *s); | ||
| 73 | static int ssl3_send_server_hello(SSL *s); | 76 | static int ssl3_send_server_hello(SSL *s); |
| 74 | static int ssl3_send_server_key_exchange(SSL *s); | 77 | static int ssl3_send_server_key_exchange(SSL *s); |
| 75 | static int ssl3_send_certificate_request(SSL *s); | 78 | static int ssl3_send_certificate_request(SSL *s); |
| 76 | static int ssl3_send_server_done(SSL *s); | 79 | static int ssl3_send_server_done(SSL *s); |
| 77 | static int ssl3_get_cert_verify(SSL *s); | ||
| 78 | static int ssl3_get_client_key_exchange(SSL *s); | 80 | static int ssl3_get_client_key_exchange(SSL *s); |
| 79 | static int ssl3_get_client_certificate(SSL *s); | 81 | static int ssl3_get_client_certificate(SSL *s); |
| 82 | static int ssl3_get_cert_verify(SSL *s); | ||
| 80 | static int ssl3_send_hello_request(SSL *s); | 83 | static int ssl3_send_hello_request(SSL *s); |
| 81 | 84 | ||
| 82 | static SSL_METHOD *ssl3_get_server_method(int ver) | 85 | static SSL_METHOD *ssl3_get_server_method(int ver) |
| @@ -112,7 +115,7 @@ int ssl3_accept(SSL *s) | |||
| 112 | int ret= -1; | 115 | int ret= -1; |
| 113 | int new_state,state,skip=0; | 116 | int new_state,state,skip=0; |
| 114 | 117 | ||
| 115 | RAND_seed(&Time,sizeof(Time)); | 118 | RAND_add(&Time,sizeof(Time),0); |
| 116 | ERR_clear_error(); | 119 | ERR_clear_error(); |
| 117 | clear_sys_error(); | 120 | clear_sys_error(); |
| 118 | 121 | ||
| @@ -151,7 +154,6 @@ int ssl3_accept(SSL *s) | |||
| 151 | 154 | ||
| 152 | if ((s->version>>8) != 3) | 155 | if ((s->version>>8) != 3) |
| 153 | abort(); | 156 | abort(); |
| 154 | /* s->version=SSL3_VERSION; */ | ||
| 155 | s->type=SSL_ST_ACCEPT; | 157 | s->type=SSL_ST_ACCEPT; |
| 156 | 158 | ||
| 157 | if (s->init_buf == NULL) | 159 | if (s->init_buf == NULL) |
| @@ -184,8 +186,8 @@ int ssl3_accept(SSL *s) | |||
| 184 | 186 | ||
| 185 | if (s->state != SSL_ST_RENEGOTIATE) | 187 | if (s->state != SSL_ST_RENEGOTIATE) |
| 186 | { | 188 | { |
| 187 | s->state=SSL3_ST_SR_CLNT_HELLO_A; | ||
| 188 | ssl3_init_finished_mac(s); | 189 | ssl3_init_finished_mac(s); |
| 190 | s->state=SSL3_ST_SR_CLNT_HELLO_A; | ||
| 189 | s->ctx->stats.sess_accept++; | 191 | s->ctx->stats.sess_accept++; |
| 190 | } | 192 | } |
| 191 | else | 193 | else |
| @@ -268,8 +270,8 @@ int ssl3_accept(SSL *s) | |||
| 268 | || (l & (SSL_DH|SSL_kFZA)) | 270 | || (l & (SSL_DH|SSL_kFZA)) |
| 269 | || ((l & SSL_kRSA) | 271 | || ((l & SSL_kRSA) |
| 270 | && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL | 272 | && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL |
| 271 | || (SSL_IS_EXPORT(l) | 273 | || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) |
| 272 | && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l) | 274 | && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) |
| 273 | ) | 275 | ) |
| 274 | ) | 276 | ) |
| 275 | ) | 277 | ) |
| @@ -287,9 +289,19 @@ int ssl3_accept(SSL *s) | |||
| 287 | 289 | ||
| 288 | case SSL3_ST_SW_CERT_REQ_A: | 290 | case SSL3_ST_SW_CERT_REQ_A: |
| 289 | case SSL3_ST_SW_CERT_REQ_B: | 291 | case SSL3_ST_SW_CERT_REQ_B: |
| 290 | if (!(s->verify_mode & SSL_VERIFY_PEER) || | 292 | if (/* don't request cert unless asked for it: */ |
| 293 | !(s->verify_mode & SSL_VERIFY_PEER) || | ||
| 294 | /* if SSL_VERIFY_CLIENT_ONCE is set, | ||
| 295 | * don't request cert during re-negotiation: */ | ||
| 291 | ((s->session->peer != NULL) && | 296 | ((s->session->peer != NULL) && |
| 292 | (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) | 297 | (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || |
| 298 | /* never request cert in anonymous ciphersuites | ||
| 299 | * (see section "Certificate request" in SSL 3 drafts | ||
| 300 | * and in RFC 2246): */ | ||
| 301 | ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && | ||
| 302 | /* ... except when the application insists on verification | ||
| 303 | * (against the specs, but s3_clnt.c accepts this for SSL 3) */ | ||
| 304 | !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) | ||
| 293 | { | 305 | { |
| 294 | /* no cert request */ | 306 | /* no cert request */ |
| 295 | skip=1; | 307 | skip=1; |
| @@ -301,7 +313,12 @@ int ssl3_accept(SSL *s) | |||
| 301 | s->s3->tmp.cert_request=1; | 313 | s->s3->tmp.cert_request=1; |
| 302 | ret=ssl3_send_certificate_request(s); | 314 | ret=ssl3_send_certificate_request(s); |
| 303 | if (ret <= 0) goto end; | 315 | if (ret <= 0) goto end; |
| 316 | #ifndef NETSCAPE_HANG_BUG | ||
| 304 | s->state=SSL3_ST_SW_SRVR_DONE_A; | 317 | s->state=SSL3_ST_SW_SRVR_DONE_A; |
| 318 | #else | ||
| 319 | s->state=SSL3_ST_SW_FLUSH; | ||
| 320 | s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; | ||
| 321 | #endif | ||
| 305 | s->init_num=0; | 322 | s->init_num=0; |
| 306 | } | 323 | } |
| 307 | break; | 324 | break; |
| @@ -331,12 +348,20 @@ int ssl3_accept(SSL *s) | |||
| 331 | 348 | ||
| 332 | case SSL3_ST_SR_CERT_A: | 349 | case SSL3_ST_SR_CERT_A: |
| 333 | case SSL3_ST_SR_CERT_B: | 350 | case SSL3_ST_SR_CERT_B: |
| 334 | /* could be sent for a DH cert, even if we | 351 | /* Check for second client hello (MS SGC) */ |
| 335 | * have not asked for it :-) */ | 352 | ret = ssl3_check_client_hello(s); |
| 336 | ret=ssl3_get_client_certificate(s); | 353 | if (ret <= 0) |
| 337 | if (ret <= 0) goto end; | 354 | goto end; |
| 338 | s->init_num=0; | 355 | if (ret == 2) |
| 339 | s->state=SSL3_ST_SR_KEY_EXCH_A; | 356 | s->state = SSL3_ST_SR_CLNT_HELLO_C; |
| 357 | else { | ||
| 358 | /* could be sent for a DH cert, even if we | ||
| 359 | * have not asked for it :-) */ | ||
| 360 | ret=ssl3_get_client_certificate(s); | ||
| 361 | if (ret <= 0) goto end; | ||
| 362 | s->init_num=0; | ||
| 363 | s->state=SSL3_ST_SR_KEY_EXCH_A; | ||
| 364 | } | ||
| 340 | break; | 365 | break; |
| 341 | 366 | ||
| 342 | case SSL3_ST_SR_KEY_EXCH_A: | 367 | case SSL3_ST_SR_KEY_EXCH_A: |
| @@ -350,10 +375,10 @@ int ssl3_accept(SSL *s) | |||
| 350 | * a client cert, it can be verified */ | 375 | * a client cert, it can be verified */ |
| 351 | s->method->ssl3_enc->cert_verify_mac(s, | 376 | s->method->ssl3_enc->cert_verify_mac(s, |
| 352 | &(s->s3->finish_dgst1), | 377 | &(s->s3->finish_dgst1), |
| 353 | &(s->s3->tmp.finish_md[0])); | 378 | &(s->s3->tmp.cert_verify_md[0])); |
| 354 | s->method->ssl3_enc->cert_verify_mac(s, | 379 | s->method->ssl3_enc->cert_verify_mac(s, |
| 355 | &(s->s3->finish_dgst2), | 380 | &(s->s3->finish_dgst2), |
| 356 | &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH])); | 381 | &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); |
| 357 | 382 | ||
| 358 | break; | 383 | break; |
| 359 | 384 | ||
| @@ -407,8 +432,8 @@ int ssl3_accept(SSL *s) | |||
| 407 | case SSL3_ST_SW_FINISHED_B: | 432 | case SSL3_ST_SW_FINISHED_B: |
| 408 | ret=ssl3_send_finished(s, | 433 | ret=ssl3_send_finished(s, |
| 409 | SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, | 434 | SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, |
| 410 | s->method->ssl3_enc->server_finished, | 435 | s->method->ssl3_enc->server_finished_label, |
| 411 | s->method->ssl3_enc->server_finished_len); | 436 | s->method->ssl3_enc->server_finished_label_len); |
| 412 | if (ret <= 0) goto end; | 437 | if (ret <= 0) goto end; |
| 413 | s->state=SSL3_ST_SW_FLUSH; | 438 | s->state=SSL3_ST_SW_FLUSH; |
| 414 | if (s->hit) | 439 | if (s->hit) |
| @@ -485,7 +510,7 @@ static int ssl3_send_hello_request(SSL *s) | |||
| 485 | if (s->state == SSL3_ST_SW_HELLO_REQ_A) | 510 | if (s->state == SSL3_ST_SW_HELLO_REQ_A) |
| 486 | { | 511 | { |
| 487 | p=(unsigned char *)s->init_buf->data; | 512 | p=(unsigned char *)s->init_buf->data; |
| 488 | *(p++)=SSL3_MT_CLIENT_REQUEST; | 513 | *(p++)=SSL3_MT_HELLO_REQUEST; |
| 489 | *(p++)=0; | 514 | *(p++)=0; |
| 490 | *(p++)=0; | 515 | *(p++)=0; |
| 491 | *(p++)=0; | 516 | *(p++)=0; |
| @@ -500,6 +525,37 @@ static int ssl3_send_hello_request(SSL *s) | |||
| 500 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 525 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
| 501 | } | 526 | } |
| 502 | 527 | ||
| 528 | static int ssl3_check_client_hello(SSL *s) | ||
| 529 | { | ||
| 530 | int ok; | ||
| 531 | long n; | ||
| 532 | |||
| 533 | n=ssl3_get_message(s, | ||
| 534 | SSL3_ST_SR_CERT_A, | ||
| 535 | SSL3_ST_SR_CERT_B, | ||
| 536 | -1, | ||
| 537 | SSL3_RT_MAX_PLAIN_LENGTH, | ||
| 538 | &ok); | ||
| 539 | if (!ok) return((int)n); | ||
| 540 | s->s3->tmp.reuse_message = 1; | ||
| 541 | if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) | ||
| 542 | { | ||
| 543 | /* Throw away what we have done so far in the current handshake, | ||
| 544 | * which will now be aborted. (A full SSL_clear would be too much.) | ||
| 545 | * I hope that tmp.dh is the only thing that may need to be cleared | ||
| 546 | * when a handshake is not completed ... */ | ||
| 547 | #ifndef NO_DH | ||
| 548 | if (s->s3->tmp.dh != NULL) | ||
| 549 | { | ||
| 550 | DH_free(s->s3->tmp.dh); | ||
| 551 | s->s3->tmp.dh = NULL; | ||
| 552 | } | ||
| 553 | #endif | ||
| 554 | return 2; | ||
| 555 | } | ||
| 556 | return 1; | ||
| 557 | } | ||
| 558 | |||
| 503 | static int ssl3_get_client_hello(SSL *s) | 559 | static int ssl3_get_client_hello(SSL *s) |
| 504 | { | 560 | { |
| 505 | int i,j,ok,al,ret= -1; | 561 | int i,j,ok,al,ret= -1; |
| @@ -531,10 +587,9 @@ static int ssl3_get_client_hello(SSL *s) | |||
| 531 | if (!ok) return((int)n); | 587 | if (!ok) return((int)n); |
| 532 | d=p=(unsigned char *)s->init_buf->data; | 588 | d=p=(unsigned char *)s->init_buf->data; |
| 533 | 589 | ||
| 534 | /* The version number has already been checked in ssl3_get_message. | 590 | /* use version from inside client hello, not from record header |
| 535 | * I a native TLSv1/SSLv3 method, the match must be correct except | 591 | * (may differ: see RFC 2246, Appendix E, second paragraph) */ |
| 536 | * perhaps for the first message */ | 592 | s->client_version=(((int)p[0])<<8)|(int)p[1]; |
| 537 | /* s->client_version=(((int)p[0])<<8)|(int)p[1]; */ | ||
| 538 | p+=2; | 593 | p+=2; |
| 539 | 594 | ||
| 540 | /* load the client random */ | 595 | /* load the client random */ |
| @@ -754,7 +809,7 @@ static int ssl3_get_client_hello(SSL *s) | |||
| 754 | * compression - basically ignored right now | 809 | * compression - basically ignored right now |
| 755 | * ssl version is set - sslv3 | 810 | * ssl version is set - sslv3 |
| 756 | * s->session - The ssl session has been setup. | 811 | * s->session - The ssl session has been setup. |
| 757 | * s->hit - sesson reuse flag | 812 | * s->hit - session reuse flag |
| 758 | * s->tmp.new_cipher - the new cipher to use. | 813 | * s->tmp.new_cipher - the new cipher to use. |
| 759 | */ | 814 | */ |
| 760 | 815 | ||
| @@ -782,7 +837,7 @@ static int ssl3_send_server_hello(SSL *s) | |||
| 782 | p=s->s3->server_random; | 837 | p=s->s3->server_random; |
| 783 | Time=time(NULL); /* Time */ | 838 | Time=time(NULL); /* Time */ |
| 784 | l2n(Time,p); | 839 | l2n(Time,p); |
| 785 | RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); | 840 | RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); |
| 786 | /* Do the message type and length last */ | 841 | /* Do the message type and length last */ |
| 787 | d=p= &(buf[4]); | 842 | d=p= &(buf[4]); |
| 788 | 843 | ||
| @@ -866,9 +921,10 @@ static int ssl3_send_server_key_exchange(SSL *s) | |||
| 866 | int j,num; | 921 | int j,num; |
| 867 | RSA *rsa; | 922 | RSA *rsa; |
| 868 | unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; | 923 | unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; |
| 924 | unsigned int u; | ||
| 869 | #endif | 925 | #endif |
| 870 | #ifndef NO_DH | 926 | #ifndef NO_DH |
| 871 | DH *dh,*dhp; | 927 | DH *dh=NULL,*dhp; |
| 872 | #endif | 928 | #endif |
| 873 | EVP_PKEY *pkey; | 929 | EVP_PKEY *pkey; |
| 874 | unsigned char *p,*d; | 930 | unsigned char *p,*d; |
| @@ -899,6 +955,12 @@ static int ssl3_send_server_key_exchange(SSL *s) | |||
| 899 | rsa=s->cert->rsa_tmp_cb(s, | 955 | rsa=s->cert->rsa_tmp_cb(s, |
| 900 | SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), | 956 | SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), |
| 901 | SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); | 957 | SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); |
| 958 | if(rsa == NULL) | ||
| 959 | { | ||
| 960 | al=SSL_AD_HANDSHAKE_FAILURE; | ||
| 961 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); | ||
| 962 | goto f_err; | ||
| 963 | } | ||
| 902 | CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); | 964 | CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); |
| 903 | cert->rsa_tmp=rsa; | 965 | cert->rsa_tmp=rsa; |
| 904 | } | 966 | } |
| @@ -928,6 +990,14 @@ static int ssl3_send_server_key_exchange(SSL *s) | |||
| 928 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); | 990 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); |
| 929 | goto f_err; | 991 | goto f_err; |
| 930 | } | 992 | } |
| 993 | |||
| 994 | if (s->s3->tmp.dh != NULL) | ||
| 995 | { | ||
| 996 | DH_free(dh); | ||
| 997 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR); | ||
| 998 | goto err; | ||
| 999 | } | ||
| 1000 | |||
| 931 | if ((dh=DHparams_dup(dhp)) == NULL) | 1001 | if ((dh=DHparams_dup(dhp)) == NULL) |
| 932 | { | 1002 | { |
| 933 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); | 1003 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); |
| @@ -1027,15 +1097,14 @@ static int ssl3_send_server_key_exchange(SSL *s) | |||
| 1027 | q+=i; | 1097 | q+=i; |
| 1028 | j+=i; | 1098 | j+=i; |
| 1029 | } | 1099 | } |
| 1030 | i=RSA_private_encrypt(j,md_buf,&(p[2]), | 1100 | if (RSA_sign(NID_md5_sha1, md_buf, j, |
| 1031 | pkey->pkey.rsa,RSA_PKCS1_PADDING); | 1101 | &(p[2]), &u, pkey->pkey.rsa) <= 0) |
| 1032 | if (i <= 0) | ||
| 1033 | { | 1102 | { |
| 1034 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); | 1103 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); |
| 1035 | goto err; | 1104 | goto err; |
| 1036 | } | 1105 | } |
| 1037 | s2n(i,p); | 1106 | s2n(u,p); |
| 1038 | n+=i+2; | 1107 | n+=u+2; |
| 1039 | } | 1108 | } |
| 1040 | else | 1109 | else |
| 1041 | #endif | 1110 | #endif |
| @@ -1075,7 +1144,7 @@ static int ssl3_send_server_key_exchange(SSL *s) | |||
| 1075 | s->init_off=0; | 1144 | s->init_off=0; |
| 1076 | } | 1145 | } |
| 1077 | 1146 | ||
| 1078 | /* SSL3_ST_SW_KEY_EXCH_B */ | 1147 | s->state = SSL3_ST_SW_KEY_EXCH_B; |
| 1079 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 1148 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
| 1080 | f_err: | 1149 | f_err: |
| 1081 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | 1150 | ssl3_send_alert(s,SSL3_AL_FATAL,al); |
| @@ -1152,6 +1221,17 @@ static int ssl3_send_certificate_request(SSL *s) | |||
| 1152 | 1221 | ||
| 1153 | s->init_num=n+4; | 1222 | s->init_num=n+4; |
| 1154 | s->init_off=0; | 1223 | s->init_off=0; |
| 1224 | #ifdef NETSCAPE_HANG_BUG | ||
| 1225 | p=(unsigned char *)s->init_buf->data + s->init_num; | ||
| 1226 | |||
| 1227 | /* do the header */ | ||
| 1228 | *(p++)=SSL3_MT_SERVER_DONE; | ||
| 1229 | *(p++)=0; | ||
| 1230 | *(p++)=0; | ||
| 1231 | *(p++)=0; | ||
| 1232 | s->init_num += 4; | ||
| 1233 | #endif | ||
| 1234 | |||
| 1155 | } | 1235 | } |
| 1156 | 1236 | ||
| 1157 | /* SSL3_ST_SW_CERT_REQ_B */ | 1237 | /* SSL3_ST_SW_CERT_REQ_B */ |
| @@ -1239,31 +1319,6 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1239 | 1319 | ||
| 1240 | i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); | 1320 | i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); |
| 1241 | 1321 | ||
| 1242 | #if 1 | ||
| 1243 | /* If a bad decrypt, use a random master key */ | ||
| 1244 | if ((i != SSL_MAX_MASTER_KEY_LENGTH) || | ||
| 1245 | ((p[0] != (s->client_version>>8)) || | ||
| 1246 | (p[1] != (s->client_version & 0xff)))) | ||
| 1247 | { | ||
| 1248 | int bad=1; | ||
| 1249 | |||
| 1250 | if ((i == SSL_MAX_MASTER_KEY_LENGTH) && | ||
| 1251 | (p[0] == (s->version>>8)) && | ||
| 1252 | (p[1] == 0)) | ||
| 1253 | { | ||
| 1254 | if (s->options & SSL_OP_TLS_ROLLBACK_BUG) | ||
| 1255 | bad=0; | ||
| 1256 | } | ||
| 1257 | if (bad) | ||
| 1258 | { | ||
| 1259 | p[0]=(s->version>>8); | ||
| 1260 | p[1]=(s->version & 0xff); | ||
| 1261 | RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); | ||
| 1262 | i=SSL_MAX_MASTER_KEY_LENGTH; | ||
| 1263 | } | ||
| 1264 | /* else, an SSLeay bug, ssl only server, tls client */ | ||
| 1265 | } | ||
| 1266 | #else | ||
| 1267 | if (i != SSL_MAX_MASTER_KEY_LENGTH) | 1322 | if (i != SSL_MAX_MASTER_KEY_LENGTH) |
| 1268 | { | 1323 | { |
| 1269 | al=SSL_AD_DECODE_ERROR; | 1324 | al=SSL_AD_DECODE_ERROR; |
| @@ -1271,13 +1326,12 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1271 | goto f_err; | 1326 | goto f_err; |
| 1272 | } | 1327 | } |
| 1273 | 1328 | ||
| 1274 | if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff))) | 1329 | if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff))) |
| 1275 | { | 1330 | { |
| 1276 | al=SSL_AD_DECODE_ERROR; | 1331 | al=SSL_AD_DECODE_ERROR; |
| 1277 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); | 1332 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); |
| 1278 | goto f_err; | 1333 | goto f_err; |
| 1279 | } | 1334 | } |
| 1280 | #endif | ||
| 1281 | 1335 | ||
| 1282 | s->session->master_key_length= | 1336 | s->session->master_key_length= |
| 1283 | s->method->ssl3_enc->generate_master_secret(s, | 1337 | s->method->ssl3_enc->generate_master_secret(s, |
| @@ -1450,16 +1504,16 @@ static int ssl3_get_cert_verify(SSL *s) | |||
| 1450 | #ifndef NO_RSA | 1504 | #ifndef NO_RSA |
| 1451 | if (pkey->type == EVP_PKEY_RSA) | 1505 | if (pkey->type == EVP_PKEY_RSA) |
| 1452 | { | 1506 | { |
| 1453 | i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING); | 1507 | i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, |
| 1508 | MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, | ||
| 1509 | pkey->pkey.rsa); | ||
| 1454 | if (i < 0) | 1510 | if (i < 0) |
| 1455 | { | 1511 | { |
| 1456 | al=SSL_AD_DECRYPT_ERROR; | 1512 | al=SSL_AD_DECRYPT_ERROR; |
| 1457 | SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); | 1513 | SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); |
| 1458 | goto f_err; | 1514 | goto f_err; |
| 1459 | } | 1515 | } |
| 1460 | if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) || | 1516 | if (i == 0) |
| 1461 | memcmp(&(s->s3->tmp.finish_md[0]),p, | ||
| 1462 | MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) | ||
| 1463 | { | 1517 | { |
| 1464 | al=SSL_AD_DECRYPT_ERROR; | 1518 | al=SSL_AD_DECRYPT_ERROR; |
| 1465 | SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); | 1519 | SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); |
| @@ -1472,7 +1526,7 @@ static int ssl3_get_cert_verify(SSL *s) | |||
| 1472 | if (pkey->type == EVP_PKEY_DSA) | 1526 | if (pkey->type == EVP_PKEY_DSA) |
| 1473 | { | 1527 | { |
| 1474 | j=DSA_verify(pkey->save_type, | 1528 | j=DSA_verify(pkey->save_type, |
| 1475 | &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]), | 1529 | &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), |
| 1476 | SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); | 1530 | SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); |
| 1477 | if (j <= 0) | 1531 | if (j <= 0) |
| 1478 | { | 1532 | { |
| @@ -1532,7 +1586,7 @@ static int ssl3_get_client_certificate(SSL *s) | |||
| 1532 | al=SSL_AD_HANDSHAKE_FAILURE; | 1586 | al=SSL_AD_HANDSHAKE_FAILURE; |
| 1533 | goto f_err; | 1587 | goto f_err; |
| 1534 | } | 1588 | } |
| 1535 | /* If tls asked for a client cert we must return a 0 list */ | 1589 | /* If tls asked for a client cert, the client must return a 0 list */ |
| 1536 | if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) | 1590 | if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) |
| 1537 | { | 1591 | { |
| 1538 | SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); | 1592 | SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); |
| @@ -1628,6 +1682,7 @@ static int ssl3_get_client_certificate(SSL *s) | |||
| 1628 | if (s->session->peer != NULL) /* This should not be needed */ | 1682 | if (s->session->peer != NULL) /* This should not be needed */ |
| 1629 | X509_free(s->session->peer); | 1683 | X509_free(s->session->peer); |
| 1630 | s->session->peer=sk_X509_shift(sk); | 1684 | s->session->peer=sk_X509_shift(sk); |
| 1685 | s->session->verify_result = s->verify_result; | ||
| 1631 | 1686 | ||
| 1632 | /* With the current implementation, sess_cert will always be NULL | 1687 | /* With the current implementation, sess_cert will always be NULL |
| 1633 | * when we arrive here. */ | 1688 | * when we arrive here. */ |