summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
authordjm <>2010-10-01 22:54:21 +0000
committerdjm <>2010-10-01 22:54:21 +0000
commit829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (patch)
treee03b9f1bd051e844b971936729e9df549a209130 /src/lib/libssl/s3_srvr.c
parente6b755d2a53d3cac7a344dfdd6bf7c951cac754c (diff)
downloadopenbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.gz
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.bz2
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.zip
import OpenSSL-1.0.0a
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c855
1 files changed, 595 insertions, 260 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 80b45eb86f..92f73b6681 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* ssl/s3_srvr.c */ 1/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -121,6 +121,32 @@
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 * 122 *
123 */ 123 */
124/* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
124 150
125#define REUSE_CIPHER_BUG 151#define REUSE_CIPHER_BUG
126#define NETSCAPE_HANG_BUG 152#define NETSCAPE_HANG_BUG
@@ -143,12 +169,9 @@
143#endif 169#endif
144#include <openssl/md5.h> 170#include <openssl/md5.h>
145 171
146static SSL_METHOD *ssl3_get_server_method(int ver); 172static const SSL_METHOD *ssl3_get_server_method(int ver);
147#ifndef OPENSSL_NO_ECDH
148static int nid2curve_id(int nid);
149#endif
150 173
151static SSL_METHOD *ssl3_get_server_method(int ver) 174static const SSL_METHOD *ssl3_get_server_method(int ver)
152 { 175 {
153 if (ver == SSL3_VERSION) 176 if (ver == SSL3_VERSION)
154 return(SSLv3_server_method()); 177 return(SSLv3_server_method());
@@ -164,9 +187,8 @@ IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
164int ssl3_accept(SSL *s) 187int ssl3_accept(SSL *s)
165 { 188 {
166 BUF_MEM *buf; 189 BUF_MEM *buf;
167 unsigned long l,Time=(unsigned long)time(NULL); 190 unsigned long alg_k,Time=(unsigned long)time(NULL);
168 void (*cb)(const SSL *ssl,int type,int val)=NULL; 191 void (*cb)(const SSL *ssl,int type,int val)=NULL;
169 long num1;
170 int ret= -1; 192 int ret= -1;
171 int new_state,state,skip=0; 193 int new_state,state,skip=0;
172 194
@@ -248,6 +270,18 @@ int ssl3_accept(SSL *s)
248 s->state=SSL3_ST_SR_CLNT_HELLO_A; 270 s->state=SSL3_ST_SR_CLNT_HELLO_A;
249 s->ctx->stats.sess_accept++; 271 s->ctx->stats.sess_accept++;
250 } 272 }
273 else if (!s->s3->send_connection_binding &&
274 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
275 {
276 /* Server attempting to renegotiate with
277 * client that doesn't support secure
278 * renegotiation.
279 */
280 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
281 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
282 ret = -1;
283 goto end;
284 }
251 else 285 else
252 { 286 {
253 /* s->state == SSL_ST_RENEGOTIATE, 287 /* s->state == SSL_ST_RENEGOTIATE,
@@ -281,6 +315,7 @@ int ssl3_accept(SSL *s)
281 s->shutdown=0; 315 s->shutdown=0;
282 ret=ssl3_get_client_hello(s); 316 ret=ssl3_get_client_hello(s);
283 if (ret <= 0) goto end; 317 if (ret <= 0) goto end;
318
284 s->new_session = 2; 319 s->new_session = 2;
285 s->state=SSL3_ST_SW_SRVR_HELLO_A; 320 s->state=SSL3_ST_SW_SRVR_HELLO_A;
286 s->init_num=0; 321 s->init_num=0;
@@ -309,9 +344,11 @@ int ssl3_accept(SSL *s)
309 344
310 case SSL3_ST_SW_CERT_A: 345 case SSL3_ST_SW_CERT_A:
311 case SSL3_ST_SW_CERT_B: 346 case SSL3_ST_SW_CERT_B:
312 /* Check if it is anon DH or anon ECDH or KRB5 */ 347 /* Check if it is anon DH or anon ECDH, */
313 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) 348 /* normal PSK or KRB5 */
314 && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 349 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
350 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
351 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
315 { 352 {
316 ret=ssl3_send_server_certificate(s); 353 ret=ssl3_send_server_certificate(s);
317 if (ret <= 0) goto end; 354 if (ret <= 0) goto end;
@@ -338,13 +375,13 @@ int ssl3_accept(SSL *s)
338 375
339 case SSL3_ST_SW_KEY_EXCH_A: 376 case SSL3_ST_SW_KEY_EXCH_A:
340 case SSL3_ST_SW_KEY_EXCH_B: 377 case SSL3_ST_SW_KEY_EXCH_B:
341 l=s->s3->tmp.new_cipher->algorithms; 378 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
342 379
343 /* clear this, it may get reset by 380 /* clear this, it may get reset by
344 * send_server_key_exchange */ 381 * send_server_key_exchange */
345 if ((s->options & SSL_OP_EPHEMERAL_RSA) 382 if ((s->options & SSL_OP_EPHEMERAL_RSA)
346#ifndef OPENSSL_NO_KRB5 383#ifndef OPENSSL_NO_KRB5
347 && !(l & SSL_KRB5) 384 && !(alg_k & SSL_kKRB5)
348#endif /* OPENSSL_NO_KRB5 */ 385#endif /* OPENSSL_NO_KRB5 */
349 ) 386 )
350 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 387 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
@@ -359,16 +396,23 @@ int ssl3_accept(SSL *s)
359 /* only send if a DH key exchange, fortezza or 396 /* only send if a DH key exchange, fortezza or
360 * RSA but we have a sign only certificate 397 * RSA but we have a sign only certificate
361 * 398 *
399 * PSK: may send PSK identity hints
400 *
362 * For ECC ciphersuites, we send a serverKeyExchange 401 * For ECC ciphersuites, we send a serverKeyExchange
363 * message only if the cipher suite is either 402 * message only if the cipher suite is either
364 * ECDH-anon or ECDHE. In other cases, the 403 * ECDH-anon or ECDHE. In other cases, the
365 * server certificate contains the server's 404 * server certificate contains the server's
366 * public key for key exchange. 405 * public key for key exchange.
367 */ 406 */
368 if (s->s3->tmp.use_rsa_tmp 407 if (s->s3->tmp.use_rsa_tmp
369 || (l & SSL_kECDHE) 408 /* PSK: send ServerKeyExchange if PSK identity
370 || (l & (SSL_DH|SSL_kFZA)) 409 * hint if provided */
371 || ((l & SSL_kRSA) 410#ifndef OPENSSL_NO_PSK
411 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
412#endif
413 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
414 || (alg_k & SSL_kEECDH)
415 || ((alg_k & SSL_kRSA)
372 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 416 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
373 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 417 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
374 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 418 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
@@ -398,12 +442,15 @@ int ssl3_accept(SSL *s)
398 /* never request cert in anonymous ciphersuites 442 /* never request cert in anonymous ciphersuites
399 * (see section "Certificate request" in SSL 3 drafts 443 * (see section "Certificate request" in SSL 3 drafts
400 * and in RFC 2246): */ 444 * and in RFC 2246): */
401 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 445 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
402 /* ... except when the application insists on verification 446 /* ... except when the application insists on verification
403 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 447 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
404 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 448 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
405 /* never request cert in Kerberos ciphersuites */ 449 /* never request cert in Kerberos ciphersuites */
406 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 450 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
451 /* With normal PSK Certificates and
452 * Certificate Requests are omitted */
453 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
407 { 454 {
408 /* no cert request */ 455 /* no cert request */
409 skip=1; 456 skip=1;
@@ -435,15 +482,24 @@ int ssl3_accept(SSL *s)
435 break; 482 break;
436 483
437 case SSL3_ST_SW_FLUSH: 484 case SSL3_ST_SW_FLUSH:
438 /* number of bytes to be flushed */ 485
439 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 486 /* This code originally checked to see if
440 if (num1 > 0) 487 * any data was pending using BIO_CTRL_INFO
488 * and then flushed. This caused problems
489 * as documented in PR#1939. The proposed
490 * fix doesn't completely resolve this issue
491 * as buggy implementations of BIO_CTRL_PENDING
492 * still exist. So instead we just flush
493 * unconditionally.
494 */
495
496 s->rwstate=SSL_WRITING;
497 if (BIO_flush(s->wbio) <= 0)
441 { 498 {
442 s->rwstate=SSL_WRITING; 499 ret= -1;
443 num1=BIO_flush(s->wbio); 500 goto end;
444 if (num1 <= 0) { ret= -1; goto end; }
445 s->rwstate=SSL_NOTHING;
446 } 501 }
502 s->rwstate=SSL_NOTHING;
447 503
448 s->state=s->s3->tmp.next_state; 504 s->state=s->s3->tmp.next_state;
449 break; 505 break;
@@ -470,7 +526,7 @@ int ssl3_accept(SSL *s)
470 case SSL3_ST_SR_KEY_EXCH_A: 526 case SSL3_ST_SR_KEY_EXCH_A:
471 case SSL3_ST_SR_KEY_EXCH_B: 527 case SSL3_ST_SR_KEY_EXCH_B:
472 ret=ssl3_get_client_key_exchange(s); 528 ret=ssl3_get_client_key_exchange(s);
473 if (ret <= 0) 529 if (ret <= 0)
474 goto end; 530 goto end;
475 if (ret == 2) 531 if (ret == 2)
476 { 532 {
@@ -478,24 +534,43 @@ int ssl3_accept(SSL *s)
478 * the client sends its ECDH pub key in 534 * the client sends its ECDH pub key in
479 * a certificate, the CertificateVerify 535 * a certificate, the CertificateVerify
480 * message is not sent. 536 * message is not sent.
537 * Also for GOST ciphersuites when
538 * the client uses its key from the certificate
539 * for key exchange.
481 */ 540 */
482 s->state=SSL3_ST_SR_FINISHED_A; 541 s->state=SSL3_ST_SR_FINISHED_A;
483 s->init_num = 0; 542 s->init_num = 0;
484 } 543 }
485 else 544 else
486 { 545 {
546 int offset=0;
547 int dgst_num;
548
487 s->state=SSL3_ST_SR_CERT_VRFY_A; 549 s->state=SSL3_ST_SR_CERT_VRFY_A;
488 s->init_num=0; 550 s->init_num=0;
489 551
490 /* We need to get hashes here so if there is 552 /* We need to get hashes here so if there is
491 * a client cert, it can be verified 553 * a client cert, it can be verified
492 */ 554 * FIXME - digest processing for CertificateVerify
493 s->method->ssl3_enc->cert_verify_mac(s, 555 * should be generalized. But it is next step
494 &(s->s3->finish_dgst1), 556 */
495 &(s->s3->tmp.cert_verify_md[0])); 557 if (s->s3->handshake_buffer)
496 s->method->ssl3_enc->cert_verify_mac(s, 558 if (!ssl3_digest_cached_records(s))
497 &(s->s3->finish_dgst2), 559 return -1;
498 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 560 for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
561 if (s->s3->handshake_dgst[dgst_num])
562 {
563 int dgst_size;
564
565 s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
566 dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
567 if (dgst_size < 0)
568 {
569 ret = -1;
570 goto end;
571 }
572 offset+=dgst_size;
573 }
499 } 574 }
500 break; 575 break;
501 576
@@ -515,11 +590,14 @@ int ssl3_accept(SSL *s)
515 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 590 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
516 SSL3_ST_SR_FINISHED_B); 591 SSL3_ST_SR_FINISHED_B);
517 if (ret <= 0) goto end; 592 if (ret <= 0) goto end;
518 if (s->hit)
519 s->state=SSL_ST_OK;
520#ifndef OPENSSL_NO_TLSEXT 593#ifndef OPENSSL_NO_TLSEXT
521 else if (s->tlsext_ticket_expected) 594 if (s->tlsext_ticket_expected)
522 s->state=SSL3_ST_SW_SESSION_TICKET_A; 595 s->state=SSL3_ST_SW_SESSION_TICKET_A;
596 else if (s->hit)
597 s->state=SSL_ST_OK;
598#else
599 if (s->hit)
600 s->state=SSL_ST_OK;
523#endif 601#endif
524 else 602 else
525 s->state=SSL3_ST_SW_CHANGE_A; 603 s->state=SSL3_ST_SW_CHANGE_A;
@@ -749,7 +827,7 @@ int ssl3_get_client_hello(SSL *s)
749 (s->version != DTLS1_VERSION && s->client_version < s->version)) 827 (s->version != DTLS1_VERSION && s->client_version < s->version))
750 { 828 {
751 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 829 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
752 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 830 if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
753 { 831 {
754 /* similar to ssl3_get_record, send alert using remote version number */ 832 /* similar to ssl3_get_record, send alert using remote version number */
755 s->version = s->client_version; 833 s->version = s->client_version;
@@ -758,6 +836,21 @@ int ssl3_get_client_hello(SSL *s)
758 goto f_err; 836 goto f_err;
759 } 837 }
760 838
839 /* If we require cookies and this ClientHello doesn't
840 * contain one, just return since we do not want to
841 * allocate any memory yet. So check cookie length...
842 */
843 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
844 {
845 unsigned int session_length, cookie_length;
846
847 session_length = *(p + SSL3_RANDOM_SIZE);
848 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
849
850 if (cookie_length == 0)
851 return 1;
852 }
853
761 /* load the client random */ 854 /* load the client random */
762 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 855 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
763 p+=SSL3_RANDOM_SIZE; 856 p+=SSL3_RANDOM_SIZE;
@@ -797,23 +890,11 @@ int ssl3_get_client_hello(SSL *s)
797 890
798 p+=j; 891 p+=j;
799 892
800 if (s->version == DTLS1_VERSION) 893 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
801 { 894 {
802 /* cookie stuff */ 895 /* cookie stuff */
803 cookie_len = *(p++); 896 cookie_len = *(p++);
804 897
805 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
806 s->d1->send_cookie == 0)
807 {
808 /* HelloVerifyMessage has already been sent */
809 if ( cookie_len != s->d1->cookie_len)
810 {
811 al = SSL_AD_HANDSHAKE_FAILURE;
812 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
813 goto f_err;
814 }
815 }
816
817 /* 898 /*
818 * The ClientHello may contain a cookie even if the 899 * The ClientHello may contain a cookie even if the
819 * HelloVerify message has not been sent--make sure that it 900 * HelloVerify message has not been sent--make sure that it
@@ -828,7 +909,7 @@ int ssl3_get_client_hello(SSL *s)
828 } 909 }
829 910
830 /* verify the cookie if appropriate option is set. */ 911 /* verify the cookie if appropriate option is set. */
831 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 912 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
832 cookie_len > 0) 913 cookie_len > 0)
833 { 914 {
834 memcpy(s->d1->rcvd_cookie, p, cookie_len); 915 memcpy(s->d1->rcvd_cookie, p, cookie_len);
@@ -853,6 +934,8 @@ int ssl3_get_client_hello(SSL *s)
853 SSL_R_COOKIE_MISMATCH); 934 SSL_R_COOKIE_MISMATCH);
854 goto f_err; 935 goto f_err;
855 } 936 }
937
938 ret = 2;
856 } 939 }
857 940
858 p += cookie_len; 941 p += cookie_len;
@@ -952,7 +1035,7 @@ int ssl3_get_client_hello(SSL *s)
952 1035
953#ifndef OPENSSL_NO_TLSEXT 1036#ifndef OPENSSL_NO_TLSEXT
954 /* TLS extensions*/ 1037 /* TLS extensions*/
955 if (s->version > SSL3_VERSION) 1038 if (s->version >= SSL3_VERSION)
956 { 1039 {
957 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) 1040 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
958 { 1041 {
@@ -965,13 +1048,110 @@ int ssl3_get_client_hello(SSL *s)
965 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1048 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
966 goto err; 1049 goto err;
967 } 1050 }
1051
1052 /* Check if we want to use external pre-shared secret for this
1053 * handshake for not reused session only. We need to generate
1054 * server_random before calling tls_session_secret_cb in order to allow
1055 * SessionTicket processing to use it in key derivation. */
1056 {
1057 unsigned long Time;
1058 unsigned char *pos;
1059 Time=(unsigned long)time(NULL); /* Time */
1060 pos=s->s3->server_random;
1061 l2n(Time,pos);
1062 if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
1063 {
1064 al=SSL_AD_INTERNAL_ERROR;
1065 goto f_err;
1066 }
1067 }
1068
1069 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
1070 {
1071 SSL_CIPHER *pref_cipher=NULL;
1072
1073 s->session->master_key_length=sizeof(s->session->master_key);
1074 if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
1075 ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
1076 {
1077 s->hit=1;
1078 s->session->ciphers=ciphers;
1079 s->session->verify_result=X509_V_OK;
1080
1081 ciphers=NULL;
1082
1083 /* check if some cipher was preferred by call back */
1084 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1085 if (pref_cipher == NULL)
1086 {
1087 al=SSL_AD_HANDSHAKE_FAILURE;
1088 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1089 goto f_err;
1090 }
1091
1092 s->session->cipher=pref_cipher;
1093
1094 if (s->cipher_list)
1095 sk_SSL_CIPHER_free(s->cipher_list);
1096
1097 if (s->cipher_list_by_id)
1098 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1099
1100 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1101 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1102 }
1103 }
968#endif 1104#endif
1105
969 /* Worst case, we will use the NULL compression, but if we have other 1106 /* Worst case, we will use the NULL compression, but if we have other
970 * options, we will now look for them. We have i-1 compression 1107 * options, we will now look for them. We have i-1 compression
971 * algorithms from the client, starting at q. */ 1108 * algorithms from the client, starting at q. */
972 s->s3->tmp.new_compression=NULL; 1109 s->s3->tmp.new_compression=NULL;
973#ifndef OPENSSL_NO_COMP 1110#ifndef OPENSSL_NO_COMP
974 if (s->ctx->comp_methods != NULL) 1111 /* This only happens if we have a cache hit */
1112 if (s->session->compress_meth != 0)
1113 {
1114 int m, comp_id = s->session->compress_meth;
1115 /* Perform sanity checks on resumed compression algorithm */
1116 /* Can't disable compression */
1117 if (s->options & SSL_OP_NO_COMPRESSION)
1118 {
1119 al=SSL_AD_INTERNAL_ERROR;
1120 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1121 goto f_err;
1122 }
1123 /* Look for resumed compression method */
1124 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
1125 {
1126 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
1127 if (comp_id == comp->id)
1128 {
1129 s->s3->tmp.new_compression=comp;
1130 break;
1131 }
1132 }
1133 if (s->s3->tmp.new_compression == NULL)
1134 {
1135 al=SSL_AD_INTERNAL_ERROR;
1136 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
1137 goto f_err;
1138 }
1139 /* Look for resumed method in compression list */
1140 for (m = 0; m < i; m++)
1141 {
1142 if (q[m] == comp_id)
1143 break;
1144 }
1145 if (m >= i)
1146 {
1147 al=SSL_AD_ILLEGAL_PARAMETER;
1148 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1149 goto f_err;
1150 }
1151 }
1152 else if (s->hit)
1153 comp = NULL;
1154 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
975 { /* See if we have a match */ 1155 { /* See if we have a match */
976 int m,nn,o,v,done=0; 1156 int m,nn,o,v,done=0;
977 1157
@@ -995,22 +1175,15 @@ int ssl3_get_client_hello(SSL *s)
995 else 1175 else
996 comp=NULL; 1176 comp=NULL;
997 } 1177 }
998#endif 1178#else
999 1179 /* If compression is disabled we'd better not try to resume a session
1000 /* TLS does not mind if there is extra stuff */ 1180 * using compression.
1001#if 0 /* SSL 3.0 does not mind either, so we should disable this test 1181 */
1002 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, 1182 if (s->session->compress_meth != 0)
1003 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
1004 if (s->version == SSL3_VERSION)
1005 { 1183 {
1006 if (p < (d+n)) 1184 al=SSL_AD_INTERNAL_ERROR;
1007 { 1185 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1008 /* wrong number of bytes, 1186 goto f_err;
1009 * there could be more to follow */
1010 al=SSL_AD_DECODE_ERROR;
1011 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
1012 goto f_err;
1013 }
1014 } 1187 }
1015#endif 1188#endif
1016 1189
@@ -1059,7 +1232,7 @@ int ssl3_get_client_hello(SSL *s)
1059 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1232 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1060 { 1233 {
1061 c=sk_SSL_CIPHER_value(sk,i); 1234 c=sk_SSL_CIPHER_value(sk,i);
1062 if (c->algorithms & SSL_eNULL) 1235 if (c->algorithm_enc & SSL_eNULL)
1063 nc=c; 1236 nc=c;
1064 if (SSL_C_IS_EXPORT(c)) 1237 if (SSL_C_IS_EXPORT(c))
1065 ec=c; 1238 ec=c;
@@ -1075,6 +1248,9 @@ int ssl3_get_client_hello(SSL *s)
1075#endif 1248#endif
1076 s->s3->tmp.new_cipher=s->session->cipher; 1249 s->s3->tmp.new_cipher=s->session->cipher;
1077 } 1250 }
1251
1252 if (!ssl3_digest_cached_records(s))
1253 goto f_err;
1078 1254
1079 /* we now have the following setup. 1255 /* we now have the following setup.
1080 * client_random 1256 * client_random
@@ -1087,7 +1263,7 @@ int ssl3_get_client_hello(SSL *s)
1087 * s->tmp.new_cipher - the new cipher to use. 1263 * s->tmp.new_cipher - the new cipher to use.
1088 */ 1264 */
1089 1265
1090 ret=1; 1266 if (ret < 0) ret=1;
1091 if (0) 1267 if (0)
1092 { 1268 {
1093f_err: 1269f_err:
@@ -1103,16 +1279,22 @@ int ssl3_send_server_hello(SSL *s)
1103 unsigned char *buf; 1279 unsigned char *buf;
1104 unsigned char *p,*d; 1280 unsigned char *p,*d;
1105 int i,sl; 1281 int i,sl;
1106 unsigned long l,Time; 1282 unsigned long l;
1283#ifdef OPENSSL_NO_TLSEXT
1284 unsigned long Time;
1285#endif
1107 1286
1108 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1287 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
1109 { 1288 {
1110 buf=(unsigned char *)s->init_buf->data; 1289 buf=(unsigned char *)s->init_buf->data;
1290#ifdef OPENSSL_NO_TLSEXT
1111 p=s->s3->server_random; 1291 p=s->s3->server_random;
1292 /* Generate server_random if it was not needed previously */
1112 Time=(unsigned long)time(NULL); /* Time */ 1293 Time=(unsigned long)time(NULL); /* Time */
1113 l2n(Time,p); 1294 l2n(Time,p);
1114 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1295 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
1115 return -1; 1296 return -1;
1297#endif
1116 /* Do the message type and length last */ 1298 /* Do the message type and length last */
1117 d=p= &(buf[4]); 1299 d=p= &(buf[4]);
1118 1300
@@ -1166,6 +1348,11 @@ int ssl3_send_server_hello(SSL *s)
1166 *(p++)=s->s3->tmp.new_compression->id; 1348 *(p++)=s->s3->tmp.new_compression->id;
1167#endif 1349#endif
1168#ifndef OPENSSL_NO_TLSEXT 1350#ifndef OPENSSL_NO_TLSEXT
1351 if (ssl_prepare_serverhello_tlsext(s) <= 0)
1352 {
1353 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1354 return -1;
1355 }
1169 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1356 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
1170 { 1357 {
1171 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); 1358 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
@@ -1245,7 +1432,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1245 EVP_MD_CTX_init(&md_ctx); 1432 EVP_MD_CTX_init(&md_ctx);
1246 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1433 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
1247 { 1434 {
1248 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1435 type=s->s3->tmp.new_cipher->algorithm_mkey;
1249 cert=s->cert; 1436 cert=s->cert;
1250 1437
1251 buf=s->init_buf; 1438 buf=s->init_buf;
@@ -1340,7 +1527,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1340 else 1527 else
1341#endif 1528#endif
1342#ifndef OPENSSL_NO_ECDH 1529#ifndef OPENSSL_NO_ECDH
1343 if (type & SSL_kECDHE) 1530 if (type & SSL_kEECDH)
1344 { 1531 {
1345 const EC_GROUP *group; 1532 const EC_GROUP *group;
1346 1533
@@ -1410,7 +1597,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1410 * supported named curves, curve_id is non-zero. 1597 * supported named curves, curve_id is non-zero.
1411 */ 1598 */
1412 if ((curve_id = 1599 if ((curve_id =
1413 nid2curve_id(EC_GROUP_get_curve_name(group))) 1600 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
1414 == 0) 1601 == 0)
1415 { 1602 {
1416 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1603 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
@@ -1467,6 +1654,14 @@ int ssl3_send_server_key_exchange(SSL *s)
1467 } 1654 }
1468 else 1655 else
1469#endif /* !OPENSSL_NO_ECDH */ 1656#endif /* !OPENSSL_NO_ECDH */
1657#ifndef OPENSSL_NO_PSK
1658 if (type & SSL_kPSK)
1659 {
1660 /* reserve size for record length and PSK identity hint*/
1661 n+=2+strlen(s->ctx->psk_identity_hint);
1662 }
1663 else
1664#endif /* !OPENSSL_NO_PSK */
1470 { 1665 {
1471 al=SSL_AD_HANDSHAKE_FAILURE; 1666 al=SSL_AD_HANDSHAKE_FAILURE;
1472 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1667 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1478,7 +1673,8 @@ int ssl3_send_server_key_exchange(SSL *s)
1478 n+=2+nr[i]; 1673 n+=2+nr[i];
1479 } 1674 }
1480 1675
1481 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 1676 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1677 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
1482 { 1678 {
1483 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1679 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
1484 == NULL) 1680 == NULL)
@@ -1510,7 +1706,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1510 } 1706 }
1511 1707
1512#ifndef OPENSSL_NO_ECDH 1708#ifndef OPENSSL_NO_ECDH
1513 if (type & SSL_kECDHE) 1709 if (type & SSL_kEECDH)
1514 { 1710 {
1515 /* XXX: For now, we only support named (not generic) curves. 1711 /* XXX: For now, we only support named (not generic) curves.
1516 * In this situation, the serverKeyExchange message has: 1712 * In this situation, the serverKeyExchange message has:
@@ -1534,6 +1730,16 @@ int ssl3_send_server_key_exchange(SSL *s)
1534 } 1730 }
1535#endif 1731#endif
1536 1732
1733#ifndef OPENSSL_NO_PSK
1734 if (type & SSL_kPSK)
1735 {
1736 /* copy PSK identity hint */
1737 s2n(strlen(s->ctx->psk_identity_hint), p);
1738 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
1739 p+=strlen(s->ctx->psk_identity_hint);
1740 }
1741#endif
1742
1537 /* not anonymous */ 1743 /* not anonymous */
1538 if (pkey != NULL) 1744 if (pkey != NULL)
1539 { 1745 {
@@ -1546,8 +1752,6 @@ int ssl3_send_server_key_exchange(SSL *s)
1546 j=0; 1752 j=0;
1547 for (num=2; num > 0; num--) 1753 for (num=2; num > 0; num--)
1548 { 1754 {
1549 EVP_MD_CTX_set_flags(&md_ctx,
1550 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1551 EVP_DigestInit_ex(&md_ctx,(num == 2) 1755 EVP_DigestInit_ex(&md_ctx,(num == 2)
1552 ?s->ctx->md5:s->ctx->sha1, NULL); 1756 ?s->ctx->md5:s->ctx->sha1, NULL);
1553 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1757 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1731,7 +1935,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1731 { 1935 {
1732 int i,al,ok; 1936 int i,al,ok;
1733 long n; 1937 long n;
1734 unsigned long l; 1938 unsigned long alg_k;
1735 unsigned char *p; 1939 unsigned char *p;
1736#ifndef OPENSSL_NO_RSA 1940#ifndef OPENSSL_NO_RSA
1737 RSA *rsa=NULL; 1941 RSA *rsa=NULL;
@@ -1742,7 +1946,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1742 DH *dh_srvr; 1946 DH *dh_srvr;
1743#endif 1947#endif
1744#ifndef OPENSSL_NO_KRB5 1948#ifndef OPENSSL_NO_KRB5
1745 KSSL_ERR kssl_err; 1949 KSSL_ERR kssl_err;
1746#endif /* OPENSSL_NO_KRB5 */ 1950#endif /* OPENSSL_NO_KRB5 */
1747 1951
1748#ifndef OPENSSL_NO_ECDH 1952#ifndef OPENSSL_NO_ECDH
@@ -1762,10 +1966,10 @@ int ssl3_get_client_key_exchange(SSL *s)
1762 if (!ok) return((int)n); 1966 if (!ok) return((int)n);
1763 p=(unsigned char *)s->init_msg; 1967 p=(unsigned char *)s->init_msg;
1764 1968
1765 l=s->s3->tmp.new_cipher->algorithms; 1969 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1766 1970
1767#ifndef OPENSSL_NO_RSA 1971#ifndef OPENSSL_NO_RSA
1768 if (l & SSL_kRSA) 1972 if (alg_k & SSL_kRSA)
1769 { 1973 {
1770 /* FIX THIS UP EAY EAY EAY EAY */ 1974 /* FIX THIS UP EAY EAY EAY EAY */
1771 if (s->s3->tmp.use_rsa_tmp) 1975 if (s->s3->tmp.use_rsa_tmp)
@@ -1796,9 +2000,8 @@ int ssl3_get_client_key_exchange(SSL *s)
1796 rsa=pkey->pkey.rsa; 2000 rsa=pkey->pkey.rsa;
1797 } 2001 }
1798 2002
1799 /* TLS and [incidentally] DTLS, including pre-0.9.8f */ 2003 /* TLS and [incidentally] DTLS{0xFEFF} */
1800 if (s->version > SSL3_VERSION && 2004 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER)
1801 s->client_version != DTLS1_BAD_VER)
1802 { 2005 {
1803 n2s(p,i); 2006 n2s(p,i);
1804 if (n != i+2) 2007 if (n != i+2)
@@ -1872,7 +2075,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1872 else 2075 else
1873#endif 2076#endif
1874#ifndef OPENSSL_NO_DH 2077#ifndef OPENSSL_NO_DH
1875 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2078 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1876 { 2079 {
1877 n2s(p,i); 2080 n2s(p,i);
1878 if (n != i+2) 2081 if (n != i+2)
@@ -1935,30 +2138,30 @@ int ssl3_get_client_key_exchange(SSL *s)
1935 else 2138 else
1936#endif 2139#endif
1937#ifndef OPENSSL_NO_KRB5 2140#ifndef OPENSSL_NO_KRB5
1938 if (l & SSL_kKRB5) 2141 if (alg_k & SSL_kKRB5)
1939 { 2142 {
1940 krb5_error_code krb5rc; 2143 krb5_error_code krb5rc;
1941 krb5_data enc_ticket; 2144 krb5_data enc_ticket;
1942 krb5_data authenticator; 2145 krb5_data authenticator;
1943 krb5_data enc_pms; 2146 krb5_data enc_pms;
1944 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2147 KSSL_CTX *kssl_ctx = s->kssl_ctx;
1945 EVP_CIPHER_CTX ciph_ctx; 2148 EVP_CIPHER_CTX ciph_ctx;
1946 EVP_CIPHER *enc = NULL; 2149 const EVP_CIPHER *enc = NULL;
1947 unsigned char iv[EVP_MAX_IV_LENGTH]; 2150 unsigned char iv[EVP_MAX_IV_LENGTH];
1948 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2151 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
1949 + EVP_MAX_BLOCK_LENGTH]; 2152 + EVP_MAX_BLOCK_LENGTH];
1950 int padl, outl; 2153 int padl, outl;
1951 krb5_timestamp authtime = 0; 2154 krb5_timestamp authtime = 0;
1952 krb5_ticket_times ttimes; 2155 krb5_ticket_times ttimes;
1953 2156
1954 EVP_CIPHER_CTX_init(&ciph_ctx); 2157 EVP_CIPHER_CTX_init(&ciph_ctx);
1955 2158
1956 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2159 if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
1957 2160
1958 n2s(p,i); 2161 n2s(p,i);
1959 enc_ticket.length = i; 2162 enc_ticket.length = i;
1960 2163
1961 if (n < (int)enc_ticket.length + 6) 2164 if (n < (long)(enc_ticket.length + 6))
1962 { 2165 {
1963 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2166 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1964 SSL_R_DATA_LENGTH_TOO_LONG); 2167 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1971,7 +2174,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1971 n2s(p,i); 2174 n2s(p,i);
1972 authenticator.length = i; 2175 authenticator.length = i;
1973 2176
1974 if (n < (int)(enc_ticket.length + authenticator.length) + 6) 2177 if (n < (long)(enc_ticket.length + authenticator.length + 6))
1975 { 2178 {
1976 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2179 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1977 SSL_R_DATA_LENGTH_TOO_LONG); 2180 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -2004,19 +2207,19 @@ int ssl3_get_client_key_exchange(SSL *s)
2004 goto err; 2207 goto err;
2005 } 2208 }
2006 2209
2007 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2210 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2008 &kssl_err)) != 0) 2211 &kssl_err)) != 0)
2009 { 2212 {
2010#ifdef KSSL_DEBUG 2213#ifdef KSSL_DEBUG
2011 printf("kssl_sget_tkt rtn %d [%d]\n", 2214 printf("kssl_sget_tkt rtn %d [%d]\n",
2012 krb5rc, kssl_err.reason); 2215 krb5rc, kssl_err.reason);
2013 if (kssl_err.text) 2216 if (kssl_err.text)
2014 printf("kssl_err text= %s\n", kssl_err.text); 2217 printf("kssl_err text= %s\n", kssl_err.text);
2015#endif /* KSSL_DEBUG */ 2218#endif /* KSSL_DEBUG */
2016 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2017 kssl_err.reason); 2220 kssl_err.reason);
2018 goto err; 2221 goto err;
2019 } 2222 }
2020 2223
2021 /* Note: no authenticator is not considered an error, 2224 /* Note: no authenticator is not considered an error,
2022 ** but will return authtime == 0. 2225 ** but will return authtime == 0.
@@ -2025,29 +2228,29 @@ int ssl3_get_client_key_exchange(SSL *s)
2025 &authtime, &kssl_err)) != 0) 2228 &authtime, &kssl_err)) != 0)
2026 { 2229 {
2027#ifdef KSSL_DEBUG 2230#ifdef KSSL_DEBUG
2028 printf("kssl_check_authent rtn %d [%d]\n", 2231 printf("kssl_check_authent rtn %d [%d]\n",
2029 krb5rc, kssl_err.reason); 2232 krb5rc, kssl_err.reason);
2030 if (kssl_err.text) 2233 if (kssl_err.text)
2031 printf("kssl_err text= %s\n", kssl_err.text); 2234 printf("kssl_err text= %s\n", kssl_err.text);
2032#endif /* KSSL_DEBUG */ 2235#endif /* KSSL_DEBUG */
2033 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2236 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2034 kssl_err.reason); 2237 kssl_err.reason);
2035 goto err; 2238 goto err;
2036 } 2239 }
2037 2240
2038 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2241 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
2039 { 2242 {
2040 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2243 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2041 goto err; 2244 goto err;
2042 } 2245 }
2043 2246
2044#ifdef KSSL_DEBUG 2247#ifdef KSSL_DEBUG
2045 kssl_ctx_show(kssl_ctx); 2248 kssl_ctx_show(kssl_ctx);
2046#endif /* KSSL_DEBUG */ 2249#endif /* KSSL_DEBUG */
2047 2250
2048 enc = kssl_map_enc(kssl_ctx->enctype); 2251 enc = kssl_map_enc(kssl_ctx->enctype);
2049 if (enc == NULL) 2252 if (enc == NULL)
2050 goto err; 2253 goto err;
2051 2254
2052 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2255 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2053 2256
@@ -2094,7 +2297,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2094 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2297 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2095 */ 2298 */
2096 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2299 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
2097 { 2300 {
2098 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2099 SSL_AD_DECODE_ERROR); 2302 SSL_AD_DECODE_ERROR);
2100 goto err; 2303 goto err;
@@ -2103,32 +2306,32 @@ int ssl3_get_client_key_exchange(SSL *s)
2103 2306
2104 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2307 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2105 2308
2106 s->session->master_key_length= 2309 s->session->master_key_length=
2107 s->method->ssl3_enc->generate_master_secret(s, 2310 s->method->ssl3_enc->generate_master_secret(s,
2108 s->session->master_key, pms, outl); 2311 s->session->master_key, pms, outl);
2109 2312
2110 if (kssl_ctx->client_princ) 2313 if (kssl_ctx->client_princ)
2111 { 2314 {
2112 size_t len = strlen(kssl_ctx->client_princ); 2315 size_t len = strlen(kssl_ctx->client_princ);
2113 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2316 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
2114 { 2317 {
2115 s->session->krb5_client_princ_len = len; 2318 s->session->krb5_client_princ_len = len;
2116 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2319 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
2117 } 2320 }
2118 } 2321 }
2119 2322
2120 2323
2121 /* Was doing kssl_ctx_free() here, 2324 /* Was doing kssl_ctx_free() here,
2122 ** but it caused problems for apache. 2325 ** but it caused problems for apache.
2123 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2326 ** kssl_ctx = kssl_ctx_free(kssl_ctx);
2124 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2327 ** if (s->kssl_ctx) s->kssl_ctx = NULL;
2125 */ 2328 */
2126 } 2329 }
2127 else 2330 else
2128#endif /* OPENSSL_NO_KRB5 */ 2331#endif /* OPENSSL_NO_KRB5 */
2129 2332
2130#ifndef OPENSSL_NO_ECDH 2333#ifndef OPENSSL_NO_ECDH
2131 if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2334 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2132 { 2335 {
2133 int ret = 1; 2336 int ret = 1;
2134 int field_size = 0; 2337 int field_size = 0;
@@ -2136,18 +2339,18 @@ int ssl3_get_client_key_exchange(SSL *s)
2136 const EC_GROUP *group; 2339 const EC_GROUP *group;
2137 const BIGNUM *priv_key; 2340 const BIGNUM *priv_key;
2138 2341
2139 /* initialize structures for server's ECDH key pair */ 2342 /* initialize structures for server's ECDH key pair */
2140 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2343 if ((srvr_ecdh = EC_KEY_new()) == NULL)
2141 { 2344 {
2142 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2345 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2143 ERR_R_MALLOC_FAILURE); 2346 ERR_R_MALLOC_FAILURE);
2144 goto err; 2347 goto err;
2145 } 2348 }
2146 2349
2147 /* Let's get server private key and group information */ 2350 /* Let's get server private key and group information */
2148 if (l & SSL_kECDH) 2351 if (alg_k & (SSL_kECDHr|SSL_kECDHe))
2149 { 2352 {
2150 /* use the certificate */ 2353 /* use the certificate */
2151 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2354 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2152 } 2355 }
2153 else 2356 else
@@ -2177,20 +2380,20 @@ int ssl3_get_client_key_exchange(SSL *s)
2177 goto err; 2380 goto err;
2178 } 2381 }
2179 2382
2180 if (n == 0L) 2383 if (n == 0L)
2181 { 2384 {
2182 /* Client Publickey was in Client Certificate */ 2385 /* Client Publickey was in Client Certificate */
2183 2386
2184 if (l & SSL_kECDHE) 2387 if (alg_k & SSL_kEECDH)
2185 { 2388 {
2186 al=SSL_AD_HANDSHAKE_FAILURE; 2389 al=SSL_AD_HANDSHAKE_FAILURE;
2187 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2390 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
2188 goto f_err; 2391 goto f_err;
2189 } 2392 }
2190 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2393 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
2191 == NULL) || 2394 == NULL) ||
2192 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2395 (clnt_pub_pkey->type != EVP_PKEY_EC))
2193 { 2396 {
2194 /* XXX: For now, we do not support client 2397 /* XXX: For now, we do not support client
2195 * authentication using ECDH certificates 2398 * authentication using ECDH certificates
2196 * so this branch (n == 0L) of the code is 2399 * so this branch (n == 0L) of the code is
@@ -2202,11 +2405,11 @@ int ssl3_get_client_key_exchange(SSL *s)
2202 * the two ECDH shares are for the same 2405 * the two ECDH shares are for the same
2203 * group. 2406 * group.
2204 */ 2407 */
2205 al=SSL_AD_HANDSHAKE_FAILURE; 2408 al=SSL_AD_HANDSHAKE_FAILURE;
2206 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2409 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2207 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2410 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2208 goto f_err; 2411 goto f_err;
2209 } 2412 }
2210 2413
2211 if (EC_POINT_copy(clnt_ecpoint, 2414 if (EC_POINT_copy(clnt_ecpoint,
2212 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2415 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
@@ -2215,10 +2418,10 @@ int ssl3_get_client_key_exchange(SSL *s)
2215 ERR_R_EC_LIB); 2418 ERR_R_EC_LIB);
2216 goto err; 2419 goto err;
2217 } 2420 }
2218 ret = 2; /* Skip certificate verify processing */ 2421 ret = 2; /* Skip certificate verify processing */
2219 } 2422 }
2220 else 2423 else
2221 { 2424 {
2222 /* Get client's public key from encoded point 2425 /* Get client's public key from encoded point
2223 * in the ClientKeyExchange message. 2426 * in the ClientKeyExchange message.
2224 */ 2427 */
@@ -2229,21 +2432,21 @@ int ssl3_get_client_key_exchange(SSL *s)
2229 goto err; 2432 goto err;
2230 } 2433 }
2231 2434
2232 /* Get encoded point length */ 2435 /* Get encoded point length */
2233 i = *p; 2436 i = *p;
2234 p += 1; 2437 p += 1;
2235 if (EC_POINT_oct2point(group, 2438 if (EC_POINT_oct2point(group,
2236 clnt_ecpoint, p, i, bn_ctx) == 0) 2439 clnt_ecpoint, p, i, bn_ctx) == 0)
2237 { 2440 {
2238 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2441 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2239 ERR_R_EC_LIB); 2442 ERR_R_EC_LIB);
2240 goto err; 2443 goto err;
2241 } 2444 }
2242 /* p is pointing to somewhere in the buffer 2445 /* p is pointing to somewhere in the buffer
2243 * currently, so set it to the start 2446 * currently, so set it to the start
2244 */ 2447 */
2245 p=(unsigned char *)s->init_buf->data; 2448 p=(unsigned char *)s->init_buf->data;
2246 } 2449 }
2247 2450
2248 /* Compute the shared pre-master secret */ 2451 /* Compute the shared pre-master secret */
2249 field_size = EC_GROUP_get_degree(group); 2452 field_size = EC_GROUP_get_degree(group);
@@ -2254,28 +2457,190 @@ int ssl3_get_client_key_exchange(SSL *s)
2254 goto err; 2457 goto err;
2255 } 2458 }
2256 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2459 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2257 if (i <= 0) 2460 if (i <= 0)
2258 { 2461 {
2259 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2462 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2260 ERR_R_ECDH_LIB); 2463 ERR_R_ECDH_LIB);
2261 goto err; 2464 goto err;
2262 } 2465 }
2263 2466
2264 EVP_PKEY_free(clnt_pub_pkey); 2467 EVP_PKEY_free(clnt_pub_pkey);
2265 EC_POINT_free(clnt_ecpoint); 2468 EC_POINT_free(clnt_ecpoint);
2266 if (srvr_ecdh != NULL) 2469 EC_KEY_free(srvr_ecdh);
2267 EC_KEY_free(srvr_ecdh);
2268 BN_CTX_free(bn_ctx); 2470 BN_CTX_free(bn_ctx);
2471 EC_KEY_free(s->s3->tmp.ecdh);
2472 s->s3->tmp.ecdh = NULL;
2269 2473
2270 /* Compute the master secret */ 2474 /* Compute the master secret */
2271 s->session->master_key_length = s->method->ssl3_enc-> \ 2475 s->session->master_key_length = s->method->ssl3_enc-> \
2272 generate_master_secret(s, s->session->master_key, p, i); 2476 generate_master_secret(s, s->session->master_key, p, i);
2273 2477
2274 OPENSSL_cleanse(p, i); 2478 OPENSSL_cleanse(p, i);
2275 return (ret); 2479 return (ret);
2276 } 2480 }
2277 else 2481 else
2278#endif 2482#endif
2483#ifndef OPENSSL_NO_PSK
2484 if (alg_k & SSL_kPSK)
2485 {
2486 unsigned char *t = NULL;
2487 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
2488 unsigned int pre_ms_len = 0, psk_len = 0;
2489 int psk_err = 1;
2490 char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2491
2492 al=SSL_AD_HANDSHAKE_FAILURE;
2493
2494 n2s(p,i);
2495 if (n != i+2)
2496 {
2497 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2498 SSL_R_LENGTH_MISMATCH);
2499 goto psk_err;
2500 }
2501 if (i > PSK_MAX_IDENTITY_LEN)
2502 {
2503 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2504 SSL_R_DATA_LENGTH_TOO_LONG);
2505 goto psk_err;
2506 }
2507 if (s->psk_server_callback == NULL)
2508 {
2509 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2510 SSL_R_PSK_NO_SERVER_CB);
2511 goto psk_err;
2512 }
2513
2514 /* Create guaranteed NULL-terminated identity
2515 * string for the callback */
2516 memcpy(tmp_id, p, i);
2517 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
2518 psk_len = s->psk_server_callback(s, tmp_id,
2519 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2520 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1);
2521
2522 if (psk_len > PSK_MAX_PSK_LEN)
2523 {
2524 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2525 ERR_R_INTERNAL_ERROR);
2526 goto psk_err;
2527 }
2528 else if (psk_len == 0)
2529 {
2530 /* PSK related to the given identity not found */
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 SSL_R_PSK_IDENTITY_NOT_FOUND);
2533 al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2534 goto psk_err;
2535 }
2536
2537 /* create PSK pre_master_secret */
2538 pre_ms_len=2+psk_len+2+psk_len;
2539 t = psk_or_pre_ms;
2540 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
2541 s2n(psk_len, t);
2542 memset(t, 0, psk_len);
2543 t+=psk_len;
2544 s2n(psk_len, t);
2545
2546 if (s->session->psk_identity != NULL)
2547 OPENSSL_free(s->session->psk_identity);
2548 s->session->psk_identity = BUF_strdup((char *)p);
2549 if (s->session->psk_identity == NULL)
2550 {
2551 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2552 ERR_R_MALLOC_FAILURE);
2553 goto psk_err;
2554 }
2555
2556 if (s->session->psk_identity_hint != NULL)
2557 OPENSSL_free(s->session->psk_identity_hint);
2558 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2559 if (s->ctx->psk_identity_hint != NULL &&
2560 s->session->psk_identity_hint == NULL)
2561 {
2562 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2563 ERR_R_MALLOC_FAILURE);
2564 goto psk_err;
2565 }
2566
2567 s->session->master_key_length=
2568 s->method->ssl3_enc->generate_master_secret(s,
2569 s->session->master_key, psk_or_pre_ms, pre_ms_len);
2570 psk_err = 0;
2571 psk_err:
2572 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2573 if (psk_err != 0)
2574 goto f_err;
2575 }
2576 else
2577#endif
2578 if (alg_k & SSL_kGOST)
2579 {
2580 int ret = 0;
2581 EVP_PKEY_CTX *pkey_ctx;
2582 EVP_PKEY *client_pub_pkey = NULL;
2583 unsigned char premaster_secret[32], *start;
2584 size_t outlen=32, inlen;
2585
2586 /* Get our certificate private key*/
2587 pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);
2588 EVP_PKEY_decrypt_init(pkey_ctx);
2589 /* If client certificate is present and is of the same type, maybe
2590 * use it for key exchange. Don't mind errors from
2591 * EVP_PKEY_derive_set_peer, because it is completely valid to use
2592 * a client certificate for authorization only. */
2593 client_pub_pkey = X509_get_pubkey(s->session->peer);
2594 if (client_pub_pkey)
2595 {
2596 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2597 ERR_clear_error();
2598 }
2599 /* Decrypt session key */
2600 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED)))
2601 {
2602 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2603 goto gerr;
2604 }
2605 if (p[1] == 0x81)
2606 {
2607 start = p+3;
2608 inlen = p[2];
2609 }
2610 else if (p[1] < 0x80)
2611 {
2612 start = p+2;
2613 inlen = p[1];
2614 }
2615 else
2616 {
2617 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2618 goto gerr;
2619 }
2620 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0)
2621
2622 {
2623 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2624 goto gerr;
2625 }
2626 /* Generate master secret */
2627 s->session->master_key_length=
2628 s->method->ssl3_enc->generate_master_secret(s,
2629 s->session->master_key,premaster_secret,32);
2630 /* Check if pubkey from client certificate was used */
2631 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2632 ret = 2;
2633 else
2634 ret = 1;
2635 gerr:
2636 EVP_PKEY_free(client_pub_pkey);
2637 EVP_PKEY_CTX_free(pkey_ctx);
2638 if (ret)
2639 return ret;
2640 else
2641 goto err;
2642 }
2643 else
2279 { 2644 {
2280 al=SSL_AD_HANDSHAKE_FAILURE; 2645 al=SSL_AD_HANDSHAKE_FAILURE;
2281 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2646 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2365,15 +2730,25 @@ int ssl3_get_cert_verify(SSL *s)
2365 2730
2366 /* we now have a signature that we need to verify */ 2731 /* we now have a signature that we need to verify */
2367 p=(unsigned char *)s->init_msg; 2732 p=(unsigned char *)s->init_msg;
2368 n2s(p,i); 2733 /* Check for broken implementations of GOST ciphersuites */
2369 n-=2; 2734 /* If key is GOST and n is exactly 64, it is bare
2370 if (i > n) 2735 * signature without length field */
2736 if (n==64 && (pkey->type==NID_id_GostR3410_94 ||
2737 pkey->type == NID_id_GostR3410_2001) )
2371 { 2738 {
2372 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2739 i=64;
2373 al=SSL_AD_DECODE_ERROR; 2740 }
2374 goto f_err; 2741 else
2375 } 2742 {
2376 2743 n2s(p,i);
2744 n-=2;
2745 if (i > n)
2746 {
2747 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
2748 al=SSL_AD_DECODE_ERROR;
2749 goto f_err;
2750 }
2751 }
2377 j=EVP_PKEY_size(pkey); 2752 j=EVP_PKEY_size(pkey);
2378 if ((i > j) || (n > j) || (n <= 0)) 2753 if ((i > j) || (n > j) || (n <= 0))
2379 { 2754 {
@@ -2436,6 +2811,28 @@ int ssl3_get_cert_verify(SSL *s)
2436 } 2811 }
2437 else 2812 else
2438#endif 2813#endif
2814 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001)
2815 { unsigned char signature[64];
2816 int idx;
2817 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL);
2818 EVP_PKEY_verify_init(pctx);
2819 if (i!=64) {
2820 fprintf(stderr,"GOST signature length is %d",i);
2821 }
2822 for (idx=0;idx<64;idx++) {
2823 signature[63-idx]=p[idx];
2824 }
2825 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32);
2826 EVP_PKEY_CTX_free(pctx);
2827 if (j<=0)
2828 {
2829 al=SSL_AD_DECRYPT_ERROR;
2830 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2831 SSL_R_BAD_ECDSA_SIGNATURE);
2832 goto f_err;
2833 }
2834 }
2835 else
2439 { 2836 {
2440 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2837 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
2441 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2838 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
@@ -2618,14 +3015,15 @@ int ssl3_send_server_certificate(SSL *s)
2618 if (s->state == SSL3_ST_SW_CERT_A) 3015 if (s->state == SSL3_ST_SW_CERT_A)
2619 { 3016 {
2620 x=ssl_get_server_send_cert(s); 3017 x=ssl_get_server_send_cert(s);
2621 if (x == NULL && 3018 if (x == NULL)
2622 /* VRS: allow null cert if auth == KRB5 */
2623 (s->s3->tmp.new_cipher->algorithms
2624 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
2625 != (SSL_aKRB5|SSL_kKRB5))
2626 { 3019 {
2627 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 3020 /* VRS: allow null cert if auth == KRB5 */
2628 return(0); 3021 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
3022 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
3023 {
3024 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
3025 return(0);
3026 }
2629 } 3027 }
2630 3028
2631 l=ssl3_output_cert_chain(s,x); 3029 l=ssl3_output_cert_chain(s,x);
@@ -2637,70 +3035,6 @@ int ssl3_send_server_certificate(SSL *s)
2637 /* SSL3_ST_SW_CERT_B */ 3035 /* SSL3_ST_SW_CERT_B */
2638 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3036 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2639 } 3037 }
2640
2641
2642#ifndef OPENSSL_NO_ECDH
2643/* This is the complement of curve_id2nid in s3_clnt.c. */
2644static int nid2curve_id(int nid)
2645{
2646 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2647 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2648 switch (nid) {
2649 case NID_sect163k1: /* sect163k1 (1) */
2650 return 1;
2651 case NID_sect163r1: /* sect163r1 (2) */
2652 return 2;
2653 case NID_sect163r2: /* sect163r2 (3) */
2654 return 3;
2655 case NID_sect193r1: /* sect193r1 (4) */
2656 return 4;
2657 case NID_sect193r2: /* sect193r2 (5) */
2658 return 5;
2659 case NID_sect233k1: /* sect233k1 (6) */
2660 return 6;
2661 case NID_sect233r1: /* sect233r1 (7) */
2662 return 7;
2663 case NID_sect239k1: /* sect239k1 (8) */
2664 return 8;
2665 case NID_sect283k1: /* sect283k1 (9) */
2666 return 9;
2667 case NID_sect283r1: /* sect283r1 (10) */
2668 return 10;
2669 case NID_sect409k1: /* sect409k1 (11) */
2670 return 11;
2671 case NID_sect409r1: /* sect409r1 (12) */
2672 return 12;
2673 case NID_sect571k1: /* sect571k1 (13) */
2674 return 13;
2675 case NID_sect571r1: /* sect571r1 (14) */
2676 return 14;
2677 case NID_secp160k1: /* secp160k1 (15) */
2678 return 15;
2679 case NID_secp160r1: /* secp160r1 (16) */
2680 return 16;
2681 case NID_secp160r2: /* secp160r2 (17) */
2682 return 17;
2683 case NID_secp192k1: /* secp192k1 (18) */
2684 return 18;
2685 case NID_X9_62_prime192v1: /* secp192r1 (19) */
2686 return 19;
2687 case NID_secp224k1: /* secp224k1 (20) */
2688 return 20;
2689 case NID_secp224r1: /* secp224r1 (21) */
2690 return 21;
2691 case NID_secp256k1: /* secp256k1 (22) */
2692 return 22;
2693 case NID_X9_62_prime256v1: /* secp256r1 (23) */
2694 return 23;
2695 case NID_secp384r1: /* secp384r1 (24) */
2696 return 24;
2697 case NID_secp521r1: /* secp521r1 (25) */
2698 return 25;
2699 default:
2700 return 0;
2701 }
2702}
2703#endif
2704#ifndef OPENSSL_NO_TLSEXT 3038#ifndef OPENSSL_NO_TLSEXT
2705int ssl3_send_newsession_ticket(SSL *s) 3039int ssl3_send_newsession_ticket(SSL *s)
2706 { 3040 {
@@ -2711,6 +3045,7 @@ int ssl3_send_newsession_ticket(SSL *s)
2711 unsigned int hlen; 3045 unsigned int hlen;
2712 EVP_CIPHER_CTX ctx; 3046 EVP_CIPHER_CTX ctx;
2713 HMAC_CTX hctx; 3047 HMAC_CTX hctx;
3048 SSL_CTX *tctx = s->initial_ctx;
2714 unsigned char iv[EVP_MAX_IV_LENGTH]; 3049 unsigned char iv[EVP_MAX_IV_LENGTH];
2715 unsigned char key_name[16]; 3050 unsigned char key_name[16];
2716 3051
@@ -2749,9 +3084,9 @@ int ssl3_send_newsession_ticket(SSL *s)
2749 * it does all the work otherwise use generated values 3084 * it does all the work otherwise use generated values
2750 * from parent ctx. 3085 * from parent ctx.
2751 */ 3086 */
2752 if (s->ctx->tlsext_ticket_key_cb) 3087 if (tctx->tlsext_ticket_key_cb)
2753 { 3088 {
2754 if (s->ctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3089 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
2755 &hctx, 1) < 0) 3090 &hctx, 1) < 0)
2756 { 3091 {
2757 OPENSSL_free(senc); 3092 OPENSSL_free(senc);
@@ -2762,10 +3097,10 @@ int ssl3_send_newsession_ticket(SSL *s)
2762 { 3097 {
2763 RAND_pseudo_bytes(iv, 16); 3098 RAND_pseudo_bytes(iv, 16);
2764 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3099 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2765 s->ctx->tlsext_tick_aes_key, iv); 3100 tctx->tlsext_tick_aes_key, iv);
2766 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16, 3101 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
2767 tlsext_tick_md(), NULL); 3102 tlsext_tick_md(), NULL);
2768 memcpy(key_name, s->ctx->tlsext_tick_key_name, 16); 3103 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
2769 } 3104 }
2770 l2n(s->session->tlsext_tick_lifetime_hint, p); 3105 l2n(s->session->tlsext_tick_lifetime_hint, p);
2771 /* Skip ticket length for now */ 3106 /* Skip ticket length for now */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 22:52:20 +0000