summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
authorryker <>1998-10-05 20:13:14 +0000
committerryker <>1998-10-05 20:13:14 +0000
commitaeeae06a79815dc190061534d47236cec09f9e32 (patch)
tree851692b9c2f9c04f077666855641900f19fdb217 /src/lib/libssl/s3_srvr.c
parenta4f79641824cbf9f60ca9d1168d1fcc46717a82a (diff)
downloadopenbsd-aeeae06a79815dc190061534d47236cec09f9e32.tar.gz
openbsd-aeeae06a79815dc190061534d47236cec09f9e32.tar.bz2
openbsd-aeeae06a79815dc190061534d47236cec09f9e32.zip
Import of SSLeay-0.9.0b with RSA and IDEA stubbed + OpenBSD build
functionality for shared libs. Note that routines such as sslv2_init and friends that use RSA will not work due to lack of RSA in this library. Needs documentation and help from ports for easy upgrade to full functionality where legally possible.
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c1675
1 files changed, 1675 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
new file mode 100644
index 0000000000..64903af151
--- /dev/null
+++ b/src/lib/libssl/s3_srvr.c
@@ -0,0 +1,1675 @@
1/* ssl/s3_srvr.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#define REUSE_CIPHER_BUG
60
61#include <stdio.h>
62#include "buffer.h"
63#include "rand.h"
64#include "objects.h"
65#include "evp.h"
66#include "x509.h"
67#include "ssl_locl.h"
68
69#define BREAK break
70/* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
71 * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
72 * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
73 * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
74 * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
75 */
76
77#ifndef NOPROTO
78static int ssl3_get_client_hello(SSL *s);
79static int ssl3_send_server_hello(SSL *s);
80static int ssl3_send_server_key_exchange(SSL *s);
81static int ssl3_send_certificate_request(SSL *s);
82static int ssl3_send_server_done(SSL *s);
83static int ssl3_get_cert_verify(SSL *s);
84static int ssl3_get_client_key_exchange(SSL *s);
85static int ssl3_get_client_certificate(SSL *s);
86static int ssl3_send_hello_request(SSL *s);
87
88#else
89
90static int ssl3_get_client_hello();
91static int ssl3_send_server_hello();
92static int ssl3_send_server_key_exchange();
93static int ssl3_send_certificate_request();
94static int ssl3_send_server_done();
95static int ssl3_get_cert_verify();
96static int ssl3_get_client_key_exchange();
97static int ssl3_get_client_certificate();
98static int ssl3_send_hello_request();
99
100#endif
101
102static SSL_METHOD *ssl3_get_server_method(ver)
103int ver;
104 {
105 if (ver == SSL3_VERSION)
106 return(SSLv3_server_method());
107 else
108 return(NULL);
109 }
110
111SSL_METHOD *SSLv3_server_method()
112 {
113 static int init=1;
114 static SSL_METHOD SSLv3_server_data;
115
116 if (init)
117 {
118 init=0;
119 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
120 sizeof(SSL_METHOD));
121 SSLv3_server_data.ssl_accept=ssl3_accept;
122 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
123 }
124 return(&SSLv3_server_data);
125 }
126
127int ssl3_accept(s)
128SSL *s;
129 {
130 BUF_MEM *buf;
131 unsigned long l,Time=time(NULL);
132 void (*cb)()=NULL;
133 long num1;
134 int ret= -1;
135 CERT *ct;
136 BIO *under;
137 int new_state,state,skip=0;
138
139 RAND_seed((unsigned char *)&Time,sizeof(Time));
140 ERR_clear_error();
141 clear_sys_error();
142
143 if (s->info_callback != NULL)
144 cb=s->info_callback;
145 else if (s->ctx->info_callback != NULL)
146 cb=s->ctx->info_callback;
147
148 /* init things to blank */
149 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
150 s->in_handshake++;
151
152#ifdef undef
153 /* FIX THIS EAY EAY EAY */
154 /* we don't actually need a cert, we just need a cert or a DH_tmp */
155 if (((s->session == NULL) || (s->session->cert == NULL)) &&
156 (s->cert == NULL))
157 {
158 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
159 ret= -1;
160 goto end;
161 }
162#endif
163
164 for (;;)
165 {
166 state=s->state;
167
168 switch (s->state)
169 {
170 case SSL_ST_RENEGOTIATE:
171 s->new_session=1;
172 /* s->state=SSL_ST_ACCEPT; */
173
174 case SSL_ST_BEFORE:
175 case SSL_ST_ACCEPT:
176 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
177 case SSL_ST_OK|SSL_ST_ACCEPT:
178
179 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
180
181 if ((s->version>>8) != 3)
182 abort();
183 /* s->version=SSL3_VERSION; */
184 s->type=SSL_ST_ACCEPT;
185
186 if (s->init_buf == NULL)
187 {
188 if ((buf=BUF_MEM_new()) == NULL)
189 {
190 ret= -1;
191 goto end;
192 }
193 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
194 {
195 ret= -1;
196 goto end;
197 }
198 s->init_buf=buf;
199 }
200
201 if (!ssl3_setup_buffers(s))
202 {
203 ret= -1;
204 goto end;
205 }
206
207 /* Ok, we now need to push on a buffering BIO so that
208 * the output is sent in a way that TCP likes :-)
209 */
210 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
211
212 s->init_num=0;
213
214 if (s->state != SSL_ST_RENEGOTIATE)
215 {
216 s->state=SSL3_ST_SR_CLNT_HELLO_A;
217 ssl3_init_finished_mac(s);
218 s->ctx->sess_accept++;
219 }
220 else
221 {
222 s->ctx->sess_accept_renegotiate++;
223 s->state=SSL3_ST_SW_HELLO_REQ_A;
224 }
225 break;
226
227 case SSL3_ST_SW_HELLO_REQ_A:
228 case SSL3_ST_SW_HELLO_REQ_B:
229
230 s->shutdown=0;
231 ret=ssl3_send_hello_request(s);
232 if (ret <= 0) goto end;
233 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
234 s->state=SSL3_ST_SW_FLUSH;
235 s->init_num=0;
236
237 ssl3_init_finished_mac(s);
238 break;
239
240 case SSL3_ST_SW_HELLO_REQ_C:
241 /* remove buffering on output */
242 under=BIO_pop(s->wbio);
243 if (under != NULL)
244 s->wbio=under;
245 else
246 abort(); /* ok */
247 BIO_free(s->bbio);
248 s->bbio=NULL;
249
250 s->state=SSL_ST_OK;
251 ret=1;
252 goto end;
253 /* break; */
254
255 case SSL3_ST_SR_CLNT_HELLO_A:
256 case SSL3_ST_SR_CLNT_HELLO_B:
257 case SSL3_ST_SR_CLNT_HELLO_C:
258
259 s->shutdown=0;
260 ret=ssl3_get_client_hello(s);
261 if (ret <= 0) goto end;
262 s->state=SSL3_ST_SW_SRVR_HELLO_A;
263 s->init_num=0;
264 break;
265
266 case SSL3_ST_SW_SRVR_HELLO_A:
267 case SSL3_ST_SW_SRVR_HELLO_B:
268 ret=ssl3_send_server_hello(s);
269 if (ret <= 0) goto end;
270
271 if (s->hit)
272 s->state=SSL3_ST_SW_CHANGE_A;
273 else
274 s->state=SSL3_ST_SW_CERT_A;
275 s->init_num=0;
276 break;
277
278 case SSL3_ST_SW_CERT_A:
279 case SSL3_ST_SW_CERT_B:
280 /* Check if it is anon DH */
281 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
282 {
283 ret=ssl3_send_server_certificate(s);
284 if (ret <= 0) goto end;
285 }
286 else
287 skip=1;
288 s->state=SSL3_ST_SW_KEY_EXCH_A;
289 s->init_num=0;
290 break;
291
292 case SSL3_ST_SW_KEY_EXCH_A:
293 case SSL3_ST_SW_KEY_EXCH_B:
294 l=s->s3->tmp.new_cipher->algorithms;
295 if (s->session->cert == NULL)
296 {
297 if (s->cert != NULL)
298 {
299 CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
300 s->session->cert=s->cert;
301 }
302 else
303 {
304 CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
305 s->session->cert=s->ctx->default_cert;
306 }
307 }
308 ct=s->session->cert;
309
310 /* clear this, it may get reset by
311 * send_server_key_exchange */
312 if (s->options & SSL_OP_EPHEMERAL_RSA)
313 s->s3->tmp.use_rsa_tmp=1;
314 else
315 s->s3->tmp.use_rsa_tmp=0;
316
317 /* only send if a DH key exchange, fortezza or
318 * RSA but we have a sign only certificate */
319 if ( s->s3->tmp.use_rsa_tmp ||
320 (l & (SSL_DH|SSL_kFZA)) ||
321 ((l & SSL_kRSA) &&
322 ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)||
323 ((l & SSL_EXPORT) &&
324 (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512)
325 )
326 )
327 )
328 )
329 {
330 ret=ssl3_send_server_key_exchange(s);
331 if (ret <= 0) goto end;
332 }
333 else
334 skip=1;
335
336 s->state=SSL3_ST_SW_CERT_REQ_A;
337 s->init_num=0;
338 break;
339
340 case SSL3_ST_SW_CERT_REQ_A:
341 case SSL3_ST_SW_CERT_REQ_B:
342 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
343 ((s->session->peer != NULL) &&
344 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
345 {
346 /* no cert request */
347 skip=1;
348 s->s3->tmp.cert_request=0;
349 s->state=SSL3_ST_SW_SRVR_DONE_A;
350 }
351 else
352 {
353 s->s3->tmp.cert_request=1;
354 ret=ssl3_send_certificate_request(s);
355 if (ret <= 0) goto end;
356 s->state=SSL3_ST_SW_SRVR_DONE_A;
357 s->init_num=0;
358 }
359 break;
360
361 case SSL3_ST_SW_SRVR_DONE_A:
362 case SSL3_ST_SW_SRVR_DONE_B:
363 ret=ssl3_send_server_done(s);
364 if (ret <= 0) goto end;
365 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
366 s->state=SSL3_ST_SW_FLUSH;
367 s->init_num=0;
368 break;
369
370 case SSL3_ST_SW_FLUSH:
371 /* number of bytes to be flushed */
372 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
373 if (num1 > 0)
374 {
375 s->rwstate=SSL_WRITING;
376 num1=BIO_flush(s->wbio);
377 if (num1 <= 0) { ret= -1; goto end; }
378 s->rwstate=SSL_NOTHING;
379 }
380
381 s->state=s->s3->tmp.next_state;
382 break;
383
384 case SSL3_ST_SR_CERT_A:
385 case SSL3_ST_SR_CERT_B:
386 /* could be sent for a DH cert, even if we
387 * have not asked for it :-) */
388 ret=ssl3_get_client_certificate(s);
389 if (ret <= 0) goto end;
390 s->init_num=0;
391 s->state=SSL3_ST_SR_KEY_EXCH_A;
392 break;
393
394 case SSL3_ST_SR_KEY_EXCH_A:
395 case SSL3_ST_SR_KEY_EXCH_B:
396 ret=ssl3_get_client_key_exchange(s);
397 if (ret <= 0) goto end;
398 s->state=SSL3_ST_SR_CERT_VRFY_A;
399 s->init_num=0;
400
401 /* We need to get hashes here so if there is
402 * a client cert, it can be verified */
403 s->method->ssl3_enc->cert_verify_mac(s,
404 &(s->s3->finish_dgst1),
405 &(s->s3->tmp.finish_md[0]));
406 s->method->ssl3_enc->cert_verify_mac(s,
407 &(s->s3->finish_dgst2),
408 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
409
410 break;
411
412 case SSL3_ST_SR_CERT_VRFY_A:
413 case SSL3_ST_SR_CERT_VRFY_B:
414
415 /* we should decide if we expected this one */
416 ret=ssl3_get_cert_verify(s);
417 if (ret <= 0) goto end;
418
419 s->state=SSL3_ST_SR_FINISHED_A;
420 s->init_num=0;
421 break;
422
423 case SSL3_ST_SR_FINISHED_A:
424 case SSL3_ST_SR_FINISHED_B:
425 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
426 SSL3_ST_SR_FINISHED_B);
427 if (ret <= 0) goto end;
428 if (s->hit)
429 s->state=SSL_ST_OK;
430 else
431 s->state=SSL3_ST_SW_CHANGE_A;
432 s->init_num=0;
433 break;
434
435 case SSL3_ST_SW_CHANGE_A:
436 case SSL3_ST_SW_CHANGE_B:
437
438 s->session->cipher=s->s3->tmp.new_cipher;
439 if (!s->method->ssl3_enc->setup_key_block(s))
440 { ret= -1; goto end; }
441
442 ret=ssl3_send_change_cipher_spec(s,
443 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
444
445 if (ret <= 0) goto end;
446 s->state=SSL3_ST_SW_FINISHED_A;
447 s->init_num=0;
448
449 if (!s->method->ssl3_enc->change_cipher_state(s,
450 SSL3_CHANGE_CIPHER_SERVER_WRITE))
451 {
452 ret= -1;
453 goto end;
454 }
455
456 break;
457
458 case SSL3_ST_SW_FINISHED_A:
459 case SSL3_ST_SW_FINISHED_B:
460 ret=ssl3_send_finished(s,
461 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
462 s->method->ssl3_enc->server_finished,
463 s->method->ssl3_enc->server_finished_len);
464 if (ret <= 0) goto end;
465 s->state=SSL3_ST_SW_FLUSH;
466 if (s->hit)
467 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
468 else
469 s->s3->tmp.next_state=SSL_ST_OK;
470 s->init_num=0;
471 break;
472
473 case SSL_ST_OK:
474 /* clean a few things up */
475 ssl3_cleanup_key_block(s);
476
477 BUF_MEM_free(s->init_buf);
478 s->init_buf=NULL;
479
480 /* remove buffering on output */
481 under=BIO_pop(s->wbio);
482 if (under != NULL)
483 s->wbio=under;
484 else
485 abort(); /* ok */
486 BIO_free(s->bbio);
487 s->bbio=NULL;
488
489 s->new_session=0;
490 s->init_num=0;
491
492 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
493
494 s->ctx->sess_accept_good++;
495 /* s->server=1; */
496 s->handshake_func=ssl3_accept;
497 ret=1;
498
499 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
500
501 goto end;
502 /* break; */
503
504 default:
505 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
506 ret= -1;
507 goto end;
508 /* break; */
509 }
510
511 if (!s->s3->tmp.reuse_message && !skip)
512 {
513 if (s->debug)
514 {
515 if ((ret=BIO_flush(s->wbio)) <= 0)
516 goto end;
517 }
518
519
520 if ((cb != NULL) && (s->state != state))
521 {
522 new_state=s->state;
523 s->state=state;
524 cb(s,SSL_CB_ACCEPT_LOOP,1);
525 s->state=new_state;
526 }
527 }
528 skip=0;
529 }
530end:
531 /* BIO_flush(s->wbio); */
532
533 if (cb != NULL)
534 cb(s,SSL_CB_ACCEPT_EXIT,ret);
535 s->in_handshake--;
536 return(ret);
537 }
538
539static int ssl3_send_hello_request(s)
540SSL *s;
541 {
542 unsigned char *p;
543
544 if (s->state == SSL3_ST_SW_HELLO_REQ_A)
545 {
546 p=(unsigned char *)s->init_buf->data;
547 *(p++)=SSL3_MT_CLIENT_REQUEST;
548 *(p++)=0;
549 *(p++)=0;
550 *(p++)=0;
551
552 s->state=SSL3_ST_SW_HELLO_REQ_B;
553 /* number of bytes to write */
554 s->init_num=4;
555 s->init_off=0;
556 }
557
558 /* SSL3_ST_SW_HELLO_REQ_B */
559 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
560 }
561
562static int ssl3_get_client_hello(s)
563SSL *s;
564 {
565 int i,j,ok,al,ret= -1;
566 long n;
567 unsigned long id;
568 unsigned char *p,*d;
569 SSL_CIPHER *c;
570 STACK *ciphers=NULL;
571
572 /* We do this so that we will respond with our native type.
573 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
574 * This down switching should be handled by a different method.
575 * If we are SSLv3, we will respond with SSLv3, even if prompted with
576 * TLSv1.
577 */
578 if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
579 {
580 s->first_packet=1;
581 s->state=SSL3_ST_SR_CLNT_HELLO_B;
582 }
583 n=ssl3_get_message(s,
584 SSL3_ST_SR_CLNT_HELLO_B,
585 SSL3_ST_SR_CLNT_HELLO_C,
586 SSL3_MT_CLIENT_HELLO,
587 SSL3_RT_MAX_PLAIN_LENGTH,
588 &ok);
589
590 if (!ok) return((int)n);
591 d=p=(unsigned char *)s->init_buf->data;
592
593 /* The version number has already been checked in ssl3_get_message.
594 * I a native TLSv1/SSLv3 method, the match must be correct except
595 * perhaps for the first message */
596 p+=2;
597
598 /* load the client random */
599 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
600 p+=SSL3_RANDOM_SIZE;
601
602 /* get the session-id */
603 j= *(p++);
604
605 s->hit=0;
606 if (j == 0)
607 {
608 if (!ssl_get_new_session(s,1))
609 goto err;
610 }
611 else
612 {
613 i=ssl_get_prev_session(s,p,j);
614 if (i == 1)
615 { /* previous session */
616 s->hit=1;
617 }
618 else
619 {
620 if (!ssl_get_new_session(s,1))
621 goto err;
622 }
623 }
624
625 p+=j;
626 n2s(p,i);
627 if ((i == 0) && (j != 0))
628 {
629 /* we need a cipher if we are not resuming a session */
630 al=SSL_AD_ILLEGAL_PARAMETER;
631 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
632 goto f_err;
633 }
634 if ((i+p) > (d+n))
635 {
636 /* not enough data */
637 al=SSL_AD_DECODE_ERROR;
638 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
639 goto f_err;
640 }
641 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
642 == NULL))
643 {
644 goto err;
645 }
646 p+=i;
647
648 /* If it is a hit, check that the cipher is in the list */
649 if ((s->hit) && (i > 0))
650 {
651 j=0;
652 id=s->session->cipher->id;
653
654 for (i=0; i<sk_num(ciphers); i++)
655 {
656 c=(SSL_CIPHER *)sk_value(ciphers,i);
657 if (c->id == id)
658 {
659 j=1;
660 break;
661 }
662 }
663 if (j == 0)
664 {
665 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1))
666 {
667 /* Very bad for multi-threading.... */
668 s->session->cipher=
669 (SSL_CIPHER *)sk_value(ciphers,0);
670 }
671 else
672 {
673 /* we need to have the cipher in the cipher
674 * list if we are asked to reuse it */
675 al=SSL_AD_ILLEGAL_PARAMETER;
676 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
677 goto f_err;
678 }
679 }
680 }
681
682 /* compression */
683 i= *(p++);
684 for (j=0; j<i; j++)
685 if (p[j] == 0) break;
686
687 p+=i;
688 if (j >= i)
689 {
690 /* no compress */
691 al=SSL_AD_DECODE_ERROR;
692 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
693 goto f_err;
694 }
695
696 /* TLS does not mind if there is extra stuff */
697 if (s->version == SSL3_VERSION)
698 {
699 if (p > (d+n))
700 {
701 /* wrong number of bytes,
702 * there could be more to follow */
703 al=SSL_AD_DECODE_ERROR;
704 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
705 goto f_err;
706 }
707 }
708
709 /* do nothing with compression */
710
711 /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
712 * pick a cipher */
713
714 if (!s->hit)
715 {
716 if (s->session->ciphers != NULL)
717 sk_free(s->session->ciphers);
718 s->session->ciphers=ciphers;
719 if (ciphers == NULL)
720 {
721 al=SSL_AD_ILLEGAL_PARAMETER;
722 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
723 goto f_err;
724 }
725 ciphers=NULL;
726 c=ssl3_choose_cipher(s,s->session->ciphers,
727 ssl_get_ciphers_by_id(s));
728
729 if (c == NULL)
730 {
731 al=SSL_AD_HANDSHAKE_FAILURE;
732 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
733 goto f_err;
734 }
735 s->s3->tmp.new_cipher=c;
736 }
737 else
738 {
739 /* Session-id reuse */
740#ifdef REUSE_CIPHER_BUG
741 STACK *sk;
742 SSL_CIPHER *nc=NULL;
743 SSL_CIPHER *ec=NULL;
744
745 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
746 {
747 sk=s->session->ciphers;
748 for (i=0; i<sk_num(sk); i++)
749 {
750 c=(SSL_CIPHER *)sk_value(sk,i);
751 if (c->algorithms & SSL_eNULL)
752 nc=c;
753 if (c->algorithms & SSL_EXP)
754 ec=c;
755 }
756 if (nc != NULL)
757 s->s3->tmp.new_cipher=nc;
758 else if (ec != NULL)
759 s->s3->tmp.new_cipher=ec;
760 else
761 s->s3->tmp.new_cipher=s->session->cipher;
762 }
763 else
764#endif
765 s->s3->tmp.new_cipher=s->session->cipher;
766 }
767
768 /* we now have the following setup.
769 * client_random
770 * cipher_list - our prefered list of ciphers
771 * ciphers - the clients prefered list of ciphers
772 * compression - basically ignored right now
773 * ssl version is set - sslv3
774 * s->session - The ssl session has been setup.
775 * s->hit - sesson reuse flag
776 * s->tmp.new_cipher - the new cipher to use.
777 */
778
779 ret=1;
780 if (0)
781 {
782f_err:
783 ssl3_send_alert(s,SSL3_AL_FATAL,al);
784 }
785err:
786 if (ciphers != NULL) sk_free(ciphers);
787 return(ret);
788 }
789
790static int ssl3_send_server_hello(s)
791SSL *s;
792 {
793 unsigned char *buf;
794 unsigned char *p,*d;
795 int i,sl;
796 unsigned long l,Time;
797
798 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
799 {
800 buf=(unsigned char *)s->init_buf->data;
801 p=s->s3->server_random;
802 Time=time(NULL); /* Time */
803 l2n(Time,p);
804 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
805 /* Do the message type and length last */
806 d=p= &(buf[4]);
807
808 *(p++)=s->version>>8;
809 *(p++)=s->version&0xff;
810
811 /* Random stuff */
812 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
813 p+=SSL3_RANDOM_SIZE;
814
815 /* now in theory we have 3 options to sending back the
816 * session id. If it is a re-use, we send back the
817 * old session-id, if it is a new session, we send
818 * back the new session-id or we send back a 0 length
819 * session-id if we want it to be single use.
820 * Currently I will not implement the '0' length session-id
821 * 12-Jan-98 - I'll now support the '0' length stuff.
822 */
823 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
824 s->session->session_id_length=0;
825
826 sl=s->session->session_id_length;
827 *(p++)=sl;
828 memcpy(p,s->session->session_id,sl);
829 p+=sl;
830
831 /* put the cipher */
832 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
833 p+=i;
834
835 /* put the compression method */
836 *(p++)=0;
837
838 /* do the header */
839 l=(p-d);
840 d=buf;
841 *(d++)=SSL3_MT_SERVER_HELLO;
842 l2n3(l,d);
843
844 s->state=SSL3_ST_CW_CLNT_HELLO_B;
845 /* number of bytes to write */
846 s->init_num=p-buf;
847 s->init_off=0;
848 }
849
850 /* SSL3_ST_CW_CLNT_HELLO_B */
851 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
852 }
853
854static int ssl3_send_server_done(s)
855SSL *s;
856 {
857 unsigned char *p;
858
859 if (s->state == SSL3_ST_SW_SRVR_DONE_A)
860 {
861 p=(unsigned char *)s->init_buf->data;
862
863 /* do the header */
864 *(p++)=SSL3_MT_SERVER_DONE;
865 *(p++)=0;
866 *(p++)=0;
867 *(p++)=0;
868
869 s->state=SSL3_ST_SW_SRVR_DONE_B;
870 /* number of bytes to write */
871 s->init_num=4;
872 s->init_off=0;
873 }
874
875 /* SSL3_ST_CW_CLNT_HELLO_B */
876 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
877 }
878
879static int ssl3_send_server_key_exchange(s)
880SSL *s;
881 {
882#ifndef NO_RSA
883 unsigned char *q;
884 int j,num;
885 RSA *rsa;
886 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
887#endif
888#ifndef NO_DH
889 DH *dh,*dhp;
890#endif
891 EVP_PKEY *pkey;
892 unsigned char *p,*d;
893 int al,i;
894 unsigned long type;
895 int n;
896 CERT *cert;
897 BIGNUM *r[4];
898 int nr[4],kn;
899 BUF_MEM *buf;
900 EVP_MD_CTX md_ctx;
901
902 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
903 {
904 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
905 cert=s->session->cert;
906
907 buf=s->init_buf;
908
909 r[0]=r[1]=r[2]=r[3]=NULL;
910 n=0;
911#ifndef NO_RSA
912 if (type & SSL_kRSA)
913 {
914 rsa=cert->rsa_tmp;
915 if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
916 {
917 rsa=s->ctx->default_cert->rsa_tmp_cb(s,
918 (s->s3->tmp.new_cipher->algorithms|
919 SSL_NOT_EXP)?0:1);
920 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
921 cert->rsa_tmp=rsa;
922 }
923 if (rsa == NULL)
924 {
925 al=SSL_AD_HANDSHAKE_FAILURE;
926 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
927 goto f_err;
928 }
929 r[0]=rsa->n;
930 r[1]=rsa->e;
931 s->s3->tmp.use_rsa_tmp=1;
932 }
933 else
934#endif
935#ifndef NO_DH
936 if (type & SSL_kEDH)
937 {
938 dhp=cert->dh_tmp;
939 if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
940 dhp=cert->dh_tmp_cb(s,
941 (s->s3->tmp.new_cipher->algorithms|
942 SSL_NOT_EXP)?0:1);
943 if (dhp == NULL)
944 {
945 al=SSL_AD_HANDSHAKE_FAILURE;
946 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
947 goto f_err;
948 }
949 if ((dh=DHparams_dup(dhp)) == NULL)
950 {
951 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
952 goto err;
953 }
954
955 s->s3->tmp.dh=dh;
956 if (((dhp->pub_key == NULL) ||
957 (dhp->priv_key == NULL) ||
958 (s->options & SSL_OP_SINGLE_DH_USE)) &&
959 (!DH_generate_key(dh)))
960 {
961 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
962 goto err;
963 }
964 else
965 {
966 dh->pub_key=BN_dup(dhp->pub_key);
967 dh->priv_key=BN_dup(dhp->priv_key);
968 if ((dh->pub_key == NULL) ||
969 (dh->priv_key == NULL))
970 {
971 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
972 goto err;
973 }
974 }
975 r[0]=dh->p;
976 r[1]=dh->g;
977 r[2]=dh->pub_key;
978 }
979 else
980#endif
981 {
982 al=SSL_AD_HANDSHAKE_FAILURE;
983 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
984 goto f_err;
985 }
986 for (i=0; r[i] != NULL; i++)
987 {
988 nr[i]=BN_num_bytes(r[i]);
989 n+=2+nr[i];
990 }
991
992 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
993 {
994 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
995 == NULL)
996 {
997 al=SSL_AD_DECODE_ERROR;
998 goto f_err;
999 }
1000 kn=EVP_PKEY_size(pkey);
1001 }
1002 else
1003 {
1004 pkey=NULL;
1005 kn=0;
1006 }
1007
1008 if (!BUF_MEM_grow(buf,n+4+kn))
1009 {
1010 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1011 goto err;
1012 }
1013 d=(unsigned char *)s->init_buf->data;
1014 p= &(d[4]);
1015
1016 for (i=0; r[i] != NULL; i++)
1017 {
1018 s2n(nr[i],p);
1019 BN_bn2bin(r[i],p);
1020 p+=nr[i];
1021 }
1022
1023 /* not anonymous */
1024 if (pkey != NULL)
1025 {
1026 /* n is the length of the params, they start at &(d[4])
1027 * and p points to the space at the end. */
1028#ifndef NO_RSA
1029 if (pkey->type == EVP_PKEY_RSA)
1030 {
1031 q=md_buf;
1032 j=0;
1033 for (num=2; num > 0; num--)
1034 {
1035 EVP_DigestInit(&md_ctx,(num == 2)
1036 ?s->ctx->md5:s->ctx->sha1);
1037 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1038 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1039 EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1040 EVP_DigestFinal(&md_ctx,q,
1041 (unsigned int *)&i);
1042 q+=i;
1043 j+=i;
1044 }
1045 i=RSA_private_encrypt(j,md_buf,&(p[2]),
1046 pkey->pkey.rsa,RSA_PKCS1_PADDING);
1047 if (i <= 0)
1048 {
1049 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1050 goto err;
1051 }
1052 s2n(i,p);
1053 n+=i+2;
1054 }
1055 else
1056#endif
1057#if !defined(NO_DSA)
1058 if (pkey->type == EVP_PKEY_DSA)
1059 {
1060 /* lets do DSS */
1061 EVP_SignInit(&md_ctx,EVP_dss1());
1062 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1063 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1064 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1065 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1066 (unsigned int *)&i,pkey))
1067 {
1068 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1069 goto err;
1070 }
1071 s2n(i,p);
1072 n+=i+2;
1073 }
1074 else
1075#endif
1076 {
1077 /* Is this error check actually needed? */
1078 al=SSL_AD_HANDSHAKE_FAILURE;
1079 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1080 goto f_err;
1081 }
1082 }
1083
1084 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
1085 l2n3(n,d);
1086
1087 /* we should now have things packed up, so lets send
1088 * it off */
1089 s->init_num=n+4;
1090 s->init_off=0;
1091 }
1092
1093 /* SSL3_ST_SW_KEY_EXCH_B */
1094 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1095f_err:
1096 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1097err:
1098 return(-1);
1099 }
1100
1101static int ssl3_send_certificate_request(s)
1102SSL *s;
1103 {
1104 unsigned char *p,*d;
1105 int i,j,nl,off,n;
1106 STACK *sk=NULL;
1107 X509_NAME *name;
1108 BUF_MEM *buf;
1109
1110 if (s->state == SSL3_ST_SW_CERT_REQ_A)
1111 {
1112 buf=s->init_buf;
1113
1114 d=p=(unsigned char *)&(buf->data[4]);
1115
1116 /* get the list of acceptable cert types */
1117 p++;
1118 n=ssl3_get_req_cert_type(s,p);
1119 d[0]=n;
1120 p+=n;
1121 n++;
1122
1123 off=n;
1124 p+=2;
1125 n+=2;
1126
1127 sk=SSL_get_client_CA_list(s);
1128 nl=0;
1129 if (sk != NULL)
1130 {
1131 for (i=0; i<sk_num(sk); i++)
1132 {
1133 name=(X509_NAME *)sk_value(sk,i);
1134 j=i2d_X509_NAME(name,NULL);
1135 if (!BUF_MEM_grow(buf,4+n+j+2))
1136 {
1137 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1138 goto err;
1139 }
1140 p=(unsigned char *)&(buf->data[4+n]);
1141 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1142 {
1143 s2n(j,p);
1144 i2d_X509_NAME(name,&p);
1145 n+=2+j;
1146 nl+=2+j;
1147 }
1148 else
1149 {
1150 d=p;
1151 i2d_X509_NAME(name,&p);
1152 j-=2; s2n(j,d); j+=2;
1153 n+=j;
1154 nl+=j;
1155 }
1156 }
1157 }
1158 /* else no CA names */
1159 p=(unsigned char *)&(buf->data[4+off]);
1160 s2n(nl,p);
1161
1162 d=(unsigned char *)buf->data;
1163 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1164 l2n3(n,d);
1165
1166 /* we should now have things packed up, so lets send
1167 * it off */
1168
1169 s->init_num=n+4;
1170 s->init_off=0;
1171 }
1172
1173 /* SSL3_ST_SW_CERT_REQ_B */
1174 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1175err:
1176 return(-1);
1177 }
1178
1179static int ssl3_get_client_key_exchange(s)
1180SSL *s;
1181 {
1182 int i,al,ok;
1183 long n;
1184 unsigned long l;
1185 unsigned char *p;
1186 RSA *rsa=NULL;
1187 EVP_PKEY *pkey=NULL;
1188#ifndef NO_DH
1189 BIGNUM *pub=NULL;
1190 DH *dh_srvr;
1191#endif
1192
1193 n=ssl3_get_message(s,
1194 SSL3_ST_SR_KEY_EXCH_A,
1195 SSL3_ST_SR_KEY_EXCH_B,
1196 SSL3_MT_CLIENT_KEY_EXCHANGE,
1197 400, /* ???? */
1198 &ok);
1199
1200 if (!ok) return((int)n);
1201 p=(unsigned char *)s->init_buf->data;
1202
1203 l=s->s3->tmp.new_cipher->algorithms;
1204
1205#ifndef NO_RSA
1206 if (l & SSL_kRSA)
1207 {
1208 /* FIX THIS UP EAY EAY EAY EAY */
1209 if (s->s3->tmp.use_rsa_tmp)
1210 {
1211 if ((s->session->cert != NULL) &&
1212 (s->session->cert->rsa_tmp != NULL))
1213 rsa=s->session->cert->rsa_tmp;
1214 else if ((s->ctx->default_cert != NULL) &&
1215 (s->ctx->default_cert->rsa_tmp != NULL))
1216 rsa=s->ctx->default_cert->rsa_tmp;
1217 /* Don't do a callback because rsa_tmp should
1218 * be sent already */
1219 if (rsa == NULL)
1220 {
1221 al=SSL_AD_HANDSHAKE_FAILURE;
1222 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
1223 goto f_err;
1224
1225 }
1226 }
1227 else
1228 {
1229 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1230 if ( (pkey == NULL) ||
1231 (pkey->type != EVP_PKEY_RSA) ||
1232 (pkey->pkey.rsa == NULL))
1233 {
1234 al=SSL_AD_HANDSHAKE_FAILURE;
1235 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
1236 goto f_err;
1237 }
1238 rsa=pkey->pkey.rsa;
1239 }
1240
1241 /* TLS */
1242 if (s->version > SSL3_VERSION)
1243 {
1244 n2s(p,i);
1245 if (n != i+2)
1246 {
1247 if (!(s->options & SSL_OP_TLS_D5_BUG))
1248 {
1249 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1250 goto err;
1251 }
1252 else
1253 p-=2;
1254 }
1255 else
1256 n=i;
1257 }
1258
1259 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1260
1261#if 1
1262 /* If a bad decrypt, use a dud master key */
1263 if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
1264 ((p[0] != (s->version>>8)) ||
1265 (p[1] != (s->version & 0xff))))
1266 {
1267 p[0]=(s->version>>8);
1268 p[1]=(s->version & 0xff);
1269 RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1270 i=SSL_MAX_MASTER_KEY_LENGTH;
1271 }
1272#else
1273 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1274 {
1275 al=SSL_AD_DECODE_ERROR;
1276 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1277 goto f_err;
1278 }
1279
1280 if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
1281 {
1282 al=SSL_AD_DECODE_ERROR;
1283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1284 goto f_err;
1285 }
1286#endif
1287
1288 s->session->master_key_length=
1289 s->method->ssl3_enc->generate_master_secret(s,
1290 s->session->master_key,
1291 p,i);
1292 memset(p,0,i);
1293 }
1294 else
1295#endif
1296#ifndef NO_DH
1297 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1298 {
1299 n2s(p,i);
1300 if (n != i+2)
1301 {
1302 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1303 {
1304 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1305 goto err;
1306 }
1307 else
1308 {
1309 p-=2;
1310 i=(int)n;
1311 }
1312 }
1313
1314 if (n == 0L) /* the parameters are in the cert */
1315 {
1316 al=SSL_AD_HANDSHAKE_FAILURE;
1317 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1318 goto f_err;
1319 }
1320 else
1321 {
1322 if (s->s3->tmp.dh == NULL)
1323 {
1324 al=SSL_AD_HANDSHAKE_FAILURE;
1325 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1326 goto f_err;
1327 }
1328 else
1329 dh_srvr=s->s3->tmp.dh;
1330 }
1331
1332 pub=BN_bin2bn(p,i,NULL);
1333 if (pub == NULL)
1334 {
1335 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
1336 goto err;
1337 }
1338
1339 i=DH_compute_key(p,pub,dh_srvr);
1340
1341 if (i <= 0)
1342 {
1343 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1344 goto err;
1345 }
1346
1347 DH_free(s->s3->tmp.dh);
1348 s->s3->tmp.dh=NULL;
1349
1350 BN_clear_free(pub);
1351 pub=NULL;
1352 s->session->master_key_length=
1353 s->method->ssl3_enc->generate_master_secret(s,
1354 s->session->master_key,p,i);
1355 }
1356 else
1357#endif
1358 {
1359 al=SSL_AD_HANDSHAKE_FAILURE;
1360 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
1361 goto f_err;
1362 }
1363
1364 return(1);
1365f_err:
1366 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1367#if !defined(NO_DH) || !defined(NO_RSA)
1368err:
1369#endif
1370 return(-1);
1371 }
1372
1373static int ssl3_get_cert_verify(s)
1374SSL *s;
1375 {
1376 EVP_PKEY *pkey=NULL;
1377 unsigned char *p;
1378 int al,ok,ret=0;
1379 long n;
1380 int type=0,i,j;
1381 X509 *peer;
1382
1383 n=ssl3_get_message(s,
1384 SSL3_ST_SR_CERT_VRFY_A,
1385 SSL3_ST_SR_CERT_VRFY_B,
1386 -1,
1387 512, /* 512? */
1388 &ok);
1389
1390 if (!ok) return((int)n);
1391
1392 if (s->session->peer != NULL)
1393 {
1394 peer=s->session->peer;
1395 pkey=X509_get_pubkey(peer);
1396 type=X509_certificate_type(peer,pkey);
1397 }
1398 else
1399 {
1400 peer=NULL;
1401 pkey=NULL;
1402 }
1403
1404 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
1405 {
1406 s->s3->tmp.reuse_message=1;
1407 if ((peer != NULL) && (type | EVP_PKT_SIGN))
1408 {
1409 al=SSL_AD_UNEXPECTED_MESSAGE;
1410 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
1411 goto f_err;
1412 }
1413 ret=1;
1414 goto end;
1415 }
1416
1417 if (peer == NULL)
1418 {
1419 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
1420 al=SSL_AD_UNEXPECTED_MESSAGE;
1421 goto f_err;
1422 }
1423
1424 if (!(type & EVP_PKT_SIGN))
1425 {
1426 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1427 al=SSL_AD_ILLEGAL_PARAMETER;
1428 goto f_err;
1429 }
1430
1431 if (s->s3->change_cipher_spec)
1432 {
1433 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1434 al=SSL_AD_UNEXPECTED_MESSAGE;
1435 goto f_err;
1436 }
1437
1438 /* we now have a signature that we need to verify */
1439 p=(unsigned char *)s->init_buf->data;
1440 n2s(p,i);
1441 n-=2;
1442 if (i > n)
1443 {
1444 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
1445 al=SSL_AD_DECODE_ERROR;
1446 goto f_err;
1447 }
1448
1449 j=EVP_PKEY_size(pkey);
1450 if ((i > j) || (n > j) || (n <= 0))
1451 {
1452 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
1453 al=SSL_AD_DECODE_ERROR;
1454 goto f_err;
1455 }
1456
1457#ifndef NO_RSA
1458 if (pkey->type == EVP_PKEY_RSA)
1459 {
1460 i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
1461 if (i < 0)
1462 {
1463 al=SSL_AD_DECRYPT_ERROR;
1464 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1465 goto f_err;
1466 }
1467 if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
1468 memcmp(&(s->s3->tmp.finish_md[0]),p,
1469 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
1470 {
1471 al=SSL_AD_DECRYPT_ERROR;
1472 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
1473 goto f_err;
1474 }
1475 }
1476 else
1477#endif
1478#ifndef NO_DSA
1479 if (pkey->type == EVP_PKEY_DSA)
1480 {
1481 j=DSA_verify(pkey->save_type,
1482 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
1483 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1484 if (j <= 0)
1485 {
1486 /* bad signature */
1487 al=SSL_AD_DECRYPT_ERROR;
1488 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
1489 goto f_err;
1490 }
1491 }
1492 else
1493#endif
1494 {
1495 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
1496 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1497 goto f_err;
1498 }
1499
1500
1501 ret=1;
1502 if (0)
1503 {
1504f_err:
1505 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1506 }
1507end:
1508 return(ret);
1509 }
1510
1511static int ssl3_get_client_certificate(s)
1512SSL *s;
1513 {
1514 int i,ok,al,ret= -1;
1515 X509 *x=NULL;
1516 unsigned long l,nc,llen,n;
1517 unsigned char *p,*d,*q;
1518 STACK *sk=NULL;
1519
1520 n=ssl3_get_message(s,
1521 SSL3_ST_SR_CERT_A,
1522 SSL3_ST_SR_CERT_B,
1523 -1,
1524#if defined(MSDOS) && !defined(WIN32)
1525 1024*30, /* 30k max cert list :-) */
1526#else
1527 1024*100, /* 100k max cert list :-) */
1528#endif
1529 &ok);
1530
1531 if (!ok) return((int)n);
1532
1533 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
1534 {
1535 if ( (s->verify_mode & SSL_VERIFY_PEER) &&
1536 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1537 {
1538 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1539 al=SSL_AD_HANDSHAKE_FAILURE;
1540 goto f_err;
1541 }
1542 /* If tls asked for a client cert we must return a 0 list */
1543 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1544 {
1545 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
1546 al=SSL_AD_UNEXPECTED_MESSAGE;
1547 goto f_err;
1548 }
1549 s->s3->tmp.reuse_message=1;
1550 return(1);
1551 }
1552
1553 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1554 {
1555 al=SSL_AD_UNEXPECTED_MESSAGE;
1556 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1557 goto f_err;
1558 }
1559 d=p=(unsigned char *)s->init_buf->data;
1560
1561 if ((sk=sk_new_null()) == NULL)
1562 {
1563 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1564 goto err;
1565 }
1566
1567 n2l3(p,llen);
1568 if (llen+3 != n)
1569 {
1570 al=SSL_AD_DECODE_ERROR;
1571 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1572 goto f_err;
1573 }
1574 for (nc=0; nc<llen; )
1575 {
1576 n2l3(p,l);
1577 if ((l+nc+3) > llen)
1578 {
1579 al=SSL_AD_DECODE_ERROR;
1580 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1581 goto f_err;
1582 }
1583
1584 q=p;
1585 x=d2i_X509(NULL,&p,l);
1586 if (x == NULL)
1587 {
1588 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
1589 goto err;
1590 }
1591 if (p != (q+l))
1592 {
1593 al=SSL_AD_DECODE_ERROR;
1594 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1595 goto f_err;
1596 }
1597 if (!sk_push(sk,(char *)x))
1598 {
1599 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1600 goto err;
1601 }
1602 x=NULL;
1603 nc+=l+3;
1604 }
1605
1606 if (sk_num(sk) <= 0)
1607 {
1608 /* TLS does not mind 0 certs returned */
1609 if (s->version == SSL3_VERSION)
1610 {
1611 al=SSL_AD_HANDSHAKE_FAILURE;
1612 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
1613 goto f_err;
1614 }
1615 /* Fail for TLS only if we required a certificate */
1616 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
1617 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1618 {
1619 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1620 al=SSL_AD_HANDSHAKE_FAILURE;
1621 goto f_err;
1622 }
1623 }
1624 else
1625 {
1626 i=ssl_verify_cert_chain(s,sk);
1627 if (!i)
1628 {
1629 al=ssl_verify_alarm_type(s->verify_result);
1630 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
1631 goto f_err;
1632 }
1633 }
1634
1635 /* This should not be needed */
1636 if (s->session->peer != NULL)
1637 X509_free(s->session->peer);
1638 s->session->peer=(X509 *)sk_shift(sk);
1639
1640 ret=1;
1641 if (0)
1642 {
1643f_err:
1644 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1645 }
1646err:
1647 if (x != NULL) X509_free(x);
1648 if (sk != NULL) sk_pop_free(sk,X509_free);
1649 return(ret);
1650 }
1651
1652int ssl3_send_server_certificate(s)
1653SSL *s;
1654 {
1655 unsigned long l;
1656 X509 *x;
1657
1658 if (s->state == SSL3_ST_SW_CERT_A)
1659 {
1660 x=ssl_get_server_send_cert(s);
1661 if (x == NULL)
1662 {
1663 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
1664 return(0);
1665 }
1666
1667 l=ssl3_output_cert_chain(s,x);
1668 s->state=SSL3_ST_SW_CERT_B;
1669 s->init_num=(int)l;
1670 s->init_off=0;
1671 }
1672
1673 /* SSL3_ST_SW_CERT_B */
1674 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1675 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 07:12:40 +0000