summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_clnt.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
-rw-r--r--src/lib/libssl/s3_clnt.c397
1 files changed, 38 insertions, 359 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index b80d052e1f..53223bd38d 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -156,9 +156,6 @@
156#include <openssl/objects.h> 156#include <openssl/objects.h>
157#include <openssl/evp.h> 157#include <openssl/evp.h>
158#include <openssl/md5.h> 158#include <openssl/md5.h>
159#ifdef OPENSSL_FIPS
160#include <openssl/fips.h>
161#endif
162#ifndef OPENSSL_NO_DH 159#ifndef OPENSSL_NO_DH
163#include <openssl/dh.h> 160#include <openssl/dh.h>
164#endif 161#endif
@@ -203,18 +200,6 @@ int ssl3_connect(SSL *s)
203 s->in_handshake++; 200 s->in_handshake++;
204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 201 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
205 202
206#ifndef OPENSSL_NO_HEARTBEATS
207 /* If we're awaiting a HeartbeatResponse, pretend we
208 * already got and don't await it anymore, because
209 * Heartbeats don't make sense during handshakes anyway.
210 */
211 if (s->tlsext_hb_pending)
212 {
213 s->tlsext_hb_pending = 0;
214 s->tlsext_hb_seq++;
215 }
216#endif
217
218 for (;;) 203 for (;;)
219 { 204 {
220 state=s->state; 205 state=s->state;
@@ -222,7 +207,7 @@ int ssl3_connect(SSL *s)
222 switch(s->state) 207 switch(s->state)
223 { 208 {
224 case SSL_ST_RENEGOTIATE: 209 case SSL_ST_RENEGOTIATE:
225 s->renegotiate=1; 210 s->new_session=1;
226 s->state=SSL_ST_CONNECT; 211 s->state=SSL_ST_CONNECT;
227 s->ctx->stats.sess_connect_renegotiate++; 212 s->ctx->stats.sess_connect_renegotiate++;
228 /* break */ 213 /* break */
@@ -295,16 +280,7 @@ int ssl3_connect(SSL *s)
295 if (ret <= 0) goto end; 280 if (ret <= 0) goto end;
296 281
297 if (s->hit) 282 if (s->hit)
298 {
299 s->state=SSL3_ST_CR_FINISHED_A; 283 s->state=SSL3_ST_CR_FINISHED_A;
300#ifndef OPENSSL_NO_TLSEXT
301 if (s->tlsext_ticket_expected)
302 {
303 /* receive renewed session ticket */
304 s->state=SSL3_ST_CR_SESSION_TICKET_A;
305 }
306#endif
307 }
308 else 284 else
309 s->state=SSL3_ST_CR_CERT_A; 285 s->state=SSL3_ST_CR_CERT_A;
310 s->init_num=0; 286 s->init_num=0;
@@ -382,17 +358,6 @@ int ssl3_connect(SSL *s)
382 case SSL3_ST_CR_SRVR_DONE_B: 358 case SSL3_ST_CR_SRVR_DONE_B:
383 ret=ssl3_get_server_done(s); 359 ret=ssl3_get_server_done(s);
384 if (ret <= 0) goto end; 360 if (ret <= 0) goto end;
385#ifndef OPENSSL_NO_SRP
386 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP)
387 {
388 if ((ret = SRP_Calc_A_param(s))<=0)
389 {
390 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
391 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
392 goto end;
393 }
394 }
395#endif
396 if (s->s3->tmp.cert_req) 361 if (s->s3->tmp.cert_req)
397 s->state=SSL3_ST_CW_CERT_A; 362 s->state=SSL3_ST_CW_CERT_A;
398 else 363 else
@@ -458,16 +423,7 @@ int ssl3_connect(SSL *s)
458 ret=ssl3_send_change_cipher_spec(s, 423 ret=ssl3_send_change_cipher_spec(s,
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 424 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end; 425 if (ret <= 0) goto end;
461
462
463#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
464 s->state=SSL3_ST_CW_FINISHED_A; 426 s->state=SSL3_ST_CW_FINISHED_A;
465#else
466 if (s->s3->next_proto_neg_seen)
467 s->state=SSL3_ST_CW_NEXT_PROTO_A;
468 else
469 s->state=SSL3_ST_CW_FINISHED_A;
470#endif
471 s->init_num=0; 427 s->init_num=0;
472 428
473 s->session->cipher=s->s3->tmp.new_cipher; 429 s->session->cipher=s->s3->tmp.new_cipher;
@@ -495,15 +451,6 @@ int ssl3_connect(SSL *s)
495 451
496 break; 452 break;
497 453
498#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
499 case SSL3_ST_CW_NEXT_PROTO_A:
500 case SSL3_ST_CW_NEXT_PROTO_B:
501 ret=ssl3_send_next_proto(s);
502 if (ret <= 0) goto end;
503 s->state=SSL3_ST_CW_FINISHED_A;
504 break;
505#endif
506
507 case SSL3_ST_CW_FINISHED_A: 454 case SSL3_ST_CW_FINISHED_A:
508 case SSL3_ST_CW_FINISHED_B: 455 case SSL3_ST_CW_FINISHED_B:
509 ret=ssl3_send_finished(s, 456 ret=ssl3_send_finished(s,
@@ -599,7 +546,6 @@ int ssl3_connect(SSL *s)
599 /* else do it later in ssl3_write */ 546 /* else do it later in ssl3_write */
600 547
601 s->init_num=0; 548 s->init_num=0;
602 s->renegotiate=0;
603 s->new_session=0; 549 s->new_session=0;
604 550
605 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 551 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
@@ -689,43 +635,9 @@ int ssl3_client_hello(SSL *s)
689 /* Do the message type and length last */ 635 /* Do the message type and length last */
690 d=p= &(buf[4]); 636 d=p= &(buf[4]);
691 637
692 /* version indicates the negotiated version: for example from
693 * an SSLv2/v3 compatible client hello). The client_version
694 * field is the maximum version we permit and it is also
695 * used in RSA encrypted premaster secrets. Some servers can
696 * choke if we initially report a higher version then
697 * renegotiate to a lower one in the premaster secret. This
698 * didn't happen with TLS 1.0 as most servers supported it
699 * but it can with TLS 1.1 or later if the server only supports
700 * 1.0.
701 *
702 * Possible scenario with previous logic:
703 * 1. Client hello indicates TLS 1.2
704 * 2. Server hello says TLS 1.0
705 * 3. RSA encrypted premaster secret uses 1.2.
706 * 4. Handhaked proceeds using TLS 1.0.
707 * 5. Server sends hello request to renegotiate.
708 * 6. Client hello indicates TLS v1.0 as we now
709 * know that is maximum server supports.
710 * 7. Server chokes on RSA encrypted premaster secret
711 * containing version 1.0.
712 *
713 * For interoperability it should be OK to always use the
714 * maximum version we support in client hello and then rely
715 * on the checking of version to ensure the servers isn't
716 * being inconsistent: for example initially negotiating with
717 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
718 * client_version in client hello and not resetting it to
719 * the negotiated version.
720 */
721#if 0
722 *(p++)=s->version>>8; 638 *(p++)=s->version>>8;
723 *(p++)=s->version&0xff; 639 *(p++)=s->version&0xff;
724 s->client_version=s->version; 640 s->client_version=s->version;
725#else
726 *(p++)=s->client_version>>8;
727 *(p++)=s->client_version&0xff;
728#endif
729 641
730 /* Random stuff */ 642 /* Random stuff */
731 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 643 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
@@ -755,15 +667,6 @@ int ssl3_client_hello(SSL *s)
755 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 667 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
756 goto err; 668 goto err;
757 } 669 }
758#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
759 /* Some servers hang if client hello > 256 bytes
760 * as hack workaround chop number of supported ciphers
761 * to keep it well below this if we use TLS v1.2
762 */
763 if (TLS1_get_version(s) >= TLS1_2_VERSION
764 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
765 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
766#endif
767 s2n(i,p); 670 s2n(i,p);
768 p+=i; 671 p+=i;
769 672
@@ -944,14 +847,6 @@ int ssl3_get_server_hello(SSL *s)
944 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
945 goto f_err; 848 goto f_err;
946 } 849 }
947 /* TLS v1.2 only ciphersuites require v1.2 or later */
948 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
949 (TLS1_get_version(s) < TLS1_2_VERSION))
950 {
951 al=SSL_AD_ILLEGAL_PARAMETER;
952 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
953 goto f_err;
954 }
955 p+=ssl_put_cipher_by_char(s,NULL,NULL); 850 p+=ssl_put_cipher_by_char(s,NULL,NULL);
956 851
957 sk=ssl_get_ciphers_by_id(s); 852 sk=ssl_get_ciphers_by_id(s);
@@ -983,11 +878,9 @@ int ssl3_get_server_hello(SSL *s)
983 } 878 }
984 } 879 }
985 s->s3->tmp.new_cipher=c; 880 s->s3->tmp.new_cipher=c;
986 /* Don't digest cached records if TLS v1.2: we may need them for 881 if (!ssl3_digest_cached_records(s))
987 * client authentication.
988 */
989 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
990 goto f_err; 882 goto f_err;
883
991 /* lets get the compression algorithm */ 884 /* lets get the compression algorithm */
992 /* COMPRESSION */ 885 /* COMPRESSION */
993#ifdef OPENSSL_NO_COMP 886#ifdef OPENSSL_NO_COMP
@@ -1266,7 +1159,6 @@ int ssl3_get_key_exchange(SSL *s)
1266 int al,i,j,param_len,ok; 1159 int al,i,j,param_len,ok;
1267 long n,alg_k,alg_a; 1160 long n,alg_k,alg_a;
1268 EVP_PKEY *pkey=NULL; 1161 EVP_PKEY *pkey=NULL;
1269 const EVP_MD *md = NULL;
1270#ifndef OPENSSL_NO_RSA 1162#ifndef OPENSSL_NO_RSA
1271 RSA *rsa=NULL; 1163 RSA *rsa=NULL;
1272#endif 1164#endif
@@ -1390,86 +1282,6 @@ int ssl3_get_key_exchange(SSL *s)
1390 } 1282 }
1391 else 1283 else
1392#endif /* !OPENSSL_NO_PSK */ 1284#endif /* !OPENSSL_NO_PSK */
1393#ifndef OPENSSL_NO_SRP
1394 if (alg_k & SSL_kSRP)
1395 {
1396 n2s(p,i);
1397 param_len=i+2;
1398 if (param_len > n)
1399 {
1400 al=SSL_AD_DECODE_ERROR;
1401 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
1402 goto f_err;
1403 }
1404 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL)))
1405 {
1406 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1407 goto err;
1408 }
1409 p+=i;
1410
1411 n2s(p,i);
1412 param_len+=i+2;
1413 if (param_len > n)
1414 {
1415 al=SSL_AD_DECODE_ERROR;
1416 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
1417 goto f_err;
1418 }
1419 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL)))
1420 {
1421 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1422 goto err;
1423 }
1424 p+=i;
1425
1426 i = (unsigned int)(p[0]);
1427 p++;
1428 param_len+=i+1;
1429 if (param_len > n)
1430 {
1431 al=SSL_AD_DECODE_ERROR;
1432 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
1433 goto f_err;
1434 }
1435 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL)))
1436 {
1437 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1438 goto err;
1439 }
1440 p+=i;
1441
1442 n2s(p,i);
1443 param_len+=i+2;
1444 if (param_len > n)
1445 {
1446 al=SSL_AD_DECODE_ERROR;
1447 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
1448 goto f_err;
1449 }
1450 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL)))
1451 {
1452 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1453 goto err;
1454 }
1455 p+=i;
1456 n-=param_len;
1457
1458/* We must check if there is a certificate */
1459#ifndef OPENSSL_NO_RSA
1460 if (alg_a & SSL_aRSA)
1461 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1462#else
1463 if (0)
1464 ;
1465#endif
1466#ifndef OPENSSL_NO_DSA
1467 else if (alg_a & SSL_aDSS)
1468 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1469#endif
1470 }
1471 else
1472#endif /* !OPENSSL_NO_SRP */
1473#ifndef OPENSSL_NO_RSA 1285#ifndef OPENSSL_NO_RSA
1474 if (alg_k & SSL_kRSA) 1286 if (alg_k & SSL_kRSA)
1475 { 1287 {
@@ -1717,38 +1529,6 @@ int ssl3_get_key_exchange(SSL *s)
1717 /* if it was signed, check the signature */ 1529 /* if it was signed, check the signature */
1718 if (pkey != NULL) 1530 if (pkey != NULL)
1719 { 1531 {
1720 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1721 {
1722 int sigalg = tls12_get_sigid(pkey);
1723 /* Should never happen */
1724 if (sigalg == -1)
1725 {
1726 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1727 goto err;
1728 }
1729 /* Check key type is consistent with signature */
1730 if (sigalg != (int)p[1])
1731 {
1732 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE);
1733 al=SSL_AD_DECODE_ERROR;
1734 goto f_err;
1735 }
1736 md = tls12_get_hash(p[0]);
1737 if (md == NULL)
1738 {
1739 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST);
1740 al=SSL_AD_DECODE_ERROR;
1741 goto f_err;
1742 }
1743#ifdef SSL_DEBUG
1744fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1745#endif
1746 p += 2;
1747 n -= 2;
1748 }
1749 else
1750 md = EVP_sha1();
1751
1752 n2s(p,i); 1532 n2s(p,i);
1753 n-=2; 1533 n-=2;
1754 j=EVP_PKEY_size(pkey); 1534 j=EVP_PKEY_size(pkey);
@@ -1762,7 +1542,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1762 } 1542 }
1763 1543
1764#ifndef OPENSSL_NO_RSA 1544#ifndef OPENSSL_NO_RSA
1765 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 1545 if (pkey->type == EVP_PKEY_RSA)
1766 { 1546 {
1767 int num; 1547 int num;
1768 1548
@@ -1770,8 +1550,6 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1770 q=md_buf; 1550 q=md_buf;
1771 for (num=2; num > 0; num--) 1551 for (num=2; num > 0; num--)
1772 { 1552 {
1773 EVP_MD_CTX_set_flags(&md_ctx,
1774 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1775 EVP_DigestInit_ex(&md_ctx,(num == 2) 1553 EVP_DigestInit_ex(&md_ctx,(num == 2)
1776 ?s->ctx->md5:s->ctx->sha1, NULL); 1554 ?s->ctx->md5:s->ctx->sha1, NULL);
1777 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1555 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1799,8 +1577,29 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1799 } 1577 }
1800 else 1578 else
1801#endif 1579#endif
1580#ifndef OPENSSL_NO_DSA
1581 if (pkey->type == EVP_PKEY_DSA)
1582 {
1583 /* lets do DSS */
1584 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1585 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1586 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1587 EVP_VerifyUpdate(&md_ctx,param,param_len);
1588 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1589 {
1590 /* bad signature */
1591 al=SSL_AD_DECRYPT_ERROR;
1592 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1593 goto f_err;
1594 }
1595 }
1596 else
1597#endif
1598#ifndef OPENSSL_NO_ECDSA
1599 if (pkey->type == EVP_PKEY_EC)
1802 { 1600 {
1803 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1601 /* let's do ECDSA */
1602 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1804 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1603 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1805 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1604 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1806 EVP_VerifyUpdate(&md_ctx,param,param_len); 1605 EVP_VerifyUpdate(&md_ctx,param,param_len);
@@ -1812,6 +1611,12 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1812 goto f_err; 1611 goto f_err;
1813 } 1612 }
1814 } 1613 }
1614 else
1615#endif
1616 {
1617 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1618 goto err;
1619 }
1815 } 1620 }
1816 else 1621 else
1817 { 1622 {
@@ -1858,7 +1663,7 @@ int ssl3_get_certificate_request(SSL *s)
1858 { 1663 {
1859 int ok,ret=0; 1664 int ok,ret=0;
1860 unsigned long n,nc,l; 1665 unsigned long n,nc,l;
1861 unsigned int llen, ctype_num,i; 1666 unsigned int llen,ctype_num,i;
1862 X509_NAME *xn=NULL; 1667 X509_NAME *xn=NULL;
1863 const unsigned char *p,*q; 1668 const unsigned char *p,*q;
1864 unsigned char *d; 1669 unsigned char *d;
@@ -1878,14 +1683,6 @@ int ssl3_get_certificate_request(SSL *s)
1878 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1683 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1879 { 1684 {
1880 s->s3->tmp.reuse_message=1; 1685 s->s3->tmp.reuse_message=1;
1881 /* If we get here we don't need any cached handshake records
1882 * as we wont be doing client auth.
1883 */
1884 if (s->s3->handshake_buffer)
1885 {
1886 if (!ssl3_digest_cached_records(s))
1887 goto err;
1888 }
1889 return(1); 1686 return(1);
1890 } 1687 }
1891 1688
@@ -1922,26 +1719,6 @@ int ssl3_get_certificate_request(SSL *s)
1922 for (i=0; i<ctype_num; i++) 1719 for (i=0; i<ctype_num; i++)
1923 s->s3->tmp.ctype[i]= p[i]; 1720 s->s3->tmp.ctype[i]= p[i];
1924 p+=ctype_num; 1721 p+=ctype_num;
1925 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1926 {
1927 n2s(p, llen);
1928 /* Check we have enough room for signature algorithms and
1929 * following length value.
1930 */
1931 if ((unsigned long)(p - d + llen + 2) > n)
1932 {
1933 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1934 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
1935 goto err;
1936 }
1937 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen))
1938 {
1939 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1940 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1941 goto err;
1942 }
1943 p += llen;
1944 }
1945 1722
1946 /* get the CA RDNs */ 1723 /* get the CA RDNs */
1947 n2s(p,llen); 1724 n2s(p,llen);
@@ -1954,7 +1731,7 @@ fclose(out);
1954} 1731}
1955#endif 1732#endif
1956 1733
1957 if ((unsigned long)(p - d + llen) != n) 1734 if ((llen+ctype_num+2+1) != n)
1958 { 1735 {
1959 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1736 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1960 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 1737 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
@@ -2776,39 +2553,6 @@ int ssl3_send_client_key_exchange(SSL *s)
2776 EVP_PKEY_free(pub_key); 2553 EVP_PKEY_free(pub_key);
2777 2554
2778 } 2555 }
2779#ifndef OPENSSL_NO_SRP
2780 else if (alg_k & SSL_kSRP)
2781 {
2782 if (s->srp_ctx.A != NULL)
2783 {
2784 /* send off the data */
2785 n=BN_num_bytes(s->srp_ctx.A);
2786 s2n(n,p);
2787 BN_bn2bin(s->srp_ctx.A,p);
2788 n+=2;
2789 }
2790 else
2791 {
2792 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2793 goto err;
2794 }
2795 if (s->session->srp_username != NULL)
2796 OPENSSL_free(s->session->srp_username);
2797 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2798 if (s->session->srp_username == NULL)
2799 {
2800 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2801 ERR_R_MALLOC_FAILURE);
2802 goto err;
2803 }
2804
2805 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0)
2806 {
2807 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2808 goto err;
2809 }
2810 }
2811#endif
2812#ifndef OPENSSL_NO_PSK 2556#ifndef OPENSSL_NO_PSK
2813 else if (alg_k & SSL_kPSK) 2557 else if (alg_k & SSL_kPSK)
2814 { 2558 {
@@ -2928,13 +2672,12 @@ int ssl3_send_client_verify(SSL *s)
2928 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2672 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2929 EVP_PKEY *pkey; 2673 EVP_PKEY *pkey;
2930 EVP_PKEY_CTX *pctx=NULL; 2674 EVP_PKEY_CTX *pctx=NULL;
2931 EVP_MD_CTX mctx; 2675#ifndef OPENSSL_NO_RSA
2932 unsigned u=0; 2676 unsigned u=0;
2677#endif
2933 unsigned long n; 2678 unsigned long n;
2934 int j; 2679 int j;
2935 2680
2936 EVP_MD_CTX_init(&mctx);
2937
2938 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2681 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2939 { 2682 {
2940 d=(unsigned char *)s->init_buf->data; 2683 d=(unsigned char *)s->init_buf->data;
@@ -2945,8 +2688,7 @@ int ssl3_send_client_verify(SSL *s)
2945 EVP_PKEY_sign_init(pctx); 2688 EVP_PKEY_sign_init(pctx);
2946 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2689 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
2947 { 2690 {
2948 if (TLS1_get_version(s) < TLS1_2_VERSION) 2691 s->method->ssl3_enc->cert_verify_mac(s,
2949 s->method->ssl3_enc->cert_verify_mac(s,
2950 NID_sha1, 2692 NID_sha1,
2951 &(data[MD5_DIGEST_LENGTH])); 2693 &(data[MD5_DIGEST_LENGTH]));
2952 } 2694 }
@@ -2954,41 +2696,6 @@ int ssl3_send_client_verify(SSL *s)
2954 { 2696 {
2955 ERR_clear_error(); 2697 ERR_clear_error();
2956 } 2698 }
2957 /* For TLS v1.2 send signature algorithm and signature
2958 * using agreed digest and cached handshake records.
2959 */
2960 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2961 {
2962 long hdatalen = 0;
2963 void *hdata;
2964 const EVP_MD *md = s->cert->key->digest;
2965 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2966 &hdata);
2967 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md))
2968 {
2969 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2970 ERR_R_INTERNAL_ERROR);
2971 goto err;
2972 }
2973 p += 2;
2974#ifdef SSL_DEBUG
2975 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2976 EVP_MD_name(md));
2977#endif
2978 if (!EVP_SignInit_ex(&mctx, md, NULL)
2979 || !EVP_SignUpdate(&mctx, hdata, hdatalen)
2980 || !EVP_SignFinal(&mctx, p + 2, &u, pkey))
2981 {
2982 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2983 ERR_R_EVP_LIB);
2984 goto err;
2985 }
2986 s2n(u,p);
2987 n = u + 4;
2988 if (!ssl3_digest_cached_records(s))
2989 goto err;
2990 }
2991 else
2992#ifndef OPENSSL_NO_RSA 2699#ifndef OPENSSL_NO_RSA
2993 if (pkey->type == EVP_PKEY_RSA) 2700 if (pkey->type == EVP_PKEY_RSA)
2994 { 2701 {
@@ -3071,11 +2778,9 @@ int ssl3_send_client_verify(SSL *s)
3071 s->init_num=(int)n+4; 2778 s->init_num=(int)n+4;
3072 s->init_off=0; 2779 s->init_off=0;
3073 } 2780 }
3074 EVP_MD_CTX_cleanup(&mctx);
3075 EVP_PKEY_CTX_free(pctx); 2781 EVP_PKEY_CTX_free(pctx);
3076 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2782 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3077err: 2783err:
3078 EVP_MD_CTX_cleanup(&mctx);
3079 EVP_PKEY_CTX_free(pctx); 2784 EVP_PKEY_CTX_free(pctx);
3080 return(-1); 2785 return(-1);
3081 } 2786 }
@@ -3199,7 +2904,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
3199 if (idx == SSL_PKEY_ECC) 2904 if (idx == SSL_PKEY_ECC)
3200 { 2905 {
3201 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2906 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
3202 s) == 0) 2907 s->s3->tmp.new_cipher) == 0)
3203 { /* check failed */ 2908 { /* check failed */
3204 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 2909 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
3205 goto f_err; 2910 goto f_err;
@@ -3295,32 +3000,6 @@ err:
3295 return(0); 3000 return(0);
3296 } 3001 }
3297 3002
3298#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3299int ssl3_send_next_proto(SSL *s)
3300 {
3301 unsigned int len, padding_len;
3302 unsigned char *d;
3303
3304 if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
3305 {
3306 len = s->next_proto_negotiated_len;
3307 padding_len = 32 - ((len + 2) % 32);
3308 d = (unsigned char *)s->init_buf->data;
3309 d[4] = len;
3310 memcpy(d + 5, s->next_proto_negotiated, len);
3311 d[5 + len] = padding_len;
3312 memset(d + 6 + len, 0, padding_len);
3313 *(d++)=SSL3_MT_NEXT_PROTO;
3314 l2n3(2 + len + padding_len, d);
3315 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3316 s->init_num = 4 + 2 + len + padding_len;
3317 s->init_off = 0;
3318 }
3319
3320 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3321}
3322#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
3323
3324/* Check to see if handshake is full or resumed. Usually this is just a 3003/* Check to see if handshake is full or resumed. Usually this is just a
3325 * case of checking to see if a cache hit has occurred. In the case of 3004 * case of checking to see if a cache hit has occurred. In the case of
3326 * session tickets we have to check the next message to be sure. 3005 * session tickets we have to check the next message to be sure.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 13:13:22 +0000