summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_srvr.c890
1 files changed, 624 insertions, 266 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 64903af151..99b6a86983 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -55,52 +55,88 @@
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58 111
59#define REUSE_CIPHER_BUG 112#define REUSE_CIPHER_BUG
113#define NETSCAPE_HANG_BUG
114
60 115
61#include <stdio.h> 116#include <stdio.h>
62#include "buffer.h" 117#include <openssl/buffer.h>
63#include "rand.h" 118#include <openssl/rand.h>
64#include "objects.h" 119#include <openssl/objects.h>
65#include "evp.h" 120#include <openssl/evp.h>
66#include "x509.h" 121#include <openssl/x509.h>
122#include <openssl/krb5_asn.h>
67#include "ssl_locl.h" 123#include "ssl_locl.h"
124#include "kssl_lcl.h"
125#include <openssl/md5.h>
68 126
69#define BREAK break 127static SSL_METHOD *ssl3_get_server_method(int ver);
70/* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
71 * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
72 * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
73 * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
74 * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
75 */
76
77#ifndef NOPROTO
78static int ssl3_get_client_hello(SSL *s); 128static int ssl3_get_client_hello(SSL *s);
129static int ssl3_check_client_hello(SSL *s);
79static int ssl3_send_server_hello(SSL *s); 130static int ssl3_send_server_hello(SSL *s);
80static int ssl3_send_server_key_exchange(SSL *s); 131static int ssl3_send_server_key_exchange(SSL *s);
81static int ssl3_send_certificate_request(SSL *s); 132static int ssl3_send_certificate_request(SSL *s);
82static int ssl3_send_server_done(SSL *s); 133static int ssl3_send_server_done(SSL *s);
83static int ssl3_get_cert_verify(SSL *s);
84static int ssl3_get_client_key_exchange(SSL *s); 134static int ssl3_get_client_key_exchange(SSL *s);
85static int ssl3_get_client_certificate(SSL *s); 135static int ssl3_get_client_certificate(SSL *s);
136static int ssl3_get_cert_verify(SSL *s);
86static int ssl3_send_hello_request(SSL *s); 137static int ssl3_send_hello_request(SSL *s);
87 138
88#else 139static SSL_METHOD *ssl3_get_server_method(int ver)
89
90static int ssl3_get_client_hello();
91static int ssl3_send_server_hello();
92static int ssl3_send_server_key_exchange();
93static int ssl3_send_certificate_request();
94static int ssl3_send_server_done();
95static int ssl3_get_cert_verify();
96static int ssl3_get_client_key_exchange();
97static int ssl3_get_client_certificate();
98static int ssl3_send_hello_request();
99
100#endif
101
102static SSL_METHOD *ssl3_get_server_method(ver)
103int ver;
104 { 140 {
105 if (ver == SSL3_VERSION) 141 if (ver == SSL3_VERSION)
106 return(SSLv3_server_method()); 142 return(SSLv3_server_method());
@@ -108,35 +144,32 @@ int ver;
108 return(NULL); 144 return(NULL);
109 } 145 }
110 146
111SSL_METHOD *SSLv3_server_method() 147SSL_METHOD *SSLv3_server_method(void)
112 { 148 {
113 static int init=1; 149 static int init=1;
114 static SSL_METHOD SSLv3_server_data; 150 static SSL_METHOD SSLv3_server_data;
115 151
116 if (init) 152 if (init)
117 { 153 {
118 init=0;
119 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), 154 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
120 sizeof(SSL_METHOD)); 155 sizeof(SSL_METHOD));
121 SSLv3_server_data.ssl_accept=ssl3_accept; 156 SSLv3_server_data.ssl_accept=ssl3_accept;
122 SSLv3_server_data.get_ssl_method=ssl3_get_server_method; 157 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
158 init=0;
123 } 159 }
124 return(&SSLv3_server_data); 160 return(&SSLv3_server_data);
125 } 161 }
126 162
127int ssl3_accept(s) 163int ssl3_accept(SSL *s)
128SSL *s;
129 { 164 {
130 BUF_MEM *buf; 165 BUF_MEM *buf;
131 unsigned long l,Time=time(NULL); 166 unsigned long l,Time=time(NULL);
132 void (*cb)()=NULL; 167 void (*cb)(const SSL *ssl,int type,int val)=NULL;
133 long num1; 168 long num1;
134 int ret= -1; 169 int ret= -1;
135 CERT *ct;
136 BIO *under;
137 int new_state,state,skip=0; 170 int new_state,state,skip=0;
138 171
139 RAND_seed((unsigned char *)&Time,sizeof(Time)); 172 RAND_add(&Time,sizeof(Time),0);
140 ERR_clear_error(); 173 ERR_clear_error();
141 clear_sys_error(); 174 clear_sys_error();
142 175
@@ -146,20 +179,14 @@ SSL *s;
146 cb=s->ctx->info_callback; 179 cb=s->ctx->info_callback;
147 180
148 /* init things to blank */ 181 /* init things to blank */
149 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
150 s->in_handshake++; 182 s->in_handshake++;
183 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
151 184
152#ifdef undef 185 if (s->cert == NULL)
153 /* FIX THIS EAY EAY EAY */
154 /* we don't actually need a cert, we just need a cert or a DH_tmp */
155 if (((s->session == NULL) || (s->session->cert == NULL)) &&
156 (s->cert == NULL))
157 { 186 {
158 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 187 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
159 ret= -1; 188 return(-1);
160 goto end;
161 } 189 }
162#endif
163 190
164 for (;;) 191 for (;;)
165 { 192 {
@@ -176,11 +203,14 @@ SSL *s;
176 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 203 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
177 case SSL_ST_OK|SSL_ST_ACCEPT: 204 case SSL_ST_OK|SSL_ST_ACCEPT:
178 205
206 s->server=1;
179 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 207 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
180 208
181 if ((s->version>>8) != 3) 209 if ((s->version>>8) != 3)
182 abort(); 210 {
183 /* s->version=SSL3_VERSION; */ 211 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
212 return -1;
213 }
184 s->type=SSL_ST_ACCEPT; 214 s->type=SSL_ST_ACCEPT;
185 215
186 if (s->init_buf == NULL) 216 if (s->init_buf == NULL)
@@ -204,22 +234,24 @@ SSL *s;
204 goto end; 234 goto end;
205 } 235 }
206 236
207 /* Ok, we now need to push on a buffering BIO so that
208 * the output is sent in a way that TCP likes :-)
209 */
210 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
211
212 s->init_num=0; 237 s->init_num=0;
213 238
214 if (s->state != SSL_ST_RENEGOTIATE) 239 if (s->state != SSL_ST_RENEGOTIATE)
215 { 240 {
216 s->state=SSL3_ST_SR_CLNT_HELLO_A; 241 /* Ok, we now need to push on a buffering BIO so that
242 * the output is sent in a way that TCP likes :-)
243 */
244 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
245
217 ssl3_init_finished_mac(s); 246 ssl3_init_finished_mac(s);
218 s->ctx->sess_accept++; 247 s->state=SSL3_ST_SR_CLNT_HELLO_A;
248 s->ctx->stats.sess_accept++;
219 } 249 }
220 else 250 else
221 { 251 {
222 s->ctx->sess_accept_renegotiate++; 252 /* s->state == SSL_ST_RENEGOTIATE,
253 * we will just send a HelloRequest */
254 s->ctx->stats.sess_accept_renegotiate++;
223 s->state=SSL3_ST_SW_HELLO_REQ_A; 255 s->state=SSL3_ST_SW_HELLO_REQ_A;
224 } 256 }
225 break; 257 break;
@@ -238,19 +270,8 @@ SSL *s;
238 break; 270 break;
239 271
240 case SSL3_ST_SW_HELLO_REQ_C: 272 case SSL3_ST_SW_HELLO_REQ_C:
241 /* remove buffering on output */
242 under=BIO_pop(s->wbio);
243 if (under != NULL)
244 s->wbio=under;
245 else
246 abort(); /* ok */
247 BIO_free(s->bbio);
248 s->bbio=NULL;
249
250 s->state=SSL_ST_OK; 273 s->state=SSL_ST_OK;
251 ret=1; 274 break;
252 goto end;
253 /* break; */
254 275
255 case SSL3_ST_SR_CLNT_HELLO_A: 276 case SSL3_ST_SR_CLNT_HELLO_A:
256 case SSL3_ST_SR_CLNT_HELLO_B: 277 case SSL3_ST_SR_CLNT_HELLO_B:
@@ -259,6 +280,7 @@ SSL *s;
259 s->shutdown=0; 280 s->shutdown=0;
260 ret=ssl3_get_client_hello(s); 281 ret=ssl3_get_client_hello(s);
261 if (ret <= 0) goto end; 282 if (ret <= 0) goto end;
283 s->new_session = 2;
262 s->state=SSL3_ST_SW_SRVR_HELLO_A; 284 s->state=SSL3_ST_SW_SRVR_HELLO_A;
263 s->init_num=0; 285 s->init_num=0;
264 break; 286 break;
@@ -292,40 +314,34 @@ SSL *s;
292 case SSL3_ST_SW_KEY_EXCH_A: 314 case SSL3_ST_SW_KEY_EXCH_A:
293 case SSL3_ST_SW_KEY_EXCH_B: 315 case SSL3_ST_SW_KEY_EXCH_B:
294 l=s->s3->tmp.new_cipher->algorithms; 316 l=s->s3->tmp.new_cipher->algorithms;
295 if (s->session->cert == NULL)
296 {
297 if (s->cert != NULL)
298 {
299 CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
300 s->session->cert=s->cert;
301 }
302 else
303 {
304 CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
305 s->session->cert=s->ctx->default_cert;
306 }
307 }
308 ct=s->session->cert;
309 317
310 /* clear this, it may get reset by 318 /* clear this, it may get reset by
311 * send_server_key_exchange */ 319 * send_server_key_exchange */
312 if (s->options & SSL_OP_EPHEMERAL_RSA) 320 if ((s->options & SSL_OP_EPHEMERAL_RSA)
321#ifndef OPENSSL_NO_KRB5
322 && !(l & SSL_KRB5)
323#endif /* OPENSSL_NO_KRB5 */
324 )
325 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
326 * even when forbidden by protocol specs
327 * (handshake may fail as clients are not required to
328 * be able to handle this) */
313 s->s3->tmp.use_rsa_tmp=1; 329 s->s3->tmp.use_rsa_tmp=1;
314 else 330 else
315 s->s3->tmp.use_rsa_tmp=0; 331 s->s3->tmp.use_rsa_tmp=0;
316 332
317 /* only send if a DH key exchange, fortezza or 333 /* only send if a DH key exchange, fortezza or
318 * RSA but we have a sign only certificate */ 334 * RSA but we have a sign only certificate */
319 if ( s->s3->tmp.use_rsa_tmp || 335 if (s->s3->tmp.use_rsa_tmp
320 (l & (SSL_DH|SSL_kFZA)) || 336 || (l & (SSL_DH|SSL_kFZA))
321 ((l & SSL_kRSA) && 337 || ((l & SSL_kRSA)
322 ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)|| 338 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
323 ((l & SSL_EXPORT) && 339 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
324 (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512) 340 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
325 ) 341 )
326 ) 342 )
343 )
327 ) 344 )
328 )
329 { 345 {
330 ret=ssl3_send_server_key_exchange(s); 346 ret=ssl3_send_server_key_exchange(s);
331 if (ret <= 0) goto end; 347 if (ret <= 0) goto end;
@@ -339,9 +355,21 @@ SSL *s;
339 355
340 case SSL3_ST_SW_CERT_REQ_A: 356 case SSL3_ST_SW_CERT_REQ_A:
341 case SSL3_ST_SW_CERT_REQ_B: 357 case SSL3_ST_SW_CERT_REQ_B:
342 if (!(s->verify_mode & SSL_VERIFY_PEER) || 358 if (/* don't request cert unless asked for it: */
359 !(s->verify_mode & SSL_VERIFY_PEER) ||
360 /* if SSL_VERIFY_CLIENT_ONCE is set,
361 * don't request cert during re-negotiation: */
343 ((s->session->peer != NULL) && 362 ((s->session->peer != NULL) &&
344 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) 363 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
364 /* never request cert in anonymous ciphersuites
365 * (see section "Certificate request" in SSL 3 drafts
366 * and in RFC 2246): */
367 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
368 /* ... except when the application insists on verification
369 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
370 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
371 /* never request cert in Kerberos ciphersuites */
372 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
345 { 373 {
346 /* no cert request */ 374 /* no cert request */
347 skip=1; 375 skip=1;
@@ -353,7 +381,12 @@ SSL *s;
353 s->s3->tmp.cert_request=1; 381 s->s3->tmp.cert_request=1;
354 ret=ssl3_send_certificate_request(s); 382 ret=ssl3_send_certificate_request(s);
355 if (ret <= 0) goto end; 383 if (ret <= 0) goto end;
384#ifndef NETSCAPE_HANG_BUG
356 s->state=SSL3_ST_SW_SRVR_DONE_A; 385 s->state=SSL3_ST_SW_SRVR_DONE_A;
386#else
387 s->state=SSL3_ST_SW_FLUSH;
388 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
389#endif
357 s->init_num=0; 390 s->init_num=0;
358 } 391 }
359 break; 392 break;
@@ -383,12 +416,20 @@ SSL *s;
383 416
384 case SSL3_ST_SR_CERT_A: 417 case SSL3_ST_SR_CERT_A:
385 case SSL3_ST_SR_CERT_B: 418 case SSL3_ST_SR_CERT_B:
386 /* could be sent for a DH cert, even if we 419 /* Check for second client hello (MS SGC) */
387 * have not asked for it :-) */ 420 ret = ssl3_check_client_hello(s);
388 ret=ssl3_get_client_certificate(s); 421 if (ret <= 0)
389 if (ret <= 0) goto end; 422 goto end;
390 s->init_num=0; 423 if (ret == 2)
391 s->state=SSL3_ST_SR_KEY_EXCH_A; 424 s->state = SSL3_ST_SR_CLNT_HELLO_C;
425 else {
426 /* could be sent for a DH cert, even if we
427 * have not asked for it :-) */
428 ret=ssl3_get_client_certificate(s);
429 if (ret <= 0) goto end;
430 s->init_num=0;
431 s->state=SSL3_ST_SR_KEY_EXCH_A;
432 }
392 break; 433 break;
393 434
394 case SSL3_ST_SR_KEY_EXCH_A: 435 case SSL3_ST_SR_KEY_EXCH_A:
@@ -402,10 +443,10 @@ SSL *s;
402 * a client cert, it can be verified */ 443 * a client cert, it can be verified */
403 s->method->ssl3_enc->cert_verify_mac(s, 444 s->method->ssl3_enc->cert_verify_mac(s,
404 &(s->s3->finish_dgst1), 445 &(s->s3->finish_dgst1),
405 &(s->s3->tmp.finish_md[0])); 446 &(s->s3->tmp.cert_verify_md[0]));
406 s->method->ssl3_enc->cert_verify_mac(s, 447 s->method->ssl3_enc->cert_verify_mac(s,
407 &(s->s3->finish_dgst2), 448 &(s->s3->finish_dgst2),
408 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH])); 449 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
409 450
410 break; 451 break;
411 452
@@ -459,8 +500,8 @@ SSL *s;
459 case SSL3_ST_SW_FINISHED_B: 500 case SSL3_ST_SW_FINISHED_B:
460 ret=ssl3_send_finished(s, 501 ret=ssl3_send_finished(s,
461 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 502 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
462 s->method->ssl3_enc->server_finished, 503 s->method->ssl3_enc->server_finished_label,
463 s->method->ssl3_enc->server_finished_len); 504 s->method->ssl3_enc->server_finished_label_len);
464 if (ret <= 0) goto end; 505 if (ret <= 0) goto end;
465 s->state=SSL3_ST_SW_FLUSH; 506 s->state=SSL3_ST_SW_FLUSH;
466 if (s->hit) 507 if (s->hit)
@@ -478,26 +519,27 @@ SSL *s;
478 s->init_buf=NULL; 519 s->init_buf=NULL;
479 520
480 /* remove buffering on output */ 521 /* remove buffering on output */
481 under=BIO_pop(s->wbio); 522 ssl_free_wbio_buffer(s);
482 if (under != NULL)
483 s->wbio=under;
484 else
485 abort(); /* ok */
486 BIO_free(s->bbio);
487 s->bbio=NULL;
488 523
489 s->new_session=0;
490 s->init_num=0; 524 s->init_num=0;
491 525
492 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 526 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
493 527 {
494 s->ctx->sess_accept_good++; 528 /* actually not necessarily a 'new' session unless
495 /* s->server=1; */ 529 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
496 s->handshake_func=ssl3_accept; 530
497 ret=1; 531 s->new_session=0;
498 532
499 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 533 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
500 534
535 s->ctx->stats.sess_accept_good++;
536 /* s->server=1; */
537 s->handshake_func=ssl3_accept;
538
539 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
540 }
541
542 ret = 1;
501 goto end; 543 goto end;
502 /* break; */ 544 /* break; */
503 545
@@ -530,21 +572,20 @@ SSL *s;
530end: 572end:
531 /* BIO_flush(s->wbio); */ 573 /* BIO_flush(s->wbio); */
532 574
575 s->in_handshake--;
533 if (cb != NULL) 576 if (cb != NULL)
534 cb(s,SSL_CB_ACCEPT_EXIT,ret); 577 cb(s,SSL_CB_ACCEPT_EXIT,ret);
535 s->in_handshake--;
536 return(ret); 578 return(ret);
537 } 579 }
538 580
539static int ssl3_send_hello_request(s) 581static int ssl3_send_hello_request(SSL *s)
540SSL *s;
541 { 582 {
542 unsigned char *p; 583 unsigned char *p;
543 584
544 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 585 if (s->state == SSL3_ST_SW_HELLO_REQ_A)
545 { 586 {
546 p=(unsigned char *)s->init_buf->data; 587 p=(unsigned char *)s->init_buf->data;
547 *(p++)=SSL3_MT_CLIENT_REQUEST; 588 *(p++)=SSL3_MT_HELLO_REQUEST;
548 *(p++)=0; 589 *(p++)=0;
549 *(p++)=0; 590 *(p++)=0;
550 *(p++)=0; 591 *(p++)=0;
@@ -559,15 +600,48 @@ SSL *s;
559 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 600 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
560 } 601 }
561 602
562static int ssl3_get_client_hello(s) 603static int ssl3_check_client_hello(SSL *s)
563SSL *s; 604 {
605 int ok;
606 long n;
607
608 /* this function is called when we really expect a Certificate message,
609 * so permit appropriate message length */
610 n=ssl3_get_message(s,
611 SSL3_ST_SR_CERT_A,
612 SSL3_ST_SR_CERT_B,
613 -1,
614 s->max_cert_list,
615 &ok);
616 if (!ok) return((int)n);
617 s->s3->tmp.reuse_message = 1;
618 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
619 {
620 /* Throw away what we have done so far in the current handshake,
621 * which will now be aborted. (A full SSL_clear would be too much.)
622 * I hope that tmp.dh is the only thing that may need to be cleared
623 * when a handshake is not completed ... */
624#ifndef OPENSSL_NO_DH
625 if (s->s3->tmp.dh != NULL)
626 {
627 DH_free(s->s3->tmp.dh);
628 s->s3->tmp.dh = NULL;
629 }
630#endif
631 return 2;
632 }
633 return 1;
634}
635
636static int ssl3_get_client_hello(SSL *s)
564 { 637 {
565 int i,j,ok,al,ret= -1; 638 int i,j,ok,al,ret= -1;
566 long n; 639 long n;
567 unsigned long id; 640 unsigned long id;
568 unsigned char *p,*d; 641 unsigned char *p,*d,*q;
569 SSL_CIPHER *c; 642 SSL_CIPHER *c;
570 STACK *ciphers=NULL; 643 SSL_COMP *comp=NULL;
644 STACK_OF(SSL_CIPHER) *ciphers=NULL;
571 645
572 /* We do this so that we will respond with our native type. 646 /* We do this so that we will respond with our native type.
573 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 647 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ -588,13 +662,25 @@ SSL *s;
588 &ok); 662 &ok);
589 663
590 if (!ok) return((int)n); 664 if (!ok) return((int)n);
591 d=p=(unsigned char *)s->init_buf->data; 665 d=p=(unsigned char *)s->init_msg;
592 666
593 /* The version number has already been checked in ssl3_get_message. 667 /* use version from inside client hello, not from record header
594 * I a native TLSv1/SSLv3 method, the match must be correct except 668 * (may differ: see RFC 2246, Appendix E, second paragraph) */
595 * perhaps for the first message */ 669 s->client_version=(((int)p[0])<<8)|(int)p[1];
596 p+=2; 670 p+=2;
597 671
672 if (s->client_version < s->version)
673 {
674 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
675 if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
676 {
677 /* similar to ssl3_get_record, send alert using remote version number */
678 s->version = s->client_version;
679 }
680 al = SSL_AD_PROTOCOL_VERSION;
681 goto f_err;
682 }
683
598 /* load the client random */ 684 /* load the client random */
599 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 685 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
600 p+=SSL3_RANDOM_SIZE; 686 p+=SSL3_RANDOM_SIZE;
@@ -603,7 +689,15 @@ SSL *s;
603 j= *(p++); 689 j= *(p++);
604 690
605 s->hit=0; 691 s->hit=0;
606 if (j == 0) 692 /* Versions before 0.9.7 always allow session reuse during renegotiation
693 * (i.e. when s->new_session is true), option
694 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
695 * Maybe this optional behaviour should always have been the default,
696 * but we cannot safely change the default behaviour (or new applications
697 * might be written that become totally unsecure when compiled with
698 * an earlier library version)
699 */
700 if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
607 { 701 {
608 if (!ssl_get_new_session(s,1)) 702 if (!ssl_get_new_session(s,1))
609 goto err; 703 goto err;
@@ -615,7 +709,9 @@ SSL *s;
615 { /* previous session */ 709 { /* previous session */
616 s->hit=1; 710 s->hit=1;
617 } 711 }
618 else 712 else if (i == -1)
713 goto err;
714 else /* i == 0 */
619 { 715 {
620 if (!ssl_get_new_session(s,1)) 716 if (!ssl_get_new_session(s,1))
621 goto err; 717 goto err;
@@ -631,7 +727,7 @@ SSL *s;
631 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 727 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
632 goto f_err; 728 goto f_err;
633 } 729 }
634 if ((i+p) > (d+n)) 730 if ((p+i) >= (d+n))
635 { 731 {
636 /* not enough data */ 732 /* not enough data */
637 al=SSL_AD_DECODE_ERROR; 733 al=SSL_AD_DECODE_ERROR;
@@ -651,9 +747,16 @@ SSL *s;
651 j=0; 747 j=0;
652 id=s->session->cipher->id; 748 id=s->session->cipher->id;
653 749
654 for (i=0; i<sk_num(ciphers); i++) 750#ifdef CIPHER_DEBUG
751 printf("client sent %d ciphers\n",sk_num(ciphers));
752#endif
753 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
655 { 754 {
656 c=(SSL_CIPHER *)sk_value(ciphers,i); 755 c=sk_SSL_CIPHER_value(ciphers,i);
756#ifdef CIPHER_DEBUG
757 printf("client [%2d of %2d]:%s\n",
758 i,sk_num(ciphers),SSL_CIPHER_get_name(c));
759#endif
657 if (c->id == id) 760 if (c->id == id)
658 { 761 {
659 j=1; 762 j=1;
@@ -662,11 +765,11 @@ SSL *s;
662 } 765 }
663 if (j == 0) 766 if (j == 0)
664 { 767 {
665 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1)) 768 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
666 { 769 {
667 /* Very bad for multi-threading.... */ 770 /* Very bad for multi-threading.... */
668 s->session->cipher= 771 s->session->cipher=sk_SSL_CIPHER_value(ciphers,
669 (SSL_CIPHER *)sk_value(ciphers,0); 772 0);
670 } 773 }
671 else 774 else
672 { 775 {
@@ -681,8 +784,18 @@ SSL *s;
681 784
682 /* compression */ 785 /* compression */
683 i= *(p++); 786 i= *(p++);
787 if ((p+i) > (d+n))
788 {
789 /* not enough data */
790 al=SSL_AD_DECODE_ERROR;
791 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
792 goto f_err;
793 }
794 q=p;
684 for (j=0; j<i; j++) 795 for (j=0; j<i; j++)
796 {
685 if (p[j] == 0) break; 797 if (p[j] == 0) break;
798 }
686 799
687 p+=i; 800 p+=i;
688 if (j >= i) 801 if (j >= i)
@@ -693,10 +806,39 @@ SSL *s;
693 goto f_err; 806 goto f_err;
694 } 807 }
695 808
809 /* Worst case, we will use the NULL compression, but if we have other
810 * options, we will now look for them. We have i-1 compression
811 * algorithms from the client, starting at q. */
812 s->s3->tmp.new_compression=NULL;
813 if (s->ctx->comp_methods != NULL)
814 { /* See if we have a match */
815 int m,nn,o,v,done=0;
816
817 nn=sk_SSL_COMP_num(s->ctx->comp_methods);
818 for (m=0; m<nn; m++)
819 {
820 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
821 v=comp->id;
822 for (o=0; o<i; o++)
823 {
824 if (v == q[o])
825 {
826 done=1;
827 break;
828 }
829 }
830 if (done) break;
831 }
832 if (done)
833 s->s3->tmp.new_compression=comp;
834 else
835 comp=NULL;
836 }
837
696 /* TLS does not mind if there is extra stuff */ 838 /* TLS does not mind if there is extra stuff */
697 if (s->version == SSL3_VERSION) 839 if (s->version == SSL3_VERSION)
698 { 840 {
699 if (p > (d+n)) 841 if (p < (d+n))
700 { 842 {
701 /* wrong number of bytes, 843 /* wrong number of bytes,
702 * there could be more to follow */ 844 * there could be more to follow */
@@ -706,15 +848,14 @@ SSL *s;
706 } 848 }
707 } 849 }
708 850
709 /* do nothing with compression */ 851 /* Given s->session->ciphers and SSL_get_ciphers, we must
710
711 /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
712 * pick a cipher */ 852 * pick a cipher */
713 853
714 if (!s->hit) 854 if (!s->hit)
715 { 855 {
856 s->session->compress_meth=(comp == NULL)?0:comp->id;
716 if (s->session->ciphers != NULL) 857 if (s->session->ciphers != NULL)
717 sk_free(s->session->ciphers); 858 sk_SSL_CIPHER_free(s->session->ciphers);
718 s->session->ciphers=ciphers; 859 s->session->ciphers=ciphers;
719 if (ciphers == NULL) 860 if (ciphers == NULL)
720 { 861 {
@@ -724,7 +865,7 @@ SSL *s;
724 } 865 }
725 ciphers=NULL; 866 ciphers=NULL;
726 c=ssl3_choose_cipher(s,s->session->ciphers, 867 c=ssl3_choose_cipher(s,s->session->ciphers,
727 ssl_get_ciphers_by_id(s)); 868 SSL_get_ciphers(s));
728 869
729 if (c == NULL) 870 if (c == NULL)
730 { 871 {
@@ -738,19 +879,19 @@ SSL *s;
738 { 879 {
739 /* Session-id reuse */ 880 /* Session-id reuse */
740#ifdef REUSE_CIPHER_BUG 881#ifdef REUSE_CIPHER_BUG
741 STACK *sk; 882 STACK_OF(SSL_CIPHER) *sk;
742 SSL_CIPHER *nc=NULL; 883 SSL_CIPHER *nc=NULL;
743 SSL_CIPHER *ec=NULL; 884 SSL_CIPHER *ec=NULL;
744 885
745 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 886 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
746 { 887 {
747 sk=s->session->ciphers; 888 sk=s->session->ciphers;
748 for (i=0; i<sk_num(sk); i++) 889 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
749 { 890 {
750 c=(SSL_CIPHER *)sk_value(sk,i); 891 c=sk_SSL_CIPHER_value(sk,i);
751 if (c->algorithms & SSL_eNULL) 892 if (c->algorithms & SSL_eNULL)
752 nc=c; 893 nc=c;
753 if (c->algorithms & SSL_EXP) 894 if (SSL_C_IS_EXPORT(c))
754 ec=c; 895 ec=c;
755 } 896 }
756 if (nc != NULL) 897 if (nc != NULL)
@@ -772,7 +913,7 @@ SSL *s;
772 * compression - basically ignored right now 913 * compression - basically ignored right now
773 * ssl version is set - sslv3 914 * ssl version is set - sslv3
774 * s->session - The ssl session has been setup. 915 * s->session - The ssl session has been setup.
775 * s->hit - sesson reuse flag 916 * s->hit - session reuse flag
776 * s->tmp.new_cipher - the new cipher to use. 917 * s->tmp.new_cipher - the new cipher to use.
777 */ 918 */
778 919
@@ -783,12 +924,11 @@ f_err:
783 ssl3_send_alert(s,SSL3_AL_FATAL,al); 924 ssl3_send_alert(s,SSL3_AL_FATAL,al);
784 } 925 }
785err: 926err:
786 if (ciphers != NULL) sk_free(ciphers); 927 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
787 return(ret); 928 return(ret);
788 } 929 }
789 930
790static int ssl3_send_server_hello(s) 931static int ssl3_send_server_hello(SSL *s)
791SSL *s;
792 { 932 {
793 unsigned char *buf; 933 unsigned char *buf;
794 unsigned char *p,*d; 934 unsigned char *p,*d;
@@ -801,7 +941,7 @@ SSL *s;
801 p=s->s3->server_random; 941 p=s->s3->server_random;
802 Time=time(NULL); /* Time */ 942 Time=time(NULL); /* Time */
803 l2n(Time,p); 943 l2n(Time,p);
804 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 944 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
805 /* Do the message type and length last */ 945 /* Do the message type and length last */
806 d=p= &(buf[4]); 946 d=p= &(buf[4]);
807 947
@@ -833,7 +973,10 @@ SSL *s;
833 p+=i; 973 p+=i;
834 974
835 /* put the compression method */ 975 /* put the compression method */
836 *(p++)=0; 976 if (s->s3->tmp.new_compression == NULL)
977 *(p++)=0;
978 else
979 *(p++)=s->s3->tmp.new_compression->id;
837 980
838 /* do the header */ 981 /* do the header */
839 l=(p-d); 982 l=(p-d);
@@ -851,8 +994,7 @@ SSL *s;
851 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 994 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
852 } 995 }
853 996
854static int ssl3_send_server_done(s) 997static int ssl3_send_server_done(SSL *s)
855SSL *s;
856 { 998 {
857 unsigned char *p; 999 unsigned char *p;
858 1000
@@ -876,17 +1018,17 @@ SSL *s;
876 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1018 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
877 } 1019 }
878 1020
879static int ssl3_send_server_key_exchange(s) 1021static int ssl3_send_server_key_exchange(SSL *s)
880SSL *s;
881 { 1022 {
882#ifndef NO_RSA 1023#ifndef OPENSSL_NO_RSA
883 unsigned char *q; 1024 unsigned char *q;
884 int j,num; 1025 int j,num;
885 RSA *rsa; 1026 RSA *rsa;
886 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1027 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
1028 unsigned int u;
887#endif 1029#endif
888#ifndef NO_DH 1030#ifndef OPENSSL_NO_DH
889 DH *dh,*dhp; 1031 DH *dh=NULL,*dhp;
890#endif 1032#endif
891 EVP_PKEY *pkey; 1033 EVP_PKEY *pkey;
892 unsigned char *p,*d; 1034 unsigned char *p,*d;
@@ -899,25 +1041,32 @@ SSL *s;
899 BUF_MEM *buf; 1041 BUF_MEM *buf;
900 EVP_MD_CTX md_ctx; 1042 EVP_MD_CTX md_ctx;
901 1043
1044 EVP_MD_CTX_init(&md_ctx);
902 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1045 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
903 { 1046 {
904 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1047 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
905 cert=s->session->cert; 1048 cert=s->cert;
906 1049
907 buf=s->init_buf; 1050 buf=s->init_buf;
908 1051
909 r[0]=r[1]=r[2]=r[3]=NULL; 1052 r[0]=r[1]=r[2]=r[3]=NULL;
910 n=0; 1053 n=0;
911#ifndef NO_RSA 1054#ifndef OPENSSL_NO_RSA
912 if (type & SSL_kRSA) 1055 if (type & SSL_kRSA)
913 { 1056 {
914 rsa=cert->rsa_tmp; 1057 rsa=cert->rsa_tmp;
915 if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) 1058 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
1059 {
1060 rsa=s->cert->rsa_tmp_cb(s,
1061 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1062 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1063 if(rsa == NULL)
916 { 1064 {
917 rsa=s->ctx->default_cert->rsa_tmp_cb(s, 1065 al=SSL_AD_HANDSHAKE_FAILURE;
918 (s->s3->tmp.new_cipher->algorithms| 1066 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
919 SSL_NOT_EXP)?0:1); 1067 goto f_err;
920 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); 1068 }
1069 RSA_up_ref(rsa);
921 cert->rsa_tmp=rsa; 1070 cert->rsa_tmp=rsa;
922 } 1071 }
923 if (rsa == NULL) 1072 if (rsa == NULL)
@@ -932,20 +1081,28 @@ SSL *s;
932 } 1081 }
933 else 1082 else
934#endif 1083#endif
935#ifndef NO_DH 1084#ifndef OPENSSL_NO_DH
936 if (type & SSL_kEDH) 1085 if (type & SSL_kEDH)
937 { 1086 {
938 dhp=cert->dh_tmp; 1087 dhp=cert->dh_tmp;
939 if ((dhp == NULL) && (cert->dh_tmp_cb != NULL)) 1088 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
940 dhp=cert->dh_tmp_cb(s, 1089 dhp=s->cert->dh_tmp_cb(s,
941 (s->s3->tmp.new_cipher->algorithms| 1090 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
942 SSL_NOT_EXP)?0:1); 1091 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
943 if (dhp == NULL) 1092 if (dhp == NULL)
944 { 1093 {
945 al=SSL_AD_HANDSHAKE_FAILURE; 1094 al=SSL_AD_HANDSHAKE_FAILURE;
946 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 1095 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
947 goto f_err; 1096 goto f_err;
948 } 1097 }
1098
1099 if (s->s3->tmp.dh != NULL)
1100 {
1101 DH_free(dh);
1102 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1103 goto err;
1104 }
1105
949 if ((dh=DHparams_dup(dhp)) == NULL) 1106 if ((dh=DHparams_dup(dhp)) == NULL)
950 { 1107 {
951 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1108 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
@@ -953,13 +1110,16 @@ SSL *s;
953 } 1110 }
954 1111
955 s->s3->tmp.dh=dh; 1112 s->s3->tmp.dh=dh;
956 if (((dhp->pub_key == NULL) || 1113 if ((dhp->pub_key == NULL ||
957 (dhp->priv_key == NULL) || 1114 dhp->priv_key == NULL ||
958 (s->options & SSL_OP_SINGLE_DH_USE)) && 1115 (s->options & SSL_OP_SINGLE_DH_USE)))
959 (!DH_generate_key(dh)))
960 { 1116 {
961 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 1117 if(!DH_generate_key(dh))
962 goto err; 1118 {
1119 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1120 ERR_R_DH_LIB);
1121 goto err;
1122 }
963 } 1123 }
964 else 1124 else
965 { 1125 {
@@ -1025,40 +1185,39 @@ SSL *s;
1025 { 1185 {
1026 /* n is the length of the params, they start at &(d[4]) 1186 /* n is the length of the params, they start at &(d[4])
1027 * and p points to the space at the end. */ 1187 * and p points to the space at the end. */
1028#ifndef NO_RSA 1188#ifndef OPENSSL_NO_RSA
1029 if (pkey->type == EVP_PKEY_RSA) 1189 if (pkey->type == EVP_PKEY_RSA)
1030 { 1190 {
1031 q=md_buf; 1191 q=md_buf;
1032 j=0; 1192 j=0;
1033 for (num=2; num > 0; num--) 1193 for (num=2; num > 0; num--)
1034 { 1194 {
1035 EVP_DigestInit(&md_ctx,(num == 2) 1195 EVP_DigestInit_ex(&md_ctx,(num == 2)
1036 ?s->ctx->md5:s->ctx->sha1); 1196 ?s->ctx->md5:s->ctx->sha1, NULL);
1037 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1197 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1038 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1198 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1039 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1199 EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1040 EVP_DigestFinal(&md_ctx,q, 1200 EVP_DigestFinal_ex(&md_ctx,q,
1041 (unsigned int *)&i); 1201 (unsigned int *)&i);
1042 q+=i; 1202 q+=i;
1043 j+=i; 1203 j+=i;
1044 } 1204 }
1045 i=RSA_private_encrypt(j,md_buf,&(p[2]), 1205 if (RSA_sign(NID_md5_sha1, md_buf, j,
1046 pkey->pkey.rsa,RSA_PKCS1_PADDING); 1206 &(p[2]), &u, pkey->pkey.rsa) <= 0)
1047 if (i <= 0)
1048 { 1207 {
1049 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 1208 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1050 goto err; 1209 goto err;
1051 } 1210 }
1052 s2n(i,p); 1211 s2n(u,p);
1053 n+=i+2; 1212 n+=u+2;
1054 } 1213 }
1055 else 1214 else
1056#endif 1215#endif
1057#if !defined(NO_DSA) 1216#if !defined(OPENSSL_NO_DSA)
1058 if (pkey->type == EVP_PKEY_DSA) 1217 if (pkey->type == EVP_PKEY_DSA)
1059 { 1218 {
1060 /* lets do DSS */ 1219 /* lets do DSS */
1061 EVP_SignInit(&md_ctx,EVP_dss1()); 1220 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
1062 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1221 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1063 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1222 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1064 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1223 EVP_SignUpdate(&md_ctx,&(d[4]),n);
@@ -1090,20 +1249,21 @@ SSL *s;
1090 s->init_off=0; 1249 s->init_off=0;
1091 } 1250 }
1092 1251
1093 /* SSL3_ST_SW_KEY_EXCH_B */ 1252 s->state = SSL3_ST_SW_KEY_EXCH_B;
1253 EVP_MD_CTX_cleanup(&md_ctx);
1094 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1254 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1095f_err: 1255f_err:
1096 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1256 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1097err: 1257err:
1258 EVP_MD_CTX_cleanup(&md_ctx);
1098 return(-1); 1259 return(-1);
1099 } 1260 }
1100 1261
1101static int ssl3_send_certificate_request(s) 1262static int ssl3_send_certificate_request(SSL *s)
1102SSL *s;
1103 { 1263 {
1104 unsigned char *p,*d; 1264 unsigned char *p,*d;
1105 int i,j,nl,off,n; 1265 int i,j,nl,off,n;
1106 STACK *sk=NULL; 1266 STACK_OF(X509_NAME) *sk=NULL;
1107 X509_NAME *name; 1267 X509_NAME *name;
1108 BUF_MEM *buf; 1268 BUF_MEM *buf;
1109 1269
@@ -1128,9 +1288,9 @@ SSL *s;
1128 nl=0; 1288 nl=0;
1129 if (sk != NULL) 1289 if (sk != NULL)
1130 { 1290 {
1131 for (i=0; i<sk_num(sk); i++) 1291 for (i=0; i<sk_X509_NAME_num(sk); i++)
1132 { 1292 {
1133 name=(X509_NAME *)sk_value(sk,i); 1293 name=sk_X509_NAME_value(sk,i);
1134 j=i2d_X509_NAME(name,NULL); 1294 j=i2d_X509_NAME(name,NULL);
1135 if (!BUF_MEM_grow(buf,4+n+j+2)) 1295 if (!BUF_MEM_grow(buf,4+n+j+2))
1136 { 1296 {
@@ -1168,6 +1328,17 @@ SSL *s;
1168 1328
1169 s->init_num=n+4; 1329 s->init_num=n+4;
1170 s->init_off=0; 1330 s->init_off=0;
1331#ifdef NETSCAPE_HANG_BUG
1332 p=(unsigned char *)s->init_buf->data + s->init_num;
1333
1334 /* do the header */
1335 *(p++)=SSL3_MT_SERVER_DONE;
1336 *(p++)=0;
1337 *(p++)=0;
1338 *(p++)=0;
1339 s->init_num += 4;
1340#endif
1341
1171 } 1342 }
1172 1343
1173 /* SSL3_ST_SW_CERT_REQ_B */ 1344 /* SSL3_ST_SW_CERT_REQ_B */
@@ -1176,44 +1347,44 @@ err:
1176 return(-1); 1347 return(-1);
1177 } 1348 }
1178 1349
1179static int ssl3_get_client_key_exchange(s) 1350static int ssl3_get_client_key_exchange(SSL *s)
1180SSL *s;
1181 { 1351 {
1182 int i,al,ok; 1352 int i,al,ok;
1183 long n; 1353 long n;
1184 unsigned long l; 1354 unsigned long l;
1185 unsigned char *p; 1355 unsigned char *p;
1356#ifndef OPENSSL_NO_RSA
1186 RSA *rsa=NULL; 1357 RSA *rsa=NULL;
1187 EVP_PKEY *pkey=NULL; 1358 EVP_PKEY *pkey=NULL;
1188#ifndef NO_DH 1359#endif
1360#ifndef OPENSSL_NO_DH
1189 BIGNUM *pub=NULL; 1361 BIGNUM *pub=NULL;
1190 DH *dh_srvr; 1362 DH *dh_srvr;
1191#endif 1363#endif
1364#ifndef OPENSSL_NO_KRB5
1365 KSSL_ERR kssl_err;
1366#endif /* OPENSSL_NO_KRB5 */
1192 1367
1193 n=ssl3_get_message(s, 1368 n=ssl3_get_message(s,
1194 SSL3_ST_SR_KEY_EXCH_A, 1369 SSL3_ST_SR_KEY_EXCH_A,
1195 SSL3_ST_SR_KEY_EXCH_B, 1370 SSL3_ST_SR_KEY_EXCH_B,
1196 SSL3_MT_CLIENT_KEY_EXCHANGE, 1371 SSL3_MT_CLIENT_KEY_EXCHANGE,
1197 400, /* ???? */ 1372 2048, /* ??? */
1198 &ok); 1373 &ok);
1199 1374
1200 if (!ok) return((int)n); 1375 if (!ok) return((int)n);
1201 p=(unsigned char *)s->init_buf->data; 1376 p=(unsigned char *)s->init_msg;
1202 1377
1203 l=s->s3->tmp.new_cipher->algorithms; 1378 l=s->s3->tmp.new_cipher->algorithms;
1204 1379
1205#ifndef NO_RSA 1380#ifndef OPENSSL_NO_RSA
1206 if (l & SSL_kRSA) 1381 if (l & SSL_kRSA)
1207 { 1382 {
1208 /* FIX THIS UP EAY EAY EAY EAY */ 1383 /* FIX THIS UP EAY EAY EAY EAY */
1209 if (s->s3->tmp.use_rsa_tmp) 1384 if (s->s3->tmp.use_rsa_tmp)
1210 { 1385 {
1211 if ((s->session->cert != NULL) && 1386 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
1212 (s->session->cert->rsa_tmp != NULL)) 1387 rsa=s->cert->rsa_tmp;
1213 rsa=s->session->cert->rsa_tmp;
1214 else if ((s->ctx->default_cert != NULL) &&
1215 (s->ctx->default_cert->rsa_tmp != NULL))
1216 rsa=s->ctx->default_cert->rsa_tmp;
1217 /* Don't do a callback because rsa_tmp should 1388 /* Don't do a callback because rsa_tmp should
1218 * be sent already */ 1389 * be sent already */
1219 if (rsa == NULL) 1390 if (rsa == NULL)
@@ -1258,33 +1429,53 @@ SSL *s;
1258 1429
1259 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 1430 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1260 1431
1261#if 1 1432 al = -1;
1262 /* If a bad decrypt, use a dud master key */ 1433
1263 if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
1264 ((p[0] != (s->version>>8)) ||
1265 (p[1] != (s->version & 0xff))))
1266 {
1267 p[0]=(s->version>>8);
1268 p[1]=(s->version & 0xff);
1269 RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1270 i=SSL_MAX_MASTER_KEY_LENGTH;
1271 }
1272#else
1273 if (i != SSL_MAX_MASTER_KEY_LENGTH) 1434 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1274 { 1435 {
1275 al=SSL_AD_DECODE_ERROR; 1436 al=SSL_AD_DECODE_ERROR;
1276 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 1437 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1277 goto f_err;
1278 } 1438 }
1279 1439
1280 if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff))) 1440 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
1281 { 1441 {
1282 al=SSL_AD_DECODE_ERROR; 1442 /* The premaster secret must contain the same version number as the
1283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1443 * ClientHello to detect version rollback attacks (strangely, the
1284 goto f_err; 1444 * protocol does not offer such protection for DH ciphersuites).
1445 * However, buggy clients exist that send the negotiated protocol
1446 * version instead if the server does not support the requested
1447 * protocol version.
1448 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
1449 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
1450 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
1451 {
1452 al=SSL_AD_DECODE_ERROR;
1453 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1454 goto f_err;
1455 }
1285 } 1456 }
1286#endif
1287 1457
1458 if (al != -1)
1459 {
1460#if 0
1461 goto f_err;
1462#else
1463 /* Some decryption failure -- use random value instead as countermeasure
1464 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
1465 * (see RFC 2246, section 7.4.7.1).
1466 * But note that due to length and protocol version checking, the
1467 * attack is impractical anyway (see section 5 in D. Bleichenbacher:
1468 * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
1469 * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
1470 */
1471 ERR_clear_error();
1472 i = SSL_MAX_MASTER_KEY_LENGTH;
1473 p[0] = s->client_version >> 8;
1474 p[1] = s->client_version & 0xff;
1475 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
1476#endif
1477 }
1478
1288 s->session->master_key_length= 1479 s->session->master_key_length=
1289 s->method->ssl3_enc->generate_master_secret(s, 1480 s->method->ssl3_enc->generate_master_secret(s,
1290 s->session->master_key, 1481 s->session->master_key,
@@ -1293,7 +1484,7 @@ SSL *s;
1293 } 1484 }
1294 else 1485 else
1295#endif 1486#endif
1296#ifndef NO_DH 1487#ifndef OPENSSL_NO_DH
1297 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1488 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1298 { 1489 {
1299 n2s(p,i); 1490 n2s(p,i);
@@ -1352,26 +1543,175 @@ SSL *s;
1352 s->session->master_key_length= 1543 s->session->master_key_length=
1353 s->method->ssl3_enc->generate_master_secret(s, 1544 s->method->ssl3_enc->generate_master_secret(s,
1354 s->session->master_key,p,i); 1545 s->session->master_key,p,i);
1546 memset(p,0,i);
1355 } 1547 }
1356 else 1548 else
1357#endif 1549#endif
1550#ifndef OPENSSL_NO_KRB5
1551 if (l & SSL_kKRB5)
1552 {
1553 krb5_error_code krb5rc;
1554 krb5_data enc_ticket;
1555 krb5_data authenticator;
1556 krb5_data enc_pms;
1557 KSSL_CTX *kssl_ctx = s->kssl_ctx;
1558 EVP_CIPHER_CTX ciph_ctx;
1559 EVP_CIPHER *enc = NULL;
1560 unsigned char iv[EVP_MAX_IV_LENGTH];
1561 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
1562 + EVP_MAX_IV_LENGTH + 1];
1563 int padl, outl = sizeof(pms);
1564 krb5_timestamp authtime = 0;
1565 krb5_ticket_times ttimes;
1566
1567 EVP_CIPHER_CTX_init(&ciph_ctx);
1568
1569 if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
1570
1571 n2s(p,i);
1572 enc_ticket.length = i;
1573 enc_ticket.data = (char *)p;
1574 p+=enc_ticket.length;
1575
1576 n2s(p,i);
1577 authenticator.length = i;
1578 authenticator.data = (char *)p;
1579 p+=authenticator.length;
1580
1581 n2s(p,i);
1582 enc_pms.length = i;
1583 enc_pms.data = (char *)p;
1584 p+=enc_pms.length;
1585
1586 if (n != enc_ticket.length + authenticator.length +
1587 enc_pms.length + 6)
1588 {
1589 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1590 SSL_R_DATA_LENGTH_TOO_LONG);
1591 goto err;
1592 }
1593
1594 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
1595 &kssl_err)) != 0)
1596 {
1597#ifdef KSSL_DEBUG
1598 printf("kssl_sget_tkt rtn %d [%d]\n",
1599 krb5rc, kssl_err.reason);
1600 if (kssl_err.text)
1601 printf("kssl_err text= %s\n", kssl_err.text);
1602#endif /* KSSL_DEBUG */
1603 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1604 kssl_err.reason);
1605 goto err;
1606 }
1607
1608 /* Note: no authenticator is not considered an error,
1609 ** but will return authtime == 0.
1610 */
1611 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
1612 &authtime, &kssl_err)) != 0)
1613 {
1614#ifdef KSSL_DEBUG
1615 printf("kssl_check_authent rtn %d [%d]\n",
1616 krb5rc, kssl_err.reason);
1617 if (kssl_err.text)
1618 printf("kssl_err text= %s\n", kssl_err.text);
1619#endif /* KSSL_DEBUG */
1620 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1621 kssl_err.reason);
1622 goto err;
1623 }
1624
1625 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
1626 {
1627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
1628 goto err;
1629 }
1630
1631#ifdef KSSL_DEBUG
1632 kssl_ctx_show(kssl_ctx);
1633#endif /* KSSL_DEBUG */
1634
1635 enc = kssl_map_enc(kssl_ctx->enctype);
1636 if (enc == NULL)
1637 goto err;
1638
1639 memset(iv, 0, EVP_MAX_IV_LENGTH); /* per RFC 1510 */
1640
1641 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
1642 {
1643 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1644 SSL_R_DECRYPTION_FAILED);
1645 goto err;
1646 }
1647 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
1648 (unsigned char *)enc_pms.data, enc_pms.length))
1649 {
1650 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1651 SSL_R_DECRYPTION_FAILED);
1652 goto err;
1653 }
1654 if (outl > SSL_MAX_MASTER_KEY_LENGTH)
1655 {
1656 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1657 SSL_R_DATA_LENGTH_TOO_LONG);
1658 goto err;
1659 }
1660 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl))
1661 {
1662 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1663 SSL_R_DECRYPTION_FAILED);
1664 goto err;
1665 }
1666 outl += padl;
1667 if (outl > SSL_MAX_MASTER_KEY_LENGTH)
1668 {
1669 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1670 SSL_R_DATA_LENGTH_TOO_LONG);
1671 goto err;
1672 }
1673 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1674
1675 s->session->master_key_length=
1676 s->method->ssl3_enc->generate_master_secret(s,
1677 s->session->master_key, pms, outl);
1678
1679 if (kssl_ctx->client_princ)
1680 {
1681 int len = strlen(kssl_ctx->client_princ);
1682 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
1683 {
1684 s->session->krb5_client_princ_len = len;
1685 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
1686 }
1687 }
1688
1689
1690 /* Was doing kssl_ctx_free() here,
1691 ** but it caused problems for apache.
1692 ** kssl_ctx = kssl_ctx_free(kssl_ctx);
1693 ** if (s->kssl_ctx) s->kssl_ctx = NULL;
1694 */
1695 }
1696 else
1697#endif /* OPENSSL_NO_KRB5 */
1358 { 1698 {
1359 al=SSL_AD_HANDSHAKE_FAILURE; 1699 al=SSL_AD_HANDSHAKE_FAILURE;
1360 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE); 1700 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1701 SSL_R_UNKNOWN_CIPHER_TYPE);
1361 goto f_err; 1702 goto f_err;
1362 } 1703 }
1363 1704
1364 return(1); 1705 return(1);
1365f_err: 1706f_err:
1366 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1707 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1367#if !defined(NO_DH) || !defined(NO_RSA) 1708#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA)
1368err: 1709err:
1369#endif 1710#endif
1370 return(-1); 1711 return(-1);
1371 } 1712 }
1372 1713
1373static int ssl3_get_cert_verify(s) 1714static int ssl3_get_cert_verify(SSL *s)
1374SSL *s;
1375 { 1715 {
1376 EVP_PKEY *pkey=NULL; 1716 EVP_PKEY *pkey=NULL;
1377 unsigned char *p; 1717 unsigned char *p;
@@ -1436,7 +1776,7 @@ SSL *s;
1436 } 1776 }
1437 1777
1438 /* we now have a signature that we need to verify */ 1778 /* we now have a signature that we need to verify */
1439 p=(unsigned char *)s->init_buf->data; 1779 p=(unsigned char *)s->init_msg;
1440 n2s(p,i); 1780 n2s(p,i);
1441 n-=2; 1781 n-=2;
1442 if (i > n) 1782 if (i > n)
@@ -1454,19 +1794,19 @@ SSL *s;
1454 goto f_err; 1794 goto f_err;
1455 } 1795 }
1456 1796
1457#ifndef NO_RSA 1797#ifndef OPENSSL_NO_RSA
1458 if (pkey->type == EVP_PKEY_RSA) 1798 if (pkey->type == EVP_PKEY_RSA)
1459 { 1799 {
1460 i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING); 1800 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
1801 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i,
1802 pkey->pkey.rsa);
1461 if (i < 0) 1803 if (i < 0)
1462 { 1804 {
1463 al=SSL_AD_DECRYPT_ERROR; 1805 al=SSL_AD_DECRYPT_ERROR;
1464 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT); 1806 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1465 goto f_err; 1807 goto f_err;
1466 } 1808 }
1467 if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) || 1809 if (i == 0)
1468 memcmp(&(s->s3->tmp.finish_md[0]),p,
1469 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
1470 { 1810 {
1471 al=SSL_AD_DECRYPT_ERROR; 1811 al=SSL_AD_DECRYPT_ERROR;
1472 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE); 1812 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
@@ -1475,11 +1815,11 @@ SSL *s;
1475 } 1815 }
1476 else 1816 else
1477#endif 1817#endif
1478#ifndef NO_DSA 1818#ifndef OPENSSL_NO_DSA
1479 if (pkey->type == EVP_PKEY_DSA) 1819 if (pkey->type == EVP_PKEY_DSA)
1480 { 1820 {
1481 j=DSA_verify(pkey->save_type, 1821 j=DSA_verify(pkey->save_type,
1482 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]), 1822 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
1483 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 1823 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1484 if (j <= 0) 1824 if (j <= 0)
1485 { 1825 {
@@ -1492,7 +1832,7 @@ SSL *s;
1492 else 1832 else
1493#endif 1833#endif
1494 { 1834 {
1495 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR); 1835 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
1496 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 1836 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1497 goto f_err; 1837 goto f_err;
1498 } 1838 }
@@ -1505,27 +1845,23 @@ f_err:
1505 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1845 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1506 } 1846 }
1507end: 1847end:
1848 EVP_PKEY_free(pkey);
1508 return(ret); 1849 return(ret);
1509 } 1850 }
1510 1851
1511static int ssl3_get_client_certificate(s) 1852static int ssl3_get_client_certificate(SSL *s)
1512SSL *s;
1513 { 1853 {
1514 int i,ok,al,ret= -1; 1854 int i,ok,al,ret= -1;
1515 X509 *x=NULL; 1855 X509 *x=NULL;
1516 unsigned long l,nc,llen,n; 1856 unsigned long l,nc,llen,n;
1517 unsigned char *p,*d,*q; 1857 unsigned char *p,*d,*q;
1518 STACK *sk=NULL; 1858 STACK_OF(X509) *sk=NULL;
1519 1859
1520 n=ssl3_get_message(s, 1860 n=ssl3_get_message(s,
1521 SSL3_ST_SR_CERT_A, 1861 SSL3_ST_SR_CERT_A,
1522 SSL3_ST_SR_CERT_B, 1862 SSL3_ST_SR_CERT_B,
1523 -1, 1863 -1,
1524#if defined(MSDOS) && !defined(WIN32) 1864 s->max_cert_list,
1525 1024*30, /* 30k max cert list :-) */
1526#else
1527 1024*100, /* 100k max cert list :-) */
1528#endif
1529 &ok); 1865 &ok);
1530 1866
1531 if (!ok) return((int)n); 1867 if (!ok) return((int)n);
@@ -1539,7 +1875,7 @@ SSL *s;
1539 al=SSL_AD_HANDSHAKE_FAILURE; 1875 al=SSL_AD_HANDSHAKE_FAILURE;
1540 goto f_err; 1876 goto f_err;
1541 } 1877 }
1542 /* If tls asked for a client cert we must return a 0 list */ 1878 /* If tls asked for a client cert, the client must return a 0 list */
1543 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 1879 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1544 { 1880 {
1545 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 1881 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
@@ -1556,9 +1892,9 @@ SSL *s;
1556 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 1892 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1557 goto f_err; 1893 goto f_err;
1558 } 1894 }
1559 d=p=(unsigned char *)s->init_buf->data; 1895 d=p=(unsigned char *)s->init_msg;
1560 1896
1561 if ((sk=sk_new_null()) == NULL) 1897 if ((sk=sk_X509_new_null()) == NULL)
1562 { 1898 {
1563 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1899 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1564 goto err; 1900 goto err;
@@ -1594,7 +1930,7 @@ SSL *s;
1594 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1930 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1595 goto f_err; 1931 goto f_err;
1596 } 1932 }
1597 if (!sk_push(sk,(char *)x)) 1933 if (!sk_X509_push(sk,x))
1598 { 1934 {
1599 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1935 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1600 goto err; 1936 goto err;
@@ -1603,7 +1939,7 @@ SSL *s;
1603 nc+=l+3; 1939 nc+=l+3;
1604 } 1940 }
1605 1941
1606 if (sk_num(sk) <= 0) 1942 if (sk_X509_num(sk) <= 0)
1607 { 1943 {
1608 /* TLS does not mind 0 certs returned */ 1944 /* TLS does not mind 0 certs returned */
1609 if (s->version == SSL3_VERSION) 1945 if (s->version == SSL3_VERSION)
@@ -1632,10 +1968,29 @@ SSL *s;
1632 } 1968 }
1633 } 1969 }
1634 1970
1635 /* This should not be needed */ 1971 if (s->session->peer != NULL) /* This should not be needed */
1636 if (s->session->peer != NULL)
1637 X509_free(s->session->peer); 1972 X509_free(s->session->peer);
1638 s->session->peer=(X509 *)sk_shift(sk); 1973 s->session->peer=sk_X509_shift(sk);
1974 s->session->verify_result = s->verify_result;
1975
1976 /* With the current implementation, sess_cert will always be NULL
1977 * when we arrive here. */
1978 if (s->session->sess_cert == NULL)
1979 {
1980 s->session->sess_cert = ssl_sess_cert_new();
1981 if (s->session->sess_cert == NULL)
1982 {
1983 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1984 goto err;
1985 }
1986 }
1987 if (s->session->sess_cert->cert_chain != NULL)
1988 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
1989 s->session->sess_cert->cert_chain=sk;
1990 /* Inconsistency alert: cert_chain does *not* include the
1991 * peer's own certificate, while we do include it in s3_clnt.c */
1992
1993 sk=NULL;
1639 1994
1640 ret=1; 1995 ret=1;
1641 if (0) 1996 if (0)
@@ -1645,12 +2000,11 @@ f_err:
1645 } 2000 }
1646err: 2001err:
1647 if (x != NULL) X509_free(x); 2002 if (x != NULL) X509_free(x);
1648 if (sk != NULL) sk_pop_free(sk,X509_free); 2003 if (sk != NULL) sk_X509_pop_free(sk,X509_free);
1649 return(ret); 2004 return(ret);
1650 } 2005 }
1651 2006
1652int ssl3_send_server_certificate(s) 2007int ssl3_send_server_certificate(SSL *s)
1653SSL *s;
1654 { 2008 {
1655 unsigned long l; 2009 unsigned long l;
1656 X509 *x; 2010 X509 *x;
@@ -1658,9 +2012,13 @@ SSL *s;
1658 if (s->state == SSL3_ST_SW_CERT_A) 2012 if (s->state == SSL3_ST_SW_CERT_A)
1659 { 2013 {
1660 x=ssl_get_server_send_cert(s); 2014 x=ssl_get_server_send_cert(s);
1661 if (x == NULL) 2015 if (x == NULL &&
2016 /* VRS: allow null cert if auth == KRB5 */
2017 (s->s3->tmp.new_cipher->algorithms
2018 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
2019 != (SSL_aKRB5|SSL_kKRB5))
1662 { 2020 {
1663 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR); 2021 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
1664 return(0); 2022 return(0);
1665 } 2023 }
1666 2024
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 16:38:39 +0000