summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c937
1 files changed, 91 insertions, 846 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 903522ab59..36fc39d7f8 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -108,23 +108,11 @@
108 * Hudson (tjh@cryptsoft.com). 108 * Hudson (tjh@cryptsoft.com).
109 * 109 *
110 */ 110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124 111
125#define REUSE_CIPHER_BUG 112#define REUSE_CIPHER_BUG
126#define NETSCAPE_HANG_BUG 113#define NETSCAPE_HANG_BUG
127 114
115
128#include <stdio.h> 116#include <stdio.h>
129#include "ssl_locl.h" 117#include "ssl_locl.h"
130#include "kssl_lcl.h" 118#include "kssl_lcl.h"
@@ -132,21 +120,24 @@
132#include <openssl/rand.h> 120#include <openssl/rand.h>
133#include <openssl/objects.h> 121#include <openssl/objects.h>
134#include <openssl/evp.h> 122#include <openssl/evp.h>
135#include <openssl/hmac.h>
136#include <openssl/x509.h> 123#include <openssl/x509.h>
137#ifndef OPENSSL_NO_DH
138#include <openssl/dh.h>
139#endif
140#include <openssl/bn.h>
141#ifndef OPENSSL_NO_KRB5 124#ifndef OPENSSL_NO_KRB5
142#include <openssl/krb5_asn.h> 125#include <openssl/krb5_asn.h>
143#endif 126#endif
144#include <openssl/md5.h> 127#include <openssl/md5.h>
128#include <openssl/fips.h>
145 129
146static SSL_METHOD *ssl3_get_server_method(int ver); 130static SSL_METHOD *ssl3_get_server_method(int ver);
147#ifndef OPENSSL_NO_ECDH 131static int ssl3_get_client_hello(SSL *s);
148static int nid2curve_id(int nid); 132static int ssl3_check_client_hello(SSL *s);
149#endif 133static int ssl3_send_server_hello(SSL *s);
134static int ssl3_send_server_key_exchange(SSL *s);
135static int ssl3_send_certificate_request(SSL *s);
136static int ssl3_send_server_done(SSL *s);
137static int ssl3_get_client_key_exchange(SSL *s);
138static int ssl3_get_client_certificate(SSL *s);
139static int ssl3_get_cert_verify(SSL *s);
140static int ssl3_send_hello_request(SSL *s);
150 141
151static SSL_METHOD *ssl3_get_server_method(int ver) 142static SSL_METHOD *ssl3_get_server_method(int ver)
152 { 143 {
@@ -156,10 +147,28 @@ static SSL_METHOD *ssl3_get_server_method(int ver)
156 return(NULL); 147 return(NULL);
157 } 148 }
158 149
159IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 150SSL_METHOD *SSLv3_server_method(void)
160 ssl3_accept, 151 {
161 ssl_undefined_function, 152 static int init=1;
162 ssl3_get_server_method) 153 static SSL_METHOD SSLv3_server_data;
154
155 if (init)
156 {
157 CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
158
159 if (init)
160 {
161 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
162 sizeof(SSL_METHOD));
163 SSLv3_server_data.ssl_accept=ssl3_accept;
164 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
165 init=0;
166 }
167
168 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
169 }
170 return(&SSLv3_server_data);
171 }
163 172
164int ssl3_accept(SSL *s) 173int ssl3_accept(SSL *s)
165 { 174 {
@@ -290,18 +299,9 @@ int ssl3_accept(SSL *s)
290 case SSL3_ST_SW_SRVR_HELLO_B: 299 case SSL3_ST_SW_SRVR_HELLO_B:
291 ret=ssl3_send_server_hello(s); 300 ret=ssl3_send_server_hello(s);
292 if (ret <= 0) goto end; 301 if (ret <= 0) goto end;
293#ifndef OPENSSL_NO_TLSEXT 302
294 if (s->hit)
295 {
296 if (s->tlsext_ticket_expected)
297 s->state=SSL3_ST_SW_SESSION_TICKET_A;
298 else
299 s->state=SSL3_ST_SW_CHANGE_A;
300 }
301#else
302 if (s->hit) 303 if (s->hit)
303 s->state=SSL3_ST_SW_CHANGE_A; 304 s->state=SSL3_ST_SW_CHANGE_A;
304#endif
305 else 305 else
306 s->state=SSL3_ST_SW_CERT_A; 306 s->state=SSL3_ST_SW_CERT_A;
307 s->init_num=0; 307 s->init_num=0;
@@ -309,30 +309,15 @@ int ssl3_accept(SSL *s)
309 309
310 case SSL3_ST_SW_CERT_A: 310 case SSL3_ST_SW_CERT_A:
311 case SSL3_ST_SW_CERT_B: 311 case SSL3_ST_SW_CERT_B:
312 /* Check if it is anon DH or anon ECDH or KRB5 */ 312 /* Check if it is anon DH */
313 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) 313 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
314 && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
315 { 314 {
316 ret=ssl3_send_server_certificate(s); 315 ret=ssl3_send_server_certificate(s);
317 if (ret <= 0) goto end; 316 if (ret <= 0) goto end;
318#ifndef OPENSSL_NO_TLSEXT
319 if (s->tlsext_status_expected)
320 s->state=SSL3_ST_SW_CERT_STATUS_A;
321 else
322 s->state=SSL3_ST_SW_KEY_EXCH_A;
323 }
324 else
325 {
326 skip = 1;
327 s->state=SSL3_ST_SW_KEY_EXCH_A;
328 }
329#else
330 } 317 }
331 else 318 else
332 skip=1; 319 skip=1;
333
334 s->state=SSL3_ST_SW_KEY_EXCH_A; 320 s->state=SSL3_ST_SW_KEY_EXCH_A;
335#endif
336 s->init_num=0; 321 s->init_num=0;
337 break; 322 break;
338 323
@@ -355,18 +340,9 @@ int ssl3_accept(SSL *s)
355 else 340 else
356 s->s3->tmp.use_rsa_tmp=0; 341 s->s3->tmp.use_rsa_tmp=0;
357 342
358
359 /* only send if a DH key exchange, fortezza or 343 /* only send if a DH key exchange, fortezza or
360 * RSA but we have a sign only certificate 344 * RSA but we have a sign only certificate */
361 *
362 * For ECC ciphersuites, we send a serverKeyExchange
363 * message only if the cipher suite is either
364 * ECDH-anon or ECDHE. In other cases, the
365 * server certificate contains the server's
366 * public key for key exchange.
367 */
368 if (s->s3->tmp.use_rsa_tmp 345 if (s->s3->tmp.use_rsa_tmp
369 || (l & SSL_kECDHE)
370 || (l & (SSL_DH|SSL_kFZA)) 346 || (l & (SSL_DH|SSL_kFZA))
371 || ((l & SSL_kRSA) 347 || ((l & SSL_kRSA)
372 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 348 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
@@ -470,33 +446,19 @@ int ssl3_accept(SSL *s)
470 case SSL3_ST_SR_KEY_EXCH_A: 446 case SSL3_ST_SR_KEY_EXCH_A:
471 case SSL3_ST_SR_KEY_EXCH_B: 447 case SSL3_ST_SR_KEY_EXCH_B:
472 ret=ssl3_get_client_key_exchange(s); 448 ret=ssl3_get_client_key_exchange(s);
473 if (ret <= 0) 449 if (ret <= 0) goto end;
474 goto end; 450 s->state=SSL3_ST_SR_CERT_VRFY_A;
475 if (ret == 2) 451 s->init_num=0;
476 { 452
477 /* For the ECDH ciphersuites when 453 /* We need to get hashes here so if there is
478 * the client sends its ECDH pub key in 454 * a client cert, it can be verified */
479 * a certificate, the CertificateVerify 455 s->method->ssl3_enc->cert_verify_mac(s,
480 * message is not sent. 456 &(s->s3->finish_dgst1),
481 */ 457 &(s->s3->tmp.cert_verify_md[0]));
482 s->state=SSL3_ST_SR_FINISHED_A; 458 s->method->ssl3_enc->cert_verify_mac(s,
483 s->init_num = 0; 459 &(s->s3->finish_dgst2),
484 } 460 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
485 else
486 {
487 s->state=SSL3_ST_SR_CERT_VRFY_A;
488 s->init_num=0;
489 461
490 /* We need to get hashes here so if there is
491 * a client cert, it can be verified
492 */
493 s->method->ssl3_enc->cert_verify_mac(s,
494 &(s->s3->finish_dgst1),
495 &(s->s3->tmp.cert_verify_md[0]));
496 s->method->ssl3_enc->cert_verify_mac(s,
497 &(s->s3->finish_dgst2),
498 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
499 }
500 break; 462 break;
501 463
502 case SSL3_ST_SR_CERT_VRFY_A: 464 case SSL3_ST_SR_CERT_VRFY_A:
@@ -517,34 +479,11 @@ int ssl3_accept(SSL *s)
517 if (ret <= 0) goto end; 479 if (ret <= 0) goto end;
518 if (s->hit) 480 if (s->hit)
519 s->state=SSL_ST_OK; 481 s->state=SSL_ST_OK;
520#ifndef OPENSSL_NO_TLSEXT
521 else if (s->tlsext_ticket_expected)
522 s->state=SSL3_ST_SW_SESSION_TICKET_A;
523#endif
524 else 482 else
525 s->state=SSL3_ST_SW_CHANGE_A; 483 s->state=SSL3_ST_SW_CHANGE_A;
526 s->init_num=0; 484 s->init_num=0;
527 break; 485 break;
528 486
529#ifndef OPENSSL_NO_TLSEXT
530 case SSL3_ST_SW_SESSION_TICKET_A:
531 case SSL3_ST_SW_SESSION_TICKET_B:
532 ret=ssl3_send_newsession_ticket(s);
533 if (ret <= 0) goto end;
534 s->state=SSL3_ST_SW_CHANGE_A;
535 s->init_num=0;
536 break;
537
538 case SSL3_ST_SW_CERT_STATUS_A:
539 case SSL3_ST_SW_CERT_STATUS_B:
540 ret=ssl3_send_cert_status(s);
541 if (ret <= 0) goto end;
542 s->state=SSL3_ST_SW_KEY_EXCH_A;
543 s->init_num=0;
544 break;
545
546#endif
547
548 case SSL3_ST_SW_CHANGE_A: 487 case SSL3_ST_SW_CHANGE_A:
549 case SSL3_ST_SW_CHANGE_B: 488 case SSL3_ST_SW_CHANGE_B:
550 489
@@ -650,7 +589,7 @@ end:
650 return(ret); 589 return(ret);
651 } 590 }
652 591
653int ssl3_send_hello_request(SSL *s) 592static int ssl3_send_hello_request(SSL *s)
654 { 593 {
655 unsigned char *p; 594 unsigned char *p;
656 595
@@ -672,14 +611,14 @@ int ssl3_send_hello_request(SSL *s)
672 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 611 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
673 } 612 }
674 613
675int ssl3_check_client_hello(SSL *s) 614static int ssl3_check_client_hello(SSL *s)
676 { 615 {
677 int ok; 616 int ok;
678 long n; 617 long n;
679 618
680 /* this function is called when we really expect a Certificate message, 619 /* this function is called when we really expect a Certificate message,
681 * so permit appropriate message length */ 620 * so permit appropriate message length */
682 n=s->method->ssl_get_message(s, 621 n=ssl3_get_message(s,
683 SSL3_ST_SR_CERT_A, 622 SSL3_ST_SR_CERT_A,
684 SSL3_ST_SR_CERT_B, 623 SSL3_ST_SR_CERT_B,
685 -1, 624 -1,
@@ -705,17 +644,14 @@ int ssl3_check_client_hello(SSL *s)
705 return 1; 644 return 1;
706} 645}
707 646
708int ssl3_get_client_hello(SSL *s) 647static int ssl3_get_client_hello(SSL *s)
709 { 648 {
710 int i,j,ok,al,ret= -1; 649 int i,j,ok,al,ret= -1;
711 unsigned int cookie_len;
712 long n; 650 long n;
713 unsigned long id; 651 unsigned long id;
714 unsigned char *p,*d,*q; 652 unsigned char *p,*d,*q;
715 SSL_CIPHER *c; 653 SSL_CIPHER *c;
716#ifndef OPENSSL_NO_COMP
717 SSL_COMP *comp=NULL; 654 SSL_COMP *comp=NULL;
718#endif
719 STACK_OF(SSL_CIPHER) *ciphers=NULL; 655 STACK_OF(SSL_CIPHER) *ciphers=NULL;
720 656
721 /* We do this so that we will respond with our native type. 657 /* We do this so that we will respond with our native type.
@@ -726,10 +662,10 @@ int ssl3_get_client_hello(SSL *s)
726 */ 662 */
727 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 663 if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
728 { 664 {
665 s->first_packet=1;
729 s->state=SSL3_ST_SR_CLNT_HELLO_B; 666 s->state=SSL3_ST_SR_CLNT_HELLO_B;
730 } 667 }
731 s->first_packet=1; 668 n=ssl3_get_message(s,
732 n=s->method->ssl_get_message(s,
733 SSL3_ST_SR_CLNT_HELLO_B, 669 SSL3_ST_SR_CLNT_HELLO_B,
734 SSL3_ST_SR_CLNT_HELLO_C, 670 SSL3_ST_SR_CLNT_HELLO_C,
735 SSL3_MT_CLIENT_HELLO, 671 SSL3_MT_CLIENT_HELLO,
@@ -737,7 +673,6 @@ int ssl3_get_client_hello(SSL *s)
737 &ok); 673 &ok);
738 674
739 if (!ok) return((int)n); 675 if (!ok) return((int)n);
740 s->first_packet=0;
741 d=p=(unsigned char *)s->init_msg; 676 d=p=(unsigned char *)s->init_msg;
742 677
743 /* use version from inside client hello, not from record header 678 /* use version from inside client hello, not from record header
@@ -745,8 +680,7 @@ int ssl3_get_client_hello(SSL *s)
745 s->client_version=(((int)p[0])<<8)|(int)p[1]; 680 s->client_version=(((int)p[0])<<8)|(int)p[1];
746 p+=2; 681 p+=2;
747 682
748 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 683 if (s->client_version < s->version)
749 (s->version != DTLS1_VERSION && s->client_version < s->version))
750 { 684 {
751 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 685 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
752 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 686 if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
@@ -774,14 +708,14 @@ int ssl3_get_client_hello(SSL *s)
774 * might be written that become totally unsecure when compiled with 708 * might be written that become totally unsecure when compiled with
775 * an earlier library version) 709 * an earlier library version)
776 */ 710 */
777 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 711 if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
778 { 712 {
779 if (!ssl_get_new_session(s,1)) 713 if (!ssl_get_new_session(s,1))
780 goto err; 714 goto err;
781 } 715 }
782 else 716 else
783 { 717 {
784 i=ssl_get_prev_session(s, p, j, d + n); 718 i=ssl_get_prev_session(s,p,j);
785 if (i == 1) 719 if (i == 1)
786 { /* previous session */ 720 { /* previous session */
787 s->hit=1; 721 s->hit=1;
@@ -796,68 +730,6 @@ int ssl3_get_client_hello(SSL *s)
796 } 730 }
797 731
798 p+=j; 732 p+=j;
799
800 if (s->version == DTLS1_VERSION)
801 {
802 /* cookie stuff */
803 cookie_len = *(p++);
804
805 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
806 s->d1->send_cookie == 0)
807 {
808 /* HelloVerifyMessage has already been sent */
809 if ( cookie_len != s->d1->cookie_len)
810 {
811 al = SSL_AD_HANDSHAKE_FAILURE;
812 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
813 goto f_err;
814 }
815 }
816
817 /*
818 * The ClientHello may contain a cookie even if the
819 * HelloVerify message has not been sent--make sure that it
820 * does not cause an overflow.
821 */
822 if ( cookie_len > sizeof(s->d1->rcvd_cookie))
823 {
824 /* too much data */
825 al = SSL_AD_DECODE_ERROR;
826 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
827 goto f_err;
828 }
829
830 /* verify the cookie if appropriate option is set. */
831 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
832 cookie_len > 0)
833 {
834 memcpy(s->d1->rcvd_cookie, p, cookie_len);
835
836 if ( s->ctx->app_verify_cookie_cb != NULL)
837 {
838 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
839 cookie_len) == 0)
840 {
841 al=SSL_AD_HANDSHAKE_FAILURE;
842 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
843 SSL_R_COOKIE_MISMATCH);
844 goto f_err;
845 }
846 /* else cookie verification succeeded */
847 }
848 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
849 s->d1->cookie_len) != 0) /* default verification */
850 {
851 al=SSL_AD_HANDSHAKE_FAILURE;
852 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
853 SSL_R_COOKIE_MISMATCH);
854 goto f_err;
855 }
856 }
857
858 p += cookie_len;
859 }
860
861 n2s(p,i); 733 n2s(p,i);
862 if ((i == 0) && (j != 0)) 734 if ((i == 0) && (j != 0))
863 { 735 {
@@ -907,7 +779,8 @@ int ssl3_get_client_hello(SSL *s)
907 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 779 if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
908 { 780 {
909 /* Very bad for multi-threading.... */ 781 /* Very bad for multi-threading.... */
910 s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0); 782 s->session->cipher=sk_SSL_CIPHER_value(ciphers,
783 0);
911 } 784 }
912 else 785 else
913 { 786 {
@@ -944,27 +817,10 @@ int ssl3_get_client_hello(SSL *s)
944 goto f_err; 817 goto f_err;
945 } 818 }
946 819
947#ifndef OPENSSL_NO_TLSEXT
948 /* TLS extensions*/
949 if (s->version > SSL3_VERSION)
950 {
951 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
952 {
953 /* 'al' set by ssl_parse_clienthello_tlsext */
954 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
955 goto f_err;
956 }
957 }
958 if (ssl_check_clienthello_tlsext(s) <= 0) {
959 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
960 goto err;
961 }
962#endif
963 /* Worst case, we will use the NULL compression, but if we have other 820 /* Worst case, we will use the NULL compression, but if we have other
964 * options, we will now look for them. We have i-1 compression 821 * options, we will now look for them. We have i-1 compression
965 * algorithms from the client, starting at q. */ 822 * algorithms from the client, starting at q. */
966 s->s3->tmp.new_compression=NULL; 823 s->s3->tmp.new_compression=NULL;
967#ifndef OPENSSL_NO_COMP
968 if (s->ctx->comp_methods != NULL) 824 if (s->ctx->comp_methods != NULL)
969 { /* See if we have a match */ 825 { /* See if we have a match */
970 int m,nn,o,v,done=0; 826 int m,nn,o,v,done=0;
@@ -989,7 +845,6 @@ int ssl3_get_client_hello(SSL *s)
989 else 845 else
990 comp=NULL; 846 comp=NULL;
991 } 847 }
992#endif
993 848
994 /* TLS does not mind if there is extra stuff */ 849 /* TLS does not mind if there is extra stuff */
995#if 0 /* SSL 3.0 does not mind either, so we should disable this test 850#if 0 /* SSL 3.0 does not mind either, so we should disable this test
@@ -1013,11 +868,7 @@ int ssl3_get_client_hello(SSL *s)
1013 868
1014 if (!s->hit) 869 if (!s->hit)
1015 { 870 {
1016#ifdef OPENSSL_NO_COMP
1017 s->session->compress_meth=0;
1018#else
1019 s->session->compress_meth=(comp == NULL)?0:comp->id; 871 s->session->compress_meth=(comp == NULL)?0:comp->id;
1020#endif
1021 if (s->session->ciphers != NULL) 872 if (s->session->ciphers != NULL)
1022 sk_SSL_CIPHER_free(s->session->ciphers); 873 sk_SSL_CIPHER_free(s->session->ciphers);
1023 s->session->ciphers=ciphers; 874 s->session->ciphers=ciphers;
@@ -1092,7 +943,7 @@ err:
1092 return(ret); 943 return(ret);
1093 } 944 }
1094 945
1095int ssl3_send_server_hello(SSL *s) 946static int ssl3_send_server_hello(SSL *s)
1096 { 947 {
1097 unsigned char *buf; 948 unsigned char *buf;
1098 unsigned char *p,*d; 949 unsigned char *p,*d;
@@ -1105,7 +956,7 @@ int ssl3_send_server_hello(SSL *s)
1105 p=s->s3->server_random; 956 p=s->s3->server_random;
1106 Time=(unsigned long)time(NULL); /* Time */ 957 Time=(unsigned long)time(NULL); /* Time */
1107 l2n(Time,p); 958 l2n(Time,p);
1108 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 959 if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
1109 return -1; 960 return -1;
1110 /* Do the message type and length last */ 961 /* Do the message type and length last */
1111 d=p= &(buf[4]); 962 d=p= &(buf[4]);
@@ -1124,20 +975,12 @@ int ssl3_send_server_hello(SSL *s)
1124 * session-id if we want it to be single use. 975 * session-id if we want it to be single use.
1125 * Currently I will not implement the '0' length session-id 976 * Currently I will not implement the '0' length session-id
1126 * 12-Jan-98 - I'll now support the '0' length stuff. 977 * 12-Jan-98 - I'll now support the '0' length stuff.
1127 *
1128 * We also have an additional case where stateless session
1129 * resumption is successful: we always send back the old
1130 * session id. In this case s->hit is non zero: this can
1131 * only happen if stateless session resumption is succesful
1132 * if session caching is disabled so existing functionality
1133 * is unaffected.
1134 */ 978 */
1135 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 979 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
1136 && !s->hit)
1137 s->session->session_id_length=0; 980 s->session->session_id_length=0;
1138 981
1139 sl=s->session->session_id_length; 982 sl=s->session->session_id_length;
1140 if (sl > (int)sizeof(s->session->session_id)) 983 if (sl > sizeof s->session->session_id)
1141 { 984 {
1142 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 985 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1143 return -1; 986 return -1;
@@ -1151,21 +994,11 @@ int ssl3_send_server_hello(SSL *s)
1151 p+=i; 994 p+=i;
1152 995
1153 /* put the compression method */ 996 /* put the compression method */
1154#ifdef OPENSSL_NO_COMP
1155 *(p++)=0;
1156#else
1157 if (s->s3->tmp.new_compression == NULL) 997 if (s->s3->tmp.new_compression == NULL)
1158 *(p++)=0; 998 *(p++)=0;
1159 else 999 else
1160 *(p++)=s->s3->tmp.new_compression->id; 1000 *(p++)=s->s3->tmp.new_compression->id;
1161#endif 1001
1162#ifndef OPENSSL_NO_TLSEXT
1163 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
1164 {
1165 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
1166 return -1;
1167 }
1168#endif
1169 /* do the header */ 1002 /* do the header */
1170 l=(p-d); 1003 l=(p-d);
1171 d=buf; 1004 d=buf;
@@ -1182,7 +1015,7 @@ int ssl3_send_server_hello(SSL *s)
1182 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1015 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1183 } 1016 }
1184 1017
1185int ssl3_send_server_done(SSL *s) 1018static int ssl3_send_server_done(SSL *s)
1186 { 1019 {
1187 unsigned char *p; 1020 unsigned char *p;
1188 1021
@@ -1206,7 +1039,7 @@ int ssl3_send_server_done(SSL *s)
1206 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1039 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1207 } 1040 }
1208 1041
1209int ssl3_send_server_key_exchange(SSL *s) 1042static int ssl3_send_server_key_exchange(SSL *s)
1210 { 1043 {
1211#ifndef OPENSSL_NO_RSA 1044#ifndef OPENSSL_NO_RSA
1212 unsigned char *q; 1045 unsigned char *q;
@@ -1218,13 +1051,6 @@ int ssl3_send_server_key_exchange(SSL *s)
1218#ifndef OPENSSL_NO_DH 1051#ifndef OPENSSL_NO_DH
1219 DH *dh=NULL,*dhp; 1052 DH *dh=NULL,*dhp;
1220#endif 1053#endif
1221#ifndef OPENSSL_NO_ECDH
1222 EC_KEY *ecdh=NULL, *ecdhp;
1223 unsigned char *encodedPoint = NULL;
1224 int encodedlen = 0;
1225 int curve_id = 0;
1226 BN_CTX *bn_ctx = NULL;
1227#endif
1228 EVP_PKEY *pkey; 1054 EVP_PKEY *pkey;
1229 unsigned char *p,*d; 1055 unsigned char *p,*d;
1230 int al,i; 1056 int al,i;
@@ -1333,134 +1159,6 @@ int ssl3_send_server_key_exchange(SSL *s)
1333 } 1159 }
1334 else 1160 else
1335#endif 1161#endif
1336#ifndef OPENSSL_NO_ECDH
1337 if (type & SSL_kECDHE)
1338 {
1339 const EC_GROUP *group;
1340
1341 ecdhp=cert->ecdh_tmp;
1342 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
1343 {
1344 ecdhp=s->cert->ecdh_tmp_cb(s,
1345 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1346 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1347 }
1348 if (ecdhp == NULL)
1349 {
1350 al=SSL_AD_HANDSHAKE_FAILURE;
1351 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
1352 goto f_err;
1353 }
1354
1355 if (s->s3->tmp.ecdh != NULL)
1356 {
1357 EC_KEY_free(s->s3->tmp.ecdh);
1358 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1359 goto err;
1360 }
1361
1362 /* Duplicate the ECDH structure. */
1363 if (ecdhp == NULL)
1364 {
1365 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1366 goto err;
1367 }
1368 if (!EC_KEY_up_ref(ecdhp))
1369 {
1370 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1371 goto err;
1372 }
1373 ecdh = ecdhp;
1374
1375 s->s3->tmp.ecdh=ecdh;
1376 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1377 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1378 (s->options & SSL_OP_SINGLE_ECDH_USE))
1379 {
1380 if(!EC_KEY_generate_key(ecdh))
1381 {
1382 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1383 goto err;
1384 }
1385 }
1386
1387 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1388 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1389 (EC_KEY_get0_private_key(ecdh) == NULL))
1390 {
1391 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1392 goto err;
1393 }
1394
1395 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1396 (EC_GROUP_get_degree(group) > 163))
1397 {
1398 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1399 goto err;
1400 }
1401
1402 /* XXX: For now, we only support ephemeral ECDH
1403 * keys over named (not generic) curves. For
1404 * supported named curves, curve_id is non-zero.
1405 */
1406 if ((curve_id =
1407 nid2curve_id(EC_GROUP_get_curve_name(group)))
1408 == 0)
1409 {
1410 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1411 goto err;
1412 }
1413
1414 /* Encode the public key.
1415 * First check the size of encoding and
1416 * allocate memory accordingly.
1417 */
1418 encodedlen = EC_POINT_point2oct(group,
1419 EC_KEY_get0_public_key(ecdh),
1420 POINT_CONVERSION_UNCOMPRESSED,
1421 NULL, 0, NULL);
1422
1423 encodedPoint = (unsigned char *)
1424 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1425 bn_ctx = BN_CTX_new();
1426 if ((encodedPoint == NULL) || (bn_ctx == NULL))
1427 {
1428 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1429 goto err;
1430 }
1431
1432
1433 encodedlen = EC_POINT_point2oct(group,
1434 EC_KEY_get0_public_key(ecdh),
1435 POINT_CONVERSION_UNCOMPRESSED,
1436 encodedPoint, encodedlen, bn_ctx);
1437
1438 if (encodedlen == 0)
1439 {
1440 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1441 goto err;
1442 }
1443
1444 BN_CTX_free(bn_ctx); bn_ctx=NULL;
1445
1446 /* XXX: For now, we only support named (not
1447 * generic) curves in ECDH ephemeral key exchanges.
1448 * In this situation, we need four additional bytes
1449 * to encode the entire ServerECDHParams
1450 * structure.
1451 */
1452 n = 4 + encodedlen;
1453
1454 /* We'll generate the serverKeyExchange message
1455 * explicitly so we can set these to NULLs
1456 */
1457 r[0]=NULL;
1458 r[1]=NULL;
1459 r[2]=NULL;
1460 r[3]=NULL;
1461 }
1462 else
1463#endif /* !OPENSSL_NO_ECDH */
1464 { 1162 {
1465 al=SSL_AD_HANDSHAKE_FAILURE; 1163 al=SSL_AD_HANDSHAKE_FAILURE;
1466 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1164 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1503,31 +1201,6 @@ int ssl3_send_server_key_exchange(SSL *s)
1503 p+=nr[i]; 1201 p+=nr[i];
1504 } 1202 }
1505 1203
1506#ifndef OPENSSL_NO_ECDH
1507 if (type & SSL_kECDHE)
1508 {
1509 /* XXX: For now, we only support named (not generic) curves.
1510 * In this situation, the serverKeyExchange message has:
1511 * [1 byte CurveType], [2 byte CurveName]
1512 * [1 byte length of encoded point], followed by
1513 * the actual encoded point itself
1514 */
1515 *p = NAMED_CURVE_TYPE;
1516 p += 1;
1517 *p = 0;
1518 p += 1;
1519 *p = curve_id;
1520 p += 1;
1521 *p = encodedlen;
1522 p += 1;
1523 memcpy((unsigned char*)p,
1524 (unsigned char *)encodedPoint,
1525 encodedlen);
1526 OPENSSL_free(encodedPoint);
1527 p += encodedlen;
1528 }
1529#endif
1530
1531 /* not anonymous */ 1204 /* not anonymous */
1532 if (pkey != NULL) 1205 if (pkey != NULL)
1533 { 1206 {
@@ -1540,6 +1213,8 @@ int ssl3_send_server_key_exchange(SSL *s)
1540 j=0; 1213 j=0;
1541 for (num=2; num > 0; num--) 1214 for (num=2; num > 0; num--)
1542 { 1215 {
1216 EVP_MD_CTX_set_flags(&md_ctx,
1217 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1543 EVP_DigestInit_ex(&md_ctx,(num == 2) 1218 EVP_DigestInit_ex(&md_ctx,(num == 2)
1544 ?s->ctx->md5:s->ctx->sha1, NULL); 1219 ?s->ctx->md5:s->ctx->sha1, NULL);
1545 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1220 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1580,25 +1255,6 @@ int ssl3_send_server_key_exchange(SSL *s)
1580 } 1255 }
1581 else 1256 else
1582#endif 1257#endif
1583#if !defined(OPENSSL_NO_ECDSA)
1584 if (pkey->type == EVP_PKEY_EC)
1585 {
1586 /* let's do ECDSA */
1587 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1588 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1589 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1590 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1591 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1592 (unsigned int *)&i,pkey))
1593 {
1594 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
1595 goto err;
1596 }
1597 s2n(i,p);
1598 n+=i+2;
1599 }
1600 else
1601#endif
1602 { 1258 {
1603 /* Is this error check actually needed? */ 1259 /* Is this error check actually needed? */
1604 al=SSL_AD_HANDSHAKE_FAILURE; 1260 al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1622,15 +1278,11 @@ int ssl3_send_server_key_exchange(SSL *s)
1622f_err: 1278f_err:
1623 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1279 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1624err: 1280err:
1625#ifndef OPENSSL_NO_ECDH
1626 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
1627 BN_CTX_free(bn_ctx);
1628#endif
1629 EVP_MD_CTX_cleanup(&md_ctx); 1281 EVP_MD_CTX_cleanup(&md_ctx);
1630 return(-1); 1282 return(-1);
1631 } 1283 }
1632 1284
1633int ssl3_send_certificate_request(SSL *s) 1285static int ssl3_send_certificate_request(SSL *s)
1634 { 1286 {
1635 unsigned char *p,*d; 1287 unsigned char *p,*d;
1636 int i,j,nl,off,n; 1288 int i,j,nl,off,n;
@@ -1719,7 +1371,7 @@ err:
1719 return(-1); 1371 return(-1);
1720 } 1372 }
1721 1373
1722int ssl3_get_client_key_exchange(SSL *s) 1374static int ssl3_get_client_key_exchange(SSL *s)
1723 { 1375 {
1724 int i,al,ok; 1376 int i,al,ok;
1725 long n; 1377 long n;
@@ -1737,14 +1389,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1737 KSSL_ERR kssl_err; 1389 KSSL_ERR kssl_err;
1738#endif /* OPENSSL_NO_KRB5 */ 1390#endif /* OPENSSL_NO_KRB5 */
1739 1391
1740#ifndef OPENSSL_NO_ECDH 1392 n=ssl3_get_message(s,
1741 EC_KEY *srvr_ecdh = NULL;
1742 EVP_PKEY *clnt_pub_pkey = NULL;
1743 EC_POINT *clnt_ecpoint = NULL;
1744 BN_CTX *bn_ctx = NULL;
1745#endif
1746
1747 n=s->method->ssl_get_message(s,
1748 SSL3_ST_SR_KEY_EXCH_A, 1393 SSL3_ST_SR_KEY_EXCH_A,
1749 SSL3_ST_SR_KEY_EXCH_B, 1394 SSL3_ST_SR_KEY_EXCH_B,
1750 SSL3_MT_CLIENT_KEY_EXCHANGE, 1395 SSL3_MT_CLIENT_KEY_EXCHANGE,
@@ -1788,9 +1433,8 @@ int ssl3_get_client_key_exchange(SSL *s)
1788 rsa=pkey->pkey.rsa; 1433 rsa=pkey->pkey.rsa;
1789 } 1434 }
1790 1435
1791 /* TLS and [incidentally] DTLS, including pre-0.9.8f */ 1436 /* TLS */
1792 if (s->version > SSL3_VERSION && 1437 if (s->version > SSL3_VERSION)
1793 s->client_version != DTLS1_BAD_VER)
1794 { 1438 {
1795 n2s(p,i); 1439 n2s(p,i);
1796 if (n != i+2) 1440 if (n != i+2)
@@ -1851,7 +1495,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1851 i = SSL_MAX_MASTER_KEY_LENGTH; 1495 i = SSL_MAX_MASTER_KEY_LENGTH;
1852 p[0] = s->client_version >> 8; 1496 p[0] = s->client_version >> 8;
1853 p[1] = s->client_version & 0xff; 1497 p[1] = s->client_version & 0xff;
1854 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 1498 if(RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
1855 goto err; 1499 goto err;
1856 } 1500 }
1857 1501
@@ -1950,7 +1594,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1950 n2s(p,i); 1594 n2s(p,i);
1951 enc_ticket.length = i; 1595 enc_ticket.length = i;
1952 1596
1953 if (n < (int)enc_ticket.length + 6) 1597 if (n < (long)enc_ticket.length + 6)
1954 { 1598 {
1955 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1599 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1956 SSL_R_DATA_LENGTH_TOO_LONG); 1600 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1963,7 +1607,7 @@ int ssl3_get_client_key_exchange(SSL *s)
1963 n2s(p,i); 1607 n2s(p,i);
1964 authenticator.length = i; 1608 authenticator.length = i;
1965 1609
1966 if (n < (int)(enc_ticket.length + authenticator.length) + 6) 1610 if (n < (long)(enc_ticket.length + authenticator.length + 6))
1967 { 1611 {
1968 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1612 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1969 SSL_R_DATA_LENGTH_TOO_LONG); 1613 SSL_R_DATA_LENGTH_TOO_LONG);
@@ -2005,7 +1649,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2005 if (kssl_err.text) 1649 if (kssl_err.text)
2006 printf("kssl_err text= %s\n", kssl_err.text); 1650 printf("kssl_err text= %s\n", kssl_err.text);
2007#endif /* KSSL_DEBUG */ 1651#endif /* KSSL_DEBUG */
2008 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1652 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2009 kssl_err.reason); 1653 kssl_err.reason);
2010 goto err; 1654 goto err;
2011 } 1655 }
@@ -2022,14 +1666,14 @@ int ssl3_get_client_key_exchange(SSL *s)
2022 if (kssl_err.text) 1666 if (kssl_err.text)
2023 printf("kssl_err text= %s\n", kssl_err.text); 1667 printf("kssl_err text= %s\n", kssl_err.text);
2024#endif /* KSSL_DEBUG */ 1668#endif /* KSSL_DEBUG */
2025 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1669 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2026 kssl_err.reason); 1670 kssl_err.reason);
2027 goto err; 1671 goto err;
2028 } 1672 }
2029 1673
2030 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 1674 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
2031 { 1675 {
2032 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 1676 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
2033 goto err; 1677 goto err;
2034 } 1678 }
2035 1679
@@ -2075,24 +1719,6 @@ int ssl3_get_client_key_exchange(SSL *s)
2075 SSL_R_DATA_LENGTH_TOO_LONG); 1719 SSL_R_DATA_LENGTH_TOO_LONG);
2076 goto err; 1720 goto err;
2077 } 1721 }
2078 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
2079 {
2080 /* The premaster secret must contain the same version number as the
2081 * ClientHello to detect version rollback attacks (strangely, the
2082 * protocol does not offer such protection for DH ciphersuites).
2083 * However, buggy clients exist that send random bytes instead of
2084 * the protocol version.
2085 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2086 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2087 */
2088 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
2089 {
2090 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2091 SSL_AD_DECODE_ERROR);
2092 goto err;
2093 }
2094 }
2095
2096 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 1722 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2097 1723
2098 s->session->master_key_length= 1724 s->session->master_key_length=
@@ -2101,7 +1727,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2101 1727
2102 if (kssl_ctx->client_princ) 1728 if (kssl_ctx->client_princ)
2103 { 1729 {
2104 size_t len = strlen(kssl_ctx->client_princ); 1730 int len = strlen(kssl_ctx->client_princ);
2105 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 1731 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
2106 { 1732 {
2107 s->session->krb5_client_princ_len = len; 1733 s->session->krb5_client_princ_len = len;
@@ -2118,156 +1744,6 @@ int ssl3_get_client_key_exchange(SSL *s)
2118 } 1744 }
2119 else 1745 else
2120#endif /* OPENSSL_NO_KRB5 */ 1746#endif /* OPENSSL_NO_KRB5 */
2121
2122#ifndef OPENSSL_NO_ECDH
2123 if ((l & SSL_kECDH) || (l & SSL_kECDHE))
2124 {
2125 int ret = 1;
2126 int field_size = 0;
2127 const EC_KEY *tkey;
2128 const EC_GROUP *group;
2129 const BIGNUM *priv_key;
2130
2131 /* initialize structures for server's ECDH key pair */
2132 if ((srvr_ecdh = EC_KEY_new()) == NULL)
2133 {
2134 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2135 ERR_R_MALLOC_FAILURE);
2136 goto err;
2137 }
2138
2139 /* Let's get server private key and group information */
2140 if (l & SSL_kECDH)
2141 {
2142 /* use the certificate */
2143 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2144 }
2145 else
2146 {
2147 /* use the ephermeral values we saved when
2148 * generating the ServerKeyExchange msg.
2149 */
2150 tkey = s->s3->tmp.ecdh;
2151 }
2152
2153 group = EC_KEY_get0_group(tkey);
2154 priv_key = EC_KEY_get0_private_key(tkey);
2155
2156 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2157 !EC_KEY_set_private_key(srvr_ecdh, priv_key))
2158 {
2159 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2160 ERR_R_EC_LIB);
2161 goto err;
2162 }
2163
2164 /* Let's get client's public key */
2165 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL)
2166 {
2167 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2168 ERR_R_MALLOC_FAILURE);
2169 goto err;
2170 }
2171
2172 if (n == 0L)
2173 {
2174 /* Client Publickey was in Client Certificate */
2175
2176 if (l & SSL_kECDHE)
2177 {
2178 al=SSL_AD_HANDSHAKE_FAILURE;
2179 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
2180 goto f_err;
2181 }
2182 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
2183 == NULL) ||
2184 (clnt_pub_pkey->type != EVP_PKEY_EC))
2185 {
2186 /* XXX: For now, we do not support client
2187 * authentication using ECDH certificates
2188 * so this branch (n == 0L) of the code is
2189 * never executed. When that support is
2190 * added, we ought to ensure the key
2191 * received in the certificate is
2192 * authorized for key agreement.
2193 * ECDH_compute_key implicitly checks that
2194 * the two ECDH shares are for the same
2195 * group.
2196 */
2197 al=SSL_AD_HANDSHAKE_FAILURE;
2198 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2199 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2200 goto f_err;
2201 }
2202
2203 if (EC_POINT_copy(clnt_ecpoint,
2204 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
2205 {
2206 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2207 ERR_R_EC_LIB);
2208 goto err;
2209 }
2210 ret = 2; /* Skip certificate verify processing */
2211 }
2212 else
2213 {
2214 /* Get client's public key from encoded point
2215 * in the ClientKeyExchange message.
2216 */
2217 if ((bn_ctx = BN_CTX_new()) == NULL)
2218 {
2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2220 ERR_R_MALLOC_FAILURE);
2221 goto err;
2222 }
2223
2224 /* Get encoded point length */
2225 i = *p;
2226 p += 1;
2227 if (EC_POINT_oct2point(group,
2228 clnt_ecpoint, p, i, bn_ctx) == 0)
2229 {
2230 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2231 ERR_R_EC_LIB);
2232 goto err;
2233 }
2234 /* p is pointing to somewhere in the buffer
2235 * currently, so set it to the start
2236 */
2237 p=(unsigned char *)s->init_buf->data;
2238 }
2239
2240 /* Compute the shared pre-master secret */
2241 field_size = EC_GROUP_get_degree(group);
2242 if (field_size <= 0)
2243 {
2244 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2245 ERR_R_ECDH_LIB);
2246 goto err;
2247 }
2248 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2249 if (i <= 0)
2250 {
2251 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2252 ERR_R_ECDH_LIB);
2253 goto err;
2254 }
2255
2256 EVP_PKEY_free(clnt_pub_pkey);
2257 EC_POINT_free(clnt_ecpoint);
2258 if (srvr_ecdh != NULL)
2259 EC_KEY_free(srvr_ecdh);
2260 BN_CTX_free(bn_ctx);
2261
2262 /* Compute the master secret */
2263 s->session->master_key_length = s->method->ssl3_enc-> \
2264 generate_master_secret(s, s->session->master_key, p, i);
2265
2266 OPENSSL_cleanse(p, i);
2267 return (ret);
2268 }
2269 else
2270#endif
2271 { 1747 {
2272 al=SSL_AD_HANDSHAKE_FAILURE; 1748 al=SSL_AD_HANDSHAKE_FAILURE;
2273 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 1749 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2278,20 +1754,13 @@ int ssl3_get_client_key_exchange(SSL *s)
2278 return(1); 1754 return(1);
2279f_err: 1755f_err:
2280 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1756 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2281#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) 1757#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA)
2282err: 1758err:
2283#endif 1759#endif
2284#ifndef OPENSSL_NO_ECDH
2285 EVP_PKEY_free(clnt_pub_pkey);
2286 EC_POINT_free(clnt_ecpoint);
2287 if (srvr_ecdh != NULL)
2288 EC_KEY_free(srvr_ecdh);
2289 BN_CTX_free(bn_ctx);
2290#endif
2291 return(-1); 1760 return(-1);
2292 } 1761 }
2293 1762
2294int ssl3_get_cert_verify(SSL *s) 1763static int ssl3_get_cert_verify(SSL *s)
2295 { 1764 {
2296 EVP_PKEY *pkey=NULL; 1765 EVP_PKEY *pkey=NULL;
2297 unsigned char *p; 1766 unsigned char *p;
@@ -2300,7 +1769,7 @@ int ssl3_get_cert_verify(SSL *s)
2300 int type=0,i,j; 1769 int type=0,i,j;
2301 X509 *peer; 1770 X509 *peer;
2302 1771
2303 n=s->method->ssl_get_message(s, 1772 n=ssl3_get_message(s,
2304 SSL3_ST_SR_CERT_VRFY_A, 1773 SSL3_ST_SR_CERT_VRFY_A,
2305 SSL3_ST_SR_CERT_VRFY_B, 1774 SSL3_ST_SR_CERT_VRFY_B,
2306 -1, 1775 -1,
@@ -2411,23 +1880,6 @@ int ssl3_get_cert_verify(SSL *s)
2411 } 1880 }
2412 else 1881 else
2413#endif 1882#endif
2414#ifndef OPENSSL_NO_ECDSA
2415 if (pkey->type == EVP_PKEY_EC)
2416 {
2417 j=ECDSA_verify(pkey->save_type,
2418 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2419 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec);
2420 if (j <= 0)
2421 {
2422 /* bad signature */
2423 al=SSL_AD_DECRYPT_ERROR;
2424 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2425 SSL_R_BAD_ECDSA_SIGNATURE);
2426 goto f_err;
2427 }
2428 }
2429 else
2430#endif
2431 { 1883 {
2432 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 1884 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
2433 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 1885 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
@@ -2446,16 +1898,15 @@ end:
2446 return(ret); 1898 return(ret);
2447 } 1899 }
2448 1900
2449int ssl3_get_client_certificate(SSL *s) 1901static int ssl3_get_client_certificate(SSL *s)
2450 { 1902 {
2451 int i,ok,al,ret= -1; 1903 int i,ok,al,ret= -1;
2452 X509 *x=NULL; 1904 X509 *x=NULL;
2453 unsigned long l,nc,llen,n; 1905 unsigned long l,nc,llen,n;
2454 const unsigned char *p,*q; 1906 unsigned char *p,*d,*q;
2455 unsigned char *d;
2456 STACK_OF(X509) *sk=NULL; 1907 STACK_OF(X509) *sk=NULL;
2457 1908
2458 n=s->method->ssl_get_message(s, 1909 n=ssl3_get_message(s,
2459 SSL3_ST_SR_CERT_A, 1910 SSL3_ST_SR_CERT_A,
2460 SSL3_ST_SR_CERT_B, 1911 SSL3_ST_SR_CERT_B,
2461 -1, 1912 -1,
@@ -2490,7 +1941,7 @@ int ssl3_get_client_certificate(SSL *s)
2490 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); 1941 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
2491 goto f_err; 1942 goto f_err;
2492 } 1943 }
2493 p=d=(unsigned char *)s->init_msg; 1944 d=p=(unsigned char *)s->init_msg;
2494 1945
2495 if ((sk=sk_X509_new_null()) == NULL) 1946 if ((sk=sk_X509_new_null()) == NULL)
2496 { 1947 {
@@ -2629,209 +2080,3 @@ int ssl3_send_server_certificate(SSL *s)
2629 /* SSL3_ST_SW_CERT_B */ 2080 /* SSL3_ST_SW_CERT_B */
2630 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2081 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2631 } 2082 }
2632
2633
2634#ifndef OPENSSL_NO_ECDH
2635/* This is the complement of curve_id2nid in s3_clnt.c. */
2636static int nid2curve_id(int nid)
2637{
2638 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2639 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2640 switch (nid) {
2641 case NID_sect163k1: /* sect163k1 (1) */
2642 return 1;
2643 case NID_sect163r1: /* sect163r1 (2) */
2644 return 2;
2645 case NID_sect163r2: /* sect163r2 (3) */
2646 return 3;
2647 case NID_sect193r1: /* sect193r1 (4) */
2648 return 4;
2649 case NID_sect193r2: /* sect193r2 (5) */
2650 return 5;
2651 case NID_sect233k1: /* sect233k1 (6) */
2652 return 6;
2653 case NID_sect233r1: /* sect233r1 (7) */
2654 return 7;
2655 case NID_sect239k1: /* sect239k1 (8) */
2656 return 8;
2657 case NID_sect283k1: /* sect283k1 (9) */
2658 return 9;
2659 case NID_sect283r1: /* sect283r1 (10) */
2660 return 10;
2661 case NID_sect409k1: /* sect409k1 (11) */
2662 return 11;
2663 case NID_sect409r1: /* sect409r1 (12) */
2664 return 12;
2665 case NID_sect571k1: /* sect571k1 (13) */
2666 return 13;
2667 case NID_sect571r1: /* sect571r1 (14) */
2668 return 14;
2669 case NID_secp160k1: /* secp160k1 (15) */
2670 return 15;
2671 case NID_secp160r1: /* secp160r1 (16) */
2672 return 16;
2673 case NID_secp160r2: /* secp160r2 (17) */
2674 return 17;
2675 case NID_secp192k1: /* secp192k1 (18) */
2676 return 18;
2677 case NID_X9_62_prime192v1: /* secp192r1 (19) */
2678 return 19;
2679 case NID_secp224k1: /* secp224k1 (20) */
2680 return 20;
2681 case NID_secp224r1: /* secp224r1 (21) */
2682 return 21;
2683 case NID_secp256k1: /* secp256k1 (22) */
2684 return 22;
2685 case NID_X9_62_prime256v1: /* secp256r1 (23) */
2686 return 23;
2687 case NID_secp384r1: /* secp384r1 (24) */
2688 return 24;
2689 case NID_secp521r1: /* secp521r1 (25) */
2690 return 25;
2691 default:
2692 return 0;
2693 }
2694}
2695#endif
2696#ifndef OPENSSL_NO_TLSEXT
2697int ssl3_send_newsession_ticket(SSL *s)
2698 {
2699 if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
2700 {
2701 unsigned char *p, *senc, *macstart;
2702 int len, slen;
2703 unsigned int hlen;
2704 EVP_CIPHER_CTX ctx;
2705 HMAC_CTX hctx;
2706 unsigned char iv[EVP_MAX_IV_LENGTH];
2707 unsigned char key_name[16];
2708
2709 /* get session encoding length */
2710 slen = i2d_SSL_SESSION(s->session, NULL);
2711 /* Some length values are 16 bits, so forget it if session is
2712 * too long
2713 */
2714 if (slen > 0xFF00)
2715 return -1;
2716 /* Grow buffer if need be: the length calculation is as
2717 * follows 1 (size of message name) + 3 (message length
2718 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
2719 * 16 (key name) + max_iv_len (iv length) +
2720 * session_length + max_enc_block_size (max encrypted session
2721 * length) + max_md_size (HMAC).
2722 */
2723 if (!BUF_MEM_grow(s->init_buf,
2724 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
2725 EVP_MAX_MD_SIZE + slen))
2726 return -1;
2727 senc = OPENSSL_malloc(slen);
2728 if (!senc)
2729 return -1;
2730 p = senc;
2731 i2d_SSL_SESSION(s->session, &p);
2732
2733 p=(unsigned char *)s->init_buf->data;
2734 /* do the header */
2735 *(p++)=SSL3_MT_NEWSESSION_TICKET;
2736 /* Skip message length for now */
2737 p += 3;
2738 EVP_CIPHER_CTX_init(&ctx);
2739 HMAC_CTX_init(&hctx);
2740 /* Initialize HMAC and cipher contexts. If callback present
2741 * it does all the work otherwise use generated values
2742 * from parent ctx.
2743 */
2744 if (s->ctx->tlsext_ticket_key_cb)
2745 {
2746 if (s->ctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
2747 &hctx, 1) < 0)
2748 {
2749 OPENSSL_free(senc);
2750 return -1;
2751 }
2752 }
2753 else
2754 {
2755 RAND_pseudo_bytes(iv, 16);
2756 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
2757 s->ctx->tlsext_tick_aes_key, iv);
2758 HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
2759 tlsext_tick_md(), NULL);
2760 memcpy(key_name, s->ctx->tlsext_tick_key_name, 16);
2761 }
2762 l2n(s->session->tlsext_tick_lifetime_hint, p);
2763 /* Skip ticket length for now */
2764 p += 2;
2765 /* Output key name */
2766 macstart = p;
2767 memcpy(p, key_name, 16);
2768 p += 16;
2769 /* output IV */
2770 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
2771 p += EVP_CIPHER_CTX_iv_length(&ctx);
2772 /* Encrypt session data */
2773 EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
2774 p += len;
2775 EVP_EncryptFinal(&ctx, p, &len);
2776 p += len;
2777 EVP_CIPHER_CTX_cleanup(&ctx);
2778
2779 HMAC_Update(&hctx, macstart, p - macstart);
2780 HMAC_Final(&hctx, p, &hlen);
2781 HMAC_CTX_cleanup(&hctx);
2782
2783 p += hlen;
2784 /* Now write out lengths: p points to end of data written */
2785 /* Total length */
2786 len = p - (unsigned char *)s->init_buf->data;
2787 p=(unsigned char *)s->init_buf->data + 1;
2788 l2n3(len - 4, p); /* Message length */
2789 p += 4;
2790 s2n(len - 10, p); /* Ticket length */
2791
2792 /* number of bytes to write */
2793 s->init_num= len;
2794 s->state=SSL3_ST_SW_SESSION_TICKET_B;
2795 s->init_off=0;
2796 OPENSSL_free(senc);
2797 }
2798
2799 /* SSL3_ST_SW_SESSION_TICKET_B */
2800 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2801 }
2802
2803int ssl3_send_cert_status(SSL *s)
2804 {
2805 if (s->state == SSL3_ST_SW_CERT_STATUS_A)
2806 {
2807 unsigned char *p;
2808 /* Grow buffer if need be: the length calculation is as
2809 * follows 1 (message type) + 3 (message length) +
2810 * 1 (ocsp response type) + 3 (ocsp response length)
2811 * + (ocsp response)
2812 */
2813 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
2814 return -1;
2815
2816 p=(unsigned char *)s->init_buf->data;
2817
2818 /* do the header */
2819 *(p++)=SSL3_MT_CERTIFICATE_STATUS;
2820 /* message length */
2821 l2n3(s->tlsext_ocsp_resplen + 4, p);
2822 /* status type */
2823 *(p++)= s->tlsext_status_type;
2824 /* length of OCSP response */
2825 l2n3(s->tlsext_ocsp_resplen, p);
2826 /* actual response */
2827 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
2828 /* number of bytes to write */
2829 s->init_num = 8 + s->tlsext_ocsp_resplen;
2830 s->state=SSL3_ST_SW_CERT_STATUS_B;
2831 s->init_off = 0;
2832 }
2833
2834 /* SSL3_ST_SW_CERT_STATUS_B */
2835 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2836 }
2837#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 21:51:23 +0000