1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  *
114  * Portions of the attached software ("Contribution") are developed by
115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116  *
117  * The Contribution is licensed pursuant to the OpenSSL open source
118  * license provided above.
119  *
120  * ECC cipher suite support in OpenSSL originally written by
121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122  *
123  */
124 
125 #include <stdio.h>
126 #include "ssl_locl.h"
127 #include "kssl_lcl.h"
128 #include <openssl/buffer.h>
129 #include <openssl/rand.h>
130 #include <openssl/objects.h>
131 #include <openssl/evp.h>
132 #include <openssl/md5.h>
133 #ifdef OPENSSL_FIPS
134 #include <openssl/fips.h>
135 #endif
136 
137 #ifndef OPENSSL_NO_DH
138 #include <openssl/dh.h>
139 #endif
140 #include <openssl/bn.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
143 #endif
144 
145 static SSL_METHOD *ssl3_get_client_method(int ver);
146 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
147 #ifndef OPENSSL_NO_TLSEXT
148 static int ssl3_check_finished(SSL *s);
149 #endif
150 
151 #ifndef OPENSSL_NO_ECDH
152 static int curve_id2nid(int curve_id);
153 int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
154 #endif
155 
ssl3_get_client_method(int ver)156 static SSL_METHOD *ssl3_get_client_method(int ver)
157 	{
158 	if (ver == SSL3_VERSION)
159 		return(SSLv3_client_method());
160 	else
161 		return(NULL);
162 	}
163 
IMPLEMENT_ssl3_meth_func(SSLv3_client_method,ssl_undefined_function,ssl3_connect,ssl3_get_client_method)164 IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
165 			ssl_undefined_function,
166 			ssl3_connect,
167 			ssl3_get_client_method)
168 
169 int ssl3_connect(SSL *s)
170 	{
171 	BUF_MEM *buf=NULL;
172 	unsigned long Time=(unsigned long)time(NULL),l;
173 	long num1;
174 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
175 	int ret= -1;
176 	int new_state,state,skip=0;
177 
178 	RAND_add(&Time,sizeof(Time),0);
179 	ERR_clear_error();
180 	clear_sys_error();
181 
182 	if (s->info_callback != NULL)
183 		cb=s->info_callback;
184 	else if (s->ctx->info_callback != NULL)
185 		cb=s->ctx->info_callback;
186 
187 	s->in_handshake++;
188 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
189 
190 	for (;;)
191 		{
192 		state=s->state;
193 
194 		switch(s->state)
195 			{
196 		case SSL_ST_RENEGOTIATE:
197 			s->new_session=1;
198 			s->state=SSL_ST_CONNECT;
199 			s->ctx->stats.sess_connect_renegotiate++;
200 			/* break */
201 		case SSL_ST_BEFORE:
202 		case SSL_ST_CONNECT:
203 		case SSL_ST_BEFORE|SSL_ST_CONNECT:
204 		case SSL_ST_OK|SSL_ST_CONNECT:
205 
206 			s->server=0;
207 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
208 
209 			if ((s->version & 0xff00 ) != 0x0300)
210 				{
211 				SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
212 				ret = -1;
213 				goto end;
214 				}
215 
216 			/* s->version=SSL3_VERSION; */
217 			s->type=SSL_ST_CONNECT;
218 
219 			if (s->init_buf == NULL)
220 				{
221 				if ((buf=BUF_MEM_new()) == NULL)
222 					{
223 					ret= -1;
224 					goto end;
225 					}
226 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
227 					{
228 					ret= -1;
229 					goto end;
230 					}
231 				s->init_buf=buf;
232 				buf=NULL;
233 				}
234 
235 			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
236 
237 			/* setup buffing BIO */
238 			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
239 
240 			/* don't push the buffering BIO quite yet */
241 
242 			ssl3_init_finished_mac(s);
243 
244 			s->state=SSL3_ST_CW_CLNT_HELLO_A;
245 			s->ctx->stats.sess_connect++;
246 			s->init_num=0;
247 			break;
248 
249 		case SSL3_ST_CW_CLNT_HELLO_A:
250 		case SSL3_ST_CW_CLNT_HELLO_B:
251 
252 			s->shutdown=0;
253 			ret=ssl3_client_hello(s);
254 			if (ret <= 0) goto end;
255 			s->state=SSL3_ST_CR_SRVR_HELLO_A;
256 			s->init_num=0;
257 
258 			/* turn on buffering for the next lot of output */
259 			if (s->bbio != s->wbio)
260 				s->wbio=BIO_push(s->bbio,s->wbio);
261 
262 			break;
263 
264 		case SSL3_ST_CR_SRVR_HELLO_A:
265 		case SSL3_ST_CR_SRVR_HELLO_B:
266 			ret=ssl3_get_server_hello(s);
267 			if (ret <= 0) goto end;
268 			if (s->hit)
269 				s->state=SSL3_ST_CR_FINISHED_A;
270 			else
271 				s->state=SSL3_ST_CR_CERT_A;
272 			s->init_num=0;
273 			break;
274 
275 		case SSL3_ST_CR_CERT_A:
276 		case SSL3_ST_CR_CERT_B:
277 #ifndef OPENSSL_NO_TLSEXT
278 			ret=ssl3_check_finished(s);
279 			if (ret <= 0) goto end;
280 			if (ret == 2)
281 				{
282 				s->hit = 1;
283 				if (s->tlsext_ticket_expected)
284 					s->state=SSL3_ST_CR_SESSION_TICKET_A;
285 				else
286 					s->state=SSL3_ST_CR_FINISHED_A;
287 				s->init_num=0;
288 				break;
289 				}
290 #endif
291 			/* Check if it is anon DH/ECDH */
292 			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
293 				{
294 				ret=ssl3_get_server_certificate(s);
295 				if (ret <= 0) goto end;
296 #ifndef OPENSSL_NO_TLSEXT
297 				if (s->tlsext_status_expected)
298 					s->state=SSL3_ST_CR_CERT_STATUS_A;
299 				else
300 					s->state=SSL3_ST_CR_KEY_EXCH_A;
301 				}
302 			else
303 				{
304 				skip = 1;
305 				s->state=SSL3_ST_CR_KEY_EXCH_A;
306 				}
307 #else
308 				}
309 			else
310 				skip=1;
311 
312 			s->state=SSL3_ST_CR_KEY_EXCH_A;
313 #endif
314 			s->init_num=0;
315 			break;
316 
317 		case SSL3_ST_CR_KEY_EXCH_A:
318 		case SSL3_ST_CR_KEY_EXCH_B:
319 			ret=ssl3_get_key_exchange(s);
320 			if (ret <= 0) goto end;
321 			s->state=SSL3_ST_CR_CERT_REQ_A;
322 			s->init_num=0;
323 
324 			/* at this point we check that we have the
325 			 * required stuff from the server */
326 			if (!ssl3_check_cert_and_algorithm(s))
327 				{
328 				ret= -1;
329 				goto end;
330 				}
331 			break;
332 
333 		case SSL3_ST_CR_CERT_REQ_A:
334 		case SSL3_ST_CR_CERT_REQ_B:
335 			ret=ssl3_get_certificate_request(s);
336 			if (ret <= 0) goto end;
337 			s->state=SSL3_ST_CR_SRVR_DONE_A;
338 			s->init_num=0;
339 			break;
340 
341 		case SSL3_ST_CR_SRVR_DONE_A:
342 		case SSL3_ST_CR_SRVR_DONE_B:
343 			ret=ssl3_get_server_done(s);
344 			if (ret <= 0) goto end;
345 			if (s->s3->tmp.cert_req)
346 				s->state=SSL3_ST_CW_CERT_A;
347 			else
348 				s->state=SSL3_ST_CW_KEY_EXCH_A;
349 			s->init_num=0;
350 
351 			break;
352 
353 		case SSL3_ST_CW_CERT_A:
354 		case SSL3_ST_CW_CERT_B:
355 		case SSL3_ST_CW_CERT_C:
356 		case SSL3_ST_CW_CERT_D:
357 			ret=ssl3_send_client_certificate(s);
358 			if (ret <= 0) goto end;
359 			s->state=SSL3_ST_CW_KEY_EXCH_A;
360 			s->init_num=0;
361 			break;
362 
363 		case SSL3_ST_CW_KEY_EXCH_A:
364 		case SSL3_ST_CW_KEY_EXCH_B:
365 			ret=ssl3_send_client_key_exchange(s);
366 			if (ret <= 0) goto end;
367 			l=s->s3->tmp.new_cipher->algorithms;
368 			/* EAY EAY EAY need to check for DH fix cert
369 			 * sent back */
370 			/* For TLS, cert_req is set to 2, so a cert chain
371 			 * of nothing is sent, but no verify packet is sent */
372 			/* XXX: For now, we do not support client
373 			 * authentication in ECDH cipher suites with
374 			 * ECDH (rather than ECDSA) certificates.
375 			 * We need to skip the certificate verify
376 			 * message when client's ECDH public key is sent
377 			 * inside the client certificate.
378 			 */
379 			if (s->s3->tmp.cert_req == 1)
380 				{
381 				s->state=SSL3_ST_CW_CERT_VRFY_A;
382 				}
383 			else
384 				{
385 				s->state=SSL3_ST_CW_CHANGE_A;
386 				s->s3->change_cipher_spec=0;
387 				}
388 
389 			s->init_num=0;
390 			break;
391 
392 		case SSL3_ST_CW_CERT_VRFY_A:
393 		case SSL3_ST_CW_CERT_VRFY_B:
394 			ret=ssl3_send_client_verify(s);
395 			if (ret <= 0) goto end;
396 			s->state=SSL3_ST_CW_CHANGE_A;
397 			s->init_num=0;
398 			s->s3->change_cipher_spec=0;
399 			break;
400 
401 		case SSL3_ST_CW_CHANGE_A:
402 		case SSL3_ST_CW_CHANGE_B:
403 			ret=ssl3_send_change_cipher_spec(s,
404 				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
405 			if (ret <= 0) goto end;
406 			s->state=SSL3_ST_CW_FINISHED_A;
407 			s->init_num=0;
408 
409 			s->session->cipher=s->s3->tmp.new_cipher;
410 #ifdef OPENSSL_NO_COMP
411 			s->session->compress_meth=0;
412 #else
413 			if (s->s3->tmp.new_compression == NULL)
414 				s->session->compress_meth=0;
415 			else
416 				s->session->compress_meth=
417 					s->s3->tmp.new_compression->id;
418 #endif
419 			if (!s->method->ssl3_enc->setup_key_block(s))
420 				{
421 				ret= -1;
422 				goto end;
423 				}
424 
425 			if (!s->method->ssl3_enc->change_cipher_state(s,
426 				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
427 				{
428 				ret= -1;
429 				goto end;
430 				}
431 
432 			break;
433 
434 		case SSL3_ST_CW_FINISHED_A:
435 		case SSL3_ST_CW_FINISHED_B:
436 			ret=ssl3_send_finished(s,
437 				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
438 				s->method->ssl3_enc->client_finished_label,
439 				s->method->ssl3_enc->client_finished_label_len);
440 			if (ret <= 0) goto end;
441 			s->state=SSL3_ST_CW_FLUSH;
442 
443 			/* clear flags */
444 			s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
445 			if (s->hit)
446 				{
447 				s->s3->tmp.next_state=SSL_ST_OK;
448 				if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
449 					{
450 					s->state=SSL_ST_OK;
451 					s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
452 					s->s3->delay_buf_pop_ret=0;
453 					}
454 				}
455 			else
456 				{
457 #ifndef OPENSSL_NO_TLSEXT
458 				/* Allow NewSessionTicket if ticket expected */
459 				if (s->tlsext_ticket_expected)
460 					s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
461 				else
462 #endif
463 
464 				s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
465 				}
466 			s->init_num=0;
467 			break;
468 
469 #ifndef OPENSSL_NO_TLSEXT
470 		case SSL3_ST_CR_SESSION_TICKET_A:
471 		case SSL3_ST_CR_SESSION_TICKET_B:
472 			ret=ssl3_get_new_session_ticket(s);
473 			if (ret <= 0) goto end;
474 			s->state=SSL3_ST_CR_FINISHED_A;
475 			s->init_num=0;
476 		break;
477 
478 		case SSL3_ST_CR_CERT_STATUS_A:
479 		case SSL3_ST_CR_CERT_STATUS_B:
480 			ret=ssl3_get_cert_status(s);
481 			if (ret <= 0) goto end;
482 			s->state=SSL3_ST_CR_KEY_EXCH_A;
483 			s->init_num=0;
484 		break;
485 #endif
486 
487 		case SSL3_ST_CR_FINISHED_A:
488 		case SSL3_ST_CR_FINISHED_B:
489 
490 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
491 				SSL3_ST_CR_FINISHED_B);
492 			if (ret <= 0) goto end;
493 
494 			if (s->hit)
495 				s->state=SSL3_ST_CW_CHANGE_A;
496 			else
497 				s->state=SSL_ST_OK;
498 			s->init_num=0;
499 			break;
500 
501 		case SSL3_ST_CW_FLUSH:
502 			/* number of bytes to be flushed */
503 			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
504 			if (num1 > 0)
505 				{
506 				s->rwstate=SSL_WRITING;
507 				num1=BIO_flush(s->wbio);
508 				if (num1 <= 0) { ret= -1; goto end; }
509 				s->rwstate=SSL_NOTHING;
510 				}
511 
512 			s->state=s->s3->tmp.next_state;
513 			break;
514 
515 		case SSL_ST_OK:
516 			/* clean a few things up */
517 			ssl3_cleanup_key_block(s);
518 
519 			if (s->init_buf != NULL)
520 				{
521 				BUF_MEM_free(s->init_buf);
522 				s->init_buf=NULL;
523 				}
524 
525 			/* If we are not 'joining' the last two packets,
526 			 * remove the buffering now */
527 			if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
528 				ssl_free_wbio_buffer(s);
529 			/* else do it later in ssl3_write */
530 
531 			s->init_num=0;
532 			s->new_session=0;
533 
534 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
535 			if (s->hit) s->ctx->stats.sess_hit++;
536 
537 			ret=1;
538 			/* s->server=0; */
539 			s->handshake_func=ssl3_connect;
540 			s->ctx->stats.sess_connect_good++;
541 
542 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
543 
544 			goto end;
545 			/* break; */
546 
547 		default:
548 			SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
549 			ret= -1;
550 			goto end;
551 			/* break; */
552 			}
553 
554 		/* did we do anything */
555 		if (!s->s3->tmp.reuse_message && !skip)
556 			{
557 			if (s->debug)
558 				{
559 				if ((ret=BIO_flush(s->wbio)) <= 0)
560 					goto end;
561 				}
562 
563 			if ((cb != NULL) && (s->state != state))
564 				{
565 				new_state=s->state;
566 				s->state=state;
567 				cb(s,SSL_CB_CONNECT_LOOP,1);
568 				s->state=new_state;
569 				}
570 			}
571 		skip=0;
572 		}
573 end:
574 	s->in_handshake--;
575 	if (buf != NULL)
576 		BUF_MEM_free(buf);
577 	if (cb != NULL)
578 		cb(s,SSL_CB_CONNECT_EXIT,ret);
579 	return(ret);
580 	}
581 
582 
ssl3_client_hello(SSL * s)583 int ssl3_client_hello(SSL *s)
584 	{
585 	unsigned char *buf;
586 	unsigned char *p,*d;
587 	int i;
588 	unsigned long Time,l;
589 #ifndef OPENSSL_NO_COMP
590 	int j;
591 	SSL_COMP *comp;
592 #endif
593 
594 	buf=(unsigned char *)s->init_buf->data;
595 	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
596 		{
597 		if ((s->session == NULL) ||
598 			(s->session->ssl_version != s->version) ||
599 			(s->session->not_resumable))
600 			{
601 			if (!ssl_get_new_session(s,0))
602 				goto err;
603 			}
604 		/* else use the pre-loaded session */
605 
606 		p=s->s3->client_random;
607 		Time=(unsigned long)time(NULL);			/* Time */
608 		l2n(Time,p);
609 		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
610 			goto err;
611 
612 		/* Do the message type and length last */
613 		d=p= &(buf[4]);
614 
615 		*(p++)=s->version>>8;
616 		*(p++)=s->version&0xff;
617 		s->client_version=s->version;
618 
619 		/* Random stuff */
620 		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
621 		p+=SSL3_RANDOM_SIZE;
622 
623 		/* Session ID */
624 		if (s->new_session)
625 			i=0;
626 		else
627 			i=s->session->session_id_length;
628 		*(p++)=i;
629 		if (i != 0)
630 			{
631 			if (i > (int)sizeof(s->session->session_id))
632 				{
633 				SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
634 				goto err;
635 				}
636 			memcpy(p,s->session->session_id,i);
637 			p+=i;
638 			}
639 
640 		/* Ciphers supported */
641 		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
642 		if (i == 0)
643 			{
644 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
645 			goto err;
646 			}
647 		s2n(i,p);
648 		p+=i;
649 
650 		/* COMPRESSION */
651 #ifdef OPENSSL_NO_COMP
652 		*(p++)=1;
653 #else
654 		if (s->ctx->comp_methods == NULL)
655 			j=0;
656 		else
657 			j=sk_SSL_COMP_num(s->ctx->comp_methods);
658 		*(p++)=1+j;
659 		for (i=0; i<j; i++)
660 			{
661 			comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
662 			*(p++)=comp->id;
663 			}
664 #endif
665 		*(p++)=0; /* Add the NULL method */
666 #ifndef OPENSSL_NO_TLSEXT
667 		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
668 			{
669 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
670 			goto err;
671 			}
672 #endif
673 		l=(p-d);
674 		d=buf;
675 		*(d++)=SSL3_MT_CLIENT_HELLO;
676 		l2n3(l,d);
677 
678 		s->state=SSL3_ST_CW_CLNT_HELLO_B;
679 		/* number of bytes to write */
680 		s->init_num=p-buf;
681 		s->init_off=0;
682 		}
683 
684 	/* SSL3_ST_CW_CLNT_HELLO_B */
685 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
686 err:
687 	return(-1);
688 	}
689 
ssl3_get_server_hello(SSL * s)690 int ssl3_get_server_hello(SSL *s)
691 	{
692 	STACK_OF(SSL_CIPHER) *sk;
693 	SSL_CIPHER *c;
694 	unsigned char *p,*d;
695 	int i,al,ok;
696 	unsigned int j;
697 	long n;
698 #ifndef OPENSSL_NO_COMP
699 	SSL_COMP *comp;
700 #endif
701 
702 	n=s->method->ssl_get_message(s,
703 		SSL3_ST_CR_SRVR_HELLO_A,
704 		SSL3_ST_CR_SRVR_HELLO_B,
705 		-1,
706 		20000, /* ?? */
707 		&ok);
708 
709 	if (!ok) return((int)n);
710 
711 	if ( SSL_version(s) == DTLS1_VERSION)
712 		{
713 		if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
714 			{
715 			if ( s->d1->send_cookie == 0)
716 				{
717 				s->s3->tmp.reuse_message = 1;
718 				return 1;
719 				}
720 			else /* already sent a cookie */
721 				{
722 				al=SSL_AD_UNEXPECTED_MESSAGE;
723 				SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
724 				goto f_err;
725 				}
726 			}
727 		}
728 
729 	if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
730 		{
731 		al=SSL_AD_UNEXPECTED_MESSAGE;
732 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
733 		goto f_err;
734 		}
735 
736 	d=p=(unsigned char *)s->init_msg;
737 
738 	if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
739 		{
740 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
741 		s->version=(s->version&0xff00)|p[1];
742 		al=SSL_AD_PROTOCOL_VERSION;
743 		goto f_err;
744 		}
745 	p+=2;
746 
747 	/* load the server hello data */
748 	/* load the server random */
749 	memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
750 	p+=SSL3_RANDOM_SIZE;
751 
752 	/* get the session-id */
753 	j= *(p++);
754 
755 	if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
756 		{
757 		al=SSL_AD_ILLEGAL_PARAMETER;
758 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
759 		goto f_err;
760 		}
761 
762 	if (j != 0 && j == s->session->session_id_length
763 	    && memcmp(p,s->session->session_id,j) == 0)
764 	    {
765 	    if(s->sid_ctx_length != s->session->sid_ctx_length
766 	       || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
767 		{
768 		/* actually a client application bug */
769 		al=SSL_AD_ILLEGAL_PARAMETER;
770 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
771 		goto f_err;
772 		}
773 	    s->hit=1;
774 	    }
775 	else	/* a miss or crap from the other end */
776 		{
777 		/* If we were trying for session-id reuse, make a new
778 		 * SSL_SESSION so we don't stuff up other people */
779 		s->hit=0;
780 		if (s->session->session_id_length > 0)
781 			{
782 			if (!ssl_get_new_session(s,0))
783 				{
784 				al=SSL_AD_INTERNAL_ERROR;
785 				goto f_err;
786 				}
787 			}
788 		s->session->session_id_length=j;
789 		memcpy(s->session->session_id,p,j); /* j could be 0 */
790 		}
791 	p+=j;
792 	c=ssl_get_cipher_by_char(s,p);
793 	if (c == NULL)
794 		{
795 		/* unknown cipher */
796 		al=SSL_AD_ILLEGAL_PARAMETER;
797 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
798 		goto f_err;
799 		}
800 	p+=ssl_put_cipher_by_char(s,NULL,NULL);
801 
802 	sk=ssl_get_ciphers_by_id(s);
803 	i=sk_SSL_CIPHER_find(sk,c);
804 	if (i < 0)
805 		{
806 		/* we did not say we would use this cipher */
807 		al=SSL_AD_ILLEGAL_PARAMETER;
808 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
809 		goto f_err;
810 		}
811 
812 	/* Depending on the session caching (internal/external), the cipher
813 	   and/or cipher_id values may not be set. Make sure that
814 	   cipher_id is set and use it for comparison. */
815 	if (s->session->cipher)
816 		s->session->cipher_id = s->session->cipher->id;
817 	if (s->hit && (s->session->cipher_id != c->id))
818 		{
819 		if (!(s->options &
820 			SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
821 			{
822 			al=SSL_AD_ILLEGAL_PARAMETER;
823 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
824 			goto f_err;
825 			}
826 		}
827 	s->s3->tmp.new_cipher=c;
828 
829 	/* lets get the compression algorithm */
830 	/* COMPRESSION */
831 #ifdef OPENSSL_NO_COMP
832 	if (*(p++) != 0)
833 		{
834 		al=SSL_AD_ILLEGAL_PARAMETER;
835 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
836 		goto f_err;
837 		}
838 #else
839 	j= *(p++);
840 	if (j == 0)
841 		comp=NULL;
842 	else
843 		comp=ssl3_comp_find(s->ctx->comp_methods,j);
844 
845 	if ((j != 0) && (comp == NULL))
846 		{
847 		al=SSL_AD_ILLEGAL_PARAMETER;
848 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
849 		goto f_err;
850 		}
851 	else
852 		{
853 		s->s3->tmp.new_compression=comp;
854 		}
855 #endif
856 #ifndef OPENSSL_NO_TLSEXT
857 	/* TLS extensions*/
858 	if (s->version > SSL3_VERSION)
859 		{
860 		if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
861 			{
862 			/* 'al' set by ssl_parse_serverhello_tlsext */
863 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
864 			goto f_err;
865 			}
866 		if (ssl_check_serverhello_tlsext(s) <= 0)
867 			{
868 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
869 				goto err;
870 			}
871 		}
872 #endif
873 
874 
875 	if (p != (d+n))
876 		{
877 		/* wrong packet length */
878 		al=SSL_AD_DECODE_ERROR;
879 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
880 		goto err;
881 		}
882 
883 	return(1);
884 f_err:
885 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
886 err:
887 	return(-1);
888 	}
889 
ssl3_get_server_certificate(SSL * s)890 int ssl3_get_server_certificate(SSL *s)
891 	{
892 	int al,i,ok,ret= -1;
893 	unsigned long n,nc,llen,l;
894 	X509 *x=NULL;
895 	const unsigned char *q,*p;
896 	unsigned char *d;
897 	STACK_OF(X509) *sk=NULL;
898 	SESS_CERT *sc;
899 	EVP_PKEY *pkey=NULL;
900 	int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
901 
902 	n=s->method->ssl_get_message(s,
903 		SSL3_ST_CR_CERT_A,
904 		SSL3_ST_CR_CERT_B,
905 		-1,
906 		s->max_cert_list,
907 		&ok);
908 
909 	if (!ok) return((int)n);
910 
911 	if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
912 		((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) &&
913 		(s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
914 		{
915 		s->s3->tmp.reuse_message=1;
916 		return(1);
917 		}
918 
919 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
920 		{
921 		al=SSL_AD_UNEXPECTED_MESSAGE;
922 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
923 		goto f_err;
924 		}
925 	p=d=(unsigned char *)s->init_msg;
926 
927 	if ((sk=sk_X509_new_null()) == NULL)
928 		{
929 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
930 		goto err;
931 		}
932 
933 	n2l3(p,llen);
934 	if (llen+3 != n)
935 		{
936 		al=SSL_AD_DECODE_ERROR;
937 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
938 		goto f_err;
939 		}
940 	for (nc=0; nc<llen; )
941 		{
942 		n2l3(p,l);
943 		if ((l+nc+3) > llen)
944 			{
945 			al=SSL_AD_DECODE_ERROR;
946 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
947 			goto f_err;
948 			}
949 
950 		q=p;
951 		x=d2i_X509(NULL,&q,l);
952 		if (x == NULL)
953 			{
954 			al=SSL_AD_BAD_CERTIFICATE;
955 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
956 			goto f_err;
957 			}
958 		if (q != (p+l))
959 			{
960 			al=SSL_AD_DECODE_ERROR;
961 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
962 			goto f_err;
963 			}
964 		if (!sk_X509_push(sk,x))
965 			{
966 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
967 			goto err;
968 			}
969 		x=NULL;
970 		nc+=l+3;
971 		p=q;
972 		}
973 
974 	i=ssl_verify_cert_chain(s,sk);
975 	if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
976 #ifndef OPENSSL_NO_KRB5
977 	        && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
978 	        != (SSL_aKRB5|SSL_kKRB5)
979 #endif /* OPENSSL_NO_KRB5 */
980 	        )
981 		{
982 		al=ssl_verify_alarm_type(s->verify_result);
983 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
984 		goto f_err;
985 		}
986 	ERR_clear_error(); /* but we keep s->verify_result */
987 
988 	sc=ssl_sess_cert_new();
989 	if (sc == NULL) goto err;
990 
991 	if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
992 	s->session->sess_cert=sc;
993 
994 	sc->cert_chain=sk;
995 	/* Inconsistency alert: cert_chain does include the peer's
996 	 * certificate, which we don't include in s3_srvr.c */
997 	x=sk_X509_value(sk,0);
998 	sk=NULL;
999  	/* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1000 
1001 	pkey=X509_get_pubkey(x);
1002 
1003 	/* VRS: allow null cert if auth == KRB5 */
1004 	need_cert =	((s->s3->tmp.new_cipher->algorithms
1005 	                 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
1006 	                 == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
1007 
1008 #ifdef KSSL_DEBUG
1009 	printf("pkey,x = %p, %p\n", (void *)pkey,(void *)x);
1010 	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1011 	printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
1012 	        s->s3->tmp.new_cipher->algorithms, need_cert);
1013 #endif    /* KSSL_DEBUG */
1014 
1015 	if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1016 		{
1017 		x=NULL;
1018 		al=SSL3_AL_FATAL;
1019 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1020 			SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1021 		goto f_err;
1022 		}
1023 
1024 	i=ssl_cert_type(x,pkey);
1025 	if (need_cert && i < 0)
1026 		{
1027 		x=NULL;
1028 		al=SSL3_AL_FATAL;
1029 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1030 			SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1031 		goto f_err;
1032 		}
1033 
1034 	if (need_cert)
1035 		{
1036 		sc->peer_cert_type=i;
1037 		CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1038 		/* Why would the following ever happen?
1039 		 * We just created sc a couple of lines ago. */
1040 		if (sc->peer_pkeys[i].x509 != NULL)
1041 			X509_free(sc->peer_pkeys[i].x509);
1042 		sc->peer_pkeys[i].x509=x;
1043 		sc->peer_key= &(sc->peer_pkeys[i]);
1044 
1045 		if (s->session->peer != NULL)
1046 			X509_free(s->session->peer);
1047 		CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1048 		s->session->peer=x;
1049 		}
1050 	else
1051 		{
1052 		sc->peer_cert_type=i;
1053 		sc->peer_key= NULL;
1054 
1055 		if (s->session->peer != NULL)
1056 			X509_free(s->session->peer);
1057 		s->session->peer=NULL;
1058 		}
1059 	s->session->verify_result = s->verify_result;
1060 
1061 	x=NULL;
1062 	ret=1;
1063 
1064 	if (0)
1065 		{
1066 f_err:
1067 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
1068 		}
1069 err:
1070 	EVP_PKEY_free(pkey);
1071 	X509_free(x);
1072 	sk_X509_pop_free(sk,X509_free);
1073 	return(ret);
1074 	}
1075 
ssl3_get_key_exchange(SSL * s)1076 int ssl3_get_key_exchange(SSL *s)
1077 	{
1078 #ifndef OPENSSL_NO_RSA
1079 	unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1080 #endif
1081 	EVP_MD_CTX md_ctx;
1082 	unsigned char *param,*p;
1083 	int al,i,j,param_len,ok;
1084 	long n,alg;
1085 	EVP_PKEY *pkey=NULL;
1086 #ifndef OPENSSL_NO_RSA
1087 	RSA *rsa=NULL;
1088 #endif
1089 #ifndef OPENSSL_NO_DH
1090 	DH *dh=NULL;
1091 #endif
1092 #ifndef OPENSSL_NO_ECDH
1093 	EC_KEY *ecdh = NULL;
1094 	BN_CTX *bn_ctx = NULL;
1095 	EC_POINT *srvr_ecpoint = NULL;
1096 	int curve_nid = 0;
1097 	int encoded_pt_len = 0;
1098 #endif
1099 
1100 	/* use same message size as in ssl3_get_certificate_request()
1101 	 * as ServerKeyExchange message may be skipped */
1102 	n=s->method->ssl_get_message(s,
1103 		SSL3_ST_CR_KEY_EXCH_A,
1104 		SSL3_ST_CR_KEY_EXCH_B,
1105 		-1,
1106 		s->max_cert_list,
1107 		&ok);
1108 
1109 	if (!ok) return((int)n);
1110 
1111 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1112 		{
1113 		s->s3->tmp.reuse_message=1;
1114 		return(1);
1115 		}
1116 
1117 	param=p=(unsigned char *)s->init_msg;
1118 
1119 	if (s->session->sess_cert != NULL)
1120 		{
1121 #ifndef OPENSSL_NO_RSA
1122 		if (s->session->sess_cert->peer_rsa_tmp != NULL)
1123 			{
1124 			RSA_free(s->session->sess_cert->peer_rsa_tmp);
1125 			s->session->sess_cert->peer_rsa_tmp=NULL;
1126 			}
1127 #endif
1128 #ifndef OPENSSL_NO_DH
1129 		if (s->session->sess_cert->peer_dh_tmp)
1130 			{
1131 			DH_free(s->session->sess_cert->peer_dh_tmp);
1132 			s->session->sess_cert->peer_dh_tmp=NULL;
1133 			}
1134 #endif
1135 #ifndef OPENSSL_NO_ECDH
1136 		if (s->session->sess_cert->peer_ecdh_tmp)
1137 			{
1138 			EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1139 			s->session->sess_cert->peer_ecdh_tmp=NULL;
1140 			}
1141 #endif
1142 		}
1143 	else
1144 		{
1145 		s->session->sess_cert=ssl_sess_cert_new();
1146 		}
1147 
1148 	param_len=0;
1149 	alg=s->s3->tmp.new_cipher->algorithms;
1150 	EVP_MD_CTX_init(&md_ctx);
1151 
1152 #ifndef OPENSSL_NO_RSA
1153 	if (alg & SSL_kRSA)
1154 		{
1155 		if ((rsa=RSA_new()) == NULL)
1156 			{
1157 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1158 			goto err;
1159 			}
1160 		n2s(p,i);
1161 		param_len=i+2;
1162 		if (param_len > n)
1163 			{
1164 			al=SSL_AD_DECODE_ERROR;
1165 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1166 			goto f_err;
1167 			}
1168 		if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1169 			{
1170 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1171 			goto err;
1172 			}
1173 		p+=i;
1174 
1175 		n2s(p,i);
1176 		param_len+=i+2;
1177 		if (param_len > n)
1178 			{
1179 			al=SSL_AD_DECODE_ERROR;
1180 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1181 			goto f_err;
1182 			}
1183 		if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1184 			{
1185 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1186 			goto err;
1187 			}
1188 		p+=i;
1189 		n-=param_len;
1190 
1191 		/* this should be because we are using an export cipher */
1192 		if (alg & SSL_aRSA)
1193 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1194 		else
1195 			{
1196 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1197 			goto err;
1198 			}
1199 		s->session->sess_cert->peer_rsa_tmp=rsa;
1200 		rsa=NULL;
1201 		}
1202 #else /* OPENSSL_NO_RSA */
1203 	if (0)
1204 		;
1205 #endif
1206 #ifndef OPENSSL_NO_DH
1207 	else if (alg & SSL_kEDH)
1208 		{
1209 		if ((dh=DH_new()) == NULL)
1210 			{
1211 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1212 			goto err;
1213 			}
1214 		n2s(p,i);
1215 		param_len=i+2;
1216 		if (param_len > n)
1217 			{
1218 			al=SSL_AD_DECODE_ERROR;
1219 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1220 			goto f_err;
1221 			}
1222 		if (!(dh->p=BN_bin2bn(p,i,NULL)))
1223 			{
1224 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1225 			goto err;
1226 			}
1227 		p+=i;
1228 
1229 		n2s(p,i);
1230 		param_len+=i+2;
1231 		if (param_len > n)
1232 			{
1233 			al=SSL_AD_DECODE_ERROR;
1234 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1235 			goto f_err;
1236 			}
1237 		if (!(dh->g=BN_bin2bn(p,i,NULL)))
1238 			{
1239 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1240 			goto err;
1241 			}
1242 		p+=i;
1243 
1244 		n2s(p,i);
1245 		param_len+=i+2;
1246 		if (param_len > n)
1247 			{
1248 			al=SSL_AD_DECODE_ERROR;
1249 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1250 			goto f_err;
1251 			}
1252 		if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1253 			{
1254 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1255 			goto err;
1256 			}
1257 		p+=i;
1258 		n-=param_len;
1259 
1260 #ifndef OPENSSL_NO_RSA
1261 		if (alg & SSL_aRSA)
1262 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1263 #else
1264 		if (0)
1265 			;
1266 #endif
1267 #ifndef OPENSSL_NO_DSA
1268 		else if (alg & SSL_aDSS)
1269 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1270 #endif
1271 		/* else anonymous DH, so no certificate or pkey. */
1272 
1273 		s->session->sess_cert->peer_dh_tmp=dh;
1274 		dh=NULL;
1275 		}
1276 	else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1277 		{
1278 		al=SSL_AD_ILLEGAL_PARAMETER;
1279 		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1280 		goto f_err;
1281 		}
1282 #endif /* !OPENSSL_NO_DH */
1283 
1284 #ifndef OPENSSL_NO_ECDH
1285 	else if (alg & SSL_kECDHE)
1286 		{
1287 		EC_GROUP *ngroup;
1288 		const EC_GROUP *group;
1289 
1290 		if ((ecdh=EC_KEY_new()) == NULL)
1291 			{
1292 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1293 			goto err;
1294 			}
1295 
1296 		/* Extract elliptic curve parameters and the
1297 		 * server's ephemeral ECDH public key.
1298 		 * Keep accumulating lengths of various components in
1299 		 * param_len and make sure it never exceeds n.
1300 		 */
1301 
1302 		/* XXX: For now we only support named (not generic) curves
1303 		 * and the ECParameters in this case is just three bytes.
1304 		 */
1305 		param_len=3;
1306 		if ((param_len > n) ||
1307 		    (*p != NAMED_CURVE_TYPE) ||
1308 		    ((curve_nid = curve_id2nid(*(p + 2))) == 0))
1309 			{
1310 			al=SSL_AD_INTERNAL_ERROR;
1311 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1312 			goto f_err;
1313 			}
1314 
1315 		ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1316 		if (ngroup == NULL)
1317 			{
1318 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1319 			goto err;
1320 			}
1321 		if (EC_KEY_set_group(ecdh, ngroup) == 0)
1322 			{
1323 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1324 			goto err;
1325 			}
1326 		EC_GROUP_free(ngroup);
1327 
1328 		group = EC_KEY_get0_group(ecdh);
1329 
1330 		if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1331 		    (EC_GROUP_get_degree(group) > 163))
1332 			{
1333 			al=SSL_AD_EXPORT_RESTRICTION;
1334 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1335 			goto f_err;
1336 			}
1337 
1338 		p+=3;
1339 
1340 		/* Next, get the encoded ECPoint */
1341 		if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1342 		    ((bn_ctx = BN_CTX_new()) == NULL))
1343 			{
1344 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1345 			goto err;
1346 			}
1347 
1348 		encoded_pt_len = *p;  /* length of encoded point */
1349 		p+=1;
1350 		param_len += (1 + encoded_pt_len);
1351 		if ((param_len > n) ||
1352 		    (EC_POINT_oct2point(group, srvr_ecpoint,
1353 			p, encoded_pt_len, bn_ctx) == 0))
1354 			{
1355 			al=SSL_AD_DECODE_ERROR;
1356 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1357 			goto f_err;
1358 			}
1359 
1360 		n-=param_len;
1361 		p+=encoded_pt_len;
1362 
1363 		/* The ECC/TLS specification does not mention
1364 		 * the use of DSA to sign ECParameters in the server
1365 		 * key exchange message. We do support RSA and ECDSA.
1366 		 */
1367 		if (0) ;
1368 #ifndef OPENSSL_NO_RSA
1369 		else if (alg & SSL_aRSA)
1370 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1371 #endif
1372 #ifndef OPENSSL_NO_ECDSA
1373 		else if (alg & SSL_aECDSA)
1374 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1375 #endif
1376 		/* else anonymous ECDH, so no certificate or pkey. */
1377 		EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1378 		s->session->sess_cert->peer_ecdh_tmp=ecdh;
1379 		ecdh=NULL;
1380 		BN_CTX_free(bn_ctx);
1381 		EC_POINT_free(srvr_ecpoint);
1382 		srvr_ecpoint = NULL;
1383 		}
1384 	else if (alg & SSL_kECDH)
1385 		{
1386 		al=SSL_AD_UNEXPECTED_MESSAGE;
1387 		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1388 		goto f_err;
1389 		}
1390 #endif /* !OPENSSL_NO_ECDH */
1391 	if (alg & SSL_aFZA)
1392 		{
1393 		al=SSL_AD_HANDSHAKE_FAILURE;
1394 		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1395 		goto f_err;
1396 		}
1397 
1398 
1399 	/* p points to the next byte, there are 'n' bytes left */
1400 
1401 	/* if it was signed, check the signature */
1402 	if (pkey != NULL)
1403 		{
1404 		n2s(p,i);
1405 		n-=2;
1406 		j=EVP_PKEY_size(pkey);
1407 
1408 		if ((i != n) || (n > j) || (n <= 0))
1409 			{
1410 			/* wrong packet length */
1411 			al=SSL_AD_DECODE_ERROR;
1412 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1413 			goto f_err;
1414 			}
1415 
1416 #ifndef OPENSSL_NO_RSA
1417 		if (pkey->type == EVP_PKEY_RSA)
1418 			{
1419 			int num;
1420 
1421 			j=0;
1422 			q=md_buf;
1423 			for (num=2; num > 0; num--)
1424 				{
1425 				EVP_MD_CTX_set_flags(&md_ctx,
1426 					EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1427 				EVP_DigestInit_ex(&md_ctx,(num == 2)
1428 					?s->ctx->md5:s->ctx->sha1, NULL);
1429 				EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1430 				EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1431 				EVP_DigestUpdate(&md_ctx,param,param_len);
1432 				EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1433 				q+=i;
1434 				j+=i;
1435 				}
1436 			i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1437 								pkey->pkey.rsa);
1438 			if (i < 0)
1439 				{
1440 				al=SSL_AD_DECRYPT_ERROR;
1441 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1442 				goto f_err;
1443 				}
1444 			if (i == 0)
1445 				{
1446 				/* bad signature */
1447 				al=SSL_AD_DECRYPT_ERROR;
1448 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1449 				goto f_err;
1450 				}
1451 			}
1452 		else
1453 #endif
1454 #ifndef OPENSSL_NO_DSA
1455 			if (pkey->type == EVP_PKEY_DSA)
1456 			{
1457 			/* lets do DSS */
1458 			EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1459 			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1460 			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1461 			EVP_VerifyUpdate(&md_ctx,param,param_len);
1462 			if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1463 				{
1464 				/* bad signature */
1465 				al=SSL_AD_DECRYPT_ERROR;
1466 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1467 				goto f_err;
1468 				}
1469 			}
1470 		else
1471 #endif
1472 #ifndef OPENSSL_NO_ECDSA
1473 			if (pkey->type == EVP_PKEY_EC)
1474 			{
1475 			/* let's do ECDSA */
1476 			EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1477 			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1478 			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1479 			EVP_VerifyUpdate(&md_ctx,param,param_len);
1480 			if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1481 				{
1482 				/* bad signature */
1483 				al=SSL_AD_DECRYPT_ERROR;
1484 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1485 				goto f_err;
1486 				}
1487 			}
1488 		else
1489 #endif
1490 			{
1491 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1492 			goto err;
1493 			}
1494 		}
1495 	else
1496 		{
1497 		/* still data left over */
1498 		if (!(alg & SSL_aNULL))
1499 			{
1500 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1501 			goto err;
1502 			}
1503 		if (n != 0)
1504 			{
1505 			al=SSL_AD_DECODE_ERROR;
1506 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1507 			goto f_err;
1508 			}
1509 		}
1510 	EVP_PKEY_free(pkey);
1511 	EVP_MD_CTX_cleanup(&md_ctx);
1512 	return(1);
1513 f_err:
1514 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
1515 err:
1516 	EVP_PKEY_free(pkey);
1517 #ifndef OPENSSL_NO_RSA
1518 	if (rsa != NULL)
1519 		RSA_free(rsa);
1520 #endif
1521 #ifndef OPENSSL_NO_DH
1522 	if (dh != NULL)
1523 		DH_free(dh);
1524 #endif
1525 #ifndef OPENSSL_NO_ECDH
1526 	BN_CTX_free(bn_ctx);
1527 	EC_POINT_free(srvr_ecpoint);
1528 	if (ecdh != NULL)
1529 		EC_KEY_free(ecdh);
1530 #endif
1531 	EVP_MD_CTX_cleanup(&md_ctx);
1532 	return(-1);
1533 	}
1534 
ssl3_get_certificate_request(SSL * s)1535 int ssl3_get_certificate_request(SSL *s)
1536 	{
1537 	int ok,ret=0;
1538 	unsigned long n,nc,l;
1539 	unsigned int llen,ctype_num,i;
1540 	X509_NAME *xn=NULL;
1541 	const unsigned char *p,*q;
1542 	unsigned char *d;
1543 	STACK_OF(X509_NAME) *ca_sk=NULL;
1544 
1545 	n=s->method->ssl_get_message(s,
1546 		SSL3_ST_CR_CERT_REQ_A,
1547 		SSL3_ST_CR_CERT_REQ_B,
1548 		-1,
1549 		s->max_cert_list,
1550 		&ok);
1551 
1552 	if (!ok) return((int)n);
1553 
1554 	s->s3->tmp.cert_req=0;
1555 
1556 	if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1557 		{
1558 		s->s3->tmp.reuse_message=1;
1559 		return(1);
1560 		}
1561 
1562 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1563 		{
1564 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1565 		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1566 		goto err;
1567 		}
1568 
1569 	/* TLS does not like anon-DH with client cert */
1570 	if (s->version > SSL3_VERSION)
1571 		{
1572 		l=s->s3->tmp.new_cipher->algorithms;
1573 		if (l & SSL_aNULL)
1574 			{
1575 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1576 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1577 			goto err;
1578 			}
1579 		}
1580 
1581 	p=d=(unsigned char *)s->init_msg;
1582 
1583 	if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1584 		{
1585 		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1586 		goto err;
1587 		}
1588 
1589 	/* get the certificate types */
1590 	ctype_num= *(p++);
1591 	if (ctype_num > SSL3_CT_NUMBER)
1592 		ctype_num=SSL3_CT_NUMBER;
1593 	for (i=0; i<ctype_num; i++)
1594 		s->s3->tmp.ctype[i]= p[i];
1595 	p+=ctype_num;
1596 
1597 	/* get the CA RDNs */
1598 	n2s(p,llen);
1599 #if 0
1600 {
1601 FILE *out;
1602 out=fopen("/tmp/vsign.der","w");
1603 fwrite(p,1,llen,out);
1604 fclose(out);
1605 }
1606 #endif
1607 
1608 	if ((llen+ctype_num+2+1) != n)
1609 		{
1610 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1611 		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1612 		goto err;
1613 		}
1614 
1615 	for (nc=0; nc<llen; )
1616 		{
1617 		n2s(p,l);
1618 		if ((l+nc+2) > llen)
1619 			{
1620 			if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1621 				goto cont; /* netscape bugs */
1622 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1623 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1624 			goto err;
1625 			}
1626 
1627 		q=p;
1628 
1629 		if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1630 			{
1631 			/* If netscape tolerance is on, ignore errors */
1632 			if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1633 				goto cont;
1634 			else
1635 				{
1636 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1637 				SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1638 				goto err;
1639 				}
1640 			}
1641 
1642 		if (q != (p+l))
1643 			{
1644 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1645 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1646 			goto err;
1647 			}
1648 		if (!sk_X509_NAME_push(ca_sk,xn))
1649 			{
1650 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1651 			goto err;
1652 			}
1653 
1654 		p+=l;
1655 		nc+=l+2;
1656 		}
1657 
1658 	if (0)
1659 		{
1660 cont:
1661 		ERR_clear_error();
1662 		}
1663 
1664 	/* we should setup a certificate to return.... */
1665 	s->s3->tmp.cert_req=1;
1666 	s->s3->tmp.ctype_num=ctype_num;
1667 	if (s->s3->tmp.ca_names != NULL)
1668 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1669 	s->s3->tmp.ca_names=ca_sk;
1670 	ca_sk=NULL;
1671 
1672 	ret=1;
1673 err:
1674 	if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1675 	return(ret);
1676 	}
1677 
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)1678 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1679 	{
1680 	return(X509_NAME_cmp(*a,*b));
1681 	}
1682 #ifndef OPENSSL_NO_TLSEXT
ssl3_get_new_session_ticket(SSL * s)1683 int ssl3_get_new_session_ticket(SSL *s)
1684 	{
1685 	int ok,al,ret=0, ticklen;
1686 	long n;
1687 	const unsigned char *p;
1688 	unsigned char *d;
1689 
1690 	n=s->method->ssl_get_message(s,
1691 		SSL3_ST_CR_SESSION_TICKET_A,
1692 		SSL3_ST_CR_SESSION_TICKET_B,
1693 		-1,
1694 		16384,
1695 		&ok);
1696 
1697 	if (!ok)
1698 		return((int)n);
1699 
1700 	if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
1701 		{
1702 		s->s3->tmp.reuse_message=1;
1703 		return(1);
1704 		}
1705 	if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
1706 		{
1707 		al=SSL_AD_UNEXPECTED_MESSAGE;
1708 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
1709 		goto f_err;
1710 		}
1711 	if (n < 6)
1712 		{
1713 		/* need at least ticket_lifetime_hint + ticket length */
1714 		al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1715 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1716 		goto f_err;
1717 		}
1718 	p=d=(unsigned char *)s->init_msg;
1719 	n2l(p, s->session->tlsext_tick_lifetime_hint);
1720 	n2s(p, ticklen);
1721 	/* ticket_lifetime_hint + ticket_length + ticket */
1722 	if (ticklen + 6 != n)
1723 		{
1724 		al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1725 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1726 		goto f_err;
1727 		}
1728 	if (s->session->tlsext_tick)
1729 		{
1730 		OPENSSL_free(s->session->tlsext_tick);
1731 		s->session->tlsext_ticklen = 0;
1732 		}
1733 	s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1734 	if (!s->session->tlsext_tick)
1735 		{
1736 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
1737 		goto err;
1738 		}
1739 	memcpy(s->session->tlsext_tick, p, ticklen);
1740 	s->session->tlsext_ticklen = ticklen;
1741 
1742 	ret=1;
1743 	return(ret);
1744 f_err:
1745 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
1746 err:
1747 	return(-1);
1748 	}
1749 
ssl3_get_cert_status(SSL * s)1750 int ssl3_get_cert_status(SSL *s)
1751 	{
1752 	int ok, al;
1753 	unsigned long resplen;
1754 	long n;
1755 	const unsigned char *p;
1756 
1757 	n=s->method->ssl_get_message(s,
1758 		SSL3_ST_CR_CERT_STATUS_A,
1759 		SSL3_ST_CR_CERT_STATUS_B,
1760 		SSL3_MT_CERTIFICATE_STATUS,
1761 		16384,
1762 		&ok);
1763 
1764 	if (!ok) return((int)n);
1765 	if (n < 4)
1766 		{
1767 		/* need at least status type + length */
1768 		al = SSL_AD_DECODE_ERROR;
1769 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1770 		goto f_err;
1771 		}
1772 	p = (unsigned char *)s->init_msg;
1773 	if (*p++ != TLSEXT_STATUSTYPE_ocsp)
1774 		{
1775 		al = SSL_AD_DECODE_ERROR;
1776 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE);
1777 		goto f_err;
1778 		}
1779 	n2l3(p, resplen);
1780 	if (resplen + 4 != (unsigned long)n)
1781 		{
1782 		al = SSL_AD_DECODE_ERROR;
1783 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1784 		goto f_err;
1785 		}
1786 	if (s->tlsext_ocsp_resp)
1787 		OPENSSL_free(s->tlsext_ocsp_resp);
1788 	s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
1789 	if (!s->tlsext_ocsp_resp)
1790 		{
1791 		al = SSL_AD_INTERNAL_ERROR;
1792 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1793 		goto f_err;
1794 		}
1795 	s->tlsext_ocsp_resplen = resplen;
1796 	if (s->ctx->tlsext_status_cb)
1797 		{
1798 		int ret;
1799 		ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1800 		if (ret == 0)
1801 			{
1802 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1803 			SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE);
1804 			goto f_err;
1805 			}
1806 		if (ret < 0)
1807 			{
1808 			al = SSL_AD_INTERNAL_ERROR;
1809 			SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1810 			goto f_err;
1811 			}
1812 		}
1813 	return 1;
1814 f_err:
1815 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
1816 	return(-1);
1817 	}
1818 #endif
1819 
ssl3_get_server_done(SSL * s)1820 int ssl3_get_server_done(SSL *s)
1821 	{
1822 	int ok,ret=0;
1823 	long n;
1824 
1825 	n=s->method->ssl_get_message(s,
1826 		SSL3_ST_CR_SRVR_DONE_A,
1827 		SSL3_ST_CR_SRVR_DONE_B,
1828 		SSL3_MT_SERVER_DONE,
1829 		30, /* should be very small, like 0 :-) */
1830 		&ok);
1831 
1832 	if (!ok) return((int)n);
1833 	if (n > 0)
1834 		{
1835 		/* should contain no data */
1836 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1837 		SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1838 		return -1;
1839 		}
1840 	ret=1;
1841 	return(ret);
1842 	}
1843 
1844 
ssl3_send_client_key_exchange(SSL * s)1845 int ssl3_send_client_key_exchange(SSL *s)
1846 	{
1847 	unsigned char *p,*d;
1848 	int n;
1849 	unsigned long l;
1850 #ifndef OPENSSL_NO_RSA
1851 	unsigned char *q;
1852 	EVP_PKEY *pkey=NULL;
1853 #endif
1854 #ifndef OPENSSL_NO_KRB5
1855 	KSSL_ERR kssl_err;
1856 #endif /* OPENSSL_NO_KRB5 */
1857 #ifndef OPENSSL_NO_ECDH
1858 	EC_KEY *clnt_ecdh = NULL;
1859 	const EC_POINT *srvr_ecpoint = NULL;
1860 	EVP_PKEY *srvr_pub_pkey = NULL;
1861 	unsigned char *encodedPoint = NULL;
1862 	int encoded_pt_len = 0;
1863 	BN_CTX * bn_ctx = NULL;
1864 #endif
1865 
1866 	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1867 		{
1868 		d=(unsigned char *)s->init_buf->data;
1869 		p= &(d[4]);
1870 
1871 		l=s->s3->tmp.new_cipher->algorithms;
1872 
1873 		/* Fool emacs indentation */
1874 		if (0) {}
1875 #ifndef OPENSSL_NO_RSA
1876 		else if (l & SSL_kRSA)
1877 			{
1878 			RSA *rsa;
1879 			unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1880 
1881 			if (s->session->sess_cert->peer_rsa_tmp != NULL)
1882 				rsa=s->session->sess_cert->peer_rsa_tmp;
1883 			else
1884 				{
1885 				pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1886 				if ((pkey == NULL) ||
1887 					(pkey->type != EVP_PKEY_RSA) ||
1888 					(pkey->pkey.rsa == NULL))
1889 					{
1890 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1891 					goto err;
1892 					}
1893 				rsa=pkey->pkey.rsa;
1894 				EVP_PKEY_free(pkey);
1895 				}
1896 
1897 			tmp_buf[0]=s->client_version>>8;
1898 			tmp_buf[1]=s->client_version&0xff;
1899 			if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
1900 					goto err;
1901 
1902 			s->session->master_key_length=sizeof tmp_buf;
1903 
1904 			q=p;
1905 			/* Fix buf for TLS and beyond */
1906 			if (s->version > SSL3_VERSION)
1907 				p+=2;
1908 			n=RSA_public_encrypt(sizeof tmp_buf,
1909 				tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1910 #ifdef PKCS1_CHECK
1911 			if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1912 			if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1913 #endif
1914 			if (n <= 0)
1915 				{
1916 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1917 				goto err;
1918 				}
1919 
1920 			/* Fix buf for TLS and beyond */
1921 			if (s->version > SSL3_VERSION)
1922 				{
1923 				s2n(n,q);
1924 				n+=2;
1925 				}
1926 
1927 			s->session->master_key_length=
1928 				s->method->ssl3_enc->generate_master_secret(s,
1929 					s->session->master_key,
1930 					tmp_buf,sizeof tmp_buf);
1931 			OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
1932 			}
1933 #endif
1934 #ifndef OPENSSL_NO_KRB5
1935 		else if (l & SSL_kKRB5)
1936 			{
1937 			krb5_error_code	krb5rc;
1938 			KSSL_CTX	*kssl_ctx = s->kssl_ctx;
1939 			/*  krb5_data	krb5_ap_req;  */
1940 			krb5_data	*enc_ticket;
1941 			krb5_data	authenticator, *authp = NULL;
1942 			EVP_CIPHER_CTX	ciph_ctx;
1943 			EVP_CIPHER	*enc = NULL;
1944 			unsigned char	iv[EVP_MAX_IV_LENGTH];
1945 			unsigned char	tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1946 			unsigned char	epms[SSL_MAX_MASTER_KEY_LENGTH
1947 						+ EVP_MAX_IV_LENGTH];
1948 			int 		padl, outl = sizeof(epms);
1949 
1950 			EVP_CIPHER_CTX_init(&ciph_ctx);
1951 
1952 #ifdef KSSL_DEBUG
1953 			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1954 			        l, SSL_kKRB5);
1955 #endif	/* KSSL_DEBUG */
1956 
1957 			authp = NULL;
1958 #ifdef KRB5SENDAUTH
1959 			if (KRB5SENDAUTH)  authp = &authenticator;
1960 #endif	/* KRB5SENDAUTH */
1961 
1962 			krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
1963 				&kssl_err);
1964 			enc = kssl_map_enc(kssl_ctx->enctype);
1965 			if (enc == NULL)
1966 			    goto err;
1967 #ifdef KSSL_DEBUG
1968 			{
1969 			printf("kssl_cget_tkt rtn %d\n", krb5rc);
1970 			if (krb5rc && kssl_err.text)
1971 			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
1972 			}
1973 #endif	/* KSSL_DEBUG */
1974 
1975 			if (krb5rc)
1976 				{
1977 				ssl3_send_alert(s,SSL3_AL_FATAL,
1978 						SSL_AD_HANDSHAKE_FAILURE);
1979 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1980 						kssl_err.reason);
1981 				goto err;
1982 				}
1983 
1984 			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
1985 			**  in place of RFC 2712 KerberosWrapper, as in:
1986 			**
1987 			**  Send ticket (copy to *p, set n = length)
1988 			**  n = krb5_ap_req.length;
1989 			**  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1990 			**  if (krb5_ap_req.data)
1991 			**    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1992 			**
1993 			**  Now using real RFC 2712 KerberosWrapper
1994 			**  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1995 			**  Note: 2712 "opaque" types are here replaced
1996 			**  with a 2-byte length followed by the value.
1997 			**  Example:
1998 			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1999 			**  Where "xx xx" = length bytes.  Shown here with
2000 			**  optional authenticator omitted.
2001 			*/
2002 
2003 			/*  KerberosWrapper.Ticket		*/
2004 			s2n(enc_ticket->length,p);
2005 			memcpy(p, enc_ticket->data, enc_ticket->length);
2006 			p+= enc_ticket->length;
2007 			n = enc_ticket->length + 2;
2008 
2009 			/*  KerberosWrapper.Authenticator	*/
2010 			if (authp  &&  authp->length)
2011 				{
2012 				s2n(authp->length,p);
2013 				memcpy(p, authp->data, authp->length);
2014 				p+= authp->length;
2015 				n+= authp->length + 2;
2016 
2017 				free(authp->data);
2018 				authp->data = NULL;
2019 				authp->length = 0;
2020 				}
2021 			else
2022 				{
2023 				s2n(0,p);/*  null authenticator length	*/
2024 				n+=2;
2025 				}
2026 
2027 			    tmp_buf[0]=s->client_version>>8;
2028 			    tmp_buf[1]=s->client_version&0xff;
2029 			    if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2030 				goto err;
2031 
2032 			/*  20010420 VRS.  Tried it this way; failed.
2033 			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2034 			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2035 			**				kssl_ctx->length);
2036 			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2037 			*/
2038 
2039 			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
2040 			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
2041 				kssl_ctx->key,iv);
2042 			EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
2043 				sizeof tmp_buf);
2044 			EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
2045 			outl += padl;
2046 			if (outl > sizeof epms)
2047 				{
2048 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2049 				goto err;
2050 				}
2051 			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2052 
2053 			/*  KerberosWrapper.EncryptedPreMasterSecret	*/
2054 			s2n(outl,p);
2055 			memcpy(p, epms, outl);
2056 			p+=outl;
2057 			n+=outl + 2;
2058 
2059 			s->session->master_key_length=
2060 			        s->method->ssl3_enc->generate_master_secret(s,
2061 					s->session->master_key,
2062 					tmp_buf, sizeof tmp_buf);
2063 
2064 			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2065 			OPENSSL_cleanse(epms, outl);
2066 			}
2067 #endif
2068 #ifndef OPENSSL_NO_DH
2069 		else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2070 			{
2071 			DH *dh_srvr,*dh_clnt;
2072 
2073 			if (s->session->sess_cert == NULL)
2074 				{
2075 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2076 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2077 				goto err;
2078 			        }
2079 
2080 			if (s->session->sess_cert->peer_dh_tmp != NULL)
2081 				dh_srvr=s->session->sess_cert->peer_dh_tmp;
2082 			else
2083 				{
2084 				/* we get them from the cert */
2085 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2086 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2087 				goto err;
2088 				}
2089 
2090 			/* generate a new random key */
2091 			if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2092 				{
2093 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2094 				goto err;
2095 				}
2096 			if (!DH_generate_key(dh_clnt))
2097 				{
2098 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2099 				goto err;
2100 				}
2101 
2102 			/* use the 'p' output buffer for the DH key, but
2103 			 * make sure to clear it out afterwards */
2104 
2105 			n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2106 
2107 			if (n <= 0)
2108 				{
2109 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2110 				goto err;
2111 				}
2112 
2113 			/* generate master key from the result */
2114 			s->session->master_key_length=
2115 				s->method->ssl3_enc->generate_master_secret(s,
2116 					s->session->master_key,p,n);
2117 			/* clean up */
2118 			memset(p,0,n);
2119 
2120 			/* send off the data */
2121 			n=BN_num_bytes(dh_clnt->pub_key);
2122 			s2n(n,p);
2123 			BN_bn2bin(dh_clnt->pub_key,p);
2124 			n+=2;
2125 
2126 			DH_free(dh_clnt);
2127 
2128 			/* perhaps clean things up a bit EAY EAY EAY EAY*/
2129 			}
2130 #endif
2131 
2132 #ifndef OPENSSL_NO_ECDH
2133 		else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
2134 			{
2135 			const EC_GROUP *srvr_group = NULL;
2136 			EC_KEY *tkey;
2137 			int ecdh_clnt_cert = 0;
2138 			int field_size = 0;
2139 
2140 			/* Did we send out the client's
2141 			 * ECDH share for use in premaster
2142 			 * computation as part of client certificate?
2143 			 * If so, set ecdh_clnt_cert to 1.
2144 			 */
2145 			if ((l & SSL_kECDH) && (s->cert != NULL))
2146 				{
2147 				/* XXX: For now, we do not support client
2148 				 * authentication using ECDH certificates.
2149 				 * To add such support, one needs to add
2150 				 * code that checks for appropriate
2151 				 * conditions and sets ecdh_clnt_cert to 1.
2152 				 * For example, the cert have an ECC
2153 				 * key on the same curve as the server's
2154 				 * and the key should be authorized for
2155 				 * key agreement.
2156 				 *
2157 				 * One also needs to add code in ssl3_connect
2158 				 * to skip sending the certificate verify
2159 				 * message.
2160 				 *
2161 				 * if ((s->cert->key->privatekey != NULL) &&
2162 				 *     (s->cert->key->privatekey->type ==
2163 				 *      EVP_PKEY_EC) && ...)
2164 				 * ecdh_clnt_cert = 1;
2165 				 */
2166 				}
2167 
2168 			if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2169 				{
2170 				tkey = s->session->sess_cert->peer_ecdh_tmp;
2171 				}
2172 			else
2173 				{
2174 				/* Get the Server Public Key from Cert */
2175 				srvr_pub_pkey = X509_get_pubkey(s->session-> \
2176 				    sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2177 				if ((srvr_pub_pkey == NULL) ||
2178 				    (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2179 				    (srvr_pub_pkey->pkey.ec == NULL))
2180 					{
2181 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2182 					    ERR_R_INTERNAL_ERROR);
2183 					goto err;
2184 					}
2185 
2186 				tkey = srvr_pub_pkey->pkey.ec;
2187 				}
2188 
2189 			srvr_group   = EC_KEY_get0_group(tkey);
2190 			srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2191 
2192 			if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2193 				{
2194 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2195 				    ERR_R_INTERNAL_ERROR);
2196 				goto err;
2197 				}
2198 
2199 			if ((clnt_ecdh=EC_KEY_new()) == NULL)
2200 				{
2201 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2202 				goto err;
2203 				}
2204 
2205 			if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2206 				{
2207 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2208 				goto err;
2209 				}
2210 			if (ecdh_clnt_cert)
2211 				{
2212 				/* Reuse key info from our certificate
2213 				 * We only need our private key to perform
2214 				 * the ECDH computation.
2215 				 */
2216 				const BIGNUM *priv_key;
2217 				tkey = s->cert->key->privatekey->pkey.ec;
2218 				priv_key = EC_KEY_get0_private_key(tkey);
2219 				if (priv_key == NULL)
2220 					{
2221 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2222 					goto err;
2223 					}
2224 				if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2225 					{
2226 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2227 					goto err;
2228 					}
2229 				}
2230 			else
2231 				{
2232 				/* Generate a new ECDH key pair */
2233 				if (!(EC_KEY_generate_key(clnt_ecdh)))
2234 					{
2235 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2236 					goto err;
2237 					}
2238 				}
2239 
2240 			/* use the 'p' output buffer for the ECDH key, but
2241 			 * make sure to clear it out afterwards
2242 			 */
2243 
2244 			field_size = EC_GROUP_get_degree(srvr_group);
2245 			if (field_size <= 0)
2246 				{
2247 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2248 				       ERR_R_ECDH_LIB);
2249 				goto err;
2250 				}
2251 			n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2252 			if (n <= 0)
2253 				{
2254 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2255 				       ERR_R_ECDH_LIB);
2256 				goto err;
2257 				}
2258 
2259 			/* generate master key from the result */
2260 			s->session->master_key_length = s->method->ssl3_enc \
2261 			    -> generate_master_secret(s,
2262 				s->session->master_key,
2263 				p, n);
2264 
2265 			memset(p, 0, n); /* clean up */
2266 
2267 			if (ecdh_clnt_cert)
2268 				{
2269 				/* Send empty client key exch message */
2270 				n = 0;
2271 				}
2272 			else
2273 				{
2274 				/* First check the size of encoding and
2275 				 * allocate memory accordingly.
2276 				 */
2277 				encoded_pt_len =
2278 				    EC_POINT_point2oct(srvr_group,
2279 					EC_KEY_get0_public_key(clnt_ecdh),
2280 					POINT_CONVERSION_UNCOMPRESSED,
2281 					NULL, 0, NULL);
2282 
2283 				encodedPoint = (unsigned char *)
2284 				    OPENSSL_malloc(encoded_pt_len *
2285 					sizeof(unsigned char));
2286 				bn_ctx = BN_CTX_new();
2287 				if ((encodedPoint == NULL) ||
2288 				    (bn_ctx == NULL))
2289 					{
2290 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2291 					goto err;
2292 					}
2293 
2294 				/* Encode the public key */
2295 				n = EC_POINT_point2oct(srvr_group,
2296 				    EC_KEY_get0_public_key(clnt_ecdh),
2297 				    POINT_CONVERSION_UNCOMPRESSED,
2298 				    encodedPoint, encoded_pt_len, bn_ctx);
2299 
2300 				*p = n; /* length of encoded point */
2301 				/* Encoded point will be copied here */
2302 				p += 1;
2303 				/* copy the point */
2304 				memcpy((unsigned char *)p, encodedPoint, n);
2305 				/* increment n to account for length field */
2306 				n += 1;
2307 				}
2308 
2309 			/* Free allocated memory */
2310 			BN_CTX_free(bn_ctx);
2311 			if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2312 			if (clnt_ecdh != NULL)
2313 				 EC_KEY_free(clnt_ecdh);
2314 			EVP_PKEY_free(srvr_pub_pkey);
2315 			}
2316 #endif /* !OPENSSL_NO_ECDH */
2317 		else
2318 			{
2319 			ssl3_send_alert(s, SSL3_AL_FATAL,
2320 			    SSL_AD_HANDSHAKE_FAILURE);
2321 			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2322 			    ERR_R_INTERNAL_ERROR);
2323 			goto err;
2324 			}
2325 
2326 		*(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2327 		l2n3(n,d);
2328 
2329 		s->state=SSL3_ST_CW_KEY_EXCH_B;
2330 		/* number of bytes to write */
2331 		s->init_num=n+4;
2332 		s->init_off=0;
2333 		}
2334 
2335 	/* SSL3_ST_CW_KEY_EXCH_B */
2336 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2337 err:
2338 #ifndef OPENSSL_NO_ECDH
2339 	BN_CTX_free(bn_ctx);
2340 	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2341 	if (clnt_ecdh != NULL)
2342 		EC_KEY_free(clnt_ecdh);
2343 	EVP_PKEY_free(srvr_pub_pkey);
2344 #endif
2345 	return(-1);
2346 	}
2347 
ssl3_send_client_verify(SSL * s)2348 int ssl3_send_client_verify(SSL *s)
2349 	{
2350 	unsigned char *p,*d;
2351 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2352 	EVP_PKEY *pkey;
2353 #ifndef OPENSSL_NO_RSA
2354 	unsigned u=0;
2355 #endif
2356 	unsigned long n;
2357 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2358 	int j;
2359 #endif
2360 
2361 	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2362 		{
2363 		d=(unsigned char *)s->init_buf->data;
2364 		p= &(d[4]);
2365 		pkey=s->cert->key->privatekey;
2366 
2367 		s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
2368 			&(data[MD5_DIGEST_LENGTH]));
2369 
2370 #ifndef OPENSSL_NO_RSA
2371 		if (pkey->type == EVP_PKEY_RSA)
2372 			{
2373 			s->method->ssl3_enc->cert_verify_mac(s,
2374 				&(s->s3->finish_dgst1),&(data[0]));
2375 			if (RSA_sign(NID_md5_sha1, data,
2376 					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2377 					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
2378 				{
2379 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
2380 				goto err;
2381 				}
2382 			s2n(u,p);
2383 			n=u+2;
2384 			}
2385 		else
2386 #endif
2387 #ifndef OPENSSL_NO_DSA
2388 			if (pkey->type == EVP_PKEY_DSA)
2389 			{
2390 			if (!DSA_sign(pkey->save_type,
2391 				&(data[MD5_DIGEST_LENGTH]),
2392 				SHA_DIGEST_LENGTH,&(p[2]),
2393 				(unsigned int *)&j,pkey->pkey.dsa))
2394 				{
2395 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
2396 				goto err;
2397 				}
2398 			s2n(j,p);
2399 			n=j+2;
2400 			}
2401 		else
2402 #endif
2403 #ifndef OPENSSL_NO_ECDSA
2404 			if (pkey->type == EVP_PKEY_EC)
2405 			{
2406 			if (!ECDSA_sign(pkey->save_type,
2407 				&(data[MD5_DIGEST_LENGTH]),
2408 				SHA_DIGEST_LENGTH,&(p[2]),
2409 				(unsigned int *)&j,pkey->pkey.ec))
2410 				{
2411 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2412 				    ERR_R_ECDSA_LIB);
2413 				goto err;
2414 				}
2415 			s2n(j,p);
2416 			n=j+2;
2417 			}
2418 		else
2419 #endif
2420 			{
2421 			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
2422 			goto err;
2423 			}
2424 		*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
2425 		l2n3(n,d);
2426 
2427 		s->state=SSL3_ST_CW_CERT_VRFY_B;
2428 		s->init_num=(int)n+4;
2429 		s->init_off=0;
2430 		}
2431 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2432 err:
2433 	return(-1);
2434 	}
2435 
ssl3_send_client_certificate(SSL * s)2436 int ssl3_send_client_certificate(SSL *s)
2437 	{
2438 	X509 *x509=NULL;
2439 	EVP_PKEY *pkey=NULL;
2440 	int i;
2441 	unsigned long l;
2442 
2443 	if (s->state ==	SSL3_ST_CW_CERT_A)
2444 		{
2445 		if ((s->cert == NULL) ||
2446 			(s->cert->key->x509 == NULL) ||
2447 			(s->cert->key->privatekey == NULL))
2448 			s->state=SSL3_ST_CW_CERT_B;
2449 		else
2450 			s->state=SSL3_ST_CW_CERT_C;
2451 		}
2452 
2453 	/* We need to get a client cert */
2454 	if (s->state == SSL3_ST_CW_CERT_B)
2455 		{
2456 		/* If we get an error, we need to
2457 		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2458 		 * We then get retied later */
2459 		i=0;
2460 		i = ssl_do_client_cert_cb(s, &x509, &pkey);
2461 		if (i < 0)
2462 			{
2463 			s->rwstate=SSL_X509_LOOKUP;
2464 			return(-1);
2465 			}
2466 		s->rwstate=SSL_NOTHING;
2467 		if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2468 			{
2469 			s->state=SSL3_ST_CW_CERT_B;
2470 			if (	!SSL_use_certificate(s,x509) ||
2471 				!SSL_use_PrivateKey(s,pkey))
2472 				i=0;
2473 			}
2474 		else if (i == 1)
2475 			{
2476 			i=0;
2477 			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2478 			}
2479 
2480 		if (x509 != NULL) X509_free(x509);
2481 		if (pkey != NULL) EVP_PKEY_free(pkey);
2482 		if (i == 0)
2483 			{
2484 			if (s->version == SSL3_VERSION)
2485 				{
2486 				s->s3->tmp.cert_req=0;
2487 				ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2488 				return(1);
2489 				}
2490 			else
2491 				{
2492 				s->s3->tmp.cert_req=2;
2493 				}
2494 			}
2495 
2496 		/* Ok, we have a cert */
2497 		s->state=SSL3_ST_CW_CERT_C;
2498 		}
2499 
2500 	if (s->state == SSL3_ST_CW_CERT_C)
2501 		{
2502 		s->state=SSL3_ST_CW_CERT_D;
2503 		l=ssl3_output_cert_chain(s,
2504 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
2505 		s->init_num=(int)l;
2506 		s->init_off=0;
2507 		}
2508 	/* SSL3_ST_CW_CERT_D */
2509 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2510 	}
2511 
2512 #define has_bits(i,m)	(((i)&(m)) == (m))
2513 
ssl3_check_cert_and_algorithm(SSL * s)2514 int ssl3_check_cert_and_algorithm(SSL *s)
2515 	{
2516 	int i,idx;
2517 	long algs;
2518 	EVP_PKEY *pkey=NULL;
2519 	SESS_CERT *sc;
2520 #ifndef OPENSSL_NO_RSA
2521 	RSA *rsa;
2522 #endif
2523 #ifndef OPENSSL_NO_DH
2524 	DH *dh;
2525 #endif
2526 
2527 	sc=s->session->sess_cert;
2528 
2529 	algs=s->s3->tmp.new_cipher->algorithms;
2530 
2531 	/* we don't have a certificate */
2532 	if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
2533 		return(1);
2534 
2535 	if (sc == NULL)
2536 		{
2537 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
2538 		goto err;
2539 		}
2540 
2541 #ifndef OPENSSL_NO_RSA
2542 	rsa=s->session->sess_cert->peer_rsa_tmp;
2543 #endif
2544 #ifndef OPENSSL_NO_DH
2545 	dh=s->session->sess_cert->peer_dh_tmp;
2546 #endif
2547 
2548 	/* This is the passed certificate */
2549 
2550 	idx=sc->peer_cert_type;
2551 #ifndef OPENSSL_NO_ECDH
2552 	if (idx == SSL_PKEY_ECC)
2553 		{
2554 		if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2555 		    s->s3->tmp.new_cipher) == 0)
2556 			{ /* check failed */
2557 			SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2558 			goto f_err;
2559 			}
2560 		else
2561 			{
2562 			return 1;
2563 			}
2564 		}
2565 #endif
2566 	pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2567 	i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2568 	EVP_PKEY_free(pkey);
2569 
2570 
2571 	/* Check that we have a certificate if we require one */
2572 	if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2573 		{
2574 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
2575 		goto f_err;
2576 		}
2577 #ifndef OPENSSL_NO_DSA
2578 	else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2579 		{
2580 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
2581 		goto f_err;
2582 		}
2583 #endif
2584 #ifndef OPENSSL_NO_RSA
2585 	if ((algs & SSL_kRSA) &&
2586 		!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2587 		{
2588 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2589 		goto f_err;
2590 		}
2591 #endif
2592 #ifndef OPENSSL_NO_DH
2593 	if ((algs & SSL_kEDH) &&
2594 		!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2595 		{
2596 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
2597 		goto f_err;
2598 		}
2599 	else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
2600 		{
2601 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
2602 		goto f_err;
2603 		}
2604 #ifndef OPENSSL_NO_DSA
2605 	else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
2606 		{
2607 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
2608 		goto f_err;
2609 		}
2610 #endif
2611 #endif
2612 
2613 	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
2614 		{
2615 #ifndef OPENSSL_NO_RSA
2616 		if (algs & SSL_kRSA)
2617 			{
2618 			if (rsa == NULL
2619 			    || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2620 				{
2621 				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2622 				goto f_err;
2623 				}
2624 			}
2625 		else
2626 #endif
2627 #ifndef OPENSSL_NO_DH
2628 			if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2629 			    {
2630 			    if (dh == NULL
2631 				|| DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2632 				{
2633 				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
2634 				goto f_err;
2635 				}
2636 			}
2637 		else
2638 #endif
2639 			{
2640 			SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2641 			goto f_err;
2642 			}
2643 		}
2644 	return(1);
2645 f_err:
2646 	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2647 err:
2648 	return(0);
2649 	}
2650 
2651 
2652 #ifndef OPENSSL_NO_ECDH
2653 /* This is the complement of nid2curve_id in s3_srvr.c. */
curve_id2nid(int curve_id)2654 static int curve_id2nid(int curve_id)
2655 {
2656 	/* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2657 	 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2658 	static int nid_list[26] =
2659 	{
2660 		0,
2661 		NID_sect163k1, /* sect163k1 (1) */
2662 		NID_sect163r1, /* sect163r1 (2) */
2663 		NID_sect163r2, /* sect163r2 (3) */
2664 		NID_sect193r1, /* sect193r1 (4) */
2665 		NID_sect193r2, /* sect193r2 (5) */
2666 		NID_sect233k1, /* sect233k1 (6) */
2667 		NID_sect233r1, /* sect233r1 (7) */
2668 		NID_sect239k1, /* sect239k1 (8) */
2669 		NID_sect283k1, /* sect283k1 (9) */
2670 		NID_sect283r1, /* sect283r1 (10) */
2671 		NID_sect409k1, /* sect409k1 (11) */
2672 		NID_sect409r1, /* sect409r1 (12) */
2673 		NID_sect571k1, /* sect571k1 (13) */
2674 		NID_sect571r1, /* sect571r1 (14) */
2675 		NID_secp160k1, /* secp160k1 (15) */
2676 		NID_secp160r1, /* secp160r1 (16) */
2677 		NID_secp160r2, /* secp160r2 (17) */
2678 		NID_secp192k1, /* secp192k1 (18) */
2679 		NID_X9_62_prime192v1, /* secp192r1 (19) */
2680 		NID_secp224k1, /* secp224k1 (20) */
2681 		NID_secp224r1, /* secp224r1 (21) */
2682 		NID_secp256k1, /* secp256k1 (22) */
2683 		NID_X9_62_prime256v1, /* secp256r1 (23) */
2684 		NID_secp384r1, /* secp384r1 (24) */
2685 		NID_secp521r1  /* secp521r1 (25) */
2686 	};
2687 
2688 	if ((curve_id < 1) || (curve_id > 25)) return 0;
2689 
2690 	return nid_list[curve_id];
2691 }
2692 #endif
2693 
2694 /* Check to see if handshake is full or resumed. Usually this is just a
2695  * case of checking to see if a cache hit has occurred. In the case of
2696  * session tickets we have to check the next message to be sure.
2697  */
2698 
2699 #ifndef OPENSSL_NO_TLSEXT
ssl3_check_finished(SSL * s)2700 static int ssl3_check_finished(SSL *s)
2701 	{
2702 	int ok;
2703 	long n;
2704 	/* If we have no ticket or session ID is non-zero length (a match of
2705 	 * a non-zero session length would never reach here) it cannot be a
2706 	 * resumed session.
2707 	 */
2708 	if (!s->session->tlsext_tick || s->session->session_id_length)
2709 		return 1;
2710 	/* this function is called when we really expect a Certificate
2711 	 * message, so permit appropriate message length */
2712 	n=s->method->ssl_get_message(s,
2713 		SSL3_ST_CR_CERT_A,
2714 		SSL3_ST_CR_CERT_B,
2715 		-1,
2716 		s->max_cert_list,
2717 		&ok);
2718 	if (!ok) return((int)n);
2719 	s->s3->tmp.reuse_message = 1;
2720 	if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
2721 		|| (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
2722 		return 2;
2723 
2724 	return 1;
2725 	}
2726 #endif
2727 
ssl_do_client_cert_cb(SSL * s,X509 ** px509,EVP_PKEY ** ppkey)2728 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2729 	{
2730 	int i = 0;
2731 #ifndef OPENSSL_NO_ENGINE
2732 	if (s->ctx->client_cert_engine)
2733 		{
2734 		i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
2735 						SSL_get_client_CA_list(s),
2736 						px509, ppkey, NULL, NULL, NULL);
2737 		if (i != 0)
2738 			return i;
2739 		}
2740 #endif
2741 	if (s->ctx->client_cert_cb)
2742 		i = s->ctx->client_cert_cb(s,px509,ppkey);
2743 	return i;
2744 	}
2745