• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  *
114  * Portions of the attached software ("Contribution") are developed by
115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116  *
117  * The Contribution is licensed pursuant to the OpenSSL open source
118  * license provided above.
119  *
120  * ECC cipher suite support in OpenSSL originally written by
121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122  *
123  */
124 /* ====================================================================
125  * Copyright 2005 Nokia. All rights reserved.
126  *
127  * The portions of the attached software ("Contribution") is developed by
128  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129  * license.
130  *
131  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133  * support (see RFC 4279) to OpenSSL.
134  *
135  * No patent licenses or other rights except those expressly stated in
136  * the OpenSSL open source license shall be deemed granted or received
137  * expressly, by implication, estoppel, or otherwise.
138  *
139  * No assurances are provided by Nokia that the Contribution does not
140  * infringe the patent or other intellectual property rights of any third
141  * party or that the license provides you with all the necessary rights
142  * to make use of the Contribution.
143  *
144  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148  * OTHERWISE.
149  */
150 
151 #include <stdio.h>
152 #include "ssl_locl.h"
153 #include "kssl_lcl.h"
154 #include <openssl/buffer.h>
155 #include <openssl/rand.h>
156 #include <openssl/objects.h>
157 #include <openssl/evp.h>
158 #include <openssl/md5.h>
159 #ifndef OPENSSL_NO_DH
160 #include <openssl/dh.h>
161 #endif
162 #include <openssl/bn.h>
163 #ifndef OPENSSL_NO_ENGINE
164 #include <openssl/engine.h>
165 #endif
166 
167 static const SSL_METHOD *ssl3_get_client_method(int ver);
168 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
169 
ssl3_get_client_method(int ver)170 static const SSL_METHOD *ssl3_get_client_method(int ver)
171 	{
172 	if (ver == SSL3_VERSION)
173 		return(SSLv3_client_method());
174 	else
175 		return(NULL);
176 	}
177 
IMPLEMENT_ssl3_meth_func(SSLv3_client_method,ssl_undefined_function,ssl3_connect,ssl3_get_client_method)178 IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
179 			ssl_undefined_function,
180 			ssl3_connect,
181 			ssl3_get_client_method)
182 
183 int ssl3_connect(SSL *s)
184 	{
185 	BUF_MEM *buf=NULL;
186 	unsigned long Time=(unsigned long)time(NULL);
187 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
188 	int ret= -1;
189 	int new_state,state,skip=0;
190 
191 	RAND_add(&Time,sizeof(Time),0);
192 	ERR_clear_error();
193 	clear_sys_error();
194 
195 	if (s->info_callback != NULL)
196 		cb=s->info_callback;
197 	else if (s->ctx->info_callback != NULL)
198 		cb=s->ctx->info_callback;
199 
200 	s->in_handshake++;
201 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
202 #if 0	/* Send app data in separate packet, otherwise, some particular site
203 	 * (only one site so far) closes the socket.
204 	 * Note: there is a very small chance that two TCP packets
205 	 * could be arriving at server combined into a single TCP packet,
206 	 * then trigger that site to break. We haven't encounter that though.
207 	 */
208 	if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
209 		{
210 		/* Send app data along with CCS/Finished */
211 		s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
212 		}
213 #endif
214 
215 	for (;;)
216 		{
217 		state=s->state;
218 
219 		switch(s->state)
220 			{
221 		case SSL_ST_RENEGOTIATE:
222 			s->new_session=1;
223 			s->state=SSL_ST_CONNECT;
224 			s->ctx->stats.sess_connect_renegotiate++;
225 			/* break */
226 		case SSL_ST_BEFORE:
227 		case SSL_ST_CONNECT:
228 		case SSL_ST_BEFORE|SSL_ST_CONNECT:
229 		case SSL_ST_OK|SSL_ST_CONNECT:
230 
231 			s->server=0;
232 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
233 
234 			if ((s->version & 0xff00 ) != 0x0300)
235 				{
236 				SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
237 				ret = -1;
238 				goto end;
239 				}
240 
241 			/* s->version=SSL3_VERSION; */
242 			s->type=SSL_ST_CONNECT;
243 
244 			if (s->init_buf == NULL)
245 				{
246 				if ((buf=BUF_MEM_new()) == NULL)
247 					{
248 					ret= -1;
249 					goto end;
250 					}
251 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
252 					{
253 					ret= -1;
254 					goto end;
255 					}
256 				s->init_buf=buf;
257 				buf=NULL;
258 				}
259 
260 			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
261 
262 			/* setup buffing BIO */
263 			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
264 
265 			/* don't push the buffering BIO quite yet */
266 
267 			ssl3_init_finished_mac(s);
268 
269 			s->state=SSL3_ST_CW_CLNT_HELLO_A;
270 			s->ctx->stats.sess_connect++;
271 			s->init_num=0;
272 			break;
273 
274 		case SSL3_ST_CW_CLNT_HELLO_A:
275 		case SSL3_ST_CW_CLNT_HELLO_B:
276 
277 			s->shutdown=0;
278 			ret=ssl3_client_hello(s);
279 			if (ret <= 0) goto end;
280 			s->state=SSL3_ST_CR_SRVR_HELLO_A;
281 			s->init_num=0;
282 
283 			/* turn on buffering for the next lot of output */
284 			if (s->bbio != s->wbio)
285 				s->wbio=BIO_push(s->bbio,s->wbio);
286 
287 			break;
288 
289 		case SSL3_ST_CR_SRVR_HELLO_A:
290 		case SSL3_ST_CR_SRVR_HELLO_B:
291 			ret=ssl3_get_server_hello(s);
292 			if (ret <= 0) goto end;
293 
294 			if (s->hit)
295 				s->state=SSL3_ST_CR_FINISHED_A;
296 			else
297 				s->state=SSL3_ST_CR_CERT_A;
298 			s->init_num=0;
299 			break;
300 
301 		case SSL3_ST_CR_CERT_A:
302 		case SSL3_ST_CR_CERT_B:
303 #ifndef OPENSSL_NO_TLSEXT
304 			ret=ssl3_check_finished(s);
305 			if (ret <= 0) goto end;
306 			if (ret == 2)
307 				{
308 				s->hit = 1;
309 				if (s->tlsext_ticket_expected)
310 					s->state=SSL3_ST_CR_SESSION_TICKET_A;
311 				else
312 					s->state=SSL3_ST_CR_FINISHED_A;
313 				s->init_num=0;
314 				break;
315 				}
316 #endif
317 			/* Check if it is anon DH/ECDH */
318 			/* or PSK */
319 			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
320 			    !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
321 				{
322 				ret=ssl3_get_server_certificate(s);
323 				if (ret <= 0) goto end;
324 #ifndef OPENSSL_NO_TLSEXT
325 				if (s->tlsext_status_expected)
326 					s->state=SSL3_ST_CR_CERT_STATUS_A;
327 				else
328 					s->state=SSL3_ST_CR_KEY_EXCH_A;
329 				}
330 			else
331 				{
332 				skip = 1;
333 				s->state=SSL3_ST_CR_KEY_EXCH_A;
334 				}
335 #else
336 				}
337 			else
338 				skip=1;
339 
340 			s->state=SSL3_ST_CR_KEY_EXCH_A;
341 #endif
342 			s->init_num=0;
343 			break;
344 
345 		case SSL3_ST_CR_KEY_EXCH_A:
346 		case SSL3_ST_CR_KEY_EXCH_B:
347 			ret=ssl3_get_key_exchange(s);
348 			if (ret <= 0) goto end;
349 			s->state=SSL3_ST_CR_CERT_REQ_A;
350 			s->init_num=0;
351 
352 			/* at this point we check that we have the
353 			 * required stuff from the server */
354 			if (!ssl3_check_cert_and_algorithm(s))
355 				{
356 				ret= -1;
357 				goto end;
358 				}
359 			break;
360 
361 		case SSL3_ST_CR_CERT_REQ_A:
362 		case SSL3_ST_CR_CERT_REQ_B:
363 			ret=ssl3_get_certificate_request(s);
364 			if (ret <= 0) goto end;
365 			s->state=SSL3_ST_CR_SRVR_DONE_A;
366 			s->init_num=0;
367 			break;
368 
369 		case SSL3_ST_CR_SRVR_DONE_A:
370 		case SSL3_ST_CR_SRVR_DONE_B:
371 			ret=ssl3_get_server_done(s);
372 			if (ret <= 0) goto end;
373 			if (s->s3->tmp.cert_req)
374 				s->state=SSL3_ST_CW_CERT_A;
375 			else
376 				s->state=SSL3_ST_CW_KEY_EXCH_A;
377 			s->init_num=0;
378 
379 			break;
380 
381 		case SSL3_ST_CW_CERT_A:
382 		case SSL3_ST_CW_CERT_B:
383 		case SSL3_ST_CW_CERT_C:
384 		case SSL3_ST_CW_CERT_D:
385 			ret=ssl3_send_client_certificate(s);
386 			if (ret <= 0) goto end;
387 			s->state=SSL3_ST_CW_KEY_EXCH_A;
388 			s->init_num=0;
389 			break;
390 
391 		case SSL3_ST_CW_KEY_EXCH_A:
392 		case SSL3_ST_CW_KEY_EXCH_B:
393 			ret=ssl3_send_client_key_exchange(s);
394 			if (ret <= 0) goto end;
395 			/* EAY EAY EAY need to check for DH fix cert
396 			 * sent back */
397 			/* For TLS, cert_req is set to 2, so a cert chain
398 			 * of nothing is sent, but no verify packet is sent */
399 			/* XXX: For now, we do not support client
400 			 * authentication in ECDH cipher suites with
401 			 * ECDH (rather than ECDSA) certificates.
402 			 * We need to skip the certificate verify
403 			 * message when client's ECDH public key is sent
404 			 * inside the client certificate.
405 			 */
406 			if (s->s3->tmp.cert_req == 1)
407 				{
408 				s->state=SSL3_ST_CW_CERT_VRFY_A;
409 				}
410 			else
411 				{
412 				s->state=SSL3_ST_CW_CHANGE_A;
413 				s->s3->change_cipher_spec=0;
414 				}
415 			if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
416 				{
417 				s->state=SSL3_ST_CW_CHANGE_A;
418 				s->s3->change_cipher_spec=0;
419 				}
420 
421 			s->init_num=0;
422 			break;
423 
424 		case SSL3_ST_CW_CERT_VRFY_A:
425 		case SSL3_ST_CW_CERT_VRFY_B:
426 			ret=ssl3_send_client_verify(s);
427 			if (ret <= 0) goto end;
428 			s->state=SSL3_ST_CW_CHANGE_A;
429 			s->init_num=0;
430 			s->s3->change_cipher_spec=0;
431 			break;
432 
433 		case SSL3_ST_CW_CHANGE_A:
434 		case SSL3_ST_CW_CHANGE_B:
435 			ret=ssl3_send_change_cipher_spec(s,
436 				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
437 			if (ret <= 0) goto end;
438 			s->state=SSL3_ST_CW_FINISHED_A;
439 			s->init_num=0;
440 
441 			s->session->cipher=s->s3->tmp.new_cipher;
442 #ifdef OPENSSL_NO_COMP
443 			s->session->compress_meth=0;
444 #else
445 			if (s->s3->tmp.new_compression == NULL)
446 				s->session->compress_meth=0;
447 			else
448 				s->session->compress_meth=
449 					s->s3->tmp.new_compression->id;
450 #endif
451 			if (!s->method->ssl3_enc->setup_key_block(s))
452 				{
453 				ret= -1;
454 				goto end;
455 				}
456 
457 			if (!s->method->ssl3_enc->change_cipher_state(s,
458 				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
459 				{
460 				ret= -1;
461 				goto end;
462 				}
463 
464 			break;
465 
466 		case SSL3_ST_CW_FINISHED_A:
467 		case SSL3_ST_CW_FINISHED_B:
468 			ret=ssl3_send_finished(s,
469 				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
470 				s->method->ssl3_enc->client_finished_label,
471 				s->method->ssl3_enc->client_finished_label_len);
472 			if (ret <= 0) goto end;
473 			s->state=SSL3_ST_CW_FLUSH;
474 
475 			/* clear flags */
476 			s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
477 			if (s->hit)
478 				{
479 				s->s3->tmp.next_state=SSL_ST_OK;
480 				if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
481 					{
482 					s->state=SSL_ST_OK;
483 					s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
484 					s->s3->delay_buf_pop_ret=0;
485 					}
486 				}
487 			else
488 				{
489 				if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128
490 				    && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
491 				   )
492 					{
493 					if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
494 						{
495 						s->state=SSL3_ST_CUTTHROUGH_COMPLETE;
496 						s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
497 						s->s3->delay_buf_pop_ret=0;
498 						}
499 					else
500 						{
501 						s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
502 						}
503 					}
504 				else
505 					{
506 #ifndef OPENSSL_NO_TLSEXT
507 					/* Allow NewSessionTicket if ticket expected */
508 					if (s->tlsext_ticket_expected)
509 						s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
510 					else
511 #endif
512 						s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
513 					}
514 				}
515 			s->init_num=0;
516 			break;
517 
518 #ifndef OPENSSL_NO_TLSEXT
519 		case SSL3_ST_CR_SESSION_TICKET_A:
520 		case SSL3_ST_CR_SESSION_TICKET_B:
521 			ret=ssl3_get_new_session_ticket(s);
522 			if (ret <= 0) goto end;
523 			s->state=SSL3_ST_CR_FINISHED_A;
524 			s->init_num=0;
525 		break;
526 
527 		case SSL3_ST_CR_CERT_STATUS_A:
528 		case SSL3_ST_CR_CERT_STATUS_B:
529 			ret=ssl3_get_cert_status(s);
530 			if (ret <= 0) goto end;
531 			s->state=SSL3_ST_CR_KEY_EXCH_A;
532 			s->init_num=0;
533 		break;
534 #endif
535 
536 		case SSL3_ST_CR_FINISHED_A:
537 		case SSL3_ST_CR_FINISHED_B:
538 
539 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
540 				SSL3_ST_CR_FINISHED_B);
541 			if (ret <= 0) goto end;
542 
543 			if (s->hit)
544 				s->state=SSL3_ST_CW_CHANGE_A;
545 			else
546 				s->state=SSL_ST_OK;
547 			s->init_num=0;
548 			break;
549 
550 		case SSL3_ST_CW_FLUSH:
551 			s->rwstate=SSL_WRITING;
552 			if (BIO_flush(s->wbio) <= 0)
553 				{
554 				ret= -1;
555 				goto end;
556 				}
557 			s->rwstate=SSL_NOTHING;
558 			s->state=s->s3->tmp.next_state;
559 			break;
560 
561 		case SSL3_ST_CUTTHROUGH_COMPLETE:
562 #ifndef OPENSSL_NO_TLSEXT
563 			/* Allow NewSessionTicket if ticket expected */
564 			if (s->tlsext_ticket_expected)
565 				s->state=SSL3_ST_CR_SESSION_TICKET_A;
566 			else
567 #endif
568 				s->state=SSL3_ST_CR_FINISHED_A;
569 
570 			/* SSL_write() will take care of flushing buffered data if
571 			 * DELAY_CLIENT_FINISHED is set.
572 			 */
573 			if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED))
574 				ssl_free_wbio_buffer(s);
575 			ret = 1;
576 			goto end;
577 			/* break; */
578 
579 		case SSL_ST_OK:
580 			/* clean a few things up */
581 			ssl3_cleanup_key_block(s);
582 
583 			if (s->init_buf != NULL)
584 				{
585 				BUF_MEM_free(s->init_buf);
586 				s->init_buf=NULL;
587 				}
588 
589 			/* If we are not 'joining' the last two packets,
590 			 * remove the buffering now */
591 			if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
592 				ssl_free_wbio_buffer(s);
593 			/* else do it later in ssl3_write */
594 
595 			s->init_num=0;
596 			s->new_session=0;
597 
598 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
599 			if (s->hit) s->ctx->stats.sess_hit++;
600 
601 			ret=1;
602 			/* s->server=0; */
603 			s->handshake_func=ssl3_connect;
604 			s->ctx->stats.sess_connect_good++;
605 
606 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
607 
608 			goto end;
609 			/* break; */
610 
611 		default:
612 			SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
613 			ret= -1;
614 			goto end;
615 			/* break; */
616 			}
617 
618 		/* did we do anything */
619 		if (!s->s3->tmp.reuse_message && !skip)
620 			{
621 			if (s->debug)
622 				{
623 				if ((ret=BIO_flush(s->wbio)) <= 0)
624 					goto end;
625 				}
626 
627 			if ((cb != NULL) && (s->state != state))
628 				{
629 				new_state=s->state;
630 				s->state=state;
631 				cb(s,SSL_CB_CONNECT_LOOP,1);
632 				s->state=new_state;
633 				}
634 			}
635 		skip=0;
636 		}
637 end:
638 	s->in_handshake--;
639 	if (buf != NULL)
640 		BUF_MEM_free(buf);
641 	if (cb != NULL)
642 		cb(s,SSL_CB_CONNECT_EXIT,ret);
643 	return(ret);
644 	}
645 
646 
ssl3_client_hello(SSL * s)647 int ssl3_client_hello(SSL *s)
648 	{
649 	unsigned char *buf;
650 	unsigned char *p,*d;
651 	int i;
652 	unsigned long Time,l;
653 #ifndef OPENSSL_NO_COMP
654 	int j;
655 	SSL_COMP *comp;
656 #endif
657 
658 	buf=(unsigned char *)s->init_buf->data;
659 	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
660 		{
661 		SSL_SESSION *sess = s->session;
662 		if ((sess == NULL) ||
663 			(sess->ssl_version != s->version) ||
664 #ifdef OPENSSL_NO_TLSEXT
665 			!sess->session_id_length ||
666 #else
667 			(!sess->session_id_length && !sess->tlsext_tick) ||
668 #endif
669 			(sess->not_resumable))
670 			{
671 		        if (!s->session_creation_enabled)
672 				{
673 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
674 				SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
675 				goto err;
676 				}
677 			if (!ssl_get_new_session(s,0))
678 				goto err;
679 			}
680 		/* else use the pre-loaded session */
681 
682 		p=s->s3->client_random;
683 		Time=(unsigned long)time(NULL);			/* Time */
684 		l2n(Time,p);
685 		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
686 			goto err;
687 
688 		/* Do the message type and length last */
689 		d=p= &(buf[4]);
690 
691 		*(p++)=s->version>>8;
692 		*(p++)=s->version&0xff;
693 		s->client_version=s->version;
694 
695 		/* Random stuff */
696 		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
697 		p+=SSL3_RANDOM_SIZE;
698 
699 		/* Session ID */
700 		if (s->new_session)
701 			i=0;
702 		else
703 			i=s->session->session_id_length;
704 		*(p++)=i;
705 		if (i != 0)
706 			{
707 			if (i > (int)sizeof(s->session->session_id))
708 				{
709 				SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
710 				goto err;
711 				}
712 			memcpy(p,s->session->session_id,i);
713 			p+=i;
714 			}
715 
716 		/* Ciphers supported */
717 		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
718 		if (i == 0)
719 			{
720 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
721 			goto err;
722 			}
723 		s2n(i,p);
724 		p+=i;
725 
726 		/* COMPRESSION */
727 #ifdef OPENSSL_NO_COMP
728 		*(p++)=1;
729 #else
730 
731 		if ((s->options & SSL_OP_NO_COMPRESSION)
732 					|| !s->ctx->comp_methods)
733 			j=0;
734 		else
735 			j=sk_SSL_COMP_num(s->ctx->comp_methods);
736 		*(p++)=1+j;
737 		for (i=0; i<j; i++)
738 			{
739 			comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
740 			*(p++)=comp->id;
741 			}
742 #endif
743 		*(p++)=0; /* Add the NULL method */
744 
745 #ifndef OPENSSL_NO_TLSEXT
746 		/* TLS extensions*/
747 		if (ssl_prepare_clienthello_tlsext(s) <= 0)
748 			{
749 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
750 			goto err;
751 			}
752 		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
753 			{
754 			SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
755 			goto err;
756 			}
757 #endif
758 
759 		l=(p-d);
760 		d=buf;
761 		*(d++)=SSL3_MT_CLIENT_HELLO;
762 		l2n3(l,d);
763 
764 		s->state=SSL3_ST_CW_CLNT_HELLO_B;
765 		/* number of bytes to write */
766 		s->init_num=p-buf;
767 		s->init_off=0;
768 		}
769 
770 	/* SSL3_ST_CW_CLNT_HELLO_B */
771 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
772 err:
773 	return(-1);
774 	}
775 
ssl3_get_server_hello(SSL * s)776 int ssl3_get_server_hello(SSL *s)
777 	{
778 	STACK_OF(SSL_CIPHER) *sk;
779 	const SSL_CIPHER *c;
780 	unsigned char *p,*d;
781 	int i,al,ok;
782 	unsigned int j;
783 	long n;
784 #ifndef OPENSSL_NO_COMP
785 	SSL_COMP *comp;
786 #endif
787 
788 	n=s->method->ssl_get_message(s,
789 		SSL3_ST_CR_SRVR_HELLO_A,
790 		SSL3_ST_CR_SRVR_HELLO_B,
791 		-1,
792 		20000, /* ?? */
793 		&ok);
794 
795 	if (!ok) return((int)n);
796 
797 	if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
798 		{
799 		if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
800 			{
801 			if ( s->d1->send_cookie == 0)
802 				{
803 				s->s3->tmp.reuse_message = 1;
804 				return 1;
805 				}
806 			else /* already sent a cookie */
807 				{
808 				al=SSL_AD_UNEXPECTED_MESSAGE;
809 				SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
810 				goto f_err;
811 				}
812 			}
813 		}
814 
815 	if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
816 		{
817 		al=SSL_AD_UNEXPECTED_MESSAGE;
818 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
819 		goto f_err;
820 		}
821 
822 	d=p=(unsigned char *)s->init_msg;
823 
824 	if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
825 		{
826 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
827 		s->version=(s->version&0xff00)|p[1];
828 		al=SSL_AD_PROTOCOL_VERSION;
829 		goto f_err;
830 		}
831 	p+=2;
832 
833 	/* load the server hello data */
834 	/* load the server random */
835 	memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
836 	p+=SSL3_RANDOM_SIZE;
837 
838 	/* get the session-id */
839 	j= *(p++);
840 
841 	if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
842 		{
843 		al=SSL_AD_ILLEGAL_PARAMETER;
844 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
845 		goto f_err;
846 		}
847 
848 #ifndef OPENSSL_NO_TLSEXT
849 	/* check if we want to resume the session based on external pre-shared secret */
850 	if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
851 		{
852 		SSL_CIPHER *pref_cipher=NULL;
853 		s->session->master_key_length=sizeof(s->session->master_key);
854 		if (s->tls_session_secret_cb(s, s->session->master_key,
855 					     &s->session->master_key_length,
856 					     NULL, &pref_cipher,
857 					     s->tls_session_secret_cb_arg))
858 			{
859 			s->session->cipher = pref_cipher ?
860 				pref_cipher : ssl_get_cipher_by_char(s, p+j);
861 			}
862 		}
863 #endif /* OPENSSL_NO_TLSEXT */
864 
865 	if (j != 0 && j == s->session->session_id_length
866 	    && memcmp(p,s->session->session_id,j) == 0)
867 	    {
868 	    if(s->sid_ctx_length != s->session->sid_ctx_length
869 	       || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
870 		{
871 		/* actually a client application bug */
872 		al=SSL_AD_ILLEGAL_PARAMETER;
873 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
874 		goto f_err;
875 		}
876 	    s->hit=1;
877 	    }
878 	else	/* a miss or crap from the other end */
879 		{
880 		/* If we were trying for session-id reuse, make a new
881 		 * SSL_SESSION so we don't stuff up other people */
882 		s->hit=0;
883 		if (s->session->session_id_length > 0)
884 			{
885 		        if (!s->session_creation_enabled)
886 				{
887 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
888 				SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
889 				goto err;
890 				}
891 			if (!ssl_get_new_session(s,0))
892 				{
893 				al=SSL_AD_INTERNAL_ERROR;
894 				goto f_err;
895 				}
896 			}
897 		s->session->session_id_length=j;
898 		memcpy(s->session->session_id,p,j); /* j could be 0 */
899 		}
900 	p+=j;
901 	c=ssl_get_cipher_by_char(s,p);
902 	if (c == NULL)
903 		{
904 		/* unknown cipher */
905 		al=SSL_AD_ILLEGAL_PARAMETER;
906 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
907 		goto f_err;
908 		}
909 	p+=ssl_put_cipher_by_char(s,NULL,NULL);
910 
911 	sk=ssl_get_ciphers_by_id(s);
912 	i=sk_SSL_CIPHER_find(sk,c);
913 	if (i < 0)
914 		{
915 		/* we did not say we would use this cipher */
916 		al=SSL_AD_ILLEGAL_PARAMETER;
917 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
918 		goto f_err;
919 		}
920 
921 	/* Depending on the session caching (internal/external), the cipher
922 	   and/or cipher_id values may not be set. Make sure that
923 	   cipher_id is set and use it for comparison. */
924 	if (s->session->cipher)
925 		s->session->cipher_id = s->session->cipher->id;
926 	if (s->hit && (s->session->cipher_id != c->id))
927 		{
928 		if (!(s->options &
929 			SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
930 			{
931 			al=SSL_AD_ILLEGAL_PARAMETER;
932 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
933 			goto f_err;
934 			}
935 		}
936 	s->s3->tmp.new_cipher=c;
937 	if (!ssl3_digest_cached_records(s))
938 		goto f_err;
939 
940 	/* lets get the compression algorithm */
941 	/* COMPRESSION */
942 #ifdef OPENSSL_NO_COMP
943 	if (*(p++) != 0)
944 		{
945 		al=SSL_AD_ILLEGAL_PARAMETER;
946 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
947 		goto f_err;
948 		}
949 	/* If compression is disabled we'd better not try to resume a session
950 	 * using compression.
951 	 */
952 	if (s->session->compress_meth != 0)
953 		{
954 		al=SSL_AD_INTERNAL_ERROR;
955 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
956 		goto f_err;
957 		}
958 #else
959 	j= *(p++);
960 	if (s->hit && j != s->session->compress_meth)
961 		{
962 		al=SSL_AD_ILLEGAL_PARAMETER;
963 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
964 		goto f_err;
965 		}
966 	if (j == 0)
967 		comp=NULL;
968 	else if (s->options & SSL_OP_NO_COMPRESSION)
969 		{
970 		al=SSL_AD_ILLEGAL_PARAMETER;
971 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
972 		goto f_err;
973 		}
974 	else
975 		comp=ssl3_comp_find(s->ctx->comp_methods,j);
976 
977 	if ((j != 0) && (comp == NULL))
978 		{
979 		al=SSL_AD_ILLEGAL_PARAMETER;
980 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
981 		goto f_err;
982 		}
983 	else
984 		{
985 		s->s3->tmp.new_compression=comp;
986 		}
987 #endif
988 
989 #ifndef OPENSSL_NO_TLSEXT
990 	/* TLS extensions*/
991 	if (s->version >= SSL3_VERSION)
992 		{
993 		if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
994 			{
995 			/* 'al' set by ssl_parse_serverhello_tlsext */
996 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
997 			goto f_err;
998 			}
999 		if (ssl_check_serverhello_tlsext(s) <= 0)
1000 			{
1001 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1002 				goto err;
1003 			}
1004 		}
1005 #endif
1006 
1007 	if (p != (d+n))
1008 		{
1009 		/* wrong packet length */
1010 		al=SSL_AD_DECODE_ERROR;
1011 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
1012 		goto err;
1013 		}
1014 
1015 	return(1);
1016 f_err:
1017 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
1018 err:
1019 	return(-1);
1020 	}
1021 
ssl3_get_server_certificate(SSL * s)1022 int ssl3_get_server_certificate(SSL *s)
1023 	{
1024 	int al,i,ok,ret= -1;
1025 	unsigned long n,nc,llen,l;
1026 	X509 *x=NULL;
1027 	const unsigned char *q,*p;
1028 	unsigned char *d;
1029 	STACK_OF(X509) *sk=NULL;
1030 	SESS_CERT *sc;
1031 	EVP_PKEY *pkey=NULL;
1032 	int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
1033 
1034 	n=s->method->ssl_get_message(s,
1035 		SSL3_ST_CR_CERT_A,
1036 		SSL3_ST_CR_CERT_B,
1037 		-1,
1038 		s->max_cert_list,
1039 		&ok);
1040 
1041 	if (!ok) return((int)n);
1042 
1043 	if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1044 		((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1045 		(s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
1046 		{
1047 		s->s3->tmp.reuse_message=1;
1048 		return(1);
1049 		}
1050 
1051 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1052 		{
1053 		al=SSL_AD_UNEXPECTED_MESSAGE;
1054 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
1055 		goto f_err;
1056 		}
1057 	p=d=(unsigned char *)s->init_msg;
1058 
1059 	if ((sk=sk_X509_new_null()) == NULL)
1060 		{
1061 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1062 		goto err;
1063 		}
1064 
1065 	n2l3(p,llen);
1066 	if (llen+3 != n)
1067 		{
1068 		al=SSL_AD_DECODE_ERROR;
1069 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1070 		goto f_err;
1071 		}
1072 	for (nc=0; nc<llen; )
1073 		{
1074 		n2l3(p,l);
1075 		if ((l+nc+3) > llen)
1076 			{
1077 			al=SSL_AD_DECODE_ERROR;
1078 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1079 			goto f_err;
1080 			}
1081 
1082 		q=p;
1083 		x=d2i_X509(NULL,&q,l);
1084 		if (x == NULL)
1085 			{
1086 			al=SSL_AD_BAD_CERTIFICATE;
1087 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
1088 			goto f_err;
1089 			}
1090 		if (q != (p+l))
1091 			{
1092 			al=SSL_AD_DECODE_ERROR;
1093 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1094 			goto f_err;
1095 			}
1096 		if (!sk_X509_push(sk,x))
1097 			{
1098 			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1099 			goto err;
1100 			}
1101 		x=NULL;
1102 		nc+=l+3;
1103 		p=q;
1104 		}
1105 
1106 	i=ssl_verify_cert_chain(s,sk);
1107 	if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1108 #ifndef OPENSSL_NO_KRB5
1109 	    && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1110 		 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1111 #endif /* OPENSSL_NO_KRB5 */
1112 		)
1113 		{
1114 		al=ssl_verify_alarm_type(s->verify_result);
1115 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
1116 		goto f_err;
1117 		}
1118 	ERR_clear_error(); /* but we keep s->verify_result */
1119 
1120 	sc=ssl_sess_cert_new();
1121 	if (sc == NULL) goto err;
1122 
1123 	if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1124 	s->session->sess_cert=sc;
1125 
1126 	sc->cert_chain=sk;
1127 	/* Inconsistency alert: cert_chain does include the peer's
1128 	 * certificate, which we don't include in s3_srvr.c */
1129 	x=sk_X509_value(sk,0);
1130 	sk=NULL;
1131  	/* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1132 
1133 	pkey=X509_get_pubkey(x);
1134 
1135 	/* VRS: allow null cert if auth == KRB5 */
1136 	need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1137 	            (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1138 	            ? 0 : 1;
1139 
1140 #ifdef KSSL_DEBUG
1141 	printf("pkey,x = %p, %p\n", pkey,x);
1142 	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1143 	printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1144 		s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1145 #endif    /* KSSL_DEBUG */
1146 
1147 	if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1148 		{
1149 		x=NULL;
1150 		al=SSL3_AL_FATAL;
1151 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1152 			SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1153 		goto f_err;
1154 		}
1155 
1156 	i=ssl_cert_type(x,pkey);
1157 	if (need_cert && i < 0)
1158 		{
1159 		x=NULL;
1160 		al=SSL3_AL_FATAL;
1161 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1162 			SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1163 		goto f_err;
1164 		}
1165 
1166 	if (need_cert)
1167 		{
1168 		sc->peer_cert_type=i;
1169 		CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1170 		/* Why would the following ever happen?
1171 		 * We just created sc a couple of lines ago. */
1172 		if (sc->peer_pkeys[i].x509 != NULL)
1173 			X509_free(sc->peer_pkeys[i].x509);
1174 		sc->peer_pkeys[i].x509=x;
1175 		sc->peer_key= &(sc->peer_pkeys[i]);
1176 
1177 		if (s->session->peer != NULL)
1178 			X509_free(s->session->peer);
1179 		CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1180 		s->session->peer=x;
1181 		}
1182 	else
1183 		{
1184 		sc->peer_cert_type=i;
1185 		sc->peer_key= NULL;
1186 
1187 		if (s->session->peer != NULL)
1188 			X509_free(s->session->peer);
1189 		s->session->peer=NULL;
1190 		}
1191 	s->session->verify_result = s->verify_result;
1192 
1193 	x=NULL;
1194 	ret=1;
1195 
1196 	if (0)
1197 		{
1198 f_err:
1199 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
1200 		}
1201 err:
1202 	EVP_PKEY_free(pkey);
1203 	X509_free(x);
1204 	sk_X509_pop_free(sk,X509_free);
1205 	return(ret);
1206 	}
1207 
ssl3_get_key_exchange(SSL * s)1208 int ssl3_get_key_exchange(SSL *s)
1209 	{
1210 #ifndef OPENSSL_NO_RSA
1211 	unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1212 #endif
1213 	EVP_MD_CTX md_ctx;
1214 	unsigned char *param,*p;
1215 	int al,i,j,param_len,ok;
1216 	long n,alg_k,alg_a;
1217 	EVP_PKEY *pkey=NULL;
1218 #ifndef OPENSSL_NO_RSA
1219 	RSA *rsa=NULL;
1220 #endif
1221 #ifndef OPENSSL_NO_DH
1222 	DH *dh=NULL;
1223 #endif
1224 #ifndef OPENSSL_NO_ECDH
1225 	EC_KEY *ecdh = NULL;
1226 	BN_CTX *bn_ctx = NULL;
1227 	EC_POINT *srvr_ecpoint = NULL;
1228 	int curve_nid = 0;
1229 	int encoded_pt_len = 0;
1230 #endif
1231 
1232 	/* use same message size as in ssl3_get_certificate_request()
1233 	 * as ServerKeyExchange message may be skipped */
1234 	n=s->method->ssl_get_message(s,
1235 		SSL3_ST_CR_KEY_EXCH_A,
1236 		SSL3_ST_CR_KEY_EXCH_B,
1237 		-1,
1238 		s->max_cert_list,
1239 		&ok);
1240 	if (!ok) return((int)n);
1241 
1242 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1243 		{
1244 #ifndef OPENSSL_NO_PSK
1245 		/* In plain PSK ciphersuite, ServerKeyExchange can be
1246 		   omitted if no identity hint is sent. Set
1247 		   session->sess_cert anyway to avoid problems
1248 		   later.*/
1249 		if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
1250 			{
1251 			s->session->sess_cert=ssl_sess_cert_new();
1252 			if (s->ctx->psk_identity_hint)
1253 				OPENSSL_free(s->ctx->psk_identity_hint);
1254 			s->ctx->psk_identity_hint = NULL;
1255 			}
1256 #endif
1257 		s->s3->tmp.reuse_message=1;
1258 		return(1);
1259 		}
1260 
1261 	param=p=(unsigned char *)s->init_msg;
1262 	if (s->session->sess_cert != NULL)
1263 		{
1264 #ifndef OPENSSL_NO_RSA
1265 		if (s->session->sess_cert->peer_rsa_tmp != NULL)
1266 			{
1267 			RSA_free(s->session->sess_cert->peer_rsa_tmp);
1268 			s->session->sess_cert->peer_rsa_tmp=NULL;
1269 			}
1270 #endif
1271 #ifndef OPENSSL_NO_DH
1272 		if (s->session->sess_cert->peer_dh_tmp)
1273 			{
1274 			DH_free(s->session->sess_cert->peer_dh_tmp);
1275 			s->session->sess_cert->peer_dh_tmp=NULL;
1276 			}
1277 #endif
1278 #ifndef OPENSSL_NO_ECDH
1279 		if (s->session->sess_cert->peer_ecdh_tmp)
1280 			{
1281 			EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1282 			s->session->sess_cert->peer_ecdh_tmp=NULL;
1283 			}
1284 #endif
1285 		}
1286 	else
1287 		{
1288 		s->session->sess_cert=ssl_sess_cert_new();
1289 		}
1290 
1291 	param_len=0;
1292 	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1293 	alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1294 	EVP_MD_CTX_init(&md_ctx);
1295 
1296 #ifndef OPENSSL_NO_PSK
1297 	if (alg_k & SSL_kPSK)
1298 		{
1299 		char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1300 
1301 		al=SSL_AD_HANDSHAKE_FAILURE;
1302 		n2s(p,i);
1303 		param_len=i+2;
1304 		/* Store PSK identity hint for later use, hint is used
1305 		 * in ssl3_send_client_key_exchange.  Assume that the
1306 		 * maximum length of a PSK identity hint can be as
1307 		 * long as the maximum length of a PSK identity. */
1308 		if (i > PSK_MAX_IDENTITY_LEN)
1309 			{
1310 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1311 				SSL_R_DATA_LENGTH_TOO_LONG);
1312 			goto f_err;
1313 			}
1314 		if (param_len > n)
1315 			{
1316 			al=SSL_AD_DECODE_ERROR;
1317 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1318 				SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1319 			goto f_err;
1320 			}
1321 		/* If received PSK identity hint contains NULL
1322 		 * characters, the hint is truncated from the first
1323 		 * NULL. p may not be ending with NULL, so create a
1324 		 * NULL-terminated string. */
1325 		memcpy(tmp_id_hint, p, i);
1326 		memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
1327 		if (s->ctx->psk_identity_hint != NULL)
1328 			OPENSSL_free(s->ctx->psk_identity_hint);
1329 		s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1330 		if (s->ctx->psk_identity_hint == NULL)
1331 			{
1332 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1333 			goto f_err;
1334 			}
1335 
1336 		p+=i;
1337 		n-=param_len;
1338 		}
1339 	else
1340 #endif /* !OPENSSL_NO_PSK */
1341 #ifndef OPENSSL_NO_RSA
1342 	if (alg_k & SSL_kRSA)
1343 		{
1344 		if ((rsa=RSA_new()) == NULL)
1345 			{
1346 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1347 			goto err;
1348 			}
1349 		n2s(p,i);
1350 		param_len=i+2;
1351 		if (param_len > n)
1352 			{
1353 			al=SSL_AD_DECODE_ERROR;
1354 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1355 			goto f_err;
1356 			}
1357 		if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1358 			{
1359 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1360 			goto err;
1361 			}
1362 		p+=i;
1363 
1364 		n2s(p,i);
1365 		param_len+=i+2;
1366 		if (param_len > n)
1367 			{
1368 			al=SSL_AD_DECODE_ERROR;
1369 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1370 			goto f_err;
1371 			}
1372 		if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1373 			{
1374 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1375 			goto err;
1376 			}
1377 		p+=i;
1378 		n-=param_len;
1379 
1380 		/* this should be because we are using an export cipher */
1381 		if (alg_a & SSL_aRSA)
1382 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1383 		else
1384 			{
1385 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1386 			goto err;
1387 			}
1388 		s->session->sess_cert->peer_rsa_tmp=rsa;
1389 		rsa=NULL;
1390 		}
1391 #else /* OPENSSL_NO_RSA */
1392 	if (0)
1393 		;
1394 #endif
1395 #ifndef OPENSSL_NO_DH
1396 	else if (alg_k & SSL_kEDH)
1397 		{
1398 		if ((dh=DH_new()) == NULL)
1399 			{
1400 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1401 			goto err;
1402 			}
1403 		n2s(p,i);
1404 		param_len=i+2;
1405 		if (param_len > n)
1406 			{
1407 			al=SSL_AD_DECODE_ERROR;
1408 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1409 			goto f_err;
1410 			}
1411 		if (!(dh->p=BN_bin2bn(p,i,NULL)))
1412 			{
1413 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1414 			goto err;
1415 			}
1416 		p+=i;
1417 
1418 		n2s(p,i);
1419 		param_len+=i+2;
1420 		if (param_len > n)
1421 			{
1422 			al=SSL_AD_DECODE_ERROR;
1423 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1424 			goto f_err;
1425 			}
1426 		if (!(dh->g=BN_bin2bn(p,i,NULL)))
1427 			{
1428 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1429 			goto err;
1430 			}
1431 		p+=i;
1432 
1433 		n2s(p,i);
1434 		param_len+=i+2;
1435 		if (param_len > n)
1436 			{
1437 			al=SSL_AD_DECODE_ERROR;
1438 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1439 			goto f_err;
1440 			}
1441 		if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1442 			{
1443 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1444 			goto err;
1445 			}
1446 		p+=i;
1447 		n-=param_len;
1448 
1449 #ifndef OPENSSL_NO_RSA
1450 		if (alg_a & SSL_aRSA)
1451 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1452 #else
1453 		if (0)
1454 			;
1455 #endif
1456 #ifndef OPENSSL_NO_DSA
1457 		else if (alg_a & SSL_aDSS)
1458 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1459 #endif
1460 		/* else anonymous DH, so no certificate or pkey. */
1461 
1462 		s->session->sess_cert->peer_dh_tmp=dh;
1463 		dh=NULL;
1464 		}
1465 	else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
1466 		{
1467 		al=SSL_AD_ILLEGAL_PARAMETER;
1468 		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1469 		goto f_err;
1470 		}
1471 #endif /* !OPENSSL_NO_DH */
1472 
1473 #ifndef OPENSSL_NO_ECDH
1474 	else if (alg_k & SSL_kEECDH)
1475 		{
1476 		EC_GROUP *ngroup;
1477 		const EC_GROUP *group;
1478 
1479 		if ((ecdh=EC_KEY_new()) == NULL)
1480 			{
1481 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1482 			goto err;
1483 			}
1484 
1485 		/* Extract elliptic curve parameters and the
1486 		 * server's ephemeral ECDH public key.
1487 		 * Keep accumulating lengths of various components in
1488 		 * param_len and make sure it never exceeds n.
1489 		 */
1490 
1491 		/* XXX: For now we only support named (not generic) curves
1492 		 * and the ECParameters in this case is just three bytes.
1493 		 */
1494 		param_len=3;
1495 		if ((param_len > n) ||
1496 		    (*p != NAMED_CURVE_TYPE) ||
1497 		    ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0))
1498 			{
1499 			al=SSL_AD_INTERNAL_ERROR;
1500 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1501 			goto f_err;
1502 			}
1503 
1504 		ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1505 		if (ngroup == NULL)
1506 			{
1507 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1508 			goto err;
1509 			}
1510 		if (EC_KEY_set_group(ecdh, ngroup) == 0)
1511 			{
1512 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1513 			goto err;
1514 			}
1515 		EC_GROUP_free(ngroup);
1516 
1517 		group = EC_KEY_get0_group(ecdh);
1518 
1519 		if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1520 		    (EC_GROUP_get_degree(group) > 163))
1521 			{
1522 			al=SSL_AD_EXPORT_RESTRICTION;
1523 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1524 			goto f_err;
1525 			}
1526 
1527 		p+=3;
1528 
1529 		/* Next, get the encoded ECPoint */
1530 		if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1531 		    ((bn_ctx = BN_CTX_new()) == NULL))
1532 			{
1533 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1534 			goto err;
1535 			}
1536 
1537 		encoded_pt_len = *p;  /* length of encoded point */
1538 		p+=1;
1539 		param_len += (1 + encoded_pt_len);
1540 		if ((param_len > n) ||
1541 		    (EC_POINT_oct2point(group, srvr_ecpoint,
1542 			p, encoded_pt_len, bn_ctx) == 0))
1543 			{
1544 			al=SSL_AD_DECODE_ERROR;
1545 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1546 			goto f_err;
1547 			}
1548 
1549 		n-=param_len;
1550 		p+=encoded_pt_len;
1551 
1552 		/* The ECC/TLS specification does not mention
1553 		 * the use of DSA to sign ECParameters in the server
1554 		 * key exchange message. We do support RSA and ECDSA.
1555 		 */
1556 		if (0) ;
1557 #ifndef OPENSSL_NO_RSA
1558 		else if (alg_a & SSL_aRSA)
1559 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1560 #endif
1561 #ifndef OPENSSL_NO_ECDSA
1562 		else if (alg_a & SSL_aECDSA)
1563 			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1564 #endif
1565 		/* else anonymous ECDH, so no certificate or pkey. */
1566 		EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1567 		s->session->sess_cert->peer_ecdh_tmp=ecdh;
1568 		ecdh=NULL;
1569 		BN_CTX_free(bn_ctx);
1570 		EC_POINT_free(srvr_ecpoint);
1571 		srvr_ecpoint = NULL;
1572 		}
1573 	else if (alg_k)
1574 		{
1575 		al=SSL_AD_UNEXPECTED_MESSAGE;
1576 		SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1577 		goto f_err;
1578 		}
1579 #endif /* !OPENSSL_NO_ECDH */
1580 
1581 
1582 	/* p points to the next byte, there are 'n' bytes left */
1583 
1584 	/* if it was signed, check the signature */
1585 	if (pkey != NULL)
1586 		{
1587 		n2s(p,i);
1588 		n-=2;
1589 		j=EVP_PKEY_size(pkey);
1590 
1591 		if ((i != n) || (n > j) || (n <= 0))
1592 			{
1593 			/* wrong packet length */
1594 			al=SSL_AD_DECODE_ERROR;
1595 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1596 			goto f_err;
1597 			}
1598 
1599 #ifndef OPENSSL_NO_RSA
1600 		if (pkey->type == EVP_PKEY_RSA)
1601 			{
1602 			int num;
1603 
1604 			j=0;
1605 			q=md_buf;
1606 			for (num=2; num > 0; num--)
1607 				{
1608 				EVP_DigestInit_ex(&md_ctx,(num == 2)
1609 					?s->ctx->md5:s->ctx->sha1, NULL);
1610 				EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1611 				EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1612 				EVP_DigestUpdate(&md_ctx,param,param_len);
1613 				EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1614 				q+=i;
1615 				j+=i;
1616 				}
1617 			i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1618 								pkey->pkey.rsa);
1619 			if (i < 0)
1620 				{
1621 				al=SSL_AD_DECRYPT_ERROR;
1622 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1623 				goto f_err;
1624 				}
1625 			if (i == 0)
1626 				{
1627 				/* bad signature */
1628 				al=SSL_AD_DECRYPT_ERROR;
1629 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1630 				goto f_err;
1631 				}
1632 			}
1633 		else
1634 #endif
1635 #ifndef OPENSSL_NO_DSA
1636 			if (pkey->type == EVP_PKEY_DSA)
1637 			{
1638 			/* lets do DSS */
1639 			EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1640 			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1641 			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1642 			EVP_VerifyUpdate(&md_ctx,param,param_len);
1643 			if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1644 				{
1645 				/* bad signature */
1646 				al=SSL_AD_DECRYPT_ERROR;
1647 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1648 				goto f_err;
1649 				}
1650 			}
1651 		else
1652 #endif
1653 #ifndef OPENSSL_NO_ECDSA
1654 			if (pkey->type == EVP_PKEY_EC)
1655 			{
1656 			/* let's do ECDSA */
1657 			EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1658 			EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1659 			EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1660 			EVP_VerifyUpdate(&md_ctx,param,param_len);
1661 			if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1662 				{
1663 				/* bad signature */
1664 				al=SSL_AD_DECRYPT_ERROR;
1665 				SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1666 				goto f_err;
1667 				}
1668 			}
1669 		else
1670 #endif
1671 			{
1672 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1673 			goto err;
1674 			}
1675 		}
1676 	else
1677 		{
1678 		if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
1679 			/* aNULL or kPSK do not need public keys */
1680 			{
1681 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1682 			goto err;
1683 			}
1684 		/* still data left over */
1685 		if (n != 0)
1686 			{
1687 			al=SSL_AD_DECODE_ERROR;
1688 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1689 			goto f_err;
1690 			}
1691 		}
1692 	EVP_PKEY_free(pkey);
1693 	EVP_MD_CTX_cleanup(&md_ctx);
1694 	return(1);
1695 f_err:
1696 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
1697 err:
1698 	EVP_PKEY_free(pkey);
1699 #ifndef OPENSSL_NO_RSA
1700 	if (rsa != NULL)
1701 		RSA_free(rsa);
1702 #endif
1703 #ifndef OPENSSL_NO_DH
1704 	if (dh != NULL)
1705 		DH_free(dh);
1706 #endif
1707 #ifndef OPENSSL_NO_ECDH
1708 	BN_CTX_free(bn_ctx);
1709 	EC_POINT_free(srvr_ecpoint);
1710 	if (ecdh != NULL)
1711 		EC_KEY_free(ecdh);
1712 #endif
1713 	EVP_MD_CTX_cleanup(&md_ctx);
1714 	return(-1);
1715 	}
1716 
ssl3_get_certificate_request(SSL * s)1717 int ssl3_get_certificate_request(SSL *s)
1718 	{
1719 	int ok,ret=0;
1720 	unsigned long n,nc,l;
1721 	unsigned int llen,ctype_num,i;
1722 	X509_NAME *xn=NULL;
1723 	const unsigned char *p,*q;
1724 	unsigned char *d;
1725 	STACK_OF(X509_NAME) *ca_sk=NULL;
1726 
1727 	n=s->method->ssl_get_message(s,
1728 		SSL3_ST_CR_CERT_REQ_A,
1729 		SSL3_ST_CR_CERT_REQ_B,
1730 		-1,
1731 		s->max_cert_list,
1732 		&ok);
1733 
1734 	if (!ok) return((int)n);
1735 
1736 	s->s3->tmp.cert_req=0;
1737 
1738 	if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1739 		{
1740 		s->s3->tmp.reuse_message=1;
1741 		return(1);
1742 		}
1743 
1744 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1745 		{
1746 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1747 		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1748 		goto err;
1749 		}
1750 
1751 	/* TLS does not like anon-DH with client cert */
1752 	if (s->version > SSL3_VERSION)
1753 		{
1754 		if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1755 			{
1756 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1757 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1758 			goto err;
1759 			}
1760 		}
1761 
1762 	p=d=(unsigned char *)s->init_msg;
1763 
1764 	if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1765 		{
1766 		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1767 		goto err;
1768 		}
1769 
1770 	/* get the certificate types */
1771 	ctype_num= *(p++);
1772 	if (ctype_num > SSL3_CT_NUMBER)
1773 		ctype_num=SSL3_CT_NUMBER;
1774 	for (i=0; i<ctype_num; i++)
1775 		s->s3->tmp.ctype[i]= p[i];
1776 	p+=ctype_num;
1777 
1778 	/* get the CA RDNs */
1779 	n2s(p,llen);
1780 #if 0
1781 {
1782 FILE *out;
1783 out=fopen("/tmp/vsign.der","w");
1784 fwrite(p,1,llen,out);
1785 fclose(out);
1786 }
1787 #endif
1788 
1789 	if ((llen+ctype_num+2+1) != n)
1790 		{
1791 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1792 		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1793 		goto err;
1794 		}
1795 
1796 	for (nc=0; nc<llen; )
1797 		{
1798 		n2s(p,l);
1799 		if ((l+nc+2) > llen)
1800 			{
1801 			if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1802 				goto cont; /* netscape bugs */
1803 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1804 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1805 			goto err;
1806 			}
1807 
1808 		q=p;
1809 
1810 		if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1811 			{
1812 			/* If netscape tolerance is on, ignore errors */
1813 			if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1814 				goto cont;
1815 			else
1816 				{
1817 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1818 				SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1819 				goto err;
1820 				}
1821 			}
1822 
1823 		if (q != (p+l))
1824 			{
1825 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1826 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1827 			goto err;
1828 			}
1829 		if (!sk_X509_NAME_push(ca_sk,xn))
1830 			{
1831 			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1832 			goto err;
1833 			}
1834 
1835 		p+=l;
1836 		nc+=l+2;
1837 		}
1838 
1839 	if (0)
1840 		{
1841 cont:
1842 		ERR_clear_error();
1843 		}
1844 
1845 	/* we should setup a certificate to return.... */
1846 	s->s3->tmp.cert_req=1;
1847 	s->s3->tmp.ctype_num=ctype_num;
1848 	if (s->s3->tmp.ca_names != NULL)
1849 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1850 	s->s3->tmp.ca_names=ca_sk;
1851 	ca_sk=NULL;
1852 
1853 	ret=1;
1854 err:
1855 	if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1856 	return(ret);
1857 	}
1858 
ca_dn_cmp(const X509_NAME * const * a,const X509_NAME * const * b)1859 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1860 	{
1861 	return(X509_NAME_cmp(*a,*b));
1862 	}
1863 #ifndef OPENSSL_NO_TLSEXT
ssl3_get_new_session_ticket(SSL * s)1864 int ssl3_get_new_session_ticket(SSL *s)
1865 	{
1866 	int ok,al,ret=0, ticklen;
1867 	long n;
1868 	const unsigned char *p;
1869 	unsigned char *d;
1870 
1871 	n=s->method->ssl_get_message(s,
1872 		SSL3_ST_CR_SESSION_TICKET_A,
1873 		SSL3_ST_CR_SESSION_TICKET_B,
1874 		-1,
1875 		16384,
1876 		&ok);
1877 
1878 	if (!ok)
1879 		return((int)n);
1880 
1881 	if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
1882 		{
1883 		s->s3->tmp.reuse_message=1;
1884 		return(1);
1885 		}
1886 	if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
1887 		{
1888 		al=SSL_AD_UNEXPECTED_MESSAGE;
1889 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
1890 		goto f_err;
1891 		}
1892 	if (n < 6)
1893 		{
1894 		/* need at least ticket_lifetime_hint + ticket length */
1895 		al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1896 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1897 		goto f_err;
1898 		}
1899 
1900 	p=d=(unsigned char *)s->init_msg;
1901 	n2l(p, s->session->tlsext_tick_lifetime_hint);
1902 	n2s(p, ticklen);
1903 	/* ticket_lifetime_hint + ticket_length + ticket */
1904 	if (ticklen + 6 != n)
1905 		{
1906 		al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1907 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1908 		goto f_err;
1909 		}
1910 	if (s->session->tlsext_tick)
1911 		{
1912 		OPENSSL_free(s->session->tlsext_tick);
1913 		s->session->tlsext_ticklen = 0;
1914 		}
1915 	s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1916 	if (!s->session->tlsext_tick)
1917 		{
1918 		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
1919 		goto err;
1920 		}
1921 	memcpy(s->session->tlsext_tick, p, ticklen);
1922 	s->session->tlsext_ticklen = ticklen;
1923 	/* There are two ways to detect a resumed ticket sesion.
1924 	 * One is to set an appropriate session ID and then the server
1925 	 * must return a match in ServerHello. This allows the normal
1926 	 * client session ID matching to work and we know much
1927 	 * earlier that the ticket has been accepted.
1928 	 *
1929 	 * The other way is to set zero length session ID when the
1930 	 * ticket is presented and rely on the handshake to determine
1931 	 * session resumption.
1932 	 *
1933 	 * We choose the former approach because this fits in with
1934 	 * assumptions elsewhere in OpenSSL. The session ID is set
1935 	 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
1936 	 * ticket.
1937 	 */
1938 	EVP_Digest(p, ticklen,
1939 			s->session->session_id, &s->session->session_id_length,
1940 #ifndef OPENSSL_NO_SHA256
1941 							EVP_sha256(), NULL);
1942 #else
1943 							EVP_sha1(), NULL);
1944 #endif
1945 	ret=1;
1946 	return(ret);
1947 f_err:
1948 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
1949 err:
1950 	return(-1);
1951 	}
1952 
ssl3_get_cert_status(SSL * s)1953 int ssl3_get_cert_status(SSL *s)
1954 	{
1955 	int ok, al;
1956 	unsigned long resplen,n;
1957 	const unsigned char *p;
1958 
1959 	n=s->method->ssl_get_message(s,
1960 		SSL3_ST_CR_CERT_STATUS_A,
1961 		SSL3_ST_CR_CERT_STATUS_B,
1962 		SSL3_MT_CERTIFICATE_STATUS,
1963 		16384,
1964 		&ok);
1965 
1966 	if (!ok) return((int)n);
1967 	if (n < 4)
1968 		{
1969 		/* need at least status type + length */
1970 		al = SSL_AD_DECODE_ERROR;
1971 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1972 		goto f_err;
1973 		}
1974 	p = (unsigned char *)s->init_msg;
1975 	if (*p++ != TLSEXT_STATUSTYPE_ocsp)
1976 		{
1977 		al = SSL_AD_DECODE_ERROR;
1978 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE);
1979 		goto f_err;
1980 		}
1981 	n2l3(p, resplen);
1982 	if (resplen + 4 != n)
1983 		{
1984 		al = SSL_AD_DECODE_ERROR;
1985 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1986 		goto f_err;
1987 		}
1988 	if (s->tlsext_ocsp_resp)
1989 		OPENSSL_free(s->tlsext_ocsp_resp);
1990 	s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
1991 	if (!s->tlsext_ocsp_resp)
1992 		{
1993 		al = SSL_AD_INTERNAL_ERROR;
1994 		SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1995 		goto f_err;
1996 		}
1997 	s->tlsext_ocsp_resplen = resplen;
1998 	if (s->ctx->tlsext_status_cb)
1999 		{
2000 		int ret;
2001 		ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2002 		if (ret == 0)
2003 			{
2004 			al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2005 			SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE);
2006 			goto f_err;
2007 			}
2008 		if (ret < 0)
2009 			{
2010 			al = SSL_AD_INTERNAL_ERROR;
2011 			SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
2012 			goto f_err;
2013 			}
2014 		}
2015 	return 1;
2016 f_err:
2017 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
2018 	return(-1);
2019 	}
2020 #endif
2021 
ssl3_get_server_done(SSL * s)2022 int ssl3_get_server_done(SSL *s)
2023 	{
2024 	int ok,ret=0;
2025 	long n;
2026 
2027 	n=s->method->ssl_get_message(s,
2028 		SSL3_ST_CR_SRVR_DONE_A,
2029 		SSL3_ST_CR_SRVR_DONE_B,
2030 		SSL3_MT_SERVER_DONE,
2031 		30, /* should be very small, like 0 :-) */
2032 		&ok);
2033 
2034 	if (!ok) return((int)n);
2035 	if (n > 0)
2036 		{
2037 		/* should contain no data */
2038 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
2039 		SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
2040 		return -1;
2041 		}
2042 	ret=1;
2043 	return(ret);
2044 	}
2045 
2046 
ssl3_send_client_key_exchange(SSL * s)2047 int ssl3_send_client_key_exchange(SSL *s)
2048 	{
2049 	unsigned char *p,*d;
2050 	int n;
2051 	unsigned long alg_k;
2052 #ifndef OPENSSL_NO_RSA
2053 	unsigned char *q;
2054 	EVP_PKEY *pkey=NULL;
2055 #endif
2056 #ifndef OPENSSL_NO_KRB5
2057 	KSSL_ERR kssl_err;
2058 #endif /* OPENSSL_NO_KRB5 */
2059 #ifndef OPENSSL_NO_ECDH
2060 	EC_KEY *clnt_ecdh = NULL;
2061 	const EC_POINT *srvr_ecpoint = NULL;
2062 	EVP_PKEY *srvr_pub_pkey = NULL;
2063 	unsigned char *encodedPoint = NULL;
2064 	int encoded_pt_len = 0;
2065 	BN_CTX * bn_ctx = NULL;
2066 #endif
2067 
2068 	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
2069 		{
2070 		d=(unsigned char *)s->init_buf->data;
2071 		p= &(d[4]);
2072 
2073 		alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2074 
2075 		/* Fool emacs indentation */
2076 		if (0) {}
2077 #ifndef OPENSSL_NO_RSA
2078 		else if (alg_k & SSL_kRSA)
2079 			{
2080 			RSA *rsa;
2081 			unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2082 
2083 			if (s->session->sess_cert->peer_rsa_tmp != NULL)
2084 				rsa=s->session->sess_cert->peer_rsa_tmp;
2085 			else
2086 				{
2087 				pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2088 				if ((pkey == NULL) ||
2089 					(pkey->type != EVP_PKEY_RSA) ||
2090 					(pkey->pkey.rsa == NULL))
2091 					{
2092 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2093 					goto err;
2094 					}
2095 				rsa=pkey->pkey.rsa;
2096 				EVP_PKEY_free(pkey);
2097 				}
2098 
2099 			tmp_buf[0]=s->client_version>>8;
2100 			tmp_buf[1]=s->client_version&0xff;
2101 			if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2102 					goto err;
2103 
2104 			s->session->master_key_length=sizeof tmp_buf;
2105 
2106 			q=p;
2107 			/* Fix buf for TLS and beyond */
2108 			if (s->version > SSL3_VERSION)
2109 				p+=2;
2110 			n=RSA_public_encrypt(sizeof tmp_buf,
2111 				tmp_buf,p,rsa,RSA_PKCS1_PADDING);
2112 #ifdef PKCS1_CHECK
2113 			if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
2114 			if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
2115 #endif
2116 			if (n <= 0)
2117 				{
2118 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
2119 				goto err;
2120 				}
2121 
2122 			/* Fix buf for TLS and beyond */
2123 			if (s->version > SSL3_VERSION)
2124 				{
2125 				s2n(n,q);
2126 				n+=2;
2127 				}
2128 
2129 			s->session->master_key_length=
2130 				s->method->ssl3_enc->generate_master_secret(s,
2131 					s->session->master_key,
2132 					tmp_buf,sizeof tmp_buf);
2133 			OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2134 			}
2135 #endif
2136 #ifndef OPENSSL_NO_KRB5
2137 		else if (alg_k & SSL_kKRB5)
2138 			{
2139 			krb5_error_code	krb5rc;
2140 			KSSL_CTX	*kssl_ctx = s->kssl_ctx;
2141 			/*  krb5_data	krb5_ap_req;  */
2142 			krb5_data	*enc_ticket;
2143 			krb5_data	authenticator, *authp = NULL;
2144 			EVP_CIPHER_CTX	ciph_ctx;
2145 			const EVP_CIPHER *enc = NULL;
2146 			unsigned char	iv[EVP_MAX_IV_LENGTH];
2147 			unsigned char	tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2148 			unsigned char	epms[SSL_MAX_MASTER_KEY_LENGTH
2149 						+ EVP_MAX_IV_LENGTH];
2150 			int 		padl, outl = sizeof(epms);
2151 
2152 			EVP_CIPHER_CTX_init(&ciph_ctx);
2153 
2154 #ifdef KSSL_DEBUG
2155 			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2156 				alg_k, SSL_kKRB5);
2157 #endif	/* KSSL_DEBUG */
2158 
2159 			authp = NULL;
2160 #ifdef KRB5SENDAUTH
2161 			if (KRB5SENDAUTH)  authp = &authenticator;
2162 #endif	/* KRB5SENDAUTH */
2163 
2164 			krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
2165 				&kssl_err);
2166 			enc = kssl_map_enc(kssl_ctx->enctype);
2167 			if (enc == NULL)
2168 			    goto err;
2169 #ifdef KSSL_DEBUG
2170 			{
2171 			printf("kssl_cget_tkt rtn %d\n", krb5rc);
2172 			if (krb5rc && kssl_err.text)
2173 			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2174 			}
2175 #endif	/* KSSL_DEBUG */
2176 
2177 			if (krb5rc)
2178 				{
2179 				ssl3_send_alert(s,SSL3_AL_FATAL,
2180 						SSL_AD_HANDSHAKE_FAILURE);
2181 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2182 						kssl_err.reason);
2183 				goto err;
2184 				}
2185 
2186 			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
2187 			**  in place of RFC 2712 KerberosWrapper, as in:
2188 			**
2189 			**  Send ticket (copy to *p, set n = length)
2190 			**  n = krb5_ap_req.length;
2191 			**  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2192 			**  if (krb5_ap_req.data)
2193 			**    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2194 			**
2195 			**  Now using real RFC 2712 KerberosWrapper
2196 			**  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
2197 			**  Note: 2712 "opaque" types are here replaced
2198 			**  with a 2-byte length followed by the value.
2199 			**  Example:
2200 			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
2201 			**  Where "xx xx" = length bytes.  Shown here with
2202 			**  optional authenticator omitted.
2203 			*/
2204 
2205 			/*  KerberosWrapper.Ticket		*/
2206 			s2n(enc_ticket->length,p);
2207 			memcpy(p, enc_ticket->data, enc_ticket->length);
2208 			p+= enc_ticket->length;
2209 			n = enc_ticket->length + 2;
2210 
2211 			/*  KerberosWrapper.Authenticator	*/
2212 			if (authp  &&  authp->length)
2213 				{
2214 				s2n(authp->length,p);
2215 				memcpy(p, authp->data, authp->length);
2216 				p+= authp->length;
2217 				n+= authp->length + 2;
2218 
2219 				free(authp->data);
2220 				authp->data = NULL;
2221 				authp->length = 0;
2222 				}
2223 			else
2224 				{
2225 				s2n(0,p);/*  null authenticator length	*/
2226 				n+=2;
2227 				}
2228 
2229 			    tmp_buf[0]=s->client_version>>8;
2230 			    tmp_buf[1]=s->client_version&0xff;
2231 			    if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2232 				goto err;
2233 
2234 			/*  20010420 VRS.  Tried it this way; failed.
2235 			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2236 			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2237 			**				kssl_ctx->length);
2238 			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2239 			*/
2240 
2241 			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
2242 			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
2243 				kssl_ctx->key,iv);
2244 			EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
2245 				sizeof tmp_buf);
2246 			EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
2247 			outl += padl;
2248 			if (outl > (int)sizeof epms)
2249 				{
2250 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2251 				goto err;
2252 				}
2253 			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2254 
2255 			/*  KerberosWrapper.EncryptedPreMasterSecret	*/
2256 			s2n(outl,p);
2257 			memcpy(p, epms, outl);
2258 			p+=outl;
2259 			n+=outl + 2;
2260 
2261 			s->session->master_key_length=
2262 				s->method->ssl3_enc->generate_master_secret(s,
2263 					s->session->master_key,
2264 					tmp_buf, sizeof tmp_buf);
2265 
2266 			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2267 			OPENSSL_cleanse(epms, outl);
2268 			}
2269 #endif
2270 #ifndef OPENSSL_NO_DH
2271 		else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2272 			{
2273 			DH *dh_srvr,*dh_clnt;
2274 
2275 			if (s->session->sess_cert == NULL)
2276 				{
2277 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2278 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2279 				goto err;
2280 				}
2281 
2282 			if (s->session->sess_cert->peer_dh_tmp != NULL)
2283 				dh_srvr=s->session->sess_cert->peer_dh_tmp;
2284 			else
2285 				{
2286 				/* we get them from the cert */
2287 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2288 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2289 				goto err;
2290 				}
2291 
2292 			/* generate a new random key */
2293 			if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2294 				{
2295 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2296 				goto err;
2297 				}
2298 			if (!DH_generate_key(dh_clnt))
2299 				{
2300 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2301 				goto err;
2302 				}
2303 
2304 			/* use the 'p' output buffer for the DH key, but
2305 			 * make sure to clear it out afterwards */
2306 
2307 			n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2308 
2309 			if (n <= 0)
2310 				{
2311 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2312 				goto err;
2313 				}
2314 
2315 			/* generate master key from the result */
2316 			s->session->master_key_length=
2317 				s->method->ssl3_enc->generate_master_secret(s,
2318 					s->session->master_key,p,n);
2319 			/* clean up */
2320 			memset(p,0,n);
2321 
2322 			/* send off the data */
2323 			n=BN_num_bytes(dh_clnt->pub_key);
2324 			s2n(n,p);
2325 			BN_bn2bin(dh_clnt->pub_key,p);
2326 			n+=2;
2327 
2328 			DH_free(dh_clnt);
2329 
2330 			/* perhaps clean things up a bit EAY EAY EAY EAY*/
2331 			}
2332 #endif
2333 
2334 #ifndef OPENSSL_NO_ECDH
2335 		else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2336 			{
2337 			const EC_GROUP *srvr_group = NULL;
2338 			EC_KEY *tkey;
2339 			int ecdh_clnt_cert = 0;
2340 			int field_size = 0;
2341 
2342 			/* Did we send out the client's
2343 			 * ECDH share for use in premaster
2344 			 * computation as part of client certificate?
2345 			 * If so, set ecdh_clnt_cert to 1.
2346 			 */
2347 			if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
2348 				{
2349 				/* XXX: For now, we do not support client
2350 				 * authentication using ECDH certificates.
2351 				 * To add such support, one needs to add
2352 				 * code that checks for appropriate
2353 				 * conditions and sets ecdh_clnt_cert to 1.
2354 				 * For example, the cert have an ECC
2355 				 * key on the same curve as the server's
2356 				 * and the key should be authorized for
2357 				 * key agreement.
2358 				 *
2359 				 * One also needs to add code in ssl3_connect
2360 				 * to skip sending the certificate verify
2361 				 * message.
2362 				 *
2363 				 * if ((s->cert->key->privatekey != NULL) &&
2364 				 *     (s->cert->key->privatekey->type ==
2365 				 *      EVP_PKEY_EC) && ...)
2366 				 * ecdh_clnt_cert = 1;
2367 				 */
2368 				}
2369 
2370 			if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2371 				{
2372 				tkey = s->session->sess_cert->peer_ecdh_tmp;
2373 				}
2374 			else
2375 				{
2376 				/* Get the Server Public Key from Cert */
2377 				srvr_pub_pkey = X509_get_pubkey(s->session-> \
2378 				    sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2379 				if ((srvr_pub_pkey == NULL) ||
2380 				    (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2381 				    (srvr_pub_pkey->pkey.ec == NULL))
2382 					{
2383 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2384 					    ERR_R_INTERNAL_ERROR);
2385 					goto err;
2386 					}
2387 
2388 				tkey = srvr_pub_pkey->pkey.ec;
2389 				}
2390 
2391 			srvr_group   = EC_KEY_get0_group(tkey);
2392 			srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2393 
2394 			if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2395 				{
2396 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2397 				    ERR_R_INTERNAL_ERROR);
2398 				goto err;
2399 				}
2400 
2401 			if ((clnt_ecdh=EC_KEY_new()) == NULL)
2402 				{
2403 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2404 				goto err;
2405 				}
2406 
2407 			if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2408 				{
2409 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2410 				goto err;
2411 				}
2412 			if (ecdh_clnt_cert)
2413 				{
2414 				/* Reuse key info from our certificate
2415 				 * We only need our private key to perform
2416 				 * the ECDH computation.
2417 				 */
2418 				const BIGNUM *priv_key;
2419 				tkey = s->cert->key->privatekey->pkey.ec;
2420 				priv_key = EC_KEY_get0_private_key(tkey);
2421 				if (priv_key == NULL)
2422 					{
2423 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2424 					goto err;
2425 					}
2426 				if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2427 					{
2428 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2429 					goto err;
2430 					}
2431 				}
2432 			else
2433 				{
2434 				/* Generate a new ECDH key pair */
2435 				if (!(EC_KEY_generate_key(clnt_ecdh)))
2436 					{
2437 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2438 					goto err;
2439 					}
2440 				}
2441 
2442 			/* use the 'p' output buffer for the ECDH key, but
2443 			 * make sure to clear it out afterwards
2444 			 */
2445 
2446 			field_size = EC_GROUP_get_degree(srvr_group);
2447 			if (field_size <= 0)
2448 				{
2449 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2450 				       ERR_R_ECDH_LIB);
2451 				goto err;
2452 				}
2453 			n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2454 			if (n <= 0)
2455 				{
2456 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2457 				       ERR_R_ECDH_LIB);
2458 				goto err;
2459 				}
2460 
2461 			/* generate master key from the result */
2462 			s->session->master_key_length = s->method->ssl3_enc \
2463 			    -> generate_master_secret(s,
2464 				s->session->master_key,
2465 				p, n);
2466 
2467 			memset(p, 0, n); /* clean up */
2468 
2469 			if (ecdh_clnt_cert)
2470 				{
2471 				/* Send empty client key exch message */
2472 				n = 0;
2473 				}
2474 			else
2475 				{
2476 				/* First check the size of encoding and
2477 				 * allocate memory accordingly.
2478 				 */
2479 				encoded_pt_len =
2480 				    EC_POINT_point2oct(srvr_group,
2481 					EC_KEY_get0_public_key(clnt_ecdh),
2482 					POINT_CONVERSION_UNCOMPRESSED,
2483 					NULL, 0, NULL);
2484 
2485 				encodedPoint = (unsigned char *)
2486 				    OPENSSL_malloc(encoded_pt_len *
2487 					sizeof(unsigned char));
2488 				bn_ctx = BN_CTX_new();
2489 				if ((encodedPoint == NULL) ||
2490 				    (bn_ctx == NULL))
2491 					{
2492 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2493 					goto err;
2494 					}
2495 
2496 				/* Encode the public key */
2497 				n = EC_POINT_point2oct(srvr_group,
2498 				    EC_KEY_get0_public_key(clnt_ecdh),
2499 				    POINT_CONVERSION_UNCOMPRESSED,
2500 				    encodedPoint, encoded_pt_len, bn_ctx);
2501 
2502 				*p = n; /* length of encoded point */
2503 				/* Encoded point will be copied here */
2504 				p += 1;
2505 				/* copy the point */
2506 				memcpy((unsigned char *)p, encodedPoint, n);
2507 				/* increment n to account for length field */
2508 				n += 1;
2509 				}
2510 
2511 			/* Free allocated memory */
2512 			BN_CTX_free(bn_ctx);
2513 			if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2514 			if (clnt_ecdh != NULL)
2515 				 EC_KEY_free(clnt_ecdh);
2516 			EVP_PKEY_free(srvr_pub_pkey);
2517 			}
2518 #endif /* !OPENSSL_NO_ECDH */
2519 		else if (alg_k & SSL_kGOST)
2520 			{
2521 			/* GOST key exchange message creation */
2522 			EVP_PKEY_CTX *pkey_ctx;
2523 			X509 *peer_cert;
2524 			size_t msglen;
2525 			unsigned int md_len;
2526 			int keytype;
2527 			unsigned char premaster_secret[32],shared_ukm[32], tmp[256];
2528 			EVP_MD_CTX *ukm_hash;
2529 			EVP_PKEY *pub_key;
2530 
2531 			/* Get server sertificate PKEY and create ctx from it */
2532 			peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509;
2533 			if (!peer_cert)
2534 				peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509;
2535 			if (!peer_cert)		{
2536 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2537 					goto err;
2538 				}
2539 
2540 			pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL);
2541 			/* If we have send a certificate, and certificate key
2542 
2543 			 * parameters match those of server certificate, use
2544 			 * certificate key for key exchange
2545 			 */
2546 
2547 			 /* Otherwise, generate ephemeral key pair */
2548 
2549 			EVP_PKEY_encrypt_init(pkey_ctx);
2550 			  /* Generate session key */
2551 		    RAND_bytes(premaster_secret,32);
2552 			/* If we have client certificate, use its secret as peer key */
2553 			if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2554 				if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) {
2555 					/* If there was an error - just ignore it. Ephemeral key
2556 					* would be used
2557 					*/
2558 					ERR_clear_error();
2559 				}
2560 			}
2561 			/* Compute shared IV and store it in algorithm-specific
2562 			 * context data */
2563 			ukm_hash = EVP_MD_CTX_create();
2564 			EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94));
2565 			EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE);
2566 			EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE);
2567 			EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2568 			EVP_MD_CTX_destroy(ukm_hash);
2569 			if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV,
2570 				8,shared_ukm)<0) {
2571 					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2572 						SSL_R_LIBRARY_BUG);
2573 					goto err;
2574 				}
2575 			/* Make GOST keytransport blob message */
2576 			/*Encapsulate it into sequence */
2577 			*(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2578 			msglen=255;
2579 			if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) {
2580 			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2581 					SSL_R_LIBRARY_BUG);
2582 				goto err;
2583 			}
2584 			if (msglen >= 0x80)
2585 				{
2586 				*(p++)=0x81;
2587 				*(p++)= msglen & 0xff;
2588 				n=msglen+3;
2589 				}
2590 			else
2591 				{
2592 				*(p++)= msglen & 0xff;
2593 				n=msglen+2;
2594 				}
2595 			memcpy(p, tmp, msglen);
2596 			/* Check if pubkey from client certificate was used */
2597 			if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2598 				{
2599 				/* Set flag "skip certificate verify" */
2600 				s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2601 				}
2602 			EVP_PKEY_CTX_free(pkey_ctx);
2603 			s->session->master_key_length=
2604 				s->method->ssl3_enc->generate_master_secret(s,
2605 					s->session->master_key,premaster_secret,32);
2606 			EVP_PKEY_free(pub_key);
2607 
2608 			}
2609 #ifndef OPENSSL_NO_PSK
2610 		else if (alg_k & SSL_kPSK)
2611 			{
2612 			char identity[PSK_MAX_IDENTITY_LEN];
2613 			unsigned char *t = NULL;
2614 			unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
2615 			unsigned int pre_ms_len = 0, psk_len = 0;
2616 			int psk_err = 1;
2617 
2618 			n = 0;
2619 			if (s->psk_client_callback == NULL)
2620 				{
2621 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2622 					SSL_R_PSK_NO_CLIENT_CB);
2623 				goto err;
2624 				}
2625 
2626 			psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
2627 				identity, PSK_MAX_IDENTITY_LEN,
2628 				psk_or_pre_ms, sizeof(psk_or_pre_ms));
2629 			if (psk_len > PSK_MAX_PSK_LEN)
2630 				{
2631 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2632 					ERR_R_INTERNAL_ERROR);
2633 				goto psk_err;
2634 				}
2635 			else if (psk_len == 0)
2636 				{
2637 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2638 					SSL_R_PSK_IDENTITY_NOT_FOUND);
2639 				goto psk_err;
2640 				}
2641 
2642 			/* create PSK pre_master_secret */
2643 			pre_ms_len = 2+psk_len+2+psk_len;
2644 			t = psk_or_pre_ms;
2645 			memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
2646 			s2n(psk_len, t);
2647 			memset(t, 0, psk_len);
2648 			t+=psk_len;
2649 			s2n(psk_len, t);
2650 
2651 			if (s->session->psk_identity_hint != NULL)
2652 				OPENSSL_free(s->session->psk_identity_hint);
2653 			s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2654 			if (s->ctx->psk_identity_hint != NULL &&
2655 				s->session->psk_identity_hint == NULL)
2656 				{
2657 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2658 					ERR_R_MALLOC_FAILURE);
2659 				goto psk_err;
2660 				}
2661 
2662 			if (s->session->psk_identity != NULL)
2663 				OPENSSL_free(s->session->psk_identity);
2664 			s->session->psk_identity = BUF_strdup(identity);
2665 			if (s->session->psk_identity == NULL)
2666 				{
2667 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2668 					ERR_R_MALLOC_FAILURE);
2669 				goto psk_err;
2670 				}
2671 
2672 			s->session->master_key_length =
2673 				s->method->ssl3_enc->generate_master_secret(s,
2674 					s->session->master_key,
2675 					psk_or_pre_ms, pre_ms_len);
2676 			n = strlen(identity);
2677 			s2n(n, p);
2678 			memcpy(p, identity, n);
2679 			n+=2;
2680 			psk_err = 0;
2681 		psk_err:
2682 			OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2683 			OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2684 			if (psk_err != 0)
2685 				{
2686 				ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2687 				goto err;
2688 				}
2689 			}
2690 #endif
2691 		else
2692 			{
2693 			ssl3_send_alert(s, SSL3_AL_FATAL,
2694 			    SSL_AD_HANDSHAKE_FAILURE);
2695 			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2696 			    ERR_R_INTERNAL_ERROR);
2697 			goto err;
2698 			}
2699 
2700 		*(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2701 		l2n3(n,d);
2702 
2703 		s->state=SSL3_ST_CW_KEY_EXCH_B;
2704 		/* number of bytes to write */
2705 		s->init_num=n+4;
2706 		s->init_off=0;
2707 		}
2708 
2709 	/* SSL3_ST_CW_KEY_EXCH_B */
2710 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2711 err:
2712 #ifndef OPENSSL_NO_ECDH
2713 	BN_CTX_free(bn_ctx);
2714 	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2715 	if (clnt_ecdh != NULL)
2716 		EC_KEY_free(clnt_ecdh);
2717 	EVP_PKEY_free(srvr_pub_pkey);
2718 #endif
2719 	return(-1);
2720 	}
2721 
ssl3_send_client_verify(SSL * s)2722 int ssl3_send_client_verify(SSL *s)
2723 	{
2724 	unsigned char *p,*d;
2725 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2726 	EVP_PKEY *pkey;
2727 	EVP_PKEY_CTX *pctx=NULL;
2728 #ifndef OPENSSL_NO_RSA
2729 	unsigned u=0;
2730 #endif
2731 	unsigned long n;
2732 	int j;
2733 
2734 	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2735 		{
2736 		d=(unsigned char *)s->init_buf->data;
2737 		p= &(d[4]);
2738 		pkey=s->cert->key->privatekey;
2739 /* Create context from key and test if sha1 is allowed as digest */
2740 		pctx = EVP_PKEY_CTX_new(pkey,NULL);
2741 		EVP_PKEY_sign_init(pctx);
2742 		if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
2743 			{
2744 			s->method->ssl3_enc->cert_verify_mac(s,
2745 						NID_sha1,
2746 						&(data[MD5_DIGEST_LENGTH]));
2747 			}
2748 		else
2749 			{
2750 			ERR_clear_error();
2751 			}
2752 #ifndef OPENSSL_NO_RSA
2753 		if (pkey->type == EVP_PKEY_RSA)
2754 			{
2755 			s->method->ssl3_enc->cert_verify_mac(s,
2756 				NID_md5,
2757 			 	&(data[0]));
2758 			if (RSA_sign(NID_md5_sha1, data,
2759 					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2760 					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
2761 				{
2762 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
2763 				goto err;
2764 				}
2765 			s2n(u,p);
2766 			n=u+2;
2767 			}
2768 		else
2769 #endif
2770 #ifndef OPENSSL_NO_DSA
2771 			if (pkey->type == EVP_PKEY_DSA)
2772 			{
2773 			if (!DSA_sign(pkey->save_type,
2774 				&(data[MD5_DIGEST_LENGTH]),
2775 				SHA_DIGEST_LENGTH,&(p[2]),
2776 				(unsigned int *)&j,pkey->pkey.dsa))
2777 				{
2778 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
2779 				goto err;
2780 				}
2781 			s2n(j,p);
2782 			n=j+2;
2783 			}
2784 		else
2785 #endif
2786 #ifndef OPENSSL_NO_ECDSA
2787 			if (pkey->type == EVP_PKEY_EC)
2788 			{
2789 			if (!ECDSA_sign(pkey->save_type,
2790 				&(data[MD5_DIGEST_LENGTH]),
2791 				SHA_DIGEST_LENGTH,&(p[2]),
2792 				(unsigned int *)&j,pkey->pkey.ec))
2793 				{
2794 				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2795 				    ERR_R_ECDSA_LIB);
2796 				goto err;
2797 				}
2798 			s2n(j,p);
2799 			n=j+2;
2800 			}
2801 		else
2802 #endif
2803 		if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001)
2804 		{
2805 		unsigned char signbuf[64];
2806 		int i;
2807 		size_t sigsize=64;
2808 		s->method->ssl3_enc->cert_verify_mac(s,
2809 			NID_id_GostR3411_94,
2810 			data);
2811 		if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
2812 			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2813 			ERR_R_INTERNAL_ERROR);
2814 			goto err;
2815 		}
2816 		for (i=63,j=0; i>=0; j++, i--) {
2817 			p[2+j]=signbuf[i];
2818 		}
2819 		s2n(j,p);
2820 		n=j+2;
2821 		}
2822 		else
2823 		{
2824 			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
2825 			goto err;
2826 		}
2827 		*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
2828 		l2n3(n,d);
2829 
2830 		s->state=SSL3_ST_CW_CERT_VRFY_B;
2831 		s->init_num=(int)n+4;
2832 		s->init_off=0;
2833 		}
2834 	EVP_PKEY_CTX_free(pctx);
2835 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2836 err:
2837 	EVP_PKEY_CTX_free(pctx);
2838 	return(-1);
2839 	}
2840 
ssl3_send_client_certificate(SSL * s)2841 int ssl3_send_client_certificate(SSL *s)
2842 	{
2843 	X509 *x509=NULL;
2844 	EVP_PKEY *pkey=NULL;
2845 	int i;
2846 	unsigned long l;
2847 
2848 	if (s->state ==	SSL3_ST_CW_CERT_A)
2849 		{
2850 		if ((s->cert == NULL) ||
2851 			(s->cert->key->x509 == NULL) ||
2852 			(s->cert->key->privatekey == NULL))
2853 			s->state=SSL3_ST_CW_CERT_B;
2854 		else
2855 			s->state=SSL3_ST_CW_CERT_C;
2856 		}
2857 
2858 	/* We need to get a client cert */
2859 	if (s->state == SSL3_ST_CW_CERT_B)
2860 		{
2861 		/* If we get an error, we need to
2862 		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2863 		 * We then get retied later */
2864 		i=0;
2865 		i = ssl_do_client_cert_cb(s, &x509, &pkey);
2866 		if (i < 0)
2867 			{
2868 			s->rwstate=SSL_X509_LOOKUP;
2869 			return(-1);
2870 			}
2871 		s->rwstate=SSL_NOTHING;
2872 		if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2873 			{
2874 			s->state=SSL3_ST_CW_CERT_B;
2875 			if (	!SSL_use_certificate(s,x509) ||
2876 				!SSL_use_PrivateKey(s,pkey))
2877 				i=0;
2878 			}
2879 		else if (i == 1)
2880 			{
2881 			i=0;
2882 			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2883 			}
2884 
2885 		if (x509 != NULL) X509_free(x509);
2886 		if (pkey != NULL) EVP_PKEY_free(pkey);
2887 		if (i == 0)
2888 			{
2889 			if (s->version == SSL3_VERSION)
2890 				{
2891 				s->s3->tmp.cert_req=0;
2892 				ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2893 				return(1);
2894 				}
2895 			else
2896 				{
2897 				s->s3->tmp.cert_req=2;
2898 				}
2899 			}
2900 
2901 		/* Ok, we have a cert */
2902 		s->state=SSL3_ST_CW_CERT_C;
2903 		}
2904 
2905 	if (s->state == SSL3_ST_CW_CERT_C)
2906 		{
2907 		s->state=SSL3_ST_CW_CERT_D;
2908 		l=ssl3_output_cert_chain(s,
2909 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
2910 		s->init_num=(int)l;
2911 		s->init_off=0;
2912 		}
2913 	/* SSL3_ST_CW_CERT_D */
2914 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2915 	}
2916 
2917 #define has_bits(i,m)	(((i)&(m)) == (m))
2918 
ssl3_check_cert_and_algorithm(SSL * s)2919 int ssl3_check_cert_and_algorithm(SSL *s)
2920 	{
2921 	int i,idx;
2922 	long alg_k,alg_a;
2923 	EVP_PKEY *pkey=NULL;
2924 	SESS_CERT *sc;
2925 #ifndef OPENSSL_NO_RSA
2926 	RSA *rsa;
2927 #endif
2928 #ifndef OPENSSL_NO_DH
2929 	DH *dh;
2930 #endif
2931 
2932 	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
2933 	alg_a=s->s3->tmp.new_cipher->algorithm_auth;
2934 
2935 	/* we don't have a certificate */
2936 	if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
2937 		return(1);
2938 
2939 	sc=s->session->sess_cert;
2940 	if (sc == NULL)
2941 		{
2942 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
2943 		goto err;
2944 		}
2945 
2946 #ifndef OPENSSL_NO_RSA
2947 	rsa=s->session->sess_cert->peer_rsa_tmp;
2948 #endif
2949 #ifndef OPENSSL_NO_DH
2950 	dh=s->session->sess_cert->peer_dh_tmp;
2951 #endif
2952 
2953 	/* This is the passed certificate */
2954 
2955 	idx=sc->peer_cert_type;
2956 #ifndef OPENSSL_NO_ECDH
2957 	if (idx == SSL_PKEY_ECC)
2958 		{
2959 		if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2960 		    s->s3->tmp.new_cipher) == 0)
2961 			{ /* check failed */
2962 			SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2963 			goto f_err;
2964 			}
2965 		else
2966 			{
2967 			return 1;
2968 			}
2969 		}
2970 #endif
2971 	pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2972 	i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2973 	EVP_PKEY_free(pkey);
2974 
2975 
2976 	/* Check that we have a certificate if we require one */
2977 	if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2978 		{
2979 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
2980 		goto f_err;
2981 		}
2982 #ifndef OPENSSL_NO_DSA
2983 	else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2984 		{
2985 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
2986 		goto f_err;
2987 		}
2988 #endif
2989 #ifndef OPENSSL_NO_RSA
2990 	if ((alg_k & SSL_kRSA) &&
2991 		!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2992 		{
2993 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2994 		goto f_err;
2995 		}
2996 #endif
2997 #ifndef OPENSSL_NO_DH
2998 	if ((alg_k & SSL_kEDH) &&
2999 		!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
3000 		{
3001 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
3002 		goto f_err;
3003 		}
3004 	else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
3005 		{
3006 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
3007 		goto f_err;
3008 		}
3009 #ifndef OPENSSL_NO_DSA
3010 	else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
3011 		{
3012 		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
3013 		goto f_err;
3014 		}
3015 #endif
3016 #endif
3017 
3018 	if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
3019 		{
3020 #ifndef OPENSSL_NO_RSA
3021 		if (alg_k & SSL_kRSA)
3022 			{
3023 			if (rsa == NULL
3024 			    || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
3025 				{
3026 				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3027 				goto f_err;
3028 				}
3029 			}
3030 		else
3031 #endif
3032 #ifndef OPENSSL_NO_DH
3033 			if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
3034 			    {
3035 			    if (dh == NULL
3036 				|| DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
3037 				{
3038 				SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3039 				goto f_err;
3040 				}
3041 			}
3042 		else
3043 #endif
3044 			{
3045 			SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3046 			goto f_err;
3047 			}
3048 		}
3049 	return(1);
3050 f_err:
3051 	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
3052 err:
3053 	return(0);
3054 	}
3055 
3056 /* Check to see if handshake is full or resumed. Usually this is just a
3057  * case of checking to see if a cache hit has occurred. In the case of
3058  * session tickets we have to check the next message to be sure.
3059  */
3060 
3061 #ifndef OPENSSL_NO_TLSEXT
ssl3_check_finished(SSL * s)3062 int ssl3_check_finished(SSL *s)
3063 	{
3064 	int ok;
3065 	long n;
3066 	/* If we have no ticket it cannot be a resumed session. */
3067 	if (!s->session->tlsext_tick)
3068 		return 1;
3069 	/* this function is called when we really expect a Certificate
3070 	 * message, so permit appropriate message length */
3071 	n=s->method->ssl_get_message(s,
3072 		SSL3_ST_CR_CERT_A,
3073 		SSL3_ST_CR_CERT_B,
3074 		-1,
3075 		s->max_cert_list,
3076 		&ok);
3077 	if (!ok) return((int)n);
3078 	s->s3->tmp.reuse_message = 1;
3079 	if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
3080 		|| (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3081 		return 2;
3082 
3083 	return 1;
3084 	}
3085 #endif
3086 
ssl_do_client_cert_cb(SSL * s,X509 ** px509,EVP_PKEY ** ppkey)3087 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3088 	{
3089 	int i = 0;
3090 #ifndef OPENSSL_NO_ENGINE
3091 	if (s->ctx->client_cert_engine)
3092 		{
3093 		i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3094 						SSL_get_client_CA_list(s),
3095 						px509, ppkey, NULL, NULL, NULL);
3096 		if (i != 0)
3097 			return i;
3098 		}
3099 #endif
3100 	if (s->ctx->client_cert_cb)
3101 		i = s->ctx->client_cert_cb(s,px509,ppkey);
3102 	return i;
3103 	}
3104