| @@ -493,1998 +493,1999 @@ int ssl3_connect(SSL *s) | | | @@ -493,1998 +493,1999 @@ int ssl3_connect(SSL *s) |
493 | ret=ssl3_get_new_session_ticket(s); | | 493 | ret=ssl3_get_new_session_ticket(s); |
494 | if (ret <= 0) goto end; | | 494 | if (ret <= 0) goto end; |
495 | s->state=SSL3_ST_CR_FINISHED_A; | | 495 | s->state=SSL3_ST_CR_FINISHED_A; |
496 | s->init_num=0; | | 496 | s->init_num=0; |
497 | break; | | 497 | break; |
498 | | | 498 | |
499 | case SSL3_ST_CR_CERT_STATUS_A: | | 499 | case SSL3_ST_CR_CERT_STATUS_A: |
500 | case SSL3_ST_CR_CERT_STATUS_B: | | 500 | case SSL3_ST_CR_CERT_STATUS_B: |
501 | ret=ssl3_get_cert_status(s); | | 501 | ret=ssl3_get_cert_status(s); |
502 | if (ret <= 0) goto end; | | 502 | if (ret <= 0) goto end; |
503 | s->state=SSL3_ST_CR_KEY_EXCH_A; | | 503 | s->state=SSL3_ST_CR_KEY_EXCH_A; |
504 | s->init_num=0; | | 504 | s->init_num=0; |
505 | break; | | 505 | break; |
506 | #endif | | 506 | #endif |
507 | | | 507 | |
508 | case SSL3_ST_CR_FINISHED_A: | | 508 | case SSL3_ST_CR_FINISHED_A: |
509 | case SSL3_ST_CR_FINISHED_B: | | 509 | case SSL3_ST_CR_FINISHED_B: |
510 | | | 510 | |
511 | ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, | | 511 | ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, |
512 | SSL3_ST_CR_FINISHED_B); | | 512 | SSL3_ST_CR_FINISHED_B); |
513 | if (ret <= 0) goto end; | | 513 | if (ret <= 0) goto end; |
514 | | | 514 | |
515 | if (s->hit) | | 515 | if (s->hit) |
516 | s->state=SSL3_ST_CW_CHANGE_A; | | 516 | s->state=SSL3_ST_CW_CHANGE_A; |
517 | else | | 517 | else |
518 | s->state=SSL_ST_OK; | | 518 | s->state=SSL_ST_OK; |
519 | s->init_num=0; | | 519 | s->init_num=0; |
520 | break; | | 520 | break; |
521 | | | 521 | |
522 | case SSL3_ST_CW_FLUSH: | | 522 | case SSL3_ST_CW_FLUSH: |
523 | /* number of bytes to be flushed */ | | 523 | /* number of bytes to be flushed */ |
524 | num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); | | 524 | num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); |
525 | if (num1 > 0) | | 525 | if (num1 > 0) |
526 | { | | 526 | { |
527 | s->rwstate=SSL_WRITING; | | 527 | s->rwstate=SSL_WRITING; |
528 | num1=BIO_flush(s->wbio); | | 528 | num1=BIO_flush(s->wbio); |
529 | if (num1 <= 0) { ret= -1; goto end; } | | 529 | if (num1 <= 0) { ret= -1; goto end; } |
530 | s->rwstate=SSL_NOTHING; | | 530 | s->rwstate=SSL_NOTHING; |
531 | } | | 531 | } |
532 | | | 532 | |
533 | s->state=s->s3->tmp.next_state; | | 533 | s->state=s->s3->tmp.next_state; |
534 | break; | | 534 | break; |
535 | | | 535 | |
536 | case SSL_ST_OK: | | 536 | case SSL_ST_OK: |
537 | /* clean a few things up */ | | 537 | /* clean a few things up */ |
538 | ssl3_cleanup_key_block(s); | | 538 | ssl3_cleanup_key_block(s); |
539 | | | 539 | |
540 | if (s->init_buf != NULL) | | 540 | if (s->init_buf != NULL) |
541 | { | | 541 | { |
542 | BUF_MEM_free(s->init_buf); | | 542 | BUF_MEM_free(s->init_buf); |
543 | s->init_buf=NULL; | | 543 | s->init_buf=NULL; |
544 | } | | 544 | } |
545 | | | 545 | |
546 | /* If we are not 'joining' the last two packets, | | 546 | /* If we are not 'joining' the last two packets, |
547 | * remove the buffering now */ | | 547 | * remove the buffering now */ |
548 | if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) | | 548 | if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) |
549 | ssl_free_wbio_buffer(s); | | 549 | ssl_free_wbio_buffer(s); |
550 | /* else do it later in ssl3_write */ | | 550 | /* else do it later in ssl3_write */ |
551 | | | 551 | |
552 | s->init_num=0; | | 552 | s->init_num=0; |
553 | s->new_session=0; | | 553 | s->new_session=0; |
554 | | | 554 | |
555 | ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); | | 555 | ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); |
556 | if (s->hit) s->ctx->stats.sess_hit++; | | 556 | if (s->hit) s->ctx->stats.sess_hit++; |
557 | | | 557 | |
558 | ret=1; | | 558 | ret=1; |
559 | /* s->server=0; */ | | 559 | /* s->server=0; */ |
560 | s->handshake_func=ssl3_connect; | | 560 | s->handshake_func=ssl3_connect; |
561 | s->ctx->stats.sess_connect_good++; | | 561 | s->ctx->stats.sess_connect_good++; |
562 | | | 562 | |
563 | if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); | | 563 | if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); |
564 | | | 564 | |
565 | goto end; | | 565 | goto end; |
566 | /* break; */ | | 566 | /* break; */ |
567 | | | 567 | |
568 | default: | | 568 | default: |
569 | SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); | | 569 | SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); |
570 | ret= -1; | | 570 | ret= -1; |
571 | goto end; | | 571 | goto end; |
572 | /* break; */ | | 572 | /* break; */ |
573 | } | | 573 | } |
574 | | | 574 | |
575 | /* did we do anything */ | | 575 | /* did we do anything */ |
576 | if (!s->s3->tmp.reuse_message && !skip) | | 576 | if (!s->s3->tmp.reuse_message && !skip) |
577 | { | | 577 | { |
578 | if (s->debug) | | 578 | if (s->debug) |
579 | { | | 579 | { |
580 | if ((ret=BIO_flush(s->wbio)) <= 0) | | 580 | if ((ret=BIO_flush(s->wbio)) <= 0) |
581 | goto end; | | 581 | goto end; |
582 | } | | 582 | } |
583 | | | 583 | |
584 | if ((cb != NULL) && (s->state != state)) | | 584 | if ((cb != NULL) && (s->state != state)) |
585 | { | | 585 | { |
586 | new_state=s->state; | | 586 | new_state=s->state; |
587 | s->state=state; | | 587 | s->state=state; |
588 | cb(s,SSL_CB_CONNECT_LOOP,1); | | 588 | cb(s,SSL_CB_CONNECT_LOOP,1); |
589 | s->state=new_state; | | 589 | s->state=new_state; |
590 | } | | 590 | } |
591 | } | | 591 | } |
592 | skip=0; | | 592 | skip=0; |
593 | } | | 593 | } |
594 | end: | | 594 | end: |
595 | s->in_handshake--; | | 595 | s->in_handshake--; |
596 | if (buf != NULL) | | 596 | if (buf != NULL) |
597 | BUF_MEM_free(buf); | | 597 | BUF_MEM_free(buf); |
598 | if (cb != NULL) | | 598 | if (cb != NULL) |
599 | cb(s,SSL_CB_CONNECT_EXIT,ret); | | 599 | cb(s,SSL_CB_CONNECT_EXIT,ret); |
600 | return(ret); | | 600 | return(ret); |
601 | } | | 601 | } |
602 | | | 602 | |
603 | | | 603 | |
604 | int ssl3_client_hello(SSL *s) | | 604 | int ssl3_client_hello(SSL *s) |
605 | { | | 605 | { |
606 | unsigned char *buf; | | 606 | unsigned char *buf; |
607 | unsigned char *p,*d; | | 607 | unsigned char *p,*d; |
608 | int i; | | 608 | int i; |
609 | unsigned long Time,l; | | 609 | unsigned long Time,l; |
610 | #ifndef OPENSSL_NO_COMP | | 610 | #ifndef OPENSSL_NO_COMP |
611 | int j; | | 611 | int j; |
612 | SSL_COMP *comp; | | 612 | SSL_COMP *comp; |
613 | #endif | | 613 | #endif |
614 | | | 614 | |
615 | buf=(unsigned char *)s->init_buf->data; | | 615 | buf=(unsigned char *)s->init_buf->data; |
616 | if (s->state == SSL3_ST_CW_CLNT_HELLO_A) | | 616 | if (s->state == SSL3_ST_CW_CLNT_HELLO_A) |
617 | { | | 617 | { |
618 | SSL_SESSION *sess = s->session; | | 618 | SSL_SESSION *sess = s->session; |
619 | if ((sess == NULL) || | | 619 | if ((sess == NULL) || |
620 | (sess->ssl_version != s->version) || | | 620 | (sess->ssl_version != s->version) || |
621 | #ifdef OPENSSL_NO_TLSEXT | | 621 | #ifdef OPENSSL_NO_TLSEXT |
622 | !sess->session_id_length || | | 622 | !sess->session_id_length || |
623 | #else | | 623 | #else |
624 | (!sess->session_id_length && !sess->tlsext_tick) || | | 624 | (!sess->session_id_length && !sess->tlsext_tick) || |
625 | #endif | | 625 | #endif |
626 | (sess->not_resumable)) | | 626 | (sess->not_resumable)) |
627 | { | | 627 | { |
628 | if (!ssl_get_new_session(s,0)) | | 628 | if (!ssl_get_new_session(s,0)) |
629 | goto err; | | 629 | goto err; |
630 | } | | 630 | } |
631 | /* else use the pre-loaded session */ | | 631 | /* else use the pre-loaded session */ |
632 | | | 632 | |
633 | p=s->s3->client_random; | | 633 | p=s->s3->client_random; |
634 | Time=(unsigned long)time(NULL); /* Time */ | | 634 | Time=(unsigned long)time(NULL); /* Time */ |
635 | l2n(Time,p); | | 635 | l2n(Time,p); |
636 | if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) | | 636 | if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) |
637 | goto err; | | 637 | goto err; |
638 | | | 638 | |
639 | /* Do the message type and length last */ | | 639 | /* Do the message type and length last */ |
640 | d=p= &(buf[4]); | | 640 | d=p= &(buf[4]); |
641 | | | 641 | |
642 | *(p++)=s->version>>8; | | 642 | *(p++)=s->version>>8; |
643 | *(p++)=s->version&0xff; | | 643 | *(p++)=s->version&0xff; |
644 | s->client_version=s->version; | | 644 | s->client_version=s->version; |
645 | | | 645 | |
646 | /* Random stuff */ | | 646 | /* Random stuff */ |
647 | memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); | | 647 | memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); |
648 | p+=SSL3_RANDOM_SIZE; | | 648 | p+=SSL3_RANDOM_SIZE; |
649 | | | 649 | |
650 | /* Session ID */ | | 650 | /* Session ID */ |
651 | if (s->new_session) | | 651 | if (s->new_session) |
652 | i=0; | | 652 | i=0; |
653 | else | | 653 | else |
654 | i=s->session->session_id_length; | | 654 | i=s->session->session_id_length; |
655 | *(p++)=i; | | 655 | *(p++)=i; |
656 | if (i != 0) | | 656 | if (i != 0) |
657 | { | | 657 | { |
658 | if (i > (int)sizeof(s->session->session_id)) | | 658 | if (i > (int)sizeof(s->session->session_id)) |
659 | { | | 659 | { |
660 | SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); | | 660 | SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); |
661 | goto err; | | 661 | goto err; |
662 | } | | 662 | } |
663 | memcpy(p,s->session->session_id,i); | | 663 | memcpy(p,s->session->session_id,i); |
664 | p+=i; | | 664 | p+=i; |
665 | } | | 665 | } |
666 | | | 666 | |
667 | /* Ciphers supported */ | | 667 | /* Ciphers supported */ |
668 | i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); | | 668 | i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); |
669 | if (i == 0) | | 669 | if (i == 0) |
670 | { | | 670 | { |
671 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); | | 671 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); |
672 | goto err; | | 672 | goto err; |
673 | } | | 673 | } |
674 | s2n(i,p); | | 674 | s2n(i,p); |
675 | p+=i; | | 675 | p+=i; |
676 | | | 676 | |
677 | /* COMPRESSION */ | | 677 | /* COMPRESSION */ |
678 | #ifdef OPENSSL_NO_COMP | | 678 | #ifdef OPENSSL_NO_COMP |
679 | *(p++)=1; | | 679 | *(p++)=1; |
680 | #else | | 680 | #else |
681 | | | 681 | |
682 | if ((s->options & SSL_OP_NO_COMPRESSION) | | 682 | if ((s->options & SSL_OP_NO_COMPRESSION) |
683 | || !s->ctx->comp_methods) | | 683 | || !s->ctx->comp_methods) |
684 | j=0; | | 684 | j=0; |
685 | else | | 685 | else |
686 | j=sk_SSL_COMP_num(s->ctx->comp_methods); | | 686 | j=sk_SSL_COMP_num(s->ctx->comp_methods); |
687 | *(p++)=1+j; | | 687 | *(p++)=1+j; |
688 | for (i=0; i<j; i++) | | 688 | for (i=0; i<j; i++) |
689 | { | | 689 | { |
690 | comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); | | 690 | comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); |
691 | *(p++)=comp->id; | | 691 | *(p++)=comp->id; |
692 | } | | 692 | } |
693 | #endif | | 693 | #endif |
694 | *(p++)=0; /* Add the NULL method */ | | 694 | *(p++)=0; /* Add the NULL method */ |
695 | | | 695 | |
696 | #ifndef OPENSSL_NO_TLSEXT | | 696 | #ifndef OPENSSL_NO_TLSEXT |
697 | /* TLS extensions*/ | | 697 | /* TLS extensions*/ |
698 | if (ssl_prepare_clienthello_tlsext(s) <= 0) | | 698 | if (ssl_prepare_clienthello_tlsext(s) <= 0) |
699 | { | | 699 | { |
700 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); | | 700 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); |
701 | goto err; | | 701 | goto err; |
702 | } | | 702 | } |
703 | if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) | | 703 | if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) |
704 | { | | 704 | { |
705 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); | | 705 | SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); |
706 | goto err; | | 706 | goto err; |
707 | } | | 707 | } |
708 | #endif | | 708 | #endif |
709 | | | 709 | |
710 | l=(p-d); | | 710 | l=(p-d); |
711 | d=buf; | | 711 | d=buf; |
712 | *(d++)=SSL3_MT_CLIENT_HELLO; | | 712 | *(d++)=SSL3_MT_CLIENT_HELLO; |
713 | l2n3(l,d); | | 713 | l2n3(l,d); |
714 | | | 714 | |
715 | s->state=SSL3_ST_CW_CLNT_HELLO_B; | | 715 | s->state=SSL3_ST_CW_CLNT_HELLO_B; |
716 | /* number of bytes to write */ | | 716 | /* number of bytes to write */ |
717 | s->init_num=p-buf; | | 717 | s->init_num=p-buf; |
718 | s->init_off=0; | | 718 | s->init_off=0; |
719 | } | | 719 | } |
720 | | | 720 | |
721 | /* SSL3_ST_CW_CLNT_HELLO_B */ | | 721 | /* SSL3_ST_CW_CLNT_HELLO_B */ |
722 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | | 722 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
723 | err: | | 723 | err: |
724 | return(-1); | | 724 | return(-1); |
725 | } | | 725 | } |
726 | | | 726 | |
727 | int ssl3_get_server_hello(SSL *s) | | 727 | int ssl3_get_server_hello(SSL *s) |
728 | { | | 728 | { |
729 | STACK_OF(SSL_CIPHER) *sk; | | 729 | STACK_OF(SSL_CIPHER) *sk; |
730 | const SSL_CIPHER *c; | | 730 | const SSL_CIPHER *c; |
731 | unsigned char *p,*d; | | 731 | unsigned char *p,*d; |
732 | int i,al,ok; | | 732 | int i,al,ok; |
733 | unsigned int j; | | 733 | unsigned int j; |
734 | long n; | | 734 | long n; |
735 | #ifndef OPENSSL_NO_COMP | | 735 | #ifndef OPENSSL_NO_COMP |
736 | SSL_COMP *comp; | | 736 | SSL_COMP *comp; |
737 | #endif | | 737 | #endif |
738 | | | 738 | |
739 | n=s->method->ssl_get_message(s, | | 739 | n=s->method->ssl_get_message(s, |
740 | SSL3_ST_CR_SRVR_HELLO_A, | | 740 | SSL3_ST_CR_SRVR_HELLO_A, |
741 | SSL3_ST_CR_SRVR_HELLO_B, | | 741 | SSL3_ST_CR_SRVR_HELLO_B, |
742 | -1, | | 742 | -1, |
743 | 20000, /* ?? */ | | 743 | 20000, /* ?? */ |
744 | &ok); | | 744 | &ok); |
745 | | | 745 | |
746 | if (!ok) return((int)n); | | 746 | if (!ok) return((int)n); |
747 | | | 747 | |
748 | if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) | | 748 | if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) |
749 | { | | 749 | { |
750 | if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) | | 750 | if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) |
751 | { | | 751 | { |
752 | if ( s->d1->send_cookie == 0) | | 752 | if ( s->d1->send_cookie == 0) |
753 | { | | 753 | { |
754 | s->s3->tmp.reuse_message = 1; | | 754 | s->s3->tmp.reuse_message = 1; |
755 | return 1; | | 755 | return 1; |
756 | } | | 756 | } |
757 | else /* already sent a cookie */ | | 757 | else /* already sent a cookie */ |
758 | { | | 758 | { |
759 | al=SSL_AD_UNEXPECTED_MESSAGE; | | 759 | al=SSL_AD_UNEXPECTED_MESSAGE; |
760 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); | | 760 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); |
761 | goto f_err; | | 761 | goto f_err; |
762 | } | | 762 | } |
763 | } | | 763 | } |
764 | } | | 764 | } |
765 | | | 765 | |
766 | if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) | | 766 | if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) |
767 | { | | 767 | { |
768 | al=SSL_AD_UNEXPECTED_MESSAGE; | | 768 | al=SSL_AD_UNEXPECTED_MESSAGE; |
769 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); | | 769 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); |
770 | goto f_err; | | 770 | goto f_err; |
771 | } | | 771 | } |
772 | | | 772 | |
773 | d=p=(unsigned char *)s->init_msg; | | 773 | d=p=(unsigned char *)s->init_msg; |
774 | | | 774 | |
775 | if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) | | 775 | if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) |
776 | { | | 776 | { |
777 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); | | 777 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); |
778 | s->version=(s->version&0xff00)|p[1]; | | 778 | s->version=(s->version&0xff00)|p[1]; |
779 | al=SSL_AD_PROTOCOL_VERSION; | | 779 | al=SSL_AD_PROTOCOL_VERSION; |
780 | goto f_err; | | 780 | goto f_err; |
781 | } | | 781 | } |
782 | p+=2; | | 782 | p+=2; |
783 | | | 783 | |
784 | /* load the server hello data */ | | 784 | /* load the server hello data */ |
785 | /* load the server random */ | | 785 | /* load the server random */ |
786 | memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); | | 786 | memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); |
787 | p+=SSL3_RANDOM_SIZE; | | 787 | p+=SSL3_RANDOM_SIZE; |
788 | | | 788 | |
789 | /* get the session-id */ | | 789 | /* get the session-id */ |
790 | j= *(p++); | | 790 | j= *(p++); |
791 | | | 791 | |
792 | if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) | | 792 | if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) |
793 | { | | 793 | { |
794 | al=SSL_AD_ILLEGAL_PARAMETER; | | 794 | al=SSL_AD_ILLEGAL_PARAMETER; |
795 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); | | 795 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); |
796 | goto f_err; | | 796 | goto f_err; |
797 | } | | 797 | } |
798 | | | 798 | |
799 | #ifndef OPENSSL_NO_TLSEXT | | 799 | #ifndef OPENSSL_NO_TLSEXT |
800 | /* check if we want to resume the session based on external pre-shared secret */ | | 800 | /* check if we want to resume the session based on external pre-shared secret */ |
801 | if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) | | 801 | if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) |
802 | { | | 802 | { |
803 | SSL_CIPHER *pref_cipher=NULL; | | 803 | SSL_CIPHER *pref_cipher=NULL; |
804 | s->session->master_key_length=sizeof(s->session->master_key); | | 804 | s->session->master_key_length=sizeof(s->session->master_key); |
805 | if (s->tls_session_secret_cb(s, s->session->master_key, | | 805 | if (s->tls_session_secret_cb(s, s->session->master_key, |
806 | &s->session->master_key_length, | | 806 | &s->session->master_key_length, |
807 | NULL, &pref_cipher, | | 807 | NULL, &pref_cipher, |
808 | s->tls_session_secret_cb_arg)) | | 808 | s->tls_session_secret_cb_arg)) |
809 | { | | 809 | { |
810 | s->session->cipher = pref_cipher ? | | 810 | s->session->cipher = pref_cipher ? |
811 | pref_cipher : ssl_get_cipher_by_char(s, p+j); | | 811 | pref_cipher : ssl_get_cipher_by_char(s, p+j); |
812 | } | | 812 | } |
813 | } | | 813 | } |
814 | #endif /* OPENSSL_NO_TLSEXT */ | | 814 | #endif /* OPENSSL_NO_TLSEXT */ |
815 | | | 815 | |
816 | if (j != 0 && j == s->session->session_id_length | | 816 | if (j != 0 && j == s->session->session_id_length |
817 | && memcmp(p,s->session->session_id,j) == 0) | | 817 | && memcmp(p,s->session->session_id,j) == 0) |
818 | { | | 818 | { |
819 | if(s->sid_ctx_length != s->session->sid_ctx_length | | 819 | if(s->sid_ctx_length != s->session->sid_ctx_length |
820 | || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) | | 820 | || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) |
821 | { | | 821 | { |
822 | /* actually a client application bug */ | | 822 | /* actually a client application bug */ |
823 | al=SSL_AD_ILLEGAL_PARAMETER; | | 823 | al=SSL_AD_ILLEGAL_PARAMETER; |
824 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); | | 824 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); |
825 | goto f_err; | | 825 | goto f_err; |
826 | } | | 826 | } |
827 | s->hit=1; | | 827 | s->hit=1; |
828 | } | | 828 | } |
829 | else /* a miss or crap from the other end */ | | 829 | else /* a miss or crap from the other end */ |
830 | { | | 830 | { |
831 | /* If we were trying for session-id reuse, make a new | | 831 | /* If we were trying for session-id reuse, make a new |
832 | * SSL_SESSION so we don't stuff up other people */ | | 832 | * SSL_SESSION so we don't stuff up other people */ |
833 | s->hit=0; | | 833 | s->hit=0; |
834 | if (s->session->session_id_length > 0) | | 834 | if (s->session->session_id_length > 0) |
835 | { | | 835 | { |
836 | if (!ssl_get_new_session(s,0)) | | 836 | if (!ssl_get_new_session(s,0)) |
837 | { | | 837 | { |
838 | al=SSL_AD_INTERNAL_ERROR; | | 838 | al=SSL_AD_INTERNAL_ERROR; |
839 | goto f_err; | | 839 | goto f_err; |
840 | } | | 840 | } |
841 | } | | 841 | } |
842 | s->session->session_id_length=j; | | 842 | s->session->session_id_length=j; |
843 | memcpy(s->session->session_id,p,j); /* j could be 0 */ | | 843 | memcpy(s->session->session_id,p,j); /* j could be 0 */ |
844 | } | | 844 | } |
845 | p+=j; | | 845 | p+=j; |
846 | c=ssl_get_cipher_by_char(s,p); | | 846 | c=ssl_get_cipher_by_char(s,p); |
847 | if (c == NULL) | | 847 | if (c == NULL) |
848 | { | | 848 | { |
849 | /* unknown cipher */ | | 849 | /* unknown cipher */ |
850 | al=SSL_AD_ILLEGAL_PARAMETER; | | 850 | al=SSL_AD_ILLEGAL_PARAMETER; |
851 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); | | 851 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); |
852 | goto f_err; | | 852 | goto f_err; |
853 | } | | 853 | } |
854 | p+=ssl_put_cipher_by_char(s,NULL,NULL); | | 854 | p+=ssl_put_cipher_by_char(s,NULL,NULL); |
855 | | | 855 | |
856 | sk=ssl_get_ciphers_by_id(s); | | 856 | sk=ssl_get_ciphers_by_id(s); |
857 | i=sk_SSL_CIPHER_find(sk,c); | | 857 | i=sk_SSL_CIPHER_find(sk,c); |
858 | if (i < 0) | | 858 | if (i < 0) |
859 | { | | 859 | { |
860 | /* we did not say we would use this cipher */ | | 860 | /* we did not say we would use this cipher */ |
861 | al=SSL_AD_ILLEGAL_PARAMETER; | | 861 | al=SSL_AD_ILLEGAL_PARAMETER; |
862 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); | | 862 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); |
863 | goto f_err; | | 863 | goto f_err; |
864 | } | | 864 | } |
865 | | | 865 | |
866 | /* Depending on the session caching (internal/external), the cipher | | 866 | /* Depending on the session caching (internal/external), the cipher |
867 | and/or cipher_id values may not be set. Make sure that | | 867 | and/or cipher_id values may not be set. Make sure that |
868 | cipher_id is set and use it for comparison. */ | | 868 | cipher_id is set and use it for comparison. */ |
869 | if (s->session->cipher) | | 869 | if (s->session->cipher) |
870 | s->session->cipher_id = s->session->cipher->id; | | 870 | s->session->cipher_id = s->session->cipher->id; |
871 | if (s->hit && (s->session->cipher_id != c->id)) | | 871 | if (s->hit && (s->session->cipher_id != c->id)) |
872 | { | | 872 | { |
873 | if (!(s->options & | | 873 | if (!(s->options & |
874 | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) | | 874 | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) |
875 | { | | 875 | { |
876 | al=SSL_AD_ILLEGAL_PARAMETER; | | 876 | al=SSL_AD_ILLEGAL_PARAMETER; |
877 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); | | 877 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); |
878 | goto f_err; | | 878 | goto f_err; |
879 | } | | 879 | } |
880 | } | | 880 | } |
881 | s->s3->tmp.new_cipher=c; | | 881 | s->s3->tmp.new_cipher=c; |
882 | if (!ssl3_digest_cached_records(s)) | | 882 | if (!ssl3_digest_cached_records(s)) |
883 | goto f_err; | | 883 | goto f_err; |
884 | | | 884 | |
885 | /* lets get the compression algorithm */ | | 885 | /* lets get the compression algorithm */ |
886 | /* COMPRESSION */ | | 886 | /* COMPRESSION */ |
887 | #ifdef OPENSSL_NO_COMP | | 887 | #ifdef OPENSSL_NO_COMP |
888 | if (*(p++) != 0) | | 888 | if (*(p++) != 0) |
889 | { | | 889 | { |
890 | al=SSL_AD_ILLEGAL_PARAMETER; | | 890 | al=SSL_AD_ILLEGAL_PARAMETER; |
891 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); | | 891 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); |
892 | goto f_err; | | 892 | goto f_err; |
893 | } | | 893 | } |
894 | #else | | 894 | #else |
895 | j= *(p++); | | 895 | j= *(p++); |
896 | if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION)) | | 896 | if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION)) |
897 | comp=NULL; | | 897 | comp=NULL; |
898 | else | | 898 | else |
899 | comp=ssl3_comp_find(s->ctx->comp_methods,j); | | 899 | comp=ssl3_comp_find(s->ctx->comp_methods,j); |
900 | | | 900 | |
901 | if ((j != 0) && (comp == NULL)) | | 901 | if ((j != 0) && (comp == NULL)) |
902 | { | | 902 | { |
903 | al=SSL_AD_ILLEGAL_PARAMETER; | | 903 | al=SSL_AD_ILLEGAL_PARAMETER; |
904 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); | | 904 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); |
905 | goto f_err; | | 905 | goto f_err; |
906 | } | | 906 | } |
907 | else | | 907 | else |
908 | { | | 908 | { |
909 | s->s3->tmp.new_compression=comp; | | 909 | s->s3->tmp.new_compression=comp; |
910 | } | | 910 | } |
911 | #endif | | 911 | #endif |
912 | | | 912 | |
913 | #ifndef OPENSSL_NO_TLSEXT | | 913 | #ifndef OPENSSL_NO_TLSEXT |
914 | /* TLS extensions*/ | | 914 | /* TLS extensions*/ |
915 | if (s->version >= SSL3_VERSION) | | 915 | if (s->version >= SSL3_VERSION) |
916 | { | | 916 | { |
917 | if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) | | 917 | if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) |
918 | { | | 918 | { |
919 | /* 'al' set by ssl_parse_serverhello_tlsext */ | | 919 | /* 'al' set by ssl_parse_serverhello_tlsext */ |
920 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); | | 920 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); |
921 | goto f_err; | | 921 | goto f_err; |
922 | } | | 922 | } |
923 | if (ssl_check_serverhello_tlsext(s) <= 0) | | 923 | if (ssl_check_serverhello_tlsext(s) <= 0) |
924 | { | | 924 | { |
925 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); | | 925 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); |
926 | goto err; | | 926 | goto err; |
927 | } | | 927 | } |
928 | } | | 928 | } |
929 | #endif | | 929 | #endif |
930 | | | 930 | |
931 | if (p != (d+n)) | | 931 | if (p != (d+n)) |
932 | { | | 932 | { |
933 | /* wrong packet length */ | | 933 | /* wrong packet length */ |
934 | al=SSL_AD_DECODE_ERROR; | | 934 | al=SSL_AD_DECODE_ERROR; |
935 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); | | 935 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); |
936 | goto err; | | 936 | goto err; |
937 | } | | 937 | } |
938 | | | 938 | |
939 | return(1); | | 939 | return(1); |
940 | f_err: | | 940 | f_err: |
941 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | | 941 | ssl3_send_alert(s,SSL3_AL_FATAL,al); |
942 | err: | | 942 | err: |
943 | return(-1); | | 943 | return(-1); |
944 | } | | 944 | } |
945 | | | 945 | |
946 | int ssl3_get_server_certificate(SSL *s) | | 946 | int ssl3_get_server_certificate(SSL *s) |
947 | { | | 947 | { |
948 | int al,i,ok,ret= -1; | | 948 | int al,i,ok,ret= -1; |
949 | unsigned long n,nc,llen,l; | | 949 | unsigned long n,nc,llen,l; |
950 | X509 *x=NULL; | | 950 | X509 *x=NULL; |
951 | const unsigned char *q,*p; | | 951 | const unsigned char *q,*p; |
952 | unsigned char *d; | | 952 | unsigned char *d; |
953 | STACK_OF(X509) *sk=NULL; | | 953 | STACK_OF(X509) *sk=NULL; |
954 | SESS_CERT *sc; | | 954 | SESS_CERT *sc; |
955 | EVP_PKEY *pkey=NULL; | | 955 | EVP_PKEY *pkey=NULL; |
956 | int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ | | 956 | int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ |
957 | | | 957 | |
958 | n=s->method->ssl_get_message(s, | | 958 | n=s->method->ssl_get_message(s, |
959 | SSL3_ST_CR_CERT_A, | | 959 | SSL3_ST_CR_CERT_A, |
960 | SSL3_ST_CR_CERT_B, | | 960 | SSL3_ST_CR_CERT_B, |
961 | -1, | | 961 | -1, |
962 | s->max_cert_list, | | 962 | s->max_cert_list, |
963 | &ok); | | 963 | &ok); |
964 | | | 964 | |
965 | if (!ok) return((int)n); | | 965 | if (!ok) return((int)n); |
966 | | | 966 | |
967 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) | | 967 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) |
968 | { | | 968 | { |
969 | s->s3->tmp.reuse_message=1; | | 969 | s->s3->tmp.reuse_message=1; |
970 | return(1); | | 970 | return(1); |
971 | } | | 971 | } |
972 | | | 972 | |
973 | if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) | | 973 | if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) |
974 | { | | 974 | { |
975 | al=SSL_AD_UNEXPECTED_MESSAGE; | | 975 | al=SSL_AD_UNEXPECTED_MESSAGE; |
976 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); | | 976 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); |
977 | goto f_err; | | 977 | goto f_err; |
978 | } | | 978 | } |
979 | p=d=(unsigned char *)s->init_msg; | | 979 | p=d=(unsigned char *)s->init_msg; |
980 | | | 980 | |
981 | if ((sk=sk_X509_new_null()) == NULL) | | 981 | if ((sk=sk_X509_new_null()) == NULL) |
982 | { | | 982 | { |
983 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); | | 983 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); |
984 | goto err; | | 984 | goto err; |
985 | } | | 985 | } |
986 | | | 986 | |
987 | n2l3(p,llen); | | 987 | n2l3(p,llen); |
988 | if (llen+3 != n) | | 988 | if (llen+3 != n) |
989 | { | | 989 | { |
990 | al=SSL_AD_DECODE_ERROR; | | 990 | al=SSL_AD_DECODE_ERROR; |
991 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); | | 991 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); |
992 | goto f_err; | | 992 | goto f_err; |
993 | } | | 993 | } |
994 | for (nc=0; nc<llen; ) | | 994 | for (nc=0; nc<llen; ) |
995 | { | | 995 | { |
996 | n2l3(p,l); | | 996 | n2l3(p,l); |
997 | if ((l+nc+3) > llen) | | 997 | if ((l+nc+3) > llen) |
998 | { | | 998 | { |
999 | al=SSL_AD_DECODE_ERROR; | | 999 | al=SSL_AD_DECODE_ERROR; |
1000 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); | | 1000 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); |
1001 | goto f_err; | | 1001 | goto f_err; |
1002 | } | | 1002 | } |
1003 | | | 1003 | |
1004 | q=p; | | 1004 | q=p; |
1005 | x=d2i_X509(NULL,&q,l); | | 1005 | x=d2i_X509(NULL,&q,l); |
1006 | if (x == NULL) | | 1006 | if (x == NULL) |
1007 | { | | 1007 | { |
1008 | al=SSL_AD_BAD_CERTIFICATE; | | 1008 | al=SSL_AD_BAD_CERTIFICATE; |
1009 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); | | 1009 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); |
1010 | goto f_err; | | 1010 | goto f_err; |
1011 | } | | 1011 | } |
1012 | if (q != (p+l)) | | 1012 | if (q != (p+l)) |
1013 | { | | 1013 | { |
1014 | al=SSL_AD_DECODE_ERROR; | | 1014 | al=SSL_AD_DECODE_ERROR; |
1015 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); | | 1015 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); |
1016 | goto f_err; | | 1016 | goto f_err; |
1017 | } | | 1017 | } |
1018 | if (!sk_X509_push(sk,x)) | | 1018 | if (!sk_X509_push(sk,x)) |
1019 | { | | 1019 | { |
1020 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); | | 1020 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); |
1021 | goto err; | | 1021 | goto err; |
1022 | } | | 1022 | } |
1023 | x=NULL; | | 1023 | x=NULL; |
1024 | nc+=l+3; | | 1024 | nc+=l+3; |
1025 | p=q; | | 1025 | p=q; |
1026 | } | | 1026 | } |
1027 | | | 1027 | |
1028 | i=ssl_verify_cert_chain(s,sk); | | 1028 | i=ssl_verify_cert_chain(s,sk); |
1029 | if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) | | 1029 | if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) |
1030 | #ifndef OPENSSL_NO_KRB5 | | 1030 | #ifndef OPENSSL_NO_KRB5 |
1031 | && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && | | 1031 | && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && |
1032 | (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) | | 1032 | (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) |
1033 | #endif /* OPENSSL_NO_KRB5 */ | | 1033 | #endif /* OPENSSL_NO_KRB5 */ |
1034 | ) | | 1034 | ) |
1035 | { | | 1035 | { |
1036 | al=ssl_verify_alarm_type(s->verify_result); | | 1036 | al=ssl_verify_alarm_type(s->verify_result); |
1037 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); | | 1037 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); |
1038 | goto f_err; | | 1038 | goto f_err; |
1039 | } | | 1039 | } |
1040 | ERR_clear_error(); /* but we keep s->verify_result */ | | 1040 | ERR_clear_error(); /* but we keep s->verify_result */ |
1041 | | | 1041 | |
1042 | sc=ssl_sess_cert_new(); | | 1042 | sc=ssl_sess_cert_new(); |
1043 | if (sc == NULL) goto err; | | 1043 | if (sc == NULL) goto err; |
1044 | | | 1044 | |
1045 | if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); | | 1045 | if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); |
1046 | s->session->sess_cert=sc; | | 1046 | s->session->sess_cert=sc; |
1047 | | | 1047 | |
1048 | sc->cert_chain=sk; | | 1048 | sc->cert_chain=sk; |
1049 | /* Inconsistency alert: cert_chain does include the peer's | | 1049 | /* Inconsistency alert: cert_chain does include the peer's |
1050 | * certificate, which we don't include in s3_srvr.c */ | | 1050 | * certificate, which we don't include in s3_srvr.c */ |
1051 | x=sk_X509_value(sk,0); | | 1051 | x=sk_X509_value(sk,0); |
1052 | sk=NULL; | | 1052 | sk=NULL; |
1053 | /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ | | 1053 | /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ |
1054 | | | 1054 | |
1055 | pkey=X509_get_pubkey(x); | | 1055 | pkey=X509_get_pubkey(x); |
1056 | | | 1056 | |
1057 | /* VRS: allow null cert if auth == KRB5 */ | | 1057 | /* VRS: allow null cert if auth == KRB5 */ |
1058 | need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && | | 1058 | need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && |
1059 | (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) | | 1059 | (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) |
1060 | ? 0 : 1; | | 1060 | ? 0 : 1; |
1061 | | | 1061 | |
1062 | #ifdef KSSL_DEBUG | | 1062 | #ifdef KSSL_DEBUG |
1063 | printf("pkey,x = %p, %p\n", pkey,x); | | 1063 | printf("pkey,x = %p, %p\n", pkey,x); |
1064 | printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); | | 1064 | printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); |
1065 | printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, | | 1065 | printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, |
1066 | s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); | | 1066 | s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); |
1067 | #endif /* KSSL_DEBUG */ | | 1067 | #endif /* KSSL_DEBUG */ |
1068 | | | 1068 | |
1069 | if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) | | 1069 | if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) |
1070 | { | | 1070 | { |
1071 | x=NULL; | | 1071 | x=NULL; |
1072 | al=SSL3_AL_FATAL; | | 1072 | al=SSL3_AL_FATAL; |
1073 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | | 1073 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, |
1074 | SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); | | 1074 | SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); |
1075 | goto f_err; | | 1075 | goto f_err; |
1076 | } | | 1076 | } |
1077 | | | 1077 | |
1078 | i=ssl_cert_type(x,pkey); | | 1078 | i=ssl_cert_type(x,pkey); |
1079 | if (need_cert && i < 0) | | 1079 | if (need_cert && i < 0) |
1080 | { | | 1080 | { |
1081 | x=NULL; | | 1081 | x=NULL; |
1082 | al=SSL3_AL_FATAL; | | 1082 | al=SSL3_AL_FATAL; |
1083 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | | 1083 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, |
1084 | SSL_R_UNKNOWN_CERTIFICATE_TYPE); | | 1084 | SSL_R_UNKNOWN_CERTIFICATE_TYPE); |
1085 | goto f_err; | | 1085 | goto f_err; |
1086 | } | | 1086 | } |
1087 | | | 1087 | |
1088 | if (need_cert) | | 1088 | if (need_cert) |
1089 | { | | 1089 | { |
1090 | sc->peer_cert_type=i; | | 1090 | sc->peer_cert_type=i; |
1091 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); | | 1091 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); |
1092 | /* Why would the following ever happen? | | 1092 | /* Why would the following ever happen? |
1093 | * We just created sc a couple of lines ago. */ | | 1093 | * We just created sc a couple of lines ago. */ |
1094 | if (sc->peer_pkeys[i].x509 != NULL) | | 1094 | if (sc->peer_pkeys[i].x509 != NULL) |
1095 | X509_free(sc->peer_pkeys[i].x509); | | 1095 | X509_free(sc->peer_pkeys[i].x509); |
1096 | sc->peer_pkeys[i].x509=x; | | 1096 | sc->peer_pkeys[i].x509=x; |
1097 | sc->peer_key= &(sc->peer_pkeys[i]); | | 1097 | sc->peer_key= &(sc->peer_pkeys[i]); |
1098 | | | 1098 | |
1099 | if (s->session->peer != NULL) | | 1099 | if (s->session->peer != NULL) |
1100 | X509_free(s->session->peer); | | 1100 | X509_free(s->session->peer); |
1101 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); | | 1101 | CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); |
1102 | s->session->peer=x; | | 1102 | s->session->peer=x; |
1103 | } | | 1103 | } |
1104 | else | | 1104 | else |
1105 | { | | 1105 | { |
1106 | sc->peer_cert_type=i; | | 1106 | sc->peer_cert_type=i; |
1107 | sc->peer_key= NULL; | | 1107 | sc->peer_key= NULL; |
1108 | | | 1108 | |
1109 | if (s->session->peer != NULL) | | 1109 | if (s->session->peer != NULL) |
1110 | X509_free(s->session->peer); | | 1110 | X509_free(s->session->peer); |
1111 | s->session->peer=NULL; | | 1111 | s->session->peer=NULL; |
1112 | } | | 1112 | } |
1113 | s->session->verify_result = s->verify_result; | | 1113 | s->session->verify_result = s->verify_result; |
1114 | | | 1114 | |
1115 | x=NULL; | | 1115 | x=NULL; |
1116 | ret=1; | | 1116 | ret=1; |
1117 | | | 1117 | |
1118 | if (0) | | 1118 | if (0) |
1119 | { | | 1119 | { |
1120 | f_err: | | 1120 | f_err: |
1121 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | | 1121 | ssl3_send_alert(s,SSL3_AL_FATAL,al); |
1122 | } | | 1122 | } |
1123 | err: | | 1123 | err: |
1124 | EVP_PKEY_free(pkey); | | 1124 | EVP_PKEY_free(pkey); |
1125 | X509_free(x); | | 1125 | X509_free(x); |
1126 | sk_X509_pop_free(sk,X509_free); | | 1126 | sk_X509_pop_free(sk,X509_free); |
1127 | return(ret); | | 1127 | return(ret); |
1128 | } | | 1128 | } |
1129 | | | 1129 | |
1130 | int ssl3_get_key_exchange(SSL *s) | | 1130 | int ssl3_get_key_exchange(SSL *s) |
1131 | { | | 1131 | { |
1132 | #ifndef OPENSSL_NO_RSA | | 1132 | #ifndef OPENSSL_NO_RSA |
1133 | unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; | | 1133 | unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; |
1134 | #endif | | 1134 | #endif |
1135 | EVP_MD_CTX md_ctx; | | 1135 | EVP_MD_CTX md_ctx; |
1136 | unsigned char *param,*p; | | 1136 | unsigned char *param,*p; |
1137 | int al,i,j,param_len,ok; | | 1137 | int al,i,j,param_len,ok; |
1138 | long n,alg_k,alg_a; | | 1138 | long n,alg_k,alg_a; |
1139 | EVP_PKEY *pkey=NULL; | | 1139 | EVP_PKEY *pkey=NULL; |
1140 | #ifndef OPENSSL_NO_RSA | | 1140 | #ifndef OPENSSL_NO_RSA |
1141 | RSA *rsa=NULL; | | 1141 | RSA *rsa=NULL; |
1142 | #endif | | 1142 | #endif |
1143 | #ifndef OPENSSL_NO_DH | | 1143 | #ifndef OPENSSL_NO_DH |
1144 | DH *dh=NULL; | | 1144 | DH *dh=NULL; |
1145 | #endif | | 1145 | #endif |
1146 | #ifndef OPENSSL_NO_ECDH | | 1146 | #ifndef OPENSSL_NO_ECDH |
1147 | EC_KEY *ecdh = NULL; | | 1147 | EC_KEY *ecdh = NULL; |
1148 | BN_CTX *bn_ctx = NULL; | | 1148 | BN_CTX *bn_ctx = NULL; |
1149 | EC_POINT *srvr_ecpoint = NULL; | | 1149 | EC_POINT *srvr_ecpoint = NULL; |
1150 | int curve_nid = 0; | | 1150 | int curve_nid = 0; |
1151 | int encoded_pt_len = 0; | | 1151 | int encoded_pt_len = 0; |
1152 | #endif | | 1152 | #endif |
1153 | | | 1153 | |
1154 | /* use same message size as in ssl3_get_certificate_request() | | 1154 | /* use same message size as in ssl3_get_certificate_request() |
1155 | * as ServerKeyExchange message may be skipped */ | | 1155 | * as ServerKeyExchange message may be skipped */ |
1156 | n=s->method->ssl_get_message(s, | | 1156 | n=s->method->ssl_get_message(s, |
1157 | SSL3_ST_CR_KEY_EXCH_A, | | 1157 | SSL3_ST_CR_KEY_EXCH_A, |
1158 | SSL3_ST_CR_KEY_EXCH_B, | | 1158 | SSL3_ST_CR_KEY_EXCH_B, |
1159 | -1, | | 1159 | -1, |
1160 | s->max_cert_list, | | 1160 | s->max_cert_list, |
1161 | &ok); | | 1161 | &ok); |
1162 | if (!ok) return((int)n); | | 1162 | if (!ok) return((int)n); |
1163 | | | 1163 | |
1164 | if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) | | 1164 | if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) |
1165 | { | | 1165 | { |
1166 | #ifndef OPENSSL_NO_PSK | | 1166 | #ifndef OPENSSL_NO_PSK |
1167 | /* In plain PSK ciphersuite, ServerKeyExchange can be | | 1167 | /* In plain PSK ciphersuite, ServerKeyExchange can be |
1168 | omitted if no identity hint is sent. Set | | 1168 | omitted if no identity hint is sent. Set |
1169 | session->sess_cert anyway to avoid problems | | 1169 | session->sess_cert anyway to avoid problems |
1170 | later.*/ | | 1170 | later.*/ |
1171 | if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) | | 1171 | if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) |
1172 | { | | 1172 | { |
1173 | s->session->sess_cert=ssl_sess_cert_new(); | | 1173 | s->session->sess_cert=ssl_sess_cert_new(); |
1174 | if (s->ctx->psk_identity_hint) | | 1174 | if (s->ctx->psk_identity_hint) |
1175 | OPENSSL_free(s->ctx->psk_identity_hint); | | 1175 | OPENSSL_free(s->ctx->psk_identity_hint); |
1176 | s->ctx->psk_identity_hint = NULL; | | 1176 | s->ctx->psk_identity_hint = NULL; |
1177 | } | | 1177 | } |
1178 | #endif | | 1178 | #endif |
1179 | s->s3->tmp.reuse_message=1; | | 1179 | s->s3->tmp.reuse_message=1; |
1180 | return(1); | | 1180 | return(1); |
1181 | } | | 1181 | } |
1182 | | | 1182 | |
1183 | param=p=(unsigned char *)s->init_msg; | | 1183 | param=p=(unsigned char *)s->init_msg; |
1184 | if (s->session->sess_cert != NULL) | | 1184 | if (s->session->sess_cert != NULL) |
1185 | { | | 1185 | { |
1186 | #ifndef OPENSSL_NO_RSA | | 1186 | #ifndef OPENSSL_NO_RSA |
1187 | if (s->session->sess_cert->peer_rsa_tmp != NULL) | | 1187 | if (s->session->sess_cert->peer_rsa_tmp != NULL) |
1188 | { | | 1188 | { |
1189 | RSA_free(s->session->sess_cert->peer_rsa_tmp); | | 1189 | RSA_free(s->session->sess_cert->peer_rsa_tmp); |
1190 | s->session->sess_cert->peer_rsa_tmp=NULL; | | 1190 | s->session->sess_cert->peer_rsa_tmp=NULL; |
1191 | } | | 1191 | } |
1192 | #endif | | 1192 | #endif |
1193 | #ifndef OPENSSL_NO_DH | | 1193 | #ifndef OPENSSL_NO_DH |
1194 | if (s->session->sess_cert->peer_dh_tmp) | | 1194 | if (s->session->sess_cert->peer_dh_tmp) |
1195 | { | | 1195 | { |
1196 | DH_free(s->session->sess_cert->peer_dh_tmp); | | 1196 | DH_free(s->session->sess_cert->peer_dh_tmp); |
1197 | s->session->sess_cert->peer_dh_tmp=NULL; | | 1197 | s->session->sess_cert->peer_dh_tmp=NULL; |
1198 | } | | 1198 | } |
1199 | #endif | | 1199 | #endif |
1200 | #ifndef OPENSSL_NO_ECDH | | 1200 | #ifndef OPENSSL_NO_ECDH |
1201 | if (s->session->sess_cert->peer_ecdh_tmp) | | 1201 | if (s->session->sess_cert->peer_ecdh_tmp) |
1202 | { | | 1202 | { |
1203 | EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); | | 1203 | EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); |
1204 | s->session->sess_cert->peer_ecdh_tmp=NULL; | | 1204 | s->session->sess_cert->peer_ecdh_tmp=NULL; |
1205 | } | | 1205 | } |
1206 | #endif | | 1206 | #endif |
1207 | } | | 1207 | } |
1208 | else | | 1208 | else |
1209 | { | | 1209 | { |
1210 | s->session->sess_cert=ssl_sess_cert_new(); | | 1210 | s->session->sess_cert=ssl_sess_cert_new(); |
1211 | } | | 1211 | } |
1212 | | | 1212 | |
1213 | param_len=0; | | 1213 | param_len=0; |
1214 | alg_k=s->s3->tmp.new_cipher->algorithm_mkey; | | 1214 | alg_k=s->s3->tmp.new_cipher->algorithm_mkey; |
1215 | alg_a=s->s3->tmp.new_cipher->algorithm_auth; | | 1215 | alg_a=s->s3->tmp.new_cipher->algorithm_auth; |
1216 | EVP_MD_CTX_init(&md_ctx); | | 1216 | EVP_MD_CTX_init(&md_ctx); |
1217 | | | 1217 | |
1218 | #ifndef OPENSSL_NO_PSK | | 1218 | #ifndef OPENSSL_NO_PSK |
1219 | if (alg_k & SSL_kPSK) | | 1219 | if (alg_k & SSL_kPSK) |
1220 | { | | 1220 | { |
1221 | char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; | | 1221 | char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; |
1222 | | | 1222 | |
1223 | al=SSL_AD_HANDSHAKE_FAILURE; | | 1223 | al=SSL_AD_HANDSHAKE_FAILURE; |
1224 | n2s(p,i); | | 1224 | n2s(p,i); |
1225 | param_len=i+2; | | 1225 | param_len=i+2; |
1226 | /* Store PSK identity hint for later use, hint is used | | 1226 | /* Store PSK identity hint for later use, hint is used |
1227 | * in ssl3_send_client_key_exchange. Assume that the | | 1227 | * in ssl3_send_client_key_exchange. Assume that the |
1228 | * maximum length of a PSK identity hint can be as | | 1228 | * maximum length of a PSK identity hint can be as |
1229 | * long as the maximum length of a PSK identity. */ | | 1229 | * long as the maximum length of a PSK identity. */ |
1230 | if (i > PSK_MAX_IDENTITY_LEN) | | 1230 | if (i > PSK_MAX_IDENTITY_LEN) |
1231 | { | | 1231 | { |
1232 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, | | 1232 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, |
1233 | SSL_R_DATA_LENGTH_TOO_LONG); | | 1233 | SSL_R_DATA_LENGTH_TOO_LONG); |
1234 | goto f_err; | | 1234 | goto f_err; |
1235 | } | | 1235 | } |
1236 | if (param_len > n) | | 1236 | if (param_len > n) |
1237 | { | | 1237 | { |
1238 | al=SSL_AD_DECODE_ERROR; | | 1238 | al=SSL_AD_DECODE_ERROR; |
1239 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, | | 1239 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, |
1240 | SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); | | 1240 | SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); |
1241 | goto f_err; | | 1241 | goto f_err; |
1242 | } | | 1242 | } |
1243 | /* If received PSK identity hint contains NULL | | 1243 | /* If received PSK identity hint contains NULL |
1244 | * characters, the hint is truncated from the first | | 1244 | * characters, the hint is truncated from the first |
1245 | * NULL. p may not be ending with NULL, so create a | | 1245 | * NULL. p may not be ending with NULL, so create a |
1246 | * NULL-terminated string. */ | | 1246 | * NULL-terminated string. */ |
1247 | memcpy(tmp_id_hint, p, i); | | 1247 | memcpy(tmp_id_hint, p, i); |
1248 | memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); | | 1248 | memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); |
1249 | if (s->ctx->psk_identity_hint != NULL) | | 1249 | if (s->ctx->psk_identity_hint != NULL) |
1250 | OPENSSL_free(s->ctx->psk_identity_hint); | | 1250 | OPENSSL_free(s->ctx->psk_identity_hint); |
1251 | s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); | | 1251 | s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); |
1252 | if (s->ctx->psk_identity_hint == NULL) | | 1252 | if (s->ctx->psk_identity_hint == NULL) |
1253 | { | | 1253 | { |
1254 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); | | 1254 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); |
1255 | goto f_err; | | 1255 | goto f_err; |
1256 | } | | 1256 | } |
1257 | | | 1257 | |
1258 | p+=i; | | 1258 | p+=i; |
1259 | n-=param_len; | | 1259 | n-=param_len; |
1260 | } | | 1260 | } |
1261 | else | | 1261 | else |
1262 | #endif /* !OPENSSL_NO_PSK */ | | 1262 | #endif /* !OPENSSL_NO_PSK */ |
1263 | #ifndef OPENSSL_NO_RSA | | 1263 | #ifndef OPENSSL_NO_RSA |
1264 | if (alg_k & SSL_kRSA) | | 1264 | if (alg_k & SSL_kRSA) |
1265 | { | | 1265 | { |
1266 | if ((rsa=RSA_new()) == NULL) | | 1266 | if ((rsa=RSA_new()) == NULL) |
1267 | { | | 1267 | { |
1268 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | | 1268 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); |
1269 | goto err; | | 1269 | goto err; |
1270 | } | | 1270 | } |
1271 | n2s(p,i); | | 1271 | n2s(p,i); |
1272 | param_len=i+2; | | 1272 | param_len=i+2; |
1273 | if (param_len > n) | | 1273 | if (param_len > n) |
1274 | { | | 1274 | { |
1275 | al=SSL_AD_DECODE_ERROR; | | 1275 | al=SSL_AD_DECODE_ERROR; |
1276 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); | | 1276 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); |
1277 | goto f_err; | | 1277 | goto f_err; |
1278 | } | | 1278 | } |
1279 | if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) | | 1279 | if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) |
1280 | { | | 1280 | { |
1281 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | | 1281 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); |
1282 | goto err; | | 1282 | goto err; |
1283 | } | | 1283 | } |
1284 | p+=i; | | 1284 | p+=i; |
1285 | | | 1285 | |
1286 | n2s(p,i); | | 1286 | n2s(p,i); |
1287 | param_len+=i+2; | | 1287 | param_len+=i+2; |
1288 | if (param_len > n) | | 1288 | if (param_len > n) |
1289 | { | | 1289 | { |
1290 | al=SSL_AD_DECODE_ERROR; | | 1290 | al=SSL_AD_DECODE_ERROR; |
1291 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); | | 1291 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); |
1292 | goto f_err; | | 1292 | goto f_err; |
1293 | } | | 1293 | } |
1294 | if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) | | 1294 | if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) |
1295 | { | | 1295 | { |
1296 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | | 1296 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); |
1297 | goto err; | | 1297 | goto err; |
1298 | } | | 1298 | } |
1299 | p+=i; | | 1299 | p+=i; |
1300 | n-=param_len; | | 1300 | n-=param_len; |
1301 | | | 1301 | |
1302 | /* this should be because we are using an export cipher */ | | 1302 | /* this should be because we are using an export cipher */ |
1303 | if (alg_a & SSL_aRSA) | | 1303 | if (alg_a & SSL_aRSA) |
1304 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | | 1304 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); |
1305 | else | | 1305 | else |
1306 | { | | 1306 | { |
1307 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | | 1307 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); |
1308 | goto err; | | 1308 | goto err; |
1309 | } | | 1309 | } |
1310 | s->session->sess_cert->peer_rsa_tmp=rsa; | | 1310 | s->session->sess_cert->peer_rsa_tmp=rsa; |
1311 | rsa=NULL; | | 1311 | rsa=NULL; |
1312 | } | | 1312 | } |
1313 | #else /* OPENSSL_NO_RSA */ | | 1313 | #else /* OPENSSL_NO_RSA */ |
1314 | if (0) | | 1314 | if (0) |
1315 | ; | | 1315 | ; |
1316 | #endif | | 1316 | #endif |
1317 | #ifndef OPENSSL_NO_DH | | 1317 | #ifndef OPENSSL_NO_DH |
1318 | else if (alg_k & SSL_kEDH) | | 1318 | else if (alg_k & SSL_kEDH) |
1319 | { | | 1319 | { |
1320 | if ((dh=DH_new()) == NULL) | | 1320 | if ((dh=DH_new()) == NULL) |
1321 | { | | 1321 | { |
1322 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); | | 1322 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); |
1323 | goto err; | | 1323 | goto err; |
1324 | } | | 1324 | } |
1325 | n2s(p,i); | | 1325 | n2s(p,i); |
1326 | param_len=i+2; | | 1326 | param_len=i+2; |
1327 | if (param_len > n) | | 1327 | if (param_len > n) |
1328 | { | | 1328 | { |
1329 | al=SSL_AD_DECODE_ERROR; | | 1329 | al=SSL_AD_DECODE_ERROR; |
1330 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); | | 1330 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); |
1331 | goto f_err; | | 1331 | goto f_err; |
1332 | } | | 1332 | } |
1333 | if (!(dh->p=BN_bin2bn(p,i,NULL))) | | 1333 | if (!(dh->p=BN_bin2bn(p,i,NULL))) |
1334 | { | | 1334 | { |
1335 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | | 1335 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); |
1336 | goto err; | | 1336 | goto err; |
1337 | } | | 1337 | } |
1338 | p+=i; | | 1338 | p+=i; |
1339 | | | 1339 | |
1340 | n2s(p,i); | | 1340 | n2s(p,i); |
1341 | param_len+=i+2; | | 1341 | param_len+=i+2; |
1342 | if (param_len > n) | | 1342 | if (param_len > n) |
1343 | { | | 1343 | { |
1344 | al=SSL_AD_DECODE_ERROR; | | 1344 | al=SSL_AD_DECODE_ERROR; |
1345 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); | | 1345 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); |
1346 | goto f_err; | | 1346 | goto f_err; |
1347 | } | | 1347 | } |
1348 | if (!(dh->g=BN_bin2bn(p,i,NULL))) | | 1348 | if (!(dh->g=BN_bin2bn(p,i,NULL))) |
1349 | { | | 1349 | { |
1350 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | | 1350 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); |
1351 | goto err; | | 1351 | goto err; |
1352 | } | | 1352 | } |
1353 | p+=i; | | 1353 | p+=i; |
1354 | | | 1354 | |
1355 | n2s(p,i); | | 1355 | n2s(p,i); |
1356 | param_len+=i+2; | | 1356 | param_len+=i+2; |
1357 | if (param_len > n) | | 1357 | if (param_len > n) |
1358 | { | | 1358 | { |
1359 | al=SSL_AD_DECODE_ERROR; | | 1359 | al=SSL_AD_DECODE_ERROR; |
1360 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); | | 1360 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); |
1361 | goto f_err; | | 1361 | goto f_err; |
1362 | } | | 1362 | } |
1363 | if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) | | 1363 | if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) |
1364 | { | | 1364 | { |
1365 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); | | 1365 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); |
1366 | goto err; | | 1366 | goto err; |
1367 | } | | 1367 | } |
1368 | p+=i; | | 1368 | p+=i; |
1369 | n-=param_len; | | 1369 | n-=param_len; |
1370 | | | 1370 | |
1371 | #ifndef OPENSSL_NO_RSA | | 1371 | #ifndef OPENSSL_NO_RSA |
1372 | if (alg_a & SSL_aRSA) | | 1372 | if (alg_a & SSL_aRSA) |
1373 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | | 1373 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); |
1374 | #else | | 1374 | #else |
1375 | if (0) | | 1375 | if (0) |
1376 | ; | | 1376 | ; |
1377 | #endif | | 1377 | #endif |
1378 | #ifndef OPENSSL_NO_DSA | | 1378 | #ifndef OPENSSL_NO_DSA |
1379 | else if (alg_a & SSL_aDSS) | | 1379 | else if (alg_a & SSL_aDSS) |
1380 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); | | 1380 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); |
1381 | #endif | | 1381 | #endif |
1382 | /* else anonymous DH, so no certificate or pkey. */ | | 1382 | /* else anonymous DH, so no certificate or pkey. */ |
1383 | | | 1383 | |
1384 | s->session->sess_cert->peer_dh_tmp=dh; | | 1384 | s->session->sess_cert->peer_dh_tmp=dh; |
1385 | dh=NULL; | | 1385 | dh=NULL; |
1386 | } | | 1386 | } |
1387 | else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) | | 1387 | else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) |
1388 | { | | 1388 | { |
1389 | al=SSL_AD_ILLEGAL_PARAMETER; | | 1389 | al=SSL_AD_ILLEGAL_PARAMETER; |
1390 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); | | 1390 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); |
1391 | goto f_err; | | 1391 | goto f_err; |
1392 | } | | 1392 | } |
1393 | #endif /* !OPENSSL_NO_DH */ | | 1393 | #endif /* !OPENSSL_NO_DH */ |
1394 | | | 1394 | |
1395 | #ifndef OPENSSL_NO_ECDH | | 1395 | #ifndef OPENSSL_NO_ECDH |
1396 | else if (alg_k & SSL_kEECDH) | | 1396 | else if (alg_k & SSL_kEECDH) |
1397 | { | | 1397 | { |
1398 | EC_GROUP *ngroup; | | 1398 | EC_GROUP *ngroup; |
1399 | const EC_GROUP *group; | | 1399 | const EC_GROUP *group; |
1400 | | | 1400 | |
1401 | if ((ecdh=EC_KEY_new()) == NULL) | | 1401 | if ((ecdh=EC_KEY_new()) == NULL) |
1402 | { | | 1402 | { |
1403 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | | 1403 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); |
1404 | goto err; | | 1404 | goto err; |
1405 | } | | 1405 | } |
1406 | | | 1406 | |
1407 | /* Extract elliptic curve parameters and the | | 1407 | /* Extract elliptic curve parameters and the |
1408 | * server's ephemeral ECDH public key. | | 1408 | * server's ephemeral ECDH public key. |
1409 | * Keep accumulating lengths of various components in | | 1409 | * Keep accumulating lengths of various components in |
1410 | * param_len and make sure it never exceeds n. | | 1410 | * param_len and make sure it never exceeds n. |
1411 | */ | | 1411 | */ |
1412 | | | 1412 | |
1413 | /* XXX: For now we only support named (not generic) curves | | 1413 | /* XXX: For now we only support named (not generic) curves |
1414 | * and the ECParameters in this case is just three bytes. | | 1414 | * and the ECParameters in this case is just three bytes. |
1415 | */ | | 1415 | */ |
1416 | param_len=3; | | 1416 | param_len=3; |
1417 | if ((param_len > n) || | | 1417 | if ((param_len > n) || |
1418 | (*p != NAMED_CURVE_TYPE) || | | 1418 | (*p != NAMED_CURVE_TYPE) || |
1419 | ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) | | 1419 | ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) |
1420 | { | | 1420 | { |
1421 | al=SSL_AD_INTERNAL_ERROR; | | 1421 | al=SSL_AD_INTERNAL_ERROR; |
1422 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); | | 1422 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); |
1423 | goto f_err; | | 1423 | goto f_err; |
1424 | } | | 1424 | } |
1425 | | | 1425 | |
1426 | ngroup = EC_GROUP_new_by_curve_name(curve_nid); | | 1426 | ngroup = EC_GROUP_new_by_curve_name(curve_nid); |
1427 | if (ngroup == NULL) | | 1427 | if (ngroup == NULL) |
1428 | { | | 1428 | { |
1429 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); | | 1429 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); |
1430 | goto err; | | 1430 | goto err; |
1431 | } | | 1431 | } |
1432 | if (EC_KEY_set_group(ecdh, ngroup) == 0) | | 1432 | if (EC_KEY_set_group(ecdh, ngroup) == 0) |
1433 | { | | 1433 | { |
1434 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); | | 1434 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); |
1435 | goto err; | | 1435 | goto err; |
1436 | } | | 1436 | } |
1437 | EC_GROUP_free(ngroup); | | 1437 | EC_GROUP_free(ngroup); |
1438 | | | 1438 | |
1439 | group = EC_KEY_get0_group(ecdh); | | 1439 | group = EC_KEY_get0_group(ecdh); |
1440 | | | 1440 | |
1441 | if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && | | 1441 | if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && |
1442 | (EC_GROUP_get_degree(group) > 163)) | | 1442 | (EC_GROUP_get_degree(group) > 163)) |
1443 | { | | 1443 | { |
1444 | al=SSL_AD_EXPORT_RESTRICTION; | | 1444 | al=SSL_AD_EXPORT_RESTRICTION; |
1445 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); | | 1445 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); |
1446 | goto f_err; | | 1446 | goto f_err; |
1447 | } | | 1447 | } |
1448 | | | 1448 | |
1449 | p+=3; | | 1449 | p+=3; |
1450 | | | 1450 | |
1451 | /* Next, get the encoded ECPoint */ | | 1451 | /* Next, get the encoded ECPoint */ |
1452 | if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || | | 1452 | if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || |
1453 | ((bn_ctx = BN_CTX_new()) == NULL)) | | 1453 | ((bn_ctx = BN_CTX_new()) == NULL)) |
1454 | { | | 1454 | { |
1455 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | | 1455 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); |
1456 | goto err; | | 1456 | goto err; |
1457 | } | | 1457 | } |
1458 | | | 1458 | |
1459 | encoded_pt_len = *p; /* length of encoded point */ | | 1459 | encoded_pt_len = *p; /* length of encoded point */ |
1460 | p+=1; | | 1460 | p+=1; |
1461 | param_len += (1 + encoded_pt_len); | | 1461 | param_len += (1 + encoded_pt_len); |
1462 | if ((param_len > n) || | | 1462 | if ((param_len > n) || |
1463 | (EC_POINT_oct2point(group, srvr_ecpoint, | | 1463 | (EC_POINT_oct2point(group, srvr_ecpoint, |
1464 | p, encoded_pt_len, bn_ctx) == 0)) | | 1464 | p, encoded_pt_len, bn_ctx) == 0)) |
1465 | { | | 1465 | { |
1466 | al=SSL_AD_DECODE_ERROR; | | 1466 | al=SSL_AD_DECODE_ERROR; |
1467 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); | | 1467 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); |
1468 | goto f_err; | | 1468 | goto f_err; |
1469 | } | | 1469 | } |
1470 | | | 1470 | |
1471 | n-=param_len; | | 1471 | n-=param_len; |
1472 | p+=encoded_pt_len; | | 1472 | p+=encoded_pt_len; |
1473 | | | 1473 | |
1474 | /* The ECC/TLS specification does not mention | | 1474 | /* The ECC/TLS specification does not mention |
1475 | * the use of DSA to sign ECParameters in the server | | 1475 | * the use of DSA to sign ECParameters in the server |
1476 | * key exchange message. We do support RSA and ECDSA. | | 1476 | * key exchange message. We do support RSA and ECDSA. |
1477 | */ | | 1477 | */ |
1478 | if (0) ; | | 1478 | if (0) ; |
1479 | #ifndef OPENSSL_NO_RSA | | 1479 | #ifndef OPENSSL_NO_RSA |
1480 | else if (alg_a & SSL_aRSA) | | 1480 | else if (alg_a & SSL_aRSA) |
1481 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | | 1481 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); |
1482 | #endif | | 1482 | #endif |
1483 | #ifndef OPENSSL_NO_ECDSA | | 1483 | #ifndef OPENSSL_NO_ECDSA |
1484 | else if (alg_a & SSL_aECDSA) | | 1484 | else if (alg_a & SSL_aECDSA) |
1485 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); | | 1485 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); |
1486 | #endif | | 1486 | #endif |
1487 | /* else anonymous ECDH, so no certificate or pkey. */ | | 1487 | /* else anonymous ECDH, so no certificate or pkey. */ |
1488 | EC_KEY_set_public_key(ecdh, srvr_ecpoint); | | 1488 | EC_KEY_set_public_key(ecdh, srvr_ecpoint); |
1489 | s->session->sess_cert->peer_ecdh_tmp=ecdh; | | 1489 | s->session->sess_cert->peer_ecdh_tmp=ecdh; |
1490 | ecdh=NULL; | | 1490 | ecdh=NULL; |
1491 | BN_CTX_free(bn_ctx); | | 1491 | BN_CTX_free(bn_ctx); |
| | | 1492 | bn_ctx = NULL; |
1492 | EC_POINT_free(srvr_ecpoint); | | 1493 | EC_POINT_free(srvr_ecpoint); |
1493 | srvr_ecpoint = NULL; | | 1494 | srvr_ecpoint = NULL; |
1494 | } | | 1495 | } |
1495 | else if (alg_k) | | 1496 | else if (alg_k) |
1496 | { | | 1497 | { |
1497 | al=SSL_AD_UNEXPECTED_MESSAGE; | | 1498 | al=SSL_AD_UNEXPECTED_MESSAGE; |
1498 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); | | 1499 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); |
1499 | goto f_err; | | 1500 | goto f_err; |
1500 | } | | 1501 | } |
1501 | #endif /* !OPENSSL_NO_ECDH */ | | 1502 | #endif /* !OPENSSL_NO_ECDH */ |
1502 | | | 1503 | |
1503 | | | 1504 | |
1504 | /* p points to the next byte, there are 'n' bytes left */ | | 1505 | /* p points to the next byte, there are 'n' bytes left */ |
1505 | | | 1506 | |
1506 | /* if it was signed, check the signature */ | | 1507 | /* if it was signed, check the signature */ |
1507 | if (pkey != NULL) | | 1508 | if (pkey != NULL) |
1508 | { | | 1509 | { |
1509 | n2s(p,i); | | 1510 | n2s(p,i); |
1510 | n-=2; | | 1511 | n-=2; |
1511 | j=EVP_PKEY_size(pkey); | | 1512 | j=EVP_PKEY_size(pkey); |
1512 | | | 1513 | |
1513 | if ((i != n) || (n > j) || (n <= 0)) | | 1514 | if ((i != n) || (n > j) || (n <= 0)) |
1514 | { | | 1515 | { |
1515 | /* wrong packet length */ | | 1516 | /* wrong packet length */ |
1516 | al=SSL_AD_DECODE_ERROR; | | 1517 | al=SSL_AD_DECODE_ERROR; |
1517 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); | | 1518 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); |
1518 | goto f_err; | | 1519 | goto f_err; |
1519 | } | | 1520 | } |
1520 | | | 1521 | |
1521 | #ifndef OPENSSL_NO_RSA | | 1522 | #ifndef OPENSSL_NO_RSA |
1522 | if (pkey->type == EVP_PKEY_RSA) | | 1523 | if (pkey->type == EVP_PKEY_RSA) |
1523 | { | | 1524 | { |
1524 | int num; | | 1525 | int num; |
1525 | | | 1526 | |
1526 | j=0; | | 1527 | j=0; |
1527 | q=md_buf; | | 1528 | q=md_buf; |
1528 | for (num=2; num > 0; num--) | | 1529 | for (num=2; num > 0; num--) |
1529 | { | | 1530 | { |
1530 | EVP_DigestInit_ex(&md_ctx,(num == 2) | | 1531 | EVP_DigestInit_ex(&md_ctx,(num == 2) |
1531 | ?s->ctx->md5:s->ctx->sha1, NULL); | | 1532 | ?s->ctx->md5:s->ctx->sha1, NULL); |
1532 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | | 1533 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
1533 | EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | | 1534 | EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); |
1534 | EVP_DigestUpdate(&md_ctx,param,param_len); | | 1535 | EVP_DigestUpdate(&md_ctx,param,param_len); |
1535 | EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); | | 1536 | EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); |
1536 | q+=i; | | 1537 | q+=i; |
1537 | j+=i; | | 1538 | j+=i; |
1538 | } | | 1539 | } |
1539 | i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, | | 1540 | i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, |
1540 | pkey->pkey.rsa); | | 1541 | pkey->pkey.rsa); |
1541 | if (i < 0) | | 1542 | if (i < 0) |
1542 | { | | 1543 | { |
1543 | al=SSL_AD_DECRYPT_ERROR; | | 1544 | al=SSL_AD_DECRYPT_ERROR; |
1544 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); | | 1545 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); |
1545 | goto f_err; | | 1546 | goto f_err; |
1546 | } | | 1547 | } |
1547 | if (i == 0) | | 1548 | if (i == 0) |
1548 | { | | 1549 | { |
1549 | /* bad signature */ | | 1550 | /* bad signature */ |
1550 | al=SSL_AD_DECRYPT_ERROR; | | 1551 | al=SSL_AD_DECRYPT_ERROR; |
1551 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); | | 1552 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); |
1552 | goto f_err; | | 1553 | goto f_err; |
1553 | } | | 1554 | } |
1554 | } | | 1555 | } |
1555 | else | | 1556 | else |
1556 | #endif | | 1557 | #endif |
1557 | #ifndef OPENSSL_NO_DSA | | 1558 | #ifndef OPENSSL_NO_DSA |
1558 | if (pkey->type == EVP_PKEY_DSA) | | 1559 | if (pkey->type == EVP_PKEY_DSA) |
1559 | { | | 1560 | { |
1560 | /* lets do DSS */ | | 1561 | /* lets do DSS */ |
1561 | EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); | | 1562 | EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); |
1562 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | | 1563 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
1563 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | | 1564 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); |
1564 | EVP_VerifyUpdate(&md_ctx,param,param_len); | | 1565 | EVP_VerifyUpdate(&md_ctx,param,param_len); |
1565 | if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) | | 1566 | if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) |
1566 | { | | 1567 | { |
1567 | /* bad signature */ | | 1568 | /* bad signature */ |
1568 | al=SSL_AD_DECRYPT_ERROR; | | 1569 | al=SSL_AD_DECRYPT_ERROR; |
1569 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); | | 1570 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); |
1570 | goto f_err; | | 1571 | goto f_err; |
1571 | } | | 1572 | } |
1572 | } | | 1573 | } |
1573 | else | | 1574 | else |
1574 | #endif | | 1575 | #endif |
1575 | #ifndef OPENSSL_NO_ECDSA | | 1576 | #ifndef OPENSSL_NO_ECDSA |
1576 | if (pkey->type == EVP_PKEY_EC) | | 1577 | if (pkey->type == EVP_PKEY_EC) |
1577 | { | | 1578 | { |
1578 | /* let's do ECDSA */ | | 1579 | /* let's do ECDSA */ |
1579 | EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL); | | 1580 | EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL); |
1580 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | | 1581 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
1581 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | | 1582 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); |
1582 | EVP_VerifyUpdate(&md_ctx,param,param_len); | | 1583 | EVP_VerifyUpdate(&md_ctx,param,param_len); |
1583 | if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) | | 1584 | if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) |
1584 | { | | 1585 | { |
1585 | /* bad signature */ | | 1586 | /* bad signature */ |
1586 | al=SSL_AD_DECRYPT_ERROR; | | 1587 | al=SSL_AD_DECRYPT_ERROR; |
1587 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); | | 1588 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); |
1588 | goto f_err; | | 1589 | goto f_err; |
1589 | } | | 1590 | } |
1590 | } | | 1591 | } |
1591 | else | | 1592 | else |
1592 | #endif | | 1593 | #endif |
1593 | { | | 1594 | { |
1594 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | | 1595 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); |
1595 | goto err; | | 1596 | goto err; |
1596 | } | | 1597 | } |
1597 | } | | 1598 | } |
1598 | else | | 1599 | else |
1599 | { | | 1600 | { |
1600 | if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) | | 1601 | if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) |
1601 | /* aNULL or kPSK do not need public keys */ | | 1602 | /* aNULL or kPSK do not need public keys */ |
1602 | { | | 1603 | { |
1603 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | | 1604 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); |
1604 | goto err; | | 1605 | goto err; |
1605 | } | | 1606 | } |
1606 | /* still data left over */ | | 1607 | /* still data left over */ |
1607 | if (n != 0) | | 1608 | if (n != 0) |
1608 | { | | 1609 | { |
1609 | al=SSL_AD_DECODE_ERROR; | | 1610 | al=SSL_AD_DECODE_ERROR; |
1610 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); | | 1611 | SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); |
1611 | goto f_err; | | 1612 | goto f_err; |
1612 | } | | 1613 | } |
1613 | } | | 1614 | } |
1614 | EVP_PKEY_free(pkey); | | 1615 | EVP_PKEY_free(pkey); |
1615 | EVP_MD_CTX_cleanup(&md_ctx); | | 1616 | EVP_MD_CTX_cleanup(&md_ctx); |
1616 | return(1); | | 1617 | return(1); |
1617 | f_err: | | 1618 | f_err: |
1618 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | | 1619 | ssl3_send_alert(s,SSL3_AL_FATAL,al); |
1619 | err: | | 1620 | err: |
1620 | EVP_PKEY_free(pkey); | | 1621 | EVP_PKEY_free(pkey); |
1621 | #ifndef OPENSSL_NO_RSA | | 1622 | #ifndef OPENSSL_NO_RSA |
1622 | if (rsa != NULL) | | 1623 | if (rsa != NULL) |
1623 | RSA_free(rsa); | | 1624 | RSA_free(rsa); |
1624 | #endif | | 1625 | #endif |
1625 | #ifndef OPENSSL_NO_DH | | 1626 | #ifndef OPENSSL_NO_DH |
1626 | if (dh != NULL) | | 1627 | if (dh != NULL) |
1627 | DH_free(dh); | | 1628 | DH_free(dh); |
1628 | #endif | | 1629 | #endif |
1629 | #ifndef OPENSSL_NO_ECDH | | 1630 | #ifndef OPENSSL_NO_ECDH |
1630 | BN_CTX_free(bn_ctx); | | 1631 | BN_CTX_free(bn_ctx); |
1631 | EC_POINT_free(srvr_ecpoint); | | 1632 | EC_POINT_free(srvr_ecpoint); |
1632 | if (ecdh != NULL) | | 1633 | if (ecdh != NULL) |
1633 | EC_KEY_free(ecdh); | | 1634 | EC_KEY_free(ecdh); |
1634 | #endif | | 1635 | #endif |
1635 | EVP_MD_CTX_cleanup(&md_ctx); | | 1636 | EVP_MD_CTX_cleanup(&md_ctx); |
1636 | return(-1); | | 1637 | return(-1); |
1637 | } | | 1638 | } |
1638 | | | 1639 | |
1639 | int ssl3_get_certificate_request(SSL *s) | | 1640 | int ssl3_get_certificate_request(SSL *s) |
1640 | { | | 1641 | { |
1641 | int ok,ret=0; | | 1642 | int ok,ret=0; |
1642 | unsigned long n,nc,l; | | 1643 | unsigned long n,nc,l; |
1643 | unsigned int llen,ctype_num,i; | | 1644 | unsigned int llen,ctype_num,i; |
1644 | X509_NAME *xn=NULL; | | 1645 | X509_NAME *xn=NULL; |
1645 | const unsigned char *p,*q; | | 1646 | const unsigned char *p,*q; |
1646 | unsigned char *d; | | 1647 | unsigned char *d; |
1647 | STACK_OF(X509_NAME) *ca_sk=NULL; | | 1648 | STACK_OF(X509_NAME) *ca_sk=NULL; |
1648 | | | 1649 | |
1649 | n=s->method->ssl_get_message(s, | | 1650 | n=s->method->ssl_get_message(s, |
1650 | SSL3_ST_CR_CERT_REQ_A, | | 1651 | SSL3_ST_CR_CERT_REQ_A, |
1651 | SSL3_ST_CR_CERT_REQ_B, | | 1652 | SSL3_ST_CR_CERT_REQ_B, |
1652 | -1, | | 1653 | -1, |
1653 | s->max_cert_list, | | 1654 | s->max_cert_list, |
1654 | &ok); | | 1655 | &ok); |
1655 | | | 1656 | |
1656 | if (!ok) return((int)n); | | 1657 | if (!ok) return((int)n); |
1657 | | | 1658 | |
1658 | s->s3->tmp.cert_req=0; | | 1659 | s->s3->tmp.cert_req=0; |
1659 | | | 1660 | |
1660 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) | | 1661 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) |
1661 | { | | 1662 | { |
1662 | s->s3->tmp.reuse_message=1; | | 1663 | s->s3->tmp.reuse_message=1; |
1663 | return(1); | | 1664 | return(1); |
1664 | } | | 1665 | } |
1665 | | | 1666 | |
1666 | if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) | | 1667 | if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) |
1667 | { | | 1668 | { |
1668 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); | | 1669 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); |
1669 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); | | 1670 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); |
1670 | goto err; | | 1671 | goto err; |
1671 | } | | 1672 | } |
1672 | | | 1673 | |
1673 | /* TLS does not like anon-DH with client cert */ | | 1674 | /* TLS does not like anon-DH with client cert */ |
1674 | if (s->version > SSL3_VERSION) | | 1675 | if (s->version > SSL3_VERSION) |
1675 | { | | 1676 | { |
1676 | if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) | | 1677 | if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) |
1677 | { | | 1678 | { |
1678 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); | | 1679 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); |
1679 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); | | 1680 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); |
1680 | goto err; | | 1681 | goto err; |
1681 | } | | 1682 | } |
1682 | } | | 1683 | } |
1683 | | | 1684 | |
1684 | p=d=(unsigned char *)s->init_msg; | | 1685 | p=d=(unsigned char *)s->init_msg; |
1685 | | | 1686 | |
1686 | if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) | | 1687 | if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) |
1687 | { | | 1688 | { |
1688 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); | | 1689 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); |
1689 | goto err; | | 1690 | goto err; |
1690 | } | | 1691 | } |
1691 | | | 1692 | |
1692 | /* get the certificate types */ | | 1693 | /* get the certificate types */ |
1693 | ctype_num= *(p++); | | 1694 | ctype_num= *(p++); |
1694 | if (ctype_num > SSL3_CT_NUMBER) | | 1695 | if (ctype_num > SSL3_CT_NUMBER) |
1695 | ctype_num=SSL3_CT_NUMBER; | | 1696 | ctype_num=SSL3_CT_NUMBER; |
1696 | for (i=0; i<ctype_num; i++) | | 1697 | for (i=0; i<ctype_num; i++) |
1697 | s->s3->tmp.ctype[i]= p[i]; | | 1698 | s->s3->tmp.ctype[i]= p[i]; |
1698 | p+=ctype_num; | | 1699 | p+=ctype_num; |
1699 | | | 1700 | |
1700 | /* get the CA RDNs */ | | 1701 | /* get the CA RDNs */ |
1701 | n2s(p,llen); | | 1702 | n2s(p,llen); |
1702 | #if 0 | | 1703 | #if 0 |
1703 | { | | 1704 | { |
1704 | FILE *out; | | 1705 | FILE *out; |
1705 | out=fopen("/tmp/vsign.der","w"); | | 1706 | out=fopen("/tmp/vsign.der","w"); |
1706 | fwrite(p,1,llen,out); | | 1707 | fwrite(p,1,llen,out); |
1707 | fclose(out); | | 1708 | fclose(out); |
1708 | } | | 1709 | } |
1709 | #endif | | 1710 | #endif |
1710 | | | 1711 | |
1711 | if ((llen+ctype_num+2+1) != n) | | 1712 | if ((llen+ctype_num+2+1) != n) |
1712 | { | | 1713 | { |
1713 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | | 1714 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); |
1714 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); | | 1715 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); |
1715 | goto err; | | 1716 | goto err; |
1716 | } | | 1717 | } |
1717 | | | 1718 | |
1718 | for (nc=0; nc<llen; ) | | 1719 | for (nc=0; nc<llen; ) |
1719 | { | | 1720 | { |
1720 | n2s(p,l); | | 1721 | n2s(p,l); |
1721 | if ((l+nc+2) > llen) | | 1722 | if ((l+nc+2) > llen) |
1722 | { | | 1723 | { |
1723 | if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) | | 1724 | if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) |
1724 | goto cont; /* netscape bugs */ | | 1725 | goto cont; /* netscape bugs */ |
1725 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | | 1726 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); |
1726 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); | | 1727 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); |
1727 | goto err; | | 1728 | goto err; |
1728 | } | | 1729 | } |
1729 | | | 1730 | |
1730 | q=p; | | 1731 | q=p; |
1731 | | | 1732 | |
1732 | if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) | | 1733 | if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) |
1733 | { | | 1734 | { |
1734 | /* If netscape tolerance is on, ignore errors */ | | 1735 | /* If netscape tolerance is on, ignore errors */ |
1735 | if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) | | 1736 | if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) |
1736 | goto cont; | | 1737 | goto cont; |
1737 | else | | 1738 | else |
1738 | { | | 1739 | { |
1739 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | | 1740 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); |
1740 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); | | 1741 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); |
1741 | goto err; | | 1742 | goto err; |
1742 | } | | 1743 | } |
1743 | } | | 1744 | } |
1744 | | | 1745 | |
1745 | if (q != (p+l)) | | 1746 | if (q != (p+l)) |
1746 | { | | 1747 | { |
1747 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | | 1748 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); |
1748 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); | | 1749 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); |
1749 | goto err; | | 1750 | goto err; |
1750 | } | | 1751 | } |
1751 | if (!sk_X509_NAME_push(ca_sk,xn)) | | 1752 | if (!sk_X509_NAME_push(ca_sk,xn)) |
1752 | { | | 1753 | { |
1753 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); | | 1754 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); |
1754 | goto err; | | 1755 | goto err; |
1755 | } | | 1756 | } |
1756 | | | 1757 | |
1757 | p+=l; | | 1758 | p+=l; |
1758 | nc+=l+2; | | 1759 | nc+=l+2; |
1759 | } | | 1760 | } |
1760 | | | 1761 | |
1761 | if (0) | | 1762 | if (0) |
1762 | { | | 1763 | { |
1763 | cont: | | 1764 | cont: |
1764 | ERR_clear_error(); | | 1765 | ERR_clear_error(); |
1765 | } | | 1766 | } |
1766 | | | 1767 | |
1767 | /* we should setup a certificate to return.... */ | | 1768 | /* we should setup a certificate to return.... */ |
1768 | s->s3->tmp.cert_req=1; | | 1769 | s->s3->tmp.cert_req=1; |
1769 | s->s3->tmp.ctype_num=ctype_num; | | 1770 | s->s3->tmp.ctype_num=ctype_num; |
1770 | if (s->s3->tmp.ca_names != NULL) | | 1771 | if (s->s3->tmp.ca_names != NULL) |
1771 | sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); | | 1772 | sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); |
1772 | s->s3->tmp.ca_names=ca_sk; | | 1773 | s->s3->tmp.ca_names=ca_sk; |
1773 | ca_sk=NULL; | | 1774 | ca_sk=NULL; |
1774 | | | 1775 | |
1775 | ret=1; | | 1776 | ret=1; |
1776 | err: | | 1777 | err: |
1777 | if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); | | 1778 | if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); |
1778 | return(ret); | | 1779 | return(ret); |
1779 | } | | 1780 | } |
1780 | | | 1781 | |
1781 | static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) | | 1782 | static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) |
1782 | { | | 1783 | { |
1783 | return(X509_NAME_cmp(*a,*b)); | | 1784 | return(X509_NAME_cmp(*a,*b)); |
1784 | } | | 1785 | } |
1785 | #ifndef OPENSSL_NO_TLSEXT | | 1786 | #ifndef OPENSSL_NO_TLSEXT |
1786 | int ssl3_get_new_session_ticket(SSL *s) | | 1787 | int ssl3_get_new_session_ticket(SSL *s) |
1787 | { | | 1788 | { |
1788 | int ok,al,ret=0, ticklen; | | 1789 | int ok,al,ret=0, ticklen; |
1789 | long n; | | 1790 | long n; |
1790 | const unsigned char *p; | | 1791 | const unsigned char *p; |
1791 | unsigned char *d; | | 1792 | unsigned char *d; |
1792 | | | 1793 | |
1793 | n=s->method->ssl_get_message(s, | | 1794 | n=s->method->ssl_get_message(s, |
1794 | SSL3_ST_CR_SESSION_TICKET_A, | | 1795 | SSL3_ST_CR_SESSION_TICKET_A, |
1795 | SSL3_ST_CR_SESSION_TICKET_B, | | 1796 | SSL3_ST_CR_SESSION_TICKET_B, |
1796 | -1, | | 1797 | -1, |
1797 | 16384, | | 1798 | 16384, |
1798 | &ok); | | 1799 | &ok); |
1799 | | | 1800 | |
1800 | if (!ok) | | 1801 | if (!ok) |
1801 | return((int)n); | | 1802 | return((int)n); |
1802 | | | 1803 | |
1803 | if (s->s3->tmp.message_type == SSL3_MT_FINISHED) | | 1804 | if (s->s3->tmp.message_type == SSL3_MT_FINISHED) |
1804 | { | | 1805 | { |
1805 | s->s3->tmp.reuse_message=1; | | 1806 | s->s3->tmp.reuse_message=1; |
1806 | return(1); | | 1807 | return(1); |
1807 | } | | 1808 | } |
1808 | if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) | | 1809 | if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) |
1809 | { | | 1810 | { |
1810 | al=SSL_AD_UNEXPECTED_MESSAGE; | | 1811 | al=SSL_AD_UNEXPECTED_MESSAGE; |
1811 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); | | 1812 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); |
1812 | goto f_err; | | 1813 | goto f_err; |
1813 | } | | 1814 | } |
1814 | if (n < 6) | | 1815 | if (n < 6) |
1815 | { | | 1816 | { |
1816 | /* need at least ticket_lifetime_hint + ticket length */ | | 1817 | /* need at least ticket_lifetime_hint + ticket length */ |
1817 | al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; | | 1818 | al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; |
1818 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); | | 1819 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); |
1819 | goto f_err; | | 1820 | goto f_err; |
1820 | } | | 1821 | } |
1821 | | | 1822 | |
1822 | p=d=(unsigned char *)s->init_msg; | | 1823 | p=d=(unsigned char *)s->init_msg; |
1823 | n2l(p, s->session->tlsext_tick_lifetime_hint); | | 1824 | n2l(p, s->session->tlsext_tick_lifetime_hint); |
1824 | n2s(p, ticklen); | | 1825 | n2s(p, ticklen); |
1825 | /* ticket_lifetime_hint + ticket_length + ticket */ | | 1826 | /* ticket_lifetime_hint + ticket_length + ticket */ |
1826 | if (ticklen + 6 != n) | | 1827 | if (ticklen + 6 != n) |
1827 | { | | 1828 | { |
1828 | al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; | | 1829 | al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; |
1829 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); | | 1830 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); |
1830 | goto f_err; | | 1831 | goto f_err; |
1831 | } | | 1832 | } |
1832 | if (s->session->tlsext_tick) | | 1833 | if (s->session->tlsext_tick) |
1833 | { | | 1834 | { |
1834 | OPENSSL_free(s->session->tlsext_tick); | | 1835 | OPENSSL_free(s->session->tlsext_tick); |
1835 | s->session->tlsext_ticklen = 0; | | 1836 | s->session->tlsext_ticklen = 0; |
1836 | } | | 1837 | } |
1837 | s->session->tlsext_tick = OPENSSL_malloc(ticklen); | | 1838 | s->session->tlsext_tick = OPENSSL_malloc(ticklen); |
1838 | if (!s->session->tlsext_tick) | | 1839 | if (!s->session->tlsext_tick) |
1839 | { | | 1840 | { |
1840 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); | | 1841 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); |
1841 | goto err; | | 1842 | goto err; |
1842 | } | | 1843 | } |
1843 | memcpy(s->session->tlsext_tick, p, ticklen); | | 1844 | memcpy(s->session->tlsext_tick, p, ticklen); |
1844 | s->session->tlsext_ticklen = ticklen; | | 1845 | s->session->tlsext_ticklen = ticklen; |
1845 | /* There are two ways to detect a resumed ticket sesion. | | 1846 | /* There are two ways to detect a resumed ticket sesion. |
1846 | * One is to set an appropriate session ID and then the server | | 1847 | * One is to set an appropriate session ID and then the server |
1847 | * must return a match in ServerHello. This allows the normal | | 1848 | * must return a match in ServerHello. This allows the normal |
1848 | * client session ID matching to work and we know much | | 1849 | * client session ID matching to work and we know much |
1849 | * earlier that the ticket has been accepted. | | 1850 | * earlier that the ticket has been accepted. |
1850 | * | | 1851 | * |
1851 | * The other way is to set zero length session ID when the | | 1852 | * The other way is to set zero length session ID when the |
1852 | * ticket is presented and rely on the handshake to determine | | 1853 | * ticket is presented and rely on the handshake to determine |
1853 | * session resumption. | | 1854 | * session resumption. |
1854 | * | | 1855 | * |
1855 | * We choose the former approach because this fits in with | | 1856 | * We choose the former approach because this fits in with |
1856 | * assumptions elsewhere in OpenSSL. The session ID is set | | 1857 | * assumptions elsewhere in OpenSSL. The session ID is set |
1857 | * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the | | 1858 | * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the |
1858 | * ticket. | | 1859 | * ticket. |
1859 | */ | | 1860 | */ |
1860 | EVP_Digest(p, ticklen, | | 1861 | EVP_Digest(p, ticklen, |
1861 | s->session->session_id, &s->session->session_id_length, | | 1862 | s->session->session_id, &s->session->session_id_length, |
1862 | #ifndef OPENSSL_NO_SHA256 | | 1863 | #ifndef OPENSSL_NO_SHA256 |
1863 | EVP_sha256(), NULL); | | 1864 | EVP_sha256(), NULL); |
1864 | #else | | 1865 | #else |
1865 | EVP_sha1(), NULL); | | 1866 | EVP_sha1(), NULL); |
1866 | #endif | | 1867 | #endif |
1867 | ret=1; | | 1868 | ret=1; |
1868 | return(ret); | | 1869 | return(ret); |
1869 | f_err: | | 1870 | f_err: |
1870 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | | 1871 | ssl3_send_alert(s,SSL3_AL_FATAL,al); |
1871 | err: | | 1872 | err: |
1872 | return(-1); | | 1873 | return(-1); |
1873 | } | | 1874 | } |
1874 | | | 1875 | |
1875 | int ssl3_get_cert_status(SSL *s) | | 1876 | int ssl3_get_cert_status(SSL *s) |
1876 | { | | 1877 | { |
1877 | int ok, al; | | 1878 | int ok, al; |
1878 | unsigned long resplen,n; | | 1879 | unsigned long resplen,n; |
1879 | const unsigned char *p; | | 1880 | const unsigned char *p; |
1880 | | | 1881 | |
1881 | n=s->method->ssl_get_message(s, | | 1882 | n=s->method->ssl_get_message(s, |
1882 | SSL3_ST_CR_CERT_STATUS_A, | | 1883 | SSL3_ST_CR_CERT_STATUS_A, |
1883 | SSL3_ST_CR_CERT_STATUS_B, | | 1884 | SSL3_ST_CR_CERT_STATUS_B, |
1884 | SSL3_MT_CERTIFICATE_STATUS, | | 1885 | SSL3_MT_CERTIFICATE_STATUS, |
1885 | 16384, | | 1886 | 16384, |
1886 | &ok); | | 1887 | &ok); |
1887 | | | 1888 | |
1888 | if (!ok) return((int)n); | | 1889 | if (!ok) return((int)n); |
1889 | if (n < 4) | | 1890 | if (n < 4) |
1890 | { | | 1891 | { |
1891 | /* need at least status type + length */ | | 1892 | /* need at least status type + length */ |
1892 | al = SSL_AD_DECODE_ERROR; | | 1893 | al = SSL_AD_DECODE_ERROR; |
1893 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); | | 1894 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); |
1894 | goto f_err; | | 1895 | goto f_err; |
1895 | } | | 1896 | } |
1896 | p = (unsigned char *)s->init_msg; | | 1897 | p = (unsigned char *)s->init_msg; |
1897 | if (*p++ != TLSEXT_STATUSTYPE_ocsp) | | 1898 | if (*p++ != TLSEXT_STATUSTYPE_ocsp) |
1898 | { | | 1899 | { |
1899 | al = SSL_AD_DECODE_ERROR; | | 1900 | al = SSL_AD_DECODE_ERROR; |
1900 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); | | 1901 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); |
1901 | goto f_err; | | 1902 | goto f_err; |
1902 | } | | 1903 | } |
1903 | n2l3(p, resplen); | | 1904 | n2l3(p, resplen); |
1904 | if (resplen + 4 != n) | | 1905 | if (resplen + 4 != n) |
1905 | { | | 1906 | { |
1906 | al = SSL_AD_DECODE_ERROR; | | 1907 | al = SSL_AD_DECODE_ERROR; |
1907 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); | | 1908 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); |
1908 | goto f_err; | | 1909 | goto f_err; |
1909 | } | | 1910 | } |
1910 | if (s->tlsext_ocsp_resp) | | 1911 | if (s->tlsext_ocsp_resp) |
1911 | OPENSSL_free(s->tlsext_ocsp_resp); | | 1912 | OPENSSL_free(s->tlsext_ocsp_resp); |
1912 | s->tlsext_ocsp_resp = BUF_memdup(p, resplen); | | 1913 | s->tlsext_ocsp_resp = BUF_memdup(p, resplen); |
1913 | if (!s->tlsext_ocsp_resp) | | 1914 | if (!s->tlsext_ocsp_resp) |
1914 | { | | 1915 | { |
1915 | al = SSL_AD_INTERNAL_ERROR; | | 1916 | al = SSL_AD_INTERNAL_ERROR; |
1916 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); | | 1917 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); |
1917 | goto f_err; | | 1918 | goto f_err; |
1918 | } | | 1919 | } |
1919 | s->tlsext_ocsp_resplen = resplen; | | 1920 | s->tlsext_ocsp_resplen = resplen; |
1920 | if (s->ctx->tlsext_status_cb) | | 1921 | if (s->ctx->tlsext_status_cb) |
1921 | { | | 1922 | { |
1922 | int ret; | | 1923 | int ret; |
1923 | ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); | | 1924 | ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); |
1924 | if (ret == 0) | | 1925 | if (ret == 0) |
1925 | { | | 1926 | { |
1926 | al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; | | 1927 | al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; |
1927 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); | | 1928 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); |
1928 | goto f_err; | | 1929 | goto f_err; |
1929 | } | | 1930 | } |
1930 | if (ret < 0) | | 1931 | if (ret < 0) |
1931 | { | | 1932 | { |
1932 | al = SSL_AD_INTERNAL_ERROR; | | 1933 | al = SSL_AD_INTERNAL_ERROR; |
1933 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); | | 1934 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); |
1934 | goto f_err; | | 1935 | goto f_err; |
1935 | } | | 1936 | } |
1936 | } | | 1937 | } |
1937 | return 1; | | 1938 | return 1; |
1938 | f_err: | | 1939 | f_err: |
1939 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | | 1940 | ssl3_send_alert(s,SSL3_AL_FATAL,al); |
1940 | return(-1); | | 1941 | return(-1); |
1941 | } | | 1942 | } |
1942 | #endif | | 1943 | #endif |
1943 | | | 1944 | |
1944 | int ssl3_get_server_done(SSL *s) | | 1945 | int ssl3_get_server_done(SSL *s) |
1945 | { | | 1946 | { |
1946 | int ok,ret=0; | | 1947 | int ok,ret=0; |
1947 | long n; | | 1948 | long n; |
1948 | | | 1949 | |
1949 | n=s->method->ssl_get_message(s, | | 1950 | n=s->method->ssl_get_message(s, |
1950 | SSL3_ST_CR_SRVR_DONE_A, | | 1951 | SSL3_ST_CR_SRVR_DONE_A, |
1951 | SSL3_ST_CR_SRVR_DONE_B, | | 1952 | SSL3_ST_CR_SRVR_DONE_B, |
1952 | SSL3_MT_SERVER_DONE, | | 1953 | SSL3_MT_SERVER_DONE, |
1953 | 30, /* should be very small, like 0 :-) */ | | 1954 | 30, /* should be very small, like 0 :-) */ |
1954 | &ok); | | 1955 | &ok); |
1955 | | | 1956 | |
1956 | if (!ok) return((int)n); | | 1957 | if (!ok) return((int)n); |
1957 | if (n > 0) | | 1958 | if (n > 0) |
1958 | { | | 1959 | { |
1959 | /* should contain no data */ | | 1960 | /* should contain no data */ |
1960 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); | | 1961 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); |
1961 | SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); | | 1962 | SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); |
1962 | return -1; | | 1963 | return -1; |
1963 | } | | 1964 | } |
1964 | ret=1; | | 1965 | ret=1; |
1965 | return(ret); | | 1966 | return(ret); |
1966 | } | | 1967 | } |
1967 | | | 1968 | |
1968 | | | 1969 | |
1969 | int ssl3_send_client_key_exchange(SSL *s) | | 1970 | int ssl3_send_client_key_exchange(SSL *s) |
1970 | { | | 1971 | { |
1971 | unsigned char *p,*d; | | 1972 | unsigned char *p,*d; |
1972 | int n; | | 1973 | int n; |
1973 | unsigned long alg_k; | | 1974 | unsigned long alg_k; |
1974 | #ifndef OPENSSL_NO_RSA | | 1975 | #ifndef OPENSSL_NO_RSA |
1975 | unsigned char *q; | | 1976 | unsigned char *q; |
1976 | EVP_PKEY *pkey=NULL; | | 1977 | EVP_PKEY *pkey=NULL; |
1977 | #endif | | 1978 | #endif |
1978 | #ifndef OPENSSL_NO_KRB5 | | 1979 | #ifndef OPENSSL_NO_KRB5 |
1979 | KSSL_ERR kssl_err; | | 1980 | KSSL_ERR kssl_err; |
1980 | #endif /* OPENSSL_NO_KRB5 */ | | 1981 | #endif /* OPENSSL_NO_KRB5 */ |
1981 | #ifndef OPENSSL_NO_ECDH | | 1982 | #ifndef OPENSSL_NO_ECDH |
1982 | EC_KEY *clnt_ecdh = NULL; | | 1983 | EC_KEY *clnt_ecdh = NULL; |
1983 | const EC_POINT *srvr_ecpoint = NULL; | | 1984 | const EC_POINT *srvr_ecpoint = NULL; |
1984 | EVP_PKEY *srvr_pub_pkey = NULL; | | 1985 | EVP_PKEY *srvr_pub_pkey = NULL; |
1985 | unsigned char *encodedPoint = NULL; | | 1986 | unsigned char *encodedPoint = NULL; |
1986 | int encoded_pt_len = 0; | | 1987 | int encoded_pt_len = 0; |
1987 | BN_CTX * bn_ctx = NULL; | | 1988 | BN_CTX * bn_ctx = NULL; |
1988 | #endif | | 1989 | #endif |
1989 | | | 1990 | |
1990 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) | | 1991 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) |
1991 | { | | 1992 | { |
1992 | d=(unsigned char *)s->init_buf->data; | | 1993 | d=(unsigned char *)s->init_buf->data; |
1993 | p= &(d[4]); | | 1994 | p= &(d[4]); |
1994 | | | 1995 | |
1995 | alg_k=s->s3->tmp.new_cipher->algorithm_mkey; | | 1996 | alg_k=s->s3->tmp.new_cipher->algorithm_mkey; |
1996 | | | 1997 | |
1997 | /* Fool emacs indentation */ | | 1998 | /* Fool emacs indentation */ |
1998 | if (0) {} | | 1999 | if (0) {} |
1999 | #ifndef OPENSSL_NO_RSA | | 2000 | #ifndef OPENSSL_NO_RSA |
2000 | else if (alg_k & SSL_kRSA) | | 2001 | else if (alg_k & SSL_kRSA) |
2001 | { | | 2002 | { |
2002 | RSA *rsa; | | 2003 | RSA *rsa; |
2003 | unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; | | 2004 | unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; |
2004 | | | 2005 | |
2005 | if (s->session->sess_cert->peer_rsa_tmp != NULL) | | 2006 | if (s->session->sess_cert->peer_rsa_tmp != NULL) |
2006 | rsa=s->session->sess_cert->peer_rsa_tmp; | | 2007 | rsa=s->session->sess_cert->peer_rsa_tmp; |
2007 | else | | 2008 | else |
2008 | { | | 2009 | { |
2009 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); | | 2010 | pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); |
2010 | if ((pkey == NULL) || | | 2011 | if ((pkey == NULL) || |
2011 | (pkey->type != EVP_PKEY_RSA) || | | 2012 | (pkey->type != EVP_PKEY_RSA) || |
2012 | (pkey->pkey.rsa == NULL)) | | 2013 | (pkey->pkey.rsa == NULL)) |
2013 | { | | 2014 | { |
2014 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); | | 2015 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); |
2015 | goto err; | | 2016 | goto err; |
2016 | } | | 2017 | } |
2017 | rsa=pkey->pkey.rsa; | | 2018 | rsa=pkey->pkey.rsa; |
2018 | EVP_PKEY_free(pkey); | | 2019 | EVP_PKEY_free(pkey); |
2019 | } | | 2020 | } |
2020 | | | 2021 | |
2021 | tmp_buf[0]=s->client_version>>8; | | 2022 | tmp_buf[0]=s->client_version>>8; |
2022 | tmp_buf[1]=s->client_version&0xff; | | 2023 | tmp_buf[1]=s->client_version&0xff; |
2023 | if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) | | 2024 | if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) |
2024 | goto err; | | 2025 | goto err; |
2025 | | | 2026 | |
2026 | s->session->master_key_length=sizeof tmp_buf; | | 2027 | s->session->master_key_length=sizeof tmp_buf; |
2027 | | | 2028 | |
2028 | q=p; | | 2029 | q=p; |
2029 | /* Fix buf for TLS and beyond */ | | 2030 | /* Fix buf for TLS and beyond */ |
2030 | if (s->version > SSL3_VERSION) | | 2031 | if (s->version > SSL3_VERSION) |
2031 | p+=2; | | 2032 | p+=2; |
2032 | n=RSA_public_encrypt(sizeof tmp_buf, | | 2033 | n=RSA_public_encrypt(sizeof tmp_buf, |
2033 | tmp_buf,p,rsa,RSA_PKCS1_PADDING); | | 2034 | tmp_buf,p,rsa,RSA_PKCS1_PADDING); |
2034 | #ifdef PKCS1_CHECK | | 2035 | #ifdef PKCS1_CHECK |
2035 | if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; | | 2036 | if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; |
2036 | if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; | | 2037 | if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; |
2037 | #endif | | 2038 | #endif |
2038 | if (n <= 0) | | 2039 | if (n <= 0) |
2039 | { | | 2040 | { |
2040 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); | | 2041 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); |
2041 | goto err; | | 2042 | goto err; |
2042 | } | | 2043 | } |
2043 | | | 2044 | |
2044 | /* Fix buf for TLS and beyond */ | | 2045 | /* Fix buf for TLS and beyond */ |
2045 | if (s->version > SSL3_VERSION) | | 2046 | if (s->version > SSL3_VERSION) |
2046 | { | | 2047 | { |
2047 | s2n(n,q); | | 2048 | s2n(n,q); |
2048 | n+=2; | | 2049 | n+=2; |
2049 | } | | 2050 | } |
2050 | | | 2051 | |
2051 | s->session->master_key_length= | | 2052 | s->session->master_key_length= |
2052 | s->method->ssl3_enc->generate_master_secret(s, | | 2053 | s->method->ssl3_enc->generate_master_secret(s, |
2053 | s->session->master_key, | | 2054 | s->session->master_key, |
2054 | tmp_buf,sizeof tmp_buf); | | 2055 | tmp_buf,sizeof tmp_buf); |
2055 | OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); | | 2056 | OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); |
2056 | } | | 2057 | } |
2057 | #endif | | 2058 | #endif |
2058 | #ifndef OPENSSL_NO_KRB5 | | 2059 | #ifndef OPENSSL_NO_KRB5 |
2059 | else if (alg_k & SSL_kKRB5) | | 2060 | else if (alg_k & SSL_kKRB5) |
2060 | { | | 2061 | { |
2061 | krb5_error_code krb5rc; | | 2062 | krb5_error_code krb5rc; |
2062 | KSSL_CTX *kssl_ctx = s->kssl_ctx; | | 2063 | KSSL_CTX *kssl_ctx = s->kssl_ctx; |
2063 | /* krb5_data krb5_ap_req; */ | | 2064 | /* krb5_data krb5_ap_req; */ |
2064 | krb5_data *enc_ticket; | | 2065 | krb5_data *enc_ticket; |
2065 | krb5_data authenticator, *authp = NULL; | | 2066 | krb5_data authenticator, *authp = NULL; |
2066 | EVP_CIPHER_CTX ciph_ctx; | | 2067 | EVP_CIPHER_CTX ciph_ctx; |
2067 | const EVP_CIPHER *enc = NULL; | | 2068 | const EVP_CIPHER *enc = NULL; |
2068 | unsigned char iv[EVP_MAX_IV_LENGTH]; | | 2069 | unsigned char iv[EVP_MAX_IV_LENGTH]; |
2069 | unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; | | 2070 | unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; |
2070 | unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH | | 2071 | unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH |
2071 | + EVP_MAX_IV_LENGTH]; | | 2072 | + EVP_MAX_IV_LENGTH]; |
2072 | int padl, outl = sizeof(epms); | | 2073 | int padl, outl = sizeof(epms); |
2073 | | | 2074 | |
2074 | EVP_CIPHER_CTX_init(&ciph_ctx); | | 2075 | EVP_CIPHER_CTX_init(&ciph_ctx); |
2075 | | | 2076 | |
2076 | #ifdef KSSL_DEBUG | | 2077 | #ifdef KSSL_DEBUG |
2077 | printf("ssl3_send_client_key_exchange(%lx & %lx)\n", | | 2078 | printf("ssl3_send_client_key_exchange(%lx & %lx)\n", |
2078 | alg_k, SSL_kKRB5); | | 2079 | alg_k, SSL_kKRB5); |
2079 | #endif /* KSSL_DEBUG */ | | 2080 | #endif /* KSSL_DEBUG */ |
2080 | | | 2081 | |
2081 | authp = NULL; | | 2082 | authp = NULL; |
2082 | #ifdef KRB5SENDAUTH | | 2083 | #ifdef KRB5SENDAUTH |
2083 | if (KRB5SENDAUTH) authp = &authenticator; | | 2084 | if (KRB5SENDAUTH) authp = &authenticator; |
2084 | #endif /* KRB5SENDAUTH */ | | 2085 | #endif /* KRB5SENDAUTH */ |
2085 | | | 2086 | |
2086 | krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, | | 2087 | krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, |
2087 | &kssl_err); | | 2088 | &kssl_err); |
2088 | enc = kssl_map_enc(kssl_ctx->enctype); | | 2089 | enc = kssl_map_enc(kssl_ctx->enctype); |
2089 | if (enc == NULL) | | 2090 | if (enc == NULL) |
2090 | goto err; | | 2091 | goto err; |
2091 | #ifdef KSSL_DEBUG | | 2092 | #ifdef KSSL_DEBUG |
2092 | { | | 2093 | { |
2093 | printf("kssl_cget_tkt rtn %d\n", krb5rc); | | 2094 | printf("kssl_cget_tkt rtn %d\n", krb5rc); |
2094 | if (krb5rc && kssl_err.text) | | 2095 | if (krb5rc && kssl_err.text) |
2095 | printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); | | 2096 | printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); |
2096 | } | | 2097 | } |
2097 | #endif /* KSSL_DEBUG */ | | 2098 | #endif /* KSSL_DEBUG */ |
2098 | | | 2099 | |
2099 | if (krb5rc) | | 2100 | if (krb5rc) |
2100 | { | | 2101 | { |
2101 | ssl3_send_alert(s,SSL3_AL_FATAL, | | 2102 | ssl3_send_alert(s,SSL3_AL_FATAL, |
2102 | SSL_AD_HANDSHAKE_FAILURE); | | 2103 | SSL_AD_HANDSHAKE_FAILURE); |
2103 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | | 2104 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
2104 | kssl_err.reason); | | 2105 | kssl_err.reason); |
2105 | goto err; | | 2106 | goto err; |
2106 | } | | 2107 | } |
2107 | | | 2108 | |
2108 | /* 20010406 VRS - Earlier versions used KRB5 AP_REQ | | 2109 | /* 20010406 VRS - Earlier versions used KRB5 AP_REQ |
2109 | ** in place of RFC 2712 KerberosWrapper, as in: | | 2110 | ** in place of RFC 2712 KerberosWrapper, as in: |
2110 | ** | | 2111 | ** |
2111 | ** Send ticket (copy to *p, set n = length) | | 2112 | ** Send ticket (copy to *p, set n = length) |
2112 | ** n = krb5_ap_req.length; | | 2113 | ** n = krb5_ap_req.length; |
2113 | ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); | | 2114 | ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); |
2114 | ** if (krb5_ap_req.data) | | 2115 | ** if (krb5_ap_req.data) |
2115 | ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); | | 2116 | ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); |
2116 | ** | | 2117 | ** |
2117 | ** Now using real RFC 2712 KerberosWrapper | | 2118 | ** Now using real RFC 2712 KerberosWrapper |
2118 | ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) | | 2119 | ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) |
2119 | ** Note: 2712 "opaque" types are here replaced | | 2120 | ** Note: 2712 "opaque" types are here replaced |
2120 | ** with a 2-byte length followed by the value. | | 2121 | ** with a 2-byte length followed by the value. |
2121 | ** Example: | | 2122 | ** Example: |
2122 | ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms | | 2123 | ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms |
2123 | ** Where "xx xx" = length bytes. Shown here with | | 2124 | ** Where "xx xx" = length bytes. Shown here with |
2124 | ** optional authenticator omitted. | | 2125 | ** optional authenticator omitted. |
2125 | */ | | 2126 | */ |
2126 | | | 2127 | |
2127 | /* KerberosWrapper.Ticket */ | | 2128 | /* KerberosWrapper.Ticket */ |
2128 | s2n(enc_ticket->length,p); | | 2129 | s2n(enc_ticket->length,p); |
2129 | memcpy(p, enc_ticket->data, enc_ticket->length); | | 2130 | memcpy(p, enc_ticket->data, enc_ticket->length); |
2130 | p+= enc_ticket->length; | | 2131 | p+= enc_ticket->length; |
2131 | n = enc_ticket->length + 2; | | 2132 | n = enc_ticket->length + 2; |
2132 | | | 2133 | |
2133 | /* KerberosWrapper.Authenticator */ | | 2134 | /* KerberosWrapper.Authenticator */ |
2134 | if (authp && authp->length) | | 2135 | if (authp && authp->length) |
2135 | { | | 2136 | { |
2136 | s2n(authp->length,p); | | 2137 | s2n(authp->length,p); |
2137 | memcpy(p, authp->data, authp->length); | | 2138 | memcpy(p, authp->data, authp->length); |
2138 | p+= authp->length; | | 2139 | p+= authp->length; |
2139 | n+= authp->length + 2; | | 2140 | n+= authp->length + 2; |
2140 | | | 2141 | |
2141 | free(authp->data); | | 2142 | free(authp->data); |
2142 | authp->data = NULL; | | 2143 | authp->data = NULL; |
2143 | authp->length = 0; | | 2144 | authp->length = 0; |
2144 | } | | 2145 | } |
2145 | else | | 2146 | else |
2146 | { | | 2147 | { |
2147 | s2n(0,p);/* null authenticator length */ | | 2148 | s2n(0,p);/* null authenticator length */ |
2148 | n+=2; | | 2149 | n+=2; |
2149 | } | | 2150 | } |
2150 | | | 2151 | |
2151 | tmp_buf[0]=s->client_version>>8; | | 2152 | tmp_buf[0]=s->client_version>>8; |
2152 | tmp_buf[1]=s->client_version&0xff; | | 2153 | tmp_buf[1]=s->client_version&0xff; |
2153 | if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) | | 2154 | if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) |
2154 | goto err; | | 2155 | goto err; |
2155 | | | 2156 | |
2156 | /* 20010420 VRS. Tried it this way; failed. | | 2157 | /* 20010420 VRS. Tried it this way; failed. |
2157 | ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); | | 2158 | ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); |
2158 | ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, | | 2159 | ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, |
2159 | ** kssl_ctx->length); | | 2160 | ** kssl_ctx->length); |
2160 | ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); | | 2161 | ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); |
2161 | */ | | 2162 | */ |
2162 | | | 2163 | |
2163 | memset(iv, 0, sizeof iv); /* per RFC 1510 */ | | 2164 | memset(iv, 0, sizeof iv); /* per RFC 1510 */ |
2164 | EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, | | 2165 | EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, |
2165 | kssl_ctx->key,iv); | | 2166 | kssl_ctx->key,iv); |
2166 | EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, | | 2167 | EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, |
2167 | sizeof tmp_buf); | | 2168 | sizeof tmp_buf); |
2168 | EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); | | 2169 | EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); |
2169 | outl += padl; | | 2170 | outl += padl; |
2170 | if (outl > (int)sizeof epms) | | 2171 | if (outl > (int)sizeof epms) |
2171 | { | | 2172 | { |
2172 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); | | 2173 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); |
2173 | goto err; | | 2174 | goto err; |
2174 | } | | 2175 | } |
2175 | EVP_CIPHER_CTX_cleanup(&ciph_ctx); | | 2176 | EVP_CIPHER_CTX_cleanup(&ciph_ctx); |
2176 | | | 2177 | |
2177 | /* KerberosWrapper.EncryptedPreMasterSecret */ | | 2178 | /* KerberosWrapper.EncryptedPreMasterSecret */ |
2178 | s2n(outl,p); | | 2179 | s2n(outl,p); |
2179 | memcpy(p, epms, outl); | | 2180 | memcpy(p, epms, outl); |
2180 | p+=outl; | | 2181 | p+=outl; |
2181 | n+=outl + 2; | | 2182 | n+=outl + 2; |
2182 | | | 2183 | |
2183 | s->session->master_key_length= | | 2184 | s->session->master_key_length= |
2184 | s->method->ssl3_enc->generate_master_secret(s, | | 2185 | s->method->ssl3_enc->generate_master_secret(s, |
2185 | s->session->master_key, | | 2186 | s->session->master_key, |
2186 | tmp_buf, sizeof tmp_buf); | | 2187 | tmp_buf, sizeof tmp_buf); |
2187 | | | 2188 | |
2188 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); | | 2189 | OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); |
2189 | OPENSSL_cleanse(epms, outl); | | 2190 | OPENSSL_cleanse(epms, outl); |
2190 | } | | 2191 | } |
2191 | #endif | | 2192 | #endif |
2192 | #ifndef OPENSSL_NO_DH | | 2193 | #ifndef OPENSSL_NO_DH |
2193 | else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) | | 2194 | else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) |
2194 | { | | 2195 | { |
2195 | DH *dh_srvr,*dh_clnt; | | 2196 | DH *dh_srvr,*dh_clnt; |
2196 | | | 2197 | |
2197 | if (s->session->sess_cert == NULL) | | 2198 | if (s->session->sess_cert == NULL) |
2198 | { | | 2199 | { |
2199 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); | | 2200 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); |
2200 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); | | 2201 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); |
2201 | goto err; | | 2202 | goto err; |
2202 | } | | 2203 | } |
2203 | | | 2204 | |
2204 | if (s->session->sess_cert->peer_dh_tmp != NULL) | | 2205 | if (s->session->sess_cert->peer_dh_tmp != NULL) |
2205 | dh_srvr=s->session->sess_cert->peer_dh_tmp; | | 2206 | dh_srvr=s->session->sess_cert->peer_dh_tmp; |
2206 | else | | 2207 | else |
2207 | { | | 2208 | { |
2208 | /* we get them from the cert */ | | 2209 | /* we get them from the cert */ |
2209 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); | | 2210 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |
2210 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); | | 2211 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); |
2211 | goto err; | | 2212 | goto err; |
2212 | } | | 2213 | } |
2213 | | | 2214 | |
2214 | /* generate a new random key */ | | 2215 | /* generate a new random key */ |
2215 | if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) | | 2216 | if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) |
2216 | { | | 2217 | { |
2217 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); | | 2218 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); |
2218 | goto err; | | 2219 | goto err; |
2219 | } | | 2220 | } |
2220 | if (!DH_generate_key(dh_clnt)) | | 2221 | if (!DH_generate_key(dh_clnt)) |
2221 | { | | 2222 | { |
2222 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); | | 2223 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); |
2223 | goto err; | | 2224 | goto err; |
2224 | } | | 2225 | } |
2225 | | | 2226 | |
2226 | /* use the 'p' output buffer for the DH key, but | | 2227 | /* use the 'p' output buffer for the DH key, but |
2227 | * make sure to clear it out afterwards */ | | 2228 | * make sure to clear it out afterwards */ |
2228 | | | 2229 | |
2229 | n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); | | 2230 | n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); |
2230 | | | 2231 | |
2231 | if (n <= 0) | | 2232 | if (n <= 0) |
2232 | { | | 2233 | { |
2233 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); | | 2234 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); |
2234 | goto err; | | 2235 | goto err; |
2235 | } | | 2236 | } |
2236 | | | 2237 | |
2237 | /* generate master key from the result */ | | 2238 | /* generate master key from the result */ |
2238 | s->session->master_key_length= | | 2239 | s->session->master_key_length= |
2239 | s->method->ssl3_enc->generate_master_secret(s, | | 2240 | s->method->ssl3_enc->generate_master_secret(s, |
2240 | s->session->master_key,p,n); | | 2241 | s->session->master_key,p,n); |
2241 | /* clean up */ | | 2242 | /* clean up */ |
2242 | memset(p,0,n); | | 2243 | memset(p,0,n); |
2243 | | | 2244 | |
2244 | /* send off the data */ | | 2245 | /* send off the data */ |
2245 | n=BN_num_bytes(dh_clnt->pub_key); | | 2246 | n=BN_num_bytes(dh_clnt->pub_key); |
2246 | s2n(n,p); | | 2247 | s2n(n,p); |
2247 | BN_bn2bin(dh_clnt->pub_key,p); | | 2248 | BN_bn2bin(dh_clnt->pub_key,p); |
2248 | n+=2; | | 2249 | n+=2; |
2249 | | | 2250 | |
2250 | DH_free(dh_clnt); | | 2251 | DH_free(dh_clnt); |
2251 | | | 2252 | |
2252 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ | | 2253 | /* perhaps clean things up a bit EAY EAY EAY EAY*/ |
2253 | } | | 2254 | } |
2254 | #endif | | 2255 | #endif |
2255 | | | 2256 | |
2256 | #ifndef OPENSSL_NO_ECDH | | 2257 | #ifndef OPENSSL_NO_ECDH |
2257 | else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) | | 2258 | else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) |
2258 | { | | 2259 | { |
2259 | const EC_GROUP *srvr_group = NULL; | | 2260 | const EC_GROUP *srvr_group = NULL; |
2260 | EC_KEY *tkey; | | 2261 | EC_KEY *tkey; |
2261 | int ecdh_clnt_cert = 0; | | 2262 | int ecdh_clnt_cert = 0; |
2262 | int field_size = 0; | | 2263 | int field_size = 0; |
2263 | | | 2264 | |
2264 | /* Did we send out the client's | | 2265 | /* Did we send out the client's |
2265 | * ECDH share for use in premaster | | 2266 | * ECDH share for use in premaster |
2266 | * computation as part of client certificate? | | 2267 | * computation as part of client certificate? |
2267 | * If so, set ecdh_clnt_cert to 1. | | 2268 | * If so, set ecdh_clnt_cert to 1. |
2268 | */ | | 2269 | */ |
2269 | if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) | | 2270 | if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) |
2270 | { | | 2271 | { |
2271 | /* XXX: For now, we do not support client | | 2272 | /* XXX: For now, we do not support client |
2272 | * authentication using ECDH certificates. | | 2273 | * authentication using ECDH certificates. |
2273 | * To add such support, one needs to add | | 2274 | * To add such support, one needs to add |
2274 | * code that checks for appropriate | | 2275 | * code that checks for appropriate |
2275 | * conditions and sets ecdh_clnt_cert to 1. | | 2276 | * conditions and sets ecdh_clnt_cert to 1. |
2276 | * For example, the cert have an ECC | | 2277 | * For example, the cert have an ECC |
2277 | * key on the same curve as the server's | | 2278 | * key on the same curve as the server's |
2278 | * and the key should be authorized for | | 2279 | * and the key should be authorized for |
2279 | * key agreement. | | 2280 | * key agreement. |
2280 | * | | 2281 | * |
2281 | * One also needs to add code in ssl3_connect | | 2282 | * One also needs to add code in ssl3_connect |
2282 | * to skip sending the certificate verify | | 2283 | * to skip sending the certificate verify |
2283 | * message. | | 2284 | * message. |
2284 | * | | 2285 | * |
2285 | * if ((s->cert->key->privatekey != NULL) && | | 2286 | * if ((s->cert->key->privatekey != NULL) && |
2286 | * (s->cert->key->privatekey->type == | | 2287 | * (s->cert->key->privatekey->type == |
2287 | * EVP_PKEY_EC) && ...) | | 2288 | * EVP_PKEY_EC) && ...) |
2288 | * ecdh_clnt_cert = 1; | | 2289 | * ecdh_clnt_cert = 1; |
2289 | */ | | 2290 | */ |
2290 | } | | 2291 | } |
2291 | | | 2292 | |
2292 | if (s->session->sess_cert->peer_ecdh_tmp != NULL) | | 2293 | if (s->session->sess_cert->peer_ecdh_tmp != NULL) |
2293 | { | | 2294 | { |
2294 | tkey = s->session->sess_cert->peer_ecdh_tmp; | | 2295 | tkey = s->session->sess_cert->peer_ecdh_tmp; |
2295 | } | | 2296 | } |
2296 | else | | 2297 | else |
2297 | { | | 2298 | { |
2298 | /* Get the Server Public Key from Cert */ | | 2299 | /* Get the Server Public Key from Cert */ |
2299 | srvr_pub_pkey = X509_get_pubkey(s->session-> \ | | 2300 | srvr_pub_pkey = X509_get_pubkey(s->session-> \ |
2300 | sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); | | 2301 | sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); |
2301 | if ((srvr_pub_pkey == NULL) || | | 2302 | if ((srvr_pub_pkey == NULL) || |
2302 | (srvr_pub_pkey->type != EVP_PKEY_EC) || | | 2303 | (srvr_pub_pkey->type != EVP_PKEY_EC) || |
2303 | (srvr_pub_pkey->pkey.ec == NULL)) | | 2304 | (srvr_pub_pkey->pkey.ec == NULL)) |
2304 | { | | 2305 | { |
2305 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | | 2306 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
2306 | ERR_R_INTERNAL_ERROR); | | 2307 | ERR_R_INTERNAL_ERROR); |
2307 | goto err; | | 2308 | goto err; |
2308 | } | | 2309 | } |
2309 | | | 2310 | |
2310 | tkey = srvr_pub_pkey->pkey.ec; | | 2311 | tkey = srvr_pub_pkey->pkey.ec; |
2311 | } | | 2312 | } |
2312 | | | 2313 | |
2313 | srvr_group = EC_KEY_get0_group(tkey); | | 2314 | srvr_group = EC_KEY_get0_group(tkey); |
2314 | srvr_ecpoint = EC_KEY_get0_public_key(tkey); | | 2315 | srvr_ecpoint = EC_KEY_get0_public_key(tkey); |
2315 | | | 2316 | |
2316 | if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) | | 2317 | if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) |
2317 | { | | 2318 | { |
2318 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | | 2319 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
2319 | ERR_R_INTERNAL_ERROR); | | 2320 | ERR_R_INTERNAL_ERROR); |
2320 | goto err; | | 2321 | goto err; |
2321 | } | | 2322 | } |
2322 | | | 2323 | |
2323 | if ((clnt_ecdh=EC_KEY_new()) == NULL) | | 2324 | if ((clnt_ecdh=EC_KEY_new()) == NULL) |
2324 | { | | 2325 | { |
2325 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | | 2326 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); |
2326 | goto err; | | 2327 | goto err; |
2327 | } | | 2328 | } |
2328 | | | 2329 | |
2329 | if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) | | 2330 | if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) |
2330 | { | | 2331 | { |
2331 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); | | 2332 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); |
2332 | goto err; | | 2333 | goto err; |
2333 | } | | 2334 | } |
2334 | if (ecdh_clnt_cert) | | 2335 | if (ecdh_clnt_cert) |
2335 | { | | 2336 | { |
2336 | /* Reuse key info from our certificate | | 2337 | /* Reuse key info from our certificate |
2337 | * We only need our private key to perform | | 2338 | * We only need our private key to perform |
2338 | * the ECDH computation. | | 2339 | * the ECDH computation. |
2339 | */ | | 2340 | */ |
2340 | const BIGNUM *priv_key; | | 2341 | const BIGNUM *priv_key; |
2341 | tkey = s->cert->key->privatekey->pkey.ec; | | 2342 | tkey = s->cert->key->privatekey->pkey.ec; |
2342 | priv_key = EC_KEY_get0_private_key(tkey); | | 2343 | priv_key = EC_KEY_get0_private_key(tkey); |
2343 | if (priv_key == NULL) | | 2344 | if (priv_key == NULL) |
2344 | { | | 2345 | { |
2345 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | | 2346 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); |
2346 | goto err; | | 2347 | goto err; |
2347 | } | | 2348 | } |
2348 | if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) | | 2349 | if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) |
2349 | { | | 2350 | { |
2350 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); | | 2351 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); |
2351 | goto err; | | 2352 | goto err; |
2352 | } | | 2353 | } |
2353 | } | | 2354 | } |
2354 | else | | 2355 | else |
2355 | { | | 2356 | { |
2356 | /* Generate a new ECDH key pair */ | | 2357 | /* Generate a new ECDH key pair */ |
2357 | if (!(EC_KEY_generate_key(clnt_ecdh))) | | 2358 | if (!(EC_KEY_generate_key(clnt_ecdh))) |
2358 | { | | 2359 | { |
2359 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); | | 2360 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); |
2360 | goto err; | | 2361 | goto err; |
2361 | } | | 2362 | } |
2362 | } | | 2363 | } |
2363 | | | 2364 | |
2364 | /* use the 'p' output buffer for the ECDH key, but | | 2365 | /* use the 'p' output buffer for the ECDH key, but |
2365 | * make sure to clear it out afterwards | | 2366 | * make sure to clear it out afterwards |
2366 | */ | | 2367 | */ |
2367 | | | 2368 | |
2368 | field_size = EC_GROUP_get_degree(srvr_group); | | 2369 | field_size = EC_GROUP_get_degree(srvr_group); |
2369 | if (field_size <= 0) | | 2370 | if (field_size <= 0) |
2370 | { | | 2371 | { |
2371 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | | 2372 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
2372 | ERR_R_ECDH_LIB); | | 2373 | ERR_R_ECDH_LIB); |
2373 | goto err; | | 2374 | goto err; |
2374 | } | | 2375 | } |
2375 | n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); | | 2376 | n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); |
2376 | if (n <= 0) | | 2377 | if (n <= 0) |
2377 | { | | 2378 | { |
2378 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | | 2379 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
2379 | ERR_R_ECDH_LIB); | | 2380 | ERR_R_ECDH_LIB); |
2380 | goto err; | | 2381 | goto err; |
2381 | } | | 2382 | } |
2382 | | | 2383 | |
2383 | /* generate master key from the result */ | | 2384 | /* generate master key from the result */ |
2384 | s->session->master_key_length = s->method->ssl3_enc \ | | 2385 | s->session->master_key_length = s->method->ssl3_enc \ |
2385 | -> generate_master_secret(s, | | 2386 | -> generate_master_secret(s, |
2386 | s->session->master_key, | | 2387 | s->session->master_key, |
2387 | p, n); | | 2388 | p, n); |
2388 | | | 2389 | |
2389 | memset(p, 0, n); /* clean up */ | | 2390 | memset(p, 0, n); /* clean up */ |
2390 | | | 2391 | |
2391 | if (ecdh_clnt_cert) | | 2392 | if (ecdh_clnt_cert) |
2392 | { | | 2393 | { |
2393 | /* Send empty client key exch message */ | | 2394 | /* Send empty client key exch message */ |
2394 | n = 0; | | 2395 | n = 0; |
2395 | } | | 2396 | } |
2396 | else | | 2397 | else |
2397 | { | | 2398 | { |
2398 | /* First check the size of encoding and | | 2399 | /* First check the size of encoding and |
2399 | * allocate memory accordingly. | | 2400 | * allocate memory accordingly. |
2400 | */ | | 2401 | */ |
2401 | encoded_pt_len = | | 2402 | encoded_pt_len = |
2402 | EC_POINT_point2oct(srvr_group, | | 2403 | EC_POINT_point2oct(srvr_group, |
2403 | EC_KEY_get0_public_key(clnt_ecdh), | | 2404 | EC_KEY_get0_public_key(clnt_ecdh), |
2404 | POINT_CONVERSION_UNCOMPRESSED, | | 2405 | POINT_CONVERSION_UNCOMPRESSED, |
2405 | NULL, 0, NULL); | | 2406 | NULL, 0, NULL); |
2406 | | | 2407 | |
2407 | encodedPoint = (unsigned char *) | | 2408 | encodedPoint = (unsigned char *) |
2408 | OPENSSL_malloc(encoded_pt_len * | | 2409 | OPENSSL_malloc(encoded_pt_len * |
2409 | sizeof(unsigned char)); | | 2410 | sizeof(unsigned char)); |
2410 | bn_ctx = BN_CTX_new(); | | 2411 | bn_ctx = BN_CTX_new(); |
2411 | if ((encodedPoint == NULL) || | | 2412 | if ((encodedPoint == NULL) || |
2412 | (bn_ctx == NULL)) | | 2413 | (bn_ctx == NULL)) |
2413 | { | | 2414 | { |
2414 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); | | 2415 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); |
2415 | goto err; | | 2416 | goto err; |
2416 | } | | 2417 | } |
2417 | | | 2418 | |
2418 | /* Encode the public key */ | | 2419 | /* Encode the public key */ |
2419 | n = EC_POINT_point2oct(srvr_group, | | 2420 | n = EC_POINT_point2oct(srvr_group, |
2420 | EC_KEY_get0_public_key(clnt_ecdh), | | 2421 | EC_KEY_get0_public_key(clnt_ecdh), |
2421 | POINT_CONVERSION_UNCOMPRESSED, | | 2422 | POINT_CONVERSION_UNCOMPRESSED, |
2422 | encodedPoint, encoded_pt_len, bn_ctx); | | 2423 | encodedPoint, encoded_pt_len, bn_ctx); |
2423 | | | 2424 | |
2424 | *p = n; /* length of encoded point */ | | 2425 | *p = n; /* length of encoded point */ |
2425 | /* Encoded point will be copied here */ | | 2426 | /* Encoded point will be copied here */ |
2426 | p += 1; | | 2427 | p += 1; |
2427 | /* copy the point */ | | 2428 | /* copy the point */ |
2428 | memcpy((unsigned char *)p, encodedPoint, n); | | 2429 | memcpy((unsigned char *)p, encodedPoint, n); |
2429 | /* increment n to account for length field */ | | 2430 | /* increment n to account for length field */ |
2430 | n += 1; | | 2431 | n += 1; |
2431 | } | | 2432 | } |
2432 | | | 2433 | |
2433 | /* Free allocated memory */ | | 2434 | /* Free allocated memory */ |
2434 | BN_CTX_free(bn_ctx); | | 2435 | BN_CTX_free(bn_ctx); |
2435 | if (encodedPoint != NULL) OPENSSL_free(encodedPoint); | | 2436 | if (encodedPoint != NULL) OPENSSL_free(encodedPoint); |
2436 | if (clnt_ecdh != NULL) | | 2437 | if (clnt_ecdh != NULL) |
2437 | EC_KEY_free(clnt_ecdh); | | 2438 | EC_KEY_free(clnt_ecdh); |
2438 | EVP_PKEY_free(srvr_pub_pkey); | | 2439 | EVP_PKEY_free(srvr_pub_pkey); |
2439 | } | | 2440 | } |
2440 | #endif /* !OPENSSL_NO_ECDH */ | | 2441 | #endif /* !OPENSSL_NO_ECDH */ |
2441 | else if (alg_k & SSL_kGOST) | | 2442 | else if (alg_k & SSL_kGOST) |
2442 | { | | 2443 | { |
2443 | /* GOST key exchange message creation */ | | 2444 | /* GOST key exchange message creation */ |
2444 | EVP_PKEY_CTX *pkey_ctx; | | 2445 | EVP_PKEY_CTX *pkey_ctx; |
2445 | X509 *peer_cert; | | 2446 | X509 *peer_cert; |
2446 | size_t msglen; | | 2447 | size_t msglen; |
2447 | unsigned int md_len; | | 2448 | unsigned int md_len; |
2448 | int keytype; | | 2449 | int keytype; |
2449 | unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; | | 2450 | unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; |
2450 | EVP_MD_CTX *ukm_hash; | | 2451 | EVP_MD_CTX *ukm_hash; |
2451 | EVP_PKEY *pub_key; | | 2452 | EVP_PKEY *pub_key; |
2452 | | | 2453 | |
2453 | /* Get server sertificate PKEY and create ctx from it */ | | 2454 | /* Get server sertificate PKEY and create ctx from it */ |
2454 | peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; | | 2455 | peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; |
2455 | if (!peer_cert) | | 2456 | if (!peer_cert) |
2456 | peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; | | 2457 | peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; |
2457 | if (!peer_cert) { | | 2458 | if (!peer_cert) { |
2458 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); | | 2459 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); |
2459 | goto err; | | 2460 | goto err; |
2460 | } | | 2461 | } |
2461 | | | 2462 | |
2462 | pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); | | 2463 | pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); |
2463 | /* If we have send a certificate, and certificate key | | 2464 | /* If we have send a certificate, and certificate key |
2464 | | | 2465 | |
2465 | * parameters match those of server certificate, use | | 2466 | * parameters match those of server certificate, use |
2466 | * certificate key for key exchange | | 2467 | * certificate key for key exchange |
2467 | */ | | 2468 | */ |
2468 | | | 2469 | |
2469 | /* Otherwise, generate ephemeral key pair */ | | 2470 | /* Otherwise, generate ephemeral key pair */ |
2470 | | | 2471 | |
2471 | EVP_PKEY_encrypt_init(pkey_ctx); | | 2472 | EVP_PKEY_encrypt_init(pkey_ctx); |
2472 | /* Generate session key */ | | 2473 | /* Generate session key */ |
2473 | RAND_bytes(premaster_secret,32); | | 2474 | RAND_bytes(premaster_secret,32); |
2474 | /* If we have client certificate, use its secret as peer key */ | | 2475 | /* If we have client certificate, use its secret as peer key */ |
2475 | if (s->s3->tmp.cert_req && s->cert->key->privatekey) { | | 2476 | if (s->s3->tmp.cert_req && s->cert->key->privatekey) { |
2476 | if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { | | 2477 | if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { |
2477 | /* If there was an error - just ignore it. Ephemeral key | | 2478 | /* If there was an error - just ignore it. Ephemeral key |
2478 | * would be used | | 2479 | * would be used |
2479 | */ | | 2480 | */ |
2480 | ERR_clear_error(); | | 2481 | ERR_clear_error(); |
2481 | } | | 2482 | } |
2482 | } | | 2483 | } |
2483 | /* Compute shared IV and store it in algorithm-specific | | 2484 | /* Compute shared IV and store it in algorithm-specific |
2484 | * context data */ | | 2485 | * context data */ |
2485 | ukm_hash = EVP_MD_CTX_create(); | | 2486 | ukm_hash = EVP_MD_CTX_create(); |
2486 | EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); | | 2487 | EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); |
2487 | EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); | | 2488 | EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); |
2488 | EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); | | 2489 | EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); |
2489 | EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); | | 2490 | EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); |
2490 | EVP_MD_CTX_destroy(ukm_hash); | | 2491 | EVP_MD_CTX_destroy(ukm_hash); |