Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / openssl / 1ddd788de7dc2f73716b032bdaeb988dccd95ab5 / . / ssl / s3_clnt.c
blob: 95f7c123d103b605e5c1a0d74420e4aa7679f169 [file] [log] [blame]
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1/* ssl/s3_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124
125#include <stdio.h>
126#include "ssl_locl.h"
127#include "kssl_lcl.h"
128#include <openssl/buffer.h>
129#include <openssl/rand.h>
130#include <openssl/objects.h>
131#include <openssl/evp.h>
132#include <openssl/md5.h>
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]133#ifdef OPENSSL_FIPS
134#include <openssl/fips.h>
135#endif
136
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]137#ifndef OPENSSL_NO_DH
138#include <openssl/dh.h>
139#endif
140#include <openssl/bn.h>
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]144
145static SSL_METHOD *ssl3_get_client_method(int ver);
146static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
147#ifndef OPENSSL_NO_TLSEXT
148static int ssl3_check_finished(SSL *s);
149#endif
150
151#ifndef OPENSSL_NO_ECDH
152static int curve_id2nid(int curve_id);
153int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
154#endif
155
156static SSL_METHOD *ssl3_get_client_method(int ver)
157 {
158 if (ver == SSL3_VERSION)
159 return(SSLv3_client_method());
160 else
161 return(NULL);
162 }
163
164IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
165 ssl_undefined_function,
166 ssl3_connect,
167 ssl3_get_client_method)
168
169int ssl3_connect(SSL *s)
170 {
171 BUF_MEM *buf=NULL;
172 unsigned long Time=(unsigned long)time(NULL),l;
173 long num1;
174 void (*cb)(const SSL *ssl,int type,int val)=NULL;
175 int ret= -1;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]176 int new_state,state,skip=0;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]177
178 RAND_add(&Time,sizeof(Time),0);
179 ERR_clear_error();
180 clear_sys_error();
181
182 if (s->info_callback != NULL)
183 cb=s->info_callback;
184 else if (s->ctx->info_callback != NULL)
185 cb=s->ctx->info_callback;
186
187 s->in_handshake++;
188 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame]189 if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
190 {
191 /* Reneotiation complicates the state machine */
192 s->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
193 /* Send app data along with CCS/Finished */
194 s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
195 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]196
197 for (;;)
198 {
199 state=s->state;
200
201 switch(s->state)
202 {
203 case SSL_ST_RENEGOTIATE:
204 s->new_session=1;
205 s->state=SSL_ST_CONNECT;
206 s->ctx->stats.sess_connect_renegotiate++;
207 /* break */
208 case SSL_ST_BEFORE:
209 case SSL_ST_CONNECT:
210 case SSL_ST_BEFORE|SSL_ST_CONNECT:
211 case SSL_ST_OK|SSL_ST_CONNECT:
212
213 s->server=0;
214 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
215
216 if ((s->version & 0xff00 ) != 0x0300)
217 {
218 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
219 ret = -1;
220 goto end;
221 }
222
223 /* s->version=SSL3_VERSION; */
224 s->type=SSL_ST_CONNECT;
225
226 if (s->init_buf == NULL)
227 {
228 if ((buf=BUF_MEM_new()) == NULL)
229 {
230 ret= -1;
231 goto end;
232 }
233 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
234 {
235 ret= -1;
236 goto end;
237 }
238 s->init_buf=buf;
239 buf=NULL;
240 }
241
242 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
243
244 /* setup buffing BIO */
245 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
246
247 /* don't push the buffering BIO quite yet */
248
249 ssl3_init_finished_mac(s);
250
251 s->state=SSL3_ST_CW_CLNT_HELLO_A;
252 s->ctx->stats.sess_connect++;
253 s->init_num=0;
254 break;
255
256 case SSL3_ST_CW_CLNT_HELLO_A:
257 case SSL3_ST_CW_CLNT_HELLO_B:
258
259 s->shutdown=0;
260 ret=ssl3_client_hello(s);
261 if (ret <= 0) goto end;
262 s->state=SSL3_ST_CR_SRVR_HELLO_A;
263 s->init_num=0;
264
265 /* turn on buffering for the next lot of output */
266 if (s->bbio != s->wbio)
267 s->wbio=BIO_push(s->bbio,s->wbio);
268
269 break;
270
271 case SSL3_ST_CR_SRVR_HELLO_A:
272 case SSL3_ST_CR_SRVR_HELLO_B:
273 ret=ssl3_get_server_hello(s);
274 if (ret <= 0) goto end;
275 if (s->hit)
276 s->state=SSL3_ST_CR_FINISHED_A;
277 else
278 s->state=SSL3_ST_CR_CERT_A;
279 s->init_num=0;
280 break;
281
282 case SSL3_ST_CR_CERT_A:
283 case SSL3_ST_CR_CERT_B:
284#ifndef OPENSSL_NO_TLSEXT
285 ret=ssl3_check_finished(s);
286 if (ret <= 0) goto end;
287 if (ret == 2)
288 {
289 s->hit = 1;
290 if (s->tlsext_ticket_expected)
291 s->state=SSL3_ST_CR_SESSION_TICKET_A;
292 else
293 s->state=SSL3_ST_CR_FINISHED_A;
294 s->init_num=0;
295 break;
296 }
297#endif
298 /* Check if it is anon DH/ECDH */
299 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
300 {
301 ret=ssl3_get_server_certificate(s);
302 if (ret <= 0) goto end;
303#ifndef OPENSSL_NO_TLSEXT
304 if (s->tlsext_status_expected)
305 s->state=SSL3_ST_CR_CERT_STATUS_A;
306 else
307 s->state=SSL3_ST_CR_KEY_EXCH_A;
308 }
309 else
310 {
311 skip = 1;
312 s->state=SSL3_ST_CR_KEY_EXCH_A;
313 }
314#else
315 }
316 else
317 skip=1;
318
319 s->state=SSL3_ST_CR_KEY_EXCH_A;
320#endif
321 s->init_num=0;
322 break;
323
324 case SSL3_ST_CR_KEY_EXCH_A:
325 case SSL3_ST_CR_KEY_EXCH_B:
326 ret=ssl3_get_key_exchange(s);
327 if (ret <= 0) goto end;
328 s->state=SSL3_ST_CR_CERT_REQ_A;
329 s->init_num=0;
330
331 /* at this point we check that we have the
332 * required stuff from the server */
333 if (!ssl3_check_cert_and_algorithm(s))
334 {
335 ret= -1;
336 goto end;
337 }
338 break;
339
340 case SSL3_ST_CR_CERT_REQ_A:
341 case SSL3_ST_CR_CERT_REQ_B:
342 ret=ssl3_get_certificate_request(s);
343 if (ret <= 0) goto end;
344 s->state=SSL3_ST_CR_SRVR_DONE_A;
345 s->init_num=0;
346 break;
347
348 case SSL3_ST_CR_SRVR_DONE_A:
349 case SSL3_ST_CR_SRVR_DONE_B:
350 ret=ssl3_get_server_done(s);
351 if (ret <= 0) goto end;
352 if (s->s3->tmp.cert_req)
353 s->state=SSL3_ST_CW_CERT_A;
354 else
355 s->state=SSL3_ST_CW_KEY_EXCH_A;
356 s->init_num=0;
357
358 break;
359
360 case SSL3_ST_CW_CERT_A:
361 case SSL3_ST_CW_CERT_B:
362 case SSL3_ST_CW_CERT_C:
363 case SSL3_ST_CW_CERT_D:
364 ret=ssl3_send_client_certificate(s);
365 if (ret <= 0) goto end;
366 s->state=SSL3_ST_CW_KEY_EXCH_A;
367 s->init_num=0;
368 break;
369
370 case SSL3_ST_CW_KEY_EXCH_A:
371 case SSL3_ST_CW_KEY_EXCH_B:
372 ret=ssl3_send_client_key_exchange(s);
373 if (ret <= 0) goto end;
374 l=s->s3->tmp.new_cipher->algorithms;
375 /* EAY EAY EAY need to check for DH fix cert
376 * sent back */
377 /* For TLS, cert_req is set to 2, so a cert chain
378 * of nothing is sent, but no verify packet is sent */
379 /* XXX: For now, we do not support client
380 * authentication in ECDH cipher suites with
381 * ECDH (rather than ECDSA) certificates.
382 * We need to skip the certificate verify
383 * message when client's ECDH public key is sent
384 * inside the client certificate.
385 */
386 if (s->s3->tmp.cert_req == 1)
387 {
388 s->state=SSL3_ST_CW_CERT_VRFY_A;
389 }
390 else
391 {
392 s->state=SSL3_ST_CW_CHANGE_A;
393 s->s3->change_cipher_spec=0;
394 }
395
396 s->init_num=0;
397 break;
398
399 case SSL3_ST_CW_CERT_VRFY_A:
400 case SSL3_ST_CW_CERT_VRFY_B:
401 ret=ssl3_send_client_verify(s);
402 if (ret <= 0) goto end;
403 s->state=SSL3_ST_CW_CHANGE_A;
404 s->init_num=0;
405 s->s3->change_cipher_spec=0;
406 break;
407
408 case SSL3_ST_CW_CHANGE_A:
409 case SSL3_ST_CW_CHANGE_B:
410 ret=ssl3_send_change_cipher_spec(s,
411 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
412 if (ret <= 0) goto end;
413 s->state=SSL3_ST_CW_FINISHED_A;
414 s->init_num=0;
415
416 s->session->cipher=s->s3->tmp.new_cipher;
417#ifdef OPENSSL_NO_COMP
418 s->session->compress_meth=0;
419#else
420 if (s->s3->tmp.new_compression == NULL)
421 s->session->compress_meth=0;
422 else
423 s->session->compress_meth=
424 s->s3->tmp.new_compression->id;
425#endif
426 if (!s->method->ssl3_enc->setup_key_block(s))
427 {
428 ret= -1;
429 goto end;
430 }
431
432 if (!s->method->ssl3_enc->change_cipher_state(s,
433 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
434 {
435 ret= -1;
436 goto end;
437 }
438
439 break;
440
441 case SSL3_ST_CW_FINISHED_A:
442 case SSL3_ST_CW_FINISHED_B:
443 ret=ssl3_send_finished(s,
444 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
445 s->method->ssl3_enc->client_finished_label,
446 s->method->ssl3_enc->client_finished_label_len);
447 if (ret <= 0) goto end;
448 s->state=SSL3_ST_CW_FLUSH;
449
450 /* clear flags */
451 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
452 if (s->hit)
453 {
454 s->s3->tmp.next_state=SSL_ST_OK;
455 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
456 {
457 s->state=SSL_ST_OK;
458 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
459 s->s3->delay_buf_pop_ret=0;
460 }
461 }
462 else
463 {
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]464 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128)
465 {
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame]466 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
467 {
468 s->state=SSL3_ST_CUTTHROUGH_COMPLETE;
469 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
470 s->s3->delay_buf_pop_ret=0;
471 }
472 else
473 {
474 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
475 }
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]476 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]477 else
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]478 {
479#ifndef OPENSSL_NO_TLSEXT
480 /* Allow NewSessionTicket if ticket expected */
481 if (s->tlsext_ticket_expected)
482 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
483 else
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]484#endif
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]485 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
486 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]487 }
488 s->init_num=0;
489 break;
490
491#ifndef OPENSSL_NO_TLSEXT
492 case SSL3_ST_CR_SESSION_TICKET_A:
493 case SSL3_ST_CR_SESSION_TICKET_B:
494 ret=ssl3_get_new_session_ticket(s);
495 if (ret <= 0) goto end;
496 s->state=SSL3_ST_CR_FINISHED_A;
497 s->init_num=0;
498 break;
499
500 case SSL3_ST_CR_CERT_STATUS_A:
501 case SSL3_ST_CR_CERT_STATUS_B:
502 ret=ssl3_get_cert_status(s);
503 if (ret <= 0) goto end;
504 s->state=SSL3_ST_CR_KEY_EXCH_A;
505 s->init_num=0;
506 break;
507#endif
508
509 case SSL3_ST_CR_FINISHED_A:
510 case SSL3_ST_CR_FINISHED_B:
511
512 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
513 SSL3_ST_CR_FINISHED_B);
514 if (ret <= 0) goto end;
515
516 if (s->hit)
517 s->state=SSL3_ST_CW_CHANGE_A;
518 else
519 s->state=SSL_ST_OK;
520 s->init_num=0;
521 break;
522
523 case SSL3_ST_CW_FLUSH:
524 /* number of bytes to be flushed */
525 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
526 if (num1 > 0)
527 {
528 s->rwstate=SSL_WRITING;
529 num1=BIO_flush(s->wbio);
530 if (num1 <= 0) { ret= -1; goto end; }
531 s->rwstate=SSL_NOTHING;
532 }
533
534 s->state=s->s3->tmp.next_state;
535 break;
536
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]537 case SSL3_ST_CUTTHROUGH_COMPLETE:
538#ifndef OPENSSL_NO_TLSEXT
539 /* Allow NewSessionTicket if ticket expected */
540 if (s->tlsext_ticket_expected)
541 s->state=SSL3_ST_CR_SESSION_TICKET_A;
542 else
543#endif
544 s->state=SSL3_ST_CR_FINISHED_A;
545
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame]546 /* SSL_write() will take care of flushing buffered data if
547 * DELAY_CLIENT_FINISHED is set.
548 */
549 if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED))
550 ssl_free_wbio_buffer(s);
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]551 ret = 1;
552 goto end;
553 /* break; */
554
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]555 case SSL_ST_OK:
556 /* clean a few things up */
557 ssl3_cleanup_key_block(s);
558
559 if (s->init_buf != NULL)
560 {
561 BUF_MEM_free(s->init_buf);
562 s->init_buf=NULL;
563 }
564
565 /* If we are not 'joining' the last two packets,
566 * remove the buffering now */
567 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
568 ssl_free_wbio_buffer(s);
569 /* else do it later in ssl3_write */
570
571 s->init_num=0;
572 s->new_session=0;
573
574 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
575 if (s->hit) s->ctx->stats.sess_hit++;
576
577 ret=1;
578 /* s->server=0; */
579 s->handshake_func=ssl3_connect;
580 s->ctx->stats.sess_connect_good++;
581
582 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
583
584 goto end;
585 /* break; */
586
587 default:
588 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
589 ret= -1;
590 goto end;
591 /* break; */
592 }
593
594 /* did we do anything */
595 if (!s->s3->tmp.reuse_message && !skip)
596 {
597 if (s->debug)
598 {
599 if ((ret=BIO_flush(s->wbio)) <= 0)
600 goto end;
601 }
602
603 if ((cb != NULL) && (s->state != state))
604 {
605 new_state=s->state;
606 s->state=state;
607 cb(s,SSL_CB_CONNECT_LOOP,1);
608 s->state=new_state;
609 }
610 }
611 skip=0;
612 }
613end:
614 s->in_handshake--;
615 if (buf != NULL)
616 BUF_MEM_free(buf);
617 if (cb != NULL)
618 cb(s,SSL_CB_CONNECT_EXIT,ret);
619 return(ret);
620 }
621
622
623int ssl3_client_hello(SSL *s)
624 {
625 unsigned char *buf;
626 unsigned char *p,*d;
627 int i;
628 unsigned long Time,l;
629#ifndef OPENSSL_NO_COMP
630 int j;
631 SSL_COMP *comp;
632#endif
633
634 buf=(unsigned char *)s->init_buf->data;
635 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
636 {
637 if ((s->session == NULL) ||
638 (s->session->ssl_version != s->version) ||
639 (s->session->not_resumable))
640 {
641 if (!ssl_get_new_session(s,0))
642 goto err;
643 }
644 /* else use the pre-loaded session */
645
646 p=s->s3->client_random;
647 Time=(unsigned long)time(NULL); /* Time */
648 l2n(Time,p);
649 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
650 goto err;
651
652 /* Do the message type and length last */
653 d=p= &(buf[4]);
654
655 *(p++)=s->version>>8;
656 *(p++)=s->version&0xff;
657 s->client_version=s->version;
658
659 /* Random stuff */
660 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
661 p+=SSL3_RANDOM_SIZE;
662
663 /* Session ID */
664 if (s->new_session)
665 i=0;
666 else
667 i=s->session->session_id_length;
668 *(p++)=i;
669 if (i != 0)
670 {
671 if (i > (int)sizeof(s->session->session_id))
672 {
673 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
674 goto err;
675 }
676 memcpy(p,s->session->session_id,i);
677 p+=i;
678 }
679
680 /* Ciphers supported */
681 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
682 if (i == 0)
683 {
684 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
685 goto err;
686 }
687 s2n(i,p);
688 p+=i;
689
690 /* COMPRESSION */
691#ifdef OPENSSL_NO_COMP
692 *(p++)=1;
693#else
694 if (s->ctx->comp_methods == NULL)
695 j=0;
696 else
697 j=sk_SSL_COMP_num(s->ctx->comp_methods);
698 *(p++)=1+j;
699 for (i=0; i<j; i++)
700 {
701 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
702 *(p++)=comp->id;
703 }
704#endif
705 *(p++)=0; /* Add the NULL method */
706#ifndef OPENSSL_NO_TLSEXT
707 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
708 {
709 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
710 goto err;
711 }
712#endif
713 l=(p-d);
714 d=buf;
715 *(d++)=SSL3_MT_CLIENT_HELLO;
716 l2n3(l,d);
717
718 s->state=SSL3_ST_CW_CLNT_HELLO_B;
719 /* number of bytes to write */
720 s->init_num=p-buf;
721 s->init_off=0;
722 }
723
724 /* SSL3_ST_CW_CLNT_HELLO_B */
725 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
726err:
727 return(-1);
728 }
729
730int ssl3_get_server_hello(SSL *s)
731 {
732 STACK_OF(SSL_CIPHER) *sk;
733 SSL_CIPHER *c;
734 unsigned char *p,*d;
735 int i,al,ok;
736 unsigned int j;
737 long n;
738#ifndef OPENSSL_NO_COMP
739 SSL_COMP *comp;
740#endif
741
742 n=s->method->ssl_get_message(s,
743 SSL3_ST_CR_SRVR_HELLO_A,
744 SSL3_ST_CR_SRVR_HELLO_B,
745 -1,
746 20000, /* ?? */
747 &ok);
748
749 if (!ok) return((int)n);
750
751 if ( SSL_version(s) == DTLS1_VERSION)
752 {
753 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
754 {
755 if ( s->d1->send_cookie == 0)
756 {
757 s->s3->tmp.reuse_message = 1;
758 return 1;
759 }
760 else /* already sent a cookie */
761 {
762 al=SSL_AD_UNEXPECTED_MESSAGE;
763 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
764 goto f_err;
765 }
766 }
767 }
768
769 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
770 {
771 al=SSL_AD_UNEXPECTED_MESSAGE;
772 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
773 goto f_err;
774 }
775
776 d=p=(unsigned char *)s->init_msg;
777
778 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
779 {
780 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
781 s->version=(s->version&0xff00)|p[1];
782 al=SSL_AD_PROTOCOL_VERSION;
783 goto f_err;
784 }
785 p+=2;
786
787 /* load the server hello data */
788 /* load the server random */
789 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
790 p+=SSL3_RANDOM_SIZE;
791
792 /* get the session-id */
793 j= *(p++);
794
795 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
796 {
797 al=SSL_AD_ILLEGAL_PARAMETER;
798 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
799 goto f_err;
800 }
801
802 if (j != 0 && j == s->session->session_id_length
803 && memcmp(p,s->session->session_id,j) == 0)
804 {
805 if(s->sid_ctx_length != s->session->sid_ctx_length
806 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
807 {
808 /* actually a client application bug */
809 al=SSL_AD_ILLEGAL_PARAMETER;
810 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
811 goto f_err;
812 }
813 s->hit=1;
814 }
815 else /* a miss or crap from the other end */
816 {
817 /* If we were trying for session-id reuse, make a new
818 * SSL_SESSION so we don't stuff up other people */
819 s->hit=0;
820 if (s->session->session_id_length > 0)
821 {
822 if (!ssl_get_new_session(s,0))
823 {
824 al=SSL_AD_INTERNAL_ERROR;
825 goto f_err;
826 }
827 }
828 s->session->session_id_length=j;
829 memcpy(s->session->session_id,p,j); /* j could be 0 */
830 }
831 p+=j;
832 c=ssl_get_cipher_by_char(s,p);
833 if (c == NULL)
834 {
835 /* unknown cipher */
836 al=SSL_AD_ILLEGAL_PARAMETER;
837 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
838 goto f_err;
839 }
840 p+=ssl_put_cipher_by_char(s,NULL,NULL);
841
842 sk=ssl_get_ciphers_by_id(s);
843 i=sk_SSL_CIPHER_find(sk,c);
844 if (i < 0)
845 {
846 /* we did not say we would use this cipher */
847 al=SSL_AD_ILLEGAL_PARAMETER;
848 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
849 goto f_err;
850 }
851
852 /* Depending on the session caching (internal/external), the cipher
853 and/or cipher_id values may not be set. Make sure that
854 cipher_id is set and use it for comparison. */
855 if (s->session->cipher)
856 s->session->cipher_id = s->session->cipher->id;
857 if (s->hit && (s->session->cipher_id != c->id))
858 {
859 if (!(s->options &
860 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
861 {
862 al=SSL_AD_ILLEGAL_PARAMETER;
863 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
864 goto f_err;
865 }
866 }
867 s->s3->tmp.new_cipher=c;
868
869 /* lets get the compression algorithm */
870 /* COMPRESSION */
871#ifdef OPENSSL_NO_COMP
872 if (*(p++) != 0)
873 {
874 al=SSL_AD_ILLEGAL_PARAMETER;
875 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
876 goto f_err;
877 }
878#else
879 j= *(p++);
880 if (j == 0)
881 comp=NULL;
882 else
883 comp=ssl3_comp_find(s->ctx->comp_methods,j);
884
885 if ((j != 0) && (comp == NULL))
886 {
887 al=SSL_AD_ILLEGAL_PARAMETER;
888 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
889 goto f_err;
890 }
891 else
892 {
893 s->s3->tmp.new_compression=comp;
894 }
895#endif
896#ifndef OPENSSL_NO_TLSEXT
897 /* TLS extensions*/
898 if (s->version > SSL3_VERSION)
899 {
900 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
901 {
902 /* 'al' set by ssl_parse_serverhello_tlsext */
903 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
904 goto f_err;
905 }
906 if (ssl_check_serverhello_tlsext(s) <= 0)
907 {
908 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
909 goto err;
910 }
911 }
912#endif
913
914
915 if (p != (d+n))
916 {
917 /* wrong packet length */
918 al=SSL_AD_DECODE_ERROR;
919 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
920 goto err;
921 }
922
923 return(1);
924f_err:
925 ssl3_send_alert(s,SSL3_AL_FATAL,al);
926err:
927 return(-1);
928 }
929
930int ssl3_get_server_certificate(SSL *s)
931 {
932 int al,i,ok,ret= -1;
933 unsigned long n,nc,llen,l;
934 X509 *x=NULL;
935 const unsigned char *q,*p;
936 unsigned char *d;
937 STACK_OF(X509) *sk=NULL;
938 SESS_CERT *sc;
939 EVP_PKEY *pkey=NULL;
940 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
941
942 n=s->method->ssl_get_message(s,
943 SSL3_ST_CR_CERT_A,
944 SSL3_ST_CR_CERT_B,
945 -1,
946 s->max_cert_list,
947 &ok);
948
949 if (!ok) return((int)n);
950
951 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
952 ((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) &&
953 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
954 {
955 s->s3->tmp.reuse_message=1;
956 return(1);
957 }
958
959 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
960 {
961 al=SSL_AD_UNEXPECTED_MESSAGE;
962 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
963 goto f_err;
964 }
965 p=d=(unsigned char *)s->init_msg;
966
967 if ((sk=sk_X509_new_null()) == NULL)
968 {
969 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
970 goto err;
971 }
972
973 n2l3(p,llen);
974 if (llen+3 != n)
975 {
976 al=SSL_AD_DECODE_ERROR;
977 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
978 goto f_err;
979 }
980 for (nc=0; nc<llen; )
981 {
982 n2l3(p,l);
983 if ((l+nc+3) > llen)
984 {
985 al=SSL_AD_DECODE_ERROR;
986 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
987 goto f_err;
988 }
989
990 q=p;
991 x=d2i_X509(NULL,&q,l);
992 if (x == NULL)
993 {
994 al=SSL_AD_BAD_CERTIFICATE;
995 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
996 goto f_err;
997 }
998 if (q != (p+l))
999 {
1000 al=SSL_AD_DECODE_ERROR;
1001 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1002 goto f_err;
1003 }
1004 if (!sk_X509_push(sk,x))
1005 {
1006 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1007 goto err;
1008 }
1009 x=NULL;
1010 nc+=l+3;
1011 p=q;
1012 }
1013
1014 i=ssl_verify_cert_chain(s,sk);
1015 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1016#ifndef OPENSSL_NO_KRB5
1017 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
1018 != (SSL_aKRB5|SSL_kKRB5)
1019#endif /* OPENSSL_NO_KRB5 */
1020 )
1021 {
1022 al=ssl_verify_alarm_type(s->verify_result);
1023 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
1024 goto f_err;
1025 }
1026 ERR_clear_error(); /* but we keep s->verify_result */
1027
1028 sc=ssl_sess_cert_new();
1029 if (sc == NULL) goto err;
1030
1031 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1032 s->session->sess_cert=sc;
1033
1034 sc->cert_chain=sk;
1035 /* Inconsistency alert: cert_chain does include the peer's
1036 * certificate, which we don't include in s3_srvr.c */
1037 x=sk_X509_value(sk,0);
1038 sk=NULL;
1039 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1040
1041 pkey=X509_get_pubkey(x);
1042
1043 /* VRS: allow null cert if auth == KRB5 */
1044 need_cert = ((s->s3->tmp.new_cipher->algorithms
1045 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
1046 == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
1047
1048#ifdef KSSL_DEBUG
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]1049 printf("pkey,x = %p, %p\n", (void *)pkey,(void *)x);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1050 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1051 printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
1052 s->s3->tmp.new_cipher->algorithms, need_cert);
1053#endif /* KSSL_DEBUG */
1054
1055 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1056 {
1057 x=NULL;
1058 al=SSL3_AL_FATAL;
1059 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1060 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1061 goto f_err;
1062 }
1063
1064 i=ssl_cert_type(x,pkey);
1065 if (need_cert && i < 0)
1066 {
1067 x=NULL;
1068 al=SSL3_AL_FATAL;
1069 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1070 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1071 goto f_err;
1072 }
1073
1074 if (need_cert)
1075 {
1076 sc->peer_cert_type=i;
1077 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1078 /* Why would the following ever happen?
1079 * We just created sc a couple of lines ago. */
1080 if (sc->peer_pkeys[i].x509 != NULL)
1081 X509_free(sc->peer_pkeys[i].x509);
1082 sc->peer_pkeys[i].x509=x;
1083 sc->peer_key= &(sc->peer_pkeys[i]);
1084
1085 if (s->session->peer != NULL)
1086 X509_free(s->session->peer);
1087 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1088 s->session->peer=x;
1089 }
1090 else
1091 {
1092 sc->peer_cert_type=i;
1093 sc->peer_key= NULL;
1094
1095 if (s->session->peer != NULL)
1096 X509_free(s->session->peer);
1097 s->session->peer=NULL;
1098 }
1099 s->session->verify_result = s->verify_result;
1100
1101 x=NULL;
1102 ret=1;
1103
1104 if (0)
1105 {
1106f_err:
1107 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1108 }
1109err:
1110 EVP_PKEY_free(pkey);
1111 X509_free(x);
1112 sk_X509_pop_free(sk,X509_free);
1113 return(ret);
1114 }
1115
1116int ssl3_get_key_exchange(SSL *s)
1117 {
1118#ifndef OPENSSL_NO_RSA
1119 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1120#endif
1121 EVP_MD_CTX md_ctx;
1122 unsigned char *param,*p;
1123 int al,i,j,param_len,ok;
1124 long n,alg;
1125 EVP_PKEY *pkey=NULL;
1126#ifndef OPENSSL_NO_RSA
1127 RSA *rsa=NULL;
1128#endif
1129#ifndef OPENSSL_NO_DH
1130 DH *dh=NULL;
1131#endif
1132#ifndef OPENSSL_NO_ECDH
1133 EC_KEY *ecdh = NULL;
1134 BN_CTX *bn_ctx = NULL;
1135 EC_POINT *srvr_ecpoint = NULL;
1136 int curve_nid = 0;
1137 int encoded_pt_len = 0;
1138#endif
1139
1140 /* use same message size as in ssl3_get_certificate_request()
1141 * as ServerKeyExchange message may be skipped */
1142 n=s->method->ssl_get_message(s,
1143 SSL3_ST_CR_KEY_EXCH_A,
1144 SSL3_ST_CR_KEY_EXCH_B,
1145 -1,
1146 s->max_cert_list,
1147 &ok);
1148
1149 if (!ok) return((int)n);
1150
1151 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1152 {
1153 s->s3->tmp.reuse_message=1;
1154 return(1);
1155 }
1156
1157 param=p=(unsigned char *)s->init_msg;
1158
1159 if (s->session->sess_cert != NULL)
1160 {
1161#ifndef OPENSSL_NO_RSA
1162 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1163 {
1164 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1165 s->session->sess_cert->peer_rsa_tmp=NULL;
1166 }
1167#endif
1168#ifndef OPENSSL_NO_DH
1169 if (s->session->sess_cert->peer_dh_tmp)
1170 {
1171 DH_free(s->session->sess_cert->peer_dh_tmp);
1172 s->session->sess_cert->peer_dh_tmp=NULL;
1173 }
1174#endif
1175#ifndef OPENSSL_NO_ECDH
1176 if (s->session->sess_cert->peer_ecdh_tmp)
1177 {
1178 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1179 s->session->sess_cert->peer_ecdh_tmp=NULL;
1180 }
1181#endif
1182 }
1183 else
1184 {
1185 s->session->sess_cert=ssl_sess_cert_new();
1186 }
1187
1188 param_len=0;
1189 alg=s->s3->tmp.new_cipher->algorithms;
1190 EVP_MD_CTX_init(&md_ctx);
1191
1192#ifndef OPENSSL_NO_RSA
1193 if (alg & SSL_kRSA)
1194 {
1195 if ((rsa=RSA_new()) == NULL)
1196 {
1197 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1198 goto err;
1199 }
1200 n2s(p,i);
1201 param_len=i+2;
1202 if (param_len > n)
1203 {
1204 al=SSL_AD_DECODE_ERROR;
1205 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1206 goto f_err;
1207 }
1208 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1209 {
1210 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1211 goto err;
1212 }
1213 p+=i;
1214
1215 n2s(p,i);
1216 param_len+=i+2;
1217 if (param_len > n)
1218 {
1219 al=SSL_AD_DECODE_ERROR;
1220 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1221 goto f_err;
1222 }
1223 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1224 {
1225 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1226 goto err;
1227 }
1228 p+=i;
1229 n-=param_len;
1230
1231 /* this should be because we are using an export cipher */
1232 if (alg & SSL_aRSA)
1233 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1234 else
1235 {
1236 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1237 goto err;
1238 }
1239 s->session->sess_cert->peer_rsa_tmp=rsa;
1240 rsa=NULL;
1241 }
1242#else /* OPENSSL_NO_RSA */
1243 if (0)
1244 ;
1245#endif
1246#ifndef OPENSSL_NO_DH
1247 else if (alg & SSL_kEDH)
1248 {
1249 if ((dh=DH_new()) == NULL)
1250 {
1251 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1252 goto err;
1253 }
1254 n2s(p,i);
1255 param_len=i+2;
1256 if (param_len > n)
1257 {
1258 al=SSL_AD_DECODE_ERROR;
1259 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1260 goto f_err;
1261 }
1262 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1263 {
1264 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1265 goto err;
1266 }
1267 p+=i;
1268
1269 n2s(p,i);
1270 param_len+=i+2;
1271 if (param_len > n)
1272 {
1273 al=SSL_AD_DECODE_ERROR;
1274 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1275 goto f_err;
1276 }
1277 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1278 {
1279 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1280 goto err;
1281 }
1282 p+=i;
1283
1284 n2s(p,i);
1285 param_len+=i+2;
1286 if (param_len > n)
1287 {
1288 al=SSL_AD_DECODE_ERROR;
1289 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1290 goto f_err;
1291 }
1292 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1293 {
1294 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1295 goto err;
1296 }
1297 p+=i;
1298 n-=param_len;
1299
1300#ifndef OPENSSL_NO_RSA
1301 if (alg & SSL_aRSA)
1302 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1303#else
1304 if (0)
1305 ;
1306#endif
1307#ifndef OPENSSL_NO_DSA
1308 else if (alg & SSL_aDSS)
1309 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1310#endif
1311 /* else anonymous DH, so no certificate or pkey. */
1312
1313 s->session->sess_cert->peer_dh_tmp=dh;
1314 dh=NULL;
1315 }
1316 else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1317 {
1318 al=SSL_AD_ILLEGAL_PARAMETER;
1319 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1320 goto f_err;
1321 }
1322#endif /* !OPENSSL_NO_DH */
1323
1324#ifndef OPENSSL_NO_ECDH
1325 else if (alg & SSL_kECDHE)
1326 {
1327 EC_GROUP *ngroup;
1328 const EC_GROUP *group;
1329
1330 if ((ecdh=EC_KEY_new()) == NULL)
1331 {
1332 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1333 goto err;
1334 }
1335
1336 /* Extract elliptic curve parameters and the
1337 * server's ephemeral ECDH public key.
1338 * Keep accumulating lengths of various components in
1339 * param_len and make sure it never exceeds n.
1340 */
1341
1342 /* XXX: For now we only support named (not generic) curves
1343 * and the ECParameters in this case is just three bytes.
1344 */
1345 param_len=3;
1346 if ((param_len > n) ||
1347 (*p != NAMED_CURVE_TYPE) ||
1348 ((curve_nid = curve_id2nid(*(p + 2))) == 0))
1349 {
1350 al=SSL_AD_INTERNAL_ERROR;
1351 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1352 goto f_err;
1353 }
1354
1355 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1356 if (ngroup == NULL)
1357 {
1358 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1359 goto err;
1360 }
1361 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1362 {
1363 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1364 goto err;
1365 }
1366 EC_GROUP_free(ngroup);
1367
1368 group = EC_KEY_get0_group(ecdh);
1369
1370 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1371 (EC_GROUP_get_degree(group) > 163))
1372 {
1373 al=SSL_AD_EXPORT_RESTRICTION;
1374 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1375 goto f_err;
1376 }
1377
1378 p+=3;
1379
1380 /* Next, get the encoded ECPoint */
1381 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1382 ((bn_ctx = BN_CTX_new()) == NULL))
1383 {
1384 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1385 goto err;
1386 }
1387
1388 encoded_pt_len = *p; /* length of encoded point */
1389 p+=1;
1390 param_len += (1 + encoded_pt_len);
1391 if ((param_len > n) ||
1392 (EC_POINT_oct2point(group, srvr_ecpoint,
1393 p, encoded_pt_len, bn_ctx) == 0))
1394 {
1395 al=SSL_AD_DECODE_ERROR;
1396 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1397 goto f_err;
1398 }
1399
1400 n-=param_len;
1401 p+=encoded_pt_len;
1402
1403 /* The ECC/TLS specification does not mention
1404 * the use of DSA to sign ECParameters in the server
1405 * key exchange message. We do support RSA and ECDSA.
1406 */
1407 if (0) ;
1408#ifndef OPENSSL_NO_RSA
1409 else if (alg & SSL_aRSA)
1410 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1411#endif
1412#ifndef OPENSSL_NO_ECDSA
1413 else if (alg & SSL_aECDSA)
1414 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1415#endif
1416 /* else anonymous ECDH, so no certificate or pkey. */
1417 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1418 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1419 ecdh=NULL;
1420 BN_CTX_free(bn_ctx);
1421 EC_POINT_free(srvr_ecpoint);
1422 srvr_ecpoint = NULL;
1423 }
1424 else if (alg & SSL_kECDH)
1425 {
1426 al=SSL_AD_UNEXPECTED_MESSAGE;
1427 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1428 goto f_err;
1429 }
1430#endif /* !OPENSSL_NO_ECDH */
1431 if (alg & SSL_aFZA)
1432 {
1433 al=SSL_AD_HANDSHAKE_FAILURE;
1434 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1435 goto f_err;
1436 }
1437
1438
1439 /* p points to the next byte, there are 'n' bytes left */
1440
1441 /* if it was signed, check the signature */
1442 if (pkey != NULL)
1443 {
1444 n2s(p,i);
1445 n-=2;
1446 j=EVP_PKEY_size(pkey);
1447
1448 if ((i != n) || (n > j) || (n <= 0))
1449 {
1450 /* wrong packet length */
1451 al=SSL_AD_DECODE_ERROR;
1452 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1453 goto f_err;
1454 }
1455
1456#ifndef OPENSSL_NO_RSA
1457 if (pkey->type == EVP_PKEY_RSA)
1458 {
1459 int num;
1460
1461 j=0;
1462 q=md_buf;
1463 for (num=2; num > 0; num--)
1464 {
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]1465 EVP_MD_CTX_set_flags(&md_ctx,
1466 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1467 EVP_DigestInit_ex(&md_ctx,(num == 2)
1468 ?s->ctx->md5:s->ctx->sha1, NULL);
1469 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1470 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1471 EVP_DigestUpdate(&md_ctx,param,param_len);
1472 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1473 q+=i;
1474 j+=i;
1475 }
1476 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1477 pkey->pkey.rsa);
1478 if (i < 0)
1479 {
1480 al=SSL_AD_DECRYPT_ERROR;
1481 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1482 goto f_err;
1483 }
1484 if (i == 0)
1485 {
1486 /* bad signature */
1487 al=SSL_AD_DECRYPT_ERROR;
1488 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1489 goto f_err;
1490 }
1491 }
1492 else
1493#endif
1494#ifndef OPENSSL_NO_DSA
1495 if (pkey->type == EVP_PKEY_DSA)
1496 {
1497 /* lets do DSS */
1498 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1499 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1500 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1501 EVP_VerifyUpdate(&md_ctx,param,param_len);
1502 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1503 {
1504 /* bad signature */
1505 al=SSL_AD_DECRYPT_ERROR;
1506 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1507 goto f_err;
1508 }
1509 }
1510 else
1511#endif
1512#ifndef OPENSSL_NO_ECDSA
1513 if (pkey->type == EVP_PKEY_EC)
1514 {
1515 /* let's do ECDSA */
1516 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1517 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1518 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1519 EVP_VerifyUpdate(&md_ctx,param,param_len);
1520 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1521 {
1522 /* bad signature */
1523 al=SSL_AD_DECRYPT_ERROR;
1524 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1525 goto f_err;
1526 }
1527 }
1528 else
1529#endif
1530 {
1531 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1532 goto err;
1533 }
1534 }
1535 else
1536 {
1537 /* still data left over */
1538 if (!(alg & SSL_aNULL))
1539 {
1540 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1541 goto err;
1542 }
1543 if (n != 0)
1544 {
1545 al=SSL_AD_DECODE_ERROR;
1546 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1547 goto f_err;
1548 }
1549 }
1550 EVP_PKEY_free(pkey);
1551 EVP_MD_CTX_cleanup(&md_ctx);
1552 return(1);
1553f_err:
1554 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1555err:
1556 EVP_PKEY_free(pkey);
1557#ifndef OPENSSL_NO_RSA
1558 if (rsa != NULL)
1559 RSA_free(rsa);
1560#endif
1561#ifndef OPENSSL_NO_DH
1562 if (dh != NULL)
1563 DH_free(dh);
1564#endif
1565#ifndef OPENSSL_NO_ECDH
1566 BN_CTX_free(bn_ctx);
1567 EC_POINT_free(srvr_ecpoint);
1568 if (ecdh != NULL)
1569 EC_KEY_free(ecdh);
1570#endif
1571 EVP_MD_CTX_cleanup(&md_ctx);
1572 return(-1);
1573 }
1574
1575int ssl3_get_certificate_request(SSL *s)
1576 {
1577 int ok,ret=0;
1578 unsigned long n,nc,l;
1579 unsigned int llen,ctype_num,i;
1580 X509_NAME *xn=NULL;
1581 const unsigned char *p,*q;
1582 unsigned char *d;
1583 STACK_OF(X509_NAME) *ca_sk=NULL;
1584
1585 n=s->method->ssl_get_message(s,
1586 SSL3_ST_CR_CERT_REQ_A,
1587 SSL3_ST_CR_CERT_REQ_B,
1588 -1,
1589 s->max_cert_list,
1590 &ok);
1591
1592 if (!ok) return((int)n);
1593
1594 s->s3->tmp.cert_req=0;
1595
1596 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1597 {
1598 s->s3->tmp.reuse_message=1;
1599 return(1);
1600 }
1601
1602 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1603 {
1604 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1605 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1606 goto err;
1607 }
1608
1609 /* TLS does not like anon-DH with client cert */
1610 if (s->version > SSL3_VERSION)
1611 {
1612 l=s->s3->tmp.new_cipher->algorithms;
1613 if (l & SSL_aNULL)
1614 {
1615 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1616 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1617 goto err;
1618 }
1619 }
1620
1621 p=d=(unsigned char *)s->init_msg;
1622
1623 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1624 {
1625 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1626 goto err;
1627 }
1628
1629 /* get the certificate types */
1630 ctype_num= *(p++);
1631 if (ctype_num > SSL3_CT_NUMBER)
1632 ctype_num=SSL3_CT_NUMBER;
1633 for (i=0; i<ctype_num; i++)
1634 s->s3->tmp.ctype[i]= p[i];
1635 p+=ctype_num;
1636
1637 /* get the CA RDNs */
1638 n2s(p,llen);
1639#if 0
1640{
1641FILE *out;
1642out=fopen("/tmp/vsign.der","w");
1643fwrite(p,1,llen,out);
1644fclose(out);
1645}
1646#endif
1647
1648 if ((llen+ctype_num+2+1) != n)
1649 {
1650 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1651 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1652 goto err;
1653 }
1654
1655 for (nc=0; nc<llen; )
1656 {
1657 n2s(p,l);
1658 if ((l+nc+2) > llen)
1659 {
1660 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1661 goto cont; /* netscape bugs */
1662 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1663 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1664 goto err;
1665 }
1666
1667 q=p;
1668
1669 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1670 {
1671 /* If netscape tolerance is on, ignore errors */
1672 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1673 goto cont;
1674 else
1675 {
1676 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1677 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1678 goto err;
1679 }
1680 }
1681
1682 if (q != (p+l))
1683 {
1684 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1685 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1686 goto err;
1687 }
1688 if (!sk_X509_NAME_push(ca_sk,xn))
1689 {
1690 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1691 goto err;
1692 }
1693
1694 p+=l;
1695 nc+=l+2;
1696 }
1697
1698 if (0)
1699 {
1700cont:
1701 ERR_clear_error();
1702 }
1703
1704 /* we should setup a certificate to return.... */
1705 s->s3->tmp.cert_req=1;
1706 s->s3->tmp.ctype_num=ctype_num;
1707 if (s->s3->tmp.ca_names != NULL)
1708 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1709 s->s3->tmp.ca_names=ca_sk;
1710 ca_sk=NULL;
1711
1712 ret=1;
1713err:
1714 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1715 return(ret);
1716 }
1717
1718static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1719 {
1720 return(X509_NAME_cmp(*a,*b));
1721 }
1722#ifndef OPENSSL_NO_TLSEXT
1723int ssl3_get_new_session_ticket(SSL *s)
1724 {
1725 int ok,al,ret=0, ticklen;
1726 long n;
1727 const unsigned char *p;
1728 unsigned char *d;
1729
1730 n=s->method->ssl_get_message(s,
1731 SSL3_ST_CR_SESSION_TICKET_A,
1732 SSL3_ST_CR_SESSION_TICKET_B,
1733 -1,
1734 16384,
1735 &ok);
1736
1737 if (!ok)
1738 return((int)n);
1739
1740 if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
1741 {
1742 s->s3->tmp.reuse_message=1;
1743 return(1);
1744 }
1745 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
1746 {
1747 al=SSL_AD_UNEXPECTED_MESSAGE;
1748 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
1749 goto f_err;
1750 }
1751 if (n < 6)
1752 {
1753 /* need at least ticket_lifetime_hint + ticket length */
1754 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1755 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1756 goto f_err;
1757 }
1758 p=d=(unsigned char *)s->init_msg;
1759 n2l(p, s->session->tlsext_tick_lifetime_hint);
1760 n2s(p, ticklen);
1761 /* ticket_lifetime_hint + ticket_length + ticket */
1762 if (ticklen + 6 != n)
1763 {
1764 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1765 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1766 goto f_err;
1767 }
1768 if (s->session->tlsext_tick)
1769 {
1770 OPENSSL_free(s->session->tlsext_tick);
1771 s->session->tlsext_ticklen = 0;
1772 }
1773 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1774 if (!s->session->tlsext_tick)
1775 {
1776 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
1777 goto err;
1778 }
1779 memcpy(s->session->tlsext_tick, p, ticklen);
1780 s->session->tlsext_ticklen = ticklen;
1781
1782 ret=1;
1783 return(ret);
1784f_err:
1785 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1786err:
1787 return(-1);
1788 }
1789
1790int ssl3_get_cert_status(SSL *s)
1791 {
1792 int ok, al;
1793 unsigned long resplen;
1794 long n;
1795 const unsigned char *p;
1796
1797 n=s->method->ssl_get_message(s,
1798 SSL3_ST_CR_CERT_STATUS_A,
1799 SSL3_ST_CR_CERT_STATUS_B,
1800 SSL3_MT_CERTIFICATE_STATUS,
1801 16384,
1802 &ok);
1803
1804 if (!ok) return((int)n);
1805 if (n < 4)
1806 {
1807 /* need at least status type + length */
1808 al = SSL_AD_DECODE_ERROR;
1809 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1810 goto f_err;
1811 }
1812 p = (unsigned char *)s->init_msg;
1813 if (*p++ != TLSEXT_STATUSTYPE_ocsp)
1814 {
1815 al = SSL_AD_DECODE_ERROR;
1816 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE);
1817 goto f_err;
1818 }
1819 n2l3(p, resplen);
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]1820 if (resplen + 4 != (unsigned long)n)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1821 {
1822 al = SSL_AD_DECODE_ERROR;
1823 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1824 goto f_err;
1825 }
1826 if (s->tlsext_ocsp_resp)
1827 OPENSSL_free(s->tlsext_ocsp_resp);
1828 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
1829 if (!s->tlsext_ocsp_resp)
1830 {
1831 al = SSL_AD_INTERNAL_ERROR;
1832 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1833 goto f_err;
1834 }
1835 s->tlsext_ocsp_resplen = resplen;
1836 if (s->ctx->tlsext_status_cb)
1837 {
1838 int ret;
1839 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1840 if (ret == 0)
1841 {
1842 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1843 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE);
1844 goto f_err;
1845 }
1846 if (ret < 0)
1847 {
1848 al = SSL_AD_INTERNAL_ERROR;
1849 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1850 goto f_err;
1851 }
1852 }
1853 return 1;
1854f_err:
1855 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1856 return(-1);
1857 }
1858#endif
1859
1860int ssl3_get_server_done(SSL *s)
1861 {
1862 int ok,ret=0;
1863 long n;
1864
1865 n=s->method->ssl_get_message(s,
1866 SSL3_ST_CR_SRVR_DONE_A,
1867 SSL3_ST_CR_SRVR_DONE_B,
1868 SSL3_MT_SERVER_DONE,
1869 30, /* should be very small, like 0 :-) */
1870 &ok);
1871
1872 if (!ok) return((int)n);
1873 if (n > 0)
1874 {
1875 /* should contain no data */
1876 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1877 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1878 return -1;
1879 }
1880 ret=1;
1881 return(ret);
1882 }
1883
1884
1885int ssl3_send_client_key_exchange(SSL *s)
1886 {
1887 unsigned char *p,*d;
1888 int n;
1889 unsigned long l;
1890#ifndef OPENSSL_NO_RSA
1891 unsigned char *q;
1892 EVP_PKEY *pkey=NULL;
1893#endif
1894#ifndef OPENSSL_NO_KRB5
1895 KSSL_ERR kssl_err;
1896#endif /* OPENSSL_NO_KRB5 */
1897#ifndef OPENSSL_NO_ECDH
1898 EC_KEY *clnt_ecdh = NULL;
1899 const EC_POINT *srvr_ecpoint = NULL;
1900 EVP_PKEY *srvr_pub_pkey = NULL;
1901 unsigned char *encodedPoint = NULL;
1902 int encoded_pt_len = 0;
1903 BN_CTX * bn_ctx = NULL;
1904#endif
1905
1906 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1907 {
1908 d=(unsigned char *)s->init_buf->data;
1909 p= &(d[4]);
1910
1911 l=s->s3->tmp.new_cipher->algorithms;
1912
1913 /* Fool emacs indentation */
1914 if (0) {}
1915#ifndef OPENSSL_NO_RSA
1916 else if (l & SSL_kRSA)
1917 {
1918 RSA *rsa;
1919 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1920
1921 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1922 rsa=s->session->sess_cert->peer_rsa_tmp;
1923 else
1924 {
1925 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1926 if ((pkey == NULL) ||
1927 (pkey->type != EVP_PKEY_RSA) ||
1928 (pkey->pkey.rsa == NULL))
1929 {
1930 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1931 goto err;
1932 }
1933 rsa=pkey->pkey.rsa;
1934 EVP_PKEY_free(pkey);
1935 }
1936
1937 tmp_buf[0]=s->client_version>>8;
1938 tmp_buf[1]=s->client_version&0xff;
1939 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
1940 goto err;
1941
1942 s->session->master_key_length=sizeof tmp_buf;
1943
1944 q=p;
1945 /* Fix buf for TLS and beyond */
1946 if (s->version > SSL3_VERSION)
1947 p+=2;
1948 n=RSA_public_encrypt(sizeof tmp_buf,
1949 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1950#ifdef PKCS1_CHECK
1951 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1952 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1953#endif
1954 if (n <= 0)
1955 {
1956 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1957 goto err;
1958 }
1959
1960 /* Fix buf for TLS and beyond */
1961 if (s->version > SSL3_VERSION)
1962 {
1963 s2n(n,q);
1964 n+=2;
1965 }
1966
1967 s->session->master_key_length=
1968 s->method->ssl3_enc->generate_master_secret(s,
1969 s->session->master_key,
1970 tmp_buf,sizeof tmp_buf);
1971 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
1972 }
1973#endif
1974#ifndef OPENSSL_NO_KRB5
1975 else if (l & SSL_kKRB5)
1976 {
1977 krb5_error_code krb5rc;
1978 KSSL_CTX *kssl_ctx = s->kssl_ctx;
1979 /* krb5_data krb5_ap_req; */
1980 krb5_data *enc_ticket;
1981 krb5_data authenticator, *authp = NULL;
1982 EVP_CIPHER_CTX ciph_ctx;
1983 EVP_CIPHER *enc = NULL;
1984 unsigned char iv[EVP_MAX_IV_LENGTH];
1985 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1986 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
1987 + EVP_MAX_IV_LENGTH];
1988 int padl, outl = sizeof(epms);
1989
1990 EVP_CIPHER_CTX_init(&ciph_ctx);
1991
1992#ifdef KSSL_DEBUG
1993 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1994 l, SSL_kKRB5);
1995#endif /* KSSL_DEBUG */
1996
1997 authp = NULL;
1998#ifdef KRB5SENDAUTH
1999 if (KRB5SENDAUTH) authp = &authenticator;
2000#endif /* KRB5SENDAUTH */
2001
2002 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
2003 &kssl_err);
2004 enc = kssl_map_enc(kssl_ctx->enctype);
2005 if (enc == NULL)
2006 goto err;
2007#ifdef KSSL_DEBUG
2008 {
2009 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2010 if (krb5rc && kssl_err.text)
2011 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2012 }
2013#endif /* KSSL_DEBUG */
2014
2015 if (krb5rc)
2016 {
2017 ssl3_send_alert(s,SSL3_AL_FATAL,
2018 SSL_AD_HANDSHAKE_FAILURE);
2019 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2020 kssl_err.reason);
2021 goto err;
2022 }
2023
2024 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2025 ** in place of RFC 2712 KerberosWrapper, as in:
2026 **
2027 ** Send ticket (copy to *p, set n = length)
2028 ** n = krb5_ap_req.length;
2029 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2030 ** if (krb5_ap_req.data)
2031 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2032 **
2033 ** Now using real RFC 2712 KerberosWrapper
2034 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
2035 ** Note: 2712 "opaque" types are here replaced
2036 ** with a 2-byte length followed by the value.
2037 ** Example:
2038 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
2039 ** Where "xx xx" = length bytes. Shown here with
2040 ** optional authenticator omitted.
2041 */
2042
2043 /* KerberosWrapper.Ticket */
2044 s2n(enc_ticket->length,p);
2045 memcpy(p, enc_ticket->data, enc_ticket->length);
2046 p+= enc_ticket->length;
2047 n = enc_ticket->length + 2;
2048
2049 /* KerberosWrapper.Authenticator */
2050 if (authp && authp->length)
2051 {
2052 s2n(authp->length,p);
2053 memcpy(p, authp->data, authp->length);
2054 p+= authp->length;
2055 n+= authp->length + 2;
2056
2057 free(authp->data);
2058 authp->data = NULL;
2059 authp->length = 0;
2060 }
2061 else
2062 {
2063 s2n(0,p);/* null authenticator length */
2064 n+=2;
2065 }
2066
2067 tmp_buf[0]=s->client_version>>8;
2068 tmp_buf[1]=s->client_version&0xff;
2069 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2070 goto err;
2071
2072 /* 20010420 VRS. Tried it this way; failed.
2073 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2074 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2075 ** kssl_ctx->length);
2076 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2077 */
2078
2079 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2080 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
2081 kssl_ctx->key,iv);
2082 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
2083 sizeof tmp_buf);
2084 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
2085 outl += padl;
2086 if (outl > sizeof epms)
2087 {
2088 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2089 goto err;
2090 }
2091 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2092
2093 /* KerberosWrapper.EncryptedPreMasterSecret */
2094 s2n(outl,p);
2095 memcpy(p, epms, outl);
2096 p+=outl;
2097 n+=outl + 2;
2098
2099 s->session->master_key_length=
2100 s->method->ssl3_enc->generate_master_secret(s,
2101 s->session->master_key,
2102 tmp_buf, sizeof tmp_buf);
2103
2104 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2105 OPENSSL_cleanse(epms, outl);
2106 }
2107#endif
2108#ifndef OPENSSL_NO_DH
2109 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2110 {
2111 DH *dh_srvr,*dh_clnt;
2112
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]2113 if (s->session->sess_cert == NULL)
2114 {
2115 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2116 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2117 goto err;
2118 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2119
2120 if (s->session->sess_cert->peer_dh_tmp != NULL)
2121 dh_srvr=s->session->sess_cert->peer_dh_tmp;
2122 else
2123 {
2124 /* we get them from the cert */
2125 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2126 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2127 goto err;
2128 }
2129
2130 /* generate a new random key */
2131 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2132 {
2133 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2134 goto err;
2135 }
2136 if (!DH_generate_key(dh_clnt))
2137 {
2138 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2139 goto err;
2140 }
2141
2142 /* use the 'p' output buffer for the DH key, but
2143 * make sure to clear it out afterwards */
2144
2145 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2146
2147 if (n <= 0)
2148 {
2149 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2150 goto err;
2151 }
2152
2153 /* generate master key from the result */
2154 s->session->master_key_length=
2155 s->method->ssl3_enc->generate_master_secret(s,
2156 s->session->master_key,p,n);
2157 /* clean up */
2158 memset(p,0,n);
2159
2160 /* send off the data */
2161 n=BN_num_bytes(dh_clnt->pub_key);
2162 s2n(n,p);
2163 BN_bn2bin(dh_clnt->pub_key,p);
2164 n+=2;
2165
2166 DH_free(dh_clnt);
2167
2168 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2169 }
2170#endif
2171
2172#ifndef OPENSSL_NO_ECDH
2173 else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
2174 {
2175 const EC_GROUP *srvr_group = NULL;
2176 EC_KEY *tkey;
2177 int ecdh_clnt_cert = 0;
2178 int field_size = 0;
2179
2180 /* Did we send out the client's
2181 * ECDH share for use in premaster
2182 * computation as part of client certificate?
2183 * If so, set ecdh_clnt_cert to 1.
2184 */
2185 if ((l & SSL_kECDH) && (s->cert != NULL))
2186 {
2187 /* XXX: For now, we do not support client
2188 * authentication using ECDH certificates.
2189 * To add such support, one needs to add
2190 * code that checks for appropriate
2191 * conditions and sets ecdh_clnt_cert to 1.
2192 * For example, the cert have an ECC
2193 * key on the same curve as the server's
2194 * and the key should be authorized for
2195 * key agreement.
2196 *
2197 * One also needs to add code in ssl3_connect
2198 * to skip sending the certificate verify
2199 * message.
2200 *
2201 * if ((s->cert->key->privatekey != NULL) &&
2202 * (s->cert->key->privatekey->type ==
2203 * EVP_PKEY_EC) && ...)
2204 * ecdh_clnt_cert = 1;
2205 */
2206 }
2207
2208 if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2209 {
2210 tkey = s->session->sess_cert->peer_ecdh_tmp;
2211 }
2212 else
2213 {
2214 /* Get the Server Public Key from Cert */
2215 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2216 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2217 if ((srvr_pub_pkey == NULL) ||
2218 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2219 (srvr_pub_pkey->pkey.ec == NULL))
2220 {
2221 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2222 ERR_R_INTERNAL_ERROR);
2223 goto err;
2224 }
2225
2226 tkey = srvr_pub_pkey->pkey.ec;
2227 }
2228
2229 srvr_group = EC_KEY_get0_group(tkey);
2230 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2231
2232 if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2233 {
2234 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2235 ERR_R_INTERNAL_ERROR);
2236 goto err;
2237 }
2238
2239 if ((clnt_ecdh=EC_KEY_new()) == NULL)
2240 {
2241 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2242 goto err;
2243 }
2244
2245 if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2246 {
2247 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2248 goto err;
2249 }
2250 if (ecdh_clnt_cert)
2251 {
2252 /* Reuse key info from our certificate
2253 * We only need our private key to perform
2254 * the ECDH computation.
2255 */
2256 const BIGNUM *priv_key;
2257 tkey = s->cert->key->privatekey->pkey.ec;
2258 priv_key = EC_KEY_get0_private_key(tkey);
2259 if (priv_key == NULL)
2260 {
2261 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2262 goto err;
2263 }
2264 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2265 {
2266 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2267 goto err;
2268 }
2269 }
2270 else
2271 {
2272 /* Generate a new ECDH key pair */
2273 if (!(EC_KEY_generate_key(clnt_ecdh)))
2274 {
2275 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2276 goto err;
2277 }
2278 }
2279
2280 /* use the 'p' output buffer for the ECDH key, but
2281 * make sure to clear it out afterwards
2282 */
2283
2284 field_size = EC_GROUP_get_degree(srvr_group);
2285 if (field_size <= 0)
2286 {
2287 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2288 ERR_R_ECDH_LIB);
2289 goto err;
2290 }
2291 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2292 if (n <= 0)
2293 {
2294 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2295 ERR_R_ECDH_LIB);
2296 goto err;
2297 }
2298
2299 /* generate master key from the result */
2300 s->session->master_key_length = s->method->ssl3_enc \
2301 -> generate_master_secret(s,
2302 s->session->master_key,
2303 p, n);
2304
2305 memset(p, 0, n); /* clean up */
2306
2307 if (ecdh_clnt_cert)
2308 {
2309 /* Send empty client key exch message */
2310 n = 0;
2311 }
2312 else
2313 {
2314 /* First check the size of encoding and
2315 * allocate memory accordingly.
2316 */
2317 encoded_pt_len =
2318 EC_POINT_point2oct(srvr_group,
2319 EC_KEY_get0_public_key(clnt_ecdh),
2320 POINT_CONVERSION_UNCOMPRESSED,
2321 NULL, 0, NULL);
2322
2323 encodedPoint = (unsigned char *)
2324 OPENSSL_malloc(encoded_pt_len *
2325 sizeof(unsigned char));
2326 bn_ctx = BN_CTX_new();
2327 if ((encodedPoint == NULL) ||
2328 (bn_ctx == NULL))
2329 {
2330 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2331 goto err;
2332 }
2333
2334 /* Encode the public key */
2335 n = EC_POINT_point2oct(srvr_group,
2336 EC_KEY_get0_public_key(clnt_ecdh),
2337 POINT_CONVERSION_UNCOMPRESSED,
2338 encodedPoint, encoded_pt_len, bn_ctx);
2339
2340 *p = n; /* length of encoded point */
2341 /* Encoded point will be copied here */
2342 p += 1;
2343 /* copy the point */
2344 memcpy((unsigned char *)p, encodedPoint, n);
2345 /* increment n to account for length field */
2346 n += 1;
2347 }
2348
2349 /* Free allocated memory */
2350 BN_CTX_free(bn_ctx);
2351 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2352 if (clnt_ecdh != NULL)
2353 EC_KEY_free(clnt_ecdh);
2354 EVP_PKEY_free(srvr_pub_pkey);
2355 }
2356#endif /* !OPENSSL_NO_ECDH */
2357 else
2358 {
2359 ssl3_send_alert(s, SSL3_AL_FATAL,
2360 SSL_AD_HANDSHAKE_FAILURE);
2361 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2362 ERR_R_INTERNAL_ERROR);
2363 goto err;
2364 }
2365
2366 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2367 l2n3(n,d);
2368
2369 s->state=SSL3_ST_CW_KEY_EXCH_B;
2370 /* number of bytes to write */
2371 s->init_num=n+4;
2372 s->init_off=0;
2373 }
2374
2375 /* SSL3_ST_CW_KEY_EXCH_B */
2376 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2377err:
2378#ifndef OPENSSL_NO_ECDH
2379 BN_CTX_free(bn_ctx);
2380 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2381 if (clnt_ecdh != NULL)
2382 EC_KEY_free(clnt_ecdh);
2383 EVP_PKEY_free(srvr_pub_pkey);
2384#endif
2385 return(-1);
2386 }
2387
2388int ssl3_send_client_verify(SSL *s)
2389 {
2390 unsigned char *p,*d;
2391 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2392 EVP_PKEY *pkey;
2393#ifndef OPENSSL_NO_RSA
2394 unsigned u=0;
2395#endif
2396 unsigned long n;
2397#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2398 int j;
2399#endif
2400
2401 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2402 {
2403 d=(unsigned char *)s->init_buf->data;
2404 p= &(d[4]);
2405 pkey=s->cert->key->privatekey;
2406
2407 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
2408 &(data[MD5_DIGEST_LENGTH]));
2409
2410#ifndef OPENSSL_NO_RSA
2411 if (pkey->type == EVP_PKEY_RSA)
2412 {
2413 s->method->ssl3_enc->cert_verify_mac(s,
2414 &(s->s3->finish_dgst1),&(data[0]));
2415 if (RSA_sign(NID_md5_sha1, data,
2416 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2417 &(p[2]), &u, pkey->pkey.rsa) <= 0 )
2418 {
2419 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
2420 goto err;
2421 }
2422 s2n(u,p);
2423 n=u+2;
2424 }
2425 else
2426#endif
2427#ifndef OPENSSL_NO_DSA
2428 if (pkey->type == EVP_PKEY_DSA)
2429 {
2430 if (!DSA_sign(pkey->save_type,
2431 &(data[MD5_DIGEST_LENGTH]),
2432 SHA_DIGEST_LENGTH,&(p[2]),
2433 (unsigned int *)&j,pkey->pkey.dsa))
2434 {
2435 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
2436 goto err;
2437 }
2438 s2n(j,p);
2439 n=j+2;
2440 }
2441 else
2442#endif
2443#ifndef OPENSSL_NO_ECDSA
2444 if (pkey->type == EVP_PKEY_EC)
2445 {
2446 if (!ECDSA_sign(pkey->save_type,
2447 &(data[MD5_DIGEST_LENGTH]),
2448 SHA_DIGEST_LENGTH,&(p[2]),
2449 (unsigned int *)&j,pkey->pkey.ec))
2450 {
2451 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2452 ERR_R_ECDSA_LIB);
2453 goto err;
2454 }
2455 s2n(j,p);
2456 n=j+2;
2457 }
2458 else
2459#endif
2460 {
2461 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
2462 goto err;
2463 }
2464 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
2465 l2n3(n,d);
2466
2467 s->state=SSL3_ST_CW_CERT_VRFY_B;
2468 s->init_num=(int)n+4;
2469 s->init_off=0;
2470 }
2471 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2472err:
2473 return(-1);
2474 }
2475
2476int ssl3_send_client_certificate(SSL *s)
2477 {
2478 X509 *x509=NULL;
2479 EVP_PKEY *pkey=NULL;
2480 int i;
2481 unsigned long l;
2482
2483 if (s->state == SSL3_ST_CW_CERT_A)
2484 {
2485 if ((s->cert == NULL) ||
2486 (s->cert->key->x509 == NULL) ||
2487 (s->cert->key->privatekey == NULL))
2488 s->state=SSL3_ST_CW_CERT_B;
2489 else
2490 s->state=SSL3_ST_CW_CERT_C;
2491 }
2492
2493 /* We need to get a client cert */
2494 if (s->state == SSL3_ST_CW_CERT_B)
2495 {
2496 /* If we get an error, we need to
2497 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2498 * We then get retied later */
2499 i=0;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]2500 i = ssl_do_client_cert_cb(s, &x509, &pkey);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2501 if (i < 0)
2502 {
2503 s->rwstate=SSL_X509_LOOKUP;
2504 return(-1);
2505 }
2506 s->rwstate=SSL_NOTHING;
2507 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2508 {
2509 s->state=SSL3_ST_CW_CERT_B;
2510 if ( !SSL_use_certificate(s,x509) ||
2511 !SSL_use_PrivateKey(s,pkey))
2512 i=0;
2513 }
2514 else if (i == 1)
2515 {
2516 i=0;
2517 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2518 }
2519
2520 if (x509 != NULL) X509_free(x509);
2521 if (pkey != NULL) EVP_PKEY_free(pkey);
2522 if (i == 0)
2523 {
2524 if (s->version == SSL3_VERSION)
2525 {
2526 s->s3->tmp.cert_req=0;
2527 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2528 return(1);
2529 }
2530 else
2531 {
2532 s->s3->tmp.cert_req=2;
2533 }
2534 }
2535
2536 /* Ok, we have a cert */
2537 s->state=SSL3_ST_CW_CERT_C;
2538 }
2539
2540 if (s->state == SSL3_ST_CW_CERT_C)
2541 {
2542 s->state=SSL3_ST_CW_CERT_D;
2543 l=ssl3_output_cert_chain(s,
2544 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
2545 s->init_num=(int)l;
2546 s->init_off=0;
2547 }
2548 /* SSL3_ST_CW_CERT_D */
2549 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2550 }
2551
2552#define has_bits(i,m) (((i)&(m)) == (m))
2553
2554int ssl3_check_cert_and_algorithm(SSL *s)
2555 {
2556 int i,idx;
2557 long algs;
2558 EVP_PKEY *pkey=NULL;
2559 SESS_CERT *sc;
2560#ifndef OPENSSL_NO_RSA
2561 RSA *rsa;
2562#endif
2563#ifndef OPENSSL_NO_DH
2564 DH *dh;
2565#endif
2566
2567 sc=s->session->sess_cert;
2568
2569 algs=s->s3->tmp.new_cipher->algorithms;
2570
2571 /* we don't have a certificate */
2572 if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
2573 return(1);
2574
2575 if (sc == NULL)
2576 {
2577 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
2578 goto err;
2579 }
2580
2581#ifndef OPENSSL_NO_RSA
2582 rsa=s->session->sess_cert->peer_rsa_tmp;
2583#endif
2584#ifndef OPENSSL_NO_DH
2585 dh=s->session->sess_cert->peer_dh_tmp;
2586#endif
2587
2588 /* This is the passed certificate */
2589
2590 idx=sc->peer_cert_type;
2591#ifndef OPENSSL_NO_ECDH
2592 if (idx == SSL_PKEY_ECC)
2593 {
2594 if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2595 s->s3->tmp.new_cipher) == 0)
2596 { /* check failed */
2597 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2598 goto f_err;
2599 }
2600 else
2601 {
2602 return 1;
2603 }
2604 }
2605#endif
2606 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2607 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2608 EVP_PKEY_free(pkey);
2609
2610
2611 /* Check that we have a certificate if we require one */
2612 if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2613 {
2614 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
2615 goto f_err;
2616 }
2617#ifndef OPENSSL_NO_DSA
2618 else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2619 {
2620 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
2621 goto f_err;
2622 }
2623#endif
2624#ifndef OPENSSL_NO_RSA
2625 if ((algs & SSL_kRSA) &&
2626 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2627 {
2628 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2629 goto f_err;
2630 }
2631#endif
2632#ifndef OPENSSL_NO_DH
2633 if ((algs & SSL_kEDH) &&
2634 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2635 {
2636 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
2637 goto f_err;
2638 }
2639 else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
2640 {
2641 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
2642 goto f_err;
2643 }
2644#ifndef OPENSSL_NO_DSA
2645 else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
2646 {
2647 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
2648 goto f_err;
2649 }
2650#endif
2651#endif
2652
2653 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
2654 {
2655#ifndef OPENSSL_NO_RSA
2656 if (algs & SSL_kRSA)
2657 {
2658 if (rsa == NULL
2659 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2660 {
2661 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2662 goto f_err;
2663 }
2664 }
2665 else
2666#endif
2667#ifndef OPENSSL_NO_DH
2668 if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2669 {
2670 if (dh == NULL
2671 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2672 {
2673 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
2674 goto f_err;
2675 }
2676 }
2677 else
2678#endif
2679 {
2680 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2681 goto f_err;
2682 }
2683 }
2684 return(1);
2685f_err:
2686 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2687err:
2688 return(0);
2689 }
2690
2691
2692#ifndef OPENSSL_NO_ECDH
2693/* This is the complement of nid2curve_id in s3_srvr.c. */
2694static int curve_id2nid(int curve_id)
2695{
2696 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2697 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2698 static int nid_list[26] =
2699 {
2700 0,
2701 NID_sect163k1, /* sect163k1 (1) */
2702 NID_sect163r1, /* sect163r1 (2) */
2703 NID_sect163r2, /* sect163r2 (3) */
2704 NID_sect193r1, /* sect193r1 (4) */
2705 NID_sect193r2, /* sect193r2 (5) */
2706 NID_sect233k1, /* sect233k1 (6) */
2707 NID_sect233r1, /* sect233r1 (7) */
2708 NID_sect239k1, /* sect239k1 (8) */
2709 NID_sect283k1, /* sect283k1 (9) */
2710 NID_sect283r1, /* sect283r1 (10) */
2711 NID_sect409k1, /* sect409k1 (11) */
2712 NID_sect409r1, /* sect409r1 (12) */
2713 NID_sect571k1, /* sect571k1 (13) */
2714 NID_sect571r1, /* sect571r1 (14) */
2715 NID_secp160k1, /* secp160k1 (15) */
2716 NID_secp160r1, /* secp160r1 (16) */
2717 NID_secp160r2, /* secp160r2 (17) */
2718 NID_secp192k1, /* secp192k1 (18) */
2719 NID_X9_62_prime192v1, /* secp192r1 (19) */
2720 NID_secp224k1, /* secp224k1 (20) */
2721 NID_secp224r1, /* secp224r1 (21) */
2722 NID_secp256k1, /* secp256k1 (22) */
2723 NID_X9_62_prime256v1, /* secp256r1 (23) */
2724 NID_secp384r1, /* secp384r1 (24) */
2725 NID_secp521r1 /* secp521r1 (25) */
2726 };
2727
2728 if ((curve_id < 1) || (curve_id > 25)) return 0;
2729
2730 return nid_list[curve_id];
2731}
2732#endif
2733
2734/* Check to see if handshake is full or resumed. Usually this is just a
2735 * case of checking to see if a cache hit has occurred. In the case of
2736 * session tickets we have to check the next message to be sure.
2737 */
2738
2739#ifndef OPENSSL_NO_TLSEXT
2740static int ssl3_check_finished(SSL *s)
2741 {
2742 int ok;
2743 long n;
2744 /* If we have no ticket or session ID is non-zero length (a match of
2745 * a non-zero session length would never reach here) it cannot be a
2746 * resumed session.
2747 */
2748 if (!s->session->tlsext_tick || s->session->session_id_length)
2749 return 1;
2750 /* this function is called when we really expect a Certificate
2751 * message, so permit appropriate message length */
2752 n=s->method->ssl_get_message(s,
2753 SSL3_ST_CR_CERT_A,
2754 SSL3_ST_CR_CERT_B,
2755 -1,
2756 s->max_cert_list,
2757 &ok);
2758 if (!ok) return((int)n);
2759 s->s3->tmp.reuse_message = 1;
2760 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
2761 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
2762 return 2;
2763
2764 return 1;
2765 }
2766#endif
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]2767
2768int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2769 {
2770 int i = 0;
2771#ifndef OPENSSL_NO_ENGINE
2772 if (s->ctx->client_cert_engine)
2773 {
2774 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
2775 SSL_get_client_CA_list(s),
2776 px509, ppkey, NULL, NULL, NULL);
2777 if (i != 0)
2778 return i;
2779 }
2780#endif
2781 if (s->ctx->client_cert_cb)
2782 i = s->ctx->client_cert_cb(s,px509,ppkey);
2783 return i;
2784 }