Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / openssl / 36fa7aa6abef21886f646867077ebf07088d428c / . / ssl / s3_clnt.c
blob: 5893064c8573393efbcf4205e4fb21cfca7ed77d [file] [log] [blame]
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1/* ssl/s3_clnt.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 *
114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above.
119 *
120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 *
123 */
124
125#include <stdio.h>
126#include "ssl_locl.h"
127#include "kssl_lcl.h"
128#include <openssl/buffer.h>
129#include <openssl/rand.h>
130#include <openssl/objects.h>
131#include <openssl/evp.h>
132#include <openssl/md5.h>
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]133#ifdef OPENSSL_FIPS
134#include <openssl/fips.h>
135#endif
136
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]137#ifndef OPENSSL_NO_DH
138#include <openssl/dh.h>
139#endif
140#include <openssl/bn.h>
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]144
145static SSL_METHOD *ssl3_get_client_method(int ver);
146static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]147
148#ifndef OPENSSL_NO_ECDH
149static int curve_id2nid(int curve_id);
150int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
151#endif
152
153static SSL_METHOD *ssl3_get_client_method(int ver)
154 {
155 if (ver == SSL3_VERSION)
156 return(SSLv3_client_method());
157 else
158 return(NULL);
159 }
160
161IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
162 ssl_undefined_function,
163 ssl3_connect,
164 ssl3_get_client_method)
165
166int ssl3_connect(SSL *s)
167 {
168 BUF_MEM *buf=NULL;
169 unsigned long Time=(unsigned long)time(NULL),l;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]170 void (*cb)(const SSL *ssl,int type,int val)=NULL;
171 int ret= -1;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]172 int new_state,state,skip=0;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]173
174 RAND_add(&Time,sizeof(Time),0);
175 ERR_clear_error();
176 clear_sys_error();
177
178 if (s->info_callback != NULL)
179 cb=s->info_callback;
180 else if (s->ctx->info_callback != NULL)
181 cb=s->ctx->info_callback;
182
183 s->in_handshake++;
184 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame]185 if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
186 {
187 /* Reneotiation complicates the state machine */
188 s->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
189 /* Send app data along with CCS/Finished */
190 s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED;
191 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]192
193 for (;;)
194 {
195 state=s->state;
196
197 switch(s->state)
198 {
199 case SSL_ST_RENEGOTIATE:
200 s->new_session=1;
201 s->state=SSL_ST_CONNECT;
202 s->ctx->stats.sess_connect_renegotiate++;
203 /* break */
204 case SSL_ST_BEFORE:
205 case SSL_ST_CONNECT:
206 case SSL_ST_BEFORE|SSL_ST_CONNECT:
207 case SSL_ST_OK|SSL_ST_CONNECT:
208
209 s->server=0;
210 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
211
212 if ((s->version & 0xff00 ) != 0x0300)
213 {
214 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
215 ret = -1;
216 goto end;
217 }
218
219 /* s->version=SSL3_VERSION; */
220 s->type=SSL_ST_CONNECT;
221
222 if (s->init_buf == NULL)
223 {
224 if ((buf=BUF_MEM_new()) == NULL)
225 {
226 ret= -1;
227 goto end;
228 }
229 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
230 {
231 ret= -1;
232 goto end;
233 }
234 s->init_buf=buf;
235 buf=NULL;
236 }
237
238 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
239
240 /* setup buffing BIO */
241 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
242
243 /* don't push the buffering BIO quite yet */
244
245 ssl3_init_finished_mac(s);
246
247 s->state=SSL3_ST_CW_CLNT_HELLO_A;
248 s->ctx->stats.sess_connect++;
249 s->init_num=0;
250 break;
251
252 case SSL3_ST_CW_CLNT_HELLO_A:
253 case SSL3_ST_CW_CLNT_HELLO_B:
254
255 s->shutdown=0;
256 ret=ssl3_client_hello(s);
257 if (ret <= 0) goto end;
258 s->state=SSL3_ST_CR_SRVR_HELLO_A;
259 s->init_num=0;
260
261 /* turn on buffering for the next lot of output */
262 if (s->bbio != s->wbio)
263 s->wbio=BIO_push(s->bbio,s->wbio);
264
265 break;
266
267 case SSL3_ST_CR_SRVR_HELLO_A:
268 case SSL3_ST_CR_SRVR_HELLO_B:
269 ret=ssl3_get_server_hello(s);
270 if (ret <= 0) goto end;
271 if (s->hit)
272 s->state=SSL3_ST_CR_FINISHED_A;
273 else
274 s->state=SSL3_ST_CR_CERT_A;
275 s->init_num=0;
276 break;
277
278 case SSL3_ST_CR_CERT_A:
279 case SSL3_ST_CR_CERT_B:
280#ifndef OPENSSL_NO_TLSEXT
281 ret=ssl3_check_finished(s);
282 if (ret <= 0) goto end;
283 if (ret == 2)
284 {
285 s->hit = 1;
286 if (s->tlsext_ticket_expected)
287 s->state=SSL3_ST_CR_SESSION_TICKET_A;
288 else
289 s->state=SSL3_ST_CR_FINISHED_A;
290 s->init_num=0;
291 break;
292 }
293#endif
294 /* Check if it is anon DH/ECDH */
295 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
296 {
297 ret=ssl3_get_server_certificate(s);
298 if (ret <= 0) goto end;
299#ifndef OPENSSL_NO_TLSEXT
300 if (s->tlsext_status_expected)
301 s->state=SSL3_ST_CR_CERT_STATUS_A;
302 else
303 s->state=SSL3_ST_CR_KEY_EXCH_A;
304 }
305 else
306 {
307 skip = 1;
308 s->state=SSL3_ST_CR_KEY_EXCH_A;
309 }
310#else
311 }
312 else
313 skip=1;
314
315 s->state=SSL3_ST_CR_KEY_EXCH_A;
316#endif
317 s->init_num=0;
318 break;
319
320 case SSL3_ST_CR_KEY_EXCH_A:
321 case SSL3_ST_CR_KEY_EXCH_B:
322 ret=ssl3_get_key_exchange(s);
323 if (ret <= 0) goto end;
324 s->state=SSL3_ST_CR_CERT_REQ_A;
325 s->init_num=0;
326
327 /* at this point we check that we have the
328 * required stuff from the server */
329 if (!ssl3_check_cert_and_algorithm(s))
330 {
331 ret= -1;
332 goto end;
333 }
334 break;
335
336 case SSL3_ST_CR_CERT_REQ_A:
337 case SSL3_ST_CR_CERT_REQ_B:
338 ret=ssl3_get_certificate_request(s);
339 if (ret <= 0) goto end;
340 s->state=SSL3_ST_CR_SRVR_DONE_A;
341 s->init_num=0;
342 break;
343
344 case SSL3_ST_CR_SRVR_DONE_A:
345 case SSL3_ST_CR_SRVR_DONE_B:
346 ret=ssl3_get_server_done(s);
347 if (ret <= 0) goto end;
348 if (s->s3->tmp.cert_req)
349 s->state=SSL3_ST_CW_CERT_A;
350 else
351 s->state=SSL3_ST_CW_KEY_EXCH_A;
352 s->init_num=0;
353
354 break;
355
356 case SSL3_ST_CW_CERT_A:
357 case SSL3_ST_CW_CERT_B:
358 case SSL3_ST_CW_CERT_C:
359 case SSL3_ST_CW_CERT_D:
360 ret=ssl3_send_client_certificate(s);
361 if (ret <= 0) goto end;
362 s->state=SSL3_ST_CW_KEY_EXCH_A;
363 s->init_num=0;
364 break;
365
366 case SSL3_ST_CW_KEY_EXCH_A:
367 case SSL3_ST_CW_KEY_EXCH_B:
368 ret=ssl3_send_client_key_exchange(s);
369 if (ret <= 0) goto end;
370 l=s->s3->tmp.new_cipher->algorithms;
371 /* EAY EAY EAY need to check for DH fix cert
372 * sent back */
373 /* For TLS, cert_req is set to 2, so a cert chain
374 * of nothing is sent, but no verify packet is sent */
375 /* XXX: For now, we do not support client
376 * authentication in ECDH cipher suites with
377 * ECDH (rather than ECDSA) certificates.
378 * We need to skip the certificate verify
379 * message when client's ECDH public key is sent
380 * inside the client certificate.
381 */
382 if (s->s3->tmp.cert_req == 1)
383 {
384 s->state=SSL3_ST_CW_CERT_VRFY_A;
385 }
386 else
387 {
388 s->state=SSL3_ST_CW_CHANGE_A;
389 s->s3->change_cipher_spec=0;
390 }
391
392 s->init_num=0;
393 break;
394
395 case SSL3_ST_CW_CERT_VRFY_A:
396 case SSL3_ST_CW_CERT_VRFY_B:
397 ret=ssl3_send_client_verify(s);
398 if (ret <= 0) goto end;
399 s->state=SSL3_ST_CW_CHANGE_A;
400 s->init_num=0;
401 s->s3->change_cipher_spec=0;
402 break;
403
404 case SSL3_ST_CW_CHANGE_A:
405 case SSL3_ST_CW_CHANGE_B:
406 ret=ssl3_send_change_cipher_spec(s,
407 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
408 if (ret <= 0) goto end;
409 s->state=SSL3_ST_CW_FINISHED_A;
410 s->init_num=0;
411
412 s->session->cipher=s->s3->tmp.new_cipher;
413#ifdef OPENSSL_NO_COMP
414 s->session->compress_meth=0;
415#else
416 if (s->s3->tmp.new_compression == NULL)
417 s->session->compress_meth=0;
418 else
419 s->session->compress_meth=
420 s->s3->tmp.new_compression->id;
421#endif
422 if (!s->method->ssl3_enc->setup_key_block(s))
423 {
424 ret= -1;
425 goto end;
426 }
427
428 if (!s->method->ssl3_enc->change_cipher_state(s,
429 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
430 {
431 ret= -1;
432 goto end;
433 }
434
435 break;
436
437 case SSL3_ST_CW_FINISHED_A:
438 case SSL3_ST_CW_FINISHED_B:
439 ret=ssl3_send_finished(s,
440 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
441 s->method->ssl3_enc->client_finished_label,
442 s->method->ssl3_enc->client_finished_label_len);
443 if (ret <= 0) goto end;
444 s->state=SSL3_ST_CW_FLUSH;
445
446 /* clear flags */
447 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
448 if (s->hit)
449 {
450 s->s3->tmp.next_state=SSL_ST_OK;
451 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
452 {
453 s->state=SSL_ST_OK;
454 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
455 s->s3->delay_buf_pop_ret=0;
456 }
457 }
458 else
459 {
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]460 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128)
461 {
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame]462 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
463 {
464 s->state=SSL3_ST_CUTTHROUGH_COMPLETE;
465 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
466 s->s3->delay_buf_pop_ret=0;
467 }
468 else
469 {
470 s->s3->tmp.next_state=SSL3_ST_CUTTHROUGH_COMPLETE;
471 }
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]472 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]473 else
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]474 {
475#ifndef OPENSSL_NO_TLSEXT
476 /* Allow NewSessionTicket if ticket expected */
477 if (s->tlsext_ticket_expected)
478 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
479 else
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]480#endif
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]481 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
482 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]483 }
484 s->init_num=0;
485 break;
486
487#ifndef OPENSSL_NO_TLSEXT
488 case SSL3_ST_CR_SESSION_TICKET_A:
489 case SSL3_ST_CR_SESSION_TICKET_B:
490 ret=ssl3_get_new_session_ticket(s);
491 if (ret <= 0) goto end;
492 s->state=SSL3_ST_CR_FINISHED_A;
493 s->init_num=0;
494 break;
495
496 case SSL3_ST_CR_CERT_STATUS_A:
497 case SSL3_ST_CR_CERT_STATUS_B:
498 ret=ssl3_get_cert_status(s);
499 if (ret <= 0) goto end;
500 s->state=SSL3_ST_CR_KEY_EXCH_A;
501 s->init_num=0;
502 break;
503#endif
504
505 case SSL3_ST_CR_FINISHED_A:
506 case SSL3_ST_CR_FINISHED_B:
507
508 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
509 SSL3_ST_CR_FINISHED_B);
510 if (ret <= 0) goto end;
511
512 if (s->hit)
513 s->state=SSL3_ST_CW_CHANGE_A;
514 else
515 s->state=SSL_ST_OK;
516 s->init_num=0;
517 break;
518
519 case SSL3_ST_CW_FLUSH:
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]520 s->rwstate=SSL_WRITING;
521 if (BIO_flush(s->wbio) <= 0)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]522 {
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]523 ret= -1;
524 goto end;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]525 }
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]526 s->rwstate=SSL_NOTHING;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]527 s->state=s->s3->tmp.next_state;
528 break;
529
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]530 case SSL3_ST_CUTTHROUGH_COMPLETE:
531#ifndef OPENSSL_NO_TLSEXT
532 /* Allow NewSessionTicket if ticket expected */
533 if (s->tlsext_ticket_expected)
534 s->state=SSL3_ST_CR_SESSION_TICKET_A;
535 else
536#endif
537 s->state=SSL3_ST_CR_FINISHED_A;
538
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame]539 /* SSL_write() will take care of flushing buffered data if
540 * DELAY_CLIENT_FINISHED is set.
541 */
542 if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED))
543 ssl_free_wbio_buffer(s);
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]544 ret = 1;
545 goto end;
546 /* break; */
547
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]548 case SSL_ST_OK:
549 /* clean a few things up */
550 ssl3_cleanup_key_block(s);
551
552 if (s->init_buf != NULL)
553 {
554 BUF_MEM_free(s->init_buf);
555 s->init_buf=NULL;
556 }
557
558 /* If we are not 'joining' the last two packets,
559 * remove the buffering now */
560 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
561 ssl_free_wbio_buffer(s);
562 /* else do it later in ssl3_write */
563
564 s->init_num=0;
565 s->new_session=0;
566
567 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
568 if (s->hit) s->ctx->stats.sess_hit++;
569
570 ret=1;
571 /* s->server=0; */
572 s->handshake_func=ssl3_connect;
573 s->ctx->stats.sess_connect_good++;
574
575 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
576
577 goto end;
578 /* break; */
579
580 default:
581 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
582 ret= -1;
583 goto end;
584 /* break; */
585 }
586
587 /* did we do anything */
588 if (!s->s3->tmp.reuse_message && !skip)
589 {
590 if (s->debug)
591 {
592 if ((ret=BIO_flush(s->wbio)) <= 0)
593 goto end;
594 }
595
596 if ((cb != NULL) && (s->state != state))
597 {
598 new_state=s->state;
599 s->state=state;
600 cb(s,SSL_CB_CONNECT_LOOP,1);
601 s->state=new_state;
602 }
603 }
604 skip=0;
605 }
606end:
607 s->in_handshake--;
608 if (buf != NULL)
609 BUF_MEM_free(buf);
610 if (cb != NULL)
611 cb(s,SSL_CB_CONNECT_EXIT,ret);
612 return(ret);
613 }
614
615
616int ssl3_client_hello(SSL *s)
617 {
618 unsigned char *buf;
619 unsigned char *p,*d;
620 int i;
621 unsigned long Time,l;
622#ifndef OPENSSL_NO_COMP
623 int j;
624 SSL_COMP *comp;
625#endif
626
627 buf=(unsigned char *)s->init_buf->data;
628 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
629 {
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]630 SSL_SESSION *sess = s->session;
631 if ((sess == NULL) ||
632 (sess->ssl_version != s->version) ||
633#ifdef OPENSSL_NO_TLSEXT
634 !sess->session_id_length ||
635#else
636 (!sess->session_id_length && !sess->tlsext_tick) ||
637#endif
638 (sess->not_resumable))
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]639 {
640 if (!ssl_get_new_session(s,0))
641 goto err;
642 }
643 /* else use the pre-loaded session */
644
645 p=s->s3->client_random;
646 Time=(unsigned long)time(NULL); /* Time */
647 l2n(Time,p);
648 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
649 goto err;
650
651 /* Do the message type and length last */
652 d=p= &(buf[4]);
653
654 *(p++)=s->version>>8;
655 *(p++)=s->version&0xff;
656 s->client_version=s->version;
657
658 /* Random stuff */
659 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
660 p+=SSL3_RANDOM_SIZE;
661
662 /* Session ID */
663 if (s->new_session)
664 i=0;
665 else
666 i=s->session->session_id_length;
667 *(p++)=i;
668 if (i != 0)
669 {
670 if (i > (int)sizeof(s->session->session_id))
671 {
672 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
673 goto err;
674 }
675 memcpy(p,s->session->session_id,i);
676 p+=i;
677 }
678
679 /* Ciphers supported */
680 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
681 if (i == 0)
682 {
683 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
684 goto err;
685 }
686 s2n(i,p);
687 p+=i;
688
689 /* COMPRESSION */
690#ifdef OPENSSL_NO_COMP
691 *(p++)=1;
692#else
693 if (s->ctx->comp_methods == NULL)
694 j=0;
695 else
696 j=sk_SSL_COMP_num(s->ctx->comp_methods);
697 *(p++)=1+j;
698 for (i=0; i<j; i++)
699 {
700 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
701 *(p++)=comp->id;
702 }
703#endif
704 *(p++)=0; /* Add the NULL method */
705#ifndef OPENSSL_NO_TLSEXT
706 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
707 {
708 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
709 goto err;
710 }
711#endif
712 l=(p-d);
713 d=buf;
714 *(d++)=SSL3_MT_CLIENT_HELLO;
715 l2n3(l,d);
716
717 s->state=SSL3_ST_CW_CLNT_HELLO_B;
718 /* number of bytes to write */
719 s->init_num=p-buf;
720 s->init_off=0;
721 }
722
723 /* SSL3_ST_CW_CLNT_HELLO_B */
724 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
725err:
726 return(-1);
727 }
728
729int ssl3_get_server_hello(SSL *s)
730 {
731 STACK_OF(SSL_CIPHER) *sk;
732 SSL_CIPHER *c;
733 unsigned char *p,*d;
734 int i,al,ok;
735 unsigned int j;
736 long n;
737#ifndef OPENSSL_NO_COMP
738 SSL_COMP *comp;
739#endif
740
741 n=s->method->ssl_get_message(s,
742 SSL3_ST_CR_SRVR_HELLO_A,
743 SSL3_ST_CR_SRVR_HELLO_B,
744 -1,
745 20000, /* ?? */
746 &ok);
747
748 if (!ok) return((int)n);
749
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]750 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]751 {
752 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
753 {
754 if ( s->d1->send_cookie == 0)
755 {
756 s->s3->tmp.reuse_message = 1;
757 return 1;
758 }
759 else /* already sent a cookie */
760 {
761 al=SSL_AD_UNEXPECTED_MESSAGE;
762 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
763 goto f_err;
764 }
765 }
766 }
767
768 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
769 {
770 al=SSL_AD_UNEXPECTED_MESSAGE;
771 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
772 goto f_err;
773 }
774
775 d=p=(unsigned char *)s->init_msg;
776
777 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
778 {
779 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
780 s->version=(s->version&0xff00)|p[1];
781 al=SSL_AD_PROTOCOL_VERSION;
782 goto f_err;
783 }
784 p+=2;
785
786 /* load the server hello data */
787 /* load the server random */
788 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
789 p+=SSL3_RANDOM_SIZE;
790
791 /* get the session-id */
792 j= *(p++);
793
794 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
795 {
796 al=SSL_AD_ILLEGAL_PARAMETER;
797 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
798 goto f_err;
799 }
800
801 if (j != 0 && j == s->session->session_id_length
802 && memcmp(p,s->session->session_id,j) == 0)
803 {
804 if(s->sid_ctx_length != s->session->sid_ctx_length
805 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
806 {
807 /* actually a client application bug */
808 al=SSL_AD_ILLEGAL_PARAMETER;
809 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
810 goto f_err;
811 }
812 s->hit=1;
813 }
814 else /* a miss or crap from the other end */
815 {
816 /* If we were trying for session-id reuse, make a new
817 * SSL_SESSION so we don't stuff up other people */
818 s->hit=0;
819 if (s->session->session_id_length > 0)
820 {
821 if (!ssl_get_new_session(s,0))
822 {
823 al=SSL_AD_INTERNAL_ERROR;
824 goto f_err;
825 }
826 }
827 s->session->session_id_length=j;
828 memcpy(s->session->session_id,p,j); /* j could be 0 */
829 }
830 p+=j;
831 c=ssl_get_cipher_by_char(s,p);
832 if (c == NULL)
833 {
834 /* unknown cipher */
835 al=SSL_AD_ILLEGAL_PARAMETER;
836 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
837 goto f_err;
838 }
839 p+=ssl_put_cipher_by_char(s,NULL,NULL);
840
841 sk=ssl_get_ciphers_by_id(s);
842 i=sk_SSL_CIPHER_find(sk,c);
843 if (i < 0)
844 {
845 /* we did not say we would use this cipher */
846 al=SSL_AD_ILLEGAL_PARAMETER;
847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
848 goto f_err;
849 }
850
851 /* Depending on the session caching (internal/external), the cipher
852 and/or cipher_id values may not be set. Make sure that
853 cipher_id is set and use it for comparison. */
854 if (s->session->cipher)
855 s->session->cipher_id = s->session->cipher->id;
856 if (s->hit && (s->session->cipher_id != c->id))
857 {
858 if (!(s->options &
859 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
860 {
861 al=SSL_AD_ILLEGAL_PARAMETER;
862 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
863 goto f_err;
864 }
865 }
866 s->s3->tmp.new_cipher=c;
867
868 /* lets get the compression algorithm */
869 /* COMPRESSION */
870#ifdef OPENSSL_NO_COMP
871 if (*(p++) != 0)
872 {
873 al=SSL_AD_ILLEGAL_PARAMETER;
874 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
875 goto f_err;
876 }
877#else
878 j= *(p++);
879 if (j == 0)
880 comp=NULL;
881 else
882 comp=ssl3_comp_find(s->ctx->comp_methods,j);
883
884 if ((j != 0) && (comp == NULL))
885 {
886 al=SSL_AD_ILLEGAL_PARAMETER;
887 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
888 goto f_err;
889 }
890 else
891 {
892 s->s3->tmp.new_compression=comp;
893 }
894#endif
895#ifndef OPENSSL_NO_TLSEXT
896 /* TLS extensions*/
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]897 if (s->version >= SSL3_VERSION)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]898 {
899 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
900 {
901 /* 'al' set by ssl_parse_serverhello_tlsext */
902 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
903 goto f_err;
904 }
905 if (ssl_check_serverhello_tlsext(s) <= 0)
906 {
907 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
908 goto err;
909 }
910 }
911#endif
912
913
914 if (p != (d+n))
915 {
916 /* wrong packet length */
917 al=SSL_AD_DECODE_ERROR;
918 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
919 goto err;
920 }
921
922 return(1);
923f_err:
924 ssl3_send_alert(s,SSL3_AL_FATAL,al);
925err:
926 return(-1);
927 }
928
929int ssl3_get_server_certificate(SSL *s)
930 {
931 int al,i,ok,ret= -1;
932 unsigned long n,nc,llen,l;
933 X509 *x=NULL;
934 const unsigned char *q,*p;
935 unsigned char *d;
936 STACK_OF(X509) *sk=NULL;
937 SESS_CERT *sc;
938 EVP_PKEY *pkey=NULL;
939 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
940
941 n=s->method->ssl_get_message(s,
942 SSL3_ST_CR_CERT_A,
943 SSL3_ST_CR_CERT_B,
944 -1,
945 s->max_cert_list,
946 &ok);
947
948 if (!ok) return((int)n);
949
950 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
951 ((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) &&
952 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
953 {
954 s->s3->tmp.reuse_message=1;
955 return(1);
956 }
957
958 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
959 {
960 al=SSL_AD_UNEXPECTED_MESSAGE;
961 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
962 goto f_err;
963 }
964 p=d=(unsigned char *)s->init_msg;
965
966 if ((sk=sk_X509_new_null()) == NULL)
967 {
968 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
969 goto err;
970 }
971
972 n2l3(p,llen);
973 if (llen+3 != n)
974 {
975 al=SSL_AD_DECODE_ERROR;
976 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
977 goto f_err;
978 }
979 for (nc=0; nc<llen; )
980 {
981 n2l3(p,l);
982 if ((l+nc+3) > llen)
983 {
984 al=SSL_AD_DECODE_ERROR;
985 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
986 goto f_err;
987 }
988
989 q=p;
990 x=d2i_X509(NULL,&q,l);
991 if (x == NULL)
992 {
993 al=SSL_AD_BAD_CERTIFICATE;
994 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
995 goto f_err;
996 }
997 if (q != (p+l))
998 {
999 al=SSL_AD_DECODE_ERROR;
1000 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1001 goto f_err;
1002 }
1003 if (!sk_X509_push(sk,x))
1004 {
1005 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1006 goto err;
1007 }
1008 x=NULL;
1009 nc+=l+3;
1010 p=q;
1011 }
1012
1013 i=ssl_verify_cert_chain(s,sk);
1014 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1015#ifndef OPENSSL_NO_KRB5
1016 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
1017 != (SSL_aKRB5|SSL_kKRB5)
1018#endif /* OPENSSL_NO_KRB5 */
1019 )
1020 {
1021 al=ssl_verify_alarm_type(s->verify_result);
1022 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
1023 goto f_err;
1024 }
1025 ERR_clear_error(); /* but we keep s->verify_result */
1026
1027 sc=ssl_sess_cert_new();
1028 if (sc == NULL) goto err;
1029
1030 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1031 s->session->sess_cert=sc;
1032
1033 sc->cert_chain=sk;
1034 /* Inconsistency alert: cert_chain does include the peer's
1035 * certificate, which we don't include in s3_srvr.c */
1036 x=sk_X509_value(sk,0);
1037 sk=NULL;
1038 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1039
1040 pkey=X509_get_pubkey(x);
1041
1042 /* VRS: allow null cert if auth == KRB5 */
1043 need_cert = ((s->s3->tmp.new_cipher->algorithms
1044 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
1045 == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
1046
1047#ifdef KSSL_DEBUG
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]1048 printf("pkey,x = %p, %p\n", (void *)pkey,(void *)x);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1049 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1050 printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
1051 s->s3->tmp.new_cipher->algorithms, need_cert);
1052#endif /* KSSL_DEBUG */
1053
1054 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1055 {
1056 x=NULL;
1057 al=SSL3_AL_FATAL;
1058 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1059 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1060 goto f_err;
1061 }
1062
1063 i=ssl_cert_type(x,pkey);
1064 if (need_cert && i < 0)
1065 {
1066 x=NULL;
1067 al=SSL3_AL_FATAL;
1068 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1069 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1070 goto f_err;
1071 }
1072
1073 if (need_cert)
1074 {
1075 sc->peer_cert_type=i;
1076 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1077 /* Why would the following ever happen?
1078 * We just created sc a couple of lines ago. */
1079 if (sc->peer_pkeys[i].x509 != NULL)
1080 X509_free(sc->peer_pkeys[i].x509);
1081 sc->peer_pkeys[i].x509=x;
1082 sc->peer_key= &(sc->peer_pkeys[i]);
1083
1084 if (s->session->peer != NULL)
1085 X509_free(s->session->peer);
1086 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1087 s->session->peer=x;
1088 }
1089 else
1090 {
1091 sc->peer_cert_type=i;
1092 sc->peer_key= NULL;
1093
1094 if (s->session->peer != NULL)
1095 X509_free(s->session->peer);
1096 s->session->peer=NULL;
1097 }
1098 s->session->verify_result = s->verify_result;
1099
1100 x=NULL;
1101 ret=1;
1102
1103 if (0)
1104 {
1105f_err:
1106 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1107 }
1108err:
1109 EVP_PKEY_free(pkey);
1110 X509_free(x);
1111 sk_X509_pop_free(sk,X509_free);
1112 return(ret);
1113 }
1114
1115int ssl3_get_key_exchange(SSL *s)
1116 {
1117#ifndef OPENSSL_NO_RSA
1118 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1119#endif
1120 EVP_MD_CTX md_ctx;
1121 unsigned char *param,*p;
1122 int al,i,j,param_len,ok;
1123 long n,alg;
1124 EVP_PKEY *pkey=NULL;
1125#ifndef OPENSSL_NO_RSA
1126 RSA *rsa=NULL;
1127#endif
1128#ifndef OPENSSL_NO_DH
1129 DH *dh=NULL;
1130#endif
1131#ifndef OPENSSL_NO_ECDH
1132 EC_KEY *ecdh = NULL;
1133 BN_CTX *bn_ctx = NULL;
1134 EC_POINT *srvr_ecpoint = NULL;
1135 int curve_nid = 0;
1136 int encoded_pt_len = 0;
1137#endif
1138
1139 /* use same message size as in ssl3_get_certificate_request()
1140 * as ServerKeyExchange message may be skipped */
1141 n=s->method->ssl_get_message(s,
1142 SSL3_ST_CR_KEY_EXCH_A,
1143 SSL3_ST_CR_KEY_EXCH_B,
1144 -1,
1145 s->max_cert_list,
1146 &ok);
1147
1148 if (!ok) return((int)n);
1149
1150 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1151 {
1152 s->s3->tmp.reuse_message=1;
1153 return(1);
1154 }
1155
1156 param=p=(unsigned char *)s->init_msg;
1157
1158 if (s->session->sess_cert != NULL)
1159 {
1160#ifndef OPENSSL_NO_RSA
1161 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1162 {
1163 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1164 s->session->sess_cert->peer_rsa_tmp=NULL;
1165 }
1166#endif
1167#ifndef OPENSSL_NO_DH
1168 if (s->session->sess_cert->peer_dh_tmp)
1169 {
1170 DH_free(s->session->sess_cert->peer_dh_tmp);
1171 s->session->sess_cert->peer_dh_tmp=NULL;
1172 }
1173#endif
1174#ifndef OPENSSL_NO_ECDH
1175 if (s->session->sess_cert->peer_ecdh_tmp)
1176 {
1177 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1178 s->session->sess_cert->peer_ecdh_tmp=NULL;
1179 }
1180#endif
1181 }
1182 else
1183 {
1184 s->session->sess_cert=ssl_sess_cert_new();
1185 }
1186
1187 param_len=0;
1188 alg=s->s3->tmp.new_cipher->algorithms;
1189 EVP_MD_CTX_init(&md_ctx);
1190
1191#ifndef OPENSSL_NO_RSA
1192 if (alg & SSL_kRSA)
1193 {
1194 if ((rsa=RSA_new()) == NULL)
1195 {
1196 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1197 goto err;
1198 }
1199 n2s(p,i);
1200 param_len=i+2;
1201 if (param_len > n)
1202 {
1203 al=SSL_AD_DECODE_ERROR;
1204 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1205 goto f_err;
1206 }
1207 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1208 {
1209 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1210 goto err;
1211 }
1212 p+=i;
1213
1214 n2s(p,i);
1215 param_len+=i+2;
1216 if (param_len > n)
1217 {
1218 al=SSL_AD_DECODE_ERROR;
1219 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1220 goto f_err;
1221 }
1222 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1223 {
1224 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1225 goto err;
1226 }
1227 p+=i;
1228 n-=param_len;
1229
1230 /* this should be because we are using an export cipher */
1231 if (alg & SSL_aRSA)
1232 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1233 else
1234 {
1235 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1236 goto err;
1237 }
1238 s->session->sess_cert->peer_rsa_tmp=rsa;
1239 rsa=NULL;
1240 }
1241#else /* OPENSSL_NO_RSA */
1242 if (0)
1243 ;
1244#endif
1245#ifndef OPENSSL_NO_DH
1246 else if (alg & SSL_kEDH)
1247 {
1248 if ((dh=DH_new()) == NULL)
1249 {
1250 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1251 goto err;
1252 }
1253 n2s(p,i);
1254 param_len=i+2;
1255 if (param_len > n)
1256 {
1257 al=SSL_AD_DECODE_ERROR;
1258 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1259 goto f_err;
1260 }
1261 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1262 {
1263 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1264 goto err;
1265 }
1266 p+=i;
1267
1268 n2s(p,i);
1269 param_len+=i+2;
1270 if (param_len > n)
1271 {
1272 al=SSL_AD_DECODE_ERROR;
1273 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1274 goto f_err;
1275 }
1276 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1277 {
1278 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1279 goto err;
1280 }
1281 p+=i;
1282
1283 n2s(p,i);
1284 param_len+=i+2;
1285 if (param_len > n)
1286 {
1287 al=SSL_AD_DECODE_ERROR;
1288 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1289 goto f_err;
1290 }
1291 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1292 {
1293 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1294 goto err;
1295 }
1296 p+=i;
1297 n-=param_len;
1298
1299#ifndef OPENSSL_NO_RSA
1300 if (alg & SSL_aRSA)
1301 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1302#else
1303 if (0)
1304 ;
1305#endif
1306#ifndef OPENSSL_NO_DSA
1307 else if (alg & SSL_aDSS)
1308 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1309#endif
1310 /* else anonymous DH, so no certificate or pkey. */
1311
1312 s->session->sess_cert->peer_dh_tmp=dh;
1313 dh=NULL;
1314 }
1315 else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1316 {
1317 al=SSL_AD_ILLEGAL_PARAMETER;
1318 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1319 goto f_err;
1320 }
1321#endif /* !OPENSSL_NO_DH */
1322
1323#ifndef OPENSSL_NO_ECDH
1324 else if (alg & SSL_kECDHE)
1325 {
1326 EC_GROUP *ngroup;
1327 const EC_GROUP *group;
1328
1329 if ((ecdh=EC_KEY_new()) == NULL)
1330 {
1331 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1332 goto err;
1333 }
1334
1335 /* Extract elliptic curve parameters and the
1336 * server's ephemeral ECDH public key.
1337 * Keep accumulating lengths of various components in
1338 * param_len and make sure it never exceeds n.
1339 */
1340
1341 /* XXX: For now we only support named (not generic) curves
1342 * and the ECParameters in this case is just three bytes.
1343 */
1344 param_len=3;
1345 if ((param_len > n) ||
1346 (*p != NAMED_CURVE_TYPE) ||
1347 ((curve_nid = curve_id2nid(*(p + 2))) == 0))
1348 {
1349 al=SSL_AD_INTERNAL_ERROR;
1350 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1351 goto f_err;
1352 }
1353
1354 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1355 if (ngroup == NULL)
1356 {
1357 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1358 goto err;
1359 }
1360 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1361 {
1362 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1363 goto err;
1364 }
1365 EC_GROUP_free(ngroup);
1366
1367 group = EC_KEY_get0_group(ecdh);
1368
1369 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1370 (EC_GROUP_get_degree(group) > 163))
1371 {
1372 al=SSL_AD_EXPORT_RESTRICTION;
1373 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1374 goto f_err;
1375 }
1376
1377 p+=3;
1378
1379 /* Next, get the encoded ECPoint */
1380 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1381 ((bn_ctx = BN_CTX_new()) == NULL))
1382 {
1383 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1384 goto err;
1385 }
1386
1387 encoded_pt_len = *p; /* length of encoded point */
1388 p+=1;
1389 param_len += (1 + encoded_pt_len);
1390 if ((param_len > n) ||
1391 (EC_POINT_oct2point(group, srvr_ecpoint,
1392 p, encoded_pt_len, bn_ctx) == 0))
1393 {
1394 al=SSL_AD_DECODE_ERROR;
1395 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1396 goto f_err;
1397 }
1398
1399 n-=param_len;
1400 p+=encoded_pt_len;
1401
1402 /* The ECC/TLS specification does not mention
1403 * the use of DSA to sign ECParameters in the server
1404 * key exchange message. We do support RSA and ECDSA.
1405 */
1406 if (0) ;
1407#ifndef OPENSSL_NO_RSA
1408 else if (alg & SSL_aRSA)
1409 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1410#endif
1411#ifndef OPENSSL_NO_ECDSA
1412 else if (alg & SSL_aECDSA)
1413 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1414#endif
1415 /* else anonymous ECDH, so no certificate or pkey. */
1416 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1417 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1418 ecdh=NULL;
1419 BN_CTX_free(bn_ctx);
1420 EC_POINT_free(srvr_ecpoint);
1421 srvr_ecpoint = NULL;
1422 }
1423 else if (alg & SSL_kECDH)
1424 {
1425 al=SSL_AD_UNEXPECTED_MESSAGE;
1426 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1427 goto f_err;
1428 }
1429#endif /* !OPENSSL_NO_ECDH */
1430 if (alg & SSL_aFZA)
1431 {
1432 al=SSL_AD_HANDSHAKE_FAILURE;
1433 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1434 goto f_err;
1435 }
1436
1437
1438 /* p points to the next byte, there are 'n' bytes left */
1439
1440 /* if it was signed, check the signature */
1441 if (pkey != NULL)
1442 {
1443 n2s(p,i);
1444 n-=2;
1445 j=EVP_PKEY_size(pkey);
1446
1447 if ((i != n) || (n > j) || (n <= 0))
1448 {
1449 /* wrong packet length */
1450 al=SSL_AD_DECODE_ERROR;
1451 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1452 goto f_err;
1453 }
1454
1455#ifndef OPENSSL_NO_RSA
1456 if (pkey->type == EVP_PKEY_RSA)
1457 {
1458 int num;
1459
1460 j=0;
1461 q=md_buf;
1462 for (num=2; num > 0; num--)
1463 {
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]1464 EVP_MD_CTX_set_flags(&md_ctx,
1465 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1466 EVP_DigestInit_ex(&md_ctx,(num == 2)
1467 ?s->ctx->md5:s->ctx->sha1, NULL);
1468 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1469 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1470 EVP_DigestUpdate(&md_ctx,param,param_len);
1471 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1472 q+=i;
1473 j+=i;
1474 }
1475 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1476 pkey->pkey.rsa);
1477 if (i < 0)
1478 {
1479 al=SSL_AD_DECRYPT_ERROR;
1480 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1481 goto f_err;
1482 }
1483 if (i == 0)
1484 {
1485 /* bad signature */
1486 al=SSL_AD_DECRYPT_ERROR;
1487 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1488 goto f_err;
1489 }
1490 }
1491 else
1492#endif
1493#ifndef OPENSSL_NO_DSA
1494 if (pkey->type == EVP_PKEY_DSA)
1495 {
1496 /* lets do DSS */
1497 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1498 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1499 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1500 EVP_VerifyUpdate(&md_ctx,param,param_len);
1501 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1502 {
1503 /* bad signature */
1504 al=SSL_AD_DECRYPT_ERROR;
1505 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1506 goto f_err;
1507 }
1508 }
1509 else
1510#endif
1511#ifndef OPENSSL_NO_ECDSA
1512 if (pkey->type == EVP_PKEY_EC)
1513 {
1514 /* let's do ECDSA */
1515 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1516 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1517 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1518 EVP_VerifyUpdate(&md_ctx,param,param_len);
1519 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1520 {
1521 /* bad signature */
1522 al=SSL_AD_DECRYPT_ERROR;
1523 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1524 goto f_err;
1525 }
1526 }
1527 else
1528#endif
1529 {
1530 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1531 goto err;
1532 }
1533 }
1534 else
1535 {
1536 /* still data left over */
1537 if (!(alg & SSL_aNULL))
1538 {
1539 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1540 goto err;
1541 }
1542 if (n != 0)
1543 {
1544 al=SSL_AD_DECODE_ERROR;
1545 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1546 goto f_err;
1547 }
1548 }
1549 EVP_PKEY_free(pkey);
1550 EVP_MD_CTX_cleanup(&md_ctx);
1551 return(1);
1552f_err:
1553 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1554err:
1555 EVP_PKEY_free(pkey);
1556#ifndef OPENSSL_NO_RSA
1557 if (rsa != NULL)
1558 RSA_free(rsa);
1559#endif
1560#ifndef OPENSSL_NO_DH
1561 if (dh != NULL)
1562 DH_free(dh);
1563#endif
1564#ifndef OPENSSL_NO_ECDH
1565 BN_CTX_free(bn_ctx);
1566 EC_POINT_free(srvr_ecpoint);
1567 if (ecdh != NULL)
1568 EC_KEY_free(ecdh);
1569#endif
1570 EVP_MD_CTX_cleanup(&md_ctx);
1571 return(-1);
1572 }
1573
1574int ssl3_get_certificate_request(SSL *s)
1575 {
1576 int ok,ret=0;
1577 unsigned long n,nc,l;
1578 unsigned int llen,ctype_num,i;
1579 X509_NAME *xn=NULL;
1580 const unsigned char *p,*q;
1581 unsigned char *d;
1582 STACK_OF(X509_NAME) *ca_sk=NULL;
1583
1584 n=s->method->ssl_get_message(s,
1585 SSL3_ST_CR_CERT_REQ_A,
1586 SSL3_ST_CR_CERT_REQ_B,
1587 -1,
1588 s->max_cert_list,
1589 &ok);
1590
1591 if (!ok) return((int)n);
1592
1593 s->s3->tmp.cert_req=0;
1594
1595 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1596 {
1597 s->s3->tmp.reuse_message=1;
1598 return(1);
1599 }
1600
1601 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1602 {
1603 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1604 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1605 goto err;
1606 }
1607
1608 /* TLS does not like anon-DH with client cert */
1609 if (s->version > SSL3_VERSION)
1610 {
1611 l=s->s3->tmp.new_cipher->algorithms;
1612 if (l & SSL_aNULL)
1613 {
1614 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1615 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1616 goto err;
1617 }
1618 }
1619
1620 p=d=(unsigned char *)s->init_msg;
1621
1622 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1623 {
1624 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1625 goto err;
1626 }
1627
1628 /* get the certificate types */
1629 ctype_num= *(p++);
1630 if (ctype_num > SSL3_CT_NUMBER)
1631 ctype_num=SSL3_CT_NUMBER;
1632 for (i=0; i<ctype_num; i++)
1633 s->s3->tmp.ctype[i]= p[i];
1634 p+=ctype_num;
1635
1636 /* get the CA RDNs */
1637 n2s(p,llen);
1638#if 0
1639{
1640FILE *out;
1641out=fopen("/tmp/vsign.der","w");
1642fwrite(p,1,llen,out);
1643fclose(out);
1644}
1645#endif
1646
1647 if ((llen+ctype_num+2+1) != n)
1648 {
1649 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1650 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1651 goto err;
1652 }
1653
1654 for (nc=0; nc<llen; )
1655 {
1656 n2s(p,l);
1657 if ((l+nc+2) > llen)
1658 {
1659 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1660 goto cont; /* netscape bugs */
1661 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1662 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1663 goto err;
1664 }
1665
1666 q=p;
1667
1668 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1669 {
1670 /* If netscape tolerance is on, ignore errors */
1671 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1672 goto cont;
1673 else
1674 {
1675 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1676 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1677 goto err;
1678 }
1679 }
1680
1681 if (q != (p+l))
1682 {
1683 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1684 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1685 goto err;
1686 }
1687 if (!sk_X509_NAME_push(ca_sk,xn))
1688 {
1689 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1690 goto err;
1691 }
1692
1693 p+=l;
1694 nc+=l+2;
1695 }
1696
1697 if (0)
1698 {
1699cont:
1700 ERR_clear_error();
1701 }
1702
1703 /* we should setup a certificate to return.... */
1704 s->s3->tmp.cert_req=1;
1705 s->s3->tmp.ctype_num=ctype_num;
1706 if (s->s3->tmp.ca_names != NULL)
1707 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1708 s->s3->tmp.ca_names=ca_sk;
1709 ca_sk=NULL;
1710
1711 ret=1;
1712err:
1713 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1714 return(ret);
1715 }
1716
1717static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1718 {
1719 return(X509_NAME_cmp(*a,*b));
1720 }
1721#ifndef OPENSSL_NO_TLSEXT
1722int ssl3_get_new_session_ticket(SSL *s)
1723 {
1724 int ok,al,ret=0, ticklen;
1725 long n;
1726 const unsigned char *p;
1727 unsigned char *d;
1728
1729 n=s->method->ssl_get_message(s,
1730 SSL3_ST_CR_SESSION_TICKET_A,
1731 SSL3_ST_CR_SESSION_TICKET_B,
1732 -1,
1733 16384,
1734 &ok);
1735
1736 if (!ok)
1737 return((int)n);
1738
1739 if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
1740 {
1741 s->s3->tmp.reuse_message=1;
1742 return(1);
1743 }
1744 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
1745 {
1746 al=SSL_AD_UNEXPECTED_MESSAGE;
1747 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
1748 goto f_err;
1749 }
1750 if (n < 6)
1751 {
1752 /* need at least ticket_lifetime_hint + ticket length */
1753 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1754 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1755 goto f_err;
1756 }
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]1757
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1758 p=d=(unsigned char *)s->init_msg;
1759 n2l(p, s->session->tlsext_tick_lifetime_hint);
1760 n2s(p, ticklen);
1761 /* ticket_lifetime_hint + ticket_length + ticket */
1762 if (ticklen + 6 != n)
1763 {
1764 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1765 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1766 goto f_err;
1767 }
1768 if (s->session->tlsext_tick)
1769 {
1770 OPENSSL_free(s->session->tlsext_tick);
1771 s->session->tlsext_ticklen = 0;
1772 }
1773 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1774 if (!s->session->tlsext_tick)
1775 {
1776 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
1777 goto err;
1778 }
1779 memcpy(s->session->tlsext_tick, p, ticklen);
1780 s->session->tlsext_ticklen = ticklen;
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]1781 /* There are two ways to detect a resumed ticket sesion.
1782 * One is to set an appropriate session ID and then the server
1783 * must return a match in ServerHello. This allows the normal
1784 * client session ID matching to work and we know much
1785 * earlier that the ticket has been accepted.
1786 *
1787 * The other way is to set zero length session ID when the
1788 * ticket is presented and rely on the handshake to determine
1789 * session resumption.
1790 *
1791 * We choose the former approach because this fits in with
1792 * assumptions elsewhere in OpenSSL. The session ID is set
1793 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
1794 * ticket.
1795 */
1796 EVP_Digest(p, ticklen,
1797 s->session->session_id, &s->session->session_id_length,
1798#ifndef OPENSSL_NO_SHA256
1799 EVP_sha256(), NULL);
1800#else
1801 EVP_sha1(), NULL);
1802#endif
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1803 ret=1;
1804 return(ret);
1805f_err:
1806 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1807err:
1808 return(-1);
1809 }
1810
1811int ssl3_get_cert_status(SSL *s)
1812 {
1813 int ok, al;
1814 unsigned long resplen;
1815 long n;
1816 const unsigned char *p;
1817
1818 n=s->method->ssl_get_message(s,
1819 SSL3_ST_CR_CERT_STATUS_A,
1820 SSL3_ST_CR_CERT_STATUS_B,
1821 SSL3_MT_CERTIFICATE_STATUS,
1822 16384,
1823 &ok);
1824
1825 if (!ok) return((int)n);
1826 if (n < 4)
1827 {
1828 /* need at least status type + length */
1829 al = SSL_AD_DECODE_ERROR;
1830 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1831 goto f_err;
1832 }
1833 p = (unsigned char *)s->init_msg;
1834 if (*p++ != TLSEXT_STATUSTYPE_ocsp)
1835 {
1836 al = SSL_AD_DECODE_ERROR;
1837 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE);
1838 goto f_err;
1839 }
1840 n2l3(p, resplen);
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]1841 if (resplen + 4 != (unsigned long)n)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1842 {
1843 al = SSL_AD_DECODE_ERROR;
1844 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1845 goto f_err;
1846 }
1847 if (s->tlsext_ocsp_resp)
1848 OPENSSL_free(s->tlsext_ocsp_resp);
1849 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
1850 if (!s->tlsext_ocsp_resp)
1851 {
1852 al = SSL_AD_INTERNAL_ERROR;
1853 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1854 goto f_err;
1855 }
1856 s->tlsext_ocsp_resplen = resplen;
1857 if (s->ctx->tlsext_status_cb)
1858 {
1859 int ret;
1860 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1861 if (ret == 0)
1862 {
1863 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1864 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE);
1865 goto f_err;
1866 }
1867 if (ret < 0)
1868 {
1869 al = SSL_AD_INTERNAL_ERROR;
1870 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1871 goto f_err;
1872 }
1873 }
1874 return 1;
1875f_err:
1876 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1877 return(-1);
1878 }
1879#endif
1880
1881int ssl3_get_server_done(SSL *s)
1882 {
1883 int ok,ret=0;
1884 long n;
1885
1886 n=s->method->ssl_get_message(s,
1887 SSL3_ST_CR_SRVR_DONE_A,
1888 SSL3_ST_CR_SRVR_DONE_B,
1889 SSL3_MT_SERVER_DONE,
1890 30, /* should be very small, like 0 :-) */
1891 &ok);
1892
1893 if (!ok) return((int)n);
1894 if (n > 0)
1895 {
1896 /* should contain no data */
1897 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1898 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1899 return -1;
1900 }
1901 ret=1;
1902 return(ret);
1903 }
1904
1905
1906int ssl3_send_client_key_exchange(SSL *s)
1907 {
1908 unsigned char *p,*d;
1909 int n;
1910 unsigned long l;
1911#ifndef OPENSSL_NO_RSA
1912 unsigned char *q;
1913 EVP_PKEY *pkey=NULL;
1914#endif
1915#ifndef OPENSSL_NO_KRB5
1916 KSSL_ERR kssl_err;
1917#endif /* OPENSSL_NO_KRB5 */
1918#ifndef OPENSSL_NO_ECDH
1919 EC_KEY *clnt_ecdh = NULL;
1920 const EC_POINT *srvr_ecpoint = NULL;
1921 EVP_PKEY *srvr_pub_pkey = NULL;
1922 unsigned char *encodedPoint = NULL;
1923 int encoded_pt_len = 0;
1924 BN_CTX * bn_ctx = NULL;
1925#endif
1926
1927 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1928 {
1929 d=(unsigned char *)s->init_buf->data;
1930 p= &(d[4]);
1931
1932 l=s->s3->tmp.new_cipher->algorithms;
1933
1934 /* Fool emacs indentation */
1935 if (0) {}
1936#ifndef OPENSSL_NO_RSA
1937 else if (l & SSL_kRSA)
1938 {
1939 RSA *rsa;
1940 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1941
1942 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1943 rsa=s->session->sess_cert->peer_rsa_tmp;
1944 else
1945 {
1946 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1947 if ((pkey == NULL) ||
1948 (pkey->type != EVP_PKEY_RSA) ||
1949 (pkey->pkey.rsa == NULL))
1950 {
1951 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1952 goto err;
1953 }
1954 rsa=pkey->pkey.rsa;
1955 EVP_PKEY_free(pkey);
1956 }
1957
1958 tmp_buf[0]=s->client_version>>8;
1959 tmp_buf[1]=s->client_version&0xff;
1960 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
1961 goto err;
1962
1963 s->session->master_key_length=sizeof tmp_buf;
1964
1965 q=p;
1966 /* Fix buf for TLS and beyond */
1967 if (s->version > SSL3_VERSION)
1968 p+=2;
1969 n=RSA_public_encrypt(sizeof tmp_buf,
1970 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1971#ifdef PKCS1_CHECK
1972 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1973 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1974#endif
1975 if (n <= 0)
1976 {
1977 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1978 goto err;
1979 }
1980
1981 /* Fix buf for TLS and beyond */
1982 if (s->version > SSL3_VERSION)
1983 {
1984 s2n(n,q);
1985 n+=2;
1986 }
1987
1988 s->session->master_key_length=
1989 s->method->ssl3_enc->generate_master_secret(s,
1990 s->session->master_key,
1991 tmp_buf,sizeof tmp_buf);
1992 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
1993 }
1994#endif
1995#ifndef OPENSSL_NO_KRB5
1996 else if (l & SSL_kKRB5)
1997 {
1998 krb5_error_code krb5rc;
1999 KSSL_CTX *kssl_ctx = s->kssl_ctx;
2000 /* krb5_data krb5_ap_req; */
2001 krb5_data *enc_ticket;
2002 krb5_data authenticator, *authp = NULL;
2003 EVP_CIPHER_CTX ciph_ctx;
2004 EVP_CIPHER *enc = NULL;
2005 unsigned char iv[EVP_MAX_IV_LENGTH];
2006 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2007 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2008 + EVP_MAX_IV_LENGTH];
2009 int padl, outl = sizeof(epms);
2010
2011 EVP_CIPHER_CTX_init(&ciph_ctx);
2012
2013#ifdef KSSL_DEBUG
2014 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2015 l, SSL_kKRB5);
2016#endif /* KSSL_DEBUG */
2017
2018 authp = NULL;
2019#ifdef KRB5SENDAUTH
2020 if (KRB5SENDAUTH) authp = &authenticator;
2021#endif /* KRB5SENDAUTH */
2022
2023 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
2024 &kssl_err);
2025 enc = kssl_map_enc(kssl_ctx->enctype);
2026 if (enc == NULL)
2027 goto err;
2028#ifdef KSSL_DEBUG
2029 {
2030 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2031 if (krb5rc && kssl_err.text)
2032 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2033 }
2034#endif /* KSSL_DEBUG */
2035
2036 if (krb5rc)
2037 {
2038 ssl3_send_alert(s,SSL3_AL_FATAL,
2039 SSL_AD_HANDSHAKE_FAILURE);
2040 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2041 kssl_err.reason);
2042 goto err;
2043 }
2044
2045 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2046 ** in place of RFC 2712 KerberosWrapper, as in:
2047 **
2048 ** Send ticket (copy to *p, set n = length)
2049 ** n = krb5_ap_req.length;
2050 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2051 ** if (krb5_ap_req.data)
2052 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2053 **
2054 ** Now using real RFC 2712 KerberosWrapper
2055 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
2056 ** Note: 2712 "opaque" types are here replaced
2057 ** with a 2-byte length followed by the value.
2058 ** Example:
2059 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
2060 ** Where "xx xx" = length bytes. Shown here with
2061 ** optional authenticator omitted.
2062 */
2063
2064 /* KerberosWrapper.Ticket */
2065 s2n(enc_ticket->length,p);
2066 memcpy(p, enc_ticket->data, enc_ticket->length);
2067 p+= enc_ticket->length;
2068 n = enc_ticket->length + 2;
2069
2070 /* KerberosWrapper.Authenticator */
2071 if (authp && authp->length)
2072 {
2073 s2n(authp->length,p);
2074 memcpy(p, authp->data, authp->length);
2075 p+= authp->length;
2076 n+= authp->length + 2;
2077
2078 free(authp->data);
2079 authp->data = NULL;
2080 authp->length = 0;
2081 }
2082 else
2083 {
2084 s2n(0,p);/* null authenticator length */
2085 n+=2;
2086 }
2087
2088 tmp_buf[0]=s->client_version>>8;
2089 tmp_buf[1]=s->client_version&0xff;
2090 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2091 goto err;
2092
2093 /* 20010420 VRS. Tried it this way; failed.
2094 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2095 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2096 ** kssl_ctx->length);
2097 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2098 */
2099
2100 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2101 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
2102 kssl_ctx->key,iv);
2103 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
2104 sizeof tmp_buf);
2105 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
2106 outl += padl;
2107 if (outl > sizeof epms)
2108 {
2109 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2110 goto err;
2111 }
2112 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2113
2114 /* KerberosWrapper.EncryptedPreMasterSecret */
2115 s2n(outl,p);
2116 memcpy(p, epms, outl);
2117 p+=outl;
2118 n+=outl + 2;
2119
2120 s->session->master_key_length=
2121 s->method->ssl3_enc->generate_master_secret(s,
2122 s->session->master_key,
2123 tmp_buf, sizeof tmp_buf);
2124
2125 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2126 OPENSSL_cleanse(epms, outl);
2127 }
2128#endif
2129#ifndef OPENSSL_NO_DH
2130 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2131 {
2132 DH *dh_srvr,*dh_clnt;
2133
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]2134 if (s->session->sess_cert == NULL)
2135 {
2136 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2137 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2138 goto err;
2139 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2140
2141 if (s->session->sess_cert->peer_dh_tmp != NULL)
2142 dh_srvr=s->session->sess_cert->peer_dh_tmp;
2143 else
2144 {
2145 /* we get them from the cert */
2146 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2147 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2148 goto err;
2149 }
2150
2151 /* generate a new random key */
2152 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2153 {
2154 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2155 goto err;
2156 }
2157 if (!DH_generate_key(dh_clnt))
2158 {
2159 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2160 goto err;
2161 }
2162
2163 /* use the 'p' output buffer for the DH key, but
2164 * make sure to clear it out afterwards */
2165
2166 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2167
2168 if (n <= 0)
2169 {
2170 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2171 goto err;
2172 }
2173
2174 /* generate master key from the result */
2175 s->session->master_key_length=
2176 s->method->ssl3_enc->generate_master_secret(s,
2177 s->session->master_key,p,n);
2178 /* clean up */
2179 memset(p,0,n);
2180
2181 /* send off the data */
2182 n=BN_num_bytes(dh_clnt->pub_key);
2183 s2n(n,p);
2184 BN_bn2bin(dh_clnt->pub_key,p);
2185 n+=2;
2186
2187 DH_free(dh_clnt);
2188
2189 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2190 }
2191#endif
2192
2193#ifndef OPENSSL_NO_ECDH
2194 else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
2195 {
2196 const EC_GROUP *srvr_group = NULL;
2197 EC_KEY *tkey;
2198 int ecdh_clnt_cert = 0;
2199 int field_size = 0;
2200
2201 /* Did we send out the client's
2202 * ECDH share for use in premaster
2203 * computation as part of client certificate?
2204 * If so, set ecdh_clnt_cert to 1.
2205 */
2206 if ((l & SSL_kECDH) && (s->cert != NULL))
2207 {
2208 /* XXX: For now, we do not support client
2209 * authentication using ECDH certificates.
2210 * To add such support, one needs to add
2211 * code that checks for appropriate
2212 * conditions and sets ecdh_clnt_cert to 1.
2213 * For example, the cert have an ECC
2214 * key on the same curve as the server's
2215 * and the key should be authorized for
2216 * key agreement.
2217 *
2218 * One also needs to add code in ssl3_connect
2219 * to skip sending the certificate verify
2220 * message.
2221 *
2222 * if ((s->cert->key->privatekey != NULL) &&
2223 * (s->cert->key->privatekey->type ==
2224 * EVP_PKEY_EC) && ...)
2225 * ecdh_clnt_cert = 1;
2226 */
2227 }
2228
2229 if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2230 {
2231 tkey = s->session->sess_cert->peer_ecdh_tmp;
2232 }
2233 else
2234 {
2235 /* Get the Server Public Key from Cert */
2236 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2237 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2238 if ((srvr_pub_pkey == NULL) ||
2239 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2240 (srvr_pub_pkey->pkey.ec == NULL))
2241 {
2242 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2243 ERR_R_INTERNAL_ERROR);
2244 goto err;
2245 }
2246
2247 tkey = srvr_pub_pkey->pkey.ec;
2248 }
2249
2250 srvr_group = EC_KEY_get0_group(tkey);
2251 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2252
2253 if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2254 {
2255 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2256 ERR_R_INTERNAL_ERROR);
2257 goto err;
2258 }
2259
2260 if ((clnt_ecdh=EC_KEY_new()) == NULL)
2261 {
2262 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2263 goto err;
2264 }
2265
2266 if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2267 {
2268 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2269 goto err;
2270 }
2271 if (ecdh_clnt_cert)
2272 {
2273 /* Reuse key info from our certificate
2274 * We only need our private key to perform
2275 * the ECDH computation.
2276 */
2277 const BIGNUM *priv_key;
2278 tkey = s->cert->key->privatekey->pkey.ec;
2279 priv_key = EC_KEY_get0_private_key(tkey);
2280 if (priv_key == NULL)
2281 {
2282 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2283 goto err;
2284 }
2285 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2286 {
2287 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2288 goto err;
2289 }
2290 }
2291 else
2292 {
2293 /* Generate a new ECDH key pair */
2294 if (!(EC_KEY_generate_key(clnt_ecdh)))
2295 {
2296 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2297 goto err;
2298 }
2299 }
2300
2301 /* use the 'p' output buffer for the ECDH key, but
2302 * make sure to clear it out afterwards
2303 */
2304
2305 field_size = EC_GROUP_get_degree(srvr_group);
2306 if (field_size <= 0)
2307 {
2308 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2309 ERR_R_ECDH_LIB);
2310 goto err;
2311 }
2312 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2313 if (n <= 0)
2314 {
2315 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2316 ERR_R_ECDH_LIB);
2317 goto err;
2318 }
2319
2320 /* generate master key from the result */
2321 s->session->master_key_length = s->method->ssl3_enc \
2322 -> generate_master_secret(s,
2323 s->session->master_key,
2324 p, n);
2325
2326 memset(p, 0, n); /* clean up */
2327
2328 if (ecdh_clnt_cert)
2329 {
2330 /* Send empty client key exch message */
2331 n = 0;
2332 }
2333 else
2334 {
2335 /* First check the size of encoding and
2336 * allocate memory accordingly.
2337 */
2338 encoded_pt_len =
2339 EC_POINT_point2oct(srvr_group,
2340 EC_KEY_get0_public_key(clnt_ecdh),
2341 POINT_CONVERSION_UNCOMPRESSED,
2342 NULL, 0, NULL);
2343
2344 encodedPoint = (unsigned char *)
2345 OPENSSL_malloc(encoded_pt_len *
2346 sizeof(unsigned char));
2347 bn_ctx = BN_CTX_new();
2348 if ((encodedPoint == NULL) ||
2349 (bn_ctx == NULL))
2350 {
2351 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2352 goto err;
2353 }
2354
2355 /* Encode the public key */
2356 n = EC_POINT_point2oct(srvr_group,
2357 EC_KEY_get0_public_key(clnt_ecdh),
2358 POINT_CONVERSION_UNCOMPRESSED,
2359 encodedPoint, encoded_pt_len, bn_ctx);
2360
2361 *p = n; /* length of encoded point */
2362 /* Encoded point will be copied here */
2363 p += 1;
2364 /* copy the point */
2365 memcpy((unsigned char *)p, encodedPoint, n);
2366 /* increment n to account for length field */
2367 n += 1;
2368 }
2369
2370 /* Free allocated memory */
2371 BN_CTX_free(bn_ctx);
2372 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2373 if (clnt_ecdh != NULL)
2374 EC_KEY_free(clnt_ecdh);
2375 EVP_PKEY_free(srvr_pub_pkey);
2376 }
2377#endif /* !OPENSSL_NO_ECDH */
2378 else
2379 {
2380 ssl3_send_alert(s, SSL3_AL_FATAL,
2381 SSL_AD_HANDSHAKE_FAILURE);
2382 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2383 ERR_R_INTERNAL_ERROR);
2384 goto err;
2385 }
2386
2387 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2388 l2n3(n,d);
2389
2390 s->state=SSL3_ST_CW_KEY_EXCH_B;
2391 /* number of bytes to write */
2392 s->init_num=n+4;
2393 s->init_off=0;
2394 }
2395
2396 /* SSL3_ST_CW_KEY_EXCH_B */
2397 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2398err:
2399#ifndef OPENSSL_NO_ECDH
2400 BN_CTX_free(bn_ctx);
2401 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2402 if (clnt_ecdh != NULL)
2403 EC_KEY_free(clnt_ecdh);
2404 EVP_PKEY_free(srvr_pub_pkey);
2405#endif
2406 return(-1);
2407 }
2408
2409int ssl3_send_client_verify(SSL *s)
2410 {
2411 unsigned char *p,*d;
2412 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2413 EVP_PKEY *pkey;
2414#ifndef OPENSSL_NO_RSA
2415 unsigned u=0;
2416#endif
2417 unsigned long n;
2418#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2419 int j;
2420#endif
2421
2422 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2423 {
2424 d=(unsigned char *)s->init_buf->data;
2425 p= &(d[4]);
2426 pkey=s->cert->key->privatekey;
2427
2428 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
2429 &(data[MD5_DIGEST_LENGTH]));
2430
2431#ifndef OPENSSL_NO_RSA
2432 if (pkey->type == EVP_PKEY_RSA)
2433 {
2434 s->method->ssl3_enc->cert_verify_mac(s,
2435 &(s->s3->finish_dgst1),&(data[0]));
2436 if (RSA_sign(NID_md5_sha1, data,
2437 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2438 &(p[2]), &u, pkey->pkey.rsa) <= 0 )
2439 {
2440 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
2441 goto err;
2442 }
2443 s2n(u,p);
2444 n=u+2;
2445 }
2446 else
2447#endif
2448#ifndef OPENSSL_NO_DSA
2449 if (pkey->type == EVP_PKEY_DSA)
2450 {
2451 if (!DSA_sign(pkey->save_type,
2452 &(data[MD5_DIGEST_LENGTH]),
2453 SHA_DIGEST_LENGTH,&(p[2]),
2454 (unsigned int *)&j,pkey->pkey.dsa))
2455 {
2456 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
2457 goto err;
2458 }
2459 s2n(j,p);
2460 n=j+2;
2461 }
2462 else
2463#endif
2464#ifndef OPENSSL_NO_ECDSA
2465 if (pkey->type == EVP_PKEY_EC)
2466 {
2467 if (!ECDSA_sign(pkey->save_type,
2468 &(data[MD5_DIGEST_LENGTH]),
2469 SHA_DIGEST_LENGTH,&(p[2]),
2470 (unsigned int *)&j,pkey->pkey.ec))
2471 {
2472 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2473 ERR_R_ECDSA_LIB);
2474 goto err;
2475 }
2476 s2n(j,p);
2477 n=j+2;
2478 }
2479 else
2480#endif
2481 {
2482 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
2483 goto err;
2484 }
2485 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
2486 l2n3(n,d);
2487
2488 s->state=SSL3_ST_CW_CERT_VRFY_B;
2489 s->init_num=(int)n+4;
2490 s->init_off=0;
2491 }
2492 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2493err:
2494 return(-1);
2495 }
2496
2497int ssl3_send_client_certificate(SSL *s)
2498 {
2499 X509 *x509=NULL;
2500 EVP_PKEY *pkey=NULL;
2501 int i;
2502 unsigned long l;
2503
2504 if (s->state == SSL3_ST_CW_CERT_A)
2505 {
2506 if ((s->cert == NULL) ||
2507 (s->cert->key->x509 == NULL) ||
2508 (s->cert->key->privatekey == NULL))
2509 s->state=SSL3_ST_CW_CERT_B;
2510 else
2511 s->state=SSL3_ST_CW_CERT_C;
2512 }
2513
2514 /* We need to get a client cert */
2515 if (s->state == SSL3_ST_CW_CERT_B)
2516 {
2517 /* If we get an error, we need to
2518 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2519 * We then get retied later */
2520 i=0;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]2521 i = ssl_do_client_cert_cb(s, &x509, &pkey);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2522 if (i < 0)
2523 {
2524 s->rwstate=SSL_X509_LOOKUP;
2525 return(-1);
2526 }
2527 s->rwstate=SSL_NOTHING;
2528 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2529 {
2530 s->state=SSL3_ST_CW_CERT_B;
2531 if ( !SSL_use_certificate(s,x509) ||
2532 !SSL_use_PrivateKey(s,pkey))
2533 i=0;
2534 }
2535 else if (i == 1)
2536 {
2537 i=0;
2538 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2539 }
2540
2541 if (x509 != NULL) X509_free(x509);
2542 if (pkey != NULL) EVP_PKEY_free(pkey);
2543 if (i == 0)
2544 {
2545 if (s->version == SSL3_VERSION)
2546 {
2547 s->s3->tmp.cert_req=0;
2548 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2549 return(1);
2550 }
2551 else
2552 {
2553 s->s3->tmp.cert_req=2;
2554 }
2555 }
2556
2557 /* Ok, we have a cert */
2558 s->state=SSL3_ST_CW_CERT_C;
2559 }
2560
2561 if (s->state == SSL3_ST_CW_CERT_C)
2562 {
2563 s->state=SSL3_ST_CW_CERT_D;
2564 l=ssl3_output_cert_chain(s,
2565 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
2566 s->init_num=(int)l;
2567 s->init_off=0;
2568 }
2569 /* SSL3_ST_CW_CERT_D */
2570 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2571 }
2572
2573#define has_bits(i,m) (((i)&(m)) == (m))
2574
2575int ssl3_check_cert_and_algorithm(SSL *s)
2576 {
2577 int i,idx;
2578 long algs;
2579 EVP_PKEY *pkey=NULL;
2580 SESS_CERT *sc;
2581#ifndef OPENSSL_NO_RSA
2582 RSA *rsa;
2583#endif
2584#ifndef OPENSSL_NO_DH
2585 DH *dh;
2586#endif
2587
2588 sc=s->session->sess_cert;
2589
2590 algs=s->s3->tmp.new_cipher->algorithms;
2591
2592 /* we don't have a certificate */
2593 if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
2594 return(1);
2595
2596 if (sc == NULL)
2597 {
2598 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
2599 goto err;
2600 }
2601
2602#ifndef OPENSSL_NO_RSA
2603 rsa=s->session->sess_cert->peer_rsa_tmp;
2604#endif
2605#ifndef OPENSSL_NO_DH
2606 dh=s->session->sess_cert->peer_dh_tmp;
2607#endif
2608
2609 /* This is the passed certificate */
2610
2611 idx=sc->peer_cert_type;
2612#ifndef OPENSSL_NO_ECDH
2613 if (idx == SSL_PKEY_ECC)
2614 {
2615 if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2616 s->s3->tmp.new_cipher) == 0)
2617 { /* check failed */
2618 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2619 goto f_err;
2620 }
2621 else
2622 {
2623 return 1;
2624 }
2625 }
2626#endif
2627 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2628 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2629 EVP_PKEY_free(pkey);
2630
2631
2632 /* Check that we have a certificate if we require one */
2633 if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2634 {
2635 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
2636 goto f_err;
2637 }
2638#ifndef OPENSSL_NO_DSA
2639 else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2640 {
2641 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
2642 goto f_err;
2643 }
2644#endif
2645#ifndef OPENSSL_NO_RSA
2646 if ((algs & SSL_kRSA) &&
2647 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2648 {
2649 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2650 goto f_err;
2651 }
2652#endif
2653#ifndef OPENSSL_NO_DH
2654 if ((algs & SSL_kEDH) &&
2655 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2656 {
2657 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
2658 goto f_err;
2659 }
2660 else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
2661 {
2662 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
2663 goto f_err;
2664 }
2665#ifndef OPENSSL_NO_DSA
2666 else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
2667 {
2668 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
2669 goto f_err;
2670 }
2671#endif
2672#endif
2673
2674 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
2675 {
2676#ifndef OPENSSL_NO_RSA
2677 if (algs & SSL_kRSA)
2678 {
2679 if (rsa == NULL
2680 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2681 {
2682 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2683 goto f_err;
2684 }
2685 }
2686 else
2687#endif
2688#ifndef OPENSSL_NO_DH
2689 if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2690 {
2691 if (dh == NULL
2692 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2693 {
2694 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
2695 goto f_err;
2696 }
2697 }
2698 else
2699#endif
2700 {
2701 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2702 goto f_err;
2703 }
2704 }
2705 return(1);
2706f_err:
2707 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2708err:
2709 return(0);
2710 }
2711
2712
2713#ifndef OPENSSL_NO_ECDH
2714/* This is the complement of nid2curve_id in s3_srvr.c. */
2715static int curve_id2nid(int curve_id)
2716{
2717 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2718 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2719 static int nid_list[26] =
2720 {
2721 0,
2722 NID_sect163k1, /* sect163k1 (1) */
2723 NID_sect163r1, /* sect163r1 (2) */
2724 NID_sect163r2, /* sect163r2 (3) */
2725 NID_sect193r1, /* sect193r1 (4) */
2726 NID_sect193r2, /* sect193r2 (5) */
2727 NID_sect233k1, /* sect233k1 (6) */
2728 NID_sect233r1, /* sect233r1 (7) */
2729 NID_sect239k1, /* sect239k1 (8) */
2730 NID_sect283k1, /* sect283k1 (9) */
2731 NID_sect283r1, /* sect283r1 (10) */
2732 NID_sect409k1, /* sect409k1 (11) */
2733 NID_sect409r1, /* sect409r1 (12) */
2734 NID_sect571k1, /* sect571k1 (13) */
2735 NID_sect571r1, /* sect571r1 (14) */
2736 NID_secp160k1, /* secp160k1 (15) */
2737 NID_secp160r1, /* secp160r1 (16) */
2738 NID_secp160r2, /* secp160r2 (17) */
2739 NID_secp192k1, /* secp192k1 (18) */
2740 NID_X9_62_prime192v1, /* secp192r1 (19) */
2741 NID_secp224k1, /* secp224k1 (20) */
2742 NID_secp224r1, /* secp224r1 (21) */
2743 NID_secp256k1, /* secp256k1 (22) */
2744 NID_X9_62_prime256v1, /* secp256r1 (23) */
2745 NID_secp384r1, /* secp384r1 (24) */
2746 NID_secp521r1 /* secp521r1 (25) */
2747 };
2748
2749 if ((curve_id < 1) || (curve_id > 25)) return 0;
2750
2751 return nid_list[curve_id];
2752}
2753#endif
2754
2755/* Check to see if handshake is full or resumed. Usually this is just a
2756 * case of checking to see if a cache hit has occurred. In the case of
2757 * session tickets we have to check the next message to be sure.
2758 */
2759
2760#ifndef OPENSSL_NO_TLSEXT
Brian Carlstrom98d58bb2010-03-09 09:56:55 -0800[diff] [blame]2761int ssl3_check_finished(SSL *s)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2762 {
2763 int ok;
2764 long n;
2765 /* If we have no ticket or session ID is non-zero length (a match of
2766 * a non-zero session length would never reach here) it cannot be a
2767 * resumed session.
2768 */
2769 if (!s->session->tlsext_tick || s->session->session_id_length)
2770 return 1;
2771 /* this function is called when we really expect a Certificate
2772 * message, so permit appropriate message length */
2773 n=s->method->ssl_get_message(s,
2774 SSL3_ST_CR_CERT_A,
2775 SSL3_ST_CR_CERT_B,
2776 -1,
2777 s->max_cert_list,
2778 &ok);
2779 if (!ok) return((int)n);
2780 s->s3->tmp.reuse_message = 1;
2781 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
2782 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
2783 return 2;
2784
2785 return 1;
2786 }
2787#endif
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]2788
2789int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2790 {
2791 int i = 0;
2792#ifndef OPENSSL_NO_ENGINE
2793 if (s->ctx->client_cert_engine)
2794 {
2795 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
2796 SSL_get_client_CA_list(s),
2797 px509, ppkey, NULL, NULL, NULL);
2798 if (i != 0)
2799 return i;
2800 }
2801#endif
2802 if (s->ctx->client_cert_cb)
2803 i = s->ctx->client_cert_cb(s,px509,ppkey);
2804 return i;
2805 }