OLD | NEW |
1 /* ssl/s3_srvr.c */ | 1 /* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
11 * apply to all code found in this distribution, be it the RC4, RSA, | 11 * apply to all code found in this distribution, be it the RC4, RSA, |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 * SUCH DAMAGE. | 51 * SUCH DAMAGE. |
52 * | 52 * |
53 * The licence and distribution terms for any publically available version or | 53 * The licence and distribution terms for any publically available version or |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | 54 * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 * copied and put under another distribution licence | 55 * copied and put under another distribution licence |
56 * [including the GNU Public Licence.] | 56 * [including the GNU Public Licence.] |
57 */ | 57 */ |
58 /* ==================================================================== | 58 /* ==================================================================== |
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
60 * | 60 * |
61 * Redistribution and use in source and binary forms, with or without | 61 * Redistribution and use in source and binary forms, with or without |
62 * modification, are permitted provided that the following conditions | 62 * modification, are permitted provided that the following conditions |
63 * are met: | 63 * are met: |
64 * | 64 * |
65 * 1. Redistributions of source code must retain the above copyright | 65 * 1. Redistributions of source code must retain the above copyright |
66 * notice, this list of conditions and the following disclaimer. | 66 * notice, this list of conditions and the following disclaimer. |
67 * | 67 * |
68 * 2. Redistributions in binary form must reproduce the above copyright | 68 * 2. Redistributions in binary form must reproduce the above copyright |
69 * notice, this list of conditions and the following disclaimer in | 69 * notice, this list of conditions and the following disclaimer in |
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
114 * Portions of the attached software ("Contribution") are developed by | 114 * Portions of the attached software ("Contribution") are developed by |
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. | 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. |
116 * | 116 * |
117 * The Contribution is licensed pursuant to the OpenSSL open source | 117 * The Contribution is licensed pursuant to the OpenSSL open source |
118 * license provided above. | 118 * license provided above. |
119 * | 119 * |
120 * ECC cipher suite support in OpenSSL originally written by | 120 * ECC cipher suite support in OpenSSL originally written by |
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. | 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. |
122 * | 122 * |
123 */ | 123 */ |
| 124 /* ==================================================================== |
| 125 * Copyright 2005 Nokia. All rights reserved. |
| 126 * |
| 127 * The portions of the attached software ("Contribution") is developed by |
| 128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
| 129 * license. |
| 130 * |
| 131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
| 132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
| 133 * support (see RFC 4279) to OpenSSL. |
| 134 * |
| 135 * No patent licenses or other rights except those expressly stated in |
| 136 * the OpenSSL open source license shall be deemed granted or received |
| 137 * expressly, by implication, estoppel, or otherwise. |
| 138 * |
| 139 * No assurances are provided by Nokia that the Contribution does not |
| 140 * infringe the patent or other intellectual property rights of any third |
| 141 * party or that the license provides you with all the necessary rights |
| 142 * to make use of the Contribution. |
| 143 * |
| 144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
| 145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
| 146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
| 147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
| 148 * OTHERWISE. |
| 149 */ |
124 | 150 |
125 #define REUSE_CIPHER_BUG | 151 #define REUSE_CIPHER_BUG |
126 #define NETSCAPE_HANG_BUG | 152 #define NETSCAPE_HANG_BUG |
127 | 153 |
128 #include <stdio.h> | 154 #include <stdio.h> |
129 #include "ssl_locl.h" | 155 #include "ssl_locl.h" |
130 #include "kssl_lcl.h" | 156 #include "kssl_lcl.h" |
131 #include <openssl/buffer.h> | 157 #include <openssl/buffer.h> |
132 #include <openssl/rand.h> | 158 #include <openssl/rand.h> |
133 #include <openssl/objects.h> | 159 #include <openssl/objects.h> |
134 #include <openssl/evp.h> | 160 #include <openssl/evp.h> |
135 #include <openssl/hmac.h> | 161 #include <openssl/hmac.h> |
136 #include <openssl/x509.h> | 162 #include <openssl/x509.h> |
137 #ifndef OPENSSL_NO_DH | 163 #ifndef OPENSSL_NO_DH |
138 #include <openssl/dh.h> | 164 #include <openssl/dh.h> |
139 #endif | 165 #endif |
140 #include <openssl/bn.h> | 166 #include <openssl/bn.h> |
141 #ifndef OPENSSL_NO_KRB5 | 167 #ifndef OPENSSL_NO_KRB5 |
142 #include <openssl/krb5_asn.h> | 168 #include <openssl/krb5_asn.h> |
143 #endif | 169 #endif |
144 #include <openssl/md5.h> | 170 #include <openssl/md5.h> |
145 | 171 |
146 #include "fnv1a64.h" | 172 static const SSL_METHOD *ssl3_get_server_method(int ver); |
147 | 173 |
148 static SSL_METHOD *ssl3_get_server_method(int ver); | 174 static const SSL_METHOD *ssl3_get_server_method(int ver) |
149 static int ssl3_snap_start_evaluate_handshake(SSL* s); | |
150 #ifndef OPENSSL_NO_ECDH | |
151 static int nid2curve_id(int nid); | |
152 #endif | |
153 | |
154 static SSL_METHOD *ssl3_get_server_method(int ver) | |
155 { | 175 { |
156 if (ver == SSL3_VERSION) | 176 if (ver == SSL3_VERSION) |
157 return(SSLv3_server_method()); | 177 return(SSLv3_server_method()); |
158 else | 178 else |
159 return(NULL); | 179 return(NULL); |
160 } | 180 } |
161 | 181 |
162 IMPLEMENT_ssl3_meth_func(SSLv3_server_method, | 182 IMPLEMENT_ssl3_meth_func(SSLv3_server_method, |
163 ssl3_accept, | 183 ssl3_accept, |
164 ssl_undefined_function, | 184 ssl_undefined_function, |
165 ssl3_get_server_method) | 185 ssl3_get_server_method) |
166 | 186 |
167 int ssl3_accept(SSL *s) | 187 int ssl3_accept(SSL *s) |
168 { | 188 { |
169 BUF_MEM *buf; | 189 BUF_MEM *buf; |
170 » unsigned long l,Time=(unsigned long)time(NULL); | 190 » unsigned long alg_k,Time=(unsigned long)time(NULL); |
171 void (*cb)(const SSL *ssl,int type,int val)=NULL; | 191 void (*cb)(const SSL *ssl,int type,int val)=NULL; |
172 int ret= -1; | 192 int ret= -1; |
173 int new_state,state,skip=0; | 193 int new_state,state,skip=0; |
174 | 194 |
175 RAND_add(&Time,sizeof(Time),0); | 195 RAND_add(&Time,sizeof(Time),0); |
176 ERR_clear_error(); | 196 ERR_clear_error(); |
177 clear_sys_error(); | 197 clear_sys_error(); |
178 | 198 |
179 if (s->info_callback != NULL) | 199 if (s->info_callback != NULL) |
180 cb=s->info_callback; | 200 cb=s->info_callback; |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
231 s->init_buf=buf; | 251 s->init_buf=buf; |
232 } | 252 } |
233 | 253 |
234 if (!ssl3_setup_buffers(s)) | 254 if (!ssl3_setup_buffers(s)) |
235 { | 255 { |
236 ret= -1; | 256 ret= -1; |
237 goto end; | 257 goto end; |
238 } | 258 } |
239 | 259 |
240 s->init_num=0; | 260 s->init_num=0; |
| 261 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; |
241 | 262 |
242 if (s->state != SSL_ST_RENEGOTIATE) | 263 if (s->state != SSL_ST_RENEGOTIATE) |
243 { | 264 { |
244 /* Ok, we now need to push on a buffering BIO so
that | 265 /* Ok, we now need to push on a buffering BIO so
that |
245 * the output is sent in a way that TCP likes :-
) | 266 * the output is sent in a way that TCP likes :-
) |
246 */ | 267 */ |
247 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto
end; } | 268 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto
end; } |
248 | 269 |
249 ssl3_init_finished_mac(s); | 270 ssl3_init_finished_mac(s); |
250 s->state=SSL3_ST_SR_CLNT_HELLO_A; | 271 s->state=SSL3_ST_SR_CLNT_HELLO_A; |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
288 s->state=SSL_ST_OK; | 309 s->state=SSL_ST_OK; |
289 break; | 310 break; |
290 | 311 |
291 case SSL3_ST_SR_CLNT_HELLO_A: | 312 case SSL3_ST_SR_CLNT_HELLO_A: |
292 case SSL3_ST_SR_CLNT_HELLO_B: | 313 case SSL3_ST_SR_CLNT_HELLO_B: |
293 case SSL3_ST_SR_CLNT_HELLO_C: | 314 case SSL3_ST_SR_CLNT_HELLO_C: |
294 | 315 |
295 s->shutdown=0; | 316 s->shutdown=0; |
296 ret=ssl3_get_client_hello(s); | 317 ret=ssl3_get_client_hello(s); |
297 if (ret <= 0) goto end; | 318 if (ret <= 0) goto end; |
| 319 |
298 s->new_session = 2; | 320 s->new_session = 2; |
299 s->state=SSL3_ST_SW_SRVR_HELLO_A; | 321 s->state=SSL3_ST_SW_SRVR_HELLO_A; |
300 s->init_num=0; | 322 s->init_num=0; |
301 break; | 323 break; |
302 | 324 |
303 case SSL3_ST_SW_SRVR_HELLO_A: | 325 case SSL3_ST_SW_SRVR_HELLO_A: |
304 case SSL3_ST_SW_SRVR_HELLO_B: | 326 case SSL3_ST_SW_SRVR_HELLO_B: |
305 ret=ssl3_send_server_hello(s); | 327 ret=ssl3_send_server_hello(s); |
306 if (ret == SERVER_RANDOM_VALIDATION_PENDING) | |
307 { | |
308 s->rwstate = SSL_SERVER_RANDOM_VALIDATE; | |
309 s->state = SSL3_ST_SW_SRVR_HELLO_A; | |
310 s->init_num = 0; | |
311 goto end; | |
312 } | |
313 if (ret <= 0) goto end; | 328 if (ret <= 0) goto end; |
314 #ifndef OPENSSL_NO_TLSEXT | 329 #ifndef OPENSSL_NO_TLSEXT |
315 if ((s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK)
!= SSL_kRSA && | |
316 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK)
!= SSL_kKRB5 && | |
317 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK)
!= SSL_kDHr && | |
318 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK)
!= SSL_kDHd && | |
319 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK)
!= SSL_kECDH && | |
320 s->s3->snap_start_requested) | |
321 { | |
322 /* There's no point in carrying on with a Snap | |
323 * Start handshake if we're using a cipher | |
324 * suite which is going to send a | |
325 * ServerKeyExchange message. */ | |
326 ssl3_snap_start_reset_for_recovery(s); | |
327 s->state = SSL3_ST_SW_SRVR_HELLO_A; | |
328 break; | |
329 } | |
330 | |
331 if (s->hit) | 330 if (s->hit) |
332 { | 331 { |
333 if (ssl3_snap_start_evaluate_handshake(s)) | |
334 break; | |
335 | |
336 if (s->tlsext_ticket_expected) | 332 if (s->tlsext_ticket_expected) |
337 s->state=SSL3_ST_SW_SESSION_TICKET_A; | 333 s->state=SSL3_ST_SW_SESSION_TICKET_A; |
338 else | 334 else |
339 s->state=SSL3_ST_SW_CHANGE_A; | 335 s->state=SSL3_ST_SW_CHANGE_A; |
340 } | 336 } |
341 #else | 337 #else |
342 if (s->hit) | 338 if (s->hit) |
343 s->state=SSL3_ST_SW_CHANGE_A; | 339 s->state=SSL3_ST_SW_CHANGE_A; |
344 #endif | 340 #endif |
345 else | 341 else |
346 s->state=SSL3_ST_SW_CERT_A; | 342 s->state=SSL3_ST_SW_CERT_A; |
347 s->init_num=0; | 343 s->init_num=0; |
348 break; | 344 break; |
349 | 345 |
350 case SSL3_ST_SW_CERT_A: | 346 case SSL3_ST_SW_CERT_A: |
351 case SSL3_ST_SW_CERT_B: | 347 case SSL3_ST_SW_CERT_B: |
352 » » » /* Check if it is anon DH or anon ECDH or KRB5 */ | 348 » » » /* Check if it is anon DH or anon ECDH, */ |
353 » » » if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) | 349 » » » /* normal PSK or KRB5 */ |
354 » » » » && !(s->s3->tmp.new_cipher->algorithms & SSL_aKR
B5)) | 350 » » » if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) |
| 351 » » » » && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL
_kPSK) |
| 352 » » » » && !(s->s3->tmp.new_cipher->algorithm_auth & SSL
_aKRB5)) |
355 { | 353 { |
356 ret=ssl3_send_server_certificate(s); | 354 ret=ssl3_send_server_certificate(s); |
357 if (ret <= 0) goto end; | 355 if (ret <= 0) goto end; |
358 #ifndef OPENSSL_NO_TLSEXT | 356 #ifndef OPENSSL_NO_TLSEXT |
359 if (s->tlsext_status_expected) | 357 if (s->tlsext_status_expected) |
360 s->state=SSL3_ST_SW_CERT_STATUS_A; | 358 s->state=SSL3_ST_SW_CERT_STATUS_A; |
361 else | 359 else |
362 s->state=SSL3_ST_SW_KEY_EXCH_A; | 360 s->state=SSL3_ST_SW_KEY_EXCH_A; |
363 } | 361 } |
364 else | 362 else |
365 { | 363 { |
366 skip = 1; | 364 skip = 1; |
367 s->state=SSL3_ST_SW_KEY_EXCH_A; | 365 s->state=SSL3_ST_SW_KEY_EXCH_A; |
368 } | 366 } |
369 #else | 367 #else |
370 } | 368 } |
371 else | 369 else |
372 skip=1; | 370 skip=1; |
373 | 371 |
374 s->state=SSL3_ST_SW_KEY_EXCH_A; | 372 s->state=SSL3_ST_SW_KEY_EXCH_A; |
375 #endif | 373 #endif |
376 s->init_num=0; | 374 s->init_num=0; |
377 break; | 375 break; |
378 | 376 |
379 case SSL3_ST_SW_KEY_EXCH_A: | 377 case SSL3_ST_SW_KEY_EXCH_A: |
380 case SSL3_ST_SW_KEY_EXCH_B: | 378 case SSL3_ST_SW_KEY_EXCH_B: |
381 » » » l=s->s3->tmp.new_cipher->algorithms; | 379 » » » alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
382 | 380 |
383 /* clear this, it may get reset by | 381 /* clear this, it may get reset by |
384 * send_server_key_exchange */ | 382 * send_server_key_exchange */ |
385 if ((s->options & SSL_OP_EPHEMERAL_RSA) | 383 if ((s->options & SSL_OP_EPHEMERAL_RSA) |
386 #ifndef OPENSSL_NO_KRB5 | 384 #ifndef OPENSSL_NO_KRB5 |
387 » » » » && !(l & SSL_KRB5) | 385 » » » » && !(alg_k & SSL_kKRB5) |
388 #endif /* OPENSSL_NO_KRB5 */ | 386 #endif /* OPENSSL_NO_KRB5 */ |
389 ) | 387 ) |
390 /* option SSL_OP_EPHEMERAL_RSA sends temporary R
SA key | 388 /* option SSL_OP_EPHEMERAL_RSA sends temporary R
SA key |
391 * even when forbidden by protocol specs | 389 * even when forbidden by protocol specs |
392 * (handshake may fail as clients are not requir
ed to | 390 * (handshake may fail as clients are not requir
ed to |
393 * be able to handle this) */ | 391 * be able to handle this) */ |
394 s->s3->tmp.use_rsa_tmp=1; | 392 s->s3->tmp.use_rsa_tmp=1; |
395 else | 393 else |
396 s->s3->tmp.use_rsa_tmp=0; | 394 s->s3->tmp.use_rsa_tmp=0; |
397 | 395 |
398 | 396 |
399 /* only send if a DH key exchange, fortezza or | 397 /* only send if a DH key exchange, fortezza or |
400 * RSA but we have a sign only certificate | 398 * RSA but we have a sign only certificate |
401 * | 399 * |
| 400 * PSK: may send PSK identity hints |
| 401 * |
402 * For ECC ciphersuites, we send a serverKeyExchange | 402 * For ECC ciphersuites, we send a serverKeyExchange |
403 * message only if the cipher suite is either | 403 * message only if the cipher suite is either |
404 * ECDH-anon or ECDHE. In other cases, the | 404 * ECDH-anon or ECDHE. In other cases, the |
405 » » » * server certificate contains the server's | 405 » » » * server certificate contains the server's |
406 * public key for key exchange. | 406 * public key for key exchange. |
407 */ | 407 */ |
408 if (s->s3->tmp.use_rsa_tmp | 408 if (s->s3->tmp.use_rsa_tmp |
409 » » » || (l & SSL_kECDHE) | 409 » » » /* PSK: send ServerKeyExchange if PSK identity |
410 » » » || (l & (SSL_DH|SSL_kFZA)) | 410 » » » * hint if provided */ |
411 » » » || ((l & SSL_kRSA) | 411 #ifndef OPENSSL_NO_PSK |
| 412 » » » || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) |
| 413 #endif |
| 414 » » » || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) |
| 415 » » » || (alg_k & SSL_kEECDH) |
| 416 » » » || ((alg_k & SSL_kRSA) |
412 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey
== NULL | 417 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey
== NULL |
413 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) | 418 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) |
414 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY
_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) | 419 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY
_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) |
415 ) | 420 ) |
416 ) | 421 ) |
417 ) | 422 ) |
418 ) | 423 ) |
419 { | 424 { |
420 ret=ssl3_send_server_key_exchange(s); | 425 ret=ssl3_send_server_key_exchange(s); |
421 if (ret <= 0) goto end; | 426 if (ret <= 0) goto end; |
422 } | 427 } |
423 else | 428 else |
424 skip=1; | 429 skip=1; |
425 | 430 |
426 s->state=SSL3_ST_SW_CERT_REQ_A; | 431 s->state=SSL3_ST_SW_CERT_REQ_A; |
427 s->init_num=0; | 432 s->init_num=0; |
428 break; | 433 break; |
429 | 434 |
430 case SSL3_ST_SW_CERT_REQ_A: | 435 case SSL3_ST_SW_CERT_REQ_A: |
431 case SSL3_ST_SW_CERT_REQ_B: | 436 case SSL3_ST_SW_CERT_REQ_B: |
432 if (/* don't request cert unless asked for it: */ | 437 if (/* don't request cert unless asked for it: */ |
433 !(s->verify_mode & SSL_VERIFY_PEER) || | 438 !(s->verify_mode & SSL_VERIFY_PEER) || |
434 /* if SSL_VERIFY_CLIENT_ONCE is set, | 439 /* if SSL_VERIFY_CLIENT_ONCE is set, |
435 * don't request cert during re-negotiation: */ | 440 * don't request cert during re-negotiation: */ |
436 ((s->session->peer != NULL) && | 441 ((s->session->peer != NULL) && |
437 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || | 442 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || |
438 /* never request cert in anonymous ciphersuites | 443 /* never request cert in anonymous ciphersuites |
439 * (see section "Certificate request" in SSL 3 d
rafts | 444 * (see section "Certificate request" in SSL 3 d
rafts |
440 * and in RFC 2246): */ | 445 * and in RFC 2246): */ |
441 » » » » ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
&& | 446 » » » » ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aN
ULL) && |
442 /* ... except when the application insists on v
erification | 447 /* ... except when the application insists on v
erification |
443 * (against the specs, but s3_clnt.c accepts th
is for SSL 3) */ | 448 * (against the specs, but s3_clnt.c accepts th
is for SSL 3) */ |
444 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_C
ERT)) || | 449 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_C
ERT)) || |
445 /* never request cert in Kerberos ciphersuites
*/ | 450 » » » » /* never request cert in Kerberos ciphersuites
*/ |
446 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) | 451 » » » » (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKR
B5) |
| 452 » » » » /* With normal PSK Certificates and |
| 453 » » » » * Certificate Requests are omitted */ |
| 454 » » » » || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_
kPSK)) |
447 { | 455 { |
448 /* no cert request */ | 456 /* no cert request */ |
449 skip=1; | 457 skip=1; |
450 s->s3->tmp.cert_request=0; | 458 s->s3->tmp.cert_request=0; |
451 s->state=SSL3_ST_SW_SRVR_DONE_A; | 459 s->state=SSL3_ST_SW_SRVR_DONE_A; |
452 } | 460 } |
453 else | 461 else |
454 { | 462 { |
455 s->s3->tmp.cert_request=1; | 463 s->s3->tmp.cert_request=1; |
456 ret=ssl3_send_certificate_request(s); | 464 ret=ssl3_send_certificate_request(s); |
457 if (ret <= 0) goto end; | 465 if (ret <= 0) goto end; |
458 #ifndef NETSCAPE_HANG_BUG | 466 #ifndef NETSCAPE_HANG_BUG |
459 s->state=SSL3_ST_SW_SRVR_DONE_A; | 467 s->state=SSL3_ST_SW_SRVR_DONE_A; |
460 #else | 468 #else |
461 s->state=SSL3_ST_SW_FLUSH; | 469 s->state=SSL3_ST_SW_FLUSH; |
462 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; | 470 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; |
463 #endif | 471 #endif |
464 s->init_num=0; | 472 s->init_num=0; |
465 } | 473 } |
466 break; | 474 break; |
467 | 475 |
468 case SSL3_ST_SW_SRVR_DONE_A: | 476 case SSL3_ST_SW_SRVR_DONE_A: |
469 case SSL3_ST_SW_SRVR_DONE_B: | 477 case SSL3_ST_SW_SRVR_DONE_B: |
470 ret=ssl3_send_server_done(s); | 478 ret=ssl3_send_server_done(s); |
471 if (ret <= 0) goto end; | 479 if (ret <= 0) goto end; |
472 | 480 » » » s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; |
473 » » » if (s->s3->snap_start_requested) | 481 » » » s->state=SSL3_ST_SW_FLUSH; |
474 » » » » { | |
475 » » » » if (ssl3_snap_start_evaluate_handshake(s)) | |
476 » » » » » break; | |
477 » » » » s->state = SSL3_ST_SR_CERT_A; | |
478 » » » » } | |
479 » » » else | |
480 » » » » { | |
481 » » » » » s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; | |
482 » » » » » s->state=SSL3_ST_SW_FLUSH; | |
483 » » » » } | |
484 | |
485 s->init_num=0; | 482 s->init_num=0; |
486 break; | 483 break; |
487 | 484 |
488 case SSL3_ST_SW_FLUSH: | 485 case SSL3_ST_SW_FLUSH: |
489 | 486 |
490 /* This code originally checked to see if | 487 /* This code originally checked to see if |
491 * any data was pending using BIO_CTRL_INFO | 488 * any data was pending using BIO_CTRL_INFO |
492 * and then flushed. This caused problems | 489 * and then flushed. This caused problems |
493 * as documented in PR#1939. The proposed | 490 * as documented in PR#1939. The proposed |
494 * fix doesn't completely resolve this issue | 491 * fix doesn't completely resolve this issue |
(...skipping 28 matching lines...) Expand all Loading... |
523 if (ret <= 0) goto end; | 520 if (ret <= 0) goto end; |
524 } | 521 } |
525 s->init_num=0; | 522 s->init_num=0; |
526 s->state=SSL3_ST_SR_KEY_EXCH_A; | 523 s->state=SSL3_ST_SR_KEY_EXCH_A; |
527 } | 524 } |
528 break; | 525 break; |
529 | 526 |
530 case SSL3_ST_SR_KEY_EXCH_A: | 527 case SSL3_ST_SR_KEY_EXCH_A: |
531 case SSL3_ST_SR_KEY_EXCH_B: | 528 case SSL3_ST_SR_KEY_EXCH_B: |
532 ret=ssl3_get_client_key_exchange(s); | 529 ret=ssl3_get_client_key_exchange(s); |
533 » » » if (ret <= 0) | 530 » » » if (ret <= 0) |
534 goto end; | 531 goto end; |
535 if (ret == 2) | 532 if (ret == 2) |
536 { | 533 { |
537 /* For the ECDH ciphersuites when | 534 /* For the ECDH ciphersuites when |
538 * the client sends its ECDH pub key in | 535 * the client sends its ECDH pub key in |
539 * a certificate, the CertificateVerify | 536 * a certificate, the CertificateVerify |
540 * message is not sent. | 537 * message is not sent. |
| 538 * Also for GOST ciphersuites when |
| 539 * the client uses its key from the certificate |
| 540 * for key exchange. |
541 */ | 541 */ |
| 542 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
| 543 s->state=SSL3_ST_SR_FINISHED_A; |
| 544 #else |
542 if (s->s3->next_proto_neg_seen) | 545 if (s->s3->next_proto_neg_seen) |
543 s->state=SSL3_ST_SR_NEXT_PROTO_A; | 546 s->state=SSL3_ST_SR_NEXT_PROTO_A; |
544 else | 547 else |
545 s->state=SSL3_ST_SR_FINISHED_A; | 548 s->state=SSL3_ST_SR_FINISHED_A; |
| 549 #endif |
546 s->init_num = 0; | 550 s->init_num = 0; |
547 } | 551 } |
548 » » » else | 552 » » » else |
549 { | 553 { |
| 554 int offset=0; |
| 555 int dgst_num; |
| 556 |
550 s->state=SSL3_ST_SR_CERT_VRFY_A; | 557 s->state=SSL3_ST_SR_CERT_VRFY_A; |
551 s->init_num=0; | 558 s->init_num=0; |
552 | 559 |
553 /* We need to get hashes here so if there is | 560 /* We need to get hashes here so if there is |
554 * a client cert, it can be verified | 561 * a client cert, it can be verified |
555 » » » » */ | 562 » » » » * FIXME - digest processing for CertificateVeri
fy |
556 » » » » s->method->ssl3_enc->cert_verify_mac(s, | 563 » » » » * should be generalized. But it is next step |
557 » » » » &(s->s3->finish_dgst1), | 564 » » » » */ |
558 » » » » &(s->s3->tmp.cert_verify_md[0])); | 565 » » » » if (s->s3->handshake_buffer) |
559 » » » » s->method->ssl3_enc->cert_verify_mac(s, | 566 » » » » » if (!ssl3_digest_cached_records(s)) |
560 » » » » &(s->s3->finish_dgst2), | 567 » » » » » » return -1; |
561 » » » » &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGT
H])); | 568 » » » » for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_nu
m++)» |
| 569 » » » » » if (s->s3->handshake_dgst[dgst_num]) |
| 570 » » » » » » { |
| 571 » » » » » » int dgst_size; |
| 572 |
| 573 » » » » » » s->method->ssl3_enc->cert_verify
_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify
_md[offset])); |
| 574 » » » » » » dgst_size=EVP_MD_CTX_size(s->s3-
>handshake_dgst[dgst_num]); |
| 575 » » » » » » if (dgst_size < 0) |
| 576 » » » » » » » { |
| 577 » » » » » » » ret = -1; |
| 578 » » » » » » » goto end; |
| 579 » » » » » » » } |
| 580 » » » » » » offset+=dgst_size; |
| 581 » » » » » » }» » |
562 } | 582 } |
563 break; | 583 break; |
564 | 584 |
565 case SSL3_ST_SR_CERT_VRFY_A: | 585 case SSL3_ST_SR_CERT_VRFY_A: |
566 case SSL3_ST_SR_CERT_VRFY_B: | 586 case SSL3_ST_SR_CERT_VRFY_B: |
567 | 587 |
568 /* we should decide if we expected this one */ | 588 /* we should decide if we expected this one */ |
569 ret=ssl3_get_cert_verify(s); | 589 ret=ssl3_get_cert_verify(s); |
570 if (ret <= 0) goto end; | 590 if (ret <= 0) goto end; |
571 | 591 |
| 592 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
| 593 s->state=SSL3_ST_SR_FINISHED_A; |
| 594 #else |
572 if (s->s3->next_proto_neg_seen) | 595 if (s->s3->next_proto_neg_seen) |
573 s->state=SSL3_ST_SR_NEXT_PROTO_A; | 596 s->state=SSL3_ST_SR_NEXT_PROTO_A; |
574 else | 597 else |
575 s->state=SSL3_ST_SR_FINISHED_A; | 598 s->state=SSL3_ST_SR_FINISHED_A; |
| 599 #endif |
576 s->init_num=0; | 600 s->init_num=0; |
577 break; | 601 break; |
578 | 602 |
| 603 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) |
579 case SSL3_ST_SR_NEXT_PROTO_A: | 604 case SSL3_ST_SR_NEXT_PROTO_A: |
580 case SSL3_ST_SR_NEXT_PROTO_B: | 605 case SSL3_ST_SR_NEXT_PROTO_B: |
581 ret=ssl3_get_next_proto(s); | 606 ret=ssl3_get_next_proto(s); |
582 if (ret <= 0) goto end; | 607 if (ret <= 0) goto end; |
583 s->init_num = 0; | 608 s->init_num = 0; |
584 s->state=SSL3_ST_SR_FINISHED_A; | 609 s->state=SSL3_ST_SR_FINISHED_A; |
585 break; | 610 break; |
| 611 #endif |
586 | 612 |
587 case SSL3_ST_SR_FINISHED_A: | 613 case SSL3_ST_SR_FINISHED_A: |
588 case SSL3_ST_SR_FINISHED_B: | 614 case SSL3_ST_SR_FINISHED_B: |
589 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, | 615 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, |
590 SSL3_ST_SR_FINISHED_B); | 616 SSL3_ST_SR_FINISHED_B); |
591 if (ret <= 0) goto end; | 617 if (ret <= 0) goto end; |
| 618 #ifndef OPENSSL_NO_TLSEXT |
| 619 if (s->tlsext_ticket_expected) |
| 620 s->state=SSL3_ST_SW_SESSION_TICKET_A; |
| 621 else if (s->hit) |
| 622 s->state=SSL_ST_OK; |
| 623 #else |
592 if (s->hit) | 624 if (s->hit) |
593 s->state=SSL_ST_OK; | 625 s->state=SSL_ST_OK; |
594 #ifndef OPENSSL_NO_TLSEXT | |
595 else if (s->tlsext_ticket_expected) | |
596 s->state=SSL3_ST_SW_SESSION_TICKET_A; | |
597 #endif | 626 #endif |
598 else | 627 else |
599 s->state=SSL3_ST_SW_CHANGE_A; | 628 s->state=SSL3_ST_SW_CHANGE_A; |
600 s->init_num=0; | 629 s->init_num=0; |
601 break; | 630 break; |
602 | 631 |
603 #ifndef OPENSSL_NO_TLSEXT | 632 #ifndef OPENSSL_NO_TLSEXT |
604 case SSL3_ST_SW_SESSION_TICKET_A: | 633 case SSL3_ST_SW_SESSION_TICKET_A: |
605 case SSL3_ST_SW_SESSION_TICKET_B: | 634 case SSL3_ST_SW_SESSION_TICKET_B: |
606 ret=ssl3_send_newsession_ticket(s); | 635 ret=ssl3_send_newsession_ticket(s); |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
645 case SSL3_ST_SW_FINISHED_A: | 674 case SSL3_ST_SW_FINISHED_A: |
646 case SSL3_ST_SW_FINISHED_B: | 675 case SSL3_ST_SW_FINISHED_B: |
647 ret=ssl3_send_finished(s, | 676 ret=ssl3_send_finished(s, |
648 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, | 677 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, |
649 s->method->ssl3_enc->server_finished_label, | 678 s->method->ssl3_enc->server_finished_label, |
650 s->method->ssl3_enc->server_finished_label_len); | 679 s->method->ssl3_enc->server_finished_label_len); |
651 if (ret <= 0) goto end; | 680 if (ret <= 0) goto end; |
652 s->state=SSL3_ST_SW_FLUSH; | 681 s->state=SSL3_ST_SW_FLUSH; |
653 if (s->hit) | 682 if (s->hit) |
654 { | 683 { |
| 684 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
| 685 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; |
| 686 #else |
655 if (s->s3->next_proto_neg_seen) | 687 if (s->s3->next_proto_neg_seen) |
656 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PR
OTO_A; | 688 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PR
OTO_A; |
657 else | 689 else |
658 s->s3->tmp.next_state=SSL3_ST_SR_FINISHE
D_A; | 690 s->s3->tmp.next_state=SSL3_ST_SR_FINISHE
D_A; |
| 691 #endif |
659 } | 692 } |
660 else | 693 else |
661 s->s3->tmp.next_state=SSL_ST_OK; | 694 s->s3->tmp.next_state=SSL_ST_OK; |
662 s->init_num=0; | 695 s->init_num=0; |
663 break; | 696 break; |
664 | 697 |
665 case SSL_ST_OK: | 698 case SSL_ST_OK: |
666 /* clean a few things up */ | 699 /* clean a few things up */ |
667 ssl3_cleanup_key_block(s); | 700 ssl3_cleanup_key_block(s); |
668 | 701 |
(...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
749 | 782 |
750 /* SSL3_ST_SW_HELLO_REQ_B */ | 783 /* SSL3_ST_SW_HELLO_REQ_B */ |
751 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 784 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
752 } | 785 } |
753 | 786 |
754 int ssl3_check_client_hello(SSL *s) | 787 int ssl3_check_client_hello(SSL *s) |
755 { | 788 { |
756 int ok; | 789 int ok; |
757 long n; | 790 long n; |
758 | 791 |
| 792 /* We only allow the client to restart the handshake once per |
| 793 * negotiation. */ |
| 794 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) |
| 795 { |
| 796 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTART
S); |
| 797 return -1; |
| 798 } |
| 799 |
759 /* this function is called when we really expect a Certificate message, | 800 /* this function is called when we really expect a Certificate message, |
760 * so permit appropriate message length */ | 801 * so permit appropriate message length */ |
761 n=s->method->ssl_get_message(s, | 802 n=s->method->ssl_get_message(s, |
762 SSL3_ST_SR_CERT_A, | 803 SSL3_ST_SR_CERT_A, |
763 SSL3_ST_SR_CERT_B, | 804 SSL3_ST_SR_CERT_B, |
764 -1, | 805 -1, |
765 s->max_cert_list, | 806 s->max_cert_list, |
766 &ok); | 807 &ok); |
767 if (!ok) return((int)n); | 808 if (!ok) return((int)n); |
768 s->s3->tmp.reuse_message = 1; | 809 s->s3->tmp.reuse_message = 1; |
769 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) | 810 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) |
770 { | 811 { |
771 /* Throw away what we have done so far in the current handshake, | 812 /* Throw away what we have done so far in the current handshake, |
772 » » * which will now be aborted. (A full SSL_clear would be too muc
h.) | 813 » » * which will now be aborted. (A full SSL_clear would be too muc
h.) */ |
773 » » * I hope that tmp.dh is the only thing that may need to be clea
red | |
774 » » * when a handshake is not completed ... */ | |
775 #ifndef OPENSSL_NO_DH | 814 #ifndef OPENSSL_NO_DH |
776 if (s->s3->tmp.dh != NULL) | 815 if (s->s3->tmp.dh != NULL) |
777 { | 816 { |
778 DH_free(s->s3->tmp.dh); | 817 DH_free(s->s3->tmp.dh); |
779 s->s3->tmp.dh = NULL; | 818 s->s3->tmp.dh = NULL; |
780 } | 819 } |
781 #endif | 820 #endif |
| 821 #ifndef OPENSSL_NO_ECDH |
| 822 if (s->s3->tmp.ecdh != NULL) |
| 823 { |
| 824 EC_KEY_free(s->s3->tmp.ecdh); |
| 825 s->s3->tmp.ecdh = NULL; |
| 826 } |
| 827 #endif |
| 828 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; |
782 return 2; | 829 return 2; |
783 } | 830 } |
784 return 1; | 831 return 1; |
785 } | 832 } |
786 | 833 |
787 int ssl3_get_client_hello(SSL *s) | 834 int ssl3_get_client_hello(SSL *s) |
788 { | 835 { |
789 int i,j,ok,al,ret= -1; | 836 int i,j,ok,al,ret= -1; |
790 unsigned int cookie_len; | 837 unsigned int cookie_len; |
791 long n; | 838 long n; |
(...skipping 29 matching lines...) Expand all Loading... |
821 | 868 |
822 /* use version from inside client hello, not from record header | 869 /* use version from inside client hello, not from record header |
823 * (may differ: see RFC 2246, Appendix E, second paragraph) */ | 870 * (may differ: see RFC 2246, Appendix E, second paragraph) */ |
824 s->client_version=(((int)p[0])<<8)|(int)p[1]; | 871 s->client_version=(((int)p[0])<<8)|(int)p[1]; |
825 p+=2; | 872 p+=2; |
826 | 873 |
827 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || | 874 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || |
828 (s->version != DTLS1_VERSION && s->client_version < s->version)) | 875 (s->version != DTLS1_VERSION && s->client_version < s->version)) |
829 { | 876 { |
830 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); | 877 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); |
831 » » if ((s->client_version>>8) == SSL3_VERSION_MAJOR) | 878 » » if ((s->client_version>>8) == SSL3_VERSION_MAJOR) |
832 { | 879 { |
833 /* similar to ssl3_get_record, send alert using remote v
ersion number */ | 880 /* similar to ssl3_get_record, send alert using remote v
ersion number */ |
834 s->version = s->client_version; | 881 s->version = s->client_version; |
835 } | 882 } |
836 al = SSL_AD_PROTOCOL_VERSION; | 883 al = SSL_AD_PROTOCOL_VERSION; |
837 goto f_err; | 884 goto f_err; |
838 } | 885 } |
839 | 886 |
840 /* If we require cookies and this ClientHello doesn't | 887 /* If we require cookies and this ClientHello doesn't |
841 * contain one, just return since we do not want to | 888 * contain one, just return since we do not want to |
(...skipping 21 matching lines...) Expand all Loading... |
863 /* Versions before 0.9.7 always allow session reuse during renegotiation | 910 /* Versions before 0.9.7 always allow session reuse during renegotiation |
864 * (i.e. when s->new_session is true), option | 911 * (i.e. when s->new_session is true), option |
865 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. | 912 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. |
866 * Maybe this optional behaviour should always have been the default, | 913 * Maybe this optional behaviour should always have been the default, |
867 * but we cannot safely change the default behaviour (or new application
s | 914 * but we cannot safely change the default behaviour (or new application
s |
868 * might be written that become totally unsecure when compiled with | 915 * might be written that become totally unsecure when compiled with |
869 * an earlier library version) | 916 * an earlier library version) |
870 */ | 917 */ |
871 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_REN
EGOTIATION))) | 918 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_REN
EGOTIATION))) |
872 { | 919 { |
| 920 if (!s->session_creation_enabled) |
| 921 { |
| 922 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE
); |
| 923 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT
_BE_CREATED); |
| 924 goto err; |
| 925 } |
873 if (!ssl_get_new_session(s,1)) | 926 if (!ssl_get_new_session(s,1)) |
874 goto err; | 927 goto err; |
875 } | 928 } |
876 else | 929 else |
877 { | 930 { |
878 i=ssl_get_prev_session(s, p, j, d + n); | 931 i=ssl_get_prev_session(s, p, j, d + n); |
879 if (i == 1) | 932 if (i == 1) |
880 { /* previous session */ | 933 { /* previous session */ |
881 s->hit=1; | 934 s->hit=1; |
882 } | 935 } |
883 else if (i == -1) | 936 else if (i == -1) |
884 goto err; | 937 goto err; |
885 else /* i == 0 */ | 938 else /* i == 0 */ |
886 { | 939 { |
| 940 if (!s->session_creation_enabled) |
| 941 { |
| 942 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE
_FAILURE); |
| 943 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION
_MAY_NOT_BE_CREATED); |
| 944 goto err; |
| 945 } |
887 if (!ssl_get_new_session(s,1)) | 946 if (!ssl_get_new_session(s,1)) |
888 goto err; | 947 goto err; |
889 } | 948 } |
890 } | 949 } |
891 | 950 |
892 p+=j; | 951 p+=j; |
893 | 952 |
894 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) | 953 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) |
895 { | 954 { |
896 /* cookie stuff */ | 955 /* cookie stuff */ |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
979 #ifdef CIPHER_DEBUG | 1038 #ifdef CIPHER_DEBUG |
980 printf("client [%2d of %2d]:%s\n", | 1039 printf("client [%2d of %2d]:%s\n", |
981 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); | 1040 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); |
982 #endif | 1041 #endif |
983 if (c->id == id) | 1042 if (c->id == id) |
984 { | 1043 { |
985 j=1; | 1044 j=1; |
986 break; | 1045 break; |
987 } | 1046 } |
988 } | 1047 } |
| 1048 /* Disabled because it can be used in a ciphersuite downgrade |
| 1049 * attack: CVE-2010-4180. |
| 1050 */ |
| 1051 #if 0 |
989 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_
BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) | 1052 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_
BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) |
990 { | 1053 { |
991 /* Special case as client bug workaround: the previously
used cipher may | 1054 /* Special case as client bug workaround: the previously
used cipher may |
992 * not be in the current list, the client instead might
be trying to | 1055 * not be in the current list, the client instead might
be trying to |
993 * continue using a cipher that before wasn't chosen due
to server | 1056 * continue using a cipher that before wasn't chosen due
to server |
994 * preferences. We'll have to reject the connection if
the cipher is not | 1057 * preferences. We'll have to reject the connection if
the cipher is not |
995 * enabled, though. */ | 1058 * enabled, though. */ |
996 c = sk_SSL_CIPHER_value(ciphers, 0); | 1059 c = sk_SSL_CIPHER_value(ciphers, 0); |
997 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) | 1060 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) |
998 { | 1061 { |
999 s->session->cipher = c; | 1062 s->session->cipher = c; |
1000 j = 1; | 1063 j = 1; |
1001 } | 1064 } |
1002 } | 1065 } |
| 1066 #endif |
1003 if (j == 0) | 1067 if (j == 0) |
1004 { | 1068 { |
1005 /* we need to have the cipher in the cipher | 1069 /* we need to have the cipher in the cipher |
1006 * list if we are asked to reuse it */ | 1070 * list if we are asked to reuse it */ |
1007 al=SSL_AD_ILLEGAL_PARAMETER; | 1071 al=SSL_AD_ILLEGAL_PARAMETER; |
1008 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER
_MISSING); | 1072 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER
_MISSING); |
1009 goto f_err; | 1073 goto f_err; |
1010 } | 1074 } |
1011 } | 1075 } |
1012 | 1076 |
(...skipping 29 matching lines...) Expand all Loading... |
1042 { | 1106 { |
1043 /* 'al' set by ssl_parse_clienthello_tlsext */ | 1107 /* 'al' set by ssl_parse_clienthello_tlsext */ |
1044 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); | 1108 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); |
1045 goto f_err; | 1109 goto f_err; |
1046 } | 1110 } |
1047 } | 1111 } |
1048 if (ssl_check_clienthello_tlsext(s) <= 0) { | 1112 if (ssl_check_clienthello_tlsext(s) <= 0) { |
1049 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLS
EXT); | 1113 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLS
EXT); |
1050 goto err; | 1114 goto err; |
1051 } | 1115 } |
| 1116 |
| 1117 /* Check if we want to use external pre-shared secret for this |
| 1118 * handshake for not reused session only. We need to generate |
| 1119 * server_random before calling tls_session_secret_cb in order to allow |
| 1120 * SessionTicket processing to use it in key derivation. */ |
| 1121 { |
| 1122 unsigned long Time; |
| 1123 unsigned char *pos; |
| 1124 Time=(unsigned long)time(NULL); /* Time */ |
| 1125 pos=s->s3->server_random; |
| 1126 l2n(Time,pos); |
| 1127 if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) |
| 1128 { |
| 1129 al=SSL_AD_INTERNAL_ERROR; |
| 1130 goto f_err; |
| 1131 } |
| 1132 } |
| 1133 |
| 1134 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) |
| 1135 { |
| 1136 SSL_CIPHER *pref_cipher=NULL; |
| 1137 |
| 1138 s->session->master_key_length=sizeof(s->session->master_key); |
| 1139 if(s->tls_session_secret_cb(s, s->session->master_key, &s->sessi
on->master_key_length, |
| 1140 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) |
| 1141 { |
| 1142 s->hit=1; |
| 1143 s->session->ciphers=ciphers; |
| 1144 s->session->verify_result=X509_V_OK; |
| 1145 |
| 1146 ciphers=NULL; |
| 1147 |
| 1148 /* check if some cipher was preferred by call back */ |
| 1149 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_ciph
er(s, s->session->ciphers, SSL_get_ciphers(s)); |
| 1150 if (pref_cipher == NULL) |
| 1151 { |
| 1152 al=SSL_AD_HANDSHAKE_FAILURE; |
| 1153 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHAR
ED_CIPHER); |
| 1154 goto f_err; |
| 1155 } |
| 1156 |
| 1157 s->session->cipher=pref_cipher; |
| 1158 |
| 1159 if (s->cipher_list) |
| 1160 sk_SSL_CIPHER_free(s->cipher_list); |
| 1161 |
| 1162 if (s->cipher_list_by_id) |
| 1163 sk_SSL_CIPHER_free(s->cipher_list_by_id); |
| 1164 |
| 1165 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); |
| 1166 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->cip
hers); |
| 1167 } |
| 1168 } |
1052 #endif | 1169 #endif |
| 1170 |
1053 /* Worst case, we will use the NULL compression, but if we have other | 1171 /* Worst case, we will use the NULL compression, but if we have other |
1054 * options, we will now look for them. We have i-1 compression | 1172 * options, we will now look for them. We have i-1 compression |
1055 * algorithms from the client, starting at q. */ | 1173 * algorithms from the client, starting at q. */ |
1056 s->s3->tmp.new_compression=NULL; | 1174 s->s3->tmp.new_compression=NULL; |
1057 #ifndef OPENSSL_NO_COMP | 1175 #ifndef OPENSSL_NO_COMP |
1058 » if (s->ctx->comp_methods != NULL) | 1176 » /* This only happens if we have a cache hit */ |
| 1177 » if (s->session->compress_meth != 0) |
| 1178 » » { |
| 1179 » » int m, comp_id = s->session->compress_meth; |
| 1180 » » /* Perform sanity checks on resumed compression algorithm */ |
| 1181 » » /* Can't disable compression */ |
| 1182 » » if (s->options & SSL_OP_NO_COMPRESSION) |
| 1183 » » » { |
| 1184 » » » al=SSL_AD_INTERNAL_ERROR; |
| 1185 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_CO
MPRESSION); |
| 1186 » » » goto f_err; |
| 1187 » » » } |
| 1188 » » /* Look for resumed compression method */ |
| 1189 » » for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) |
| 1190 » » » { |
| 1191 » » » comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); |
| 1192 » » » if (comp_id == comp->id) |
| 1193 » » » » { |
| 1194 » » » » s->s3->tmp.new_compression=comp; |
| 1195 » » » » break; |
| 1196 » » » » } |
| 1197 » » » } |
| 1198 » » if (s->s3->tmp.new_compression == NULL) |
| 1199 » » » { |
| 1200 » » » al=SSL_AD_INTERNAL_ERROR; |
| 1201 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRES
SION_ALGORITHM); |
| 1202 » » » goto f_err; |
| 1203 » » » } |
| 1204 » » /* Look for resumed method in compression list */ |
| 1205 » » for (m = 0; m < i; m++) |
| 1206 » » » { |
| 1207 » » » if (q[m] == comp_id) |
| 1208 » » » » break; |
| 1209 » » » } |
| 1210 » » if (m >= i) |
| 1211 » » » { |
| 1212 » » » al=SSL_AD_ILLEGAL_PARAMETER; |
| 1213 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRE
SSSION_ALGORITHM_MISSING); |
| 1214 » » » goto f_err; |
| 1215 » » » } |
| 1216 » » } |
| 1217 » else if (s->hit) |
| 1218 » » comp = NULL; |
| 1219 » else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) |
1059 { /* See if we have a match */ | 1220 { /* See if we have a match */ |
1060 int m,nn,o,v,done=0; | 1221 int m,nn,o,v,done=0; |
1061 | 1222 |
1062 nn=sk_SSL_COMP_num(s->ctx->comp_methods); | 1223 nn=sk_SSL_COMP_num(s->ctx->comp_methods); |
1063 for (m=0; m<nn; m++) | 1224 for (m=0; m<nn; m++) |
1064 { | 1225 { |
1065 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); | 1226 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); |
1066 v=comp->id; | 1227 v=comp->id; |
1067 for (o=0; o<i; o++) | 1228 for (o=0; o<i; o++) |
1068 { | 1229 { |
1069 if (v == q[o]) | 1230 if (v == q[o]) |
1070 { | 1231 { |
1071 done=1; | 1232 done=1; |
1072 break; | 1233 break; |
1073 } | 1234 } |
1074 } | 1235 } |
1075 if (done) break; | 1236 if (done) break; |
1076 } | 1237 } |
1077 if (done) | 1238 if (done) |
1078 s->s3->tmp.new_compression=comp; | 1239 s->s3->tmp.new_compression=comp; |
1079 else | 1240 else |
1080 comp=NULL; | 1241 comp=NULL; |
1081 } | 1242 } |
1082 #endif | 1243 #else |
1083 | 1244 » /* If compression is disabled we'd better not try to resume a session |
1084 » /* TLS does not mind if there is extra stuff */ | 1245 » * using compression. |
1085 #if 0 /* SSL 3.0 does not mind either, so we should disable this test | 1246 » */ |
1086 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, | 1247 » if (s->session->compress_meth != 0) |
1087 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) *
/ | |
1088 » if (s->version == SSL3_VERSION) | |
1089 { | 1248 { |
1090 » » if (p < (d+n)) | 1249 » » al=SSL_AD_INTERNAL_ERROR; |
1091 » » » { | 1250 » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSIO
N); |
1092 » » » /* wrong number of bytes, | 1251 » » goto f_err; |
1093 » » » * there could be more to follow */ | |
1094 » » » al=SSL_AD_DECODE_ERROR; | |
1095 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH
); | |
1096 » » » goto f_err; | |
1097 » » » } | |
1098 } | 1252 } |
1099 #endif | 1253 #endif |
1100 | 1254 |
1101 /* Given s->session->ciphers and SSL_get_ciphers, we must | 1255 /* Given s->session->ciphers and SSL_get_ciphers, we must |
1102 * pick a cipher */ | 1256 * pick a cipher */ |
1103 | 1257 |
1104 if (!s->hit) | 1258 if (!s->hit) |
1105 { | 1259 { |
1106 #ifdef OPENSSL_NO_COMP | 1260 #ifdef OPENSSL_NO_COMP |
1107 s->session->compress_meth=0; | 1261 s->session->compress_meth=0; |
(...skipping 28 matching lines...) Expand all Loading... |
1136 STACK_OF(SSL_CIPHER) *sk; | 1290 STACK_OF(SSL_CIPHER) *sk; |
1137 SSL_CIPHER *nc=NULL; | 1291 SSL_CIPHER *nc=NULL; |
1138 SSL_CIPHER *ec=NULL; | 1292 SSL_CIPHER *ec=NULL; |
1139 | 1293 |
1140 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) | 1294 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) |
1141 { | 1295 { |
1142 sk=s->session->ciphers; | 1296 sk=s->session->ciphers; |
1143 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) | 1297 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) |
1144 { | 1298 { |
1145 c=sk_SSL_CIPHER_value(sk,i); | 1299 c=sk_SSL_CIPHER_value(sk,i); |
1146 » » » » if (c->algorithms & SSL_eNULL) | 1300 » » » » if (c->algorithm_enc & SSL_eNULL) |
1147 nc=c; | 1301 nc=c; |
1148 if (SSL_C_IS_EXPORT(c)) | 1302 if (SSL_C_IS_EXPORT(c)) |
1149 ec=c; | 1303 ec=c; |
1150 } | 1304 } |
1151 if (nc != NULL) | 1305 if (nc != NULL) |
1152 s->s3->tmp.new_cipher=nc; | 1306 s->s3->tmp.new_cipher=nc; |
1153 else if (ec != NULL) | 1307 else if (ec != NULL) |
1154 s->s3->tmp.new_cipher=ec; | 1308 s->s3->tmp.new_cipher=ec; |
1155 else | 1309 else |
1156 s->s3->tmp.new_cipher=s->session->cipher; | 1310 s->s3->tmp.new_cipher=s->session->cipher; |
1157 } | 1311 } |
1158 else | 1312 else |
1159 #endif | 1313 #endif |
1160 s->s3->tmp.new_cipher=s->session->cipher; | 1314 s->s3->tmp.new_cipher=s->session->cipher; |
1161 } | 1315 } |
| 1316 |
| 1317 if (!ssl3_digest_cached_records(s)) |
| 1318 goto f_err; |
1162 | 1319 |
1163 /* we now have the following setup. | 1320 /* we now have the following setup. |
1164 * client_random | 1321 * client_random |
1165 * cipher_list - our prefered list of ciphers | 1322 * cipher_list - our prefered list of ciphers |
1166 * ciphers - the clients prefered list of ciphers | 1323 * ciphers - the clients prefered list of ciphers |
1167 * compression - basically ignored right now | 1324 * compression - basically ignored right now |
1168 * ssl version is set - sslv3 | 1325 * ssl version is set - sslv3 |
1169 * s->session - The ssl session has been setup. | 1326 * s->session - The ssl session has been setup. |
1170 * s->hit - session reuse flag | 1327 * s->hit - session reuse flag |
1171 * s->tmp.new_cipher - the new cipher to use. | 1328 * s->tmp.new_cipher - the new cipher to use. |
1172 */ | 1329 */ |
1173 | 1330 |
1174 if (ret < 0) ret=1; | 1331 if (ret < 0) ret=1; |
1175 if (0) | 1332 if (0) |
1176 { | 1333 { |
1177 f_err: | 1334 f_err: |
1178 ssl3_send_alert(s,SSL3_AL_FATAL,al); | 1335 ssl3_send_alert(s,SSL3_AL_FATAL,al); |
1179 } | 1336 } |
1180 err: | 1337 err: |
1181 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); | 1338 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); |
1182 return(ret); | 1339 return(ret); |
1183 } | 1340 } |
1184 | 1341 |
1185 int ssl3_send_server_hello(SSL *s) | 1342 int ssl3_send_server_hello(SSL *s) |
1186 { | 1343 { |
1187 unsigned char *buf; | 1344 unsigned char *buf; |
1188 unsigned char *p,*d; | 1345 unsigned char *p,*d; |
1189 int i,sl; | 1346 int i,sl; |
1190 » unsigned long l,Time; | 1347 » unsigned long l; |
| 1348 #ifdef OPENSSL_NO_TLSEXT |
| 1349 » unsigned long Time; |
| 1350 #endif |
1191 | 1351 |
1192 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) | 1352 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) |
1193 { | 1353 { |
1194 buf=(unsigned char *)s->init_buf->data; | 1354 buf=(unsigned char *)s->init_buf->data; |
1195 » » if (!s->s3->snap_start_requested) | 1355 #ifdef OPENSSL_NO_TLSEXT |
1196 » » » { | 1356 » » p=s->s3->server_random; |
1197 » » » p=s->s3->server_random; | 1357 » » /* Generate server_random if it was not needed previously */ |
1198 » » » Time=(unsigned long)time(NULL);»» » /* Time
*/ | 1358 » » Time=(unsigned long)time(NULL);»» » /* Time */ |
1199 » » » l2n(Time,p); | 1359 » » l2n(Time,p); |
1200 » » » if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) | 1360 » » if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) |
1201 » » » » return -1; | 1361 » » » return -1; |
1202 » » » } | 1362 #endif |
1203 » » else if (s->s3->server_random_suggestion_valid == 0) | |
1204 » » » { | |
1205 » » » return SERVER_RANDOM_VALIDATION_PENDING; | |
1206 » » » } | |
1207 | |
1208 /* Do the message type and length last */ | 1363 /* Do the message type and length last */ |
1209 d=p= &(buf[4]); | 1364 d=p= &(buf[4]); |
1210 | 1365 |
1211 *(p++)=s->version>>8; | 1366 *(p++)=s->version>>8; |
1212 *(p++)=s->version&0xff; | 1367 *(p++)=s->version&0xff; |
1213 | 1368 |
1214 /* Random stuff */ | 1369 /* Random stuff */ |
1215 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); | 1370 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); |
1216 p+=SSL3_RANDOM_SIZE; | 1371 p+=SSL3_RANDOM_SIZE; |
1217 | 1372 |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1251 /* put the compression method */ | 1406 /* put the compression method */ |
1252 #ifdef OPENSSL_NO_COMP | 1407 #ifdef OPENSSL_NO_COMP |
1253 *(p++)=0; | 1408 *(p++)=0; |
1254 #else | 1409 #else |
1255 if (s->s3->tmp.new_compression == NULL) | 1410 if (s->s3->tmp.new_compression == NULL) |
1256 *(p++)=0; | 1411 *(p++)=0; |
1257 else | 1412 else |
1258 *(p++)=s->s3->tmp.new_compression->id; | 1413 *(p++)=s->s3->tmp.new_compression->id; |
1259 #endif | 1414 #endif |
1260 #ifndef OPENSSL_NO_TLSEXT | 1415 #ifndef OPENSSL_NO_TLSEXT |
| 1416 if (ssl_prepare_serverhello_tlsext(s) <= 0) |
| 1417 { |
| 1418 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TL
SEXT); |
| 1419 return -1; |
| 1420 } |
1261 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_
LENGTH)) == NULL) | 1421 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_
LENGTH)) == NULL) |
1262 { | 1422 { |
1263 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR
); | 1423 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR
); |
1264 return -1; | 1424 return -1; |
1265 } | 1425 } |
1266 #endif | 1426 #endif |
1267 /* do the header */ | 1427 /* do the header */ |
1268 l=(p-d); | 1428 l=(p-d); |
1269 d=buf; | 1429 d=buf; |
1270 *(d++)=SSL3_MT_SERVER_HELLO; | 1430 *(d++)=SSL3_MT_SERVER_HELLO; |
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1330 int n; | 1490 int n; |
1331 CERT *cert; | 1491 CERT *cert; |
1332 BIGNUM *r[4]; | 1492 BIGNUM *r[4]; |
1333 int nr[4],kn; | 1493 int nr[4],kn; |
1334 BUF_MEM *buf; | 1494 BUF_MEM *buf; |
1335 EVP_MD_CTX md_ctx; | 1495 EVP_MD_CTX md_ctx; |
1336 | 1496 |
1337 EVP_MD_CTX_init(&md_ctx); | 1497 EVP_MD_CTX_init(&md_ctx); |
1338 if (s->state == SSL3_ST_SW_KEY_EXCH_A) | 1498 if (s->state == SSL3_ST_SW_KEY_EXCH_A) |
1339 { | 1499 { |
1340 » » type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; | 1500 » » type=s->s3->tmp.new_cipher->algorithm_mkey; |
1341 cert=s->cert; | 1501 cert=s->cert; |
1342 | 1502 |
1343 buf=s->init_buf; | 1503 buf=s->init_buf; |
1344 | 1504 |
1345 r[0]=r[1]=r[2]=r[3]=NULL; | 1505 r[0]=r[1]=r[2]=r[3]=NULL; |
1346 n=0; | 1506 n=0; |
1347 #ifndef OPENSSL_NO_RSA | 1507 #ifndef OPENSSL_NO_RSA |
1348 if (type & SSL_kRSA) | 1508 if (type & SSL_kRSA) |
1349 { | 1509 { |
1350 rsa=cert->rsa_tmp; | 1510 rsa=cert->rsa_tmp; |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1384 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip
her)); | 1544 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip
her)); |
1385 if (dhp == NULL) | 1545 if (dhp == NULL) |
1386 { | 1546 { |
1387 al=SSL_AD_HANDSHAKE_FAILURE; | 1547 al=SSL_AD_HANDSHAKE_FAILURE; |
1388 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_MISSING_TMP_DH_KEY); | 1548 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_MISSING_TMP_DH_KEY); |
1389 goto f_err; | 1549 goto f_err; |
1390 } | 1550 } |
1391 | 1551 |
1392 if (s->s3->tmp.dh != NULL) | 1552 if (s->s3->tmp.dh != NULL) |
1393 { | 1553 { |
1394 DH_free(dh); | |
1395 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_
R_INTERNAL_ERROR); | 1554 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_
R_INTERNAL_ERROR); |
1396 goto err; | 1555 goto err; |
1397 } | 1556 } |
1398 | 1557 |
1399 if ((dh=DHparams_dup(dhp)) == NULL) | 1558 if ((dh=DHparams_dup(dhp)) == NULL) |
1400 { | 1559 { |
1401 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R
_DH_LIB); | 1560 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R
_DH_LIB); |
1402 goto err; | 1561 goto err; |
1403 } | 1562 } |
1404 | 1563 |
(...skipping 20 matching lines...) Expand all Loading... |
1425 goto err; | 1584 goto err; |
1426 } | 1585 } |
1427 } | 1586 } |
1428 r[0]=dh->p; | 1587 r[0]=dh->p; |
1429 r[1]=dh->g; | 1588 r[1]=dh->g; |
1430 r[2]=dh->pub_key; | 1589 r[2]=dh->pub_key; |
1431 } | 1590 } |
1432 else | 1591 else |
1433 #endif | 1592 #endif |
1434 #ifndef OPENSSL_NO_ECDH | 1593 #ifndef OPENSSL_NO_ECDH |
1435 » » » if (type & SSL_kECDHE) | 1594 » » » if (type & SSL_kEECDH) |
1436 { | 1595 { |
1437 const EC_GROUP *group; | 1596 const EC_GROUP *group; |
1438 | 1597 |
1439 ecdhp=cert->ecdh_tmp; | 1598 ecdhp=cert->ecdh_tmp; |
1440 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) | 1599 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) |
1441 { | 1600 { |
1442 ecdhp=s->cert->ecdh_tmp_cb(s, | 1601 ecdhp=s->cert->ecdh_tmp_cb(s, |
1443 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), | 1602 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), |
1444 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip
her)); | 1603 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip
her)); |
1445 } | 1604 } |
1446 if (ecdhp == NULL) | 1605 if (ecdhp == NULL) |
1447 { | 1606 { |
1448 al=SSL_AD_HANDSHAKE_FAILURE; | 1607 al=SSL_AD_HANDSHAKE_FAILURE; |
1449 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_MISSING_TMP_ECDH_KEY); | 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_MISSING_TMP_ECDH_KEY); |
1450 goto f_err; | 1609 goto f_err; |
1451 } | 1610 } |
1452 | 1611 |
1453 if (s->s3->tmp.ecdh != NULL) | 1612 if (s->s3->tmp.ecdh != NULL) |
1454 { | 1613 { |
1455 EC_KEY_free(s->s3->tmp.ecdh); | |
1456 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_
R_INTERNAL_ERROR); | 1614 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_
R_INTERNAL_ERROR); |
1457 goto err; | 1615 goto err; |
1458 } | 1616 } |
1459 | 1617 |
1460 /* Duplicate the ECDH structure. */ | 1618 /* Duplicate the ECDH structure. */ |
1461 if (ecdhp == NULL) | 1619 if (ecdhp == NULL) |
1462 { | 1620 { |
1463 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R
_ECDH_LIB); | 1621 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R
_ECDH_LIB); |
1464 goto err; | 1622 goto err; |
1465 } | 1623 } |
1466 » » » if (!EC_KEY_up_ref(ecdhp)) | 1624 » » » if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) |
1467 { | 1625 { |
1468 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R
_ECDH_LIB); | 1626 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R
_ECDH_LIB); |
1469 goto err; | 1627 goto err; |
1470 } | 1628 } |
1471 ecdh = ecdhp; | |
1472 | 1629 |
1473 s->s3->tmp.ecdh=ecdh; | 1630 s->s3->tmp.ecdh=ecdh; |
1474 if ((EC_KEY_get0_public_key(ecdh) == NULL) || | 1631 if ((EC_KEY_get0_public_key(ecdh) == NULL) || |
1475 (EC_KEY_get0_private_key(ecdh) == NULL) || | 1632 (EC_KEY_get0_private_key(ecdh) == NULL) || |
1476 (s->options & SSL_OP_SINGLE_ECDH_USE)) | 1633 (s->options & SSL_OP_SINGLE_ECDH_USE)) |
1477 { | 1634 { |
1478 if(!EC_KEY_generate_key(ecdh)) | 1635 if(!EC_KEY_generate_key(ecdh)) |
1479 { | 1636 { |
1480 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,E
RR_R_ECDH_LIB); | 1637 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,E
RR_R_ECDH_LIB); |
1481 goto err; | 1638 goto err; |
(...skipping 13 matching lines...) Expand all Loading... |
1495 { | 1652 { |
1496 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_ECGROUP_TOO_LARGE_FOR_CIPHER); | 1653 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_ECGROUP_TOO_LARGE_FOR_CIPHER); |
1497 goto err; | 1654 goto err; |
1498 } | 1655 } |
1499 | 1656 |
1500 /* XXX: For now, we only support ephemeral ECDH | 1657 /* XXX: For now, we only support ephemeral ECDH |
1501 * keys over named (not generic) curves. For | 1658 * keys over named (not generic) curves. For |
1502 * supported named curves, curve_id is non-zero. | 1659 * supported named curves, curve_id is non-zero. |
1503 */ | 1660 */ |
1504 if ((curve_id = | 1661 if ((curve_id = |
1505 » » » nid2curve_id(EC_GROUP_get_curve_name(group))) | 1662 » » » tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))
) |
1506 == 0) | 1663 == 0) |
1507 { | 1664 { |
1508 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_UNSUPPORTED_ELLIPTIC_CURVE); | 1665 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R
_UNSUPPORTED_ELLIPTIC_CURVE); |
1509 goto err; | 1666 goto err; |
1510 } | 1667 } |
1511 | 1668 |
1512 /* Encode the public key. | 1669 /* Encode the public key. |
1513 * First check the size of encoding and | 1670 * First check the size of encoding and |
1514 * allocate memory accordingly. | 1671 * allocate memory accordingly. |
1515 */ | 1672 */ |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1552 /* We'll generate the serverKeyExchange message | 1709 /* We'll generate the serverKeyExchange message |
1553 * explicitly so we can set these to NULLs | 1710 * explicitly so we can set these to NULLs |
1554 */ | 1711 */ |
1555 r[0]=NULL; | 1712 r[0]=NULL; |
1556 r[1]=NULL; | 1713 r[1]=NULL; |
1557 r[2]=NULL; | 1714 r[2]=NULL; |
1558 r[3]=NULL; | 1715 r[3]=NULL; |
1559 } | 1716 } |
1560 else | 1717 else |
1561 #endif /* !OPENSSL_NO_ECDH */ | 1718 #endif /* !OPENSSL_NO_ECDH */ |
| 1719 #ifndef OPENSSL_NO_PSK |
| 1720 if (type & SSL_kPSK) |
| 1721 { |
| 1722 /* reserve size for record length and PSK identi
ty hint*/ |
| 1723 n+=2+strlen(s->ctx->psk_identity_hint); |
| 1724 } |
| 1725 else |
| 1726 #endif /* !OPENSSL_NO_PSK */ |
1562 { | 1727 { |
1563 al=SSL_AD_HANDSHAKE_FAILURE; | 1728 al=SSL_AD_HANDSHAKE_FAILURE; |
1564 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN
_KEY_EXCHANGE_TYPE); | 1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN
_KEY_EXCHANGE_TYPE); |
1565 goto f_err; | 1730 goto f_err; |
1566 } | 1731 } |
1567 for (i=0; r[i] != NULL; i++) | 1732 for (i=0; r[i] != NULL; i++) |
1568 { | 1733 { |
1569 nr[i]=BN_num_bytes(r[i]); | 1734 nr[i]=BN_num_bytes(r[i]); |
1570 n+=2+nr[i]; | 1735 n+=2+nr[i]; |
1571 } | 1736 } |
1572 | 1737 |
1573 » » if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) | 1738 » » if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) |
| 1739 » » » && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) |
1574 { | 1740 { |
1575 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) | 1741 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) |
1576 == NULL) | 1742 == NULL) |
1577 { | 1743 { |
1578 al=SSL_AD_DECODE_ERROR; | 1744 al=SSL_AD_DECODE_ERROR; |
1579 goto f_err; | 1745 goto f_err; |
1580 } | 1746 } |
1581 kn=EVP_PKEY_size(pkey); | 1747 kn=EVP_PKEY_size(pkey); |
1582 } | 1748 } |
1583 else | 1749 else |
(...skipping 11 matching lines...) Expand all Loading... |
1595 p= &(d[4]); | 1761 p= &(d[4]); |
1596 | 1762 |
1597 for (i=0; r[i] != NULL; i++) | 1763 for (i=0; r[i] != NULL; i++) |
1598 { | 1764 { |
1599 s2n(nr[i],p); | 1765 s2n(nr[i],p); |
1600 BN_bn2bin(r[i],p); | 1766 BN_bn2bin(r[i],p); |
1601 p+=nr[i]; | 1767 p+=nr[i]; |
1602 } | 1768 } |
1603 | 1769 |
1604 #ifndef OPENSSL_NO_ECDH | 1770 #ifndef OPENSSL_NO_ECDH |
1605 » » if (type & SSL_kECDHE) | 1771 » » if (type & SSL_kEECDH) |
1606 { | 1772 { |
1607 /* XXX: For now, we only support named (not generic) cur
ves. | 1773 /* XXX: For now, we only support named (not generic) cur
ves. |
1608 * In this situation, the serverKeyExchange message has: | 1774 * In this situation, the serverKeyExchange message has: |
1609 * [1 byte CurveType], [2 byte CurveName] | 1775 * [1 byte CurveType], [2 byte CurveName] |
1610 * [1 byte length of encoded point], followed by | 1776 * [1 byte length of encoded point], followed by |
1611 * the actual encoded point itself | 1777 * the actual encoded point itself |
1612 */ | 1778 */ |
1613 *p = NAMED_CURVE_TYPE; | 1779 *p = NAMED_CURVE_TYPE; |
1614 p += 1; | 1780 p += 1; |
1615 *p = 0; | 1781 *p = 0; |
1616 p += 1; | 1782 p += 1; |
1617 *p = curve_id; | 1783 *p = curve_id; |
1618 p += 1; | 1784 p += 1; |
1619 *p = encodedlen; | 1785 *p = encodedlen; |
1620 p += 1; | 1786 p += 1; |
1621 memcpy((unsigned char*)p, | 1787 memcpy((unsigned char*)p, |
1622 (unsigned char *)encodedPoint, | 1788 (unsigned char *)encodedPoint, |
1623 encodedlen); | 1789 encodedlen); |
1624 OPENSSL_free(encodedPoint); | 1790 OPENSSL_free(encodedPoint); |
| 1791 encodedPoint = NULL; |
1625 p += encodedlen; | 1792 p += encodedlen; |
1626 } | 1793 } |
1627 #endif | 1794 #endif |
1628 | 1795 |
| 1796 #ifndef OPENSSL_NO_PSK |
| 1797 if (type & SSL_kPSK) |
| 1798 { |
| 1799 /* copy PSK identity hint */ |
| 1800 s2n(strlen(s->ctx->psk_identity_hint), p); |
| 1801 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->
ctx->psk_identity_hint)); |
| 1802 p+=strlen(s->ctx->psk_identity_hint); |
| 1803 } |
| 1804 #endif |
| 1805 |
1629 /* not anonymous */ | 1806 /* not anonymous */ |
1630 if (pkey != NULL) | 1807 if (pkey != NULL) |
1631 { | 1808 { |
1632 /* n is the length of the params, they start at &(d[4]) | 1809 /* n is the length of the params, they start at &(d[4]) |
1633 * and p points to the space at the end. */ | 1810 * and p points to the space at the end. */ |
1634 #ifndef OPENSSL_NO_RSA | 1811 #ifndef OPENSSL_NO_RSA |
1635 if (pkey->type == EVP_PKEY_RSA) | 1812 if (pkey->type == EVP_PKEY_RSA) |
1636 { | 1813 { |
1637 q=md_buf; | 1814 q=md_buf; |
1638 j=0; | 1815 j=0; |
1639 for (num=2; num > 0; num--) | 1816 for (num=2; num > 0; num--) |
1640 { | 1817 { |
1641 EVP_MD_CTX_set_flags(&md_ctx, | |
1642 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
1643 EVP_DigestInit_ex(&md_ctx,(num == 2) | 1818 EVP_DigestInit_ex(&md_ctx,(num == 2) |
1644 ?s->ctx->md5:s->ctx->sha1, NULL)
; | 1819 ?s->ctx->md5:s->ctx->sha1, NULL)
; |
1645 EVP_DigestUpdate(&md_ctx,&(s->s3->client
_random[0]),SSL3_RANDOM_SIZE); | 1820 EVP_DigestUpdate(&md_ctx,&(s->s3->client
_random[0]),SSL3_RANDOM_SIZE); |
1646 EVP_DigestUpdate(&md_ctx,&(s->s3->server
_random[0]),SSL3_RANDOM_SIZE); | 1821 EVP_DigestUpdate(&md_ctx,&(s->s3->server
_random[0]),SSL3_RANDOM_SIZE); |
1647 EVP_DigestUpdate(&md_ctx,&(d[4]),n); | 1822 EVP_DigestUpdate(&md_ctx,&(d[4]),n); |
1648 EVP_DigestFinal_ex(&md_ctx,q, | 1823 EVP_DigestFinal_ex(&md_ctx,q, |
1649 (unsigned int *)&i); | 1824 (unsigned int *)&i); |
1650 q+=i; | 1825 q+=i; |
1651 j+=i; | 1826 j+=i; |
1652 } | 1827 } |
(...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1816 /* SSL3_ST_SW_CERT_REQ_B */ | 1991 /* SSL3_ST_SW_CERT_REQ_B */ |
1817 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 1992 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
1818 err: | 1993 err: |
1819 return(-1); | 1994 return(-1); |
1820 } | 1995 } |
1821 | 1996 |
1822 int ssl3_get_client_key_exchange(SSL *s) | 1997 int ssl3_get_client_key_exchange(SSL *s) |
1823 { | 1998 { |
1824 int i,al,ok; | 1999 int i,al,ok; |
1825 long n; | 2000 long n; |
1826 » unsigned long l; | 2001 » unsigned long alg_k; |
1827 unsigned char *p; | 2002 unsigned char *p; |
1828 #ifndef OPENSSL_NO_RSA | 2003 #ifndef OPENSSL_NO_RSA |
1829 RSA *rsa=NULL; | 2004 RSA *rsa=NULL; |
1830 EVP_PKEY *pkey=NULL; | 2005 EVP_PKEY *pkey=NULL; |
1831 #endif | 2006 #endif |
1832 #ifndef OPENSSL_NO_DH | 2007 #ifndef OPENSSL_NO_DH |
1833 BIGNUM *pub=NULL; | 2008 BIGNUM *pub=NULL; |
1834 DH *dh_srvr; | 2009 DH *dh_srvr; |
1835 #endif | 2010 #endif |
1836 #ifndef OPENSSL_NO_KRB5 | 2011 #ifndef OPENSSL_NO_KRB5 |
1837 KSSL_ERR kssl_err; | 2012 » KSSL_ERR kssl_err; |
1838 #endif /* OPENSSL_NO_KRB5 */ | 2013 #endif /* OPENSSL_NO_KRB5 */ |
1839 | 2014 |
1840 #ifndef OPENSSL_NO_ECDH | 2015 #ifndef OPENSSL_NO_ECDH |
1841 EC_KEY *srvr_ecdh = NULL; | 2016 EC_KEY *srvr_ecdh = NULL; |
1842 EVP_PKEY *clnt_pub_pkey = NULL; | 2017 EVP_PKEY *clnt_pub_pkey = NULL; |
1843 EC_POINT *clnt_ecpoint = NULL; | 2018 EC_POINT *clnt_ecpoint = NULL; |
1844 BN_CTX *bn_ctx = NULL; | 2019 BN_CTX *bn_ctx = NULL; |
1845 #endif | 2020 #endif |
1846 | 2021 |
1847 n=s->method->ssl_get_message(s, | 2022 n=s->method->ssl_get_message(s, |
1848 SSL3_ST_SR_KEY_EXCH_A, | 2023 SSL3_ST_SR_KEY_EXCH_A, |
1849 SSL3_ST_SR_KEY_EXCH_B, | 2024 SSL3_ST_SR_KEY_EXCH_B, |
1850 SSL3_MT_CLIENT_KEY_EXCHANGE, | 2025 SSL3_MT_CLIENT_KEY_EXCHANGE, |
1851 2048, /* ??? */ | 2026 2048, /* ??? */ |
1852 &ok); | 2027 &ok); |
1853 | 2028 |
1854 if (!ok) return((int)n); | 2029 if (!ok) return((int)n); |
1855 p=(unsigned char *)s->init_msg; | 2030 p=(unsigned char *)s->init_msg; |
1856 | 2031 |
1857 » l=s->s3->tmp.new_cipher->algorithms; | 2032 » alg_k=s->s3->tmp.new_cipher->algorithm_mkey; |
1858 | 2033 |
1859 #ifndef OPENSSL_NO_RSA | 2034 #ifndef OPENSSL_NO_RSA |
1860 » if (l & SSL_kRSA) | 2035 » if (alg_k & SSL_kRSA) |
1861 { | 2036 { |
1862 /* FIX THIS UP EAY EAY EAY EAY */ | 2037 /* FIX THIS UP EAY EAY EAY EAY */ |
1863 if (s->s3->tmp.use_rsa_tmp) | 2038 if (s->s3->tmp.use_rsa_tmp) |
1864 { | 2039 { |
1865 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) | 2040 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) |
1866 rsa=s->cert->rsa_tmp; | 2041 rsa=s->cert->rsa_tmp; |
1867 /* Don't do a callback because rsa_tmp should | 2042 /* Don't do a callback because rsa_tmp should |
1868 * be sent already */ | 2043 * be sent already */ |
1869 if (rsa == NULL) | 2044 if (rsa == NULL) |
1870 { | 2045 { |
(...skipping 10 matching lines...) Expand all Loading... |
1881 (pkey->type != EVP_PKEY_RSA) || | 2056 (pkey->type != EVP_PKEY_RSA) || |
1882 (pkey->pkey.rsa == NULL)) | 2057 (pkey->pkey.rsa == NULL)) |
1883 { | 2058 { |
1884 al=SSL_AD_HANDSHAKE_FAILURE; | 2059 al=SSL_AD_HANDSHAKE_FAILURE; |
1885 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_
MISSING_RSA_CERTIFICATE); | 2060 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_
MISSING_RSA_CERTIFICATE); |
1886 goto f_err; | 2061 goto f_err; |
1887 } | 2062 } |
1888 rsa=pkey->pkey.rsa; | 2063 rsa=pkey->pkey.rsa; |
1889 } | 2064 } |
1890 | 2065 |
1891 » » /* TLS and [incidentally] DTLS, including pre-0.9.8f */ | 2066 » » /* TLS and [incidentally] DTLS{0xFEFF} */ |
1892 » » if (s->version > SSL3_VERSION && | 2067 » » if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) |
1893 » » s->client_version != DTLS1_BAD_VER) | |
1894 { | 2068 { |
1895 n2s(p,i); | 2069 n2s(p,i); |
1896 if (n != i+2) | 2070 if (n != i+2) |
1897 { | 2071 { |
1898 if (!(s->options & SSL_OP_TLS_D5_BUG)) | 2072 if (!(s->options & SSL_OP_TLS_D5_BUG)) |
1899 { | 2073 { |
1900 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANG
E,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); | 2074 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANG
E,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); |
1901 goto err; | 2075 goto err; |
1902 } | 2076 } |
1903 else | 2077 else |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1957 | 2131 |
1958 s->session->master_key_length= | 2132 s->session->master_key_length= |
1959 s->method->ssl3_enc->generate_master_secret(s, | 2133 s->method->ssl3_enc->generate_master_secret(s, |
1960 s->session->master_key, | 2134 s->session->master_key, |
1961 p,i); | 2135 p,i); |
1962 OPENSSL_cleanse(p,i); | 2136 OPENSSL_cleanse(p,i); |
1963 } | 2137 } |
1964 else | 2138 else |
1965 #endif | 2139 #endif |
1966 #ifndef OPENSSL_NO_DH | 2140 #ifndef OPENSSL_NO_DH |
1967 » » if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) | 2141 » » if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) |
1968 { | 2142 { |
1969 n2s(p,i); | 2143 n2s(p,i); |
1970 if (n != i+2) | 2144 if (n != i+2) |
1971 { | 2145 { |
1972 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) | 2146 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) |
1973 { | 2147 { |
1974 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_
DH_PUBLIC_VALUE_LENGTH_IS_WRONG); | 2148 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_
DH_PUBLIC_VALUE_LENGTH_IS_WRONG); |
1975 goto err; | 2149 goto err; |
1976 } | 2150 } |
1977 else | 2151 else |
(...skipping 26 matching lines...) Expand all Loading... |
2004 { | 2178 { |
2005 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); | 2179 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); |
2006 goto err; | 2180 goto err; |
2007 } | 2181 } |
2008 | 2182 |
2009 i=DH_compute_key(p,pub,dh_srvr); | 2183 i=DH_compute_key(p,pub,dh_srvr); |
2010 | 2184 |
2011 if (i <= 0) | 2185 if (i <= 0) |
2012 { | 2186 { |
2013 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); | 2187 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); |
| 2188 BN_clear_free(pub); |
2014 goto err; | 2189 goto err; |
2015 } | 2190 } |
2016 | 2191 |
2017 DH_free(s->s3->tmp.dh); | 2192 DH_free(s->s3->tmp.dh); |
2018 s->s3->tmp.dh=NULL; | 2193 s->s3->tmp.dh=NULL; |
2019 | 2194 |
2020 BN_clear_free(pub); | 2195 BN_clear_free(pub); |
2021 pub=NULL; | 2196 pub=NULL; |
2022 s->session->master_key_length= | 2197 s->session->master_key_length= |
2023 s->method->ssl3_enc->generate_master_secret(s, | 2198 s->method->ssl3_enc->generate_master_secret(s, |
2024 s->session->master_key,p,i); | 2199 s->session->master_key,p,i); |
2025 OPENSSL_cleanse(p,i); | 2200 OPENSSL_cleanse(p,i); |
2026 } | 2201 } |
2027 else | 2202 else |
2028 #endif | 2203 #endif |
2029 #ifndef OPENSSL_NO_KRB5 | 2204 #ifndef OPENSSL_NO_KRB5 |
2030 if (l & SSL_kKRB5) | 2205 » if (alg_k & SSL_kKRB5) |
2031 { | 2206 » » { |
2032 krb5_error_code»» krb5rc; | 2207 » » krb5_error_code»» krb5rc; |
2033 krb5_data enc_ticket; | 2208 krb5_data enc_ticket; |
2034 krb5_data authenticator; | 2209 krb5_data authenticator; |
2035 krb5_data enc_pms; | 2210 krb5_data enc_pms; |
2036 KSSL_CTX» » *kssl_ctx = s->kssl_ctx; | 2211 » » KSSL_CTX» » *kssl_ctx = s->kssl_ctx; |
2037 EVP_CIPHER_CTX ciph_ctx; | 2212 EVP_CIPHER_CTX ciph_ctx; |
2038 » » EVP_CIPHER» » *enc = NULL; | 2213 » » const EVP_CIPHER» *enc = NULL; |
2039 unsigned char iv[EVP_MAX_IV_LENGTH]; | 2214 unsigned char iv[EVP_MAX_IV_LENGTH]; |
2040 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH | 2215 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH |
2041 + EVP_MAX_BLOCK_LENGTH]; | 2216 » » » » » + EVP_MAX_BLOCK_LENGTH]; |
2042 » » int padl, outl; | 2217 » » int» » padl, outl; |
2043 krb5_timestamp authtime = 0; | 2218 krb5_timestamp authtime = 0; |
2044 krb5_ticket_times ttimes; | 2219 krb5_ticket_times ttimes; |
2045 | 2220 |
2046 EVP_CIPHER_CTX_init(&ciph_ctx); | 2221 EVP_CIPHER_CTX_init(&ciph_ctx); |
2047 | 2222 |
2048 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); | 2223 » » if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); |
2049 | 2224 |
2050 n2s(p,i); | 2225 n2s(p,i); |
2051 enc_ticket.length = i; | 2226 enc_ticket.length = i; |
2052 | 2227 |
2053 » » if (n < (int)enc_ticket.length + 6) | 2228 » » if (n < (long)(enc_ticket.length + 6)) |
2054 { | 2229 { |
2055 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2230 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2056 SSL_R_DATA_LENGTH_TOO_LONG); | 2231 SSL_R_DATA_LENGTH_TOO_LONG); |
2057 goto err; | 2232 goto err; |
2058 } | 2233 } |
2059 | 2234 |
2060 enc_ticket.data = (char *)p; | 2235 enc_ticket.data = (char *)p; |
2061 p+=enc_ticket.length; | 2236 p+=enc_ticket.length; |
2062 | 2237 |
2063 n2s(p,i); | 2238 n2s(p,i); |
2064 authenticator.length = i; | 2239 authenticator.length = i; |
2065 | 2240 |
2066 » » if (n < (int)(enc_ticket.length + authenticator.length) + 6) | 2241 » » if (n < (long)(enc_ticket.length + authenticator.length + 6)) |
2067 { | 2242 { |
2068 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2243 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2069 SSL_R_DATA_LENGTH_TOO_LONG); | 2244 SSL_R_DATA_LENGTH_TOO_LONG); |
2070 goto err; | 2245 goto err; |
2071 } | 2246 } |
2072 | 2247 |
2073 authenticator.data = (char *)p; | 2248 authenticator.data = (char *)p; |
2074 p+=authenticator.length; | 2249 p+=authenticator.length; |
2075 | 2250 |
2076 n2s(p,i); | 2251 n2s(p,i); |
(...skipping 12 matching lines...) Expand all Loading... |
2089 } | 2264 } |
2090 | 2265 |
2091 if (n != (long)(enc_ticket.length + authenticator.length + | 2266 if (n != (long)(enc_ticket.length + authenticator.length + |
2092 enc_pms.length + 6)) | 2267 enc_pms.length + 6)) |
2093 { | 2268 { |
2094 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2095 SSL_R_DATA_LENGTH_TOO_LONG); | 2270 SSL_R_DATA_LENGTH_TOO_LONG); |
2096 goto err; | 2271 goto err; |
2097 } | 2272 } |
2098 | 2273 |
2099 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, | 2274 » » if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, |
2100 &kssl_err)) != 0) | 2275 &kssl_err)) != 0) |
2101 { | 2276 » » » { |
2102 #ifdef KSSL_DEBUG | 2277 #ifdef KSSL_DEBUG |
2103 printf("kssl_sget_tkt rtn %d [%d]\n", | 2278 » » » printf("kssl_sget_tkt rtn %d [%d]\n", |
2104 krb5rc, kssl_err.reason); | 2279 » » » » krb5rc, kssl_err.reason); |
2105 if (kssl_err.text) | 2280 » » » if (kssl_err.text) |
2106 printf("kssl_err text= %s\n", kssl_err.text); | 2281 » » » » printf("kssl_err text= %s\n", kssl_err.text); |
2107 #endif /* KSSL_DEBUG */ | 2282 #endif /* KSSL_DEBUG */ |
2108 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2283 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2109 kssl_err.reason); | 2284 » » » » kssl_err.reason); |
2110 goto err; | 2285 » » » goto err; |
2111 } | 2286 » » » } |
2112 | 2287 |
2113 /* Note: no authenticator is not considered an error, | 2288 /* Note: no authenticator is not considered an error, |
2114 ** but will return authtime == 0. | 2289 ** but will return authtime == 0. |
2115 */ | 2290 */ |
2116 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, | 2291 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, |
2117 &authtime, &kssl_err)) != 0) | 2292 &authtime, &kssl_err)) != 0) |
2118 { | 2293 { |
2119 #ifdef KSSL_DEBUG | 2294 #ifdef KSSL_DEBUG |
2120 printf("kssl_check_authent rtn %d [%d]\n", | 2295 » » » printf("kssl_check_authent rtn %d [%d]\n", |
2121 krb5rc, kssl_err.reason); | 2296 » » » » krb5rc, kssl_err.reason); |
2122 if (kssl_err.text) | 2297 » » » if (kssl_err.text) |
2123 printf("kssl_err text= %s\n", kssl_err.text); | 2298 » » » » printf("kssl_err text= %s\n", kssl_err.text); |
2124 #endif /* KSSL_DEBUG */ | 2299 #endif /* KSSL_DEBUG */ |
2125 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2300 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2126 kssl_err.reason); | 2301 » » » » kssl_err.reason); |
2127 goto err; | 2302 » » » goto err; |
2128 } | 2303 } |
2129 | 2304 |
2130 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) | 2305 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) |
2131 { | 2306 { |
2132 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); | 2307 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); |
2133 goto err; | 2308 » » » goto err; |
2134 } | 2309 } |
2135 | 2310 |
2136 #ifdef KSSL_DEBUG | 2311 #ifdef KSSL_DEBUG |
2137 kssl_ctx_show(kssl_ctx); | 2312 » » kssl_ctx_show(kssl_ctx); |
2138 #endif /* KSSL_DEBUG */ | 2313 #endif /* KSSL_DEBUG */ |
2139 | 2314 |
2140 enc = kssl_map_enc(kssl_ctx->enctype); | 2315 enc = kssl_map_enc(kssl_ctx->enctype); |
2141 if (enc == NULL) | 2316 » » if (enc == NULL) |
2142 goto err; | 2317 » » goto err; |
2143 | 2318 |
2144 memset(iv, 0, sizeof iv); /* per RFC 1510 */ | 2319 memset(iv, 0, sizeof iv); /* per RFC 1510 */ |
2145 | 2320 |
2146 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) | 2321 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) |
2147 { | 2322 { |
2148 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2323 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2149 SSL_R_DECRYPTION_FAILED); | 2324 SSL_R_DECRYPTION_FAILED); |
2150 goto err; | 2325 goto err; |
2151 } | 2326 } |
2152 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, | 2327 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, |
(...skipping 26 matching lines...) Expand all Loading... |
2179 { | 2354 { |
2180 /* The premaster secret must contain the same version number
as the | 2355 /* The premaster secret must contain the same version number
as the |
2181 * ClientHello to detect version rollback attacks (strangely
, the | 2356 * ClientHello to detect version rollback attacks (strangely
, the |
2182 * protocol does not offer such protection for DH ciphersuit
es). | 2357 * protocol does not offer such protection for DH ciphersuit
es). |
2183 * However, buggy clients exist that send random bytes inste
ad of | 2358 * However, buggy clients exist that send random bytes inste
ad of |
2184 * the protocol version. | 2359 * the protocol version. |
2185 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
| 2360 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
|
2186 * (Perhaps we should have a separate BUG value for the Kerb
eros cipher) | 2361 * (Perhaps we should have a separate BUG value for the Kerb
eros cipher) |
2187 */ | 2362 */ |
2188 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) | 2363 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) |
2189 » » { | 2364 » » » { |
2190 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2191 SSL_AD_DECODE_ERROR); | 2366 SSL_AD_DECODE_ERROR); |
2192 goto err; | 2367 goto err; |
2193 } | 2368 } |
2194 } | 2369 } |
2195 | 2370 |
2196 EVP_CIPHER_CTX_cleanup(&ciph_ctx); | 2371 EVP_CIPHER_CTX_cleanup(&ciph_ctx); |
2197 | 2372 |
2198 s->session->master_key_length= | 2373 » » s->session->master_key_length= |
2199 s->method->ssl3_enc->generate_master_secret(s, | 2374 » » » s->method->ssl3_enc->generate_master_secret(s, |
2200 s->session->master_key, pms, outl); | 2375 » » » » s->session->master_key, pms, outl); |
2201 | 2376 |
2202 if (kssl_ctx->client_princ) | 2377 » » if (kssl_ctx->client_princ) |
2203 { | 2378 » » » { |
2204 size_t len = strlen(kssl_ctx->client_princ); | 2379 » » » size_t len = strlen(kssl_ctx->client_princ); |
2205 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) | 2380 » » » if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) |
2206 { | 2381 » » » » { |
2207 s->session->krb5_client_princ_len = len; | 2382 » » » » s->session->krb5_client_princ_len = len; |
2208 memcpy(s->session->krb5_client_princ,kssl_ctx->c
lient_princ,len); | 2383 » » » » memcpy(s->session->krb5_client_princ,kssl_ctx->c
lient_princ,len); |
2209 } | 2384 » » » » } |
2210 } | 2385 » » » } |
2211 | 2386 |
2212 | 2387 |
2213 /* Was doing kssl_ctx_free() here, | 2388 » » /* Was doing kssl_ctx_free() here, |
2214 ** but it caused problems for apache. | 2389 ** but it caused problems for apache. |
2215 ** kssl_ctx = kssl_ctx_free(kssl_ctx); | 2390 » » ** kssl_ctx = kssl_ctx_free(kssl_ctx); |
2216 ** if (s->kssl_ctx) s->kssl_ctx = NULL; | 2391 » » ** if (s->kssl_ctx) s->kssl_ctx = NULL; |
2217 */ | 2392 » » */ |
2218 } | 2393 » » } |
2219 else | 2394 else |
2220 #endif /* OPENSSL_NO_KRB5 */ | 2395 #endif /* OPENSSL_NO_KRB5 */ |
2221 | 2396 |
2222 #ifndef OPENSSL_NO_ECDH | 2397 #ifndef OPENSSL_NO_ECDH |
2223 » » if ((l & SSL_kECDH) || (l & SSL_kECDHE)) | 2398 » » if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) |
2224 { | 2399 { |
2225 int ret = 1; | 2400 int ret = 1; |
2226 int field_size = 0; | 2401 int field_size = 0; |
2227 const EC_KEY *tkey; | 2402 const EC_KEY *tkey; |
2228 const EC_GROUP *group; | 2403 const EC_GROUP *group; |
2229 const BIGNUM *priv_key; | 2404 const BIGNUM *priv_key; |
2230 | 2405 |
2231 /* initialize structures for server's ECDH key pair */ | 2406 » » /* initialize structures for server's ECDH key pair */ |
2232 if ((srvr_ecdh = EC_KEY_new()) == NULL) | 2407 if ((srvr_ecdh = EC_KEY_new()) == NULL) |
2233 { | 2408 { |
2234 » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2409 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2235 ERR_R_MALLOC_FAILURE); | 2410 ERR_R_MALLOC_FAILURE); |
2236 » goto err; | 2411 » » » goto err; |
2237 } | 2412 } |
2238 | 2413 |
2239 /* Let's get server private key and group information */ | 2414 /* Let's get server private key and group information */ |
2240 » » if (l & SSL_kECDH) | 2415 » » if (alg_k & (SSL_kECDHr|SSL_kECDHe)) |
2241 { | 2416 { |
2242 /* use the certificate */ | 2417 » » » /* use the certificate */ |
2243 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; | 2418 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; |
2244 } | 2419 } |
2245 else | 2420 else |
2246 { | 2421 { |
2247 /* use the ephermeral values we saved when | 2422 /* use the ephermeral values we saved when |
2248 * generating the ServerKeyExchange msg. | 2423 * generating the ServerKeyExchange msg. |
2249 */ | 2424 */ |
2250 tkey = s->s3->tmp.ecdh; | 2425 tkey = s->s3->tmp.ecdh; |
2251 } | 2426 } |
2252 | 2427 |
2253 group = EC_KEY_get0_group(tkey); | 2428 group = EC_KEY_get0_group(tkey); |
2254 priv_key = EC_KEY_get0_private_key(tkey); | 2429 priv_key = EC_KEY_get0_private_key(tkey); |
2255 | 2430 |
2256 if (!EC_KEY_set_group(srvr_ecdh, group) || | 2431 if (!EC_KEY_set_group(srvr_ecdh, group) || |
2257 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) | 2432 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) |
2258 { | 2433 { |
2259 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2434 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2260 ERR_R_EC_LIB); | 2435 ERR_R_EC_LIB); |
2261 goto err; | 2436 goto err; |
2262 } | 2437 } |
2263 | 2438 |
2264 /* Let's get client's public key */ | 2439 /* Let's get client's public key */ |
2265 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) | 2440 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) |
2266 { | 2441 { |
2267 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2442 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2268 ERR_R_MALLOC_FAILURE); | 2443 ERR_R_MALLOC_FAILURE); |
2269 goto err; | 2444 goto err; |
2270 } | 2445 } |
2271 | 2446 |
2272 if (n == 0L) | 2447 » » if (n == 0L) |
2273 { | 2448 » » » { |
2274 /* Client Publickey was in Client Certificate */ | 2449 /* Client Publickey was in Client Certificate */ |
2275 | 2450 |
2276 » » » if (l & SSL_kECDHE) | 2451 » » » if (alg_k & SSL_kEECDH) |
2277 { | 2452 { |
2278 al=SSL_AD_HANDSHAKE_FAILURE; | 2453 al=SSL_AD_HANDSHAKE_FAILURE; |
2279 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R
_MISSING_TMP_ECDH_KEY); | 2454 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R
_MISSING_TMP_ECDH_KEY); |
2280 goto f_err; | 2455 goto f_err; |
2281 } | 2456 } |
2282 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) | 2457 » » » if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) |
2283 == NULL) || | 2458 == NULL) || |
2284 (clnt_pub_pkey->type != EVP_PKEY_EC)) | 2459 (clnt_pub_pkey->type != EVP_PKEY_EC)) |
2285 » { | 2460 » » » » { |
2286 /* XXX: For now, we do not support client | 2461 /* XXX: For now, we do not support client |
2287 * authentication using ECDH certificates | 2462 * authentication using ECDH certificates |
2288 * so this branch (n == 0L) of the code is | 2463 * so this branch (n == 0L) of the code is |
2289 * never executed. When that support is | 2464 * never executed. When that support is |
2290 * added, we ought to ensure the key | 2465 * added, we ought to ensure the key |
2291 * received in the certificate is | 2466 * received in the certificate is |
2292 * authorized for key agreement. | 2467 * authorized for key agreement. |
2293 * ECDH_compute_key implicitly checks that | 2468 * ECDH_compute_key implicitly checks that |
2294 * the two ECDH shares are for the same | 2469 * the two ECDH shares are for the same |
2295 * group. | 2470 * group. |
2296 */ | 2471 */ |
2297 » al=SSL_AD_HANDSHAKE_FAILURE; | 2472 » » » » al=SSL_AD_HANDSHAKE_FAILURE; |
2298 » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2473 » » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2299 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); | 2474 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); |
2300 » goto f_err; | 2475 » » » » goto f_err; |
2301 » } | 2476 » » » » } |
2302 | 2477 |
2303 if (EC_POINT_copy(clnt_ecpoint, | 2478 if (EC_POINT_copy(clnt_ecpoint, |
2304 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0
) | 2479 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0
) |
2305 { | 2480 { |
2306 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2481 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2307 ERR_R_EC_LIB); | 2482 ERR_R_EC_LIB); |
2308 goto err; | 2483 goto err; |
2309 } | 2484 } |
2310 ret = 2; /* Skip certificate verify processing */ | 2485 » » » ret = 2; /* Skip certificate verify processing */ |
2311 } | 2486 » » » } |
2312 else | 2487 » » else |
2313 { | 2488 » » » { |
2314 /* Get client's public key from encoded point | 2489 /* Get client's public key from encoded point |
2315 * in the ClientKeyExchange message. | 2490 * in the ClientKeyExchange message. |
2316 */ | 2491 */ |
2317 if ((bn_ctx = BN_CTX_new()) == NULL) | 2492 if ((bn_ctx = BN_CTX_new()) == NULL) |
2318 { | 2493 { |
2319 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2494 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2320 ERR_R_MALLOC_FAILURE); | 2495 ERR_R_MALLOC_FAILURE); |
2321 goto err; | 2496 goto err; |
2322 } | 2497 } |
2323 | 2498 |
2324 /* Get encoded point length */ | 2499 » » » /* Get encoded point length */ |
2325 i = *p; | 2500 » » » i = *p; |
2326 p += 1; | 2501 p += 1; |
2327 if (EC_POINT_oct2point(group, | 2502 » » » if (n != 1 + i) |
| 2503 » » » » { |
| 2504 » » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2505 » » » » ERR_R_EC_LIB); |
| 2506 » » » » goto err; |
| 2507 » » » » } |
| 2508 » » » if (EC_POINT_oct2point(group, |
2328 clnt_ecpoint, p, i, bn_ctx) == 0) | 2509 clnt_ecpoint, p, i, bn_ctx) == 0) |
2329 { | 2510 { |
2330 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2511 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2331 ERR_R_EC_LIB); | 2512 ERR_R_EC_LIB); |
2332 goto err; | 2513 goto err; |
2333 } | 2514 } |
2334 /* p is pointing to somewhere in the buffer | 2515 » » » /* p is pointing to somewhere in the buffer |
2335 * currently, so set it to the start | 2516 » » » * currently, so set it to the start |
2336 */ | 2517 » » » */ |
2337 p=(unsigned char *)s->init_buf->data; | 2518 » » » p=(unsigned char *)s->init_buf->data; |
2338 } | 2519 » » » } |
2339 | 2520 |
2340 /* Compute the shared pre-master secret */ | 2521 /* Compute the shared pre-master secret */ |
2341 field_size = EC_GROUP_get_degree(group); | 2522 field_size = EC_GROUP_get_degree(group); |
2342 if (field_size <= 0) | 2523 if (field_size <= 0) |
2343 { | 2524 { |
2344 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2525 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2345 ERR_R_ECDH_LIB); | 2526 ERR_R_ECDH_LIB); |
2346 goto err; | 2527 goto err; |
2347 } | 2528 } |
2348 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecd
h, NULL); | 2529 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecd
h, NULL); |
2349 if (i <= 0) | 2530 » » if (i <= 0) |
2350 { | 2531 » » » { |
2351 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2532 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2352 ERR_R_ECDH_LIB); | 2533 ERR_R_ECDH_LIB); |
2353 goto err; | 2534 » » » goto err; |
2354 } | 2535 » » » } |
2355 | 2536 |
2356 EVP_PKEY_free(clnt_pub_pkey); | 2537 EVP_PKEY_free(clnt_pub_pkey); |
2357 EC_POINT_free(clnt_ecpoint); | 2538 EC_POINT_free(clnt_ecpoint); |
2358 » » if (srvr_ecdh != NULL) | 2539 » » EC_KEY_free(srvr_ecdh); |
2359 » » » EC_KEY_free(srvr_ecdh); | |
2360 BN_CTX_free(bn_ctx); | 2540 BN_CTX_free(bn_ctx); |
| 2541 EC_KEY_free(s->s3->tmp.ecdh); |
| 2542 s->s3->tmp.ecdh = NULL; |
2361 | 2543 |
2362 /* Compute the master secret */ | 2544 /* Compute the master secret */ |
2363 s->session->master_key_length = s->method->ssl3_enc-> \ | 2545 » » s->session->master_key_length = s->method->ssl3_enc-> \ |
2364 generate_master_secret(s, s->session->master_key, p, i); | 2546 generate_master_secret(s, s->session->master_key, p, i); |
2365 | 2547 |
2366 OPENSSL_cleanse(p, i); | 2548 » » OPENSSL_cleanse(p, i); |
2367 return (ret); | 2549 » » return (ret); |
2368 } | 2550 } |
2369 else | 2551 else |
2370 #endif | 2552 #endif |
| 2553 #ifndef OPENSSL_NO_PSK |
| 2554 if (alg_k & SSL_kPSK) |
| 2555 { |
| 2556 unsigned char *t = NULL; |
| 2557 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; |
| 2558 unsigned int pre_ms_len = 0, psk_len = 0; |
| 2559 int psk_err = 1; |
| 2560 char tmp_id[PSK_MAX_IDENTITY_LEN+1]; |
| 2561 |
| 2562 al=SSL_AD_HANDSHAKE_FAILURE; |
| 2563 |
| 2564 n2s(p,i); |
| 2565 if (n != i+2) |
| 2566 { |
| 2567 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2568 SSL_R_LENGTH_MISMATCH); |
| 2569 goto psk_err; |
| 2570 } |
| 2571 if (i > PSK_MAX_IDENTITY_LEN) |
| 2572 { |
| 2573 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2574 SSL_R_DATA_LENGTH_TOO_LONG); |
| 2575 goto psk_err; |
| 2576 } |
| 2577 if (s->psk_server_callback == NULL) |
| 2578 { |
| 2579 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2580 SSL_R_PSK_NO_SERVER_CB); |
| 2581 goto psk_err; |
| 2582 } |
| 2583 |
| 2584 /* Create guaranteed NULL-terminated identity |
| 2585 * string for the callback */ |
| 2586 memcpy(tmp_id, p, i); |
| 2587 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); |
| 2588 psk_len = s->psk_server_callback(s, tmp_id, |
| 2589 psk_or_pre_ms, sizeof(psk_or_pre_ms)); |
| 2590 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); |
| 2591 |
| 2592 if (psk_len > PSK_MAX_PSK_LEN) |
| 2593 { |
| 2594 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2595 ERR_R_INTERNAL_ERROR); |
| 2596 goto psk_err; |
| 2597 } |
| 2598 else if (psk_len == 0) |
| 2599 { |
| 2600 /* PSK related to the given identity not found *
/ |
| 2601 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2602 SSL_R_PSK_IDENTITY_NOT_FOUND); |
| 2603 al=SSL_AD_UNKNOWN_PSK_IDENTITY; |
| 2604 goto psk_err; |
| 2605 } |
| 2606 |
| 2607 /* create PSK pre_master_secret */ |
| 2608 pre_ms_len=2+psk_len+2+psk_len; |
| 2609 t = psk_or_pre_ms; |
| 2610 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len)
; |
| 2611 s2n(psk_len, t); |
| 2612 memset(t, 0, psk_len); |
| 2613 t+=psk_len; |
| 2614 s2n(psk_len, t); |
| 2615 |
| 2616 if (s->session->psk_identity != NULL) |
| 2617 OPENSSL_free(s->session->psk_identity); |
| 2618 s->session->psk_identity = BUF_strdup((char *)p); |
| 2619 if (s->session->psk_identity == NULL) |
| 2620 { |
| 2621 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2622 ERR_R_MALLOC_FAILURE); |
| 2623 goto psk_err; |
| 2624 } |
| 2625 |
| 2626 if (s->session->psk_identity_hint != NULL) |
| 2627 OPENSSL_free(s->session->psk_identity_hint); |
| 2628 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_i
dentity_hint); |
| 2629 if (s->ctx->psk_identity_hint != NULL && |
| 2630 s->session->psk_identity_hint == NULL) |
| 2631 { |
| 2632 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
| 2633 ERR_R_MALLOC_FAILURE); |
| 2634 goto psk_err; |
| 2635 } |
| 2636 |
| 2637 s->session->master_key_length= |
| 2638 s->method->ssl3_enc->generate_master_secret(s, |
| 2639 s->session->master_key, psk_or_pre_ms, p
re_ms_len); |
| 2640 psk_err = 0; |
| 2641 psk_err: |
| 2642 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); |
| 2643 if (psk_err != 0) |
| 2644 goto f_err; |
| 2645 } |
| 2646 else |
| 2647 #endif |
| 2648 if (alg_k & SSL_kGOST) |
| 2649 { |
| 2650 int ret = 0; |
| 2651 EVP_PKEY_CTX *pkey_ctx; |
| 2652 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; |
| 2653 unsigned char premaster_secret[32], *start; |
| 2654 size_t outlen=32, inlen; |
| 2655 unsigned long alg_a; |
| 2656 |
| 2657 /* Get our certificate private key*/ |
| 2658 alg_a = s->s3->tmp.new_cipher->algorithm_auth; |
| 2659 if (alg_a & SSL_aGOST94) |
| 2660 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; |
| 2661 else if (alg_a & SSL_aGOST01) |
| 2662 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; |
| 2663 |
| 2664 pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); |
| 2665 EVP_PKEY_decrypt_init(pkey_ctx); |
| 2666 /* If client certificate is present and is of the same t
ype, maybe |
| 2667 * use it for key exchange. Don't mind errors from |
| 2668 * EVP_PKEY_derive_set_peer, because it is completely va
lid to use |
| 2669 * a client certificate for authorization only. */ |
| 2670 client_pub_pkey = X509_get_pubkey(s->session->peer); |
| 2671 if (client_pub_pkey) |
| 2672 { |
| 2673 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pu
b_pkey) <= 0) |
| 2674 ERR_clear_error(); |
| 2675 } |
| 2676 /* Decrypt session key */ |
| 2677 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) |
| 2678 { |
| 2679 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_
DECRYPTION_FAILED); |
| 2680 goto gerr; |
| 2681 } |
| 2682 if (p[1] == 0x81) |
| 2683 { |
| 2684 start = p+3; |
| 2685 inlen = p[2]; |
| 2686 } |
| 2687 else if (p[1] < 0x80) |
| 2688 { |
| 2689 start = p+2; |
| 2690 inlen = p[1]; |
| 2691 } |
| 2692 else |
| 2693 { |
| 2694 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_
DECRYPTION_FAILED); |
| 2695 goto gerr; |
| 2696 } |
| 2697 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,s
tart,inlen) <=0) |
| 2698 |
| 2699 { |
| 2700 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_
DECRYPTION_FAILED); |
| 2701 goto gerr; |
| 2702 } |
| 2703 /* Generate master secret */ |
| 2704 s->session->master_key_length= |
| 2705 s->method->ssl3_enc->generate_master_secret(s, |
| 2706 s->session->master_key,premaster_secret,
32); |
| 2707 /* Check if pubkey from client certificate was used */ |
| 2708 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PE
ER_KEY, 2, NULL) > 0) |
| 2709 ret = 2; |
| 2710 else |
| 2711 ret = 1; |
| 2712 gerr: |
| 2713 EVP_PKEY_free(client_pub_pkey); |
| 2714 EVP_PKEY_CTX_free(pkey_ctx); |
| 2715 if (ret) |
| 2716 return ret; |
| 2717 else |
| 2718 goto err; |
| 2719 } |
| 2720 else |
2371 { | 2721 { |
2372 al=SSL_AD_HANDSHAKE_FAILURE; | 2722 al=SSL_AD_HANDSHAKE_FAILURE; |
2373 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | 2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, |
2374 SSL_R_UNKNOWN_CIPHER_TYPE); | 2724 SSL_R_UNKNOWN_CIPHER_TYPE); |
2375 goto f_err; | 2725 goto f_err; |
2376 } | 2726 } |
2377 | 2727 |
2378 return(1); | 2728 return(1); |
2379 f_err: | 2729 f_err: |
2380 ssl3_send_alert(s,SSL3_AL_FATAL,al); | 2730 ssl3_send_alert(s,SSL3_AL_FATAL,al); |
2381 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_E
CDH) | 2731 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_E
CDH) |
2382 err: | 2732 err: |
2383 #endif | 2733 #endif |
2384 #ifndef OPENSSL_NO_ECDH | 2734 #ifndef OPENSSL_NO_ECDH |
2385 EVP_PKEY_free(clnt_pub_pkey); | 2735 EVP_PKEY_free(clnt_pub_pkey); |
2386 EC_POINT_free(clnt_ecpoint); | 2736 EC_POINT_free(clnt_ecpoint); |
2387 if (srvr_ecdh != NULL) | 2737 if (srvr_ecdh != NULL) |
2388 EC_KEY_free(srvr_ecdh); | 2738 EC_KEY_free(srvr_ecdh); |
2389 BN_CTX_free(bn_ctx); | 2739 BN_CTX_free(bn_ctx); |
2390 #endif | 2740 #endif |
2391 return(-1); | 2741 return(-1); |
2392 } | 2742 } |
2393 | 2743 |
2394 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It | |
2395 * sets the next_proto member in s if found */ | |
2396 int ssl3_get_next_proto(SSL *s) | |
2397 { | |
2398 int ok; | |
2399 unsigned proto_len, padding_len; | |
2400 long n; | |
2401 const unsigned char *p; | |
2402 | |
2403 /* Clients cannot send a NextProtocol message if we didn't see the | |
2404 * extension in their ClientHello */ | |
2405 if (!s->s3->next_proto_neg_seen) { | |
2406 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EX
TENSION); | |
2407 return -1; | |
2408 } | |
2409 | |
2410 n=s->method->ssl_get_message(s, | |
2411 SSL3_ST_SR_NEXT_PROTO_A, | |
2412 SSL3_ST_SR_NEXT_PROTO_B, | |
2413 SSL3_MT_NEXT_PROTO, | |
2414 129, | |
2415 &ok); | |
2416 | |
2417 if (!ok) | |
2418 return((int)n); | |
2419 | |
2420 /* s->state doesn't reflect whether ChangeCipherSpec has been received | |
2421 * in this handshake, but s->s3->change_cipher_spec does (will be reset | |
2422 * by ssl3_get_finished). */ | |
2423 if (!s->s3->change_cipher_spec) | |
2424 { | |
2425 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_C
CS); | |
2426 return -1; | |
2427 } | |
2428 | |
2429 if (n < 2) | |
2430 return 0; // The body must be > 1 bytes long */ | |
2431 | |
2432 p=(unsigned char *)s->init_msg; | |
2433 | |
2434 /* The payload looks like: | |
2435 * uint8 proto_len; | |
2436 * uint8 proto[proto_len]; | |
2437 * uint8 padding_len; | |
2438 * uint8 padding[padding_len]; | |
2439 */ | |
2440 proto_len = p[0]; | |
2441 if (proto_len + 2 > s->init_num) | |
2442 return 0; | |
2443 padding_len = p[proto_len + 1]; | |
2444 if (proto_len + padding_len + 2 != s->init_num) | |
2445 return 0; | |
2446 | |
2447 s->next_proto_negotiated = OPENSSL_malloc(proto_len); | |
2448 if (!s->next_proto_negotiated) { | |
2449 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE); | |
2450 return 0; | |
2451 } | |
2452 memcpy(s->next_proto_negotiated, p + 1, proto_len); | |
2453 s->next_proto_negotiated_len = proto_len; | |
2454 | |
2455 return 1; | |
2456 } | |
2457 | |
2458 int ssl3_get_cert_verify(SSL *s) | 2744 int ssl3_get_cert_verify(SSL *s) |
2459 { | 2745 { |
2460 EVP_PKEY *pkey=NULL; | 2746 EVP_PKEY *pkey=NULL; |
2461 unsigned char *p; | 2747 unsigned char *p; |
2462 int al,ok,ret=0; | 2748 int al,ok,ret=0; |
2463 long n; | 2749 long n; |
2464 int type=0,i,j; | 2750 int type=0,i,j; |
2465 X509 *peer; | 2751 X509 *peer; |
2466 | 2752 |
2467 n=s->method->ssl_get_message(s, | 2753 n=s->method->ssl_get_message(s, |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2514 | 2800 |
2515 if (s->s3->change_cipher_spec) | 2801 if (s->s3->change_cipher_spec) |
2516 { | 2802 { |
2517 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); | 2803 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); |
2518 al=SSL_AD_UNEXPECTED_MESSAGE; | 2804 al=SSL_AD_UNEXPECTED_MESSAGE; |
2519 goto f_err; | 2805 goto f_err; |
2520 } | 2806 } |
2521 | 2807 |
2522 /* we now have a signature that we need to verify */ | 2808 /* we now have a signature that we need to verify */ |
2523 p=(unsigned char *)s->init_msg; | 2809 p=(unsigned char *)s->init_msg; |
2524 » n2s(p,i); | 2810 » /* Check for broken implementations of GOST ciphersuites */ |
2525 » n-=2; | 2811 » /* If key is GOST and n is exactly 64, it is bare |
2526 » if (i > n) | 2812 » * signature without length field */ |
| 2813 » if (n==64 && (pkey->type==NID_id_GostR3410_94 || |
| 2814 » » pkey->type == NID_id_GostR3410_2001) ) |
2527 { | 2815 { |
2528 » » SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); | 2816 » » i=64; |
2529 » » al=SSL_AD_DECODE_ERROR; | 2817 » » } |
2530 » » goto f_err; | 2818 » else |
2531 » » } | 2819 » » {» |
2532 | 2820 » » n2s(p,i); |
| 2821 » » n-=2; |
| 2822 » » if (i > n) |
| 2823 » » » { |
| 2824 » » » SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH)
; |
| 2825 » » » al=SSL_AD_DECODE_ERROR; |
| 2826 » » » goto f_err; |
| 2827 » » » } |
| 2828 » } |
2533 j=EVP_PKEY_size(pkey); | 2829 j=EVP_PKEY_size(pkey); |
2534 if ((i > j) || (n > j) || (n <= 0)) | 2830 if ((i > j) || (n > j) || (n <= 0)) |
2535 { | 2831 { |
2536 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); | 2832 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); |
2537 al=SSL_AD_DECODE_ERROR; | 2833 al=SSL_AD_DECODE_ERROR; |
2538 goto f_err; | 2834 goto f_err; |
2539 } | 2835 } |
2540 | 2836 |
2541 #ifndef OPENSSL_NO_RSA | 2837 #ifndef OPENSSL_NO_RSA |
2542 if (pkey->type == EVP_PKEY_RSA) | 2838 if (pkey->type == EVP_PKEY_RSA) |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2585 { | 2881 { |
2586 /* bad signature */ | 2882 /* bad signature */ |
2587 al=SSL_AD_DECRYPT_ERROR; | 2883 al=SSL_AD_DECRYPT_ERROR; |
2588 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, | 2884 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, |
2589 SSL_R_BAD_ECDSA_SIGNATURE); | 2885 SSL_R_BAD_ECDSA_SIGNATURE); |
2590 goto f_err; | 2886 goto f_err; |
2591 } | 2887 } |
2592 } | 2888 } |
2593 else | 2889 else |
2594 #endif | 2890 #endif |
| 2891 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_
2001) |
| 2892 { unsigned char signature[64]; |
| 2893 int idx; |
| 2894 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL); |
| 2895 EVP_PKEY_verify_init(pctx); |
| 2896 if (i!=64) { |
| 2897 fprintf(stderr,"GOST signature length is %d",i); |
| 2898 } |
| 2899 for (idx=0;idx<64;idx++) { |
| 2900 signature[63-idx]=p[idx]; |
| 2901 } |
| 2902 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_veri
fy_md,32); |
| 2903 EVP_PKEY_CTX_free(pctx); |
| 2904 if (j<=0) |
| 2905 { |
| 2906 al=SSL_AD_DECRYPT_ERROR; |
| 2907 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, |
| 2908 SSL_R_BAD_ECDSA_SIGNATURE); |
| 2909 goto f_err; |
| 2910 } |
| 2911 } |
| 2912 else |
2595 { | 2913 { |
2596 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); | 2914 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); |
2597 al=SSL_AD_UNSUPPORTED_CERTIFICATE; | 2915 al=SSL_AD_UNSUPPORTED_CERTIFICATE; |
2598 goto f_err; | 2916 goto f_err; |
2599 } | 2917 } |
2600 | 2918 |
2601 | 2919 |
2602 ret=1; | 2920 ret=1; |
2603 if (0) | 2921 if (0) |
2604 { | 2922 { |
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2767 } | 3085 } |
2768 | 3086 |
2769 int ssl3_send_server_certificate(SSL *s) | 3087 int ssl3_send_server_certificate(SSL *s) |
2770 { | 3088 { |
2771 unsigned long l; | 3089 unsigned long l; |
2772 X509 *x; | 3090 X509 *x; |
2773 | 3091 |
2774 if (s->state == SSL3_ST_SW_CERT_A) | 3092 if (s->state == SSL3_ST_SW_CERT_A) |
2775 { | 3093 { |
2776 x=ssl_get_server_send_cert(s); | 3094 x=ssl_get_server_send_cert(s); |
2777 » » if (x == NULL && | 3095 » » if (x == NULL) |
2778 /* VRS: allow null cert if auth == KRB5 */ | |
2779 (s->s3->tmp.new_cipher->algorithms | |
2780 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) | |
2781 != (SSL_aKRB5|SSL_kKRB5)) | |
2782 { | 3096 { |
2783 » » » SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL
_ERROR); | 3097 » » » /* VRS: allow null cert if auth == KRB5 */ |
2784 » » » return(0); | 3098 » » » if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)
|| |
| 3099 » » » (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) |
| 3100 » » » » { |
| 3101 » » » » SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_
INTERNAL_ERROR); |
| 3102 » » » » return(0); |
| 3103 » » » » } |
2785 } | 3104 } |
2786 | 3105 |
2787 l=ssl3_output_cert_chain(s,x); | 3106 l=ssl3_output_cert_chain(s,x); |
2788 s->state=SSL3_ST_SW_CERT_B; | 3107 s->state=SSL3_ST_SW_CERT_B; |
2789 s->init_num=(int)l; | 3108 s->init_num=(int)l; |
2790 s->init_off=0; | 3109 s->init_off=0; |
2791 } | 3110 } |
2792 | 3111 |
2793 /* SSL3_ST_SW_CERT_B */ | 3112 /* SSL3_ST_SW_CERT_B */ |
2794 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 3113 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
2795 } | 3114 } |
2796 | |
2797 | |
2798 #ifndef OPENSSL_NO_ECDH | |
2799 /* This is the complement of curve_id2nid in s3_clnt.c. */ | |
2800 static int nid2curve_id(int nid) | |
2801 { | |
2802 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) | |
2803 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ | |
2804 switch (nid) { | |
2805 case NID_sect163k1: /* sect163k1 (1) */ | |
2806 return 1; | |
2807 case NID_sect163r1: /* sect163r1 (2) */ | |
2808 return 2; | |
2809 case NID_sect163r2: /* sect163r2 (3) */ | |
2810 return 3; | |
2811 case NID_sect193r1: /* sect193r1 (4) */ | |
2812 return 4; | |
2813 case NID_sect193r2: /* sect193r2 (5) */ | |
2814 return 5; | |
2815 case NID_sect233k1: /* sect233k1 (6) */ | |
2816 return 6; | |
2817 case NID_sect233r1: /* sect233r1 (7) */ | |
2818 return 7; | |
2819 case NID_sect239k1: /* sect239k1 (8) */ | |
2820 return 8; | |
2821 case NID_sect283k1: /* sect283k1 (9) */ | |
2822 return 9; | |
2823 case NID_sect283r1: /* sect283r1 (10) */ | |
2824 return 10; | |
2825 case NID_sect409k1: /* sect409k1 (11) */ | |
2826 return 11; | |
2827 case NID_sect409r1: /* sect409r1 (12) */ | |
2828 return 12; | |
2829 case NID_sect571k1: /* sect571k1 (13) */ | |
2830 return 13; | |
2831 case NID_sect571r1: /* sect571r1 (14) */ | |
2832 return 14; | |
2833 case NID_secp160k1: /* secp160k1 (15) */ | |
2834 return 15; | |
2835 case NID_secp160r1: /* secp160r1 (16) */ | |
2836 return 16; | |
2837 case NID_secp160r2: /* secp160r2 (17) */ | |
2838 return 17; | |
2839 case NID_secp192k1: /* secp192k1 (18) */ | |
2840 return 18; | |
2841 case NID_X9_62_prime192v1: /* secp192r1 (19) */ | |
2842 return 19; | |
2843 case NID_secp224k1: /* secp224k1 (20) */ | |
2844 return 20; | |
2845 case NID_secp224r1: /* secp224r1 (21) */ | |
2846 return 21; | |
2847 case NID_secp256k1: /* secp256k1 (22) */ | |
2848 return 22; | |
2849 case NID_X9_62_prime256v1: /* secp256r1 (23) */ | |
2850 return 23; | |
2851 case NID_secp384r1: /* secp384r1 (24) */ | |
2852 return 24; | |
2853 case NID_secp521r1: /* secp521r1 (25) */ | |
2854 return 25; | |
2855 default: | |
2856 return 0; | |
2857 } | |
2858 } | |
2859 #endif | |
2860 #ifndef OPENSSL_NO_TLSEXT | 3115 #ifndef OPENSSL_NO_TLSEXT |
2861 int ssl3_send_newsession_ticket(SSL *s) | 3116 int ssl3_send_newsession_ticket(SSL *s) |
2862 { | 3117 { |
2863 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) | 3118 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) |
2864 { | 3119 { |
2865 unsigned char *p, *senc, *macstart; | 3120 unsigned char *p, *senc, *macstart; |
2866 int len, slen; | 3121 int len, slen; |
2867 unsigned int hlen; | 3122 unsigned int hlen; |
2868 EVP_CIPHER_CTX ctx; | 3123 EVP_CIPHER_CTX ctx; |
2869 HMAC_CTX hctx; | 3124 HMAC_CTX hctx; |
(...skipping 122 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2992 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); | 3247 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); |
2993 /* number of bytes to write */ | 3248 /* number of bytes to write */ |
2994 s->init_num = 8 + s->tlsext_ocsp_resplen; | 3249 s->init_num = 8 + s->tlsext_ocsp_resplen; |
2995 s->state=SSL3_ST_SW_CERT_STATUS_B; | 3250 s->state=SSL3_ST_SW_CERT_STATUS_B; |
2996 s->init_off = 0; | 3251 s->init_off = 0; |
2997 } | 3252 } |
2998 | 3253 |
2999 /* SSL3_ST_SW_CERT_STATUS_B */ | 3254 /* SSL3_ST_SW_CERT_STATUS_B */ |
3000 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 3255 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); |
3001 } | 3256 } |
3002 #endif | |
3003 | 3257 |
3004 /* ssl3_snap_start_evaluate_handshake verifies the Snap Start prediction (if | 3258 # ifndef OPENSSL_NO_NPN |
3005 * this is a Snap Start handshake). If it returns non-zero, then we are | 3259 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It |
3006 * entering recovery and |s->state| has been set accordingly. */ | 3260 * sets the next_proto member in s if found */ |
3007 static int ssl3_snap_start_evaluate_handshake(SSL* s) | 3261 int ssl3_get_next_proto(SSL *s) |
3008 { | 3262 { |
3009 » unsigned char digest[8]; | 3263 » int ok; |
| 3264 » unsigned proto_len, padding_len; |
| 3265 » long n; |
| 3266 » const unsigned char *p; |
3010 | 3267 |
3011 » if (!s->s3->snap_start_requested) | 3268 » /* Clients cannot send a NextProtocol message if we didn't see the |
| 3269 » * extension in their ClientHello */ |
| 3270 » if (!s->s3->next_proto_neg_seen) |
| 3271 » » { |
| 3272 » » SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EX
TENSION); |
| 3273 » » return -1; |
| 3274 » » } |
| 3275 |
| 3276 » n=s->method->ssl_get_message(s, |
| 3277 » » SSL3_ST_SR_NEXT_PROTO_A, |
| 3278 » » SSL3_ST_SR_NEXT_PROTO_B, |
| 3279 » » SSL3_MT_NEXT_PROTO, |
| 3280 » » 514, /* See the payload format below */ |
| 3281 » » &ok); |
| 3282 |
| 3283 » if (!ok) |
| 3284 » » return((int)n); |
| 3285 |
| 3286 » /* s->state doesn't reflect whether ChangeCipherSpec has been received |
| 3287 » * in this handshake, but s->s3->change_cipher_spec does (will be reset |
| 3288 » * by ssl3_get_finished). */ |
| 3289 » if (!s->s3->change_cipher_spec) |
| 3290 » » { |
| 3291 » » SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_C
CS); |
| 3292 » » return -1; |
| 3293 » » } |
| 3294 |
| 3295 » if (n < 2) |
| 3296 » » return 0; /* The body must be > 1 bytes long */ |
| 3297 |
| 3298 » p=(unsigned char *)s->init_msg; |
| 3299 |
| 3300 » /* The payload looks like: |
| 3301 » * uint8 proto_len; |
| 3302 » * uint8 proto[proto_len]; |
| 3303 » * uint8 padding_len; |
| 3304 » * uint8 padding[padding_len]; |
| 3305 » */ |
| 3306 » proto_len = p[0]; |
| 3307 » if (proto_len + 2 > s->init_num) |
| 3308 » » return 0; |
| 3309 » padding_len = p[proto_len + 1]; |
| 3310 » if (proto_len + padding_len + 2 != s->init_num) |
3012 return 0; | 3311 return 0; |
3013 | 3312 |
3014 » /* Drop the currently queued messages. Either we're entering recovery, | 3313 » s->next_proto_negotiated = OPENSSL_malloc(proto_len); |
3015 » * in which case they're wrong, or we're doing snap start, in which | 3314 » if (!s->next_proto_negotiated) |
3016 » * case we don't want to send them. */ | 3315 » » { |
3017 » if (!ssl_init_wbio_buffer(s, 1 /* push new BIO */)) | 3316 » » SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE); |
3018 » » return -1; | 3317 » » return 0; |
| 3318 » » } |
| 3319 » memcpy(s->next_proto_negotiated, p + 1, proto_len); |
| 3320 » s->next_proto_negotiated_len = proto_len; |
3019 | 3321 |
3020 » fnv1a64_final(digest, (FNV1A64*) s->s3->response_hash); | 3322 » return 1; |
3021 | |
3022 » /* Turn off FNV hashing of handshake messages. */ | |
3023 » s->s3->snap_start_requested = 0; | |
3024 | |
3025 » if (memcmp(digest, s->s3->predicted_response_hash, sizeof(digest)) != 0) | |
3026 » » { | |
3027 » » /* The predicted handshake didn't match. */ | |
3028 » » ssl3_snap_start_reset_for_recovery(s); | |
3029 » » s->state = SSL3_ST_SW_SRVR_HELLO_A; | |
3030 » » return 1; | |
3031 » » } | |
3032 | |
3033 » return 0; | |
3034 } | 3323 } |
3035 | 3324 # endif |
3036 /* ssl3_snap_start_reset_for_recovery is called is called when a Snap Start | 3325 #endif |
3037 * handshake is impossible because either the application layer has rejected | |
3038 * the client's suggested server random, or predicated_response_hash failed to | |
3039 * match response_hash */ | |
3040 int ssl3_snap_start_reset_for_recovery(SSL* s) | |
3041 » { | |
3042 » s->s3->snap_start_requested = 0; | |
3043 » s->s3->snap_start_records.left = 0; | |
3044 » s->init_num = 0; | |
3045 | |
3046 » /* Reset the handshake hash and hash in the original ClientHello. */ | |
3047 » ssl3_init_finished_mac(s); | |
3048 » ssl3_finish_mac(s, s->s3->snap_start_client_hello.buf, s->s3->snap_start
_client_hello.left); | |
3049 | |
3050 » OPENSSL_free(s->s3->snap_start_client_hello.buf); | |
3051 » s->s3->snap_start_client_hello.buf = NULL; | |
3052 | |
3053 » return 0; | |
3054 » } | |
OLD | NEW |