Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(182)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: openssl/ssl/s3_srvr.c

Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with. (Closed) Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/
Patch Set: '' Created 8 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « openssl/ssl/s3_pkt.c ('k') | openssl/ssl/ssl.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* ssl/s3_srvr.c */ 1 /* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 /* ==================================================================== 58 /* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
63 * are met: 63 * are met:
64 * 64 *
65 * 1. Redistributions of source code must retain the above copyright 65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer. 66 * notice, this list of conditions and the following disclaimer.
67 * 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright 68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in 69 * notice, this list of conditions and the following disclaimer in
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after
114 * Portions of the attached software ("Contribution") are developed by 114 * Portions of the attached software ("Contribution") are developed by
115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116 * 116 *
117 * The Contribution is licensed pursuant to the OpenSSL open source 117 * The Contribution is licensed pursuant to the OpenSSL open source
118 * license provided above. 118 * license provided above.
119 * 119 *
120 * ECC cipher suite support in OpenSSL originally written by 120 * ECC cipher suite support in OpenSSL originally written by
121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122 * 122 *
123 */ 123 */
124 /* ====================================================================
125 * Copyright 2005 Nokia. All rights reserved.
126 *
127 * The portions of the attached software ("Contribution") is developed by
128 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
129 * license.
130 *
131 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
132 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133 * support (see RFC 4279) to OpenSSL.
134 *
135 * No patent licenses or other rights except those expressly stated in
136 * the OpenSSL open source license shall be deemed granted or received
137 * expressly, by implication, estoppel, or otherwise.
138 *
139 * No assurances are provided by Nokia that the Contribution does not
140 * infringe the patent or other intellectual property rights of any third
141 * party or that the license provides you with all the necessary rights
142 * to make use of the Contribution.
143 *
144 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
148 * OTHERWISE.
149 */
124 150
125 #define REUSE_CIPHER_BUG 151 #define REUSE_CIPHER_BUG
126 #define NETSCAPE_HANG_BUG 152 #define NETSCAPE_HANG_BUG
127 153
128 #include <stdio.h> 154 #include <stdio.h>
129 #include "ssl_locl.h" 155 #include "ssl_locl.h"
130 #include "kssl_lcl.h" 156 #include "kssl_lcl.h"
131 #include <openssl/buffer.h> 157 #include <openssl/buffer.h>
132 #include <openssl/rand.h> 158 #include <openssl/rand.h>
133 #include <openssl/objects.h> 159 #include <openssl/objects.h>
134 #include <openssl/evp.h> 160 #include <openssl/evp.h>
135 #include <openssl/hmac.h> 161 #include <openssl/hmac.h>
136 #include <openssl/x509.h> 162 #include <openssl/x509.h>
137 #ifndef OPENSSL_NO_DH 163 #ifndef OPENSSL_NO_DH
138 #include <openssl/dh.h> 164 #include <openssl/dh.h>
139 #endif 165 #endif
140 #include <openssl/bn.h> 166 #include <openssl/bn.h>
141 #ifndef OPENSSL_NO_KRB5 167 #ifndef OPENSSL_NO_KRB5
142 #include <openssl/krb5_asn.h> 168 #include <openssl/krb5_asn.h>
143 #endif 169 #endif
144 #include <openssl/md5.h> 170 #include <openssl/md5.h>
145 171
146 #include "fnv1a64.h" 172 static const SSL_METHOD *ssl3_get_server_method(int ver);
147 173
148 static SSL_METHOD *ssl3_get_server_method(int ver); 174 static const SSL_METHOD *ssl3_get_server_method(int ver)
149 static int ssl3_snap_start_evaluate_handshake(SSL* s);
150 #ifndef OPENSSL_NO_ECDH
151 static int nid2curve_id(int nid);
152 #endif
153
154 static SSL_METHOD *ssl3_get_server_method(int ver)
155 { 175 {
156 if (ver == SSL3_VERSION) 176 if (ver == SSL3_VERSION)
157 return(SSLv3_server_method()); 177 return(SSLv3_server_method());
158 else 178 else
159 return(NULL); 179 return(NULL);
160 } 180 }
161 181
162 IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 182 IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
163 ssl3_accept, 183 ssl3_accept,
164 ssl_undefined_function, 184 ssl_undefined_function,
165 ssl3_get_server_method) 185 ssl3_get_server_method)
166 186
167 int ssl3_accept(SSL *s) 187 int ssl3_accept(SSL *s)
168 { 188 {
169 BUF_MEM *buf; 189 BUF_MEM *buf;
170 » unsigned long l,Time=(unsigned long)time(NULL); 190 » unsigned long alg_k,Time=(unsigned long)time(NULL);
171 void (*cb)(const SSL *ssl,int type,int val)=NULL; 191 void (*cb)(const SSL *ssl,int type,int val)=NULL;
172 int ret= -1; 192 int ret= -1;
173 int new_state,state,skip=0; 193 int new_state,state,skip=0;
174 194
175 RAND_add(&Time,sizeof(Time),0); 195 RAND_add(&Time,sizeof(Time),0);
176 ERR_clear_error(); 196 ERR_clear_error();
177 clear_sys_error(); 197 clear_sys_error();
178 198
179 if (s->info_callback != NULL) 199 if (s->info_callback != NULL)
180 cb=s->info_callback; 200 cb=s->info_callback;
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
231 s->init_buf=buf; 251 s->init_buf=buf;
232 } 252 }
233 253
234 if (!ssl3_setup_buffers(s)) 254 if (!ssl3_setup_buffers(s))
235 { 255 {
236 ret= -1; 256 ret= -1;
237 goto end; 257 goto end;
238 } 258 }
239 259
240 s->init_num=0; 260 s->init_num=0;
261 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
241 262
242 if (s->state != SSL_ST_RENEGOTIATE) 263 if (s->state != SSL_ST_RENEGOTIATE)
243 { 264 {
244 /* Ok, we now need to push on a buffering BIO so that 265 /* Ok, we now need to push on a buffering BIO so that
245 * the output is sent in a way that TCP likes :- ) 266 * the output is sent in a way that TCP likes :- )
246 */ 267 */
247 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 268 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
248 269
249 ssl3_init_finished_mac(s); 270 ssl3_init_finished_mac(s);
250 s->state=SSL3_ST_SR_CLNT_HELLO_A; 271 s->state=SSL3_ST_SR_CLNT_HELLO_A;
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
288 s->state=SSL_ST_OK; 309 s->state=SSL_ST_OK;
289 break; 310 break;
290 311
291 case SSL3_ST_SR_CLNT_HELLO_A: 312 case SSL3_ST_SR_CLNT_HELLO_A:
292 case SSL3_ST_SR_CLNT_HELLO_B: 313 case SSL3_ST_SR_CLNT_HELLO_B:
293 case SSL3_ST_SR_CLNT_HELLO_C: 314 case SSL3_ST_SR_CLNT_HELLO_C:
294 315
295 s->shutdown=0; 316 s->shutdown=0;
296 ret=ssl3_get_client_hello(s); 317 ret=ssl3_get_client_hello(s);
297 if (ret <= 0) goto end; 318 if (ret <= 0) goto end;
319
298 s->new_session = 2; 320 s->new_session = 2;
299 s->state=SSL3_ST_SW_SRVR_HELLO_A; 321 s->state=SSL3_ST_SW_SRVR_HELLO_A;
300 s->init_num=0; 322 s->init_num=0;
301 break; 323 break;
302 324
303 case SSL3_ST_SW_SRVR_HELLO_A: 325 case SSL3_ST_SW_SRVR_HELLO_A:
304 case SSL3_ST_SW_SRVR_HELLO_B: 326 case SSL3_ST_SW_SRVR_HELLO_B:
305 ret=ssl3_send_server_hello(s); 327 ret=ssl3_send_server_hello(s);
306 if (ret == SERVER_RANDOM_VALIDATION_PENDING)
307 {
308 s->rwstate = SSL_SERVER_RANDOM_VALIDATE;
309 s->state = SSL3_ST_SW_SRVR_HELLO_A;
310 s->init_num = 0;
311 goto end;
312 }
313 if (ret <= 0) goto end; 328 if (ret <= 0) goto end;
314 #ifndef OPENSSL_NO_TLSEXT 329 #ifndef OPENSSL_NO_TLSEXT
315 if ((s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK) != SSL_kRSA &&
316 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK) != SSL_kKRB5 &&
317 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK) != SSL_kDHr &&
318 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK) != SSL_kDHd &&
319 (s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK) != SSL_kECDH &&
320 s->s3->snap_start_requested)
321 {
322 /* There's no point in carrying on with a Snap
323 * Start handshake if we're using a cipher
324 * suite which is going to send a
325 * ServerKeyExchange message. */
326 ssl3_snap_start_reset_for_recovery(s);
327 s->state = SSL3_ST_SW_SRVR_HELLO_A;
328 break;
329 }
330
331 if (s->hit) 330 if (s->hit)
332 { 331 {
333 if (ssl3_snap_start_evaluate_handshake(s))
334 break;
335
336 if (s->tlsext_ticket_expected) 332 if (s->tlsext_ticket_expected)
337 s->state=SSL3_ST_SW_SESSION_TICKET_A; 333 s->state=SSL3_ST_SW_SESSION_TICKET_A;
338 else 334 else
339 s->state=SSL3_ST_SW_CHANGE_A; 335 s->state=SSL3_ST_SW_CHANGE_A;
340 } 336 }
341 #else 337 #else
342 if (s->hit) 338 if (s->hit)
343 s->state=SSL3_ST_SW_CHANGE_A; 339 s->state=SSL3_ST_SW_CHANGE_A;
344 #endif 340 #endif
345 else 341 else
346 s->state=SSL3_ST_SW_CERT_A; 342 s->state=SSL3_ST_SW_CERT_A;
347 s->init_num=0; 343 s->init_num=0;
348 break; 344 break;
349 345
350 case SSL3_ST_SW_CERT_A: 346 case SSL3_ST_SW_CERT_A:
351 case SSL3_ST_SW_CERT_B: 347 case SSL3_ST_SW_CERT_B:
352 » » » /* Check if it is anon DH or anon ECDH or KRB5 */ 348 » » » /* Check if it is anon DH or anon ECDH, */
353 » » » if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) 349 » » » /* normal PSK or KRB5 */
354 » » » » && !(s->s3->tmp.new_cipher->algorithms & SSL_aKR B5)) 350 » » » if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
351 » » » » && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL _kPSK)
352 » » » » && !(s->s3->tmp.new_cipher->algorithm_auth & SSL _aKRB5))
355 { 353 {
356 ret=ssl3_send_server_certificate(s); 354 ret=ssl3_send_server_certificate(s);
357 if (ret <= 0) goto end; 355 if (ret <= 0) goto end;
358 #ifndef OPENSSL_NO_TLSEXT 356 #ifndef OPENSSL_NO_TLSEXT
359 if (s->tlsext_status_expected) 357 if (s->tlsext_status_expected)
360 s->state=SSL3_ST_SW_CERT_STATUS_A; 358 s->state=SSL3_ST_SW_CERT_STATUS_A;
361 else 359 else
362 s->state=SSL3_ST_SW_KEY_EXCH_A; 360 s->state=SSL3_ST_SW_KEY_EXCH_A;
363 } 361 }
364 else 362 else
365 { 363 {
366 skip = 1; 364 skip = 1;
367 s->state=SSL3_ST_SW_KEY_EXCH_A; 365 s->state=SSL3_ST_SW_KEY_EXCH_A;
368 } 366 }
369 #else 367 #else
370 } 368 }
371 else 369 else
372 skip=1; 370 skip=1;
373 371
374 s->state=SSL3_ST_SW_KEY_EXCH_A; 372 s->state=SSL3_ST_SW_KEY_EXCH_A;
375 #endif 373 #endif
376 s->init_num=0; 374 s->init_num=0;
377 break; 375 break;
378 376
379 case SSL3_ST_SW_KEY_EXCH_A: 377 case SSL3_ST_SW_KEY_EXCH_A:
380 case SSL3_ST_SW_KEY_EXCH_B: 378 case SSL3_ST_SW_KEY_EXCH_B:
381 » » » l=s->s3->tmp.new_cipher->algorithms; 379 » » » alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
382 380
383 /* clear this, it may get reset by 381 /* clear this, it may get reset by
384 * send_server_key_exchange */ 382 * send_server_key_exchange */
385 if ((s->options & SSL_OP_EPHEMERAL_RSA) 383 if ((s->options & SSL_OP_EPHEMERAL_RSA)
386 #ifndef OPENSSL_NO_KRB5 384 #ifndef OPENSSL_NO_KRB5
387 » » » » && !(l & SSL_KRB5) 385 » » » » && !(alg_k & SSL_kKRB5)
388 #endif /* OPENSSL_NO_KRB5 */ 386 #endif /* OPENSSL_NO_KRB5 */
389 ) 387 )
390 /* option SSL_OP_EPHEMERAL_RSA sends temporary R SA key 388 /* option SSL_OP_EPHEMERAL_RSA sends temporary R SA key
391 * even when forbidden by protocol specs 389 * even when forbidden by protocol specs
392 * (handshake may fail as clients are not requir ed to 390 * (handshake may fail as clients are not requir ed to
393 * be able to handle this) */ 391 * be able to handle this) */
394 s->s3->tmp.use_rsa_tmp=1; 392 s->s3->tmp.use_rsa_tmp=1;
395 else 393 else
396 s->s3->tmp.use_rsa_tmp=0; 394 s->s3->tmp.use_rsa_tmp=0;
397 395
398 396
399 /* only send if a DH key exchange, fortezza or 397 /* only send if a DH key exchange, fortezza or
400 * RSA but we have a sign only certificate 398 * RSA but we have a sign only certificate
401 * 399 *
400 * PSK: may send PSK identity hints
401 *
402 * For ECC ciphersuites, we send a serverKeyExchange 402 * For ECC ciphersuites, we send a serverKeyExchange
403 * message only if the cipher suite is either 403 * message only if the cipher suite is either
404 * ECDH-anon or ECDHE. In other cases, the 404 * ECDH-anon or ECDHE. In other cases, the
405 » » » * server certificate contains the server's 405 » » » * server certificate contains the server's
406 * public key for key exchange. 406 * public key for key exchange.
407 */ 407 */
408 if (s->s3->tmp.use_rsa_tmp 408 if (s->s3->tmp.use_rsa_tmp
409 » » » || (l & SSL_kECDHE) 409 » » » /* PSK: send ServerKeyExchange if PSK identity
410 » » » || (l & (SSL_DH|SSL_kFZA)) 410 » » » * hint if provided */
411 » » » || ((l & SSL_kRSA) 411 #ifndef OPENSSL_NO_PSK
412 » » » || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
413 #endif
414 » » » || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
415 » » » || (alg_k & SSL_kEECDH)
416 » » » || ((alg_k & SSL_kRSA)
412 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 417 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
413 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 418 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
414 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY _RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 419 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY _RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
415 ) 420 )
416 ) 421 )
417 ) 422 )
418 ) 423 )
419 { 424 {
420 ret=ssl3_send_server_key_exchange(s); 425 ret=ssl3_send_server_key_exchange(s);
421 if (ret <= 0) goto end; 426 if (ret <= 0) goto end;
422 } 427 }
423 else 428 else
424 skip=1; 429 skip=1;
425 430
426 s->state=SSL3_ST_SW_CERT_REQ_A; 431 s->state=SSL3_ST_SW_CERT_REQ_A;
427 s->init_num=0; 432 s->init_num=0;
428 break; 433 break;
429 434
430 case SSL3_ST_SW_CERT_REQ_A: 435 case SSL3_ST_SW_CERT_REQ_A:
431 case SSL3_ST_SW_CERT_REQ_B: 436 case SSL3_ST_SW_CERT_REQ_B:
432 if (/* don't request cert unless asked for it: */ 437 if (/* don't request cert unless asked for it: */
433 !(s->verify_mode & SSL_VERIFY_PEER) || 438 !(s->verify_mode & SSL_VERIFY_PEER) ||
434 /* if SSL_VERIFY_CLIENT_ONCE is set, 439 /* if SSL_VERIFY_CLIENT_ONCE is set,
435 * don't request cert during re-negotiation: */ 440 * don't request cert during re-negotiation: */
436 ((s->session->peer != NULL) && 441 ((s->session->peer != NULL) &&
437 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 442 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
438 /* never request cert in anonymous ciphersuites 443 /* never request cert in anonymous ciphersuites
439 * (see section "Certificate request" in SSL 3 d rafts 444 * (see section "Certificate request" in SSL 3 d rafts
440 * and in RFC 2246): */ 445 * and in RFC 2246): */
441 » » » » ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 446 » » » » ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aN ULL) &&
442 /* ... except when the application insists on v erification 447 /* ... except when the application insists on v erification
443 * (against the specs, but s3_clnt.c accepts th is for SSL 3) */ 448 * (against the specs, but s3_clnt.c accepts th is for SSL 3) */
444 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_C ERT)) || 449 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_C ERT)) ||
445 /* never request cert in Kerberos ciphersuites */ 450 » » » » /* never request cert in Kerberos ciphersuites */
446 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 451 » » » » (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKR B5)
452 » » » » /* With normal PSK Certificates and
453 » » » » * Certificate Requests are omitted */
454 » » » » || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_ kPSK))
447 { 455 {
448 /* no cert request */ 456 /* no cert request */
449 skip=1; 457 skip=1;
450 s->s3->tmp.cert_request=0; 458 s->s3->tmp.cert_request=0;
451 s->state=SSL3_ST_SW_SRVR_DONE_A; 459 s->state=SSL3_ST_SW_SRVR_DONE_A;
452 } 460 }
453 else 461 else
454 { 462 {
455 s->s3->tmp.cert_request=1; 463 s->s3->tmp.cert_request=1;
456 ret=ssl3_send_certificate_request(s); 464 ret=ssl3_send_certificate_request(s);
457 if (ret <= 0) goto end; 465 if (ret <= 0) goto end;
458 #ifndef NETSCAPE_HANG_BUG 466 #ifndef NETSCAPE_HANG_BUG
459 s->state=SSL3_ST_SW_SRVR_DONE_A; 467 s->state=SSL3_ST_SW_SRVR_DONE_A;
460 #else 468 #else
461 s->state=SSL3_ST_SW_FLUSH; 469 s->state=SSL3_ST_SW_FLUSH;
462 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 470 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
463 #endif 471 #endif
464 s->init_num=0; 472 s->init_num=0;
465 } 473 }
466 break; 474 break;
467 475
468 case SSL3_ST_SW_SRVR_DONE_A: 476 case SSL3_ST_SW_SRVR_DONE_A:
469 case SSL3_ST_SW_SRVR_DONE_B: 477 case SSL3_ST_SW_SRVR_DONE_B:
470 ret=ssl3_send_server_done(s); 478 ret=ssl3_send_server_done(s);
471 if (ret <= 0) goto end; 479 if (ret <= 0) goto end;
472 480 » » » s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
473 » » » if (s->s3->snap_start_requested) 481 » » » s->state=SSL3_ST_SW_FLUSH;
474 » » » » {
475 » » » » if (ssl3_snap_start_evaluate_handshake(s))
476 » » » » » break;
477 » » » » s->state = SSL3_ST_SR_CERT_A;
478 » » » » }
479 » » » else
480 » » » » {
481 » » » » » s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
482 » » » » » s->state=SSL3_ST_SW_FLUSH;
483 » » » » }
484
485 s->init_num=0; 482 s->init_num=0;
486 break; 483 break;
487 484
488 case SSL3_ST_SW_FLUSH: 485 case SSL3_ST_SW_FLUSH:
489 486
490 /* This code originally checked to see if 487 /* This code originally checked to see if
491 * any data was pending using BIO_CTRL_INFO 488 * any data was pending using BIO_CTRL_INFO
492 * and then flushed. This caused problems 489 * and then flushed. This caused problems
493 * as documented in PR#1939. The proposed 490 * as documented in PR#1939. The proposed
494 * fix doesn't completely resolve this issue 491 * fix doesn't completely resolve this issue
(...skipping 28 matching lines...) Expand all
523 if (ret <= 0) goto end; 520 if (ret <= 0) goto end;
524 } 521 }
525 s->init_num=0; 522 s->init_num=0;
526 s->state=SSL3_ST_SR_KEY_EXCH_A; 523 s->state=SSL3_ST_SR_KEY_EXCH_A;
527 } 524 }
528 break; 525 break;
529 526
530 case SSL3_ST_SR_KEY_EXCH_A: 527 case SSL3_ST_SR_KEY_EXCH_A:
531 case SSL3_ST_SR_KEY_EXCH_B: 528 case SSL3_ST_SR_KEY_EXCH_B:
532 ret=ssl3_get_client_key_exchange(s); 529 ret=ssl3_get_client_key_exchange(s);
533 » » » if (ret <= 0) 530 » » » if (ret <= 0)
534 goto end; 531 goto end;
535 if (ret == 2) 532 if (ret == 2)
536 { 533 {
537 /* For the ECDH ciphersuites when 534 /* For the ECDH ciphersuites when
538 * the client sends its ECDH pub key in 535 * the client sends its ECDH pub key in
539 * a certificate, the CertificateVerify 536 * a certificate, the CertificateVerify
540 * message is not sent. 537 * message is not sent.
538 * Also for GOST ciphersuites when
539 * the client uses its key from the certificate
540 * for key exchange.
541 */ 541 */
542 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
543 s->state=SSL3_ST_SR_FINISHED_A;
544 #else
542 if (s->s3->next_proto_neg_seen) 545 if (s->s3->next_proto_neg_seen)
543 s->state=SSL3_ST_SR_NEXT_PROTO_A; 546 s->state=SSL3_ST_SR_NEXT_PROTO_A;
544 else 547 else
545 s->state=SSL3_ST_SR_FINISHED_A; 548 s->state=SSL3_ST_SR_FINISHED_A;
549 #endif
546 s->init_num = 0; 550 s->init_num = 0;
547 } 551 }
548 » » » else 552 » » » else
549 { 553 {
554 int offset=0;
555 int dgst_num;
556
550 s->state=SSL3_ST_SR_CERT_VRFY_A; 557 s->state=SSL3_ST_SR_CERT_VRFY_A;
551 s->init_num=0; 558 s->init_num=0;
552 559
553 /* We need to get hashes here so if there is 560 /* We need to get hashes here so if there is
554 * a client cert, it can be verified 561 * a client cert, it can be verified
555 » » » » */ 562 » » » » * FIXME - digest processing for CertificateVeri fy
556 » » » » s->method->ssl3_enc->cert_verify_mac(s, 563 » » » » * should be generalized. But it is next step
557 » » » » &(s->s3->finish_dgst1), 564 » » » » */
558 » » » » &(s->s3->tmp.cert_verify_md[0])); 565 » » » » if (s->s3->handshake_buffer)
559 » » » » s->method->ssl3_enc->cert_verify_mac(s, 566 » » » » » if (!ssl3_digest_cached_records(s))
560 » » » » &(s->s3->finish_dgst2), 567 » » » » » » return -1;
561 » » » » &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGT H])); 568 » » » » for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_nu m++)»
569 » » » » » if (s->s3->handshake_dgst[dgst_num])
570 » » » » » » {
571 » » » » » » int dgst_size;
572
573 » » » » » » s->method->ssl3_enc->cert_verify _mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify _md[offset]));
574 » » » » » » dgst_size=EVP_MD_CTX_size(s->s3- >handshake_dgst[dgst_num]);
575 » » » » » » if (dgst_size < 0)
576 » » » » » » » {
577 » » » » » » » ret = -1;
578 » » » » » » » goto end;
579 » » » » » » » }
580 » » » » » » offset+=dgst_size;
581 » » » » » » }» »
562 } 582 }
563 break; 583 break;
564 584
565 case SSL3_ST_SR_CERT_VRFY_A: 585 case SSL3_ST_SR_CERT_VRFY_A:
566 case SSL3_ST_SR_CERT_VRFY_B: 586 case SSL3_ST_SR_CERT_VRFY_B:
567 587
568 /* we should decide if we expected this one */ 588 /* we should decide if we expected this one */
569 ret=ssl3_get_cert_verify(s); 589 ret=ssl3_get_cert_verify(s);
570 if (ret <= 0) goto end; 590 if (ret <= 0) goto end;
571 591
592 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
593 s->state=SSL3_ST_SR_FINISHED_A;
594 #else
572 if (s->s3->next_proto_neg_seen) 595 if (s->s3->next_proto_neg_seen)
573 s->state=SSL3_ST_SR_NEXT_PROTO_A; 596 s->state=SSL3_ST_SR_NEXT_PROTO_A;
574 else 597 else
575 s->state=SSL3_ST_SR_FINISHED_A; 598 s->state=SSL3_ST_SR_FINISHED_A;
599 #endif
576 s->init_num=0; 600 s->init_num=0;
577 break; 601 break;
578 602
603 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
579 case SSL3_ST_SR_NEXT_PROTO_A: 604 case SSL3_ST_SR_NEXT_PROTO_A:
580 case SSL3_ST_SR_NEXT_PROTO_B: 605 case SSL3_ST_SR_NEXT_PROTO_B:
581 ret=ssl3_get_next_proto(s); 606 ret=ssl3_get_next_proto(s);
582 if (ret <= 0) goto end; 607 if (ret <= 0) goto end;
583 s->init_num = 0; 608 s->init_num = 0;
584 s->state=SSL3_ST_SR_FINISHED_A; 609 s->state=SSL3_ST_SR_FINISHED_A;
585 break; 610 break;
611 #endif
586 612
587 case SSL3_ST_SR_FINISHED_A: 613 case SSL3_ST_SR_FINISHED_A:
588 case SSL3_ST_SR_FINISHED_B: 614 case SSL3_ST_SR_FINISHED_B:
589 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 615 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
590 SSL3_ST_SR_FINISHED_B); 616 SSL3_ST_SR_FINISHED_B);
591 if (ret <= 0) goto end; 617 if (ret <= 0) goto end;
618 #ifndef OPENSSL_NO_TLSEXT
619 if (s->tlsext_ticket_expected)
620 s->state=SSL3_ST_SW_SESSION_TICKET_A;
621 else if (s->hit)
622 s->state=SSL_ST_OK;
623 #else
592 if (s->hit) 624 if (s->hit)
593 s->state=SSL_ST_OK; 625 s->state=SSL_ST_OK;
594 #ifndef OPENSSL_NO_TLSEXT
595 else if (s->tlsext_ticket_expected)
596 s->state=SSL3_ST_SW_SESSION_TICKET_A;
597 #endif 626 #endif
598 else 627 else
599 s->state=SSL3_ST_SW_CHANGE_A; 628 s->state=SSL3_ST_SW_CHANGE_A;
600 s->init_num=0; 629 s->init_num=0;
601 break; 630 break;
602 631
603 #ifndef OPENSSL_NO_TLSEXT 632 #ifndef OPENSSL_NO_TLSEXT
604 case SSL3_ST_SW_SESSION_TICKET_A: 633 case SSL3_ST_SW_SESSION_TICKET_A:
605 case SSL3_ST_SW_SESSION_TICKET_B: 634 case SSL3_ST_SW_SESSION_TICKET_B:
606 ret=ssl3_send_newsession_ticket(s); 635 ret=ssl3_send_newsession_ticket(s);
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
645 case SSL3_ST_SW_FINISHED_A: 674 case SSL3_ST_SW_FINISHED_A:
646 case SSL3_ST_SW_FINISHED_B: 675 case SSL3_ST_SW_FINISHED_B:
647 ret=ssl3_send_finished(s, 676 ret=ssl3_send_finished(s,
648 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 677 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
649 s->method->ssl3_enc->server_finished_label, 678 s->method->ssl3_enc->server_finished_label,
650 s->method->ssl3_enc->server_finished_label_len); 679 s->method->ssl3_enc->server_finished_label_len);
651 if (ret <= 0) goto end; 680 if (ret <= 0) goto end;
652 s->state=SSL3_ST_SW_FLUSH; 681 s->state=SSL3_ST_SW_FLUSH;
653 if (s->hit) 682 if (s->hit)
654 { 683 {
684 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
685 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
686 #else
655 if (s->s3->next_proto_neg_seen) 687 if (s->s3->next_proto_neg_seen)
656 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PR OTO_A; 688 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PR OTO_A;
657 else 689 else
658 s->s3->tmp.next_state=SSL3_ST_SR_FINISHE D_A; 690 s->s3->tmp.next_state=SSL3_ST_SR_FINISHE D_A;
691 #endif
659 } 692 }
660 else 693 else
661 s->s3->tmp.next_state=SSL_ST_OK; 694 s->s3->tmp.next_state=SSL_ST_OK;
662 s->init_num=0; 695 s->init_num=0;
663 break; 696 break;
664 697
665 case SSL_ST_OK: 698 case SSL_ST_OK:
666 /* clean a few things up */ 699 /* clean a few things up */
667 ssl3_cleanup_key_block(s); 700 ssl3_cleanup_key_block(s);
668 701
(...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after
749 782
750 /* SSL3_ST_SW_HELLO_REQ_B */ 783 /* SSL3_ST_SW_HELLO_REQ_B */
751 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 784 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
752 } 785 }
753 786
754 int ssl3_check_client_hello(SSL *s) 787 int ssl3_check_client_hello(SSL *s)
755 { 788 {
756 int ok; 789 int ok;
757 long n; 790 long n;
758 791
792 /* We only allow the client to restart the handshake once per
793 * negotiation. */
794 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
795 {
796 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTART S);
797 return -1;
798 }
799
759 /* this function is called when we really expect a Certificate message, 800 /* this function is called when we really expect a Certificate message,
760 * so permit appropriate message length */ 801 * so permit appropriate message length */
761 n=s->method->ssl_get_message(s, 802 n=s->method->ssl_get_message(s,
762 SSL3_ST_SR_CERT_A, 803 SSL3_ST_SR_CERT_A,
763 SSL3_ST_SR_CERT_B, 804 SSL3_ST_SR_CERT_B,
764 -1, 805 -1,
765 s->max_cert_list, 806 s->max_cert_list,
766 &ok); 807 &ok);
767 if (!ok) return((int)n); 808 if (!ok) return((int)n);
768 s->s3->tmp.reuse_message = 1; 809 s->s3->tmp.reuse_message = 1;
769 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 810 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
770 { 811 {
771 /* Throw away what we have done so far in the current handshake, 812 /* Throw away what we have done so far in the current handshake,
772 » » * which will now be aborted. (A full SSL_clear would be too muc h.) 813 » » * which will now be aborted. (A full SSL_clear would be too muc h.) */
773 » » * I hope that tmp.dh is the only thing that may need to be clea red
774 » » * when a handshake is not completed ... */
775 #ifndef OPENSSL_NO_DH 814 #ifndef OPENSSL_NO_DH
776 if (s->s3->tmp.dh != NULL) 815 if (s->s3->tmp.dh != NULL)
777 { 816 {
778 DH_free(s->s3->tmp.dh); 817 DH_free(s->s3->tmp.dh);
779 s->s3->tmp.dh = NULL; 818 s->s3->tmp.dh = NULL;
780 } 819 }
781 #endif 820 #endif
821 #ifndef OPENSSL_NO_ECDH
822 if (s->s3->tmp.ecdh != NULL)
823 {
824 EC_KEY_free(s->s3->tmp.ecdh);
825 s->s3->tmp.ecdh = NULL;
826 }
827 #endif
828 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
782 return 2; 829 return 2;
783 } 830 }
784 return 1; 831 return 1;
785 } 832 }
786 833
787 int ssl3_get_client_hello(SSL *s) 834 int ssl3_get_client_hello(SSL *s)
788 { 835 {
789 int i,j,ok,al,ret= -1; 836 int i,j,ok,al,ret= -1;
790 unsigned int cookie_len; 837 unsigned int cookie_len;
791 long n; 838 long n;
(...skipping 29 matching lines...) Expand all
821 868
822 /* use version from inside client hello, not from record header 869 /* use version from inside client hello, not from record header
823 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 870 * (may differ: see RFC 2246, Appendix E, second paragraph) */
824 s->client_version=(((int)p[0])<<8)|(int)p[1]; 871 s->client_version=(((int)p[0])<<8)|(int)p[1];
825 p+=2; 872 p+=2;
826 873
827 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 874 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
828 (s->version != DTLS1_VERSION && s->client_version < s->version)) 875 (s->version != DTLS1_VERSION && s->client_version < s->version))
829 { 876 {
830 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 877 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
831 » » if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 878 » » if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
832 { 879 {
833 /* similar to ssl3_get_record, send alert using remote v ersion number */ 880 /* similar to ssl3_get_record, send alert using remote v ersion number */
834 s->version = s->client_version; 881 s->version = s->client_version;
835 } 882 }
836 al = SSL_AD_PROTOCOL_VERSION; 883 al = SSL_AD_PROTOCOL_VERSION;
837 goto f_err; 884 goto f_err;
838 } 885 }
839 886
840 /* If we require cookies and this ClientHello doesn't 887 /* If we require cookies and this ClientHello doesn't
841 * contain one, just return since we do not want to 888 * contain one, just return since we do not want to
(...skipping 21 matching lines...) Expand all
863 /* Versions before 0.9.7 always allow session reuse during renegotiation 910 /* Versions before 0.9.7 always allow session reuse during renegotiation
864 * (i.e. when s->new_session is true), option 911 * (i.e. when s->new_session is true), option
865 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. 912 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
866 * Maybe this optional behaviour should always have been the default, 913 * Maybe this optional behaviour should always have been the default,
867 * but we cannot safely change the default behaviour (or new application s 914 * but we cannot safely change the default behaviour (or new application s
868 * might be written that become totally unsecure when compiled with 915 * might be written that become totally unsecure when compiled with
869 * an earlier library version) 916 * an earlier library version)
870 */ 917 */
871 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_REN EGOTIATION))) 918 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_REN EGOTIATION)))
872 { 919 {
920 if (!s->session_creation_enabled)
921 {
922 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE );
923 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT _BE_CREATED);
924 goto err;
925 }
873 if (!ssl_get_new_session(s,1)) 926 if (!ssl_get_new_session(s,1))
874 goto err; 927 goto err;
875 } 928 }
876 else 929 else
877 { 930 {
878 i=ssl_get_prev_session(s, p, j, d + n); 931 i=ssl_get_prev_session(s, p, j, d + n);
879 if (i == 1) 932 if (i == 1)
880 { /* previous session */ 933 { /* previous session */
881 s->hit=1; 934 s->hit=1;
882 } 935 }
883 else if (i == -1) 936 else if (i == -1)
884 goto err; 937 goto err;
885 else /* i == 0 */ 938 else /* i == 0 */
886 { 939 {
940 if (!s->session_creation_enabled)
941 {
942 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE _FAILURE);
943 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_SESSION _MAY_NOT_BE_CREATED);
944 goto err;
945 }
887 if (!ssl_get_new_session(s,1)) 946 if (!ssl_get_new_session(s,1))
888 goto err; 947 goto err;
889 } 948 }
890 } 949 }
891 950
892 p+=j; 951 p+=j;
893 952
894 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 953 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
895 { 954 {
896 /* cookie stuff */ 955 /* cookie stuff */
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after
979 #ifdef CIPHER_DEBUG 1038 #ifdef CIPHER_DEBUG
980 printf("client [%2d of %2d]:%s\n", 1039 printf("client [%2d of %2d]:%s\n",
981 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 1040 i,sk_num(ciphers),SSL_CIPHER_get_name(c));
982 #endif 1041 #endif
983 if (c->id == id) 1042 if (c->id == id)
984 { 1043 {
985 j=1; 1044 j=1;
986 break; 1045 break;
987 } 1046 }
988 } 1047 }
1048 /* Disabled because it can be used in a ciphersuite downgrade
1049 * attack: CVE-2010-4180.
1050 */
1051 #if 0
989 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_ BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 1052 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_ BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
990 { 1053 {
991 /* Special case as client bug workaround: the previously used cipher may 1054 /* Special case as client bug workaround: the previously used cipher may
992 * not be in the current list, the client instead might be trying to 1055 * not be in the current list, the client instead might be trying to
993 * continue using a cipher that before wasn't chosen due to server 1056 * continue using a cipher that before wasn't chosen due to server
994 * preferences. We'll have to reject the connection if the cipher is not 1057 * preferences. We'll have to reject the connection if the cipher is not
995 * enabled, though. */ 1058 * enabled, though. */
996 c = sk_SSL_CIPHER_value(ciphers, 0); 1059 c = sk_SSL_CIPHER_value(ciphers, 0);
997 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 1060 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0)
998 { 1061 {
999 s->session->cipher = c; 1062 s->session->cipher = c;
1000 j = 1; 1063 j = 1;
1001 } 1064 }
1002 } 1065 }
1066 #endif
1003 if (j == 0) 1067 if (j == 0)
1004 { 1068 {
1005 /* we need to have the cipher in the cipher 1069 /* we need to have the cipher in the cipher
1006 * list if we are asked to reuse it */ 1070 * list if we are asked to reuse it */
1007 al=SSL_AD_ILLEGAL_PARAMETER; 1071 al=SSL_AD_ILLEGAL_PARAMETER;
1008 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER _MISSING); 1072 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER _MISSING);
1009 goto f_err; 1073 goto f_err;
1010 } 1074 }
1011 } 1075 }
1012 1076
(...skipping 29 matching lines...) Expand all
1042 { 1106 {
1043 /* 'al' set by ssl_parse_clienthello_tlsext */ 1107 /* 'al' set by ssl_parse_clienthello_tlsext */
1044 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 1108 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
1045 goto f_err; 1109 goto f_err;
1046 } 1110 }
1047 } 1111 }
1048 if (ssl_check_clienthello_tlsext(s) <= 0) { 1112 if (ssl_check_clienthello_tlsext(s) <= 0) {
1049 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLS EXT); 1113 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLS EXT);
1050 goto err; 1114 goto err;
1051 } 1115 }
1116
1117 /* Check if we want to use external pre-shared secret for this
1118 * handshake for not reused session only. We need to generate
1119 * server_random before calling tls_session_secret_cb in order to allow
1120 * SessionTicket processing to use it in key derivation. */
1121 {
1122 unsigned long Time;
1123 unsigned char *pos;
1124 Time=(unsigned long)time(NULL); /* Time */
1125 pos=s->s3->server_random;
1126 l2n(Time,pos);
1127 if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
1128 {
1129 al=SSL_AD_INTERNAL_ERROR;
1130 goto f_err;
1131 }
1132 }
1133
1134 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
1135 {
1136 SSL_CIPHER *pref_cipher=NULL;
1137
1138 s->session->master_key_length=sizeof(s->session->master_key);
1139 if(s->tls_session_secret_cb(s, s->session->master_key, &s->sessi on->master_key_length,
1140 ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
1141 {
1142 s->hit=1;
1143 s->session->ciphers=ciphers;
1144 s->session->verify_result=X509_V_OK;
1145
1146 ciphers=NULL;
1147
1148 /* check if some cipher was preferred by call back */
1149 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_ciph er(s, s->session->ciphers, SSL_get_ciphers(s));
1150 if (pref_cipher == NULL)
1151 {
1152 al=SSL_AD_HANDSHAKE_FAILURE;
1153 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHAR ED_CIPHER);
1154 goto f_err;
1155 }
1156
1157 s->session->cipher=pref_cipher;
1158
1159 if (s->cipher_list)
1160 sk_SSL_CIPHER_free(s->cipher_list);
1161
1162 if (s->cipher_list_by_id)
1163 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1164
1165 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1166 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->cip hers);
1167 }
1168 }
1052 #endif 1169 #endif
1170
1053 /* Worst case, we will use the NULL compression, but if we have other 1171 /* Worst case, we will use the NULL compression, but if we have other
1054 * options, we will now look for them. We have i-1 compression 1172 * options, we will now look for them. We have i-1 compression
1055 * algorithms from the client, starting at q. */ 1173 * algorithms from the client, starting at q. */
1056 s->s3->tmp.new_compression=NULL; 1174 s->s3->tmp.new_compression=NULL;
1057 #ifndef OPENSSL_NO_COMP 1175 #ifndef OPENSSL_NO_COMP
1058 » if (s->ctx->comp_methods != NULL) 1176 » /* This only happens if we have a cache hit */
1177 » if (s->session->compress_meth != 0)
1178 » » {
1179 » » int m, comp_id = s->session->compress_meth;
1180 » » /* Perform sanity checks on resumed compression algorithm */
1181 » » /* Can't disable compression */
1182 » » if (s->options & SSL_OP_NO_COMPRESSION)
1183 » » » {
1184 » » » al=SSL_AD_INTERNAL_ERROR;
1185 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_CO MPRESSION);
1186 » » » goto f_err;
1187 » » » }
1188 » » /* Look for resumed compression method */
1189 » » for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
1190 » » » {
1191 » » » comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
1192 » » » if (comp_id == comp->id)
1193 » » » » {
1194 » » » » s->s3->tmp.new_compression=comp;
1195 » » » » break;
1196 » » » » }
1197 » » » }
1198 » » if (s->s3->tmp.new_compression == NULL)
1199 » » » {
1200 » » » al=SSL_AD_INTERNAL_ERROR;
1201 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRES SION_ALGORITHM);
1202 » » » goto f_err;
1203 » » » }
1204 » » /* Look for resumed method in compression list */
1205 » » for (m = 0; m < i; m++)
1206 » » » {
1207 » » » if (q[m] == comp_id)
1208 » » » » break;
1209 » » » }
1210 » » if (m >= i)
1211 » » » {
1212 » » » al=SSL_AD_ILLEGAL_PARAMETER;
1213 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRE SSSION_ALGORITHM_MISSING);
1214 » » » goto f_err;
1215 » » » }
1216 » » }
1217 » else if (s->hit)
1218 » » comp = NULL;
1219 » else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
1059 { /* See if we have a match */ 1220 { /* See if we have a match */
1060 int m,nn,o,v,done=0; 1221 int m,nn,o,v,done=0;
1061 1222
1062 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1223 nn=sk_SSL_COMP_num(s->ctx->comp_methods);
1063 for (m=0; m<nn; m++) 1224 for (m=0; m<nn; m++)
1064 { 1225 {
1065 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1226 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
1066 v=comp->id; 1227 v=comp->id;
1067 for (o=0; o<i; o++) 1228 for (o=0; o<i; o++)
1068 { 1229 {
1069 if (v == q[o]) 1230 if (v == q[o])
1070 { 1231 {
1071 done=1; 1232 done=1;
1072 break; 1233 break;
1073 } 1234 }
1074 } 1235 }
1075 if (done) break; 1236 if (done) break;
1076 } 1237 }
1077 if (done) 1238 if (done)
1078 s->s3->tmp.new_compression=comp; 1239 s->s3->tmp.new_compression=comp;
1079 else 1240 else
1080 comp=NULL; 1241 comp=NULL;
1081 } 1242 }
1082 #endif 1243 #else
1083 1244 » /* If compression is disabled we'd better not try to resume a session
1084 » /* TLS does not mind if there is extra stuff */ 1245 » * using compression.
1085 #if 0 /* SSL 3.0 does not mind either, so we should disable this test 1246 » */
1086 * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, 1247 » if (s->session->compress_meth != 0)
1087 * in earlier SSLeay/OpenSSL releases this test existed but was buggy) * /
1088 » if (s->version == SSL3_VERSION)
1089 { 1248 {
1090 » » if (p < (d+n)) 1249 » » al=SSL_AD_INTERNAL_ERROR;
1091 » » » { 1250 » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSIO N);
1092 » » » /* wrong number of bytes, 1251 » » goto f_err;
1093 » » » * there could be more to follow */
1094 » » » al=SSL_AD_DECODE_ERROR;
1095 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH );
1096 » » » goto f_err;
1097 » » » }
1098 } 1252 }
1099 #endif 1253 #endif
1100 1254
1101 /* Given s->session->ciphers and SSL_get_ciphers, we must 1255 /* Given s->session->ciphers and SSL_get_ciphers, we must
1102 * pick a cipher */ 1256 * pick a cipher */
1103 1257
1104 if (!s->hit) 1258 if (!s->hit)
1105 { 1259 {
1106 #ifdef OPENSSL_NO_COMP 1260 #ifdef OPENSSL_NO_COMP
1107 s->session->compress_meth=0; 1261 s->session->compress_meth=0;
(...skipping 28 matching lines...) Expand all
1136 STACK_OF(SSL_CIPHER) *sk; 1290 STACK_OF(SSL_CIPHER) *sk;
1137 SSL_CIPHER *nc=NULL; 1291 SSL_CIPHER *nc=NULL;
1138 SSL_CIPHER *ec=NULL; 1292 SSL_CIPHER *ec=NULL;
1139 1293
1140 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1294 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
1141 { 1295 {
1142 sk=s->session->ciphers; 1296 sk=s->session->ciphers;
1143 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1297 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1144 { 1298 {
1145 c=sk_SSL_CIPHER_value(sk,i); 1299 c=sk_SSL_CIPHER_value(sk,i);
1146 » » » » if (c->algorithms & SSL_eNULL) 1300 » » » » if (c->algorithm_enc & SSL_eNULL)
1147 nc=c; 1301 nc=c;
1148 if (SSL_C_IS_EXPORT(c)) 1302 if (SSL_C_IS_EXPORT(c))
1149 ec=c; 1303 ec=c;
1150 } 1304 }
1151 if (nc != NULL) 1305 if (nc != NULL)
1152 s->s3->tmp.new_cipher=nc; 1306 s->s3->tmp.new_cipher=nc;
1153 else if (ec != NULL) 1307 else if (ec != NULL)
1154 s->s3->tmp.new_cipher=ec; 1308 s->s3->tmp.new_cipher=ec;
1155 else 1309 else
1156 s->s3->tmp.new_cipher=s->session->cipher; 1310 s->s3->tmp.new_cipher=s->session->cipher;
1157 } 1311 }
1158 else 1312 else
1159 #endif 1313 #endif
1160 s->s3->tmp.new_cipher=s->session->cipher; 1314 s->s3->tmp.new_cipher=s->session->cipher;
1161 } 1315 }
1316
1317 if (!ssl3_digest_cached_records(s))
1318 goto f_err;
1162 1319
1163 /* we now have the following setup. 1320 /* we now have the following setup.
1164 * client_random 1321 * client_random
1165 * cipher_list - our prefered list of ciphers 1322 * cipher_list - our prefered list of ciphers
1166 * ciphers - the clients prefered list of ciphers 1323 * ciphers - the clients prefered list of ciphers
1167 * compression - basically ignored right now 1324 * compression - basically ignored right now
1168 * ssl version is set - sslv3 1325 * ssl version is set - sslv3
1169 * s->session - The ssl session has been setup. 1326 * s->session - The ssl session has been setup.
1170 * s->hit - session reuse flag 1327 * s->hit - session reuse flag
1171 * s->tmp.new_cipher - the new cipher to use. 1328 * s->tmp.new_cipher - the new cipher to use.
1172 */ 1329 */
1173 1330
1174 if (ret < 0) ret=1; 1331 if (ret < 0) ret=1;
1175 if (0) 1332 if (0)
1176 { 1333 {
1177 f_err: 1334 f_err:
1178 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1335 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1179 } 1336 }
1180 err: 1337 err:
1181 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); 1338 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
1182 return(ret); 1339 return(ret);
1183 } 1340 }
1184 1341
1185 int ssl3_send_server_hello(SSL *s) 1342 int ssl3_send_server_hello(SSL *s)
1186 { 1343 {
1187 unsigned char *buf; 1344 unsigned char *buf;
1188 unsigned char *p,*d; 1345 unsigned char *p,*d;
1189 int i,sl; 1346 int i,sl;
1190 » unsigned long l,Time; 1347 » unsigned long l;
1348 #ifdef OPENSSL_NO_TLSEXT
1349 » unsigned long Time;
1350 #endif
1191 1351
1192 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1352 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
1193 { 1353 {
1194 buf=(unsigned char *)s->init_buf->data; 1354 buf=(unsigned char *)s->init_buf->data;
1195 » » if (!s->s3->snap_start_requested) 1355 #ifdef OPENSSL_NO_TLSEXT
1196 » » » { 1356 » » p=s->s3->server_random;
1197 » » » p=s->s3->server_random; 1357 » » /* Generate server_random if it was not needed previously */
1198 » » » Time=(unsigned long)time(NULL);»» » /* Time */ 1358 » » Time=(unsigned long)time(NULL);»» » /* Time */
1199 » » » l2n(Time,p); 1359 » » l2n(Time,p);
1200 » » » if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 1360 » » if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
1201 » » » » return -1; 1361 » » » return -1;
1202 » » » } 1362 #endif
1203 » » else if (s->s3->server_random_suggestion_valid == 0)
1204 » » » {
1205 » » » return SERVER_RANDOM_VALIDATION_PENDING;
1206 » » » }
1207
1208 /* Do the message type and length last */ 1363 /* Do the message type and length last */
1209 d=p= &(buf[4]); 1364 d=p= &(buf[4]);
1210 1365
1211 *(p++)=s->version>>8; 1366 *(p++)=s->version>>8;
1212 *(p++)=s->version&0xff; 1367 *(p++)=s->version&0xff;
1213 1368
1214 /* Random stuff */ 1369 /* Random stuff */
1215 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1370 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
1216 p+=SSL3_RANDOM_SIZE; 1371 p+=SSL3_RANDOM_SIZE;
1217 1372
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after
1251 /* put the compression method */ 1406 /* put the compression method */
1252 #ifdef OPENSSL_NO_COMP 1407 #ifdef OPENSSL_NO_COMP
1253 *(p++)=0; 1408 *(p++)=0;
1254 #else 1409 #else
1255 if (s->s3->tmp.new_compression == NULL) 1410 if (s->s3->tmp.new_compression == NULL)
1256 *(p++)=0; 1411 *(p++)=0;
1257 else 1412 else
1258 *(p++)=s->s3->tmp.new_compression->id; 1413 *(p++)=s->s3->tmp.new_compression->id;
1259 #endif 1414 #endif
1260 #ifndef OPENSSL_NO_TLSEXT 1415 #ifndef OPENSSL_NO_TLSEXT
1416 if (ssl_prepare_serverhello_tlsext(s) <= 0)
1417 {
1418 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TL SEXT);
1419 return -1;
1420 }
1261 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_ LENGTH)) == NULL) 1421 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_ LENGTH)) == NULL)
1262 { 1422 {
1263 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR ); 1423 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR );
1264 return -1; 1424 return -1;
1265 } 1425 }
1266 #endif 1426 #endif
1267 /* do the header */ 1427 /* do the header */
1268 l=(p-d); 1428 l=(p-d);
1269 d=buf; 1429 d=buf;
1270 *(d++)=SSL3_MT_SERVER_HELLO; 1430 *(d++)=SSL3_MT_SERVER_HELLO;
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after
1330 int n; 1490 int n;
1331 CERT *cert; 1491 CERT *cert;
1332 BIGNUM *r[4]; 1492 BIGNUM *r[4];
1333 int nr[4],kn; 1493 int nr[4],kn;
1334 BUF_MEM *buf; 1494 BUF_MEM *buf;
1335 EVP_MD_CTX md_ctx; 1495 EVP_MD_CTX md_ctx;
1336 1496
1337 EVP_MD_CTX_init(&md_ctx); 1497 EVP_MD_CTX_init(&md_ctx);
1338 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1498 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
1339 { 1499 {
1340 » » type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 1500 » » type=s->s3->tmp.new_cipher->algorithm_mkey;
1341 cert=s->cert; 1501 cert=s->cert;
1342 1502
1343 buf=s->init_buf; 1503 buf=s->init_buf;
1344 1504
1345 r[0]=r[1]=r[2]=r[3]=NULL; 1505 r[0]=r[1]=r[2]=r[3]=NULL;
1346 n=0; 1506 n=0;
1347 #ifndef OPENSSL_NO_RSA 1507 #ifndef OPENSSL_NO_RSA
1348 if (type & SSL_kRSA) 1508 if (type & SSL_kRSA)
1349 { 1509 {
1350 rsa=cert->rsa_tmp; 1510 rsa=cert->rsa_tmp;
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after
1384 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip her)); 1544 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip her));
1385 if (dhp == NULL) 1545 if (dhp == NULL)
1386 { 1546 {
1387 al=SSL_AD_HANDSHAKE_FAILURE; 1547 al=SSL_AD_HANDSHAKE_FAILURE;
1388 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _MISSING_TMP_DH_KEY); 1548 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _MISSING_TMP_DH_KEY);
1389 goto f_err; 1549 goto f_err;
1390 } 1550 }
1391 1551
1392 if (s->s3->tmp.dh != NULL) 1552 if (s->s3->tmp.dh != NULL)
1393 { 1553 {
1394 DH_free(dh);
1395 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_ R_INTERNAL_ERROR); 1554 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_ R_INTERNAL_ERROR);
1396 goto err; 1555 goto err;
1397 } 1556 }
1398 1557
1399 if ((dh=DHparams_dup(dhp)) == NULL) 1558 if ((dh=DHparams_dup(dhp)) == NULL)
1400 { 1559 {
1401 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R _DH_LIB); 1560 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R _DH_LIB);
1402 goto err; 1561 goto err;
1403 } 1562 }
1404 1563
(...skipping 20 matching lines...) Expand all
1425 goto err; 1584 goto err;
1426 } 1585 }
1427 } 1586 }
1428 r[0]=dh->p; 1587 r[0]=dh->p;
1429 r[1]=dh->g; 1588 r[1]=dh->g;
1430 r[2]=dh->pub_key; 1589 r[2]=dh->pub_key;
1431 } 1590 }
1432 else 1591 else
1433 #endif 1592 #endif
1434 #ifndef OPENSSL_NO_ECDH 1593 #ifndef OPENSSL_NO_ECDH
1435 » » » if (type & SSL_kECDHE) 1594 » » » if (type & SSL_kEECDH)
1436 { 1595 {
1437 const EC_GROUP *group; 1596 const EC_GROUP *group;
1438 1597
1439 ecdhp=cert->ecdh_tmp; 1598 ecdhp=cert->ecdh_tmp;
1440 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1599 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
1441 { 1600 {
1442 ecdhp=s->cert->ecdh_tmp_cb(s, 1601 ecdhp=s->cert->ecdh_tmp_cb(s,
1443 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1602 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1444 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip her)); 1603 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cip her));
1445 } 1604 }
1446 if (ecdhp == NULL) 1605 if (ecdhp == NULL)
1447 { 1606 {
1448 al=SSL_AD_HANDSHAKE_FAILURE; 1607 al=SSL_AD_HANDSHAKE_FAILURE;
1449 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _MISSING_TMP_ECDH_KEY); 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _MISSING_TMP_ECDH_KEY);
1450 goto f_err; 1609 goto f_err;
1451 } 1610 }
1452 1611
1453 if (s->s3->tmp.ecdh != NULL) 1612 if (s->s3->tmp.ecdh != NULL)
1454 { 1613 {
1455 EC_KEY_free(s->s3->tmp.ecdh);
1456 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_ R_INTERNAL_ERROR); 1614 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_ R_INTERNAL_ERROR);
1457 goto err; 1615 goto err;
1458 } 1616 }
1459 1617
1460 /* Duplicate the ECDH structure. */ 1618 /* Duplicate the ECDH structure. */
1461 if (ecdhp == NULL) 1619 if (ecdhp == NULL)
1462 { 1620 {
1463 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R _ECDH_LIB); 1621 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R _ECDH_LIB);
1464 goto err; 1622 goto err;
1465 } 1623 }
1466 » » » if (!EC_KEY_up_ref(ecdhp)) 1624 » » » if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
1467 { 1625 {
1468 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R _ECDH_LIB); 1626 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R _ECDH_LIB);
1469 goto err; 1627 goto err;
1470 } 1628 }
1471 ecdh = ecdhp;
1472 1629
1473 s->s3->tmp.ecdh=ecdh; 1630 s->s3->tmp.ecdh=ecdh;
1474 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1631 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1475 (EC_KEY_get0_private_key(ecdh) == NULL) || 1632 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1476 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1633 (s->options & SSL_OP_SINGLE_ECDH_USE))
1477 { 1634 {
1478 if(!EC_KEY_generate_key(ecdh)) 1635 if(!EC_KEY_generate_key(ecdh))
1479 { 1636 {
1480 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,E RR_R_ECDH_LIB); 1637 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,E RR_R_ECDH_LIB);
1481 goto err; 1638 goto err;
(...skipping 13 matching lines...) Expand all
1495 { 1652 {
1496 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _ECGROUP_TOO_LARGE_FOR_CIPHER); 1653 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _ECGROUP_TOO_LARGE_FOR_CIPHER);
1497 goto err; 1654 goto err;
1498 } 1655 }
1499 1656
1500 /* XXX: For now, we only support ephemeral ECDH 1657 /* XXX: For now, we only support ephemeral ECDH
1501 * keys over named (not generic) curves. For 1658 * keys over named (not generic) curves. For
1502 * supported named curves, curve_id is non-zero. 1659 * supported named curves, curve_id is non-zero.
1503 */ 1660 */
1504 if ((curve_id = 1661 if ((curve_id =
1505 » » » nid2curve_id(EC_GROUP_get_curve_name(group))) 1662 » » » tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)) )
1506 == 0) 1663 == 0)
1507 { 1664 {
1508 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _UNSUPPORTED_ELLIPTIC_CURVE); 1665 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R _UNSUPPORTED_ELLIPTIC_CURVE);
1509 goto err; 1666 goto err;
1510 } 1667 }
1511 1668
1512 /* Encode the public key. 1669 /* Encode the public key.
1513 * First check the size of encoding and 1670 * First check the size of encoding and
1514 * allocate memory accordingly. 1671 * allocate memory accordingly.
1515 */ 1672 */
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
1552 /* We'll generate the serverKeyExchange message 1709 /* We'll generate the serverKeyExchange message
1553 * explicitly so we can set these to NULLs 1710 * explicitly so we can set these to NULLs
1554 */ 1711 */
1555 r[0]=NULL; 1712 r[0]=NULL;
1556 r[1]=NULL; 1713 r[1]=NULL;
1557 r[2]=NULL; 1714 r[2]=NULL;
1558 r[3]=NULL; 1715 r[3]=NULL;
1559 } 1716 }
1560 else 1717 else
1561 #endif /* !OPENSSL_NO_ECDH */ 1718 #endif /* !OPENSSL_NO_ECDH */
1719 #ifndef OPENSSL_NO_PSK
1720 if (type & SSL_kPSK)
1721 {
1722 /* reserve size for record length and PSK identi ty hint*/
1723 n+=2+strlen(s->ctx->psk_identity_hint);
1724 }
1725 else
1726 #endif /* !OPENSSL_NO_PSK */
1562 { 1727 {
1563 al=SSL_AD_HANDSHAKE_FAILURE; 1728 al=SSL_AD_HANDSHAKE_FAILURE;
1564 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN _KEY_EXCHANGE_TYPE); 1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN _KEY_EXCHANGE_TYPE);
1565 goto f_err; 1730 goto f_err;
1566 } 1731 }
1567 for (i=0; r[i] != NULL; i++) 1732 for (i=0; r[i] != NULL; i++)
1568 { 1733 {
1569 nr[i]=BN_num_bytes(r[i]); 1734 nr[i]=BN_num_bytes(r[i]);
1570 n+=2+nr[i]; 1735 n+=2+nr[i];
1571 } 1736 }
1572 1737
1573 » » if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 1738 » » if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1739 » » » && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
1574 { 1740 {
1575 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1741 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
1576 == NULL) 1742 == NULL)
1577 { 1743 {
1578 al=SSL_AD_DECODE_ERROR; 1744 al=SSL_AD_DECODE_ERROR;
1579 goto f_err; 1745 goto f_err;
1580 } 1746 }
1581 kn=EVP_PKEY_size(pkey); 1747 kn=EVP_PKEY_size(pkey);
1582 } 1748 }
1583 else 1749 else
(...skipping 11 matching lines...) Expand all
1595 p= &(d[4]); 1761 p= &(d[4]);
1596 1762
1597 for (i=0; r[i] != NULL; i++) 1763 for (i=0; r[i] != NULL; i++)
1598 { 1764 {
1599 s2n(nr[i],p); 1765 s2n(nr[i],p);
1600 BN_bn2bin(r[i],p); 1766 BN_bn2bin(r[i],p);
1601 p+=nr[i]; 1767 p+=nr[i];
1602 } 1768 }
1603 1769
1604 #ifndef OPENSSL_NO_ECDH 1770 #ifndef OPENSSL_NO_ECDH
1605 » » if (type & SSL_kECDHE) 1771 » » if (type & SSL_kEECDH)
1606 { 1772 {
1607 /* XXX: For now, we only support named (not generic) cur ves. 1773 /* XXX: For now, we only support named (not generic) cur ves.
1608 * In this situation, the serverKeyExchange message has: 1774 * In this situation, the serverKeyExchange message has:
1609 * [1 byte CurveType], [2 byte CurveName] 1775 * [1 byte CurveType], [2 byte CurveName]
1610 * [1 byte length of encoded point], followed by 1776 * [1 byte length of encoded point], followed by
1611 * the actual encoded point itself 1777 * the actual encoded point itself
1612 */ 1778 */
1613 *p = NAMED_CURVE_TYPE; 1779 *p = NAMED_CURVE_TYPE;
1614 p += 1; 1780 p += 1;
1615 *p = 0; 1781 *p = 0;
1616 p += 1; 1782 p += 1;
1617 *p = curve_id; 1783 *p = curve_id;
1618 p += 1; 1784 p += 1;
1619 *p = encodedlen; 1785 *p = encodedlen;
1620 p += 1; 1786 p += 1;
1621 memcpy((unsigned char*)p, 1787 memcpy((unsigned char*)p,
1622 (unsigned char *)encodedPoint, 1788 (unsigned char *)encodedPoint,
1623 encodedlen); 1789 encodedlen);
1624 OPENSSL_free(encodedPoint); 1790 OPENSSL_free(encodedPoint);
1791 encodedPoint = NULL;
1625 p += encodedlen; 1792 p += encodedlen;
1626 } 1793 }
1627 #endif 1794 #endif
1628 1795
1796 #ifndef OPENSSL_NO_PSK
1797 if (type & SSL_kPSK)
1798 {
1799 /* copy PSK identity hint */
1800 s2n(strlen(s->ctx->psk_identity_hint), p);
1801 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s-> ctx->psk_identity_hint));
1802 p+=strlen(s->ctx->psk_identity_hint);
1803 }
1804 #endif
1805
1629 /* not anonymous */ 1806 /* not anonymous */
1630 if (pkey != NULL) 1807 if (pkey != NULL)
1631 { 1808 {
1632 /* n is the length of the params, they start at &(d[4]) 1809 /* n is the length of the params, they start at &(d[4])
1633 * and p points to the space at the end. */ 1810 * and p points to the space at the end. */
1634 #ifndef OPENSSL_NO_RSA 1811 #ifndef OPENSSL_NO_RSA
1635 if (pkey->type == EVP_PKEY_RSA) 1812 if (pkey->type == EVP_PKEY_RSA)
1636 { 1813 {
1637 q=md_buf; 1814 q=md_buf;
1638 j=0; 1815 j=0;
1639 for (num=2; num > 0; num--) 1816 for (num=2; num > 0; num--)
1640 { 1817 {
1641 EVP_MD_CTX_set_flags(&md_ctx,
1642 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1643 EVP_DigestInit_ex(&md_ctx,(num == 2) 1818 EVP_DigestInit_ex(&md_ctx,(num == 2)
1644 ?s->ctx->md5:s->ctx->sha1, NULL) ; 1819 ?s->ctx->md5:s->ctx->sha1, NULL) ;
1645 EVP_DigestUpdate(&md_ctx,&(s->s3->client _random[0]),SSL3_RANDOM_SIZE); 1820 EVP_DigestUpdate(&md_ctx,&(s->s3->client _random[0]),SSL3_RANDOM_SIZE);
1646 EVP_DigestUpdate(&md_ctx,&(s->s3->server _random[0]),SSL3_RANDOM_SIZE); 1821 EVP_DigestUpdate(&md_ctx,&(s->s3->server _random[0]),SSL3_RANDOM_SIZE);
1647 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1822 EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1648 EVP_DigestFinal_ex(&md_ctx,q, 1823 EVP_DigestFinal_ex(&md_ctx,q,
1649 (unsigned int *)&i); 1824 (unsigned int *)&i);
1650 q+=i; 1825 q+=i;
1651 j+=i; 1826 j+=i;
1652 } 1827 }
(...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after
1816 /* SSL3_ST_SW_CERT_REQ_B */ 1991 /* SSL3_ST_SW_CERT_REQ_B */
1817 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1992 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1818 err: 1993 err:
1819 return(-1); 1994 return(-1);
1820 } 1995 }
1821 1996
1822 int ssl3_get_client_key_exchange(SSL *s) 1997 int ssl3_get_client_key_exchange(SSL *s)
1823 { 1998 {
1824 int i,al,ok; 1999 int i,al,ok;
1825 long n; 2000 long n;
1826 » unsigned long l; 2001 » unsigned long alg_k;
1827 unsigned char *p; 2002 unsigned char *p;
1828 #ifndef OPENSSL_NO_RSA 2003 #ifndef OPENSSL_NO_RSA
1829 RSA *rsa=NULL; 2004 RSA *rsa=NULL;
1830 EVP_PKEY *pkey=NULL; 2005 EVP_PKEY *pkey=NULL;
1831 #endif 2006 #endif
1832 #ifndef OPENSSL_NO_DH 2007 #ifndef OPENSSL_NO_DH
1833 BIGNUM *pub=NULL; 2008 BIGNUM *pub=NULL;
1834 DH *dh_srvr; 2009 DH *dh_srvr;
1835 #endif 2010 #endif
1836 #ifndef OPENSSL_NO_KRB5 2011 #ifndef OPENSSL_NO_KRB5
1837 KSSL_ERR kssl_err; 2012 » KSSL_ERR kssl_err;
1838 #endif /* OPENSSL_NO_KRB5 */ 2013 #endif /* OPENSSL_NO_KRB5 */
1839 2014
1840 #ifndef OPENSSL_NO_ECDH 2015 #ifndef OPENSSL_NO_ECDH
1841 EC_KEY *srvr_ecdh = NULL; 2016 EC_KEY *srvr_ecdh = NULL;
1842 EVP_PKEY *clnt_pub_pkey = NULL; 2017 EVP_PKEY *clnt_pub_pkey = NULL;
1843 EC_POINT *clnt_ecpoint = NULL; 2018 EC_POINT *clnt_ecpoint = NULL;
1844 BN_CTX *bn_ctx = NULL; 2019 BN_CTX *bn_ctx = NULL;
1845 #endif 2020 #endif
1846 2021
1847 n=s->method->ssl_get_message(s, 2022 n=s->method->ssl_get_message(s,
1848 SSL3_ST_SR_KEY_EXCH_A, 2023 SSL3_ST_SR_KEY_EXCH_A,
1849 SSL3_ST_SR_KEY_EXCH_B, 2024 SSL3_ST_SR_KEY_EXCH_B,
1850 SSL3_MT_CLIENT_KEY_EXCHANGE, 2025 SSL3_MT_CLIENT_KEY_EXCHANGE,
1851 2048, /* ??? */ 2026 2048, /* ??? */
1852 &ok); 2027 &ok);
1853 2028
1854 if (!ok) return((int)n); 2029 if (!ok) return((int)n);
1855 p=(unsigned char *)s->init_msg; 2030 p=(unsigned char *)s->init_msg;
1856 2031
1857 » l=s->s3->tmp.new_cipher->algorithms; 2032 » alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1858 2033
1859 #ifndef OPENSSL_NO_RSA 2034 #ifndef OPENSSL_NO_RSA
1860 » if (l & SSL_kRSA) 2035 » if (alg_k & SSL_kRSA)
1861 { 2036 {
1862 /* FIX THIS UP EAY EAY EAY EAY */ 2037 /* FIX THIS UP EAY EAY EAY EAY */
1863 if (s->s3->tmp.use_rsa_tmp) 2038 if (s->s3->tmp.use_rsa_tmp)
1864 { 2039 {
1865 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2040 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
1866 rsa=s->cert->rsa_tmp; 2041 rsa=s->cert->rsa_tmp;
1867 /* Don't do a callback because rsa_tmp should 2042 /* Don't do a callback because rsa_tmp should
1868 * be sent already */ 2043 * be sent already */
1869 if (rsa == NULL) 2044 if (rsa == NULL)
1870 { 2045 {
(...skipping 10 matching lines...) Expand all
1881 (pkey->type != EVP_PKEY_RSA) || 2056 (pkey->type != EVP_PKEY_RSA) ||
1882 (pkey->pkey.rsa == NULL)) 2057 (pkey->pkey.rsa == NULL))
1883 { 2058 {
1884 al=SSL_AD_HANDSHAKE_FAILURE; 2059 al=SSL_AD_HANDSHAKE_FAILURE;
1885 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_ MISSING_RSA_CERTIFICATE); 2060 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_ MISSING_RSA_CERTIFICATE);
1886 goto f_err; 2061 goto f_err;
1887 } 2062 }
1888 rsa=pkey->pkey.rsa; 2063 rsa=pkey->pkey.rsa;
1889 } 2064 }
1890 2065
1891 » » /* TLS and [incidentally] DTLS, including pre-0.9.8f */ 2066 » » /* TLS and [incidentally] DTLS{0xFEFF} */
1892 » » if (s->version > SSL3_VERSION && 2067 » » if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER)
1893 » » s->client_version != DTLS1_BAD_VER)
1894 { 2068 {
1895 n2s(p,i); 2069 n2s(p,i);
1896 if (n != i+2) 2070 if (n != i+2)
1897 { 2071 {
1898 if (!(s->options & SSL_OP_TLS_D5_BUG)) 2072 if (!(s->options & SSL_OP_TLS_D5_BUG))
1899 { 2073 {
1900 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANG E,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 2074 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANG E,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1901 goto err; 2075 goto err;
1902 } 2076 }
1903 else 2077 else
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after
1957 2131
1958 s->session->master_key_length= 2132 s->session->master_key_length=
1959 s->method->ssl3_enc->generate_master_secret(s, 2133 s->method->ssl3_enc->generate_master_secret(s,
1960 s->session->master_key, 2134 s->session->master_key,
1961 p,i); 2135 p,i);
1962 OPENSSL_cleanse(p,i); 2136 OPENSSL_cleanse(p,i);
1963 } 2137 }
1964 else 2138 else
1965 #endif 2139 #endif
1966 #ifndef OPENSSL_NO_DH 2140 #ifndef OPENSSL_NO_DH
1967 » » if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2141 » » if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1968 { 2142 {
1969 n2s(p,i); 2143 n2s(p,i);
1970 if (n != i+2) 2144 if (n != i+2)
1971 { 2145 {
1972 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) 2146 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1973 { 2147 {
1974 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_ DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 2148 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_ DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1975 goto err; 2149 goto err;
1976 } 2150 }
1977 else 2151 else
(...skipping 26 matching lines...) Expand all
2004 { 2178 {
2005 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB); 2179 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
2006 goto err; 2180 goto err;
2007 } 2181 }
2008 2182
2009 i=DH_compute_key(p,pub,dh_srvr); 2183 i=DH_compute_key(p,pub,dh_srvr);
2010 2184
2011 if (i <= 0) 2185 if (i <= 0)
2012 { 2186 {
2013 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2187 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2188 BN_clear_free(pub);
2014 goto err; 2189 goto err;
2015 } 2190 }
2016 2191
2017 DH_free(s->s3->tmp.dh); 2192 DH_free(s->s3->tmp.dh);
2018 s->s3->tmp.dh=NULL; 2193 s->s3->tmp.dh=NULL;
2019 2194
2020 BN_clear_free(pub); 2195 BN_clear_free(pub);
2021 pub=NULL; 2196 pub=NULL;
2022 s->session->master_key_length= 2197 s->session->master_key_length=
2023 s->method->ssl3_enc->generate_master_secret(s, 2198 s->method->ssl3_enc->generate_master_secret(s,
2024 s->session->master_key,p,i); 2199 s->session->master_key,p,i);
2025 OPENSSL_cleanse(p,i); 2200 OPENSSL_cleanse(p,i);
2026 } 2201 }
2027 else 2202 else
2028 #endif 2203 #endif
2029 #ifndef OPENSSL_NO_KRB5 2204 #ifndef OPENSSL_NO_KRB5
2030 if (l & SSL_kKRB5) 2205 » if (alg_k & SSL_kKRB5)
2031 { 2206 » » {
2032 krb5_error_code»» krb5rc; 2207 » » krb5_error_code»» krb5rc;
2033 krb5_data enc_ticket; 2208 krb5_data enc_ticket;
2034 krb5_data authenticator; 2209 krb5_data authenticator;
2035 krb5_data enc_pms; 2210 krb5_data enc_pms;
2036 KSSL_CTX» » *kssl_ctx = s->kssl_ctx; 2211 » » KSSL_CTX» » *kssl_ctx = s->kssl_ctx;
2037 EVP_CIPHER_CTX ciph_ctx; 2212 EVP_CIPHER_CTX ciph_ctx;
2038 » » EVP_CIPHER» » *enc = NULL; 2213 » » const EVP_CIPHER» *enc = NULL;
2039 unsigned char iv[EVP_MAX_IV_LENGTH]; 2214 unsigned char iv[EVP_MAX_IV_LENGTH];
2040 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2215 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
2041 + EVP_MAX_BLOCK_LENGTH]; 2216 » » » » » + EVP_MAX_BLOCK_LENGTH];
2042 » » int padl, outl; 2217 » » int» » padl, outl;
2043 krb5_timestamp authtime = 0; 2218 krb5_timestamp authtime = 0;
2044 krb5_ticket_times ttimes; 2219 krb5_ticket_times ttimes;
2045 2220
2046 EVP_CIPHER_CTX_init(&ciph_ctx); 2221 EVP_CIPHER_CTX_init(&ciph_ctx);
2047 2222
2048 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2223 » » if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
2049 2224
2050 n2s(p,i); 2225 n2s(p,i);
2051 enc_ticket.length = i; 2226 enc_ticket.length = i;
2052 2227
2053 » » if (n < (int)enc_ticket.length + 6) 2228 » » if (n < (long)(enc_ticket.length + 6))
2054 { 2229 {
2055 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2230 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2056 SSL_R_DATA_LENGTH_TOO_LONG); 2231 SSL_R_DATA_LENGTH_TOO_LONG);
2057 goto err; 2232 goto err;
2058 } 2233 }
2059 2234
2060 enc_ticket.data = (char *)p; 2235 enc_ticket.data = (char *)p;
2061 p+=enc_ticket.length; 2236 p+=enc_ticket.length;
2062 2237
2063 n2s(p,i); 2238 n2s(p,i);
2064 authenticator.length = i; 2239 authenticator.length = i;
2065 2240
2066 » » if (n < (int)(enc_ticket.length + authenticator.length) + 6) 2241 » » if (n < (long)(enc_ticket.length + authenticator.length + 6))
2067 { 2242 {
2068 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2243 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2069 SSL_R_DATA_LENGTH_TOO_LONG); 2244 SSL_R_DATA_LENGTH_TOO_LONG);
2070 goto err; 2245 goto err;
2071 } 2246 }
2072 2247
2073 authenticator.data = (char *)p; 2248 authenticator.data = (char *)p;
2074 p+=authenticator.length; 2249 p+=authenticator.length;
2075 2250
2076 n2s(p,i); 2251 n2s(p,i);
(...skipping 12 matching lines...) Expand all
2089 } 2264 }
2090 2265
2091 if (n != (long)(enc_ticket.length + authenticator.length + 2266 if (n != (long)(enc_ticket.length + authenticator.length +
2092 enc_pms.length + 6)) 2267 enc_pms.length + 6))
2093 { 2268 {
2094 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2095 SSL_R_DATA_LENGTH_TOO_LONG); 2270 SSL_R_DATA_LENGTH_TOO_LONG);
2096 goto err; 2271 goto err;
2097 } 2272 }
2098 2273
2099 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2274 » » if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2100 &kssl_err)) != 0) 2275 &kssl_err)) != 0)
2101 { 2276 » » » {
2102 #ifdef KSSL_DEBUG 2277 #ifdef KSSL_DEBUG
2103 printf("kssl_sget_tkt rtn %d [%d]\n", 2278 » » » printf("kssl_sget_tkt rtn %d [%d]\n",
2104 krb5rc, kssl_err.reason); 2279 » » » » krb5rc, kssl_err.reason);
2105 if (kssl_err.text) 2280 » » » if (kssl_err.text)
2106 printf("kssl_err text= %s\n", kssl_err.text); 2281 » » » » printf("kssl_err text= %s\n", kssl_err.text);
2107 #endif /* KSSL_DEBUG */ 2282 #endif /* KSSL_DEBUG */
2108 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2283 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2109 kssl_err.reason); 2284 » » » » kssl_err.reason);
2110 goto err; 2285 » » » goto err;
2111 } 2286 » » » }
2112 2287
2113 /* Note: no authenticator is not considered an error, 2288 /* Note: no authenticator is not considered an error,
2114 ** but will return authtime == 0. 2289 ** but will return authtime == 0.
2115 */ 2290 */
2116 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2291 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
2117 &authtime, &kssl_err)) != 0) 2292 &authtime, &kssl_err)) != 0)
2118 { 2293 {
2119 #ifdef KSSL_DEBUG 2294 #ifdef KSSL_DEBUG
2120 printf("kssl_check_authent rtn %d [%d]\n", 2295 » » » printf("kssl_check_authent rtn %d [%d]\n",
2121 krb5rc, kssl_err.reason); 2296 » » » » krb5rc, kssl_err.reason);
2122 if (kssl_err.text) 2297 » » » if (kssl_err.text)
2123 printf("kssl_err text= %s\n", kssl_err.text); 2298 » » » » printf("kssl_err text= %s\n", kssl_err.text);
2124 #endif /* KSSL_DEBUG */ 2299 #endif /* KSSL_DEBUG */
2125 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2300 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2126 kssl_err.reason); 2301 » » » » kssl_err.reason);
2127 goto err; 2302 » » » goto err;
2128 } 2303 }
2129 2304
2130 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2305 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
2131 { 2306 {
2132 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2307 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2133 goto err; 2308 » » » goto err;
2134 } 2309 }
2135 2310
2136 #ifdef KSSL_DEBUG 2311 #ifdef KSSL_DEBUG
2137 kssl_ctx_show(kssl_ctx); 2312 » » kssl_ctx_show(kssl_ctx);
2138 #endif /* KSSL_DEBUG */ 2313 #endif /* KSSL_DEBUG */
2139 2314
2140 enc = kssl_map_enc(kssl_ctx->enctype); 2315 enc = kssl_map_enc(kssl_ctx->enctype);
2141 if (enc == NULL) 2316 » » if (enc == NULL)
2142 goto err; 2317 » » goto err;
2143 2318
2144 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2319 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2145 2320
2146 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2321 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
2147 { 2322 {
2148 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2323 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2149 SSL_R_DECRYPTION_FAILED); 2324 SSL_R_DECRYPTION_FAILED);
2150 goto err; 2325 goto err;
2151 } 2326 }
2152 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2327 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
(...skipping 26 matching lines...) Expand all
2179 { 2354 {
2180 /* The premaster secret must contain the same version number as the 2355 /* The premaster secret must contain the same version number as the
2181 * ClientHello to detect version rollback attacks (strangely , the 2356 * ClientHello to detect version rollback attacks (strangely , the
2182 * protocol does not offer such protection for DH ciphersuit es). 2357 * protocol does not offer such protection for DH ciphersuit es).
2183 * However, buggy clients exist that send random bytes inste ad of 2358 * However, buggy clients exist that send random bytes inste ad of
2184 * the protocol version. 2359 * the protocol version.
2185 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2360 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2186 * (Perhaps we should have a separate BUG value for the Kerb eros cipher) 2361 * (Perhaps we should have a separate BUG value for the Kerb eros cipher)
2187 */ 2362 */
2188 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2363 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
2189 » » { 2364 » » » {
2190 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2191 SSL_AD_DECODE_ERROR); 2366 SSL_AD_DECODE_ERROR);
2192 goto err; 2367 goto err;
2193 } 2368 }
2194 } 2369 }
2195 2370
2196 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2371 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2197 2372
2198 s->session->master_key_length= 2373 » » s->session->master_key_length=
2199 s->method->ssl3_enc->generate_master_secret(s, 2374 » » » s->method->ssl3_enc->generate_master_secret(s,
2200 s->session->master_key, pms, outl); 2375 » » » » s->session->master_key, pms, outl);
2201 2376
2202 if (kssl_ctx->client_princ) 2377 » » if (kssl_ctx->client_princ)
2203 { 2378 » » » {
2204 size_t len = strlen(kssl_ctx->client_princ); 2379 » » » size_t len = strlen(kssl_ctx->client_princ);
2205 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2380 » » » if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
2206 { 2381 » » » » {
2207 s->session->krb5_client_princ_len = len; 2382 » » » » s->session->krb5_client_princ_len = len;
2208 memcpy(s->session->krb5_client_princ,kssl_ctx->c lient_princ,len); 2383 » » » » memcpy(s->session->krb5_client_princ,kssl_ctx->c lient_princ,len);
2209 } 2384 » » » » }
2210 } 2385 » » » }
2211 2386
2212 2387
2213 /* Was doing kssl_ctx_free() here, 2388 » » /* Was doing kssl_ctx_free() here,
2214 ** but it caused problems for apache. 2389 ** but it caused problems for apache.
2215 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2390 » » ** kssl_ctx = kssl_ctx_free(kssl_ctx);
2216 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2391 » » ** if (s->kssl_ctx) s->kssl_ctx = NULL;
2217 */ 2392 » » */
2218 } 2393 » » }
2219 else 2394 else
2220 #endif /* OPENSSL_NO_KRB5 */ 2395 #endif /* OPENSSL_NO_KRB5 */
2221 2396
2222 #ifndef OPENSSL_NO_ECDH 2397 #ifndef OPENSSL_NO_ECDH
2223 » » if ((l & SSL_kECDH) || (l & SSL_kECDHE)) 2398 » » if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2224 { 2399 {
2225 int ret = 1; 2400 int ret = 1;
2226 int field_size = 0; 2401 int field_size = 0;
2227 const EC_KEY *tkey; 2402 const EC_KEY *tkey;
2228 const EC_GROUP *group; 2403 const EC_GROUP *group;
2229 const BIGNUM *priv_key; 2404 const BIGNUM *priv_key;
2230 2405
2231 /* initialize structures for server's ECDH key pair */ 2406 » » /* initialize structures for server's ECDH key pair */
2232 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2407 if ((srvr_ecdh = EC_KEY_new()) == NULL)
2233 { 2408 {
2234 » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2409 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2235 ERR_R_MALLOC_FAILURE); 2410 ERR_R_MALLOC_FAILURE);
2236 » goto err; 2411 » » » goto err;
2237 } 2412 }
2238 2413
2239 /* Let's get server private key and group information */ 2414 /* Let's get server private key and group information */
2240 » » if (l & SSL_kECDH) 2415 » » if (alg_k & (SSL_kECDHr|SSL_kECDHe))
2241 { 2416 {
2242 /* use the certificate */ 2417 » » » /* use the certificate */
2243 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2418 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2244 } 2419 }
2245 else 2420 else
2246 { 2421 {
2247 /* use the ephermeral values we saved when 2422 /* use the ephermeral values we saved when
2248 * generating the ServerKeyExchange msg. 2423 * generating the ServerKeyExchange msg.
2249 */ 2424 */
2250 tkey = s->s3->tmp.ecdh; 2425 tkey = s->s3->tmp.ecdh;
2251 } 2426 }
2252 2427
2253 group = EC_KEY_get0_group(tkey); 2428 group = EC_KEY_get0_group(tkey);
2254 priv_key = EC_KEY_get0_private_key(tkey); 2429 priv_key = EC_KEY_get0_private_key(tkey);
2255 2430
2256 if (!EC_KEY_set_group(srvr_ecdh, group) || 2431 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2257 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2432 !EC_KEY_set_private_key(srvr_ecdh, priv_key))
2258 { 2433 {
2259 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2434 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2260 ERR_R_EC_LIB); 2435 ERR_R_EC_LIB);
2261 goto err; 2436 goto err;
2262 } 2437 }
2263 2438
2264 /* Let's get client's public key */ 2439 /* Let's get client's public key */
2265 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2440 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL)
2266 { 2441 {
2267 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2442 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2268 ERR_R_MALLOC_FAILURE); 2443 ERR_R_MALLOC_FAILURE);
2269 goto err; 2444 goto err;
2270 } 2445 }
2271 2446
2272 if (n == 0L) 2447 » » if (n == 0L)
2273 { 2448 » » » {
2274 /* Client Publickey was in Client Certificate */ 2449 /* Client Publickey was in Client Certificate */
2275 2450
2276 » » » if (l & SSL_kECDHE) 2451 » » » if (alg_k & SSL_kEECDH)
2277 { 2452 {
2278 al=SSL_AD_HANDSHAKE_FAILURE; 2453 al=SSL_AD_HANDSHAKE_FAILURE;
2279 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R _MISSING_TMP_ECDH_KEY); 2454 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R _MISSING_TMP_ECDH_KEY);
2280 goto f_err; 2455 goto f_err;
2281 } 2456 }
2282 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2457 » » » if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
2283 == NULL) || 2458 == NULL) ||
2284 (clnt_pub_pkey->type != EVP_PKEY_EC)) 2459 (clnt_pub_pkey->type != EVP_PKEY_EC))
2285 » { 2460 » » » » {
2286 /* XXX: For now, we do not support client 2461 /* XXX: For now, we do not support client
2287 * authentication using ECDH certificates 2462 * authentication using ECDH certificates
2288 * so this branch (n == 0L) of the code is 2463 * so this branch (n == 0L) of the code is
2289 * never executed. When that support is 2464 * never executed. When that support is
2290 * added, we ought to ensure the key 2465 * added, we ought to ensure the key
2291 * received in the certificate is 2466 * received in the certificate is
2292 * authorized for key agreement. 2467 * authorized for key agreement.
2293 * ECDH_compute_key implicitly checks that 2468 * ECDH_compute_key implicitly checks that
2294 * the two ECDH shares are for the same 2469 * the two ECDH shares are for the same
2295 * group. 2470 * group.
2296 */ 2471 */
2297 » al=SSL_AD_HANDSHAKE_FAILURE; 2472 » » » » al=SSL_AD_HANDSHAKE_FAILURE;
2298 » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2473 » » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2299 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2474 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2300 » goto f_err; 2475 » » » » goto f_err;
2301 » } 2476 » » » » }
2302 2477
2303 if (EC_POINT_copy(clnt_ecpoint, 2478 if (EC_POINT_copy(clnt_ecpoint,
2304 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0 ) 2479 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0 )
2305 { 2480 {
2306 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2481 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2307 ERR_R_EC_LIB); 2482 ERR_R_EC_LIB);
2308 goto err; 2483 goto err;
2309 } 2484 }
2310 ret = 2; /* Skip certificate verify processing */ 2485 » » » ret = 2; /* Skip certificate verify processing */
2311 } 2486 » » » }
2312 else 2487 » » else
2313 { 2488 » » » {
2314 /* Get client's public key from encoded point 2489 /* Get client's public key from encoded point
2315 * in the ClientKeyExchange message. 2490 * in the ClientKeyExchange message.
2316 */ 2491 */
2317 if ((bn_ctx = BN_CTX_new()) == NULL) 2492 if ((bn_ctx = BN_CTX_new()) == NULL)
2318 { 2493 {
2319 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2494 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2320 ERR_R_MALLOC_FAILURE); 2495 ERR_R_MALLOC_FAILURE);
2321 goto err; 2496 goto err;
2322 } 2497 }
2323 2498
2324 /* Get encoded point length */ 2499 » » » /* Get encoded point length */
2325 i = *p; 2500 » » » i = *p;
2326 p += 1; 2501 p += 1;
2327 if (EC_POINT_oct2point(group, 2502 » » » if (n != 1 + i)
2503 » » » » {
2504 » » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2505 » » » » ERR_R_EC_LIB);
2506 » » » » goto err;
2507 » » » » }
2508 » » » if (EC_POINT_oct2point(group,
2328 clnt_ecpoint, p, i, bn_ctx) == 0) 2509 clnt_ecpoint, p, i, bn_ctx) == 0)
2329 { 2510 {
2330 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2511 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2331 ERR_R_EC_LIB); 2512 ERR_R_EC_LIB);
2332 goto err; 2513 goto err;
2333 } 2514 }
2334 /* p is pointing to somewhere in the buffer 2515 » » » /* p is pointing to somewhere in the buffer
2335 * currently, so set it to the start 2516 » » » * currently, so set it to the start
2336 */ 2517 » » » */
2337 p=(unsigned char *)s->init_buf->data; 2518 » » » p=(unsigned char *)s->init_buf->data;
2338 } 2519 » » » }
2339 2520
2340 /* Compute the shared pre-master secret */ 2521 /* Compute the shared pre-master secret */
2341 field_size = EC_GROUP_get_degree(group); 2522 field_size = EC_GROUP_get_degree(group);
2342 if (field_size <= 0) 2523 if (field_size <= 0)
2343 { 2524 {
2344 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2525 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2345 ERR_R_ECDH_LIB); 2526 ERR_R_ECDH_LIB);
2346 goto err; 2527 goto err;
2347 } 2528 }
2348 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecd h, NULL); 2529 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecd h, NULL);
2349 if (i <= 0) 2530 » » if (i <= 0)
2350 { 2531 » » » {
2351 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2532 » » » SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2352 ERR_R_ECDH_LIB); 2533 ERR_R_ECDH_LIB);
2353 goto err; 2534 » » » goto err;
2354 } 2535 » » » }
2355 2536
2356 EVP_PKEY_free(clnt_pub_pkey); 2537 EVP_PKEY_free(clnt_pub_pkey);
2357 EC_POINT_free(clnt_ecpoint); 2538 EC_POINT_free(clnt_ecpoint);
2358 » » if (srvr_ecdh != NULL) 2539 » » EC_KEY_free(srvr_ecdh);
2359 » » » EC_KEY_free(srvr_ecdh);
2360 BN_CTX_free(bn_ctx); 2540 BN_CTX_free(bn_ctx);
2541 EC_KEY_free(s->s3->tmp.ecdh);
2542 s->s3->tmp.ecdh = NULL;
2361 2543
2362 /* Compute the master secret */ 2544 /* Compute the master secret */
2363 s->session->master_key_length = s->method->ssl3_enc-> \ 2545 » » s->session->master_key_length = s->method->ssl3_enc-> \
2364 generate_master_secret(s, s->session->master_key, p, i); 2546 generate_master_secret(s, s->session->master_key, p, i);
2365 2547
2366 OPENSSL_cleanse(p, i); 2548 » » OPENSSL_cleanse(p, i);
2367 return (ret); 2549 » » return (ret);
2368 } 2550 }
2369 else 2551 else
2370 #endif 2552 #endif
2553 #ifndef OPENSSL_NO_PSK
2554 if (alg_k & SSL_kPSK)
2555 {
2556 unsigned char *t = NULL;
2557 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
2558 unsigned int pre_ms_len = 0, psk_len = 0;
2559 int psk_err = 1;
2560 char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2561
2562 al=SSL_AD_HANDSHAKE_FAILURE;
2563
2564 n2s(p,i);
2565 if (n != i+2)
2566 {
2567 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2568 SSL_R_LENGTH_MISMATCH);
2569 goto psk_err;
2570 }
2571 if (i > PSK_MAX_IDENTITY_LEN)
2572 {
2573 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2574 SSL_R_DATA_LENGTH_TOO_LONG);
2575 goto psk_err;
2576 }
2577 if (s->psk_server_callback == NULL)
2578 {
2579 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2580 SSL_R_PSK_NO_SERVER_CB);
2581 goto psk_err;
2582 }
2583
2584 /* Create guaranteed NULL-terminated identity
2585 * string for the callback */
2586 memcpy(tmp_id, p, i);
2587 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
2588 psk_len = s->psk_server_callback(s, tmp_id,
2589 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2590 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1);
2591
2592 if (psk_len > PSK_MAX_PSK_LEN)
2593 {
2594 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2595 ERR_R_INTERNAL_ERROR);
2596 goto psk_err;
2597 }
2598 else if (psk_len == 0)
2599 {
2600 /* PSK related to the given identity not found * /
2601 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2602 SSL_R_PSK_IDENTITY_NOT_FOUND);
2603 al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2604 goto psk_err;
2605 }
2606
2607 /* create PSK pre_master_secret */
2608 pre_ms_len=2+psk_len+2+psk_len;
2609 t = psk_or_pre_ms;
2610 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len) ;
2611 s2n(psk_len, t);
2612 memset(t, 0, psk_len);
2613 t+=psk_len;
2614 s2n(psk_len, t);
2615
2616 if (s->session->psk_identity != NULL)
2617 OPENSSL_free(s->session->psk_identity);
2618 s->session->psk_identity = BUF_strdup((char *)p);
2619 if (s->session->psk_identity == NULL)
2620 {
2621 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2622 ERR_R_MALLOC_FAILURE);
2623 goto psk_err;
2624 }
2625
2626 if (s->session->psk_identity_hint != NULL)
2627 OPENSSL_free(s->session->psk_identity_hint);
2628 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_i dentity_hint);
2629 if (s->ctx->psk_identity_hint != NULL &&
2630 s->session->psk_identity_hint == NULL)
2631 {
2632 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2633 ERR_R_MALLOC_FAILURE);
2634 goto psk_err;
2635 }
2636
2637 s->session->master_key_length=
2638 s->method->ssl3_enc->generate_master_secret(s,
2639 s->session->master_key, psk_or_pre_ms, p re_ms_len);
2640 psk_err = 0;
2641 psk_err:
2642 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2643 if (psk_err != 0)
2644 goto f_err;
2645 }
2646 else
2647 #endif
2648 if (alg_k & SSL_kGOST)
2649 {
2650 int ret = 0;
2651 EVP_PKEY_CTX *pkey_ctx;
2652 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2653 unsigned char premaster_secret[32], *start;
2654 size_t outlen=32, inlen;
2655 unsigned long alg_a;
2656
2657 /* Get our certificate private key*/
2658 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2659 if (alg_a & SSL_aGOST94)
2660 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
2661 else if (alg_a & SSL_aGOST01)
2662 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2663
2664 pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
2665 EVP_PKEY_decrypt_init(pkey_ctx);
2666 /* If client certificate is present and is of the same t ype, maybe
2667 * use it for key exchange. Don't mind errors from
2668 * EVP_PKEY_derive_set_peer, because it is completely va lid to use
2669 * a client certificate for authorization only. */
2670 client_pub_pkey = X509_get_pubkey(s->session->peer);
2671 if (client_pub_pkey)
2672 {
2673 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pu b_pkey) <= 0)
2674 ERR_clear_error();
2675 }
2676 /* Decrypt session key */
2677 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED)))
2678 {
2679 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_ DECRYPTION_FAILED);
2680 goto gerr;
2681 }
2682 if (p[1] == 0x81)
2683 {
2684 start = p+3;
2685 inlen = p[2];
2686 }
2687 else if (p[1] < 0x80)
2688 {
2689 start = p+2;
2690 inlen = p[1];
2691 }
2692 else
2693 {
2694 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_ DECRYPTION_FAILED);
2695 goto gerr;
2696 }
2697 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,s tart,inlen) <=0)
2698
2699 {
2700 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_ DECRYPTION_FAILED);
2701 goto gerr;
2702 }
2703 /* Generate master secret */
2704 s->session->master_key_length=
2705 s->method->ssl3_enc->generate_master_secret(s,
2706 s->session->master_key,premaster_secret, 32);
2707 /* Check if pubkey from client certificate was used */
2708 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PE ER_KEY, 2, NULL) > 0)
2709 ret = 2;
2710 else
2711 ret = 1;
2712 gerr:
2713 EVP_PKEY_free(client_pub_pkey);
2714 EVP_PKEY_CTX_free(pkey_ctx);
2715 if (ret)
2716 return ret;
2717 else
2718 goto err;
2719 }
2720 else
2371 { 2721 {
2372 al=SSL_AD_HANDSHAKE_FAILURE; 2722 al=SSL_AD_HANDSHAKE_FAILURE;
2373 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2374 SSL_R_UNKNOWN_CIPHER_TYPE); 2724 SSL_R_UNKNOWN_CIPHER_TYPE);
2375 goto f_err; 2725 goto f_err;
2376 } 2726 }
2377 2727
2378 return(1); 2728 return(1);
2379 f_err: 2729 f_err:
2380 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2730 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2381 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_E CDH) 2731 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_E CDH)
2382 err: 2732 err:
2383 #endif 2733 #endif
2384 #ifndef OPENSSL_NO_ECDH 2734 #ifndef OPENSSL_NO_ECDH
2385 EVP_PKEY_free(clnt_pub_pkey); 2735 EVP_PKEY_free(clnt_pub_pkey);
2386 EC_POINT_free(clnt_ecpoint); 2736 EC_POINT_free(clnt_ecpoint);
2387 if (srvr_ecdh != NULL) 2737 if (srvr_ecdh != NULL)
2388 EC_KEY_free(srvr_ecdh); 2738 EC_KEY_free(srvr_ecdh);
2389 BN_CTX_free(bn_ctx); 2739 BN_CTX_free(bn_ctx);
2390 #endif 2740 #endif
2391 return(-1); 2741 return(-1);
2392 } 2742 }
2393 2743
2394 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
2395 * sets the next_proto member in s if found */
2396 int ssl3_get_next_proto(SSL *s)
2397 {
2398 int ok;
2399 unsigned proto_len, padding_len;
2400 long n;
2401 const unsigned char *p;
2402
2403 /* Clients cannot send a NextProtocol message if we didn't see the
2404 * extension in their ClientHello */
2405 if (!s->s3->next_proto_neg_seen) {
2406 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EX TENSION);
2407 return -1;
2408 }
2409
2410 n=s->method->ssl_get_message(s,
2411 SSL3_ST_SR_NEXT_PROTO_A,
2412 SSL3_ST_SR_NEXT_PROTO_B,
2413 SSL3_MT_NEXT_PROTO,
2414 129,
2415 &ok);
2416
2417 if (!ok)
2418 return((int)n);
2419
2420 /* s->state doesn't reflect whether ChangeCipherSpec has been received
2421 * in this handshake, but s->s3->change_cipher_spec does (will be reset
2422 * by ssl3_get_finished). */
2423 if (!s->s3->change_cipher_spec)
2424 {
2425 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_C CS);
2426 return -1;
2427 }
2428
2429 if (n < 2)
2430 return 0; // The body must be > 1 bytes long */
2431
2432 p=(unsigned char *)s->init_msg;
2433
2434 /* The payload looks like:
2435 * uint8 proto_len;
2436 * uint8 proto[proto_len];
2437 * uint8 padding_len;
2438 * uint8 padding[padding_len];
2439 */
2440 proto_len = p[0];
2441 if (proto_len + 2 > s->init_num)
2442 return 0;
2443 padding_len = p[proto_len + 1];
2444 if (proto_len + padding_len + 2 != s->init_num)
2445 return 0;
2446
2447 s->next_proto_negotiated = OPENSSL_malloc(proto_len);
2448 if (!s->next_proto_negotiated) {
2449 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
2450 return 0;
2451 }
2452 memcpy(s->next_proto_negotiated, p + 1, proto_len);
2453 s->next_proto_negotiated_len = proto_len;
2454
2455 return 1;
2456 }
2457
2458 int ssl3_get_cert_verify(SSL *s) 2744 int ssl3_get_cert_verify(SSL *s)
2459 { 2745 {
2460 EVP_PKEY *pkey=NULL; 2746 EVP_PKEY *pkey=NULL;
2461 unsigned char *p; 2747 unsigned char *p;
2462 int al,ok,ret=0; 2748 int al,ok,ret=0;
2463 long n; 2749 long n;
2464 int type=0,i,j; 2750 int type=0,i,j;
2465 X509 *peer; 2751 X509 *peer;
2466 2752
2467 n=s->method->ssl_get_message(s, 2753 n=s->method->ssl_get_message(s,
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after
2514 2800
2515 if (s->s3->change_cipher_spec) 2801 if (s->s3->change_cipher_spec)
2516 { 2802 {
2517 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2803 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
2518 al=SSL_AD_UNEXPECTED_MESSAGE; 2804 al=SSL_AD_UNEXPECTED_MESSAGE;
2519 goto f_err; 2805 goto f_err;
2520 } 2806 }
2521 2807
2522 /* we now have a signature that we need to verify */ 2808 /* we now have a signature that we need to verify */
2523 p=(unsigned char *)s->init_msg; 2809 p=(unsigned char *)s->init_msg;
2524 » n2s(p,i); 2810 » /* Check for broken implementations of GOST ciphersuites */
2525 » n-=2; 2811 » /* If key is GOST and n is exactly 64, it is bare
2526 » if (i > n) 2812 » * signature without length field */
2813 » if (n==64 && (pkey->type==NID_id_GostR3410_94 ||
2814 » » pkey->type == NID_id_GostR3410_2001) )
2527 { 2815 {
2528 » » SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2816 » » i=64;
2529 » » al=SSL_AD_DECODE_ERROR; 2817 » » }
2530 » » goto f_err; 2818 » else
2531 » » } 2819 » » {»
2532 2820 » » n2s(p,i);
2821 » » n-=2;
2822 » » if (i > n)
2823 » » » {
2824 » » » SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH) ;
2825 » » » al=SSL_AD_DECODE_ERROR;
2826 » » » goto f_err;
2827 » » » }
2828 » }
2533 j=EVP_PKEY_size(pkey); 2829 j=EVP_PKEY_size(pkey);
2534 if ((i > j) || (n > j) || (n <= 0)) 2830 if ((i > j) || (n > j) || (n <= 0))
2535 { 2831 {
2536 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE); 2832 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
2537 al=SSL_AD_DECODE_ERROR; 2833 al=SSL_AD_DECODE_ERROR;
2538 goto f_err; 2834 goto f_err;
2539 } 2835 }
2540 2836
2541 #ifndef OPENSSL_NO_RSA 2837 #ifndef OPENSSL_NO_RSA
2542 if (pkey->type == EVP_PKEY_RSA) 2838 if (pkey->type == EVP_PKEY_RSA)
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
2585 { 2881 {
2586 /* bad signature */ 2882 /* bad signature */
2587 al=SSL_AD_DECRYPT_ERROR; 2883 al=SSL_AD_DECRYPT_ERROR;
2588 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2884 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2589 SSL_R_BAD_ECDSA_SIGNATURE); 2885 SSL_R_BAD_ECDSA_SIGNATURE);
2590 goto f_err; 2886 goto f_err;
2591 } 2887 }
2592 } 2888 }
2593 else 2889 else
2594 #endif 2890 #endif
2891 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_ 2001)
2892 { unsigned char signature[64];
2893 int idx;
2894 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL);
2895 EVP_PKEY_verify_init(pctx);
2896 if (i!=64) {
2897 fprintf(stderr,"GOST signature length is %d",i);
2898 }
2899 for (idx=0;idx<64;idx++) {
2900 signature[63-idx]=p[idx];
2901 }
2902 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_veri fy_md,32);
2903 EVP_PKEY_CTX_free(pctx);
2904 if (j<=0)
2905 {
2906 al=SSL_AD_DECRYPT_ERROR;
2907 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2908 SSL_R_BAD_ECDSA_SIGNATURE);
2909 goto f_err;
2910 }
2911 }
2912 else
2595 { 2913 {
2596 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2914 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
2597 al=SSL_AD_UNSUPPORTED_CERTIFICATE; 2915 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
2598 goto f_err; 2916 goto f_err;
2599 } 2917 }
2600 2918
2601 2919
2602 ret=1; 2920 ret=1;
2603 if (0) 2921 if (0)
2604 { 2922 {
(...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after
2767 } 3085 }
2768 3086
2769 int ssl3_send_server_certificate(SSL *s) 3087 int ssl3_send_server_certificate(SSL *s)
2770 { 3088 {
2771 unsigned long l; 3089 unsigned long l;
2772 X509 *x; 3090 X509 *x;
2773 3091
2774 if (s->state == SSL3_ST_SW_CERT_A) 3092 if (s->state == SSL3_ST_SW_CERT_A)
2775 { 3093 {
2776 x=ssl_get_server_send_cert(s); 3094 x=ssl_get_server_send_cert(s);
2777 » » if (x == NULL && 3095 » » if (x == NULL)
2778 /* VRS: allow null cert if auth == KRB5 */
2779 (s->s3->tmp.new_cipher->algorithms
2780 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
2781 != (SSL_aKRB5|SSL_kKRB5))
2782 { 3096 {
2783 » » » SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL _ERROR); 3097 » » » /* VRS: allow null cert if auth == KRB5 */
2784 » » » return(0); 3098 » » » if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
3099 » » » (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
3100 » » » » {
3101 » » » » SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_ INTERNAL_ERROR);
3102 » » » » return(0);
3103 » » » » }
2785 } 3104 }
2786 3105
2787 l=ssl3_output_cert_chain(s,x); 3106 l=ssl3_output_cert_chain(s,x);
2788 s->state=SSL3_ST_SW_CERT_B; 3107 s->state=SSL3_ST_SW_CERT_B;
2789 s->init_num=(int)l; 3108 s->init_num=(int)l;
2790 s->init_off=0; 3109 s->init_off=0;
2791 } 3110 }
2792 3111
2793 /* SSL3_ST_SW_CERT_B */ 3112 /* SSL3_ST_SW_CERT_B */
2794 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3113 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2795 } 3114 }
2796
2797
2798 #ifndef OPENSSL_NO_ECDH
2799 /* This is the complement of curve_id2nid in s3_clnt.c. */
2800 static int nid2curve_id(int nid)
2801 {
2802 /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2803 * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2804 switch (nid) {
2805 case NID_sect163k1: /* sect163k1 (1) */
2806 return 1;
2807 case NID_sect163r1: /* sect163r1 (2) */
2808 return 2;
2809 case NID_sect163r2: /* sect163r2 (3) */
2810 return 3;
2811 case NID_sect193r1: /* sect193r1 (4) */
2812 return 4;
2813 case NID_sect193r2: /* sect193r2 (5) */
2814 return 5;
2815 case NID_sect233k1: /* sect233k1 (6) */
2816 return 6;
2817 case NID_sect233r1: /* sect233r1 (7) */
2818 return 7;
2819 case NID_sect239k1: /* sect239k1 (8) */
2820 return 8;
2821 case NID_sect283k1: /* sect283k1 (9) */
2822 return 9;
2823 case NID_sect283r1: /* sect283r1 (10) */
2824 return 10;
2825 case NID_sect409k1: /* sect409k1 (11) */
2826 return 11;
2827 case NID_sect409r1: /* sect409r1 (12) */
2828 return 12;
2829 case NID_sect571k1: /* sect571k1 (13) */
2830 return 13;
2831 case NID_sect571r1: /* sect571r1 (14) */
2832 return 14;
2833 case NID_secp160k1: /* secp160k1 (15) */
2834 return 15;
2835 case NID_secp160r1: /* secp160r1 (16) */
2836 return 16;
2837 case NID_secp160r2: /* secp160r2 (17) */
2838 return 17;
2839 case NID_secp192k1: /* secp192k1 (18) */
2840 return 18;
2841 case NID_X9_62_prime192v1: /* secp192r1 (19) */
2842 return 19;
2843 case NID_secp224k1: /* secp224k1 (20) */
2844 return 20;
2845 case NID_secp224r1: /* secp224r1 (21) */
2846 return 21;
2847 case NID_secp256k1: /* secp256k1 (22) */
2848 return 22;
2849 case NID_X9_62_prime256v1: /* secp256r1 (23) */
2850 return 23;
2851 case NID_secp384r1: /* secp384r1 (24) */
2852 return 24;
2853 case NID_secp521r1: /* secp521r1 (25) */
2854 return 25;
2855 default:
2856 return 0;
2857 }
2858 }
2859 #endif
2860 #ifndef OPENSSL_NO_TLSEXT 3115 #ifndef OPENSSL_NO_TLSEXT
2861 int ssl3_send_newsession_ticket(SSL *s) 3116 int ssl3_send_newsession_ticket(SSL *s)
2862 { 3117 {
2863 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3118 if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
2864 { 3119 {
2865 unsigned char *p, *senc, *macstart; 3120 unsigned char *p, *senc, *macstart;
2866 int len, slen; 3121 int len, slen;
2867 unsigned int hlen; 3122 unsigned int hlen;
2868 EVP_CIPHER_CTX ctx; 3123 EVP_CIPHER_CTX ctx;
2869 HMAC_CTX hctx; 3124 HMAC_CTX hctx;
(...skipping 122 matching lines...) Expand 10 before | Expand all | Expand 10 after
2992 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 3247 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
2993 /* number of bytes to write */ 3248 /* number of bytes to write */
2994 s->init_num = 8 + s->tlsext_ocsp_resplen; 3249 s->init_num = 8 + s->tlsext_ocsp_resplen;
2995 s->state=SSL3_ST_SW_CERT_STATUS_B; 3250 s->state=SSL3_ST_SW_CERT_STATUS_B;
2996 s->init_off = 0; 3251 s->init_off = 0;
2997 } 3252 }
2998 3253
2999 /* SSL3_ST_SW_CERT_STATUS_B */ 3254 /* SSL3_ST_SW_CERT_STATUS_B */
3000 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3255 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3001 } 3256 }
3002 #endif
3003 3257
3004 /* ssl3_snap_start_evaluate_handshake verifies the Snap Start prediction (if 3258 # ifndef OPENSSL_NO_NPN
3005 * this is a Snap Start handshake). If it returns non-zero, then we are 3259 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
3006 * entering recovery and |s->state| has been set accordingly. */ 3260 * sets the next_proto member in s if found */
3007 static int ssl3_snap_start_evaluate_handshake(SSL* s) 3261 int ssl3_get_next_proto(SSL *s)
3008 { 3262 {
3009 » unsigned char digest[8]; 3263 » int ok;
3264 » unsigned proto_len, padding_len;
3265 » long n;
3266 » const unsigned char *p;
3010 3267
3011 » if (!s->s3->snap_start_requested) 3268 » /* Clients cannot send a NextProtocol message if we didn't see the
3269 » * extension in their ClientHello */
3270 » if (!s->s3->next_proto_neg_seen)
3271 » » {
3272 » » SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EX TENSION);
3273 » » return -1;
3274 » » }
3275
3276 » n=s->method->ssl_get_message(s,
3277 » » SSL3_ST_SR_NEXT_PROTO_A,
3278 » » SSL3_ST_SR_NEXT_PROTO_B,
3279 » » SSL3_MT_NEXT_PROTO,
3280 » » 514, /* See the payload format below */
3281 » » &ok);
3282
3283 » if (!ok)
3284 » » return((int)n);
3285
3286 » /* s->state doesn't reflect whether ChangeCipherSpec has been received
3287 » * in this handshake, but s->s3->change_cipher_spec does (will be reset
3288 » * by ssl3_get_finished). */
3289 » if (!s->s3->change_cipher_spec)
3290 » » {
3291 » » SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_C CS);
3292 » » return -1;
3293 » » }
3294
3295 » if (n < 2)
3296 » » return 0; /* The body must be > 1 bytes long */
3297
3298 » p=(unsigned char *)s->init_msg;
3299
3300 » /* The payload looks like:
3301 » * uint8 proto_len;
3302 » * uint8 proto[proto_len];
3303 » * uint8 padding_len;
3304 » * uint8 padding[padding_len];
3305 » */
3306 » proto_len = p[0];
3307 » if (proto_len + 2 > s->init_num)
3308 » » return 0;
3309 » padding_len = p[proto_len + 1];
3310 » if (proto_len + padding_len + 2 != s->init_num)
3012 return 0; 3311 return 0;
3013 3312
3014 » /* Drop the currently queued messages. Either we're entering recovery, 3313 » s->next_proto_negotiated = OPENSSL_malloc(proto_len);
3015 » * in which case they're wrong, or we're doing snap start, in which 3314 » if (!s->next_proto_negotiated)
3016 » * case we don't want to send them. */ 3315 » » {
3017 » if (!ssl_init_wbio_buffer(s, 1 /* push new BIO */)) 3316 » » SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
3018 » » return -1; 3317 » » return 0;
3318 » » }
3319 » memcpy(s->next_proto_negotiated, p + 1, proto_len);
3320 » s->next_proto_negotiated_len = proto_len;
3019 3321
3020 » fnv1a64_final(digest, (FNV1A64*) s->s3->response_hash); 3322 » return 1;
3021
3022 » /* Turn off FNV hashing of handshake messages. */
3023 » s->s3->snap_start_requested = 0;
3024
3025 » if (memcmp(digest, s->s3->predicted_response_hash, sizeof(digest)) != 0)
3026 » » {
3027 » » /* The predicted handshake didn't match. */
3028 » » ssl3_snap_start_reset_for_recovery(s);
3029 » » s->state = SSL3_ST_SW_SRVR_HELLO_A;
3030 » » return 1;
3031 » » }
3032
3033 » return 0;
3034 } 3323 }
3035 3324 # endif
3036 /* ssl3_snap_start_reset_for_recovery is called is called when a Snap Start 3325 #endif
3037 * handshake is impossible because either the application layer has rejected
3038 * the client's suggested server random, or predicated_response_hash failed to
3039 * match response_hash */
3040 int ssl3_snap_start_reset_for_recovery(SSL* s)
3041 » {
3042 » s->s3->snap_start_requested = 0;
3043 » s->s3->snap_start_records.left = 0;
3044 » s->init_num = 0;
3045
3046 » /* Reset the handshake hash and hash in the original ClientHello. */
3047 » ssl3_init_finished_mac(s);
3048 » ssl3_finish_mac(s, s->s3->snap_start_client_hello.buf, s->s3->snap_start _client_hello.left);
3049
3050 » OPENSSL_free(s->s3->snap_start_client_hello.buf);
3051 » s->s3->snap_start_client_hello.buf = NULL;
3052
3053 » return 0;
3054 » }
OLDNEW
« no previous file with comments | « openssl/ssl/s3_pkt.c ('k') | openssl/ssl/ssl.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698