995c8298b8a1ac7f8262a5d20a79af7577cad443
[openssl.git] / ssl / s3_clnt.c
1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  *
114  * Portions of the attached software ("Contribution") are developed by 
115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116  *
117  * The Contribution is licensed pursuant to the OpenSSL open source
118  * license provided above.
119  *
120  * ECC cipher suite support in OpenSSL originally written by
121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122  *
123  */
124
125 #include <stdio.h>
126 #include "ssl_locl.h"
127 #include "kssl_lcl.h"
128 #include <openssl/buffer.h>
129 #include <openssl/rand.h>
130 #include <openssl/objects.h>
131 #include <openssl/evp.h>
132 #include <openssl/md5.h>
133 #ifndef OPENSSL_NO_DH
134 #include <openssl/dh.h>
135 #endif
136 #include <openssl/bn.h>
137
138 static const SSL_METHOD *ssl3_get_client_method(int ver);
139 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
140
141 #ifndef OPENSSL_NO_ECDH
142 static int curve_id2nid(int curve_id);
143 int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
144 #endif
145
146 static const SSL_METHOD *ssl3_get_client_method(int ver)
147         {
148         if (ver == SSL3_VERSION)
149                 return(SSLv3_client_method());
150         else
151                 return(NULL);
152         }
153
154 IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
155                         ssl_undefined_function,
156                         ssl3_connect,
157                         ssl3_get_client_method)
158
159 int ssl3_connect(SSL *s)
160         {
161         BUF_MEM *buf=NULL;
162         unsigned long Time=(unsigned long)time(NULL),l;
163         long num1;
164         void (*cb)(const SSL *ssl,int type,int val)=NULL;
165         int ret= -1;
166         int new_state,state,skip=0;;
167
168         RAND_add(&Time,sizeof(Time),0);
169         ERR_clear_error();
170         clear_sys_error();
171
172         if (s->info_callback != NULL)
173                 cb=s->info_callback;
174         else if (s->ctx->info_callback != NULL)
175                 cb=s->ctx->info_callback;
176         
177         s->in_handshake++;
178         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
179
180         for (;;)
181                 {
182                 state=s->state;
183
184                 switch(s->state)
185                         {
186                 case SSL_ST_RENEGOTIATE:
187                         s->new_session=1;
188                         s->state=SSL_ST_CONNECT;
189                         s->ctx->stats.sess_connect_renegotiate++;
190                         /* break */
191                 case SSL_ST_BEFORE:
192                 case SSL_ST_CONNECT:
193                 case SSL_ST_BEFORE|SSL_ST_CONNECT:
194                 case SSL_ST_OK|SSL_ST_CONNECT:
195
196                         s->server=0;
197                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
198
199                         if ((s->version & 0xff00 ) != 0x0300)
200                                 {
201                                 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
202                                 ret = -1;
203                                 goto end;
204                                 }
205                                 
206                         /* s->version=SSL3_VERSION; */
207                         s->type=SSL_ST_CONNECT;
208
209                         if (s->init_buf == NULL)
210                                 {
211                                 if ((buf=BUF_MEM_new()) == NULL)
212                                         {
213                                         ret= -1;
214                                         goto end;
215                                         }
216                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
217                                         {
218                                         ret= -1;
219                                         goto end;
220                                         }
221                                 s->init_buf=buf;
222                                 buf=NULL;
223                                 }
224
225                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
226
227                         /* setup buffing BIO */
228                         if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
229
230                         /* don't push the buffering BIO quite yet */
231
232                         ssl3_init_finished_mac(s);
233
234                         s->state=SSL3_ST_CW_CLNT_HELLO_A;
235                         s->ctx->stats.sess_connect++;
236                         s->init_num=0;
237                         break;
238
239                 case SSL3_ST_CW_CLNT_HELLO_A:
240                 case SSL3_ST_CW_CLNT_HELLO_B:
241
242                         s->shutdown=0;
243                         ret=ssl3_client_hello(s);
244                         if (ret <= 0) goto end;
245                         s->state=SSL3_ST_CR_SRVR_HELLO_A;
246                         s->init_num=0;
247
248                         /* turn on buffering for the next lot of output */
249                         if (s->bbio != s->wbio)
250                                 s->wbio=BIO_push(s->bbio,s->wbio);
251
252                         break;
253
254                 case SSL3_ST_CR_SRVR_HELLO_A:
255                 case SSL3_ST_CR_SRVR_HELLO_B:
256                         ret=ssl3_get_server_hello(s);
257                         if (ret <= 0) goto end;
258
259                         if (s->hit)
260                                 s->state=SSL3_ST_CR_FINISHED_A;
261                         else
262                                 s->state=SSL3_ST_CR_CERT_A;
263                         s->init_num=0;
264                         break;
265
266                 case SSL3_ST_CR_CERT_A:
267                 case SSL3_ST_CR_CERT_B:
268                         /* Check if it is anon DH/ECDH */
269                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
270                                 {
271                                 ret=ssl3_get_server_certificate(s);
272                                 if (ret <= 0) goto end;
273                                 }
274                         else
275                                 skip=1;
276                         s->state=SSL3_ST_CR_KEY_EXCH_A;
277                         s->init_num=0;
278                         break;
279
280                 case SSL3_ST_CR_KEY_EXCH_A:
281                 case SSL3_ST_CR_KEY_EXCH_B:
282                         ret=ssl3_get_key_exchange(s);
283                         if (ret <= 0) goto end;
284                         s->state=SSL3_ST_CR_CERT_REQ_A;
285                         s->init_num=0;
286
287                         /* at this point we check that we have the
288                          * required stuff from the server */
289                         if (!ssl3_check_cert_and_algorithm(s))
290                                 {
291                                 ret= -1;
292                                 goto end;
293                                 }
294                         break;
295
296                 case SSL3_ST_CR_CERT_REQ_A:
297                 case SSL3_ST_CR_CERT_REQ_B:
298                         ret=ssl3_get_certificate_request(s);
299                         if (ret <= 0) goto end;
300                         s->state=SSL3_ST_CR_SRVR_DONE_A;
301                         s->init_num=0;
302                         break;
303
304                 case SSL3_ST_CR_SRVR_DONE_A:
305                 case SSL3_ST_CR_SRVR_DONE_B:
306                         ret=ssl3_get_server_done(s);
307                         if (ret <= 0) goto end;
308                         if (s->s3->tmp.cert_req)
309                                 s->state=SSL3_ST_CW_CERT_A;
310                         else
311                                 s->state=SSL3_ST_CW_KEY_EXCH_A;
312                         s->init_num=0;
313
314                         break;
315
316                 case SSL3_ST_CW_CERT_A:
317                 case SSL3_ST_CW_CERT_B:
318                 case SSL3_ST_CW_CERT_C:
319                 case SSL3_ST_CW_CERT_D:
320                         ret=ssl3_send_client_certificate(s);
321                         if (ret <= 0) goto end;
322                         s->state=SSL3_ST_CW_KEY_EXCH_A;
323                         s->init_num=0;
324                         break;
325
326                 case SSL3_ST_CW_KEY_EXCH_A:
327                 case SSL3_ST_CW_KEY_EXCH_B:
328                         ret=ssl3_send_client_key_exchange(s);
329                         if (ret <= 0) goto end;
330                         l=s->s3->tmp.new_cipher->algorithms;
331                         /* EAY EAY EAY need to check for DH fix cert
332                          * sent back */
333                         /* For TLS, cert_req is set to 2, so a cert chain
334                          * of nothing is sent, but no verify packet is sent */
335                         /* XXX: For now, we do not support client 
336                          * authentication in ECDH cipher suites with
337                          * ECDH (rather than ECDSA) certificates.
338                          * We need to skip the certificate verify 
339                          * message when client's ECDH public key is sent 
340                          * inside the client certificate.
341                          */
342                         if (s->s3->tmp.cert_req == 1)
343                                 {
344                                 s->state=SSL3_ST_CW_CERT_VRFY_A;
345                                 }
346                         else
347                                 {
348                                 s->state=SSL3_ST_CW_CHANGE_A;
349                                 s->s3->change_cipher_spec=0;
350                                 }
351
352                         s->init_num=0;
353                         break;
354
355                 case SSL3_ST_CW_CERT_VRFY_A:
356                 case SSL3_ST_CW_CERT_VRFY_B:
357                         ret=ssl3_send_client_verify(s);
358                         if (ret <= 0) goto end;
359                         s->state=SSL3_ST_CW_CHANGE_A;
360                         s->init_num=0;
361                         s->s3->change_cipher_spec=0;
362                         break;
363
364                 case SSL3_ST_CW_CHANGE_A:
365                 case SSL3_ST_CW_CHANGE_B:
366                         ret=ssl3_send_change_cipher_spec(s,
367                                 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
368                         if (ret <= 0) goto end;
369                         s->state=SSL3_ST_CW_FINISHED_A;
370                         s->init_num=0;
371
372                         s->session->cipher=s->s3->tmp.new_cipher;
373 #ifdef OPENSSL_NO_COMP
374                         s->session->compress_meth=0;
375 #else
376                         if (s->s3->tmp.new_compression == NULL)
377                                 s->session->compress_meth=0;
378                         else
379                                 s->session->compress_meth=
380                                         s->s3->tmp.new_compression->id;
381 #endif
382                         if (!s->method->ssl3_enc->setup_key_block(s))
383                                 {
384                                 ret= -1;
385                                 goto end;
386                                 }
387
388                         if (!s->method->ssl3_enc->change_cipher_state(s,
389                                 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
390                                 {
391                                 ret= -1;
392                                 goto end;
393                                 }
394
395                         break;
396
397                 case SSL3_ST_CW_FINISHED_A:
398                 case SSL3_ST_CW_FINISHED_B:
399                         ret=ssl3_send_finished(s,
400                                 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
401                                 s->method->ssl3_enc->client_finished_label,
402                                 s->method->ssl3_enc->client_finished_label_len);
403                         if (ret <= 0) goto end;
404                         s->state=SSL3_ST_CW_FLUSH;
405
406                         /* clear flags */
407                         s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
408                         if (s->hit)
409                                 {
410                                 s->s3->tmp.next_state=SSL_ST_OK;
411                                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
412                                         {
413                                         s->state=SSL_ST_OK;
414                                         s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
415                                         s->s3->delay_buf_pop_ret=0;
416                                         }
417                                 }
418                         else
419                                 {
420                                 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
421                                 }
422                         s->init_num=0;
423                         break;
424
425                 case SSL3_ST_CR_FINISHED_A:
426                 case SSL3_ST_CR_FINISHED_B:
427
428                         ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
429                                 SSL3_ST_CR_FINISHED_B);
430                         if (ret <= 0) goto end;
431
432                         if (s->hit)
433                                 s->state=SSL3_ST_CW_CHANGE_A;
434                         else
435                                 s->state=SSL_ST_OK;
436                         s->init_num=0;
437                         break;
438
439                 case SSL3_ST_CW_FLUSH:
440                         /* number of bytes to be flushed */
441                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
442                         if (num1 > 0)
443                                 {
444                                 s->rwstate=SSL_WRITING;
445                                 num1=BIO_flush(s->wbio);
446                                 if (num1 <= 0) { ret= -1; goto end; }
447                                 s->rwstate=SSL_NOTHING;
448                                 }
449
450                         s->state=s->s3->tmp.next_state;
451                         break;
452
453                 case SSL_ST_OK:
454                         /* clean a few things up */
455                         ssl3_cleanup_key_block(s);
456
457                         if (s->init_buf != NULL)
458                                 {
459                                 BUF_MEM_free(s->init_buf);
460                                 s->init_buf=NULL;
461                                 }
462
463                         /* If we are not 'joining' the last two packets,
464                          * remove the buffering now */
465                         if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
466                                 ssl_free_wbio_buffer(s);
467                         /* else do it later in ssl3_write */
468
469                         s->init_num=0;
470                         s->new_session=0;
471
472                         ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
473                         if (s->hit) s->ctx->stats.sess_hit++;
474
475                         ret=1;
476                         /* s->server=0; */
477                         s->handshake_func=ssl3_connect;
478                         s->ctx->stats.sess_connect_good++;
479
480                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
481
482                         goto end;
483                         /* break; */
484                         
485                 default:
486                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
487                         ret= -1;
488                         goto end;
489                         /* break; */
490                         }
491
492                 /* did we do anything */
493                 if (!s->s3->tmp.reuse_message && !skip)
494                         {
495                         if (s->debug)
496                                 {
497                                 if ((ret=BIO_flush(s->wbio)) <= 0)
498                                         goto end;
499                                 }
500
501                         if ((cb != NULL) && (s->state != state))
502                                 {
503                                 new_state=s->state;
504                                 s->state=state;
505                                 cb(s,SSL_CB_CONNECT_LOOP,1);
506                                 s->state=new_state;
507                                 }
508                         }
509                 skip=0;
510                 }
511 end:
512         s->in_handshake--;
513         if (buf != NULL)
514                 BUF_MEM_free(buf);
515         if (cb != NULL)
516                 cb(s,SSL_CB_CONNECT_EXIT,ret);
517         return(ret);
518         }
519
520
521 int ssl3_client_hello(SSL *s)
522         {
523         unsigned char *buf;
524         unsigned char *p,*d;
525         int i;
526         unsigned long Time,l;
527 #ifndef OPENSSL_NO_COMP
528         int j;
529         SSL_COMP *comp;
530 #endif
531
532         buf=(unsigned char *)s->init_buf->data;
533         if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
534                 {
535                 if ((s->session == NULL) ||
536                         (s->session->ssl_version != s->version) ||
537                         (s->session->not_resumable))
538                         {
539                         if (!ssl_get_new_session(s,0))
540                                 goto err;
541                         }
542                 /* else use the pre-loaded session */
543
544                 p=s->s3->client_random;
545                 Time=(unsigned long)time(NULL);                 /* Time */
546                 l2n(Time,p);
547                 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
548                         goto err;
549
550                 /* Do the message type and length last */
551                 d=p= &(buf[4]);
552
553                 *(p++)=s->version>>8;
554                 *(p++)=s->version&0xff;
555                 s->client_version=s->version;
556
557                 /* Random stuff */
558                 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
559                 p+=SSL3_RANDOM_SIZE;
560
561                 /* Session ID */
562                 if (s->new_session)
563                         i=0;
564                 else
565                         i=s->session->session_id_length;
566                 *(p++)=i;
567                 if (i != 0)
568                         {
569                         if (i > (int)sizeof(s->session->session_id))
570                                 {
571                                 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
572                                 goto err;
573                                 }
574                         memcpy(p,s->session->session_id,i);
575                         p+=i;
576                         }
577                 
578                 /* Ciphers supported */
579                 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
580                 if (i == 0)
581                         {
582                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
583                         goto err;
584                         }
585                 s2n(i,p);
586                 p+=i;
587
588                 /* COMPRESSION */
589 #ifdef OPENSSL_NO_COMP
590                 *(p++)=1;
591 #else
592
593                 if ((s->options & SSL_OP_NO_COMPRESSION)
594                                         || !s->ctx->comp_methods)
595                         j=0;
596                 else
597                         j=sk_SSL_COMP_num(s->ctx->comp_methods);
598                 *(p++)=1+j;
599                 for (i=0; i<j; i++)
600                         {
601                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
602                         *(p++)=comp->id;
603                         }
604 #endif
605                 *(p++)=0; /* Add the NULL method */
606 #ifndef OPENSSL_NO_TLSEXT
607                 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
608                         {
609                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
610                         goto err;
611                         }
612 #endif
613                 
614                 l=(p-d);
615                 d=buf;
616                 *(d++)=SSL3_MT_CLIENT_HELLO;
617                 l2n3(l,d);
618
619                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
620                 /* number of bytes to write */
621                 s->init_num=p-buf;
622                 s->init_off=0;
623                 }
624
625         /* SSL3_ST_CW_CLNT_HELLO_B */
626         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
627 err:
628         return(-1);
629         }
630
631 int ssl3_get_server_hello(SSL *s)
632         {
633         STACK_OF(SSL_CIPHER) *sk;
634         SSL_CIPHER *c;
635         unsigned char *p,*d;
636         int i,al,ok;
637         unsigned int j;
638         long n;
639 #ifndef OPENSSL_NO_COMP
640         SSL_COMP *comp;
641 #endif
642
643         n=s->method->ssl_get_message(s,
644                 SSL3_ST_CR_SRVR_HELLO_A,
645                 SSL3_ST_CR_SRVR_HELLO_B,
646                 -1,
647                 300, /* ?? */
648                 &ok);
649
650         if (!ok) return((int)n);
651
652         if ( SSL_version(s) == DTLS1_VERSION)
653                 {
654                 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
655                         {
656                         if ( s->d1->send_cookie == 0)
657                                 {
658                                 s->s3->tmp.reuse_message = 1;
659                                 return 1;
660                                 }
661                         else /* already sent a cookie */
662                                 {
663                                 al=SSL_AD_UNEXPECTED_MESSAGE;
664                                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
665                                 goto f_err;
666                                 }
667                         }
668                 }
669         
670         if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
671                 {
672                 al=SSL_AD_UNEXPECTED_MESSAGE;
673                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
674                 goto f_err;
675                 }
676
677         d=p=(unsigned char *)s->init_msg;
678
679         if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
680                 {
681                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
682                 s->version=(s->version&0xff00)|p[1];
683                 al=SSL_AD_PROTOCOL_VERSION;
684                 goto f_err;
685                 }
686         p+=2;
687
688         /* load the server hello data */
689         /* load the server random */
690         memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
691         p+=SSL3_RANDOM_SIZE;
692
693         /* get the session-id */
694         j= *(p++);
695
696         if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
697                 {
698                 al=SSL_AD_ILLEGAL_PARAMETER;
699                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
700                 goto f_err;
701                 }
702
703         if (j != 0 && j == s->session->session_id_length
704             && memcmp(p,s->session->session_id,j) == 0)
705             {
706             if(s->sid_ctx_length != s->session->sid_ctx_length
707                || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
708                 {
709                 /* actually a client application bug */
710                 al=SSL_AD_ILLEGAL_PARAMETER;
711                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
712                 goto f_err;
713                 }
714             s->hit=1;
715             }
716         else    /* a miss or crap from the other end */
717                 {
718                 /* If we were trying for session-id reuse, make a new
719                  * SSL_SESSION so we don't stuff up other people */
720                 s->hit=0;
721                 if (s->session->session_id_length > 0)
722                         {
723                         if (!ssl_get_new_session(s,0))
724                                 {
725                                 al=SSL_AD_INTERNAL_ERROR;
726                                 goto f_err;
727                                 }
728                         }
729                 s->session->session_id_length=j;
730                 memcpy(s->session->session_id,p,j); /* j could be 0 */
731                 }
732         p+=j;
733         c=ssl_get_cipher_by_char(s,p);
734         if (c == NULL)
735                 {
736                 /* unknown cipher */
737                 al=SSL_AD_ILLEGAL_PARAMETER;
738                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
739                 goto f_err;
740                 }
741         p+=ssl_put_cipher_by_char(s,NULL,NULL);
742
743         sk=ssl_get_ciphers_by_id(s);
744         i=sk_SSL_CIPHER_find(sk,c);
745         if (i < 0)
746                 {
747                 /* we did not say we would use this cipher */
748                 al=SSL_AD_ILLEGAL_PARAMETER;
749                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
750                 goto f_err;
751                 }
752
753         /* Depending on the session caching (internal/external), the cipher
754            and/or cipher_id values may not be set. Make sure that
755            cipher_id is set and use it for comparison. */
756         if (s->session->cipher)
757                 s->session->cipher_id = s->session->cipher->id;
758         if (s->hit && (s->session->cipher_id != c->id))
759                 {
760                 if (!(s->options &
761                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
762                         {
763                         al=SSL_AD_ILLEGAL_PARAMETER;
764                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
765                         goto f_err;
766                         }
767                 }
768         s->s3->tmp.new_cipher=c;
769
770         /* lets get the compression algorithm */
771         /* COMPRESSION */
772 #ifdef OPENSSL_NO_COMP
773         if (*(p++) != 0)
774                 {
775                 al=SSL_AD_ILLEGAL_PARAMETER;
776                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
777                 goto f_err;
778                 }
779 #else
780         j= *(p++);
781         if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
782                 comp=NULL;
783         else
784                 comp=ssl3_comp_find(s->ctx->comp_methods,j);
785         
786         if ((j != 0) && (comp == NULL))
787                 {
788                 al=SSL_AD_ILLEGAL_PARAMETER;
789                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
790                 goto f_err;
791                 }
792         else
793                 {
794                 s->s3->tmp.new_compression=comp;
795                 }
796 #endif
797 #ifndef OPENSSL_NO_TLSEXT
798         /* TLS extensions*/
799         if (s->version > SSL3_VERSION)
800                 {
801                 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
802                         {
803                         /* 'al' set by ssl_parse_serverhello_tlsext */
804                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
805                         goto f_err; 
806                         }
807                 if (ssl_check_tlsext(s,0) <= 0)
808                         {
809                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
810                                 goto err;
811                         }
812                 }
813 #endif
814
815         if (p != (d+n))
816                 {
817                 /* wrong packet length */
818                 al=SSL_AD_DECODE_ERROR;
819                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
820                 goto err;
821                 }
822
823         return(1);
824 f_err:
825         ssl3_send_alert(s,SSL3_AL_FATAL,al);
826 err:
827         return(-1);
828         }
829
830 int ssl3_get_server_certificate(SSL *s)
831         {
832         int al,i,ok,ret= -1;
833         unsigned long n,nc,llen,l;
834         X509 *x=NULL;
835         const unsigned char *q,*p;
836         unsigned char *d;
837         STACK_OF(X509) *sk=NULL;
838         SESS_CERT *sc;
839         EVP_PKEY *pkey=NULL;
840         int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
841
842         n=s->method->ssl_get_message(s,
843                 SSL3_ST_CR_CERT_A,
844                 SSL3_ST_CR_CERT_B,
845                 -1,
846                 s->max_cert_list,
847                 &ok);
848
849         if (!ok) return((int)n);
850
851         if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
852                 {
853                 s->s3->tmp.reuse_message=1;
854                 return(1);
855                 }
856
857         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
858                 {
859                 al=SSL_AD_UNEXPECTED_MESSAGE;
860                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
861                 goto f_err;
862                 }
863         p=d=(unsigned char *)s->init_msg;
864
865         if ((sk=sk_X509_new_null()) == NULL)
866                 {
867                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
868                 goto err;
869                 }
870
871         n2l3(p,llen);
872         if (llen+3 != n)
873                 {
874                 al=SSL_AD_DECODE_ERROR;
875                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
876                 goto f_err;
877                 }
878         for (nc=0; nc<llen; )
879                 {
880                 n2l3(p,l);
881                 if ((l+nc+3) > llen)
882                         {
883                         al=SSL_AD_DECODE_ERROR;
884                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
885                         goto f_err;
886                         }
887
888                 q=p;
889                 x=d2i_X509(NULL,&q,l);
890                 if (x == NULL)
891                         {
892                         al=SSL_AD_BAD_CERTIFICATE;
893                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
894                         goto f_err;
895                         }
896                 if (q != (p+l))
897                         {
898                         al=SSL_AD_DECODE_ERROR;
899                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
900                         goto f_err;
901                         }
902                 if (!sk_X509_push(sk,x))
903                         {
904                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
905                         goto err;
906                         }
907                 x=NULL;
908                 nc+=l+3;
909                 p=q;
910                 }
911
912         i=ssl_verify_cert_chain(s,sk);
913         if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
914 #ifndef OPENSSL_NO_KRB5
915                 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
916                 != (SSL_aKRB5|SSL_kKRB5)
917 #endif /* OPENSSL_NO_KRB5 */
918                 )
919                 {
920                 al=ssl_verify_alarm_type(s->verify_result);
921                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
922                 goto f_err; 
923                 }
924         ERR_clear_error(); /* but we keep s->verify_result */
925
926         sc=ssl_sess_cert_new();
927         if (sc == NULL) goto err;
928
929         if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
930         s->session->sess_cert=sc;
931
932         sc->cert_chain=sk;
933         /* Inconsistency alert: cert_chain does include the peer's
934          * certificate, which we don't include in s3_srvr.c */
935         x=sk_X509_value(sk,0);
936         sk=NULL;
937         /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
938
939         pkey=X509_get_pubkey(x);
940
941         /* VRS: allow null cert if auth == KRB5 */
942         need_cert =     ((s->s3->tmp.new_cipher->algorithms
943                          & (SSL_MKEY_MASK|SSL_AUTH_MASK))
944                          == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
945
946 #ifdef KSSL_DEBUG
947         printf("pkey,x = %p, %p\n", pkey,x);
948         printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
949         printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
950                 s->s3->tmp.new_cipher->algorithms, need_cert);
951 #endif    /* KSSL_DEBUG */
952
953         if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
954                 {
955                 x=NULL;
956                 al=SSL3_AL_FATAL;
957                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
958                         SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
959                 goto f_err;
960                 }
961
962         i=ssl_cert_type(x,pkey);
963         if (need_cert && i < 0)
964                 {
965                 x=NULL;
966                 al=SSL3_AL_FATAL;
967                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
968                         SSL_R_UNKNOWN_CERTIFICATE_TYPE);
969                 goto f_err;
970                 }
971
972         if (need_cert)
973                 {
974                 sc->peer_cert_type=i;
975                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
976                 /* Why would the following ever happen?
977                  * We just created sc a couple of lines ago. */
978                 if (sc->peer_pkeys[i].x509 != NULL)
979                         X509_free(sc->peer_pkeys[i].x509);
980                 sc->peer_pkeys[i].x509=x;
981                 sc->peer_key= &(sc->peer_pkeys[i]);
982
983                 if (s->session->peer != NULL)
984                         X509_free(s->session->peer);
985                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
986                 s->session->peer=x;
987                 }
988         else
989                 {
990                 sc->peer_cert_type=i;
991                 sc->peer_key= NULL;
992
993                 if (s->session->peer != NULL)
994                         X509_free(s->session->peer);
995                 s->session->peer=NULL;
996                 }
997         s->session->verify_result = s->verify_result;
998
999         x=NULL;
1000         ret=1;
1001
1002         if (0)
1003                 {
1004 f_err:
1005                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1006                 }
1007 err:
1008         EVP_PKEY_free(pkey);
1009         X509_free(x);
1010         sk_X509_pop_free(sk,X509_free);
1011         return(ret);
1012         }
1013
1014 int ssl3_get_key_exchange(SSL *s)
1015         {
1016 #ifndef OPENSSL_NO_RSA
1017         unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1018 #endif
1019         EVP_MD_CTX md_ctx;
1020         unsigned char *param,*p;
1021         int al,i,j,param_len,ok;
1022         long n,alg;
1023         EVP_PKEY *pkey=NULL;
1024 #ifndef OPENSSL_NO_RSA
1025         RSA *rsa=NULL;
1026 #endif
1027 #ifndef OPENSSL_NO_DH
1028         DH *dh=NULL;
1029 #endif
1030 #ifndef OPENSSL_NO_ECDH
1031         EC_KEY *ecdh = NULL;
1032         BN_CTX *bn_ctx = NULL;
1033         EC_POINT *srvr_ecpoint = NULL;
1034         int curve_nid = 0;
1035         int encoded_pt_len = 0;
1036 #endif
1037
1038         /* use same message size as in ssl3_get_certificate_request()
1039          * as ServerKeyExchange message may be skipped */
1040         n=s->method->ssl_get_message(s,
1041                 SSL3_ST_CR_KEY_EXCH_A,
1042                 SSL3_ST_CR_KEY_EXCH_B,
1043                 -1,
1044                 s->max_cert_list,
1045                 &ok);
1046
1047         if (!ok) return((int)n);
1048
1049         if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1050                 {
1051                 s->s3->tmp.reuse_message=1;
1052                 return(1);
1053                 }
1054
1055         param=p=(unsigned char *)s->init_msg;
1056
1057         if (s->session->sess_cert != NULL)
1058                 {
1059 #ifndef OPENSSL_NO_RSA
1060                 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1061                         {
1062                         RSA_free(s->session->sess_cert->peer_rsa_tmp);
1063                         s->session->sess_cert->peer_rsa_tmp=NULL;
1064                         }
1065 #endif
1066 #ifndef OPENSSL_NO_DH
1067                 if (s->session->sess_cert->peer_dh_tmp)
1068                         {
1069                         DH_free(s->session->sess_cert->peer_dh_tmp);
1070                         s->session->sess_cert->peer_dh_tmp=NULL;
1071                         }
1072 #endif
1073 #ifndef OPENSSL_NO_ECDH
1074                 if (s->session->sess_cert->peer_ecdh_tmp)
1075                         {
1076                         EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1077                         s->session->sess_cert->peer_ecdh_tmp=NULL;
1078                         }
1079 #endif
1080                 }
1081         else
1082                 {
1083                 s->session->sess_cert=ssl_sess_cert_new();
1084                 }
1085
1086         param_len=0;
1087         alg=s->s3->tmp.new_cipher->algorithms;
1088         EVP_MD_CTX_init(&md_ctx);
1089
1090 #ifndef OPENSSL_NO_RSA
1091         if (alg & SSL_kRSA)
1092                 {
1093                 if ((rsa=RSA_new()) == NULL)
1094                         {
1095                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1096                         goto err;
1097                         }
1098                 n2s(p,i);
1099                 param_len=i+2;
1100                 if (param_len > n)
1101                         {
1102                         al=SSL_AD_DECODE_ERROR;
1103                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1104                         goto f_err;
1105                         }
1106                 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1107                         {
1108                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1109                         goto err;
1110                         }
1111                 p+=i;
1112
1113                 n2s(p,i);
1114                 param_len+=i+2;
1115                 if (param_len > n)
1116                         {
1117                         al=SSL_AD_DECODE_ERROR;
1118                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1119                         goto f_err;
1120                         }
1121                 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1122                         {
1123                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1124                         goto err;
1125                         }
1126                 p+=i;
1127                 n-=param_len;
1128
1129                 /* this should be because we are using an export cipher */
1130                 if (alg & SSL_aRSA)
1131                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1132                 else
1133                         {
1134                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1135                         goto err;
1136                         }
1137                 s->session->sess_cert->peer_rsa_tmp=rsa;
1138                 rsa=NULL;
1139                 }
1140 #else /* OPENSSL_NO_RSA */
1141         if (0)
1142                 ;
1143 #endif
1144 #ifndef OPENSSL_NO_DH
1145         else if (alg & SSL_kEDH)
1146                 {
1147                 if ((dh=DH_new()) == NULL)
1148                         {
1149                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1150                         goto err;
1151                         }
1152                 n2s(p,i);
1153                 param_len=i+2;
1154                 if (param_len > n)
1155                         {
1156                         al=SSL_AD_DECODE_ERROR;
1157                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1158                         goto f_err;
1159                         }
1160                 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1161                         {
1162                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1163                         goto err;
1164                         }
1165                 p+=i;
1166
1167                 n2s(p,i);
1168                 param_len+=i+2;
1169                 if (param_len > n)
1170                         {
1171                         al=SSL_AD_DECODE_ERROR;
1172                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1173                         goto f_err;
1174                         }
1175                 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1176                         {
1177                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1178                         goto err;
1179                         }
1180                 p+=i;
1181
1182                 n2s(p,i);
1183                 param_len+=i+2;
1184                 if (param_len > n)
1185                         {
1186                         al=SSL_AD_DECODE_ERROR;
1187                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1188                         goto f_err;
1189                         }
1190                 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1191                         {
1192                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1193                         goto err;
1194                         }
1195                 p+=i;
1196                 n-=param_len;
1197
1198 #ifndef OPENSSL_NO_RSA
1199                 if (alg & SSL_aRSA)
1200                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1201 #else
1202                 if (0)
1203                         ;
1204 #endif
1205 #ifndef OPENSSL_NO_DSA
1206                 else if (alg & SSL_aDSS)
1207                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1208 #endif
1209                 /* else anonymous DH, so no certificate or pkey. */
1210
1211                 s->session->sess_cert->peer_dh_tmp=dh;
1212                 dh=NULL;
1213                 }
1214         else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1215                 {
1216                 al=SSL_AD_ILLEGAL_PARAMETER;
1217                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1218                 goto f_err;
1219                 }
1220 #endif /* !OPENSSL_NO_DH */
1221
1222 #ifndef OPENSSL_NO_ECDH
1223         else if (alg & SSL_kECDHE)
1224                 {
1225                 EC_GROUP *ngroup;
1226                 const EC_GROUP *group;
1227
1228                 if ((ecdh=EC_KEY_new()) == NULL)
1229                         {
1230                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1231                         goto err;
1232                         }
1233
1234                 /* Extract elliptic curve parameters and the
1235                  * server's ephemeral ECDH public key.
1236                  * Keep accumulating lengths of various components in
1237                  * param_len and make sure it never exceeds n.
1238                  */
1239
1240                 /* XXX: For now we only support named (not generic) curves
1241                  * and the ECParameters in this case is just three bytes.
1242                  */
1243                 param_len=3;
1244                 if ((param_len > n) ||
1245                     (*p != NAMED_CURVE_TYPE) || 
1246                     ((curve_nid = curve_id2nid(*(p + 2))) == 0)) 
1247                         {
1248                         al=SSL_AD_INTERNAL_ERROR;
1249                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1250                         goto f_err;
1251                         }
1252
1253                 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1254                 if (ngroup == NULL)
1255                         {
1256                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1257                         goto err;
1258                         }
1259                 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1260                         {
1261                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1262                         goto err;
1263                         }
1264                 EC_GROUP_free(ngroup);
1265
1266                 group = EC_KEY_get0_group(ecdh);
1267
1268                 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1269                     (EC_GROUP_get_degree(group) > 163))
1270                         {
1271                         al=SSL_AD_EXPORT_RESTRICTION;
1272                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1273                         goto f_err;
1274                         }
1275
1276                 p+=3;
1277
1278                 /* Next, get the encoded ECPoint */
1279                 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1280                     ((bn_ctx = BN_CTX_new()) == NULL))
1281                         {
1282                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1283                         goto err;
1284                         }
1285
1286                 encoded_pt_len = *p;  /* length of encoded point */
1287                 p+=1;
1288                 param_len += (1 + encoded_pt_len);
1289                 if ((param_len > n) ||
1290                     (EC_POINT_oct2point(group, srvr_ecpoint, 
1291                         p, encoded_pt_len, bn_ctx) == 0))
1292                         {
1293                         al=SSL_AD_DECODE_ERROR;
1294                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1295                         goto f_err;
1296                         }
1297
1298                 n-=param_len;
1299                 p+=encoded_pt_len;
1300
1301                 /* The ECC/TLS specification does not mention
1302                  * the use of DSA to sign ECParameters in the server
1303                  * key exchange message. We do support RSA and ECDSA.
1304                  */
1305                 if (0) ;
1306 #ifndef OPENSSL_NO_RSA
1307                 else if (alg & SSL_aRSA)
1308                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1309 #endif
1310 #ifndef OPENSSL_NO_ECDSA
1311                 else if (alg & SSL_aECDSA)
1312                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1313 #endif
1314                 /* else anonymous ECDH, so no certificate or pkey. */
1315                 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1316                 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1317                 ecdh=NULL;
1318                 BN_CTX_free(bn_ctx);
1319                 EC_POINT_free(srvr_ecpoint);
1320                 srvr_ecpoint = NULL;
1321                 }
1322         else if (alg & SSL_kECDH)
1323                 {
1324                 al=SSL_AD_UNEXPECTED_MESSAGE;
1325                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1326                 goto f_err;
1327                 }
1328 #endif /* !OPENSSL_NO_ECDH */
1329         if (alg & SSL_aFZA)
1330                 {
1331                 al=SSL_AD_HANDSHAKE_FAILURE;
1332                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1333                 goto f_err;
1334                 }
1335
1336
1337         /* p points to the next byte, there are 'n' bytes left */
1338
1339         /* if it was signed, check the signature */
1340         if (pkey != NULL)
1341                 {
1342                 n2s(p,i);
1343                 n-=2;
1344                 j=EVP_PKEY_size(pkey);
1345
1346                 if ((i != n) || (n > j) || (n <= 0))
1347                         {
1348                         /* wrong packet length */
1349                         al=SSL_AD_DECODE_ERROR;
1350                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1351                         goto f_err;
1352                         }
1353
1354 #ifndef OPENSSL_NO_RSA
1355                 if (pkey->type == EVP_PKEY_RSA)
1356                         {
1357                         int num;
1358
1359                         j=0;
1360                         q=md_buf;
1361                         for (num=2; num > 0; num--)
1362                                 {
1363                                 EVP_DigestInit_ex(&md_ctx,(num == 2)
1364                                         ?s->ctx->md5:s->ctx->sha1, NULL);
1365                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1366                                 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1367                                 EVP_DigestUpdate(&md_ctx,param,param_len);
1368                                 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1369                                 q+=i;
1370                                 j+=i;
1371                                 }
1372                         i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1373                                                                 pkey->pkey.rsa);
1374                         if (i < 0)
1375                                 {
1376                                 al=SSL_AD_DECRYPT_ERROR;
1377                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1378                                 goto f_err;
1379                                 }
1380                         if (i == 0)
1381                                 {
1382                                 /* bad signature */
1383                                 al=SSL_AD_DECRYPT_ERROR;
1384                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1385                                 goto f_err;
1386                                 }
1387                         }
1388                 else
1389 #endif
1390 #ifndef OPENSSL_NO_DSA
1391                         if (pkey->type == EVP_PKEY_DSA)
1392                         {
1393                         /* lets do DSS */
1394                         EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1395                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1396                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1397                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1398                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1399                                 {
1400                                 /* bad signature */
1401                                 al=SSL_AD_DECRYPT_ERROR;
1402                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1403                                 goto f_err;
1404                                 }
1405                         }
1406                 else
1407 #endif
1408 #ifndef OPENSSL_NO_ECDSA
1409                         if (pkey->type == EVP_PKEY_EC)
1410                         {
1411                         /* let's do ECDSA */
1412                         EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1413                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1414                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1415                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1416                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1417                                 {
1418                                 /* bad signature */
1419                                 al=SSL_AD_DECRYPT_ERROR;
1420                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1421                                 goto f_err;
1422                                 }
1423                         }
1424                 else
1425 #endif
1426                         {
1427                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1428                         goto err;
1429                         }
1430                 }
1431         else
1432                 {
1433                 /* still data left over */
1434                 if (!(alg & SSL_aNULL))
1435                         {
1436                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1437                         goto err;
1438                         }
1439                 if (n != 0)
1440                         {
1441                         al=SSL_AD_DECODE_ERROR;
1442                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1443                         goto f_err;
1444                         }
1445                 }
1446         EVP_PKEY_free(pkey);
1447         EVP_MD_CTX_cleanup(&md_ctx);
1448         return(1);
1449 f_err:
1450         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1451 err:
1452         EVP_PKEY_free(pkey);
1453 #ifndef OPENSSL_NO_RSA
1454         if (rsa != NULL)
1455                 RSA_free(rsa);
1456 #endif
1457 #ifndef OPENSSL_NO_DH
1458         if (dh != NULL)
1459                 DH_free(dh);
1460 #endif
1461 #ifndef OPENSSL_NO_ECDH
1462         BN_CTX_free(bn_ctx);
1463         EC_POINT_free(srvr_ecpoint);
1464         if (ecdh != NULL)
1465                 EC_KEY_free(ecdh);
1466 #endif
1467         EVP_MD_CTX_cleanup(&md_ctx);
1468         return(-1);
1469         }
1470
1471 int ssl3_get_certificate_request(SSL *s)
1472         {
1473         int ok,ret=0;
1474         unsigned long n,nc,l;
1475         unsigned int llen,ctype_num,i;
1476         X509_NAME *xn=NULL;
1477         const unsigned char *p,*q;
1478         unsigned char *d;
1479         STACK_OF(X509_NAME) *ca_sk=NULL;
1480
1481         n=s->method->ssl_get_message(s,
1482                 SSL3_ST_CR_CERT_REQ_A,
1483                 SSL3_ST_CR_CERT_REQ_B,
1484                 -1,
1485                 s->max_cert_list,
1486                 &ok);
1487
1488         if (!ok) return((int)n);
1489
1490         s->s3->tmp.cert_req=0;
1491
1492         if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1493                 {
1494                 s->s3->tmp.reuse_message=1;
1495                 return(1);
1496                 }
1497
1498         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1499                 {
1500                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1501                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1502                 goto err;
1503                 }
1504
1505         /* TLS does not like anon-DH with client cert */
1506         if (s->version > SSL3_VERSION)
1507                 {
1508                 l=s->s3->tmp.new_cipher->algorithms;
1509                 if (l & SSL_aNULL)
1510                         {
1511                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1512                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1513                         goto err;
1514                         }
1515                 }
1516
1517         p=d=(unsigned char *)s->init_msg;
1518
1519         if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1520                 {
1521                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1522                 goto err;
1523                 }
1524
1525         /* get the certificate types */
1526         ctype_num= *(p++);
1527         if (ctype_num > SSL3_CT_NUMBER)
1528                 ctype_num=SSL3_CT_NUMBER;
1529         for (i=0; i<ctype_num; i++)
1530                 s->s3->tmp.ctype[i]= p[i];
1531         p+=ctype_num;
1532
1533         /* get the CA RDNs */
1534         n2s(p,llen);
1535 #if 0
1536 {
1537 FILE *out;
1538 out=fopen("/tmp/vsign.der","w");
1539 fwrite(p,1,llen,out);
1540 fclose(out);
1541 }
1542 #endif
1543
1544         if ((llen+ctype_num+2+1) != n)
1545                 {
1546                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1547                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1548                 goto err;
1549                 }
1550
1551         for (nc=0; nc<llen; )
1552                 {
1553                 n2s(p,l);
1554                 if ((l+nc+2) > llen)
1555                         {
1556                         if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1557                                 goto cont; /* netscape bugs */
1558                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1559                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1560                         goto err;
1561                         }
1562
1563                 q=p;
1564
1565                 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1566                         {
1567                         /* If netscape tolerance is on, ignore errors */
1568                         if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1569                                 goto cont;
1570                         else
1571                                 {
1572                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1573                                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1574                                 goto err;
1575                                 }
1576                         }
1577
1578                 if (q != (p+l))
1579                         {
1580                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1581                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1582                         goto err;
1583                         }
1584                 if (!sk_X509_NAME_push(ca_sk,xn))
1585                         {
1586                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1587                         goto err;
1588                         }
1589
1590                 p+=l;
1591                 nc+=l+2;
1592                 }
1593
1594         if (0)
1595                 {
1596 cont:
1597                 ERR_clear_error();
1598                 }
1599
1600         /* we should setup a certificate to return.... */
1601         s->s3->tmp.cert_req=1;
1602         s->s3->tmp.ctype_num=ctype_num;
1603         if (s->s3->tmp.ca_names != NULL)
1604                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1605         s->s3->tmp.ca_names=ca_sk;
1606         ca_sk=NULL;
1607
1608         ret=1;
1609 err:
1610         if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1611         return(ret);
1612         }
1613
1614 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1615         {
1616         return(X509_NAME_cmp(*a,*b));
1617         }
1618
1619 int ssl3_get_server_done(SSL *s)
1620         {
1621         int ok,ret=0;
1622         long n;
1623
1624         n=s->method->ssl_get_message(s,
1625                 SSL3_ST_CR_SRVR_DONE_A,
1626                 SSL3_ST_CR_SRVR_DONE_B,
1627                 SSL3_MT_SERVER_DONE,
1628                 30, /* should be very small, like 0 :-) */
1629                 &ok);
1630
1631         if (!ok) return((int)n);
1632         if (n > 0)
1633                 {
1634                 /* should contain no data */
1635                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1636                 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1637                 return -1;
1638                 }
1639         ret=1;
1640         return(ret);
1641         }
1642
1643
1644 int ssl3_send_client_key_exchange(SSL *s)
1645         {
1646         unsigned char *p,*d;
1647         int n;
1648         unsigned long l;
1649 #ifndef OPENSSL_NO_RSA
1650         unsigned char *q;
1651         EVP_PKEY *pkey=NULL;
1652 #endif
1653 #ifndef OPENSSL_NO_KRB5
1654         KSSL_ERR kssl_err;
1655 #endif /* OPENSSL_NO_KRB5 */
1656 #ifndef OPENSSL_NO_ECDH
1657         EC_KEY *clnt_ecdh = NULL;
1658         const EC_POINT *srvr_ecpoint = NULL;
1659         EVP_PKEY *srvr_pub_pkey = NULL;
1660         unsigned char *encodedPoint = NULL;
1661         int encoded_pt_len = 0;
1662         BN_CTX * bn_ctx = NULL;
1663 #endif
1664
1665         if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1666                 {
1667                 d=(unsigned char *)s->init_buf->data;
1668                 p= &(d[4]);
1669
1670                 l=s->s3->tmp.new_cipher->algorithms;
1671
1672                 /* Fool emacs indentation */
1673                 if (0) {}
1674 #ifndef OPENSSL_NO_RSA
1675                 else if (l & SSL_kRSA)
1676                         {
1677                         RSA *rsa;
1678                         unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1679
1680                         if (s->session->sess_cert->peer_rsa_tmp != NULL)
1681                                 rsa=s->session->sess_cert->peer_rsa_tmp;
1682                         else
1683                                 {
1684                                 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1685                                 if ((pkey == NULL) ||
1686                                         (pkey->type != EVP_PKEY_RSA) ||
1687                                         (pkey->pkey.rsa == NULL))
1688                                         {
1689                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1690                                         goto err;
1691                                         }
1692                                 rsa=pkey->pkey.rsa;
1693                                 EVP_PKEY_free(pkey);
1694                                 }
1695                                 
1696                         tmp_buf[0]=s->client_version>>8;
1697                         tmp_buf[1]=s->client_version&0xff;
1698                         if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
1699                                         goto err;
1700
1701                         s->session->master_key_length=sizeof tmp_buf;
1702
1703                         q=p;
1704                         /* Fix buf for TLS and beyond */
1705                         if (s->version > SSL3_VERSION)
1706                                 p+=2;
1707                         n=RSA_public_encrypt(sizeof tmp_buf,
1708                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1709 #ifdef PKCS1_CHECK
1710                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1711                         if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1712 #endif
1713                         if (n <= 0)
1714                                 {
1715                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1716                                 goto err;
1717                                 }
1718
1719                         /* Fix buf for TLS and beyond */
1720                         if (s->version > SSL3_VERSION)
1721                                 {
1722                                 s2n(n,q);
1723                                 n+=2;
1724                                 }
1725
1726                         s->session->master_key_length=
1727                                 s->method->ssl3_enc->generate_master_secret(s,
1728                                         s->session->master_key,
1729                                         tmp_buf,sizeof tmp_buf);
1730                         OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
1731                         }
1732 #endif
1733 #ifndef OPENSSL_NO_KRB5
1734                 else if (l & SSL_kKRB5)
1735                         {
1736                         krb5_error_code krb5rc;
1737                         KSSL_CTX        *kssl_ctx = s->kssl_ctx;
1738                         /*  krb5_data   krb5_ap_req;  */
1739                         krb5_data       *enc_ticket;
1740                         krb5_data       authenticator, *authp = NULL;
1741                         EVP_CIPHER_CTX  ciph_ctx;
1742                         EVP_CIPHER      *enc = NULL;
1743                         unsigned char   iv[EVP_MAX_IV_LENGTH];
1744                         unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1745                         unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH 
1746                                                 + EVP_MAX_IV_LENGTH];
1747                         int             padl, outl = sizeof(epms);
1748
1749                         EVP_CIPHER_CTX_init(&ciph_ctx);
1750
1751 #ifdef KSSL_DEBUG
1752                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1753                                 l, SSL_kKRB5);
1754 #endif  /* KSSL_DEBUG */
1755
1756                         authp = NULL;
1757 #ifdef KRB5SENDAUTH
1758                         if (KRB5SENDAUTH)  authp = &authenticator;
1759 #endif  /* KRB5SENDAUTH */
1760
1761                         krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
1762                                 &kssl_err);
1763                         enc = kssl_map_enc(kssl_ctx->enctype);
1764                         if (enc == NULL)
1765                             goto err;
1766 #ifdef KSSL_DEBUG
1767                         {
1768                         printf("kssl_cget_tkt rtn %d\n", krb5rc);
1769                         if (krb5rc && kssl_err.text)
1770                           printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
1771                         }
1772 #endif  /* KSSL_DEBUG */
1773
1774                         if (krb5rc)
1775                                 {
1776                                 ssl3_send_alert(s,SSL3_AL_FATAL,
1777                                                 SSL_AD_HANDSHAKE_FAILURE);
1778                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1779                                                 kssl_err.reason);
1780                                 goto err;
1781                                 }
1782
1783                         /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
1784                         **  in place of RFC 2712 KerberosWrapper, as in:
1785                         **
1786                         **  Send ticket (copy to *p, set n = length)
1787                         **  n = krb5_ap_req.length;
1788                         **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1789                         **  if (krb5_ap_req.data)  
1790                         **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1791                         **
1792                         **  Now using real RFC 2712 KerberosWrapper
1793                         **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1794                         **  Note: 2712 "opaque" types are here replaced
1795                         **  with a 2-byte length followed by the value.
1796                         **  Example:
1797                         **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1798                         **  Where "xx xx" = length bytes.  Shown here with
1799                         **  optional authenticator omitted.
1800                         */
1801
1802                         /*  KerberosWrapper.Ticket              */
1803                         s2n(enc_ticket->length,p);
1804                         memcpy(p, enc_ticket->data, enc_ticket->length);
1805                         p+= enc_ticket->length;
1806                         n = enc_ticket->length + 2;
1807
1808                         /*  KerberosWrapper.Authenticator       */
1809                         if (authp  &&  authp->length)  
1810                                 {
1811                                 s2n(authp->length,p);
1812                                 memcpy(p, authp->data, authp->length);
1813                                 p+= authp->length;
1814                                 n+= authp->length + 2;
1815                                 
1816                                 free(authp->data);
1817                                 authp->data = NULL;
1818                                 authp->length = 0;
1819                                 }
1820                         else
1821                                 {
1822                                 s2n(0,p);/*  null authenticator length  */
1823                                 n+=2;
1824                                 }
1825  
1826                         if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
1827                             goto err;
1828
1829                         /*  20010420 VRS.  Tried it this way; failed.
1830                         **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
1831                         **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
1832                         **                              kssl_ctx->length);
1833                         **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
1834                         */
1835
1836                         memset(iv, 0, sizeof iv);  /* per RFC 1510 */
1837                         EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
1838                                 kssl_ctx->key,iv);
1839                         EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
1840                                 sizeof tmp_buf);
1841                         EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
1842                         outl += padl;
1843                         if (outl > sizeof epms)
1844                                 {
1845                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1846                                 goto err;
1847                                 }
1848                         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1849
1850                         /*  KerberosWrapper.EncryptedPreMasterSecret    */
1851                         s2n(outl,p);
1852                         memcpy(p, epms, outl);
1853                         p+=outl;
1854                         n+=outl + 2;
1855
1856                         s->session->master_key_length=
1857                                 s->method->ssl3_enc->generate_master_secret(s,
1858                                         s->session->master_key,
1859                                         tmp_buf, sizeof tmp_buf);
1860
1861                         OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
1862                         OPENSSL_cleanse(epms, outl);
1863                         }
1864 #endif
1865 #ifndef OPENSSL_NO_DH
1866                 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1867                         {
1868                         DH *dh_srvr,*dh_clnt;
1869
1870                         if (s->session->sess_cert->peer_dh_tmp != NULL)
1871                                 dh_srvr=s->session->sess_cert->peer_dh_tmp;
1872                         else
1873                                 {
1874                                 /* we get them from the cert */
1875                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1876                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1877                                 goto err;
1878                                 }
1879                         
1880                         /* generate a new random key */
1881                         if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
1882                                 {
1883                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1884                                 goto err;
1885                                 }
1886                         if (!DH_generate_key(dh_clnt))
1887                                 {
1888                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1889                                 goto err;
1890                                 }
1891
1892                         /* use the 'p' output buffer for the DH key, but
1893                          * make sure to clear it out afterwards */
1894
1895                         n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
1896
1897                         if (n <= 0)
1898                                 {
1899                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1900                                 goto err;
1901                                 }
1902
1903                         /* generate master key from the result */
1904                         s->session->master_key_length=
1905                                 s->method->ssl3_enc->generate_master_secret(s,
1906                                         s->session->master_key,p,n);
1907                         /* clean up */
1908                         memset(p,0,n);
1909
1910                         /* send off the data */
1911                         n=BN_num_bytes(dh_clnt->pub_key);
1912                         s2n(n,p);
1913                         BN_bn2bin(dh_clnt->pub_key,p);
1914                         n+=2;
1915
1916                         DH_free(dh_clnt);
1917
1918                         /* perhaps clean things up a bit EAY EAY EAY EAY*/
1919                         }
1920 #endif
1921
1922 #ifndef OPENSSL_NO_ECDH 
1923                 else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
1924                         {
1925                         const EC_GROUP *srvr_group = NULL;
1926                         EC_KEY *tkey;
1927                         int ecdh_clnt_cert = 0;
1928                         int field_size = 0;
1929
1930                         /* Did we send out the client's
1931                          * ECDH share for use in premaster
1932                          * computation as part of client certificate?
1933                          * If so, set ecdh_clnt_cert to 1.
1934                          */
1935                         if ((l & SSL_kECDH) && (s->cert != NULL)) 
1936                                 {
1937                                 /* XXX: For now, we do not support client
1938                                  * authentication using ECDH certificates.
1939                                  * To add such support, one needs to add
1940                                  * code that checks for appropriate 
1941                                  * conditions and sets ecdh_clnt_cert to 1.
1942                                  * For example, the cert have an ECC
1943                                  * key on the same curve as the server's
1944                                  * and the key should be authorized for
1945                                  * key agreement.
1946                                  *
1947                                  * One also needs to add code in ssl3_connect
1948                                  * to skip sending the certificate verify
1949                                  * message.
1950                                  *
1951                                  * if ((s->cert->key->privatekey != NULL) &&
1952                                  *     (s->cert->key->privatekey->type ==
1953                                  *      EVP_PKEY_EC) && ...)
1954                                  * ecdh_clnt_cert = 1;
1955                                  */
1956                                 }
1957
1958                         if (s->session->sess_cert->peer_ecdh_tmp != NULL)
1959                                 {
1960                                 tkey = s->session->sess_cert->peer_ecdh_tmp;
1961                                 }
1962                         else
1963                                 {
1964                                 /* Get the Server Public Key from Cert */
1965                                 srvr_pub_pkey = X509_get_pubkey(s->session-> \
1966                                     sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1967                                 if ((srvr_pub_pkey == NULL) ||
1968                                     (srvr_pub_pkey->type != EVP_PKEY_EC) ||
1969                                     (srvr_pub_pkey->pkey.ec == NULL))
1970                                         {
1971                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1972                                             ERR_R_INTERNAL_ERROR);
1973                                         goto err;
1974                                         }
1975
1976                                 tkey = srvr_pub_pkey->pkey.ec;
1977                                 }
1978
1979                         srvr_group   = EC_KEY_get0_group(tkey);
1980                         srvr_ecpoint = EC_KEY_get0_public_key(tkey);
1981
1982                         if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
1983                                 {
1984                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1985                                     ERR_R_INTERNAL_ERROR);
1986                                 goto err;
1987                                 }
1988
1989                         if ((clnt_ecdh=EC_KEY_new()) == NULL) 
1990                                 {
1991                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1992                                 goto err;
1993                                 }
1994
1995                         if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
1996                                 {
1997                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
1998                                 goto err;
1999                                 }
2000                         if (ecdh_clnt_cert) 
2001                                 { 
2002                                 /* Reuse key info from our certificate
2003                                  * We only need our private key to perform
2004                                  * the ECDH computation.
2005                                  */
2006                                 const BIGNUM *priv_key;
2007                                 tkey = s->cert->key->privatekey->pkey.ec;
2008                                 priv_key = EC_KEY_get0_private_key(tkey);
2009                                 if (priv_key == NULL)
2010                                         {
2011                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2012                                         goto err;
2013                                         }
2014                                 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2015                                         {
2016                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2017                                         goto err;
2018                                         }
2019                                 }
2020                         else 
2021                                 {
2022                                 /* Generate a new ECDH key pair */
2023                                 if (!(EC_KEY_generate_key(clnt_ecdh)))
2024                                         {
2025                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2026                                         goto err;
2027                                         }
2028                                 }
2029
2030                         /* use the 'p' output buffer for the ECDH key, but
2031                          * make sure to clear it out afterwards
2032                          */
2033
2034                         field_size = EC_GROUP_get_degree(srvr_group);
2035                         if (field_size <= 0)
2036                                 {
2037                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
2038                                        ERR_R_ECDH_LIB);
2039                                 goto err;
2040                                 }
2041                         n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2042                         if (n <= 0)
2043                                 {
2044                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
2045                                        ERR_R_ECDH_LIB);
2046                                 goto err;
2047                                 }
2048
2049                         /* generate master key from the result */
2050                         s->session->master_key_length = s->method->ssl3_enc \
2051                             -> generate_master_secret(s, 
2052                                 s->session->master_key,
2053                                 p, n);
2054
2055                         memset(p, 0, n); /* clean up */
2056
2057                         if (ecdh_clnt_cert) 
2058                                 {
2059                                 /* Send empty client key exch message */
2060                                 n = 0;
2061                                 }
2062                         else 
2063                                 {
2064                                 /* First check the size of encoding and
2065                                  * allocate memory accordingly.
2066                                  */
2067                                 encoded_pt_len = 
2068                                     EC_POINT_point2oct(srvr_group, 
2069                                         EC_KEY_get0_public_key(clnt_ecdh), 
2070                                         POINT_CONVERSION_UNCOMPRESSED, 
2071                                         NULL, 0, NULL);
2072
2073                                 encodedPoint = (unsigned char *) 
2074                                     OPENSSL_malloc(encoded_pt_len * 
2075                                         sizeof(unsigned char)); 
2076                                 bn_ctx = BN_CTX_new();
2077                                 if ((encodedPoint == NULL) || 
2078                                     (bn_ctx == NULL)) 
2079                                         {
2080                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2081                                         goto err;
2082                                         }
2083
2084                                 /* Encode the public key */
2085                                 n = EC_POINT_point2oct(srvr_group, 
2086                                     EC_KEY_get0_public_key(clnt_ecdh), 
2087                                     POINT_CONVERSION_UNCOMPRESSED, 
2088                                     encodedPoint, encoded_pt_len, bn_ctx);
2089
2090                                 *p = n; /* length of encoded point */
2091                                 /* Encoded point will be copied here */
2092                                 p += 1; 
2093                                 /* copy the point */
2094                                 memcpy((unsigned char *)p, encodedPoint, n);
2095                                 /* increment n to account for length field */
2096                                 n += 1; 
2097                                 }
2098
2099                         /* Free allocated memory */
2100                         BN_CTX_free(bn_ctx);
2101                         if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2102                         if (clnt_ecdh != NULL) 
2103                                  EC_KEY_free(clnt_ecdh);
2104                         EVP_PKEY_free(srvr_pub_pkey);
2105                         }
2106 #endif /* !OPENSSL_NO_ECDH */
2107                 else
2108                         {
2109                         ssl3_send_alert(s, SSL3_AL_FATAL,
2110                             SSL_AD_HANDSHAKE_FAILURE);
2111                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2112                             ERR_R_INTERNAL_ERROR);
2113                         goto err;
2114                         }
2115                 
2116                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2117                 l2n3(n,d);
2118
2119                 s->state=SSL3_ST_CW_KEY_EXCH_B;
2120                 /* number of bytes to write */
2121                 s->init_num=n+4;
2122                 s->init_off=0;
2123                 }
2124
2125         /* SSL3_ST_CW_KEY_EXCH_B */
2126         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2127 err:
2128 #ifndef OPENSSL_NO_ECDH
2129         BN_CTX_free(bn_ctx);
2130         if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2131         if (clnt_ecdh != NULL) 
2132                 EC_KEY_free(clnt_ecdh);
2133         EVP_PKEY_free(srvr_pub_pkey);
2134 #endif
2135         return(-1);
2136         }
2137
2138 int ssl3_send_client_verify(SSL *s)
2139         {
2140         unsigned char *p,*d;
2141         unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2142         EVP_PKEY *pkey;
2143 #ifndef OPENSSL_NO_RSA
2144         unsigned u=0;
2145 #endif
2146         unsigned long n;
2147 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2148         int j;
2149 #endif
2150
2151         if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2152                 {
2153                 d=(unsigned char *)s->init_buf->data;
2154                 p= &(d[4]);
2155                 pkey=s->cert->key->privatekey;
2156
2157                 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
2158                         &(data[MD5_DIGEST_LENGTH]));
2159
2160 #ifndef OPENSSL_NO_RSA
2161                 if (pkey->type == EVP_PKEY_RSA)
2162                         {
2163                         s->method->ssl3_enc->cert_verify_mac(s,
2164                                 &(s->s3->finish_dgst1),&(data[0]));
2165                         if (RSA_sign(NID_md5_sha1, data,
2166                                          MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2167                                         &(p[2]), &u, pkey->pkey.rsa) <= 0 )
2168                                 {
2169                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
2170                                 goto err;
2171                                 }
2172                         s2n(u,p);
2173                         n=u+2;
2174                         }
2175                 else
2176 #endif
2177 #ifndef OPENSSL_NO_DSA
2178                         if (pkey->type == EVP_PKEY_DSA)
2179                         {
2180                         if (!DSA_sign(pkey->save_type,
2181                                 &(data[MD5_DIGEST_LENGTH]),
2182                                 SHA_DIGEST_LENGTH,&(p[2]),
2183                                 (unsigned int *)&j,pkey->pkey.dsa))
2184                                 {
2185                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
2186                                 goto err;
2187                                 }
2188                         s2n(j,p);
2189                         n=j+2;
2190                         }
2191                 else
2192 #endif
2193 #ifndef OPENSSL_NO_ECDSA
2194                         if (pkey->type == EVP_PKEY_EC)
2195                         {
2196                         if (!ECDSA_sign(pkey->save_type,
2197                                 &(data[MD5_DIGEST_LENGTH]),
2198                                 SHA_DIGEST_LENGTH,&(p[2]),
2199                                 (unsigned int *)&j,pkey->pkey.ec))
2200                                 {
2201                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2202                                     ERR_R_ECDSA_LIB);
2203                                 goto err;
2204                                 }
2205                         s2n(j,p);
2206                         n=j+2;
2207                         }
2208                 else
2209 #endif
2210                         {
2211                         SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
2212                         goto err;
2213                         }
2214                 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
2215                 l2n3(n,d);
2216
2217                 s->state=SSL3_ST_CW_CERT_VRFY_B;
2218                 s->init_num=(int)n+4;
2219                 s->init_off=0;
2220                 }
2221         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2222 err:
2223         return(-1);
2224         }
2225
2226 int ssl3_send_client_certificate(SSL *s)
2227         {
2228         X509 *x509=NULL;
2229         EVP_PKEY *pkey=NULL;
2230         int i;
2231         unsigned long l;
2232
2233         if (s->state == SSL3_ST_CW_CERT_A)
2234                 {
2235                 if ((s->cert == NULL) ||
2236                         (s->cert->key->x509 == NULL) ||
2237                         (s->cert->key->privatekey == NULL))
2238                         s->state=SSL3_ST_CW_CERT_B;
2239                 else
2240                         s->state=SSL3_ST_CW_CERT_C;
2241                 }
2242
2243         /* We need to get a client cert */
2244         if (s->state == SSL3_ST_CW_CERT_B)
2245                 {
2246                 /* If we get an error, we need to
2247                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2248                  * We then get retied later */
2249                 i=0;
2250                 if (s->ctx->client_cert_cb != NULL)
2251                         i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
2252                 if (i < 0)
2253                         {
2254                         s->rwstate=SSL_X509_LOOKUP;
2255                         return(-1);
2256                         }
2257                 s->rwstate=SSL_NOTHING;
2258                 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2259                         {
2260                         s->state=SSL3_ST_CW_CERT_B;
2261                         if (    !SSL_use_certificate(s,x509) ||
2262                                 !SSL_use_PrivateKey(s,pkey))
2263                                 i=0;
2264                         }
2265                 else if (i == 1)
2266                         {
2267                         i=0;
2268                         SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2269                         }
2270
2271                 if (x509 != NULL) X509_free(x509);
2272                 if (pkey != NULL) EVP_PKEY_free(pkey);
2273                 if (i == 0)
2274                         {
2275                         if (s->version == SSL3_VERSION)
2276                                 {
2277                                 s->s3->tmp.cert_req=0;
2278                                 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2279                                 return(1);
2280                                 }
2281                         else
2282                                 {
2283                                 s->s3->tmp.cert_req=2;
2284                                 }
2285                         }
2286
2287                 /* Ok, we have a cert */
2288                 s->state=SSL3_ST_CW_CERT_C;
2289                 }
2290
2291         if (s->state == SSL3_ST_CW_CERT_C)
2292                 {
2293                 s->state=SSL3_ST_CW_CERT_D;
2294                 l=ssl3_output_cert_chain(s,
2295                         (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
2296                 s->init_num=(int)l;
2297                 s->init_off=0;
2298                 }
2299         /* SSL3_ST_CW_CERT_D */
2300         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2301         }
2302
2303 #define has_bits(i,m)   (((i)&(m)) == (m))
2304
2305 int ssl3_check_cert_and_algorithm(SSL *s)
2306         {
2307         int i,idx;
2308         long algs;
2309         EVP_PKEY *pkey=NULL;
2310         SESS_CERT *sc;
2311 #ifndef OPENSSL_NO_RSA
2312         RSA *rsa;
2313 #endif
2314 #ifndef OPENSSL_NO_DH
2315         DH *dh;
2316 #endif
2317
2318         sc=s->session->sess_cert;
2319
2320         if (sc == NULL)
2321                 {
2322                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
2323                 goto err;
2324                 }
2325
2326         algs=s->s3->tmp.new_cipher->algorithms;
2327
2328         /* we don't have a certificate */
2329         if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
2330                 return(1);
2331
2332 #ifndef OPENSSL_NO_RSA
2333         rsa=s->session->sess_cert->peer_rsa_tmp;
2334 #endif
2335 #ifndef OPENSSL_NO_DH
2336         dh=s->session->sess_cert->peer_dh_tmp;
2337 #endif
2338
2339         /* This is the passed certificate */
2340
2341         idx=sc->peer_cert_type;
2342 #ifndef OPENSSL_NO_ECDH
2343         if (idx == SSL_PKEY_ECC)
2344                 {
2345                 if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2346                     s->s3->tmp.new_cipher) == 0) 
2347                         { /* check failed */
2348                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2349                         goto f_err;                     
2350                         }
2351                 else 
2352                         {
2353                         return 1;
2354                         }
2355                 }
2356 #endif
2357         pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2358         i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2359         EVP_PKEY_free(pkey);
2360
2361         
2362         /* Check that we have a certificate if we require one */
2363         if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2364                 {
2365                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
2366                 goto f_err;
2367                 }
2368 #ifndef OPENSSL_NO_DSA
2369         else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2370                 {
2371                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
2372                 goto f_err;
2373                 }
2374 #endif
2375 #ifndef OPENSSL_NO_RSA
2376         if ((algs & SSL_kRSA) &&
2377                 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2378                 {
2379                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2380                 goto f_err;
2381                 }
2382 #endif
2383 #ifndef OPENSSL_NO_DH
2384         if ((algs & SSL_kEDH) &&
2385                 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2386                 {
2387                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
2388                 goto f_err;
2389                 }
2390         else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
2391                 {
2392                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
2393                 goto f_err;
2394                 }
2395 #ifndef OPENSSL_NO_DSA
2396         else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
2397                 {
2398                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
2399                 goto f_err;
2400                 }
2401 #endif
2402 #endif
2403
2404         if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
2405                 {
2406 #ifndef OPENSSL_NO_RSA
2407                 if (algs & SSL_kRSA)
2408                         {
2409                         if (rsa == NULL
2410                             || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2411                                 {
2412                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2413                                 goto f_err;
2414                                 }
2415                         }
2416                 else
2417 #endif
2418 #ifndef OPENSSL_NO_DH
2419                         if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2420                             {
2421                             if (dh == NULL
2422                                 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2423                                 {
2424                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
2425                                 goto f_err;
2426                                 }
2427                         }
2428                 else
2429 #endif
2430                         {
2431                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2432                         goto f_err;
2433                         }
2434                 }
2435         return(1);
2436 f_err:
2437         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2438 err:
2439         return(0);
2440         }
2441
2442
2443 #ifndef OPENSSL_NO_ECDH
2444 /* This is the complement of nid2curve_id in s3_srvr.c. */
2445 static int curve_id2nid(int curve_id)
2446 {
2447         /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2448          * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2449         static int nid_list[26] =
2450         {
2451                 0,
2452                 NID_sect163k1, /* sect163k1 (1) */
2453                 NID_sect163r1, /* sect163r1 (2) */
2454                 NID_sect163r2, /* sect163r2 (3) */
2455                 NID_sect193r1, /* sect193r1 (4) */ 
2456                 NID_sect193r2, /* sect193r2 (5) */ 
2457                 NID_sect233k1, /* sect233k1 (6) */
2458                 NID_sect233r1, /* sect233r1 (7) */ 
2459                 NID_sect239k1, /* sect239k1 (8) */ 
2460                 NID_sect283k1, /* sect283k1 (9) */
2461                 NID_sect283r1, /* sect283r1 (10) */ 
2462                 NID_sect409k1, /* sect409k1 (11) */ 
2463                 NID_sect409r1, /* sect409r1 (12) */
2464                 NID_sect571k1, /* sect571k1 (13) */ 
2465                 NID_sect571r1, /* sect571r1 (14) */ 
2466                 NID_secp160k1, /* secp160k1 (15) */
2467                 NID_secp160r1, /* secp160r1 (16) */ 
2468                 NID_secp160r2, /* secp160r2 (17) */ 
2469                 NID_secp192k1, /* secp192k1 (18) */
2470                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
2471                 NID_secp224k1, /* secp224k1 (20) */ 
2472                 NID_secp224r1, /* secp224r1 (21) */
2473                 NID_secp256k1, /* secp256k1 (22) */ 
2474                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
2475                 NID_secp384r1, /* secp384r1 (24) */
2476                 NID_secp521r1  /* secp521r1 (25) */     
2477         };
2478         
2479         if ((curve_id < 1) || (curve_id > 25)) return 0;
2480
2481         return nid_list[curve_id];
2482 }
2483 #endif