* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
#include <openssl/md5.h>
static SSL_METHOD *ssl3_get_server_method(int ver);
-static int ssl3_get_client_hello(SSL *s);
-static int ssl3_check_client_hello(SSL *s);
-static int ssl3_send_server_hello(SSL *s);
-static int ssl3_send_server_key_exchange(SSL *s);
-static int ssl3_send_certificate_request(SSL *s);
-static int ssl3_send_server_done(SSL *s);
-static int ssl3_get_client_key_exchange(SSL *s);
-static int ssl3_get_client_certificate(SSL *s);
-static int ssl3_get_cert_verify(SSL *s);
-static int ssl3_send_hello_request(SSL *s);
#ifndef OPENSSL_NO_ECDH
static int nid2curve_id(int nid);
return(ret);
}
-static int ssl3_send_hello_request(SSL *s)
+int ssl3_send_hello_request(SSL *s)
{
unsigned char *p;
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
-static int ssl3_check_client_hello(SSL *s)
+int ssl3_check_client_hello(SSL *s)
{
int ok;
long n;
/* this function is called when we really expect a Certificate message,
* so permit appropriate message length */
- n=ssl3_get_message(s,
+ n=s->method->ssl_get_message(s,
SSL3_ST_SR_CERT_A,
SSL3_ST_SR_CERT_B,
-1,
return 1;
}
-static int ssl3_get_client_hello(SSL *s)
+int ssl3_get_client_hello(SSL *s)
{
int i,j,ok,al,ret= -1;
+ unsigned int cookie_len;
long n;
unsigned long id;
unsigned char *p,*d,*q;
s->first_packet=1;
s->state=SSL3_ST_SR_CLNT_HELLO_B;
}
- n=ssl3_get_message(s,
+ n=s->method->ssl_get_message(s,
SSL3_ST_SR_CLNT_HELLO_B,
SSL3_ST_SR_CLNT_HELLO_C,
SSL3_MT_CLIENT_HELLO,
}
p+=j;
+
+ if (SSL_version(s) == DTLS1_VERSION)
+ {
+ /* cookie stuff */
+ cookie_len = *(p++);
+
+ if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+ s->d1->send_cookie == 0)
+ {
+ /* HelloVerifyMessage has already been sent */
+ if ( cookie_len != s->d1->cookie_len)
+ {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ }
+ }
+
+ /*
+ * The ClientHello may contain a cookie even if the
+ * HelloVerify message has not been sent--make sure that it
+ * does not cause an overflow.
+ */
+ if ( cookie_len > sizeof(s->d1->rcvd_cookie))
+ {
+ /* too much data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ }
+
+ /* verify the cookie if appropriate option is set. */
+ if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+ cookie_len > 0)
+ {
+ memcpy(s->d1->rcvd_cookie, p, cookie_len);
+
+ if ( s->ctx->app_verify_cookie_cb != NULL)
+ {
+ if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
+ cookie_len) == 0)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+ SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ }
+ /* else cookie verification succeeded */
+ }
+ else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
+ s->d1->cookie_len) != 0) /* default verification */
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+ SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ }
+ }
+
+ p += cookie_len;
+ }
+
n2s(p,i);
if ((i == 0) && (j != 0))
{
if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
{
/* Very bad for multi-threading.... */
- s->session->cipher=sk_SSL_CIPHER_value(ciphers,
- 0);
+ s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
}
else
{
return(ret);
}
-static int ssl3_send_server_hello(SSL *s)
+int ssl3_send_server_hello(SSL *s)
{
unsigned char *buf;
unsigned char *p,*d;
p=s->s3->server_random;
Time=time(NULL); /* Time */
l2n(Time,p);
- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
+ if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+ return -1;
/* Do the message type and length last */
d=p= &(buf[4]);
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
-static int ssl3_send_server_done(SSL *s)
+int ssl3_send_server_done(SSL *s)
{
unsigned char *p;
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
-static int ssl3_send_server_key_exchange(SSL *s)
+int ssl3_send_server_key_exchange(SSL *s)
{
#ifndef OPENSSL_NO_RSA
unsigned char *q;
}
if (!EC_KEY_up_ref(ecdhp))
{
- SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
+ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
goto err;
}
ecdh = ecdhp;
return(-1);
}
-static int ssl3_send_certificate_request(SSL *s)
+int ssl3_send_certificate_request(SSL *s)
{
unsigned char *p,*d;
int i,j,nl,off,n;
static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen)
+static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
{
#ifndef OPENSSL_NO_SHA
- if (outlen != SHA_DIGEST_LENGTH)
+ if (*outlen < SHA_DIGEST_LENGTH)
return NULL;
+ else
+ *outlen = SHA_DIGEST_LENGTH;
return SHA1(in, inlen, out);
#else
return NULL;
#endif
}
-static int ssl3_get_client_key_exchange(SSL *s)
+int ssl3_get_client_key_exchange(SSL *s)
{
int i,al,ok;
long n;
BN_CTX *bn_ctx = NULL;
#endif
- n=ssl3_get_message(s,
+ n=s->method->ssl_get_message(s,
SSL3_ST_SR_KEY_EXCH_A,
SSL3_ST_SR_KEY_EXCH_B,
SSL3_MT_CLIENT_KEY_EXCHANGE,
i = SSL_MAX_MASTER_KEY_LENGTH;
p[0] = s->client_version >> 8;
p[1] = s->client_version & 0xff;
- RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+ if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
+ goto err;
}
s->session->master_key_length=
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
#endif /* KSSL_DEBUG */
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
}
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
#endif /* KSSL_DEBUG */
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
}
if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
{
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
goto err;
}
return(-1);
}
-static int ssl3_get_cert_verify(SSL *s)
+int ssl3_get_cert_verify(SSL *s)
{
EVP_PKEY *pkey=NULL;
unsigned char *p;
int type=0,i,j;
X509 *peer;
- n=ssl3_get_message(s,
+ n=s->method->ssl_get_message(s,
SSL3_ST_SR_CERT_VRFY_A,
SSL3_ST_SR_CERT_VRFY_B,
-1,
return(ret);
}
-static int ssl3_get_client_certificate(SSL *s)
+int ssl3_get_client_certificate(SSL *s)
{
int i,ok,al,ret= -1;
X509 *x=NULL;
unsigned char *d;
STACK_OF(X509) *sk=NULL;
- n=ssl3_get_message(s,
+ n=s->method->ssl_get_message(s,
SSL3_ST_SR_CERT_A,
SSL3_ST_SR_CERT_B,
-1,