62571ef5d1bcb7709b49e121c2d0cc516c67759e
[openssl.git] / ssl / s3_clnt.c
1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <stdio.h>
113 #include <openssl/buffer.h>
114 #include <openssl/rand.h>
115 #include <openssl/objects.h>
116 #include <openssl/evp.h>
117 #include "ssl_locl.h"
118 #include "kssl_lcl.h"
119 #include <openssl/md5.h>
120
121 static SSL_METHOD *ssl3_get_client_method(int ver);
122 static int ssl3_client_hello(SSL *s);
123 static int ssl3_get_server_hello(SSL *s);
124 static int ssl3_get_certificate_request(SSL *s);
125 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
126 static int ssl3_get_server_done(SSL *s);
127 static int ssl3_send_client_verify(SSL *s);
128 static int ssl3_send_client_certificate(SSL *s);
129 static int ssl3_send_client_key_exchange(SSL *s);
130 static int ssl3_get_key_exchange(SSL *s);
131 static int ssl3_get_server_certificate(SSL *s);
132 static int ssl3_check_cert_and_algorithm(SSL *s);
133 static SSL_METHOD *ssl3_get_client_method(int ver)
134         {
135         if (ver == SSL3_VERSION)
136                 return(SSLv3_client_method());
137         else
138                 return(NULL);
139         }
140
141 SSL_METHOD *SSLv3_client_method(void)
142         {
143         static int init=1;
144         static SSL_METHOD SSLv3_client_data;
145
146         if (init)
147                 {
148                 init=0;
149                 memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
150                         sizeof(SSL_METHOD));
151                 SSLv3_client_data.ssl_connect=ssl3_connect;
152                 SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
153                 }
154         return(&SSLv3_client_data);
155         }
156
157 int ssl3_connect(SSL *s)
158         {
159         BUF_MEM *buf;
160         unsigned long Time=time(NULL),l;
161         long num1;
162         void (*cb)(const SSL *ssl,int type,int val)=NULL;
163         int ret= -1;
164         int new_state,state,skip=0;;
165
166         RAND_add(&Time,sizeof(Time),0);
167         ERR_clear_error();
168         clear_sys_error();
169
170         if (s->info_callback != NULL)
171                 cb=s->info_callback;
172         else if (s->ctx->info_callback != NULL)
173                 cb=s->ctx->info_callback;
174         
175         s->in_handshake++;
176         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
177
178         for (;;)
179                 {
180                 state=s->state;
181
182                 switch(s->state)
183                         {
184                 case SSL_ST_RENEGOTIATE:
185                         s->new_session=1;
186                         s->state=SSL_ST_CONNECT;
187                         s->ctx->stats.sess_connect_renegotiate++;
188                         /* break */
189                 case SSL_ST_BEFORE:
190                 case SSL_ST_CONNECT:
191                 case SSL_ST_BEFORE|SSL_ST_CONNECT:
192                 case SSL_ST_OK|SSL_ST_CONNECT:
193
194                         s->server=0;
195                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
196
197                         if ((s->version & 0xff00 ) != 0x0300)
198                                 {
199                                 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
200                                 ret = -1;
201                                 goto end;
202                                 }
203                                 
204                         /* s->version=SSL3_VERSION; */
205                         s->type=SSL_ST_CONNECT;
206
207                         if (s->init_buf == NULL)
208                                 {
209                                 if ((buf=BUF_MEM_new()) == NULL)
210                                         {
211                                         ret= -1;
212                                         goto end;
213                                         }
214                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
215                                         {
216                                         ret= -1;
217                                         goto end;
218                                         }
219                                 s->init_buf=buf;
220                                 }
221
222                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
223
224                         /* setup buffing BIO */
225                         if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
226
227                         /* don't push the buffering BIO quite yet */
228
229                         ssl3_init_finished_mac(s);
230
231                         s->state=SSL3_ST_CW_CLNT_HELLO_A;
232                         s->ctx->stats.sess_connect++;
233                         s->init_num=0;
234                         break;
235
236                 case SSL3_ST_CW_CLNT_HELLO_A:
237                 case SSL3_ST_CW_CLNT_HELLO_B:
238
239                         s->shutdown=0;
240                         ret=ssl3_client_hello(s);
241                         if (ret <= 0) goto end;
242                         s->state=SSL3_ST_CR_SRVR_HELLO_A;
243                         s->init_num=0;
244
245                         /* turn on buffering for the next lot of output */
246                         if (s->bbio != s->wbio)
247                                 s->wbio=BIO_push(s->bbio,s->wbio);
248
249                         break;
250
251                 case SSL3_ST_CR_SRVR_HELLO_A:
252                 case SSL3_ST_CR_SRVR_HELLO_B:
253                         ret=ssl3_get_server_hello(s);
254                         if (ret <= 0) goto end;
255                         if (s->hit)
256                                 s->state=SSL3_ST_CR_FINISHED_A;
257                         else
258                                 s->state=SSL3_ST_CR_CERT_A;
259                         s->init_num=0;
260                         break;
261
262                 case SSL3_ST_CR_CERT_A:
263                 case SSL3_ST_CR_CERT_B:
264                         /* Check if it is anon DH */
265                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
266                                 {
267                                 ret=ssl3_get_server_certificate(s);
268                                 if (ret <= 0) goto end;
269                                 }
270                         else
271                                 skip=1;
272                         s->state=SSL3_ST_CR_KEY_EXCH_A;
273                         s->init_num=0;
274                         break;
275
276                 case SSL3_ST_CR_KEY_EXCH_A:
277                 case SSL3_ST_CR_KEY_EXCH_B:
278                         ret=ssl3_get_key_exchange(s);
279                         if (ret <= 0) goto end;
280                         s->state=SSL3_ST_CR_CERT_REQ_A;
281                         s->init_num=0;
282
283                         /* at this point we check that we have the
284                          * required stuff from the server */
285                         if (!ssl3_check_cert_and_algorithm(s))
286                                 {
287                                 ret= -1;
288                                 goto end;
289                                 }
290                         break;
291
292                 case SSL3_ST_CR_CERT_REQ_A:
293                 case SSL3_ST_CR_CERT_REQ_B:
294                         ret=ssl3_get_certificate_request(s);
295                         if (ret <= 0) goto end;
296                         s->state=SSL3_ST_CR_SRVR_DONE_A;
297                         s->init_num=0;
298                         break;
299
300                 case SSL3_ST_CR_SRVR_DONE_A:
301                 case SSL3_ST_CR_SRVR_DONE_B:
302                         ret=ssl3_get_server_done(s);
303                         if (ret <= 0) goto end;
304                         if (s->s3->tmp.cert_req)
305                                 s->state=SSL3_ST_CW_CERT_A;
306                         else
307                                 s->state=SSL3_ST_CW_KEY_EXCH_A;
308                         s->init_num=0;
309
310                         break;
311
312                 case SSL3_ST_CW_CERT_A:
313                 case SSL3_ST_CW_CERT_B:
314                 case SSL3_ST_CW_CERT_C:
315                 case SSL3_ST_CW_CERT_D:
316                         ret=ssl3_send_client_certificate(s);
317                         if (ret <= 0) goto end;
318                         s->state=SSL3_ST_CW_KEY_EXCH_A;
319                         s->init_num=0;
320                         break;
321
322                 case SSL3_ST_CW_KEY_EXCH_A:
323                 case SSL3_ST_CW_KEY_EXCH_B:
324                         ret=ssl3_send_client_key_exchange(s);
325                         if (ret <= 0) goto end;
326                         l=s->s3->tmp.new_cipher->algorithms;
327                         /* EAY EAY EAY need to check for DH fix cert
328                          * sent back */
329                         /* For TLS, cert_req is set to 2, so a cert chain
330                          * of nothing is sent, but no verify packet is sent */
331                         if (s->s3->tmp.cert_req == 1)
332                                 {
333                                 s->state=SSL3_ST_CW_CERT_VRFY_A;
334                                 }
335                         else
336                                 {
337                                 s->state=SSL3_ST_CW_CHANGE_A;
338                                 s->s3->change_cipher_spec=0;
339                                 }
340
341                         s->init_num=0;
342                         break;
343
344                 case SSL3_ST_CW_CERT_VRFY_A:
345                 case SSL3_ST_CW_CERT_VRFY_B:
346                         ret=ssl3_send_client_verify(s);
347                         if (ret <= 0) goto end;
348                         s->state=SSL3_ST_CW_CHANGE_A;
349                         s->init_num=0;
350                         s->s3->change_cipher_spec=0;
351                         break;
352
353                 case SSL3_ST_CW_CHANGE_A:
354                 case SSL3_ST_CW_CHANGE_B:
355                         ret=ssl3_send_change_cipher_spec(s,
356                                 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
357                         if (ret <= 0) goto end;
358                         s->state=SSL3_ST_CW_FINISHED_A;
359                         s->init_num=0;
360
361                         s->session->cipher=s->s3->tmp.new_cipher;
362                         if (s->s3->tmp.new_compression == NULL)
363                                 s->session->compress_meth=0;
364                         else
365                                 s->session->compress_meth=
366                                         s->s3->tmp.new_compression->id;
367                         if (!s->method->ssl3_enc->setup_key_block(s))
368                                 {
369                                 ret= -1;
370                                 goto end;
371                                 }
372
373                         if (!s->method->ssl3_enc->change_cipher_state(s,
374                                 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
375                                 {
376                                 ret= -1;
377                                 goto end;
378                                 }
379
380                         break;
381
382                 case SSL3_ST_CW_FINISHED_A:
383                 case SSL3_ST_CW_FINISHED_B:
384                         ret=ssl3_send_finished(s,
385                                 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
386                                 s->method->ssl3_enc->client_finished_label,
387                                 s->method->ssl3_enc->client_finished_label_len);
388                         if (ret <= 0) goto end;
389                         s->state=SSL3_ST_CW_FLUSH;
390
391                         /* clear flags */
392                         s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
393                         if (s->hit)
394                                 {
395                                 s->s3->tmp.next_state=SSL_ST_OK;
396                                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
397                                         {
398                                         s->state=SSL_ST_OK;
399                                         s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
400                                         s->s3->delay_buf_pop_ret=0;
401                                         }
402                                 }
403                         else
404                                 {
405                                 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
406                                 }
407                         s->init_num=0;
408                         break;
409
410                 case SSL3_ST_CR_FINISHED_A:
411                 case SSL3_ST_CR_FINISHED_B:
412
413                         ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
414                                 SSL3_ST_CR_FINISHED_B);
415                         if (ret <= 0) goto end;
416
417                         if (s->hit)
418                                 s->state=SSL3_ST_CW_CHANGE_A;
419                         else
420                                 s->state=SSL_ST_OK;
421                         s->init_num=0;
422                         break;
423
424                 case SSL3_ST_CW_FLUSH:
425                         /* number of bytes to be flushed */
426                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
427                         if (num1 > 0)
428                                 {
429                                 s->rwstate=SSL_WRITING;
430                                 num1=BIO_flush(s->wbio);
431                                 if (num1 <= 0) { ret= -1; goto end; }
432                                 s->rwstate=SSL_NOTHING;
433                                 }
434
435                         s->state=s->s3->tmp.next_state;
436                         break;
437
438                 case SSL_ST_OK:
439                         /* clean a few things up */
440                         ssl3_cleanup_key_block(s);
441
442                         if (s->init_buf != NULL)
443                                 {
444                                 BUF_MEM_free(s->init_buf);
445                                 s->init_buf=NULL;
446                                 }
447
448                         /* If we are not 'joining' the last two packets,
449                          * remove the buffering now */
450                         if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
451                                 ssl_free_wbio_buffer(s);
452                         /* else do it later in ssl3_write */
453
454                         s->init_num=0;
455                         s->new_session=0;
456
457                         ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
458                         if (s->hit) s->ctx->stats.sess_hit++;
459
460                         ret=1;
461                         /* s->server=0; */
462                         s->handshake_func=ssl3_connect;
463                         s->ctx->stats.sess_connect_good++;
464
465                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
466
467                         goto end;
468                         /* break; */
469                         
470                 default:
471                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
472                         ret= -1;
473                         goto end;
474                         /* break; */
475                         }
476
477                 /* did we do anything */
478                 if (!s->s3->tmp.reuse_message && !skip)
479                         {
480                         if (s->debug)
481                                 {
482                                 if ((ret=BIO_flush(s->wbio)) <= 0)
483                                         goto end;
484                                 }
485
486                         if ((cb != NULL) && (s->state != state))
487                                 {
488                                 new_state=s->state;
489                                 s->state=state;
490                                 cb(s,SSL_CB_CONNECT_LOOP,1);
491                                 s->state=new_state;
492                                 }
493                         }
494                 skip=0;
495                 }
496 end:
497         s->in_handshake--;
498         if (cb != NULL)
499                 cb(s,SSL_CB_CONNECT_EXIT,ret);
500         return(ret);
501         }
502
503
504 static int ssl3_client_hello(SSL *s)
505         {
506         unsigned char *buf;
507         unsigned char *p,*d;
508         int i,j;
509         unsigned long Time,l;
510         SSL_COMP *comp;
511
512         buf=(unsigned char *)s->init_buf->data;
513         if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
514                 {
515                 if ((s->session == NULL) ||
516                         (s->session->ssl_version != s->version) ||
517                         (s->session->not_resumable))
518                         {
519                         if (!ssl_get_new_session(s,0))
520                                 goto err;
521                         }
522                 /* else use the pre-loaded session */
523
524                 p=s->s3->client_random;
525                 Time=time(NULL);                        /* Time */
526                 l2n(Time,p);
527                 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
528
529                 /* Do the message type and length last */
530                 d=p= &(buf[4]);
531
532                 *(p++)=s->version>>8;
533                 *(p++)=s->version&0xff;
534                 s->client_version=s->version;
535
536                 /* Random stuff */
537                 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
538                 p+=SSL3_RANDOM_SIZE;
539
540                 /* Session ID */
541                 if (s->new_session)
542                         i=0;
543                 else
544                         i=s->session->session_id_length;
545                 *(p++)=i;
546                 if (i != 0)
547                         {
548                         memcpy(p,s->session->session_id,i);
549                         p+=i;
550                         }
551                 
552                 /* Ciphers supported */
553                 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
554                 if (i == 0)
555                         {
556                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
557                         goto err;
558                         }
559                 s2n(i,p);
560                 p+=i;
561
562                 /* COMPRESSION */
563                 if (s->ctx->comp_methods == NULL)
564                         j=0;
565                 else
566                         j=sk_SSL_COMP_num(s->ctx->comp_methods);
567                 *(p++)=1+j;
568                 for (i=0; i<j; i++)
569                         {
570                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
571                         *(p++)=comp->id;
572                         }
573                 *(p++)=0; /* Add the NULL method */
574                 
575                 l=(p-d);
576                 d=buf;
577                 *(d++)=SSL3_MT_CLIENT_HELLO;
578                 l2n3(l,d);
579
580                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
581                 /* number of bytes to write */
582                 s->init_num=p-buf;
583                 s->init_off=0;
584                 }
585
586         /* SSL3_ST_CW_CLNT_HELLO_B */
587         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
588 err:
589         return(-1);
590         }
591
592 static int ssl3_get_server_hello(SSL *s)
593         {
594         STACK_OF(SSL_CIPHER) *sk;
595         SSL_CIPHER *c;
596         unsigned char *p,*d;
597         int i,al,ok;
598         unsigned int j;
599         long n;
600         SSL_COMP *comp;
601
602         n=ssl3_get_message(s,
603                 SSL3_ST_CR_SRVR_HELLO_A,
604                 SSL3_ST_CR_SRVR_HELLO_B,
605                 SSL3_MT_SERVER_HELLO,
606                 300, /* ?? */
607                 &ok);
608
609         if (!ok) return((int)n);
610         d=p=(unsigned char *)s->init_msg;
611
612         if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
613                 {
614                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
615                 s->version=(s->version&0xff00)|p[1];
616                 al=SSL_AD_PROTOCOL_VERSION;
617                 goto f_err;
618                 }
619         p+=2;
620
621         /* load the server hello data */
622         /* load the server random */
623         memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
624         p+=SSL3_RANDOM_SIZE;
625
626         /* get the session-id */
627         j= *(p++);
628
629         if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
630                 {
631                 /* SSLref returns 16 :-( */
632                 if (j < SSL2_SSL_SESSION_ID_LENGTH)
633                         {
634                         al=SSL_AD_ILLEGAL_PARAMETER;
635                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
636                         goto f_err;
637                         }
638                 }
639         if (j != 0 && j == s->session->session_id_length
640             && memcmp(p,s->session->session_id,j) == 0)
641             {
642             if(s->sid_ctx_length != s->session->sid_ctx_length
643                || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
644                 {
645                 al=SSL_AD_ILLEGAL_PARAMETER;
646                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
647                 goto f_err;
648                 }
649             s->hit=1;
650             }
651         else    /* a miss or crap from the other end */
652                 {
653                 /* If we were trying for session-id reuse, make a new
654                  * SSL_SESSION so we don't stuff up other people */
655                 s->hit=0;
656                 if (s->session->session_id_length > 0)
657                         {
658                         if (!ssl_get_new_session(s,0))
659                                 {
660                                 al=SSL_AD_INTERNAL_ERROR;
661                                 goto f_err;
662                                 }
663                         }
664                 s->session->session_id_length=j;
665                 memcpy(s->session->session_id,p,j); /* j could be 0 */
666                 }
667         p+=j;
668         c=ssl_get_cipher_by_char(s,p);
669         if (c == NULL)
670                 {
671                 /* unknown cipher */
672                 al=SSL_AD_ILLEGAL_PARAMETER;
673                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
674                 goto f_err;
675                 }
676         p+=ssl_put_cipher_by_char(s,NULL,NULL);
677
678         sk=ssl_get_ciphers_by_id(s);
679         i=sk_SSL_CIPHER_find(sk,c);
680         if (i < 0)
681                 {
682                 /* we did not say we would use this cipher */
683                 al=SSL_AD_ILLEGAL_PARAMETER;
684                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
685                 goto f_err;
686                 }
687
688         if (s->hit && (s->session->cipher != c))
689                 {
690                 if (!(s->options &
691                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
692                         {
693                         al=SSL_AD_ILLEGAL_PARAMETER;
694                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
695                         goto f_err;
696                         }
697                 }
698         s->s3->tmp.new_cipher=c;
699
700         /* lets get the compression algorithm */
701         /* COMPRESSION */
702         j= *(p++);
703         if (j == 0)
704                 comp=NULL;
705         else
706                 comp=ssl3_comp_find(s->ctx->comp_methods,j);
707         
708         if ((j != 0) && (comp == NULL))
709                 {
710                 al=SSL_AD_ILLEGAL_PARAMETER;
711                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
712                 goto f_err;
713                 }
714         else
715                 {
716                 s->s3->tmp.new_compression=comp;
717                 }
718
719         if (p != (d+n))
720                 {
721                 /* wrong packet length */
722                 al=SSL_AD_DECODE_ERROR;
723                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
724                 goto err;
725                 }
726
727         return(1);
728 f_err:
729         ssl3_send_alert(s,SSL3_AL_FATAL,al);
730 err:
731         return(-1);
732         }
733
734 static int ssl3_get_server_certificate(SSL *s)
735         {
736         int al,i,ok,ret= -1;
737         unsigned long n,nc,llen,l;
738         X509 *x=NULL;
739         unsigned char *p,*d,*q;
740         STACK_OF(X509) *sk=NULL;
741         SESS_CERT *sc;
742         EVP_PKEY *pkey=NULL;
743         int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
744
745         n=ssl3_get_message(s,
746                 SSL3_ST_CR_CERT_A,
747                 SSL3_ST_CR_CERT_B,
748                 -1,
749                 s->max_cert_list,
750                 &ok);
751
752         if (!ok) return((int)n);
753
754         if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
755                 {
756                 s->s3->tmp.reuse_message=1;
757                 return(1);
758                 }
759
760         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
761                 {
762                 al=SSL_AD_UNEXPECTED_MESSAGE;
763                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
764                 goto f_err;
765                 }
766         d=p=(unsigned char *)s->init_msg;
767
768         if ((sk=sk_X509_new_null()) == NULL)
769                 {
770                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
771                 goto err;
772                 }
773
774         n2l3(p,llen);
775         if (llen+3 != n)
776                 {
777                 al=SSL_AD_DECODE_ERROR;
778                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
779                 goto f_err;
780                 }
781         for (nc=0; nc<llen; )
782                 {
783                 n2l3(p,l);
784                 if ((l+nc+3) > llen)
785                         {
786                         al=SSL_AD_DECODE_ERROR;
787                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
788                         goto f_err;
789                         }
790
791                 q=p;
792                 x=d2i_X509(NULL,&q,l);
793                 if (x == NULL)
794                         {
795                         al=SSL_AD_BAD_CERTIFICATE;
796                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
797                         goto f_err;
798                         }
799                 if (q != (p+l))
800                         {
801                         al=SSL_AD_DECODE_ERROR;
802                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
803                         goto f_err;
804                         }
805                 if (!sk_X509_push(sk,x))
806                         {
807                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
808                         goto err;
809                         }
810                 x=NULL;
811                 nc+=l+3;
812                 p=q;
813                 }
814
815         i=ssl_verify_cert_chain(s,sk);
816         if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
817 #ifndef OPENSSL_NO_KRB5
818                 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
819                 != (SSL_aKRB5|SSL_kKRB5)
820 #endif /* OPENSSL_NO_KRB5 */
821                 )
822                 {
823                 al=ssl_verify_alarm_type(s->verify_result);
824                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
825                 goto f_err; 
826                 }
827         ERR_clear_error(); /* but we keep s->verify_result */
828
829         sc=ssl_sess_cert_new();
830         if (sc == NULL) goto err;
831
832         if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
833         s->session->sess_cert=sc;
834
835         sc->cert_chain=sk;
836         /* Inconsistency alert: cert_chain does include the peer's
837          * certificate, which we don't include in s3_srvr.c */
838         x=sk_X509_value(sk,0);
839         sk=NULL;
840         /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
841
842         pkey=X509_get_pubkey(x);
843
844         /* VRS: allow null cert if auth == KRB5 */
845         need_cert =     ((s->s3->tmp.new_cipher->algorithms
846                         & (SSL_MKEY_MASK|SSL_AUTH_MASK))
847                         == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
848
849 #ifdef KSSL_DEBUG
850         printf("pkey,x = %p, %p\n", pkey,x);
851         printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
852         printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
853                 s->s3->tmp.new_cipher->algorithms, need_cert);
854 #endif    /* KSSL_DEBUG */
855
856         if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
857                 {
858                 x=NULL;
859                 al=SSL3_AL_FATAL;
860                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
861                         SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
862                 goto f_err;
863                 }
864
865         i=ssl_cert_type(x,pkey);
866         if (need_cert && i < 0)
867                 {
868                 x=NULL;
869                 al=SSL3_AL_FATAL;
870                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
871                         SSL_R_UNKNOWN_CERTIFICATE_TYPE);
872                 goto f_err;
873                 }
874
875         if (need_cert)
876                 {
877                 sc->peer_cert_type=i;
878                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
879                 /* Why would the following ever happen?
880                  * We just created sc a couple of lines ago. */
881                 if (sc->peer_pkeys[i].x509 != NULL)
882                         X509_free(sc->peer_pkeys[i].x509);
883                 sc->peer_pkeys[i].x509=x;
884                 sc->peer_key= &(sc->peer_pkeys[i]);
885
886                 if (s->session->peer != NULL)
887                         X509_free(s->session->peer);
888                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
889                 s->session->peer=x;
890                 }
891         else
892                 {
893                 sc->peer_cert_type=i;
894                 sc->peer_key= NULL;
895
896                 if (s->session->peer != NULL)
897                         X509_free(s->session->peer);
898                 s->session->peer=NULL;
899                 }
900         s->session->verify_result = s->verify_result;
901
902         x=NULL;
903         ret=1;
904
905         if (0)
906                 {
907 f_err:
908                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
909                 }
910 err:
911         EVP_PKEY_free(pkey);
912         X509_free(x);
913         sk_X509_pop_free(sk,X509_free);
914         return(ret);
915         }
916
917 static int ssl3_get_key_exchange(SSL *s)
918         {
919 #ifndef OPENSSL_NO_RSA
920         unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
921 #endif
922         EVP_MD_CTX md_ctx;
923         unsigned char *param,*p;
924         int al,i,j,param_len,ok;
925         long n,alg;
926         EVP_PKEY *pkey=NULL;
927 #ifndef OPENSSL_NO_RSA
928         RSA *rsa=NULL;
929 #endif
930 #ifndef OPENSSL_NO_DH
931         DH *dh=NULL;
932 #endif
933
934         /* use same message size as in ssl3_get_certificate_request()
935          * as ServerKeyExchange message may be skipped */
936         n=ssl3_get_message(s,
937                 SSL3_ST_CR_KEY_EXCH_A,
938                 SSL3_ST_CR_KEY_EXCH_B,
939                 -1,
940                 s->max_cert_list,
941                 &ok);
942
943         if (!ok) return((int)n);
944
945         if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
946                 {
947                 s->s3->tmp.reuse_message=1;
948                 return(1);
949                 }
950
951         param=p=(unsigned char *)s->init_msg;
952
953         if (s->session->sess_cert != NULL)
954                 {
955 #ifndef OPENSSL_NO_RSA
956                 if (s->session->sess_cert->peer_rsa_tmp != NULL)
957                         {
958                         RSA_free(s->session->sess_cert->peer_rsa_tmp);
959                         s->session->sess_cert->peer_rsa_tmp=NULL;
960                         }
961 #endif
962 #ifndef OPENSSL_NO_DH
963                 if (s->session->sess_cert->peer_dh_tmp)
964                         {
965                         DH_free(s->session->sess_cert->peer_dh_tmp);
966                         s->session->sess_cert->peer_dh_tmp=NULL;
967                         }
968 #endif
969                 }
970         else
971                 {
972                 s->session->sess_cert=ssl_sess_cert_new();
973                 }
974
975         param_len=0;
976         alg=s->s3->tmp.new_cipher->algorithms;
977         EVP_MD_CTX_init(&md_ctx);
978
979 #ifndef OPENSSL_NO_RSA
980         if (alg & SSL_kRSA)
981                 {
982                 if ((rsa=RSA_new()) == NULL)
983                         {
984                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
985                         goto err;
986                         }
987                 n2s(p,i);
988                 param_len=i+2;
989                 if (param_len > n)
990                         {
991                         al=SSL_AD_DECODE_ERROR;
992                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
993                         goto f_err;
994                         }
995                 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
996                         {
997                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
998                         goto err;
999                         }
1000                 p+=i;
1001
1002                 n2s(p,i);
1003                 param_len+=i+2;
1004                 if (param_len > n)
1005                         {
1006                         al=SSL_AD_DECODE_ERROR;
1007                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1008                         goto f_err;
1009                         }
1010                 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1011                         {
1012                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1013                         goto err;
1014                         }
1015                 p+=i;
1016                 n-=param_len;
1017
1018                 /* this should be because we are using an export cipher */
1019                 if (alg & SSL_aRSA)
1020                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1021                 else
1022                         {
1023                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1024                         goto err;
1025                         }
1026                 s->session->sess_cert->peer_rsa_tmp=rsa;
1027                 rsa=NULL;
1028                 }
1029 #else /* OPENSSL_NO_RSA */
1030         if (0)
1031                 ;
1032 #endif
1033 #ifndef OPENSSL_NO_DH
1034         else if (alg & SSL_kEDH)
1035                 {
1036                 if ((dh=DH_new()) == NULL)
1037                         {
1038                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1039                         goto err;
1040                         }
1041                 n2s(p,i);
1042                 param_len=i+2;
1043                 if (param_len > n)
1044                         {
1045                         al=SSL_AD_DECODE_ERROR;
1046                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1047                         goto f_err;
1048                         }
1049                 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1050                         {
1051                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1052                         goto err;
1053                         }
1054                 p+=i;
1055
1056                 n2s(p,i);
1057                 param_len+=i+2;
1058                 if (param_len > n)
1059                         {
1060                         al=SSL_AD_DECODE_ERROR;
1061                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1062                         goto f_err;
1063                         }
1064                 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1065                         {
1066                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1067                         goto err;
1068                         }
1069                 p+=i;
1070
1071                 n2s(p,i);
1072                 param_len+=i+2;
1073                 if (param_len > n)
1074                         {
1075                         al=SSL_AD_DECODE_ERROR;
1076                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1077                         goto f_err;
1078                         }
1079                 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1080                         {
1081                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1082                         goto err;
1083                         }
1084                 p+=i;
1085                 n-=param_len;
1086
1087 #ifndef OPENSSL_NO_RSA
1088                 if (alg & SSL_aRSA)
1089                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1090 #else
1091                 if (0)
1092                         ;
1093 #endif
1094 #ifndef OPENSSL_NO_DSA
1095                 else if (alg & SSL_aDSS)
1096                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1097 #endif
1098                 /* else anonymous DH, so no certificate or pkey. */
1099
1100                 s->session->sess_cert->peer_dh_tmp=dh;
1101                 dh=NULL;
1102                 }
1103         else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1104                 {
1105                 al=SSL_AD_ILLEGAL_PARAMETER;
1106                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1107                 goto f_err;
1108                 }
1109 #endif /* !OPENSSL_NO_DH */
1110         if (alg & SSL_aFZA)
1111                 {
1112                 al=SSL_AD_HANDSHAKE_FAILURE;
1113                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1114                 goto f_err;
1115                 }
1116
1117
1118         /* p points to the next byte, there are 'n' bytes left */
1119
1120
1121         /* if it was signed, check the signature */
1122         if (pkey != NULL)
1123                 {
1124                 n2s(p,i);
1125                 n-=2;
1126                 j=EVP_PKEY_size(pkey);
1127
1128                 if ((i != n) || (n > j) || (n <= 0))
1129                         {
1130                         /* wrong packet length */
1131                         al=SSL_AD_DECODE_ERROR;
1132                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1133                         goto f_err;
1134                         }
1135
1136 #ifndef OPENSSL_NO_RSA
1137                 if (pkey->type == EVP_PKEY_RSA)
1138                         {
1139                         int num;
1140
1141                         j=0;
1142                         q=md_buf;
1143                         for (num=2; num > 0; num--)
1144                                 {
1145                                 EVP_DigestInit_ex(&md_ctx,(num == 2)
1146                                         ?s->ctx->md5:s->ctx->sha1, NULL);
1147                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1148                                 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1149                                 EVP_DigestUpdate(&md_ctx,param,param_len);
1150                                 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1151                                 q+=i;
1152                                 j+=i;
1153                                 }
1154                         i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1155                                                                 pkey->pkey.rsa);
1156                         if (i < 0)
1157                                 {
1158                                 al=SSL_AD_DECRYPT_ERROR;
1159                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1160                                 goto f_err;
1161                                 }
1162                         if (i == 0)
1163                                 {
1164                                 /* bad signature */
1165                                 al=SSL_AD_DECRYPT_ERROR;
1166                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1167                                 goto f_err;
1168                                 }
1169                         }
1170                 else
1171 #endif
1172 #ifndef OPENSSL_NO_DSA
1173                         if (pkey->type == EVP_PKEY_DSA)
1174                         {
1175                         /* lets do DSS */
1176                         EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1177                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1178                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1179                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1180                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1181                                 {
1182                                 /* bad signature */
1183                                 al=SSL_AD_DECRYPT_ERROR;
1184                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1185                                 goto f_err;
1186                                 }
1187                         }
1188                 else
1189 #endif
1190                         {
1191                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1192                         goto err;
1193                         }
1194                 }
1195         else
1196                 {
1197                 /* still data left over */
1198                 if (!(alg & SSL_aNULL))
1199                         {
1200                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1201                         goto err;
1202                         }
1203                 if (n != 0)
1204                         {
1205                         al=SSL_AD_DECODE_ERROR;
1206                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1207                         goto f_err;
1208                         }
1209                 }
1210         EVP_PKEY_free(pkey);
1211         EVP_MD_CTX_cleanup(&md_ctx);
1212         return(1);
1213 f_err:
1214         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1215 err:
1216         EVP_PKEY_free(pkey);
1217 #ifndef OPENSSL_NO_RSA
1218         if (rsa != NULL)
1219                 RSA_free(rsa);
1220 #endif
1221 #ifndef OPENSSL_NO_DH
1222         if (dh != NULL)
1223                 DH_free(dh);
1224 #endif
1225         EVP_MD_CTX_cleanup(&md_ctx);
1226         return(-1);
1227         }
1228
1229 static int ssl3_get_certificate_request(SSL *s)
1230         {
1231         int ok,ret=0;
1232         unsigned long n,nc,l;
1233         unsigned int llen,ctype_num,i;
1234         X509_NAME *xn=NULL;
1235         unsigned char *p,*d,*q;
1236         STACK_OF(X509_NAME) *ca_sk=NULL;
1237
1238         n=ssl3_get_message(s,
1239                 SSL3_ST_CR_CERT_REQ_A,
1240                 SSL3_ST_CR_CERT_REQ_B,
1241                 -1,
1242                 s->max_cert_list,
1243                 &ok);
1244
1245         if (!ok) return((int)n);
1246
1247         s->s3->tmp.cert_req=0;
1248
1249         if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1250                 {
1251                 s->s3->tmp.reuse_message=1;
1252                 return(1);
1253                 }
1254
1255         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1256                 {
1257                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1258                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1259                 goto err;
1260                 }
1261
1262         /* TLS does not like anon-DH with client cert */
1263         if (s->version > SSL3_VERSION)
1264                 {
1265                 l=s->s3->tmp.new_cipher->algorithms;
1266                 if (l & SSL_aNULL)
1267                         {
1268                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1269                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1270                         goto err;
1271                         }
1272                 }
1273
1274         d=p=(unsigned char *)s->init_msg;
1275
1276         if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1277                 {
1278                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1279                 goto err;
1280                 }
1281
1282         /* get the certificate types */
1283         ctype_num= *(p++);
1284         if (ctype_num > SSL3_CT_NUMBER)
1285                 ctype_num=SSL3_CT_NUMBER;
1286         for (i=0; i<ctype_num; i++)
1287                 s->s3->tmp.ctype[i]= p[i];
1288         p+=ctype_num;
1289
1290         /* get the CA RDNs */
1291         n2s(p,llen);
1292 #if 0
1293 {
1294 FILE *out;
1295 out=fopen("/tmp/vsign.der","w");
1296 fwrite(p,1,llen,out);
1297 fclose(out);
1298 }
1299 #endif
1300
1301         if ((llen+ctype_num+2+1) != n)
1302                 {
1303                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1304                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1305                 goto err;
1306                 }
1307
1308         for (nc=0; nc<llen; )
1309                 {
1310                 n2s(p,l);
1311                 if ((l+nc+2) > llen)
1312                         {
1313                         if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1314                                 goto cont; /* netscape bugs */
1315                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1316                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1317                         goto err;
1318                         }
1319
1320                 q=p;
1321
1322                 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1323                         {
1324                         /* If netscape tolerance is on, ignore errors */
1325                         if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1326                                 goto cont;
1327                         else
1328                                 {
1329                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1330                                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1331                                 goto err;
1332                                 }
1333                         }
1334
1335                 if (q != (p+l))
1336                         {
1337                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1338                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1339                         goto err;
1340                         }
1341                 if (!sk_X509_NAME_push(ca_sk,xn))
1342                         {
1343                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1344                         goto err;
1345                         }
1346
1347                 p+=l;
1348                 nc+=l+2;
1349                 }
1350
1351         if (0)
1352                 {
1353 cont:
1354                 ERR_clear_error();
1355                 }
1356
1357         /* we should setup a certificate to return.... */
1358         s->s3->tmp.cert_req=1;
1359         s->s3->tmp.ctype_num=ctype_num;
1360         if (s->s3->tmp.ca_names != NULL)
1361                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1362         s->s3->tmp.ca_names=ca_sk;
1363         ca_sk=NULL;
1364
1365         ret=1;
1366 err:
1367         if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1368         return(ret);
1369         }
1370
1371 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1372         {
1373         return(X509_NAME_cmp(*a,*b));
1374         }
1375
1376 static int ssl3_get_server_done(SSL *s)
1377         {
1378         int ok,ret=0;
1379         long n;
1380
1381         n=ssl3_get_message(s,
1382                 SSL3_ST_CR_SRVR_DONE_A,
1383                 SSL3_ST_CR_SRVR_DONE_B,
1384                 SSL3_MT_SERVER_DONE,
1385                 30, /* should be very small, like 0 :-) */
1386                 &ok);
1387
1388         if (!ok) return((int)n);
1389         if (n > 0)
1390                 {
1391                 /* should contain no data */
1392                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1393                 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1394                 return -1;
1395                 }
1396         ret=1;
1397         return(ret);
1398         }
1399
1400 static int ssl3_send_client_key_exchange(SSL *s)
1401         {
1402         unsigned char *p,*d;
1403         int n;
1404         unsigned long l;
1405 #ifndef OPENSSL_NO_RSA
1406         unsigned char *q;
1407         EVP_PKEY *pkey=NULL;
1408 #endif
1409 #ifndef OPENSSL_NO_KRB5
1410         KSSL_ERR kssl_err;
1411 #endif /* OPENSSL_NO_KRB5 */
1412
1413         if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1414                 {
1415                 d=(unsigned char *)s->init_buf->data;
1416                 p= &(d[4]);
1417
1418                 l=s->s3->tmp.new_cipher->algorithms;
1419
1420                 /* Fool emacs indentation */
1421                 if (0) {}
1422 #ifndef OPENSSL_NO_RSA
1423                 else if (l & SSL_kRSA)
1424                         {
1425                         RSA *rsa;
1426                         unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1427
1428                         if (s->session->sess_cert->peer_rsa_tmp != NULL)
1429                                 rsa=s->session->sess_cert->peer_rsa_tmp;
1430                         else
1431                                 {
1432                                 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1433                                 if ((pkey == NULL) ||
1434                                         (pkey->type != EVP_PKEY_RSA) ||
1435                                         (pkey->pkey.rsa == NULL))
1436                                         {
1437                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1438                                         goto err;
1439                                         }
1440                                 rsa=pkey->pkey.rsa;
1441                                 EVP_PKEY_free(pkey);
1442                                 }
1443                                 
1444                         tmp_buf[0]=s->client_version>>8;
1445                         tmp_buf[1]=s->client_version&0xff;
1446                         if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
1447                                         goto err;
1448
1449                         s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
1450
1451                         q=p;
1452                         /* Fix buf for TLS and beyond */
1453                         if (s->version > SSL3_VERSION)
1454                                 p+=2;
1455                         n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
1456                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1457 #ifdef PKCS1_CHECK
1458                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1459                         if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1460 #endif
1461                         if (n <= 0)
1462                                 {
1463                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1464                                 goto err;
1465                                 }
1466
1467                         /* Fix buf for TLS and beyond */
1468                         if (s->version > SSL3_VERSION)
1469                                 {
1470                                 s2n(n,q);
1471                                 n+=2;
1472                                 }
1473
1474                         s->session->master_key_length=
1475                                 s->method->ssl3_enc->generate_master_secret(s,
1476                                         s->session->master_key,
1477                                         tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
1478                         memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
1479                         }
1480 #endif
1481 #ifndef OPENSSL_NO_KRB5
1482                 else if (l & SSL_kKRB5)
1483                         {
1484                         krb5_error_code krb5rc;
1485                         KSSL_CTX        *kssl_ctx = s->kssl_ctx;
1486                         /*  krb5_data   krb5_ap_req;  */
1487                         krb5_data       *enc_ticket;
1488                         krb5_data       authenticator, *authp = NULL;
1489                         EVP_CIPHER_CTX  ciph_ctx;
1490                         EVP_CIPHER      *enc = NULL;
1491                         unsigned char   iv[EVP_MAX_IV_LENGTH];
1492                         unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1493                         unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH 
1494                                                 + EVP_MAX_IV_LENGTH];
1495                         int             padl, outl = sizeof(epms);
1496
1497 #ifdef KSSL_DEBUG
1498                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1499                                 l, SSL_kKRB5);
1500 #endif  /* KSSL_DEBUG */
1501
1502                         authp = NULL;
1503 #ifdef KRB5SENDAUTH
1504                         if (KRB5SENDAUTH)  authp = &authenticator;
1505 #endif  /* KRB5SENDAUTH */
1506
1507                         krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
1508                                 &kssl_err);
1509                         enc = kssl_map_enc(kssl_ctx->enctype);
1510                         if (enc == NULL)
1511                             goto err;
1512 #ifdef KSSL_DEBUG
1513                         {
1514                         printf("kssl_cget_tkt rtn %d\n", krb5rc);
1515                         if (krb5rc && kssl_err.text)
1516                           printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
1517                         }
1518 #endif  /* KSSL_DEBUG */
1519
1520                         if (krb5rc)
1521                                 {
1522                                 ssl3_send_alert(s,SSL3_AL_FATAL,
1523                                                 SSL_AD_HANDSHAKE_FAILURE);
1524                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1525                                                 kssl_err.reason);
1526                                 goto err;
1527                                 }
1528
1529                         /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
1530                         **  in place of RFC 2712 KerberosWrapper, as in:
1531                         **
1532                         **  Send ticket (copy to *p, set n = length)
1533                         **  n = krb5_ap_req.length;
1534                         **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1535                         **  if (krb5_ap_req.data)  
1536                         **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1537                         **
1538                         **  Now using real RFC 2712 KerberosWrapper
1539                         **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1540                         **  Note: 2712 "opaque" types are here replaced
1541                         **  with a 2-byte length followed by the value.
1542                         **  Example:
1543                         **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1544                         **  Where "xx xx" = length bytes.  Shown here with
1545                         **  optional authenticator omitted.
1546                         */
1547
1548                         /*  KerberosWrapper.Ticket              */
1549                         s2n(enc_ticket->length,p);
1550                         memcpy(p, enc_ticket->data, enc_ticket->length);
1551                         p+= enc_ticket->length;
1552                         n = enc_ticket->length + 2;
1553
1554                         /*  KerberosWrapper.Authenticator       */
1555                         if (authp  &&  authp->length)  
1556                                 {
1557                                 s2n(authp->length,p);
1558                                 memcpy(p, authp->data, authp->length);
1559                                 p+= authp->length;
1560                                 n+= authp->length + 2;
1561                                 
1562                                 free(authp->data);
1563                                 authp->data = NULL;
1564                                 authp->length = 0;
1565                                 }
1566                         else
1567                                 {
1568                                 s2n(0,p);/*  null authenticator length  */
1569                                 n+=2;
1570                                 }
1571  
1572                         if (RAND_bytes(tmp_buf,SSL_MAX_MASTER_KEY_LENGTH) <= 0)
1573                             goto err;
1574
1575                         /*  20010420 VRS.  Tried it this way; failed.
1576                         **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
1577                         **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
1578                         **                              kssl_ctx->length);
1579                         **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
1580                         */
1581
1582                         memset(iv, 0, EVP_MAX_IV_LENGTH);  /* per RFC 1510 */
1583                         EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
1584                                 kssl_ctx->key,iv);
1585                         EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
1586                                 SSL_MAX_MASTER_KEY_LENGTH);
1587                         EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
1588                         outl += padl;
1589                         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1590
1591                         /*  KerberosWrapper.EncryptedPreMasterSecret    */
1592                         s2n(outl,p);
1593                         memcpy(p, epms, outl);
1594                         p+=outl;
1595                         n+=outl + 2;
1596
1597                         s->session->master_key_length=
1598                                 s->method->ssl3_enc->generate_master_secret(s,
1599                                         s->session->master_key,
1600                                         tmp_buf, SSL_MAX_MASTER_KEY_LENGTH);
1601
1602                         memset(tmp_buf, 0, SSL_MAX_MASTER_KEY_LENGTH);
1603                         memset(epms, 0, outl);
1604                         }
1605 #endif
1606 #ifndef OPENSSL_NO_DH
1607                 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1608                         {
1609                         DH *dh_srvr,*dh_clnt;
1610
1611                         if (s->session->sess_cert->peer_dh_tmp != NULL)
1612                                 dh_srvr=s->session->sess_cert->peer_dh_tmp;
1613                         else
1614                                 {
1615                                 /* we get them from the cert */
1616                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1617                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1618                                 goto err;
1619                                 }
1620                         
1621                         /* generate a new random key */
1622                         if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
1623                                 {
1624                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1625                                 goto err;
1626                                 }
1627                         if (!DH_generate_key(dh_clnt))
1628                                 {
1629                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1630                                 goto err;
1631                                 }
1632
1633                         /* use the 'p' output buffer for the DH key, but
1634                          * make sure to clear it out afterwards */
1635
1636                         n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
1637
1638                         if (n <= 0)
1639                                 {
1640                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1641                                 goto err;
1642                                 }
1643
1644                         /* generate master key from the result */
1645                         s->session->master_key_length=
1646                                 s->method->ssl3_enc->generate_master_secret(s,
1647                                         s->session->master_key,p,n);
1648                         /* clean up */
1649                         memset(p,0,n);
1650
1651                         /* send off the data */
1652                         n=BN_num_bytes(dh_clnt->pub_key);
1653                         s2n(n,p);
1654                         BN_bn2bin(dh_clnt->pub_key,p);
1655                         n+=2;
1656
1657                         DH_free(dh_clnt);
1658
1659                         /* perhaps clean things up a bit EAY EAY EAY EAY*/
1660                         }
1661 #endif
1662                 else
1663                         {
1664                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1665                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1666                         goto err;
1667                         }
1668                 
1669                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
1670                 l2n3(n,d);
1671
1672                 s->state=SSL3_ST_CW_KEY_EXCH_B;
1673                 /* number of bytes to write */
1674                 s->init_num=n+4;
1675                 s->init_off=0;
1676                 }
1677
1678         /* SSL3_ST_CW_KEY_EXCH_B */
1679         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1680 err:
1681         return(-1);
1682         }
1683
1684 static int ssl3_send_client_verify(SSL *s)
1685         {
1686         unsigned char *p,*d;
1687         unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
1688         EVP_PKEY *pkey;
1689 #ifndef OPENSSL_NO_RSA
1690         unsigned u=0;
1691 #endif
1692         unsigned long n;
1693 #ifndef OPENSSL_NO_DSA
1694         int j;
1695 #endif
1696
1697         if (s->state == SSL3_ST_CW_CERT_VRFY_A)
1698                 {
1699                 d=(unsigned char *)s->init_buf->data;
1700                 p= &(d[4]);
1701                 pkey=s->cert->key->privatekey;
1702
1703                 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
1704                         &(data[MD5_DIGEST_LENGTH]));
1705
1706 #ifndef OPENSSL_NO_RSA
1707                 if (pkey->type == EVP_PKEY_RSA)
1708                         {
1709                         s->method->ssl3_enc->cert_verify_mac(s,
1710                                 &(s->s3->finish_dgst1),&(data[0]));
1711                         if (RSA_sign(NID_md5_sha1, data,
1712                                          MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
1713                                         &(p[2]), &u, pkey->pkey.rsa) <= 0 )
1714                                 {
1715                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
1716                                 goto err;
1717                                 }
1718                         s2n(u,p);
1719                         n=u+2;
1720                         }
1721                 else
1722 #endif
1723 #ifndef OPENSSL_NO_DSA
1724                         if (pkey->type == EVP_PKEY_DSA)
1725                         {
1726                         if (!DSA_sign(pkey->save_type,
1727                                 &(data[MD5_DIGEST_LENGTH]),
1728                                 SHA_DIGEST_LENGTH,&(p[2]),
1729                                 (unsigned int *)&j,pkey->pkey.dsa))
1730                                 {
1731                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
1732                                 goto err;
1733                                 }
1734                         s2n(j,p);
1735                         n=j+2;
1736                         }
1737                 else
1738 #endif
1739                         {
1740                         SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
1741                         goto err;
1742                         }
1743                 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
1744                 l2n3(n,d);
1745
1746                 s->init_num=(int)n+4;
1747                 s->init_off=0;
1748                 }
1749         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1750 err:
1751         return(-1);
1752         }
1753
1754 static int ssl3_send_client_certificate(SSL *s)
1755         {
1756         X509 *x509=NULL;
1757         EVP_PKEY *pkey=NULL;
1758         int i;
1759         unsigned long l;
1760
1761         if (s->state == SSL3_ST_CW_CERT_A)
1762                 {
1763                 if ((s->cert == NULL) ||
1764                         (s->cert->key->x509 == NULL) ||
1765                         (s->cert->key->privatekey == NULL))
1766                         s->state=SSL3_ST_CW_CERT_B;
1767                 else
1768                         s->state=SSL3_ST_CW_CERT_C;
1769                 }
1770
1771         /* We need to get a client cert */
1772         if (s->state == SSL3_ST_CW_CERT_B)
1773                 {
1774                 /* If we get an error, we need to
1775                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
1776                  * We then get retied later */
1777                 i=0;
1778                 if (s->ctx->client_cert_cb != NULL)
1779                         i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
1780                 if (i < 0)
1781                         {
1782                         s->rwstate=SSL_X509_LOOKUP;
1783                         return(-1);
1784                         }
1785                 s->rwstate=SSL_NOTHING;
1786                 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
1787                         {
1788                         s->state=SSL3_ST_CW_CERT_B;
1789                         if (    !SSL_use_certificate(s,x509) ||
1790                                 !SSL_use_PrivateKey(s,pkey))
1791                                 i=0;
1792                         }
1793                 else if (i == 1)
1794                         {
1795                         i=0;
1796                         SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
1797                         }
1798
1799                 if (x509 != NULL) X509_free(x509);
1800                 if (pkey != NULL) EVP_PKEY_free(pkey);
1801                 if (i == 0)
1802                         {
1803                         if (s->version == SSL3_VERSION)
1804                                 {
1805                                 s->s3->tmp.cert_req=0;
1806                                 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
1807                                 return(1);
1808                                 }
1809                         else
1810                                 {
1811                                 s->s3->tmp.cert_req=2;
1812                                 }
1813                         }
1814
1815                 /* Ok, we have a cert */
1816                 s->state=SSL3_ST_CW_CERT_C;
1817                 }
1818
1819         if (s->state == SSL3_ST_CW_CERT_C)
1820                 {
1821                 s->state=SSL3_ST_CW_CERT_D;
1822                 l=ssl3_output_cert_chain(s,
1823                         (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
1824                 s->init_num=(int)l;
1825                 s->init_off=0;
1826                 }
1827         /* SSL3_ST_CW_CERT_D */
1828         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1829         }
1830
1831 #define has_bits(i,m)   (((i)&(m)) == (m))
1832
1833 static int ssl3_check_cert_and_algorithm(SSL *s)
1834         {
1835         int i,idx;
1836         long algs;
1837         EVP_PKEY *pkey=NULL;
1838         SESS_CERT *sc;
1839 #ifndef OPENSSL_NO_RSA
1840         RSA *rsa;
1841 #endif
1842 #ifndef OPENSSL_NO_DH
1843         DH *dh;
1844 #endif
1845
1846         sc=s->session->sess_cert;
1847
1848         if (sc == NULL)
1849                 {
1850                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
1851                 goto err;
1852                 }
1853
1854         algs=s->s3->tmp.new_cipher->algorithms;
1855
1856         /* we don't have a certificate */
1857         if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
1858                 return(1);
1859
1860 #ifndef OPENSSL_NO_RSA
1861         rsa=s->session->sess_cert->peer_rsa_tmp;
1862 #endif
1863 #ifndef OPENSSL_NO_DH
1864         dh=s->session->sess_cert->peer_dh_tmp;
1865 #endif
1866
1867         /* This is the passed certificate */
1868
1869         idx=sc->peer_cert_type;
1870         pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
1871         i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
1872         EVP_PKEY_free(pkey);
1873
1874         
1875         /* Check that we have a certificate if we require one */
1876         if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
1877                 {
1878                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
1879                 goto f_err;
1880                 }
1881 #ifndef OPENSSL_NO_DSA
1882         else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
1883                 {
1884                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
1885                 goto f_err;
1886                 }
1887 #endif
1888 #ifndef OPENSSL_NO_RSA
1889         if ((algs & SSL_kRSA) &&
1890                 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
1891                 {
1892                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
1893                 goto f_err;
1894                 }
1895 #endif
1896 #ifndef OPENSSL_NO_DH
1897         if ((algs & SSL_kEDH) &&
1898                 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
1899                 {
1900                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
1901                 goto f_err;
1902                 }
1903         else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
1904                 {
1905                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
1906                 goto f_err;
1907                 }
1908 #ifndef OPENSSL_NO_DSA
1909         else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
1910                 {
1911                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
1912                 goto f_err;
1913                 }
1914 #endif
1915 #endif
1916
1917         if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
1918                 {
1919 #ifndef OPENSSL_NO_RSA
1920                 if (algs & SSL_kRSA)
1921                         {
1922                         if (rsa == NULL
1923                             || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
1924                                 {
1925                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
1926                                 goto f_err;
1927                                 }
1928                         }
1929                 else
1930 #endif
1931 #ifndef OPENSSL_NO_DH
1932                         if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1933                             {
1934                             if (dh == NULL
1935                                 || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
1936                                 {
1937                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
1938                                 goto f_err;
1939                                 }
1940                         }
1941                 else
1942 #endif
1943                         {
1944                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1945                         goto f_err;
1946                         }
1947                 }
1948         return(1);
1949 f_err:
1950         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1951 err:
1952         return(0);
1953         }
1954