projects / openssl.git / blob
? search:


7a4f2566420708527c617b7f659f788bd6b93249
[openssl.git] / ssl / s3_clnt.c
1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  *
114  * Portions of the attached software ("Contribution") are developed by 
115  * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116  *
117  * The Contribution is licensed pursuant to the OpenSSL open source
118  * license provided above.
119  *
120  * ECC cipher suite support in OpenSSL originally written by
121  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122  *
123  */
124
125 #include <stdio.h>
126 #include "ssl_locl.h"
127 #include "kssl_lcl.h"
128 #include <openssl/buffer.h>
129 #include <openssl/rand.h>
130 #include <openssl/objects.h>
131 #include <openssl/evp.h>
132 #include <openssl/md5.h>
133 #ifndef OPENSSL_NO_DH
134 #include <openssl/dh.h>
135 #endif
136 #include <openssl/bn.h>
137
138 static const SSL_METHOD *ssl3_get_client_method(int ver);
139 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
140
141 #ifndef OPENSSL_NO_ECDH
142 static int curve_id2nid(int curve_id);
143 int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
144 #endif
145
146 static const SSL_METHOD *ssl3_get_client_method(int ver)
147         {
148         if (ver == SSL3_VERSION)
149                 return(SSLv3_client_method());
150         else
151                 return(NULL);
152         }
153
154 IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
155                         ssl_undefined_function,
156                         ssl3_connect,
157                         ssl3_get_client_method)
158
159 int ssl3_connect(SSL *s)
160         {
161         BUF_MEM *buf=NULL;
162         unsigned long Time=(unsigned long)time(NULL),l;
163         long num1;
164         void (*cb)(const SSL *ssl,int type,int val)=NULL;
165         int ret= -1;
166         int new_state,state,skip=0;;
167
168         RAND_add(&Time,sizeof(Time),0);
169         ERR_clear_error();
170         clear_sys_error();
171
172         if (s->info_callback != NULL)
173                 cb=s->info_callback;
174         else if (s->ctx->info_callback != NULL)
175                 cb=s->ctx->info_callback;
176         
177         s->in_handshake++;
178         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
179
180         for (;;)
181                 {
182                 state=s->state;
183
184                 switch(s->state)
185                         {
186                 case SSL_ST_RENEGOTIATE:
187                         s->new_session=1;
188                         s->state=SSL_ST_CONNECT;
189                         s->ctx->stats.sess_connect_renegotiate++;
190                         /* break */
191                 case SSL_ST_BEFORE:
192                 case SSL_ST_CONNECT:
193                 case SSL_ST_BEFORE|SSL_ST_CONNECT:
194                 case SSL_ST_OK|SSL_ST_CONNECT:
195
196                         s->server=0;
197                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
198
199                         if ((s->version & 0xff00 ) != 0x0300)
200                                 {
201                                 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
202                                 ret = -1;
203                                 goto end;
204                                 }
205                                 
206                         /* s->version=SSL3_VERSION; */
207                         s->type=SSL_ST_CONNECT;
208
209                         if (s->init_buf == NULL)
210                                 {
211                                 if ((buf=BUF_MEM_new()) == NULL)
212                                         {
213                                         ret= -1;
214                                         goto end;
215                                         }
216                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
217                                         {
218                                         ret= -1;
219                                         goto end;
220                                         }
221                                 s->init_buf=buf;
222                                 buf=NULL;
223                                 }
224
225                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
226
227                         /* setup buffing BIO */
228                         if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
229
230                         /* don't push the buffering BIO quite yet */
231
232                         ssl3_init_finished_mac(s);
233
234                         s->state=SSL3_ST_CW_CLNT_HELLO_A;
235                         s->ctx->stats.sess_connect++;
236                         s->init_num=0;
237                         break;
238
239                 case SSL3_ST_CW_CLNT_HELLO_A:
240                 case SSL3_ST_CW_CLNT_HELLO_B:
241
242                         s->shutdown=0;
243                         ret=ssl3_client_hello(s);
244                         if (ret <= 0) goto end;
245                         s->state=SSL3_ST_CR_SRVR_HELLO_A;
246                         s->init_num=0;
247
248                         /* turn on buffering for the next lot of output */
249                         if (s->bbio != s->wbio)
250                                 s->wbio=BIO_push(s->bbio,s->wbio);
251
252                         break;
253
254                 case SSL3_ST_CR_SRVR_HELLO_A:
255                 case SSL3_ST_CR_SRVR_HELLO_B:
256                         ret=ssl3_get_server_hello(s);
257                         if (ret <= 0) goto end;
258 #ifndef OPENSSL_NO_TLSEXT
259                         {
260                                 int extension_error = 0,al;
261                                 if ((al = ssl_check_Hello_TLS_extensions(s,&extension_error)) != SSL_ERROR_NONE){
262                                         ret = -1;
263                                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
264                                         goto end;
265                                 }
266                         }
267 #endif
268                         if (s->hit)
269                                 s->state=SSL3_ST_CR_FINISHED_A;
270                         else
271                                 s->state=SSL3_ST_CR_CERT_A;
272                         s->init_num=0;
273                         break;
274
275                 case SSL3_ST_CR_CERT_A:
276                 case SSL3_ST_CR_CERT_B:
277                         /* Check if it is anon DH/ECDH */
278                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
279                                 {
280                                 ret=ssl3_get_server_certificate(s);
281                                 if (ret <= 0) goto end;
282                                 }
283                         else
284                                 skip=1;
285                         s->state=SSL3_ST_CR_KEY_EXCH_A;
286                         s->init_num=0;
287                         break;
288
289                 case SSL3_ST_CR_KEY_EXCH_A:
290                 case SSL3_ST_CR_KEY_EXCH_B:
291                         ret=ssl3_get_key_exchange(s);
292                         if (ret <= 0) goto end;
293                         s->state=SSL3_ST_CR_CERT_REQ_A;
294                         s->init_num=0;
295
296                         /* at this point we check that we have the
297                          * required stuff from the server */
298                         if (!ssl3_check_cert_and_algorithm(s))
299                                 {
300                                 ret= -1;
301                                 goto end;
302                                 }
303                         break;
304
305                 case SSL3_ST_CR_CERT_REQ_A:
306                 case SSL3_ST_CR_CERT_REQ_B:
307                         ret=ssl3_get_certificate_request(s);
308                         if (ret <= 0) goto end;
309                         s->state=SSL3_ST_CR_SRVR_DONE_A;
310                         s->init_num=0;
311                         break;
312
313                 case SSL3_ST_CR_SRVR_DONE_A:
314                 case SSL3_ST_CR_SRVR_DONE_B:
315                         ret=ssl3_get_server_done(s);
316                         if (ret <= 0) goto end;
317                         if (s->s3->tmp.cert_req)
318                                 s->state=SSL3_ST_CW_CERT_A;
319                         else
320                                 s->state=SSL3_ST_CW_KEY_EXCH_A;
321                         s->init_num=0;
322
323                         break;
324
325                 case SSL3_ST_CW_CERT_A:
326                 case SSL3_ST_CW_CERT_B:
327                 case SSL3_ST_CW_CERT_C:
328                 case SSL3_ST_CW_CERT_D:
329                         ret=ssl3_send_client_certificate(s);
330                         if (ret <= 0) goto end;
331                         s->state=SSL3_ST_CW_KEY_EXCH_A;
332                         s->init_num=0;
333                         break;
334
335                 case SSL3_ST_CW_KEY_EXCH_A:
336                 case SSL3_ST_CW_KEY_EXCH_B:
337                         ret=ssl3_send_client_key_exchange(s);
338                         if (ret <= 0) goto end;
339                         l=s->s3->tmp.new_cipher->algorithms;
340                         /* EAY EAY EAY need to check for DH fix cert
341                          * sent back */
342                         /* For TLS, cert_req is set to 2, so a cert chain
343                          * of nothing is sent, but no verify packet is sent */
344                         /* XXX: For now, we do not support client 
345                          * authentication in ECDH cipher suites with
346                          * ECDH (rather than ECDSA) certificates.
347                          * We need to skip the certificate verify 
348                          * message when client's ECDH public key is sent 
349                          * inside the client certificate.
350                          */
351                         if (s->s3->tmp.cert_req == 1)
352                                 {
353                                 s->state=SSL3_ST_CW_CERT_VRFY_A;
354                                 }
355                         else
356                                 {
357                                 s->state=SSL3_ST_CW_CHANGE_A;
358                                 s->s3->change_cipher_spec=0;
359                                 }
360
361                         s->init_num=0;
362                         break;
363
364                 case SSL3_ST_CW_CERT_VRFY_A:
365                 case SSL3_ST_CW_CERT_VRFY_B:
366                         ret=ssl3_send_client_verify(s);
367                         if (ret <= 0) goto end;
368                         s->state=SSL3_ST_CW_CHANGE_A;
369                         s->init_num=0;
370                         s->s3->change_cipher_spec=0;
371                         break;
372
373                 case SSL3_ST_CW_CHANGE_A:
374                 case SSL3_ST_CW_CHANGE_B:
375                         ret=ssl3_send_change_cipher_spec(s,
376                                 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
377                         if (ret <= 0) goto end;
378                         s->state=SSL3_ST_CW_FINISHED_A;
379                         s->init_num=0;
380
381                         s->session->cipher=s->s3->tmp.new_cipher;
382 #ifdef OPENSSL_NO_COMP
383                         s->session->compress_meth=0;
384 #else
385                         if (s->s3->tmp.new_compression == NULL)
386                                 s->session->compress_meth=0;
387                         else
388                                 s->session->compress_meth=
389                                         s->s3->tmp.new_compression->id;
390 #endif
391                         if (!s->method->ssl3_enc->setup_key_block(s))
392                                 {
393                                 ret= -1;
394                                 goto end;
395                                 }
396
397                         if (!s->method->ssl3_enc->change_cipher_state(s,
398                                 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
399                                 {
400                                 ret= -1;
401                                 goto end;
402                                 }
403
404                         break;
405
406                 case SSL3_ST_CW_FINISHED_A:
407                 case SSL3_ST_CW_FINISHED_B:
408                         ret=ssl3_send_finished(s,
409                                 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
410                                 s->method->ssl3_enc->client_finished_label,
411                                 s->method->ssl3_enc->client_finished_label_len);
412                         if (ret <= 0) goto end;
413                         s->state=SSL3_ST_CW_FLUSH;
414
415                         /* clear flags */
416                         s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
417                         if (s->hit)
418                                 {
419                                 s->s3->tmp.next_state=SSL_ST_OK;
420                                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
421                                         {
422                                         s->state=SSL_ST_OK;
423                                         s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
424                                         s->s3->delay_buf_pop_ret=0;
425                                         }
426                                 }
427                         else
428                                 {
429                                 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
430                                 }
431                         s->init_num=0;
432                         break;
433
434                 case SSL3_ST_CR_FINISHED_A:
435                 case SSL3_ST_CR_FINISHED_B:
436
437                         ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
438                                 SSL3_ST_CR_FINISHED_B);
439                         if (ret <= 0) goto end;
440
441                         if (s->hit)
442                                 s->state=SSL3_ST_CW_CHANGE_A;
443                         else
444                                 s->state=SSL_ST_OK;
445                         s->init_num=0;
446                         break;
447
448                 case SSL3_ST_CW_FLUSH:
449                         /* number of bytes to be flushed */
450                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
451                         if (num1 > 0)
452                                 {
453                                 s->rwstate=SSL_WRITING;
454                                 num1=BIO_flush(s->wbio);
455                                 if (num1 <= 0) { ret= -1; goto end; }
456                                 s->rwstate=SSL_NOTHING;
457                                 }
458
459                         s->state=s->s3->tmp.next_state;
460                         break;
461
462                 case SSL_ST_OK:
463                         /* clean a few things up */
464                         ssl3_cleanup_key_block(s);
465
466                         if (s->init_buf != NULL)
467                                 {
468                                 BUF_MEM_free(s->init_buf);
469                                 s->init_buf=NULL;
470                                 }
471
472                         /* If we are not 'joining' the last two packets,
473                          * remove the buffering now */
474                         if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
475                                 ssl_free_wbio_buffer(s);
476                         /* else do it later in ssl3_write */
477
478                         s->init_num=0;
479                         s->new_session=0;
480
481                         ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
482                         if (s->hit) s->ctx->stats.sess_hit++;
483
484                         ret=1;
485                         /* s->server=0; */
486                         s->handshake_func=ssl3_connect;
487                         s->ctx->stats.sess_connect_good++;
488
489                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
490
491                         goto end;
492                         /* break; */
493                         
494                 default:
495                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
496                         ret= -1;
497                         goto end;
498                         /* break; */
499                         }
500
501                 /* did we do anything */
502                 if (!s->s3->tmp.reuse_message && !skip)
503                         {
504                         if (s->debug)
505                                 {
506                                 if ((ret=BIO_flush(s->wbio)) <= 0)
507                                         goto end;
508                                 }
509
510                         if ((cb != NULL) && (s->state != state))
511                                 {
512                                 new_state=s->state;
513                                 s->state=state;
514                                 cb(s,SSL_CB_CONNECT_LOOP,1);
515                                 s->state=new_state;
516                                 }
517                         }
518                 skip=0;
519                 }
520 end:
521         s->in_handshake--;
522         if (buf != NULL)
523                 BUF_MEM_free(buf);
524         if (cb != NULL)
525                 cb(s,SSL_CB_CONNECT_EXIT,ret);
526         return(ret);
527         }
528
529
530 int ssl3_client_hello(SSL *s)
531         {
532         unsigned char *buf;
533         unsigned char *p,*d;
534         int i;
535         unsigned long Time,l;
536 #ifndef OPENSSL_NO_COMP
537         int j;
538         SSL_COMP *comp;
539 #endif
540
541         buf=(unsigned char *)s->init_buf->data;
542         if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
543                 {
544                 if ((s->session == NULL) ||
545                         (s->session->ssl_version != s->version) ||
546                         (s->session->not_resumable))
547                         {
548                         if (!ssl_get_new_session(s,0))
549                                 goto err;
550                         }
551                 /* else use the pre-loaded session */
552
553                 p=s->s3->client_random;
554                 Time=(unsigned long)time(NULL);                 /* Time */
555                 l2n(Time,p);
556                 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
557                         goto err;
558
559                 /* Do the message type and length last */
560                 d=p= &(buf[4]);
561
562                 *(p++)=s->version>>8;
563                 *(p++)=s->version&0xff;
564                 s->client_version=s->version;
565
566                 /* Random stuff */
567                 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
568                 p+=SSL3_RANDOM_SIZE;
569
570                 /* Session ID */
571                 if (s->new_session)
572                         i=0;
573                 else
574                         i=s->session->session_id_length;
575                 *(p++)=i;
576                 if (i != 0)
577                         {
578                         if (i > (int)sizeof(s->session->session_id))
579                                 {
580                                 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
581                                 goto err;
582                                 }
583                         memcpy(p,s->session->session_id,i);
584                         p+=i;
585                         }
586                 
587                 /* Ciphers supported */
588                 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
589                 if (i == 0)
590                         {
591                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
592                         goto err;
593                         }
594                 s2n(i,p);
595                 p+=i;
596
597                 /* COMPRESSION */
598 #ifdef OPENSSL_NO_COMP
599                 *(p++)=1;
600 #else
601
602                 if ((s->options & SSL_OP_NO_COMPRESSION)
603                                         || !s->ctx->comp_methods)
604                         j=0;
605                 else
606                         j=sk_SSL_COMP_num(s->ctx->comp_methods);
607                 *(p++)=1+j;
608                 for (i=0; i<j; i++)
609                         {
610                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
611                         *(p++)=comp->id;
612                         }
613 #endif
614                 *(p++)=0; /* Add the NULL method */
615 #ifndef OPENSSL_NO_TLSEXT
616                 if ((p = ssl_add_ClientHello_TLS_extensions(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
617                 {
618                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
619                         goto err;
620                 }
621 #endif
622                 
623                 l=(p-d);
624                 d=buf;
625                 *(d++)=SSL3_MT_CLIENT_HELLO;
626                 l2n3(l,d);
627
628                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
629                 /* number of bytes to write */
630                 s->init_num=p-buf;
631                 s->init_off=0;
632                 }
633
634         /* SSL3_ST_CW_CLNT_HELLO_B */
635         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
636 err:
637         return(-1);
638         }
639
640 int ssl3_get_server_hello(SSL *s)
641         {
642         STACK_OF(SSL_CIPHER) *sk;
643         SSL_CIPHER *c;
644         unsigned char *p,*d;
645         int i,al,ok;
646         unsigned int j;
647         long n;
648 #ifndef OPENSSL_NO_COMP
649         SSL_COMP *comp;
650 #endif
651
652         n=s->method->ssl_get_message(s,
653                 SSL3_ST_CR_SRVR_HELLO_A,
654                 SSL3_ST_CR_SRVR_HELLO_B,
655                 -1,
656                 300, /* ?? */
657                 &ok);
658
659         if (!ok) return((int)n);
660
661         if ( SSL_version(s) == DTLS1_VERSION)
662                 {
663                 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
664                         {
665                         if ( s->d1->send_cookie == 0)
666                                 {
667                                 s->s3->tmp.reuse_message = 1;
668                                 return 1;
669                                 }
670                         else /* already sent a cookie */
671                                 {
672                                 al=SSL_AD_UNEXPECTED_MESSAGE;
673                                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
674                                 goto f_err;
675                                 }
676                         }
677                 }
678         
679         if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
680                 {
681                 al=SSL_AD_UNEXPECTED_MESSAGE;
682                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
683                 goto f_err;
684                 }
685
686         d=p=(unsigned char *)s->init_msg;
687
688         if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
689                 {
690                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
691                 s->version=(s->version&0xff00)|p[1];
692                 al=SSL_AD_PROTOCOL_VERSION;
693                 goto f_err;
694                 }
695         p+=2;
696
697         /* load the server hello data */
698         /* load the server random */
699         memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
700         p+=SSL3_RANDOM_SIZE;
701
702         /* get the session-id */
703         j= *(p++);
704
705         if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
706                 {
707                 al=SSL_AD_ILLEGAL_PARAMETER;
708                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
709                 goto f_err;
710                 }
711
712         if (j != 0 && j == s->session->session_id_length
713             && memcmp(p,s->session->session_id,j) == 0)
714             {
715             if(s->sid_ctx_length != s->session->sid_ctx_length
716                || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
717                 {
718                 /* actually a client application bug */
719                 al=SSL_AD_ILLEGAL_PARAMETER;
720                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
721                 goto f_err;
722                 }
723             s->hit=1;
724             }
725         else    /* a miss or crap from the other end */
726                 {
727                 /* If we were trying for session-id reuse, make a new
728                  * SSL_SESSION so we don't stuff up other people */
729                 s->hit=0;
730                 if (s->session->session_id_length > 0)
731                         {
732                         if (!ssl_get_new_session(s,0))
733                                 {
734                                 al=SSL_AD_INTERNAL_ERROR;
735                                 goto f_err;
736                                 }
737                         }
738                 s->session->session_id_length=j;
739                 memcpy(s->session->session_id,p,j); /* j could be 0 */
740                 }
741         p+=j;
742         c=ssl_get_cipher_by_char(s,p);
743         if (c == NULL)
744                 {
745                 /* unknown cipher */
746                 al=SSL_AD_ILLEGAL_PARAMETER;
747                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
748                 goto f_err;
749                 }
750         p+=ssl_put_cipher_by_char(s,NULL,NULL);
751
752         sk=ssl_get_ciphers_by_id(s);
753         i=sk_SSL_CIPHER_find(sk,c);
754         if (i < 0)
755                 {
756                 /* we did not say we would use this cipher */
757                 al=SSL_AD_ILLEGAL_PARAMETER;
758                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
759                 goto f_err;
760                 }
761
762         /* Depending on the session caching (internal/external), the cipher
763            and/or cipher_id values may not be set. Make sure that
764            cipher_id is set and use it for comparison. */
765         if (s->session->cipher)
766                 s->session->cipher_id = s->session->cipher->id;
767         if (s->hit && (s->session->cipher_id != c->id))
768                 {
769                 if (!(s->options &
770                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
771                         {
772                         al=SSL_AD_ILLEGAL_PARAMETER;
773                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
774                         goto f_err;
775                         }
776                 }
777         s->s3->tmp.new_cipher=c;
778
779         /* lets get the compression algorithm */
780         /* COMPRESSION */
781 #ifdef OPENSSL_NO_COMP
782         if (*(p++) != 0)
783                 {
784                 al=SSL_AD_ILLEGAL_PARAMETER;
785                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
786                 goto f_err;
787                 }
788 #else
789         j= *(p++);
790         if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
791                 comp=NULL;
792         else
793                 comp=ssl3_comp_find(s->ctx->comp_methods,j);
794         
795         if ((j != 0) && (comp == NULL))
796                 {
797                 al=SSL_AD_ILLEGAL_PARAMETER;
798                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
799                 goto f_err;
800                 }
801         else
802                 {
803                 s->s3->tmp.new_compression=comp;
804                 }
805 #endif
806 #ifndef OPENSSL_NO_TLSEXT
807         /* TLS extensions*/
808         if (s->version > SSL3_VERSION)
809         {
810                 if ((al = ssl_parse_ServerHello_TLS_extensions(s,&p,d,n)) != SSL_ERROR_NONE){
811                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
812                         goto f_err; 
813                 }
814         }
815 #endif
816
817         if (p != (d+n))
818                 {
819                 /* wrong packet length */
820                 al=SSL_AD_DECODE_ERROR;
821                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
822                 goto err;
823                 }
824
825         return(1);
826 f_err:
827         ssl3_send_alert(s,SSL3_AL_FATAL,al);
828 err:
829         return(-1);
830         }
831
832 int ssl3_get_server_certificate(SSL *s)
833         {
834         int al,i,ok,ret= -1;
835         unsigned long n,nc,llen,l;
836         X509 *x=NULL;
837         const unsigned char *q,*p;
838         unsigned char *d;
839         STACK_OF(X509) *sk=NULL;
840         SESS_CERT *sc;
841         EVP_PKEY *pkey=NULL;
842         int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
843
844         n=s->method->ssl_get_message(s,
845                 SSL3_ST_CR_CERT_A,
846                 SSL3_ST_CR_CERT_B,
847                 -1,
848                 s->max_cert_list,
849                 &ok);
850
851         if (!ok) return((int)n);
852
853         if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
854                 {
855                 s->s3->tmp.reuse_message=1;
856                 return(1);
857                 }
858
859         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
860                 {
861                 al=SSL_AD_UNEXPECTED_MESSAGE;
862                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
863                 goto f_err;
864                 }
865         p=d=(unsigned char *)s->init_msg;
866
867         if ((sk=sk_X509_new_null()) == NULL)
868                 {
869                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
870                 goto err;
871                 }
872
873         n2l3(p,llen);
874         if (llen+3 != n)
875                 {
876                 al=SSL_AD_DECODE_ERROR;
877                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
878                 goto f_err;
879                 }
880         for (nc=0; nc<llen; )
881                 {
882                 n2l3(p,l);
883                 if ((l+nc+3) > llen)
884                         {
885                         al=SSL_AD_DECODE_ERROR;
886                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
887                         goto f_err;
888                         }
889
890                 q=p;
891                 x=d2i_X509(NULL,&q,l);
892                 if (x == NULL)
893                         {
894                         al=SSL_AD_BAD_CERTIFICATE;
895                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
896                         goto f_err;
897                         }
898                 if (q != (p+l))
899                         {
900                         al=SSL_AD_DECODE_ERROR;
901                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
902                         goto f_err;
903                         }
904                 if (!sk_X509_push(sk,x))
905                         {
906                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
907                         goto err;
908                         }
909                 x=NULL;
910                 nc+=l+3;
911                 p=q;
912                 }
913
914         i=ssl_verify_cert_chain(s,sk);
915         if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
916 #ifndef OPENSSL_NO_KRB5
917                 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
918                 != (SSL_aKRB5|SSL_kKRB5)
919 #endif /* OPENSSL_NO_KRB5 */
920                 )
921                 {
922                 al=ssl_verify_alarm_type(s->verify_result);
923                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
924                 goto f_err; 
925                 }
926         ERR_clear_error(); /* but we keep s->verify_result */
927
928         sc=ssl_sess_cert_new();
929         if (sc == NULL) goto err;
930
931         if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
932         s->session->sess_cert=sc;
933
934         sc->cert_chain=sk;
935         /* Inconsistency alert: cert_chain does include the peer's
936          * certificate, which we don't include in s3_srvr.c */
937         x=sk_X509_value(sk,0);
938         sk=NULL;
939         /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
940
941         pkey=X509_get_pubkey(x);
942
943         /* VRS: allow null cert if auth == KRB5 */
944         need_cert =     ((s->s3->tmp.new_cipher->algorithms
945                          & (SSL_MKEY_MASK|SSL_AUTH_MASK))
946                          == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
947
948 #ifdef KSSL_DEBUG
949         printf("pkey,x = %p, %p\n", pkey,x);
950         printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
951         printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
952                 s->s3->tmp.new_cipher->algorithms, need_cert);
953 #endif    /* KSSL_DEBUG */
954
955         if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
956                 {
957                 x=NULL;
958                 al=SSL3_AL_FATAL;
959                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
960                         SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
961                 goto f_err;
962                 }
963
964         i=ssl_cert_type(x,pkey);
965         if (need_cert && i < 0)
966                 {
967                 x=NULL;
968                 al=SSL3_AL_FATAL;
969                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
970                         SSL_R_UNKNOWN_CERTIFICATE_TYPE);
971                 goto f_err;
972                 }
973
974         if (need_cert)
975                 {
976                 sc->peer_cert_type=i;
977                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
978                 /* Why would the following ever happen?
979                  * We just created sc a couple of lines ago. */
980                 if (sc->peer_pkeys[i].x509 != NULL)
981                         X509_free(sc->peer_pkeys[i].x509);
982                 sc->peer_pkeys[i].x509=x;
983                 sc->peer_key= &(sc->peer_pkeys[i]);
984
985                 if (s->session->peer != NULL)
986                         X509_free(s->session->peer);
987                 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
988                 s->session->peer=x;
989                 }
990         else
991                 {
992                 sc->peer_cert_type=i;
993                 sc->peer_key= NULL;
994
995                 if (s->session->peer != NULL)
996                         X509_free(s->session->peer);
997                 s->session->peer=NULL;
998                 }
999         s->session->verify_result = s->verify_result;
1000
1001         x=NULL;
1002         ret=1;
1003
1004         if (0)
1005                 {
1006 f_err:
1007                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1008                 }
1009 err:
1010         EVP_PKEY_free(pkey);
1011         X509_free(x);
1012         sk_X509_pop_free(sk,X509_free);
1013         return(ret);
1014         }
1015
1016 int ssl3_get_key_exchange(SSL *s)
1017         {
1018 #ifndef OPENSSL_NO_RSA
1019         unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1020 #endif
1021         EVP_MD_CTX md_ctx;
1022         unsigned char *param,*p;
1023         int al,i,j,param_len,ok;
1024         long n,alg;
1025         EVP_PKEY *pkey=NULL;
1026 #ifndef OPENSSL_NO_RSA
1027         RSA *rsa=NULL;
1028 #endif
1029 #ifndef OPENSSL_NO_DH
1030         DH *dh=NULL;
1031 #endif
1032 #ifndef OPENSSL_NO_ECDH
1033         EC_KEY *ecdh = NULL;
1034         BN_CTX *bn_ctx = NULL;
1035         EC_POINT *srvr_ecpoint = NULL;
1036         int curve_nid = 0;
1037         int encoded_pt_len = 0;
1038 #endif
1039
1040         /* use same message size as in ssl3_get_certificate_request()
1041          * as ServerKeyExchange message may be skipped */
1042         n=s->method->ssl_get_message(s,
1043                 SSL3_ST_CR_KEY_EXCH_A,
1044                 SSL3_ST_CR_KEY_EXCH_B,
1045                 -1,
1046                 s->max_cert_list,
1047                 &ok);
1048
1049         if (!ok) return((int)n);
1050
1051         if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1052                 {
1053                 s->s3->tmp.reuse_message=1;
1054                 return(1);
1055                 }
1056
1057         param=p=(unsigned char *)s->init_msg;
1058
1059         if (s->session->sess_cert != NULL)
1060                 {
1061 #ifndef OPENSSL_NO_RSA
1062                 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1063                         {
1064                         RSA_free(s->session->sess_cert->peer_rsa_tmp);
1065                         s->session->sess_cert->peer_rsa_tmp=NULL;
1066                         }
1067 #endif
1068 #ifndef OPENSSL_NO_DH
1069                 if (s->session->sess_cert->peer_dh_tmp)
1070                         {
1071                         DH_free(s->session->sess_cert->peer_dh_tmp);
1072                         s->session->sess_cert->peer_dh_tmp=NULL;
1073                         }
1074 #endif
1075 #ifndef OPENSSL_NO_ECDH
1076                 if (s->session->sess_cert->peer_ecdh_tmp)
1077                         {
1078                         EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1079                         s->session->sess_cert->peer_ecdh_tmp=NULL;
1080                         }
1081 #endif
1082                 }
1083         else
1084                 {
1085                 s->session->sess_cert=ssl_sess_cert_new();
1086                 }
1087
1088         param_len=0;
1089         alg=s->s3->tmp.new_cipher->algorithms;
1090         EVP_MD_CTX_init(&md_ctx);
1091
1092 #ifndef OPENSSL_NO_RSA
1093         if (alg & SSL_kRSA)
1094                 {
1095                 if ((rsa=RSA_new()) == NULL)
1096                         {
1097                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1098                         goto err;
1099                         }
1100                 n2s(p,i);
1101                 param_len=i+2;
1102                 if (param_len > n)
1103                         {
1104                         al=SSL_AD_DECODE_ERROR;
1105                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1106                         goto f_err;
1107                         }
1108                 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1109                         {
1110                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1111                         goto err;
1112                         }
1113                 p+=i;
1114
1115                 n2s(p,i);
1116                 param_len+=i+2;
1117                 if (param_len > n)
1118                         {
1119                         al=SSL_AD_DECODE_ERROR;
1120                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1121                         goto f_err;
1122                         }
1123                 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1124                         {
1125                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1126                         goto err;
1127                         }
1128                 p+=i;
1129                 n-=param_len;
1130
1131                 /* this should be because we are using an export cipher */
1132                 if (alg & SSL_aRSA)
1133                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1134                 else
1135                         {
1136                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1137                         goto err;
1138                         }
1139                 s->session->sess_cert->peer_rsa_tmp=rsa;
1140                 rsa=NULL;
1141                 }
1142 #else /* OPENSSL_NO_RSA */
1143         if (0)
1144                 ;
1145 #endif
1146 #ifndef OPENSSL_NO_DH
1147         else if (alg & SSL_kEDH)
1148                 {
1149                 if ((dh=DH_new()) == NULL)
1150                         {
1151                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1152                         goto err;
1153                         }
1154                 n2s(p,i);
1155                 param_len=i+2;
1156                 if (param_len > n)
1157                         {
1158                         al=SSL_AD_DECODE_ERROR;
1159                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1160                         goto f_err;
1161                         }
1162                 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1163                         {
1164                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1165                         goto err;
1166                         }
1167                 p+=i;
1168
1169                 n2s(p,i);
1170                 param_len+=i+2;
1171                 if (param_len > n)
1172                         {
1173                         al=SSL_AD_DECODE_ERROR;
1174                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1175                         goto f_err;
1176                         }
1177                 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1178                         {
1179                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1180                         goto err;
1181                         }
1182                 p+=i;
1183
1184                 n2s(p,i);
1185                 param_len+=i+2;
1186                 if (param_len > n)
1187                         {
1188                         al=SSL_AD_DECODE_ERROR;
1189                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1190                         goto f_err;
1191                         }
1192                 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1193                         {
1194                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1195                         goto err;
1196                         }
1197                 p+=i;
1198                 n-=param_len;
1199
1200 #ifndef OPENSSL_NO_RSA
1201                 if (alg & SSL_aRSA)
1202                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1203 #else
1204                 if (0)
1205                         ;
1206 #endif
1207 #ifndef OPENSSL_NO_DSA
1208                 else if (alg & SSL_aDSS)
1209                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1210 #endif
1211                 /* else anonymous DH, so no certificate or pkey. */
1212
1213                 s->session->sess_cert->peer_dh_tmp=dh;
1214                 dh=NULL;
1215                 }
1216         else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1217                 {
1218                 al=SSL_AD_ILLEGAL_PARAMETER;
1219                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1220                 goto f_err;
1221                 }
1222 #endif /* !OPENSSL_NO_DH */
1223
1224 #ifndef OPENSSL_NO_ECDH
1225         else if (alg & SSL_kECDHE)
1226                 {
1227                 EC_GROUP *ngroup;
1228                 const EC_GROUP *group;
1229
1230                 if ((ecdh=EC_KEY_new()) == NULL)
1231                         {
1232                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1233                         goto err;
1234                         }
1235
1236                 /* Extract elliptic curve parameters and the
1237                  * server's ephemeral ECDH public key.
1238                  * Keep accumulating lengths of various components in
1239                  * param_len and make sure it never exceeds n.
1240                  */
1241
1242                 /* XXX: For now we only support named (not generic) curves
1243                  * and the ECParameters in this case is just three bytes.
1244                  */
1245                 param_len=3;
1246                 if ((param_len > n) ||
1247                     (*p != NAMED_CURVE_TYPE) || 
1248                     ((curve_nid = curve_id2nid(*(p + 2))) == 0)) 
1249                         {
1250                         al=SSL_AD_INTERNAL_ERROR;
1251                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1252                         goto f_err;
1253                         }
1254
1255                 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1256                 if (ngroup == NULL)
1257                         {
1258                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1259                         goto err;
1260                         }
1261                 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1262                         {
1263                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1264                         goto err;
1265                         }
1266                 EC_GROUP_free(ngroup);
1267
1268                 group = EC_KEY_get0_group(ecdh);
1269
1270                 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1271                     (EC_GROUP_get_degree(group) > 163))
1272                         {
1273                         al=SSL_AD_EXPORT_RESTRICTION;
1274                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1275                         goto f_err;
1276                         }
1277
1278                 p+=3;
1279
1280                 /* Next, get the encoded ECPoint */
1281                 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1282                     ((bn_ctx = BN_CTX_new()) == NULL))
1283                         {
1284                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1285                         goto err;
1286                         }
1287
1288                 encoded_pt_len = *p;  /* length of encoded point */
1289                 p+=1;
1290                 param_len += (1 + encoded_pt_len);
1291                 if ((param_len > n) ||
1292                     (EC_POINT_oct2point(group, srvr_ecpoint, 
1293                         p, encoded_pt_len, bn_ctx) == 0))
1294                         {
1295                         al=SSL_AD_DECODE_ERROR;
1296                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1297                         goto f_err;
1298                         }
1299
1300                 n-=param_len;
1301                 p+=encoded_pt_len;
1302
1303                 /* The ECC/TLS specification does not mention
1304                  * the use of DSA to sign ECParameters in the server
1305                  * key exchange message. We do support RSA and ECDSA.
1306                  */
1307                 if (0) ;
1308 #ifndef OPENSSL_NO_RSA
1309                 else if (alg & SSL_aRSA)
1310                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1311 #endif
1312 #ifndef OPENSSL_NO_ECDSA
1313                 else if (alg & SSL_aECDSA)
1314                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1315 #endif
1316                 /* else anonymous ECDH, so no certificate or pkey. */
1317                 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1318                 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1319                 ecdh=NULL;
1320                 BN_CTX_free(bn_ctx);
1321                 EC_POINT_free(srvr_ecpoint);
1322                 srvr_ecpoint = NULL;
1323                 }
1324         else if (alg & SSL_kECDH)
1325                 {
1326                 al=SSL_AD_UNEXPECTED_MESSAGE;
1327                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1328                 goto f_err;
1329                 }
1330 #endif /* !OPENSSL_NO_ECDH */
1331         if (alg & SSL_aFZA)
1332                 {
1333                 al=SSL_AD_HANDSHAKE_FAILURE;
1334                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1335                 goto f_err;
1336                 }
1337
1338
1339         /* p points to the next byte, there are 'n' bytes left */
1340
1341         /* if it was signed, check the signature */
1342         if (pkey != NULL)
1343                 {
1344                 n2s(p,i);
1345                 n-=2;
1346                 j=EVP_PKEY_size(pkey);
1347
1348                 if ((i != n) || (n > j) || (n <= 0))
1349                         {
1350                         /* wrong packet length */
1351                         al=SSL_AD_DECODE_ERROR;
1352                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1353                         goto f_err;
1354                         }
1355
1356 #ifndef OPENSSL_NO_RSA
1357                 if (pkey->type == EVP_PKEY_RSA)
1358                         {
1359                         int num;
1360
1361                         j=0;
1362                         q=md_buf;
1363                         for (num=2; num > 0; num--)
1364                                 {
1365                                 EVP_DigestInit_ex(&md_ctx,(num == 2)
1366                                         ?s->ctx->md5:s->ctx->sha1, NULL);
1367                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1368                                 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1369                                 EVP_DigestUpdate(&md_ctx,param,param_len);
1370                                 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1371                                 q+=i;
1372                                 j+=i;
1373                                 }
1374                         i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1375                                                                 pkey->pkey.rsa);
1376                         if (i < 0)
1377                                 {
1378                                 al=SSL_AD_DECRYPT_ERROR;
1379                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1380                                 goto f_err;
1381                                 }
1382                         if (i == 0)
1383                                 {
1384                                 /* bad signature */
1385                                 al=SSL_AD_DECRYPT_ERROR;
1386                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1387                                 goto f_err;
1388                                 }
1389                         }
1390                 else
1391 #endif
1392 #ifndef OPENSSL_NO_DSA
1393                         if (pkey->type == EVP_PKEY_DSA)
1394                         {
1395                         /* lets do DSS */
1396                         EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1397                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1398                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1399                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1400                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1401                                 {
1402                                 /* bad signature */
1403                                 al=SSL_AD_DECRYPT_ERROR;
1404                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1405                                 goto f_err;
1406                                 }
1407                         }
1408                 else
1409 #endif
1410 #ifndef OPENSSL_NO_ECDSA
1411                         if (pkey->type == EVP_PKEY_EC)
1412                         {
1413                         /* let's do ECDSA */
1414                         EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1415                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1416                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1417                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1418                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1419                                 {
1420                                 /* bad signature */
1421                                 al=SSL_AD_DECRYPT_ERROR;
1422                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1423                                 goto f_err;
1424                                 }
1425                         }
1426                 else
1427 #endif
1428                         {
1429                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1430                         goto err;
1431                         }
1432                 }
1433         else
1434                 {
1435                 /* still data left over */
1436                 if (!(alg & SSL_aNULL))
1437                         {
1438                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1439                         goto err;
1440                         }
1441                 if (n != 0)
1442                         {
1443                         al=SSL_AD_DECODE_ERROR;
1444                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1445                         goto f_err;
1446                         }
1447                 }
1448         EVP_PKEY_free(pkey);
1449         EVP_MD_CTX_cleanup(&md_ctx);
1450         return(1);
1451 f_err:
1452         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1453 err:
1454         EVP_PKEY_free(pkey);
1455 #ifndef OPENSSL_NO_RSA
1456         if (rsa != NULL)
1457                 RSA_free(rsa);
1458 #endif
1459 #ifndef OPENSSL_NO_DH
1460         if (dh != NULL)
1461                 DH_free(dh);
1462 #endif
1463 #ifndef OPENSSL_NO_ECDH
1464         BN_CTX_free(bn_ctx);
1465         EC_POINT_free(srvr_ecpoint);
1466         if (ecdh != NULL)
1467                 EC_KEY_free(ecdh);
1468 #endif
1469         EVP_MD_CTX_cleanup(&md_ctx);
1470         return(-1);
1471         }
1472
1473 int ssl3_get_certificate_request(SSL *s)
1474         {
1475         int ok,ret=0;
1476         unsigned long n,nc,l;
1477         unsigned int llen,ctype_num,i;
1478         X509_NAME *xn=NULL;
1479         const unsigned char *p,*q;
1480         unsigned char *d;
1481         STACK_OF(X509_NAME) *ca_sk=NULL;
1482
1483         n=s->method->ssl_get_message(s,
1484                 SSL3_ST_CR_CERT_REQ_A,
1485                 SSL3_ST_CR_CERT_REQ_B,
1486                 -1,
1487                 s->max_cert_list,
1488                 &ok);
1489
1490         if (!ok) return((int)n);
1491
1492         s->s3->tmp.cert_req=0;
1493
1494         if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1495                 {
1496                 s->s3->tmp.reuse_message=1;
1497                 return(1);
1498                 }
1499
1500         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1501                 {
1502                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1503                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1504                 goto err;
1505                 }
1506
1507         /* TLS does not like anon-DH with client cert */
1508         if (s->version > SSL3_VERSION)
1509                 {
1510                 l=s->s3->tmp.new_cipher->algorithms;
1511                 if (l & SSL_aNULL)
1512                         {
1513                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1514                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1515                         goto err;
1516                         }
1517                 }
1518
1519         p=d=(unsigned char *)s->init_msg;
1520
1521         if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1522                 {
1523                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1524                 goto err;
1525                 }
1526
1527         /* get the certificate types */
1528         ctype_num= *(p++);
1529         if (ctype_num > SSL3_CT_NUMBER)
1530                 ctype_num=SSL3_CT_NUMBER;
1531         for (i=0; i<ctype_num; i++)
1532                 s->s3->tmp.ctype[i]= p[i];
1533         p+=ctype_num;
1534
1535         /* get the CA RDNs */
1536         n2s(p,llen);
1537 #if 0
1538 {
1539 FILE *out;
1540 out=fopen("/tmp/vsign.der","w");
1541 fwrite(p,1,llen,out);
1542 fclose(out);
1543 }
1544 #endif
1545
1546         if ((llen+ctype_num+2+1) != n)
1547                 {
1548                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1549                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1550                 goto err;
1551                 }
1552
1553         for (nc=0; nc<llen; )
1554                 {
1555                 n2s(p,l);
1556                 if ((l+nc+2) > llen)
1557                         {
1558                         if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1559                                 goto cont; /* netscape bugs */
1560                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1561                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1562                         goto err;
1563                         }
1564
1565                 q=p;
1566
1567                 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1568                         {
1569                         /* If netscape tolerance is on, ignore errors */
1570                         if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1571                                 goto cont;
1572                         else
1573                                 {
1574                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1575                                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1576                                 goto err;
1577                                 }
1578                         }
1579
1580                 if (q != (p+l))
1581                         {
1582                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1583                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1584                         goto err;
1585                         }
1586                 if (!sk_X509_NAME_push(ca_sk,xn))
1587                         {
1588                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1589                         goto err;
1590                         }
1591
1592                 p+=l;
1593                 nc+=l+2;
1594                 }
1595
1596         if (0)
1597                 {
1598 cont:
1599                 ERR_clear_error();
1600                 }
1601
1602         /* we should setup a certificate to return.... */
1603         s->s3->tmp.cert_req=1;
1604         s->s3->tmp.ctype_num=ctype_num;
1605         if (s->s3->tmp.ca_names != NULL)
1606                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1607         s->s3->tmp.ca_names=ca_sk;
1608         ca_sk=NULL;
1609
1610         ret=1;
1611 err:
1612         if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1613         return(ret);
1614         }
1615
1616 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1617         {
1618         return(X509_NAME_cmp(*a,*b));
1619         }
1620
1621 int ssl3_get_server_done(SSL *s)
1622         {
1623         int ok,ret=0;
1624         long n;
1625
1626         n=s->method->ssl_get_message(s,
1627                 SSL3_ST_CR_SRVR_DONE_A,
1628                 SSL3_ST_CR_SRVR_DONE_B,
1629                 SSL3_MT_SERVER_DONE,
1630                 30, /* should be very small, like 0 :-) */
1631                 &ok);
1632
1633         if (!ok) return((int)n);
1634         if (n > 0)
1635                 {
1636                 /* should contain no data */
1637                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1638                 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1639                 return -1;
1640                 }
1641         ret=1;
1642         return(ret);
1643         }
1644
1645
1646 int ssl3_send_client_key_exchange(SSL *s)
1647         {
1648         unsigned char *p,*d;
1649         int n;
1650         unsigned long l;
1651 #ifndef OPENSSL_NO_RSA
1652         unsigned char *q;
1653         EVP_PKEY *pkey=NULL;
1654 #endif
1655 #ifndef OPENSSL_NO_KRB5
1656         KSSL_ERR kssl_err;
1657 #endif /* OPENSSL_NO_KRB5 */
1658 #ifndef OPENSSL_NO_ECDH
1659         EC_KEY *clnt_ecdh = NULL;
1660         const EC_POINT *srvr_ecpoint = NULL;
1661         EVP_PKEY *srvr_pub_pkey = NULL;
1662         unsigned char *encodedPoint = NULL;
1663         int encoded_pt_len = 0;
1664         BN_CTX * bn_ctx = NULL;
1665 #endif
1666
1667         if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1668                 {
1669                 d=(unsigned char *)s->init_buf->data;
1670                 p= &(d[4]);
1671
1672                 l=s->s3->tmp.new_cipher->algorithms;
1673
1674                 /* Fool emacs indentation */
1675                 if (0) {}
1676 #ifndef OPENSSL_NO_RSA
1677                 else if (l & SSL_kRSA)
1678                         {
1679                         RSA *rsa;
1680                         unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1681
1682                         if (s->session->sess_cert->peer_rsa_tmp != NULL)
1683                                 rsa=s->session->sess_cert->peer_rsa_tmp;
1684                         else
1685                                 {
1686                                 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1687                                 if ((pkey == NULL) ||
1688                                         (pkey->type != EVP_PKEY_RSA) ||
1689                                         (pkey->pkey.rsa == NULL))
1690                                         {
1691                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1692                                         goto err;
1693                                         }
1694                                 rsa=pkey->pkey.rsa;
1695                                 EVP_PKEY_free(pkey);
1696                                 }
1697                                 
1698                         tmp_buf[0]=s->client_version>>8;
1699                         tmp_buf[1]=s->client_version&0xff;
1700                         if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
1701                                         goto err;
1702
1703                         s->session->master_key_length=sizeof tmp_buf;
1704
1705                         q=p;
1706                         /* Fix buf for TLS and beyond */
1707                         if (s->version > SSL3_VERSION)
1708                                 p+=2;
1709                         n=RSA_public_encrypt(sizeof tmp_buf,
1710                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1711 #ifdef PKCS1_CHECK
1712                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1713                         if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1714 #endif
1715                         if (n <= 0)
1716                                 {
1717                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1718                                 goto err;
1719                                 }
1720
1721                         /* Fix buf for TLS and beyond */
1722                         if (s->version > SSL3_VERSION)
1723                                 {
1724                                 s2n(n,q);
1725                                 n+=2;
1726                                 }
1727
1728                         s->session->master_key_length=
1729                                 s->method->ssl3_enc->generate_master_secret(s,
1730                                         s->session->master_key,
1731                                         tmp_buf,sizeof tmp_buf);
1732                         OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
1733                         }
1734 #endif
1735 #ifndef OPENSSL_NO_KRB5
1736                 else if (l & SSL_kKRB5)
1737                         {
1738                         krb5_error_code krb5rc;
1739                         KSSL_CTX        *kssl_ctx = s->kssl_ctx;
1740                         /*  krb5_data   krb5_ap_req;  */
1741                         krb5_data       *enc_ticket;
1742                         krb5_data       authenticator, *authp = NULL;
1743                         EVP_CIPHER_CTX  ciph_ctx;
1744                         EVP_CIPHER      *enc = NULL;
1745                         unsigned char   iv[EVP_MAX_IV_LENGTH];
1746                         unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1747                         unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH 
1748                                                 + EVP_MAX_IV_LENGTH];
1749                         int             padl, outl = sizeof(epms);
1750
1751                         EVP_CIPHER_CTX_init(&ciph_ctx);
1752
1753 #ifdef KSSL_DEBUG
1754                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1755                                 l, SSL_kKRB5);
1756 #endif  /* KSSL_DEBUG */
1757
1758                         authp = NULL;
1759 #ifdef KRB5SENDAUTH
1760                         if (KRB5SENDAUTH)  authp = &authenticator;
1761 #endif  /* KRB5SENDAUTH */
1762
1763                         krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
1764                                 &kssl_err);
1765                         enc = kssl_map_enc(kssl_ctx->enctype);
1766                         if (enc == NULL)
1767                             goto err;
1768 #ifdef KSSL_DEBUG
1769                         {
1770                         printf("kssl_cget_tkt rtn %d\n", krb5rc);
1771                         if (krb5rc && kssl_err.text)
1772                           printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
1773                         }
1774 #endif  /* KSSL_DEBUG */
1775
1776                         if (krb5rc)
1777                                 {
1778                                 ssl3_send_alert(s,SSL3_AL_FATAL,
1779                                                 SSL_AD_HANDSHAKE_FAILURE);
1780                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1781                                                 kssl_err.reason);
1782                                 goto err;
1783                                 }
1784
1785                         /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
1786                         **  in place of RFC 2712 KerberosWrapper, as in:
1787                         **
1788                         **  Send ticket (copy to *p, set n = length)
1789                         **  n = krb5_ap_req.length;
1790                         **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1791                         **  if (krb5_ap_req.data)  
1792                         **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1793                         **
1794                         **  Now using real RFC 2712 KerberosWrapper
1795                         **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1796                         **  Note: 2712 "opaque" types are here replaced
1797                         **  with a 2-byte length followed by the value.
1798                         **  Example:
1799                         **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1800                         **  Where "xx xx" = length bytes.  Shown here with
1801                         **  optional authenticator omitted.
1802                         */
1803
1804                         /*  KerberosWrapper.Ticket              */
1805                         s2n(enc_ticket->length,p);
1806                         memcpy(p, enc_ticket->data, enc_ticket->length);
1807                         p+= enc_ticket->length;
1808                         n = enc_ticket->length + 2;
1809
1810                         /*  KerberosWrapper.Authenticator       */
1811                         if (authp  &&  authp->length)  
1812                                 {
1813                                 s2n(authp->length,p);
1814                                 memcpy(p, authp->data, authp->length);
1815                                 p+= authp->length;
1816                                 n+= authp->length + 2;
1817                                 
1818                                 free(authp->data);
1819                                 authp->data = NULL;
1820                                 authp->length = 0;
1821                                 }
1822                         else
1823                                 {
1824                                 s2n(0,p);/*  null authenticator length  */
1825                                 n+=2;
1826                                 }
1827  
1828                         if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
1829                             goto err;
1830
1831                         /*  20010420 VRS.  Tried it this way; failed.
1832                         **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
1833                         **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
1834                         **                              kssl_ctx->length);
1835                         **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
1836                         */
1837
1838                         memset(iv, 0, sizeof iv);  /* per RFC 1510 */
1839                         EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
1840                                 kssl_ctx->key,iv);
1841                         EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
1842                                 sizeof tmp_buf);
1843                         EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
1844                         outl += padl;
1845                         if (outl > sizeof epms)
1846                                 {
1847                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1848                                 goto err;
1849                                 }
1850                         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1851
1852                         /*  KerberosWrapper.EncryptedPreMasterSecret    */
1853                         s2n(outl,p);
1854                         memcpy(p, epms, outl);
1855                         p+=outl;
1856                         n+=outl + 2;
1857
1858                         s->session->master_key_length=
1859                                 s->method->ssl3_enc->generate_master_secret(s,
1860                                         s->session->master_key,
1861                                         tmp_buf, sizeof tmp_buf);
1862
1863                         OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
1864                         OPENSSL_cleanse(epms, outl);
1865                         }
1866 #endif
1867 #ifndef OPENSSL_NO_DH
1868                 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1869                         {
1870                         DH *dh_srvr,*dh_clnt;
1871
1872                         if (s->session->sess_cert->peer_dh_tmp != NULL)
1873                                 dh_srvr=s->session->sess_cert->peer_dh_tmp;
1874                         else
1875                                 {
1876                                 /* we get them from the cert */
1877                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1878                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1879                                 goto err;
1880                                 }
1881                         
1882                         /* generate a new random key */
1883                         if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
1884                                 {
1885                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1886                                 goto err;
1887                                 }
1888                         if (!DH_generate_key(dh_clnt))
1889                                 {
1890                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1891                                 goto err;
1892                                 }
1893
1894                         /* use the 'p' output buffer for the DH key, but
1895                          * make sure to clear it out afterwards */
1896
1897                         n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
1898
1899                         if (n <= 0)
1900                                 {
1901                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1902                                 goto err;
1903                                 }
1904
1905                         /* generate master key from the result */
1906                         s->session->master_key_length=
1907                                 s->method->ssl3_enc->generate_master_secret(s,
1908                                         s->session->master_key,p,n);
1909                         /* clean up */
1910                         memset(p,0,n);
1911
1912                         /* send off the data */
1913                         n=BN_num_bytes(dh_clnt->pub_key);
1914                         s2n(n,p);
1915                         BN_bn2bin(dh_clnt->pub_key,p);
1916                         n+=2;
1917
1918                         DH_free(dh_clnt);
1919
1920                         /* perhaps clean things up a bit EAY EAY EAY EAY*/
1921                         }
1922 #endif
1923
1924 #ifndef OPENSSL_NO_ECDH 
1925                 else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
1926                         {
1927                         const EC_GROUP *srvr_group = NULL;
1928                         EC_KEY *tkey;
1929                         int ecdh_clnt_cert = 0;
1930                         int field_size = 0;
1931
1932                         /* Did we send out the client's
1933                          * ECDH share for use in premaster
1934                          * computation as part of client certificate?
1935                          * If so, set ecdh_clnt_cert to 1.
1936                          */
1937                         if ((l & SSL_kECDH) && (s->cert != NULL)) 
1938                                 {
1939                                 /* XXX: For now, we do not support client
1940                                  * authentication using ECDH certificates.
1941                                  * To add such support, one needs to add
1942                                  * code that checks for appropriate 
1943                                  * conditions and sets ecdh_clnt_cert to 1.
1944                                  * For example, the cert have an ECC
1945                                  * key on the same curve as the server's
1946                                  * and the key should be authorized for
1947                                  * key agreement.
1948                                  *
1949                                  * One also needs to add code in ssl3_connect
1950                                  * to skip sending the certificate verify
1951                                  * message.
1952                                  *
1953                                  * if ((s->cert->key->privatekey != NULL) &&
1954                                  *     (s->cert->key->privatekey->type ==
1955                                  *      EVP_PKEY_EC) && ...)
1956                                  * ecdh_clnt_cert = 1;
1957                                  */
1958                                 }
1959
1960                         if (s->session->sess_cert->peer_ecdh_tmp != NULL)
1961                                 {
1962                                 tkey = s->session->sess_cert->peer_ecdh_tmp;
1963                                 }
1964                         else
1965                                 {
1966                                 /* Get the Server Public Key from Cert */
1967                                 srvr_pub_pkey = X509_get_pubkey(s->session-> \
1968                                     sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1969                                 if ((srvr_pub_pkey == NULL) ||
1970                                     (srvr_pub_pkey->type != EVP_PKEY_EC) ||
1971                                     (srvr_pub_pkey->pkey.ec == NULL))
1972                                         {
1973                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1974                                             ERR_R_INTERNAL_ERROR);
1975                                         goto err;
1976                                         }
1977
1978                                 tkey = srvr_pub_pkey->pkey.ec;
1979                                 }
1980
1981                         srvr_group   = EC_KEY_get0_group(tkey);
1982                         srvr_ecpoint = EC_KEY_get0_public_key(tkey);
1983
1984                         if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
1985                                 {
1986                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1987                                     ERR_R_INTERNAL_ERROR);
1988                                 goto err;
1989                                 }
1990
1991                         if ((clnt_ecdh=EC_KEY_new()) == NULL) 
1992                                 {
1993                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1994                                 goto err;
1995                                 }
1996
1997                         if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
1998                                 {
1999                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2000                                 goto err;
2001                                 }
2002                         if (ecdh_clnt_cert) 
2003                                 { 
2004                                 /* Reuse key info from our certificate
2005                                  * We only need our private key to perform
2006                                  * the ECDH computation.
2007                                  */
2008                                 const BIGNUM *priv_key;
2009                                 tkey = s->cert->key->privatekey->pkey.ec;
2010                                 priv_key = EC_KEY_get0_private_key(tkey);
2011                                 if (priv_key == NULL)
2012                                         {
2013                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2014                                         goto err;
2015                                         }
2016                                 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2017                                         {
2018                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2019                                         goto err;
2020                                         }
2021                                 }
2022                         else 
2023                                 {
2024                                 /* Generate a new ECDH key pair */
2025                                 if (!(EC_KEY_generate_key(clnt_ecdh)))
2026                                         {
2027                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2028                                         goto err;
2029                                         }
2030                                 }
2031
2032                         /* use the 'p' output buffer for the ECDH key, but
2033                          * make sure to clear it out afterwards
2034                          */
2035
2036                         field_size = EC_GROUP_get_degree(srvr_group);
2037                         if (field_size <= 0)
2038                                 {
2039                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
2040                                        ERR_R_ECDH_LIB);
2041                                 goto err;
2042                                 }
2043                         n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2044                         if (n <= 0)
2045                                 {
2046                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
2047                                        ERR_R_ECDH_LIB);
2048                                 goto err;
2049                                 }
2050
2051                         /* generate master key from the result */
2052                         s->session->master_key_length = s->method->ssl3_enc \
2053                             -> generate_master_secret(s, 
2054                                 s->session->master_key,
2055                                 p, n);
2056
2057                         memset(p, 0, n); /* clean up */
2058
2059                         if (ecdh_clnt_cert) 
2060                                 {
2061                                 /* Send empty client key exch message */
2062                                 n = 0;
2063                                 }
2064                         else 
2065                                 {
2066                                 /* First check the size of encoding and
2067                                  * allocate memory accordingly.
2068                                  */
2069                                 encoded_pt_len = 
2070                                     EC_POINT_point2oct(srvr_group, 
2071                                         EC_KEY_get0_public_key(clnt_ecdh), 
2072                                         POINT_CONVERSION_UNCOMPRESSED, 
2073                                         NULL, 0, NULL);
2074
2075                                 encodedPoint = (unsigned char *) 
2076                                     OPENSSL_malloc(encoded_pt_len * 
2077                                         sizeof(unsigned char)); 
2078                                 bn_ctx = BN_CTX_new();
2079                                 if ((encodedPoint == NULL) || 
2080                                     (bn_ctx == NULL)) 
2081                                         {
2082                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2083                                         goto err;
2084                                         }
2085
2086                                 /* Encode the public key */
2087                                 n = EC_POINT_point2oct(srvr_group, 
2088                                     EC_KEY_get0_public_key(clnt_ecdh), 
2089                                     POINT_CONVERSION_UNCOMPRESSED, 
2090                                     encodedPoint, encoded_pt_len, bn_ctx);
2091
2092                                 *p = n; /* length of encoded point */
2093                                 /* Encoded point will be copied here */
2094                                 p += 1; 
2095                                 /* copy the point */
2096                                 memcpy((unsigned char *)p, encodedPoint, n);
2097                                 /* increment n to account for length field */
2098                                 n += 1; 
2099                                 }
2100
2101                         /* Free allocated memory */
2102                         BN_CTX_free(bn_ctx);
2103                         if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2104                         if (clnt_ecdh != NULL) 
2105                                  EC_KEY_free(clnt_ecdh);
2106                         EVP_PKEY_free(srvr_pub_pkey);
2107                         }
2108 #endif /* !OPENSSL_NO_ECDH */
2109                 else
2110                         {
2111                         ssl3_send_alert(s, SSL3_AL_FATAL,
2112                             SSL_AD_HANDSHAKE_FAILURE);
2113                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2114                             ERR_R_INTERNAL_ERROR);
2115                         goto err;
2116                         }
2117                 
2118                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2119                 l2n3(n,d);
2120
2121                 s->state=SSL3_ST_CW_KEY_EXCH_B;
2122                 /* number of bytes to write */
2123                 s->init_num=n+4;
2124                 s->init_off=0;
2125                 }
2126
2127         /* SSL3_ST_CW_KEY_EXCH_B */
2128         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2129 err:
2130 #ifndef OPENSSL_NO_ECDH
2131         BN_CTX_free(bn_ctx);
2132         if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2133         if (clnt_ecdh != NULL) 
2134                 EC_KEY_free(clnt_ecdh);
2135         EVP_PKEY_free(srvr_pub_pkey);
2136 #endif
2137         return(-1);
2138         }
2139
2140 int ssl3_send_client_verify(SSL *s)
2141         {
2142         unsigned char *p,*d;
2143         unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2144         EVP_PKEY *pkey;
2145 #ifndef OPENSSL_NO_RSA
2146         unsigned u=0;
2147 #endif
2148         unsigned long n;
2149 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2150         int j;
2151 #endif
2152
2153         if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2154                 {
2155                 d=(unsigned char *)s->init_buf->data;
2156                 p= &(d[4]);
2157                 pkey=s->cert->key->privatekey;
2158
2159                 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
2160                         &(data[MD5_DIGEST_LENGTH]));
2161
2162 #ifndef OPENSSL_NO_RSA
2163                 if (pkey->type == EVP_PKEY_RSA)
2164                         {
2165                         s->method->ssl3_enc->cert_verify_mac(s,
2166                                 &(s->s3->finish_dgst1),&(data[0]));
2167                         if (RSA_sign(NID_md5_sha1, data,
2168                                          MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2169                                         &(p[2]), &u, pkey->pkey.rsa) <= 0 )
2170                                 {
2171                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
2172                                 goto err;
2173                                 }
2174                         s2n(u,p);
2175                         n=u+2;
2176                         }
2177                 else
2178 #endif
2179 #ifndef OPENSSL_NO_DSA
2180                         if (pkey->type == EVP_PKEY_DSA)
2181                         {
2182                         if (!DSA_sign(pkey->save_type,
2183                                 &(data[MD5_DIGEST_LENGTH]),
2184                                 SHA_DIGEST_LENGTH,&(p[2]),
2185                                 (unsigned int *)&j,pkey->pkey.dsa))
2186                                 {
2187                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
2188                                 goto err;
2189                                 }
2190                         s2n(j,p);
2191                         n=j+2;
2192                         }
2193                 else
2194 #endif
2195 #ifndef OPENSSL_NO_ECDSA
2196                         if (pkey->type == EVP_PKEY_EC)
2197                         {
2198                         if (!ECDSA_sign(pkey->save_type,
2199                                 &(data[MD5_DIGEST_LENGTH]),
2200                                 SHA_DIGEST_LENGTH,&(p[2]),
2201                                 (unsigned int *)&j,pkey->pkey.ec))
2202                                 {
2203                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2204                                     ERR_R_ECDSA_LIB);
2205                                 goto err;
2206                                 }
2207                         s2n(j,p);
2208                         n=j+2;
2209                         }
2210                 else
2211 #endif
2212                         {
2213                         SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
2214                         goto err;
2215                         }
2216                 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
2217                 l2n3(n,d);
2218
2219                 s->state=SSL3_ST_CW_CERT_VRFY_B;
2220                 s->init_num=(int)n+4;
2221                 s->init_off=0;
2222                 }
2223         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2224 err:
2225         return(-1);
2226         }
2227
2228 int ssl3_send_client_certificate(SSL *s)
2229         {
2230         X509 *x509=NULL;
2231         EVP_PKEY *pkey=NULL;
2232         int i;
2233         unsigned long l;
2234
2235         if (s->state == SSL3_ST_CW_CERT_A)
2236                 {
2237                 if ((s->cert == NULL) ||
2238                         (s->cert->key->x509 == NULL) ||
2239                         (s->cert->key->privatekey == NULL))
2240                         s->state=SSL3_ST_CW_CERT_B;
2241                 else
2242                         s->state=SSL3_ST_CW_CERT_C;
2243                 }
2244
2245         /* We need to get a client cert */
2246         if (s->state == SSL3_ST_CW_CERT_B)
2247                 {
2248                 /* If we get an error, we need to
2249                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2250                  * We then get retied later */
2251                 i=0;
2252                 if (s->ctx->client_cert_cb != NULL)
2253                         i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
2254                 if (i < 0)
2255                         {
2256                         s->rwstate=SSL_X509_LOOKUP;
2257                         return(-1);
2258                         }
2259                 s->rwstate=SSL_NOTHING;
2260                 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
2261                         {
2262                         s->state=SSL3_ST_CW_CERT_B;
2263                         if (    !SSL_use_certificate(s,x509) ||
2264                                 !SSL_use_PrivateKey(s,pkey))
2265                                 i=0;
2266                         }
2267                 else if (i == 1)
2268                         {
2269                         i=0;
2270                         SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2271                         }
2272
2273                 if (x509 != NULL) X509_free(x509);
2274                 if (pkey != NULL) EVP_PKEY_free(pkey);
2275                 if (i == 0)
2276                         {
2277                         if (s->version == SSL3_VERSION)
2278                                 {
2279                                 s->s3->tmp.cert_req=0;
2280                                 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
2281                                 return(1);
2282                                 }
2283                         else
2284                                 {
2285                                 s->s3->tmp.cert_req=2;
2286                                 }
2287                         }
2288
2289                 /* Ok, we have a cert */
2290                 s->state=SSL3_ST_CW_CERT_C;
2291                 }
2292
2293         if (s->state == SSL3_ST_CW_CERT_C)
2294                 {
2295                 s->state=SSL3_ST_CW_CERT_D;
2296                 l=ssl3_output_cert_chain(s,
2297                         (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
2298                 s->init_num=(int)l;
2299                 s->init_off=0;
2300                 }
2301         /* SSL3_ST_CW_CERT_D */
2302         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2303         }
2304
2305 #define has_bits(i,m)   (((i)&(m)) == (m))
2306
2307 int ssl3_check_cert_and_algorithm(SSL *s)
2308         {
2309         int i,idx;
2310         long algs;
2311         EVP_PKEY *pkey=NULL;
2312         SESS_CERT *sc;
2313 #ifndef OPENSSL_NO_RSA
2314         RSA *rsa;
2315 #endif
2316 #ifndef OPENSSL_NO_DH
2317         DH *dh;
2318 #endif
2319
2320         sc=s->session->sess_cert;
2321
2322         if (sc == NULL)
2323                 {
2324                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
2325                 goto err;
2326                 }
2327
2328         algs=s->s3->tmp.new_cipher->algorithms;
2329
2330         /* we don't have a certificate */
2331         if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
2332                 return(1);
2333
2334 #ifndef OPENSSL_NO_RSA
2335         rsa=s->session->sess_cert->peer_rsa_tmp;
2336 #endif
2337 #ifndef OPENSSL_NO_DH
2338         dh=s->session->sess_cert->peer_dh_tmp;
2339 #endif
2340
2341         /* This is the passed certificate */
2342
2343         idx=sc->peer_cert_type;
2344 #ifndef OPENSSL_NO_ECDH
2345         if (idx == SSL_PKEY_ECC)
2346                 {
2347                 if (check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2348                     s->s3->tmp.new_cipher) == 0) 
2349                         { /* check failed */
2350                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2351                         goto f_err;                     
2352                         }
2353                 else 
2354                         {
2355                         return 1;
2356                         }
2357                 }
2358 #endif
2359         pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
2360         i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
2361         EVP_PKEY_free(pkey);
2362
2363         
2364         /* Check that we have a certificate if we require one */
2365         if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
2366                 {
2367                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
2368                 goto f_err;
2369                 }
2370 #ifndef OPENSSL_NO_DSA
2371         else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
2372                 {
2373                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
2374                 goto f_err;
2375                 }
2376 #endif
2377 #ifndef OPENSSL_NO_RSA
2378         if ((algs & SSL_kRSA) &&
2379                 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
2380                 {
2381                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2382                 goto f_err;
2383                 }
2384 #endif
2385 #ifndef OPENSSL_NO_DH
2386         if ((algs & SSL_kEDH) &&
2387                 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
2388                 {
2389                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
2390                 goto f_err;
2391                 }
2392         else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
2393                 {
2394                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
2395                 goto f_err;
2396                 }
2397 #ifndef OPENSSL_NO_DSA
2398         else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
2399                 {
2400                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
2401                 goto f_err;
2402                 }
2403 #endif
2404 #endif
2405
2406         if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
2407                 {
2408 #ifndef OPENSSL_NO_RSA
2409                 if (algs & SSL_kRSA)
2410                         {
2411                         if (rsa == NULL
2412                             || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2413                                 {
2414                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2415                                 goto f_err;
2416                                 }
2417                         }
2418                 else
2419 #endif
2420 #ifndef OPENSSL_NO_DH
2421                         if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2422                             {
2423                             if (dh == NULL
2424                                 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
2425                                 {
2426                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
2427                                 goto f_err;
2428                                 }
2429                         }
2430                 else
2431 #endif
2432                         {
2433                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2434                         goto f_err;
2435                         }
2436                 }
2437         return(1);
2438 f_err:
2439         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2440 err:
2441         return(0);
2442         }
2443
2444
2445 #ifndef OPENSSL_NO_ECDH
2446 /* This is the complement of nid2curve_id in s3_srvr.c. */
2447 static int curve_id2nid(int curve_id)
2448 {
2449         /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2450          * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2451         static int nid_list[26] =
2452         {
2453                 0,
2454                 NID_sect163k1, /* sect163k1 (1) */
2455                 NID_sect163r1, /* sect163r1 (2) */
2456                 NID_sect163r2, /* sect163r2 (3) */
2457                 NID_sect193r1, /* sect193r1 (4) */ 
2458                 NID_sect193r2, /* sect193r2 (5) */ 
2459                 NID_sect233k1, /* sect233k1 (6) */
2460                 NID_sect233r1, /* sect233r1 (7) */ 
2461                 NID_sect239k1, /* sect239k1 (8) */ 
2462                 NID_sect283k1, /* sect283k1 (9) */
2463                 NID_sect283r1, /* sect283r1 (10) */ 
2464                 NID_sect409k1, /* sect409k1 (11) */ 
2465                 NID_sect409r1, /* sect409r1 (12) */
2466                 NID_sect571k1, /* sect571k1 (13) */ 
2467                 NID_sect571r1, /* sect571r1 (14) */ 
2468                 NID_secp160k1, /* secp160k1 (15) */
2469                 NID_secp160r1, /* secp160r1 (16) */ 
2470                 NID_secp160r2, /* secp160r2 (17) */ 
2471                 NID_secp192k1, /* secp192k1 (18) */
2472                 NID_X9_62_prime192v1, /* secp192r1 (19) */ 
2473                 NID_secp224k1, /* secp224k1 (20) */ 
2474                 NID_secp224r1, /* secp224r1 (21) */
2475                 NID_secp256k1, /* secp256k1 (22) */ 
2476                 NID_X9_62_prime256v1, /* secp256r1 (23) */ 
2477                 NID_secp384r1, /* secp384r1 (24) */
2478                 NID_secp521r1  /* secp521r1 (25) */     
2479         };
2480         
2481         if ((curve_id < 1) || (curve_id > 25)) return 0;
2482
2483         return nid_list[curve_id];
2484 }
2485 #endif
Unnamed repository; edit this file 'description' to name the repository.