b2649ed9986cc3297e04a10bdb26ac61f7add5d3
[openssl.git] / ssl / s3_clnt.c
1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include "buffer.h"
61 #include "rand.h"
62 #include "objects.h"
63 #include "evp.h"
64 #include "ssl_locl.h"
65
66 #define BREAK break
67 /* SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
68  * SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
69  * SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
70  * SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
71  * SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
72  * SSLerr(SSL_F_SSL3_GET_SERVER_DONE,ERR_R_MALLOC_FAILURE);
73 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
74  */
75
76 #ifndef NOPROTO
77 static SSL_METHOD *ssl3_get_client_method(int ver);
78 static int ssl3_client_hello(SSL *s);
79 static int ssl3_get_server_hello(SSL *s);
80 static int ssl3_get_certificate_request(SSL *s);
81 static int ca_dn_cmp(X509_NAME **a,X509_NAME **b);
82 static int ssl3_get_server_done(SSL *s);
83 static int ssl3_send_client_verify(SSL *s);
84 static int ssl3_send_client_certificate(SSL *s);
85 static int ssl3_send_client_key_exchange(SSL *s);
86 static int ssl3_get_key_exchange(SSL *s);
87 static int ssl3_get_server_certificate(SSL *s);
88 static int ssl3_check_cert_and_algorithm(SSL *s);
89 #else
90 static SSL_METHOD *ssl3_get_client_method();
91 static int ssl3_client_hello();
92 static int ssl3_get_server_hello();
93 static int ssl3_get_certificate_request();
94 static int ca_dn_cmp();
95 static int ssl3_get_server_done();
96 static int ssl3_send_client_verify();
97 static int ssl3_send_client_certificate();
98 static int ssl3_send_client_key_exchange();
99 static int ssl3_get_key_exchange();
100 static int ssl3_get_server_certificate();
101 static int ssl3_check_cert_and_algorithm();
102 #endif
103
104 static SSL_METHOD *ssl3_get_client_method(ver)
105 int ver;
106         {
107         if (ver == SSL3_VERSION)
108                 return(SSLv3_client_method());
109         else
110                 return(NULL);
111         }
112
113 SSL_METHOD *SSLv3_client_method()
114         {
115         static int init=1;
116         static SSL_METHOD SSLv3_client_data;
117
118         if (init)
119                 {
120                 init=0;
121                 memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
122                         sizeof(SSL_METHOD));
123                 SSLv3_client_data.ssl_connect=ssl3_connect;
124                 SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
125                 }
126         return(&SSLv3_client_data);
127         }
128
129 int ssl3_connect(s)
130 SSL *s;
131         {
132         BUF_MEM *buf;
133         unsigned long Time=time(NULL),l;
134         long num1;
135         void (*cb)()=NULL;
136         int ret= -1;
137         int new_state,state,skip=0;;
138
139         RAND_seed(&Time,sizeof(Time));
140         ERR_clear_error();
141         clear_sys_error();
142
143         if (s->info_callback != NULL)
144                 cb=s->info_callback;
145         else if (s->ctx->info_callback != NULL)
146                 cb=s->ctx->info_callback;
147         
148         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
149         s->in_handshake++;
150
151         for (;;)
152                 {
153                 state=s->state;
154
155                 switch(s->state)
156                         {
157                 case SSL_ST_RENEGOTIATE:
158                         s->new_session=1;
159                         s->state=SSL_ST_CONNECT;
160                         s->ctx->stats.sess_connect_renegotiate++;
161                         /* break */
162                 case SSL_ST_BEFORE:
163                 case SSL_ST_CONNECT:
164                 case SSL_ST_BEFORE|SSL_ST_CONNECT:
165                 case SSL_ST_OK|SSL_ST_CONNECT:
166
167                         s->server=0;
168                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
169
170                         if ((s->version & 0xff00 ) != 0x0300)
171                                 abort();
172                         /* s->version=SSL3_VERSION; */
173                         s->type=SSL_ST_CONNECT;
174
175                         if (s->init_buf == NULL)
176                                 {
177                                 if ((buf=BUF_MEM_new()) == NULL)
178                                         {
179                                         ret= -1;
180                                         goto end;
181                                         }
182                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
183                                         {
184                                         ret= -1;
185                                         goto end;
186                                         }
187                                 s->init_buf=buf;
188                                 }
189
190                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
191
192                         /* setup buffing BIO */
193                         if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
194
195                         /* don't push the buffering BIO quite yet */
196
197                         ssl3_init_finished_mac(s);
198
199                         s->state=SSL3_ST_CW_CLNT_HELLO_A;
200                         s->ctx->stats.sess_connect++;
201                         s->init_num=0;
202                         break;
203
204                 case SSL3_ST_CW_CLNT_HELLO_A:
205                 case SSL3_ST_CW_CLNT_HELLO_B:
206
207                         s->shutdown=0;
208                         ret=ssl3_client_hello(s);
209                         if (ret <= 0) goto end;
210                         s->state=SSL3_ST_CR_SRVR_HELLO_A;
211                         s->init_num=0;
212
213                         /* turn on buffering for the next lot of output */
214                         if (s->bbio != s->wbio)
215                                 s->wbio=BIO_push(s->bbio,s->wbio);
216
217                         break;
218
219                 case SSL3_ST_CR_SRVR_HELLO_A:
220                 case SSL3_ST_CR_SRVR_HELLO_B:
221                         ret=ssl3_get_server_hello(s);
222                         if (ret <= 0) goto end;
223                         if (s->hit)
224                                 s->state=SSL3_ST_CR_FINISHED_A;
225                         else
226                                 s->state=SSL3_ST_CR_CERT_A;
227                         s->init_num=0;
228                         break;
229
230                 case SSL3_ST_CR_CERT_A:
231                 case SSL3_ST_CR_CERT_B:
232                         /* Check if it is anon DH */
233                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
234                                 {
235                                 ret=ssl3_get_server_certificate(s);
236                                 if (ret <= 0) goto end;
237                                 }
238                         else
239                                 skip=1;
240                         s->state=SSL3_ST_CR_KEY_EXCH_A;
241                         s->init_num=0;
242                         break;
243
244                 case SSL3_ST_CR_KEY_EXCH_A:
245                 case SSL3_ST_CR_KEY_EXCH_B:
246                         ret=ssl3_get_key_exchange(s);
247                         if (ret <= 0) goto end;
248                         s->state=SSL3_ST_CR_CERT_REQ_A;
249                         s->init_num=0;
250
251                         /* at this point we check that we have the
252                          * required stuff from the server */
253                         if (!ssl3_check_cert_and_algorithm(s))
254                                 {
255                                 ret= -1;
256                                 goto end;
257                                 }
258                         break;
259
260                 case SSL3_ST_CR_CERT_REQ_A:
261                 case SSL3_ST_CR_CERT_REQ_B:
262                         ret=ssl3_get_certificate_request(s);
263                         if (ret <= 0) goto end;
264                         s->state=SSL3_ST_CR_SRVR_DONE_A;
265                         s->init_num=0;
266                         break;
267
268                 case SSL3_ST_CR_SRVR_DONE_A:
269                 case SSL3_ST_CR_SRVR_DONE_B:
270                         ret=ssl3_get_server_done(s);
271                         if (ret <= 0) goto end;
272                         if (s->s3->tmp.cert_req)
273                                 s->state=SSL3_ST_CW_CERT_A;
274                         else
275                                 s->state=SSL3_ST_CW_KEY_EXCH_A;
276                         s->init_num=0;
277
278                         break;
279
280                 case SSL3_ST_CW_CERT_A:
281                 case SSL3_ST_CW_CERT_B:
282                 case SSL3_ST_CW_CERT_C:
283                         ret=ssl3_send_client_certificate(s);
284                         if (ret <= 0) goto end;
285                         s->state=SSL3_ST_CW_KEY_EXCH_A;
286                         s->init_num=0;
287                         break;
288
289                 case SSL3_ST_CW_KEY_EXCH_A:
290                 case SSL3_ST_CW_KEY_EXCH_B:
291                         ret=ssl3_send_client_key_exchange(s);
292                         if (ret <= 0) goto end;
293                         l=s->s3->tmp.new_cipher->algorithms;
294                         /* EAY EAY EAY need to check for DH fix cert
295                          * sent back */
296                         /* For TLS, cert_req is set to 2, so a cert chain
297                          * of nothing is sent, but no verify packet is sent */
298                         if (s->s3->tmp.cert_req == 1)
299                                 {
300                                 s->state=SSL3_ST_CW_CERT_VRFY_A;
301                                 }
302                         else
303                                 {
304                                 s->state=SSL3_ST_CW_CHANGE_A;
305                                 s->s3->change_cipher_spec=0;
306                                 }
307
308                         s->init_num=0;
309                         break;
310
311                 case SSL3_ST_CW_CERT_VRFY_A:
312                 case SSL3_ST_CW_CERT_VRFY_B:
313                         ret=ssl3_send_client_verify(s);
314                         if (ret <= 0) goto end;
315                         s->state=SSL3_ST_CW_CHANGE_A;
316                         s->init_num=0;
317                         s->s3->change_cipher_spec=0;
318                         break;
319
320                 case SSL3_ST_CW_CHANGE_A:
321                 case SSL3_ST_CW_CHANGE_B:
322                         ret=ssl3_send_change_cipher_spec(s,
323                                 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
324                         if (ret <= 0) goto end;
325                         s->state=SSL3_ST_CW_FINISHED_A;
326                         s->init_num=0;
327
328                         s->session->cipher=s->s3->tmp.new_cipher;
329                         if (s->s3->tmp.new_compression == NULL)
330                                 s->session->compress_meth=0;
331                         else
332                                 s->session->compress_meth=
333                                         s->s3->tmp.new_compression->id;
334                         if (!s->method->ssl3_enc->setup_key_block(s))
335                                 {
336                                 ret= -1;
337                                 goto end;
338                                 }
339
340                         if (!s->method->ssl3_enc->change_cipher_state(s,
341                                 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
342                                 {
343                                 ret= -1;
344                                 goto end;
345                                 }
346
347                         break;
348
349                 case SSL3_ST_CW_FINISHED_A:
350                 case SSL3_ST_CW_FINISHED_B:
351                         ret=ssl3_send_finished(s,
352                                 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
353                                 s->method->ssl3_enc->client_finished,
354                                 s->method->ssl3_enc->client_finished_len);
355                         if (ret <= 0) goto end;
356                         s->state=SSL3_ST_CW_FLUSH;
357
358                         /* clear flags */
359                         s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
360                         if (s->hit)
361                                 {
362                                 s->s3->tmp.next_state=SSL_ST_OK;
363                                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
364                                         {
365                                         s->state=SSL_ST_OK;
366                                         s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
367                                         s->s3->delay_buf_pop_ret=0;
368                                         }
369                                 }
370                         else
371                                 {
372                                 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
373                                 }
374                         s->init_num=0;
375                         break;
376
377                 case SSL3_ST_CR_FINISHED_A:
378                 case SSL3_ST_CR_FINISHED_B:
379
380                         ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
381                                 SSL3_ST_CR_FINISHED_B);
382                         if (ret <= 0) goto end;
383
384                         if (s->hit)
385                                 s->state=SSL3_ST_CW_CHANGE_A;
386                         else
387                                 s->state=SSL_ST_OK;
388                         s->init_num=0;
389                         break;
390
391                 case SSL3_ST_CW_FLUSH:
392                         /* number of bytes to be flushed */
393                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
394                         if (num1 > 0)
395                                 {
396                                 s->rwstate=SSL_WRITING;
397                                 num1=BIO_flush(s->wbio);
398                                 if (num1 <= 0) { ret= -1; goto end; }
399                                 s->rwstate=SSL_NOTHING;
400                                 }
401
402                         s->state=s->s3->tmp.next_state;
403                         break;
404
405                 case SSL_ST_OK:
406                         /* clean a few things up */
407                         ssl3_cleanup_key_block(s);
408
409                         if (s->init_buf != NULL)
410                                 {
411                                 BUF_MEM_free(s->init_buf);
412                                 s->init_buf=NULL;
413                                 }
414
415                         /* If we are not 'joining' the last two packets,
416                          * remove the buffering now */
417                         if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
418                                 ssl_free_wbio_buffer(s);
419                         /* else do it later in ssl3_write */
420
421                         s->init_num=0;
422                         s->new_session=0;
423
424                         ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
425                         if (s->hit) s->ctx->stats.sess_hit++;
426
427                         ret=1;
428                         /* s->server=0; */
429                         s->handshake_func=ssl3_connect;
430                         s->ctx->stats.sess_connect_good++;
431
432                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
433
434                         goto end;
435                         /* break; */
436                         
437                 default:
438                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
439                         ret= -1;
440                         goto end;
441                         /* break; */
442                         }
443
444                 /* did we do anything */
445                 if (!s->s3->tmp.reuse_message && !skip)
446                         {
447                         if (s->debug)
448                                 {
449                                 if ((ret=BIO_flush(s->wbio)) <= 0)
450                                         goto end;
451                                 }
452
453                         if ((cb != NULL) && (s->state != state))
454                                 {
455                                 new_state=s->state;
456                                 s->state=state;
457                                 cb(s,SSL_CB_CONNECT_LOOP,1);
458                                 s->state=new_state;
459                                 }
460                         }
461                 skip=0;
462                 }
463 end:
464         if (cb != NULL)
465                 cb(s,SSL_CB_CONNECT_EXIT,ret);
466         s->in_handshake--;
467         return(ret);
468         }
469
470
471 static int ssl3_client_hello(s)
472 SSL *s;
473         {
474         unsigned char *buf;
475         unsigned char *p,*d;
476         int i,j;
477         unsigned long Time,l;
478         SSL_COMP *comp;
479
480         buf=(unsigned char *)s->init_buf->data;
481         if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
482                 {
483                 if ((s->session == NULL) ||
484                         (s->session->ssl_version != s->version) ||
485                         (s->session->not_resumable))
486                         {
487                         if (!ssl_get_new_session(s,0))
488                                 goto err;
489                         }
490                 /* else use the pre-loaded session */
491
492                 p=s->s3->client_random;
493                 Time=time(NULL);                        /* Time */
494                 l2n(Time,p);
495                 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
496
497                 /* Do the message type and length last */
498                 d=p= &(buf[4]);
499
500                 *(p++)=s->version>>8;
501                 *(p++)=s->version&0xff;
502                 s->client_version=s->version;
503
504                 /* Random stuff */
505                 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
506                 p+=SSL3_RANDOM_SIZE;
507
508                 /* Session ID */
509                 if (s->new_session)
510                         i=0;
511                 else
512                         i=s->session->session_id_length;
513                 *(p++)=i;
514                 if (i != 0)
515                         {
516                         memcpy(p,s->session->session_id,i);
517                         p+=i;
518                         }
519                 
520                 /* Ciphers supported */
521                 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
522                 if (i == 0)
523                         {
524                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
525                         goto err;
526                         }
527                 s2n(i,p);
528                 p+=i;
529
530                 /* COMPRESSION */
531                 if (s->ctx->comp_methods == NULL)
532                         j=0;
533                 else
534                         j=sk_num(s->ctx->comp_methods);
535                 *(p++)=1+j;
536                 for (i=0; i<j; i++)
537                         {
538                         comp=(SSL_COMP *)sk_value(s->ctx->comp_methods,i);
539                         *(p++)=comp->id;
540                         }
541                 *(p++)=0; /* Add the NULL method */
542                 
543                 l=(p-d);
544                 d=buf;
545                 *(d++)=SSL3_MT_CLIENT_HELLO;
546                 l2n3(l,d);
547
548                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
549                 /* number of bytes to write */
550                 s->init_num=p-buf;
551                 s->init_off=0;
552                 }
553
554         /* SSL3_ST_CW_CLNT_HELLO_B */
555         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
556 err:
557         return(-1);
558         }
559
560 static int ssl3_get_server_hello(s)
561 SSL *s;
562         {
563         STACK *sk;
564         SSL_CIPHER *c;
565         unsigned char *p,*d;
566         int i,al,ok;
567         unsigned int j;
568         long n;
569         SSL_COMP *comp;
570
571         n=ssl3_get_message(s,
572                 SSL3_ST_CR_SRVR_HELLO_A,
573                 SSL3_ST_CR_SRVR_HELLO_B,
574                 SSL3_MT_SERVER_HELLO,
575                 300, /* ?? */
576                 &ok);
577
578         if (!ok) return((int)n);
579         d=p=(unsigned char *)s->init_buf->data;
580
581         if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
582                 {
583                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
584                 s->version=(s->version&0xff00)|p[1];
585                 al=SSL_AD_PROTOCOL_VERSION;
586                 goto f_err;
587                 }
588         p+=2;
589
590         /* load the server hello data */
591         /* load the server random */
592         memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
593         p+=SSL3_RANDOM_SIZE;
594
595         /* get the session-id */
596         j= *(p++);
597
598         if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
599                 {
600                 /* SSLref returns 16 :-( */
601                 if (j < SSL2_SSL_SESSION_ID_LENGTH)
602                         {
603                         al=SSL_AD_ILLEGAL_PARAMETER;
604                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
605                         goto f_err;
606                         }
607                 }
608         if ((j != 0) && (j == s->session->session_id_length) &&
609                 (memcmp(p,s->session->session_id,j) == 0))
610                 s->hit=1;
611         else    /* a miss or crap from the other end */
612                 {
613                 /* If we were trying for session-id reuse, make a new
614                  * SSL_SESSION so we don't stuff up other people */
615                 s->hit=0;
616                 if (s->session->session_id_length > 0)
617                         {
618                         if (!ssl_get_new_session(s,0))
619                                 {
620                                 al=SSL_AD_INTERNAL_ERROR;
621                                 goto f_err;
622                                 }
623                         }
624                 s->session->session_id_length=j;
625                 memcpy(s->session->session_id,p,j); /* j could be 0 */
626                 }
627         p+=j;
628         c=ssl_get_cipher_by_char(s,p);
629         if (c == NULL)
630                 {
631                 /* unknown cipher */
632                 al=SSL_AD_ILLEGAL_PARAMETER;
633                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
634                 goto f_err;
635                 }
636         p+=ssl_put_cipher_by_char(s,NULL,NULL);
637
638         sk=ssl_get_ciphers_by_id(s);
639         i=sk_find(sk,(char *)c);
640         if (i < 0)
641                 {
642                 /* we did not say we would use this cipher */
643                 al=SSL_AD_ILLEGAL_PARAMETER;
644                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
645                 goto f_err;
646                 }
647
648         if (s->hit && (s->session->cipher != c))
649                 {
650                 if (!(s->options &
651                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
652                         {
653                         al=SSL_AD_ILLEGAL_PARAMETER;
654                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
655                         goto f_err;
656                         }
657                 }
658         s->s3->tmp.new_cipher=c;
659
660         /* lets get the compression algorithm */
661         /* COMPRESSION */
662         j= *(p++);
663         if (j == 0)
664                 comp=NULL;
665         else
666                 comp=ssl3_comp_find(s->ctx->comp_methods,j);
667         
668         if ((j != 0) && (comp == NULL))
669                 {
670                 al=SSL_AD_ILLEGAL_PARAMETER;
671                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
672                 goto f_err;
673                 }
674         else
675                 {
676                 s->s3->tmp.new_compression=comp;
677                 }
678
679         if (p != (d+n))
680                 {
681                 /* wrong packet length */
682                 al=SSL_AD_DECODE_ERROR;
683                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
684                 goto err;
685                 }
686
687         return(1);
688 f_err:
689         ssl3_send_alert(s,SSL3_AL_FATAL,al);
690 err:
691         return(-1);
692         }
693
694 static int ssl3_get_server_certificate(s)
695 SSL *s;
696         {
697         int al,i,ok,ret= -1;
698         unsigned long n,nc,llen,l;
699         X509 *x=NULL;
700         unsigned char *p,*d,*q;
701         STACK *sk=NULL;
702         CERT *c;
703         EVP_PKEY *pkey=NULL;
704
705         n=ssl3_get_message(s,
706                 SSL3_ST_CR_CERT_A,
707                 SSL3_ST_CR_CERT_B,
708                 -1,
709 #if defined(MSDOS) && !defined(WIN32)
710                 1024*30, /* 30k max cert list :-) */
711 #else
712                 1024*100, /* 100k max cert list :-) */
713 #endif
714                 &ok);
715
716         if (!ok) return((int)n);
717
718         if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
719                 {
720                 s->s3->tmp.reuse_message=1;
721                 return(1);
722                 }
723
724         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
725                 {
726                 al=SSL_AD_UNEXPECTED_MESSAGE;
727                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
728                 goto f_err;
729                 }
730         d=p=(unsigned char *)s->init_buf->data;
731
732         if ((sk=sk_new_null()) == NULL)
733                 {
734                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
735                 goto err;
736                 }
737
738         n2l3(p,llen);
739         if (llen+3 != n)
740                 {
741                 al=SSL_AD_DECODE_ERROR;
742                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
743                 goto f_err;
744                 }
745         for (nc=0; nc<llen; )
746                 {
747                 n2l3(p,l);
748                 if ((l+nc+3) > llen)
749                         {
750                         al=SSL_AD_DECODE_ERROR;
751                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
752                         goto f_err;
753                         }
754
755                 q=p;
756                 x=d2i_X509(NULL,&q,l);
757                 if (x == NULL)
758                         {
759                         al=SSL_AD_BAD_CERTIFICATE;
760                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
761                         goto f_err;
762                         }
763                 if (q != (p+l))
764                         {
765                         al=SSL_AD_DECODE_ERROR;
766                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
767                         goto f_err;
768                         }
769                 if (!sk_push(sk,(char *)x))
770                         {
771                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
772                         goto err;
773                         }
774                 x=NULL;
775                 nc+=l+3;
776                 p=q;
777                 }
778
779         i=ssl_verify_cert_chain(s,sk);
780         if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
781                 {
782                 al=ssl_verify_alarm_type(s->verify_result);
783                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
784                 goto f_err; 
785                 }
786
787         c=ssl_cert_new();
788         if (c == NULL) goto err;
789
790         if (s->session->cert) ssl_cert_free(s->session->cert);
791         s->session->cert=c;
792
793         c->cert_chain=sk;
794         x=(X509 *)sk_value(sk,0);
795         sk=NULL;
796
797         pkey=X509_get_pubkey(x);
798
799         if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
800                 {
801                 x=NULL;
802                 al=SSL3_AL_FATAL;
803                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
804                 goto f_err;
805                 }
806
807         i=ssl_cert_type(x,pkey);
808         if (i < 0)
809                 {
810                 x=NULL;
811                 al=SSL3_AL_FATAL;
812                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
813                 goto f_err;
814                 }
815
816         c->cert_type=i;
817         CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
818         if (c->pkeys[i].x509 != NULL)
819                 X509_free(c->pkeys[i].x509);
820         c->pkeys[i].x509=x;
821         c->key= &(c->pkeys[i]);
822
823         if ((s->session != NULL) && (s->session->peer != NULL)) 
824                 X509_free(s->session->peer);
825         CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
826         s->session->peer=x;
827
828         x=NULL;
829         ret=1;
830
831         if (0)
832                 {
833 f_err:
834                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
835                 }
836 err:
837         EVP_PKEY_free(pkey);
838         X509_free(x);
839         sk_pop_free(sk,X509_free);
840         return(ret);
841         }
842
843 static int ssl3_get_key_exchange(s)
844 SSL *s;
845         {
846 #ifndef NO_RSA
847         unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
848 #endif
849         EVP_MD_CTX md_ctx;
850         unsigned char *param,*p;
851         int al,i,j,param_len,ok;
852         long n,alg;
853         EVP_PKEY *pkey=NULL;
854         RSA *rsa=NULL;
855 #ifndef NO_DH
856         DH *dh=NULL;
857 #endif
858
859         n=ssl3_get_message(s,
860                 SSL3_ST_CR_KEY_EXCH_A,
861                 SSL3_ST_CR_KEY_EXCH_B,
862                 -1,
863                 1024*8, /* ?? */
864                 &ok);
865
866         if (!ok) return((int)n);
867
868         if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
869                 {
870                 s->s3->tmp.reuse_message=1;
871                 return(1);
872                 }
873
874         param=p=(unsigned char *)s->init_buf->data;
875
876         if (s->session->cert != NULL)
877                 {
878 #ifndef NO_RSA
879                 if (s->session->cert->rsa_tmp != NULL)
880                         {
881                         RSA_free(s->session->cert->rsa_tmp);
882                         s->session->cert->rsa_tmp=NULL;
883                         }
884 #endif
885 #ifndef NO_DH
886                 if (s->session->cert->dh_tmp)
887                         {
888                         DH_free(s->session->cert->dh_tmp);
889                         s->session->cert->dh_tmp=NULL;
890                         }
891 #endif
892                 }
893         else
894                 {
895                 s->session->cert=ssl_cert_new();
896                 }
897
898         param_len=0;
899         alg=s->s3->tmp.new_cipher->algorithms;
900
901 #ifndef NO_RSA
902         if (alg & SSL_kRSA)
903                 {
904                 if ((rsa=RSA_new()) == NULL)
905                         {
906                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
907                         goto err;
908                         }
909                 n2s(p,i);
910                 param_len=i+2;
911                 if (param_len > n)
912                         {
913                         al=SSL_AD_DECODE_ERROR;
914                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
915                         goto f_err;
916                         }
917                 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
918                         {
919                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
920                         goto err;
921                         }
922                 p+=i;
923
924                 n2s(p,i);
925                 param_len+=i+2;
926                 if (param_len > n)
927                         {
928                         al=SSL_AD_DECODE_ERROR;
929                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
930                         goto f_err;
931                         }
932                 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
933                         {
934                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
935                         goto err;
936                         }
937                 p+=i;
938                 n-=param_len;
939
940 /*              s->session->cert->rsa_tmp=rsa;*/
941                 /* this should be because we are using an export cipher */
942                 if (alg & SSL_aRSA)
943                         pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
944                 else
945                         {
946                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
947                         goto err;
948                         }
949                 s->session->cert->rsa_tmp=rsa;
950                 }
951         else
952 #endif
953 #ifndef NO_DH
954                 if (alg & SSL_kEDH)
955                 {
956                 if ((dh=DH_new()) == NULL)
957                         {
958                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
959                         goto err;
960                         }
961                 n2s(p,i);
962                 param_len=i+2;
963                 if (param_len > n)
964                         {
965                         al=SSL_AD_DECODE_ERROR;
966                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
967                         goto f_err;
968                         }
969                 if (!(dh->p=BN_bin2bn(p,i,NULL)))
970                         {
971                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
972                         goto err;
973                         }
974                 p+=i;
975
976                 n2s(p,i);
977                 param_len+=i+2;
978                 if (param_len > n)
979                         {
980                         al=SSL_AD_DECODE_ERROR;
981                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
982                         goto f_err;
983                         }
984                 if (!(dh->g=BN_bin2bn(p,i,NULL)))
985                         {
986                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
987                         goto err;
988                         }
989                 p+=i;
990
991                 n2s(p,i);
992                 param_len+=i+2;
993                 if (param_len > n)
994                         {
995                         al=SSL_AD_DECODE_ERROR;
996                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
997                         goto f_err;
998                         }
999                 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1000                         {
1001                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1002                         goto err;
1003                         }
1004                 p+=i;
1005                 n-=param_len;
1006
1007 #ifndef NO_RSA
1008                 if (alg & SSL_aRSA)
1009                         pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
1010                 else
1011 #endif
1012 #ifndef NO_DSA
1013                 if (alg & SSL_aDSS)
1014                         pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_DSA_SIGN].x509);
1015 #endif
1016                 /* else anonymous DH, so no certificate or pkey. */
1017
1018                 s->session->cert->dh_tmp=dh;
1019                 dh=NULL;
1020                 }
1021         else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1022                 {
1023                 al=SSL_AD_ILLEGAL_PARAMETER;
1024                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1025                 goto f_err;
1026                 }
1027 #endif
1028         if (alg & SSL_aFZA)
1029                 {
1030                 al=SSL_AD_HANDSHAKE_FAILURE;
1031                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1032                 goto f_err;
1033                 }
1034
1035
1036         /* p points to the next byte, there are 'n' bytes left */
1037
1038
1039         /* if it was signed, check the signature */
1040         if (pkey != NULL)
1041                 {
1042                 n2s(p,i);
1043                 n-=2;
1044                 j=EVP_PKEY_size(pkey);
1045
1046                 if ((i != n) || (n > j) || (n <= 0))
1047                         {
1048                         /* wrong packet length */
1049                         al=SSL_AD_DECODE_ERROR;
1050                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1051                         goto f_err;
1052                         }
1053
1054 #ifndef NO_RSA
1055                 if (pkey->type == EVP_PKEY_RSA)
1056                         {
1057                         int num;
1058
1059                         j=0;
1060                         q=md_buf;
1061                         for (num=2; num > 0; num--)
1062                                 {
1063                                 EVP_DigestInit(&md_ctx,(num == 2)
1064                                         ?s->ctx->md5:s->ctx->sha1);
1065                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1066                                 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1067                                 EVP_DigestUpdate(&md_ctx,param,param_len);
1068                                 EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i);
1069                                 q+=i;
1070                                 j+=i;
1071                                 }
1072                         i=RSA_public_decrypt((int)n,p,p,pkey->pkey.rsa,
1073                                 RSA_PKCS1_PADDING);
1074                         if (i <= 0)
1075                                 {
1076                                 al=SSL_AD_DECRYPT_ERROR;
1077                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1078                                 goto f_err;
1079                                 }
1080                         if ((j != i) || (memcmp(p,md_buf,i) != 0))
1081                                 {
1082                                 /* bad signature */
1083                                 al=SSL_AD_DECRYPT_ERROR;
1084                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1085                                 goto f_err;
1086                                 }
1087                         }
1088                 else
1089 #endif
1090 #ifndef NO_DSA
1091                         if (pkey->type == EVP_PKEY_DSA)
1092                         {
1093                         /* lets do DSS */
1094                         EVP_VerifyInit(&md_ctx,EVP_dss1());
1095                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1096                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1097                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1098                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1099                                 {
1100                                 /* bad signature */
1101                                 al=SSL_AD_DECRYPT_ERROR;
1102                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1103                                 goto f_err;
1104                                 }
1105                         }
1106                 else
1107 #endif
1108                         {
1109                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1110                         goto err;
1111                         }
1112                 }
1113         else
1114                 {
1115                 /* still data left over */
1116                 if (!(alg & SSL_aNULL))
1117                         {
1118                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1119                         goto err;
1120                         }
1121                 if (n != 0)
1122                         {
1123                         al=SSL_AD_DECODE_ERROR;
1124                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1125                         goto f_err;
1126                         }
1127                 }
1128         EVP_PKEY_free(pkey);
1129         return(1);
1130 f_err:
1131         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1132 err:
1133         EVP_PKEY_free(pkey);
1134         return(-1);
1135         }
1136
1137 static int ssl3_get_certificate_request(s)
1138 SSL *s;
1139         {
1140         int ok,ret=0;
1141         unsigned long n,nc,l;
1142         unsigned int llen,ctype_num,i;
1143         X509_NAME *xn=NULL;
1144         unsigned char *p,*d,*q;
1145         STACK *ca_sk=NULL;
1146
1147         n=ssl3_get_message(s,
1148                 SSL3_ST_CR_CERT_REQ_A,
1149                 SSL3_ST_CR_CERT_REQ_B,
1150                 -1,
1151 #if defined(MSDOS) && !defined(WIN32)
1152                 1024*30,  /* 30k max cert list :-) */
1153 #else
1154                 1024*100, /* 100k max cert list :-) */
1155 #endif
1156                 &ok);
1157
1158         if (!ok) return((int)n);
1159
1160         s->s3->tmp.cert_req=0;
1161
1162         if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1163                 {
1164                 s->s3->tmp.reuse_message=1;
1165                 return(1);
1166                 }
1167
1168         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1169                 {
1170                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1171                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1172                 goto err;
1173                 }
1174
1175         /* TLS does not like anon-DH with client cert */
1176         if (s->version > SSL3_VERSION)
1177                 {
1178                 l=s->s3->tmp.new_cipher->algorithms;
1179                 if (l & SSL_aNULL)
1180                         {
1181                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1182                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1183                         goto err;
1184                         }
1185                 }
1186
1187         d=p=(unsigned char *)s->init_buf->data;
1188
1189         if ((ca_sk=sk_new(ca_dn_cmp)) == NULL)
1190                 {
1191                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1192                 goto err;
1193                 }
1194
1195         /* get the certificate types */
1196         ctype_num= *(p++);
1197         if (ctype_num > SSL3_CT_NUMBER)
1198                 ctype_num=SSL3_CT_NUMBER;
1199         for (i=0; i<ctype_num; i++)
1200                 s->s3->tmp.ctype[i]= p[i];
1201         p+=ctype_num;
1202
1203         /* get the CA RDNs */
1204         n2s(p,llen);
1205 #if 0
1206 {
1207 FILE *out;
1208 out=fopen("/tmp/vsign.der","w");
1209 fwrite(p,1,llen,out);
1210 fclose(out);
1211 }
1212 #endif
1213
1214         if ((llen+ctype_num+2+1) != n)
1215                 {
1216                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1217                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1218                 goto err;
1219                 }
1220
1221         for (nc=0; nc<llen; )
1222                 {
1223                 n2s(p,l);
1224                 if ((l+nc+2) > llen)
1225                         {
1226                         if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1227                                 goto cont; /* netscape bugs */
1228                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1229                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1230                         goto err;
1231                         }
1232
1233                 q=p;
1234
1235                 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1236                         {
1237                         /* If netscape tollerance is on, ignore errors */
1238                         if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1239                                 goto cont;
1240                         else
1241                                 {
1242                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1243                                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1244                                 goto err;
1245                                 }
1246                         }
1247
1248                 if (q != (p+l))
1249                         {
1250                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1251                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1252                         goto err;
1253                         }
1254                 if (!sk_push(ca_sk,(char *)xn))
1255                         {
1256                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1257                         goto err;
1258                         }
1259
1260                 p+=l;
1261                 nc+=l+2;
1262                 }
1263
1264         if (0)
1265                 {
1266 cont:
1267                 ERR_clear_error();
1268                 }
1269
1270         /* we should setup a certficate to return.... */
1271         s->s3->tmp.cert_req=1;
1272         s->s3->tmp.ctype_num=ctype_num;
1273         if (s->s3->tmp.ca_names != NULL)
1274                 sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1275         s->s3->tmp.ca_names=ca_sk;
1276         ca_sk=NULL;
1277
1278         ret=1;
1279 err:
1280         if (ca_sk != NULL) sk_pop_free(ca_sk,X509_NAME_free);
1281         return(ret);
1282         }
1283
1284 static int ca_dn_cmp(a,b)
1285 X509_NAME **a,**b;
1286         {
1287         return(X509_NAME_cmp(*a,*b));
1288         }
1289
1290 static int ssl3_get_server_done(s)
1291 SSL *s;
1292         {
1293         int ok,ret=0;
1294         long n;
1295
1296         n=ssl3_get_message(s,
1297                 SSL3_ST_CR_SRVR_DONE_A,
1298                 SSL3_ST_CR_SRVR_DONE_B,
1299                 SSL3_MT_SERVER_DONE,
1300                 30, /* should be very small, like 0 :-) */
1301                 &ok);
1302
1303         if (!ok) return((int)n);
1304         if (n > 0)
1305                 {
1306                 /* should contain no data */
1307                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1308                 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1309                 }
1310         ret=1;
1311         return(ret);
1312         }
1313
1314 static int ssl3_send_client_key_exchange(s)
1315 SSL *s;
1316         {
1317         unsigned char *p,*q,*d;
1318         int n;
1319         unsigned long l;
1320         EVP_PKEY *pkey=NULL;
1321
1322         if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1323                 {
1324                 d=(unsigned char *)s->init_buf->data;
1325                 p= &(d[4]);
1326
1327                 l=s->s3->tmp.new_cipher->algorithms;
1328
1329 #ifndef NO_RSA
1330                 if (l & SSL_kRSA)
1331                         {
1332                         RSA *rsa;
1333                         unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1334
1335                         if (s->session->cert->rsa_tmp != NULL)
1336                                 rsa=s->session->cert->rsa_tmp;
1337                         else
1338                                 {
1339                                 pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509);
1340                                 if ((pkey == NULL) ||
1341                                         (pkey->type != EVP_PKEY_RSA) ||
1342                                         (pkey->pkey.rsa == NULL))
1343                                         {
1344                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1345                                         goto err;
1346                                         }
1347                                 rsa=pkey->pkey.rsa;
1348                                 }
1349                                 
1350                         tmp_buf[0]=s->client_version>>8;
1351                         tmp_buf[1]=s->client_version&0xff;
1352                         RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1353
1354                         s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
1355
1356                         q=p;
1357                         /* Fix buf for TLS and beyond */
1358                         if (s->version > SSL3_VERSION)
1359                                 p+=2;
1360                         n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
1361                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1362 #ifdef PKCS1_CHECK
1363                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1364                         if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1365 #endif
1366                         if (n <= 0)
1367                                 {
1368                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1369                                 goto err;
1370                                 }
1371
1372                         /* Fix buf for TLS and beyond */
1373                         if (s->version > SSL3_VERSION)
1374                                 {
1375                                 s2n(n,q);
1376                                 n+=2;
1377                                 }
1378
1379                         s->session->master_key_length=
1380                                 s->method->ssl3_enc->generate_master_secret(s,
1381                                         s->session->master_key,
1382                                         tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
1383                         memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
1384                         }
1385                 else
1386 #endif
1387 #ifndef NO_DH
1388                 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1389                         {
1390                         DH *dh_srvr,*dh_clnt;
1391
1392                         if (s->session->cert->dh_tmp != NULL)
1393                                 dh_srvr=s->session->cert->dh_tmp;
1394                         else
1395                                 {
1396                                 /* we get them from the cert */
1397                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1398                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1399                                 goto err;
1400                                 }
1401                         
1402                         /* generate a new random key */
1403                         if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
1404                                 {
1405                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1406                                 goto err;
1407                                 }
1408                         if (!DH_generate_key(dh_clnt))
1409                                 {
1410                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1411                                 goto err;
1412                                 }
1413
1414                         /* use the 'p' output buffer for the DH key, but
1415                          * make sure to clear it out afterwards */
1416
1417                         n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
1418
1419                         if (n <= 0)
1420                                 {
1421                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1422                                 goto err;
1423                                 }
1424
1425                         /* generate master key from the result */
1426                         s->session->master_key_length=
1427                                 s->method->ssl3_enc->generate_master_secret(s,
1428                                         s->session->master_key,p,n);
1429                         /* clean up */
1430                         memset(p,0,n);
1431
1432                         /* send off the data */
1433                         n=BN_num_bytes(dh_clnt->pub_key);
1434                         s2n(n,p);
1435                         BN_bn2bin(dh_clnt->pub_key,p);
1436                         n+=2;
1437
1438                         DH_free(dh_clnt);
1439
1440                         /* perhaps clean things up a bit EAY EAY EAY EAY*/
1441                         }
1442                 else
1443 #endif
1444                         {
1445                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1446                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1447                         goto err;
1448                         }
1449                 
1450                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
1451                 l2n3(n,d);
1452
1453                 s->state=SSL3_ST_CW_KEY_EXCH_B;
1454                 /* number of bytes to write */
1455                 s->init_num=n+4;
1456                 s->init_off=0;
1457                 }
1458
1459         /* SSL3_ST_CW_KEY_EXCH_B */
1460         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1461 err:
1462         return(-1);
1463         }
1464
1465 static int ssl3_send_client_verify(s)
1466 SSL *s;
1467         {
1468         unsigned char *p,*d;
1469         unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
1470         EVP_PKEY *pkey;
1471         int i=0;
1472         unsigned long n;
1473 #ifndef NO_DSA
1474         int j;
1475 #endif
1476
1477         if (s->state == SSL3_ST_CW_CERT_VRFY_A)
1478                 {
1479                 d=(unsigned char *)s->init_buf->data;
1480                 p= &(d[4]);
1481                 pkey=s->cert->key->privatekey;
1482
1483                 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
1484                         &(data[MD5_DIGEST_LENGTH]));
1485
1486 #ifndef NO_RSA
1487                 if (pkey->type == EVP_PKEY_RSA)
1488                         {
1489                         s->method->ssl3_enc->cert_verify_mac(s,
1490                                 &(s->s3->finish_dgst1),&(data[0]));
1491                         i=RSA_private_encrypt(
1492                                 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
1493                                 data,&(p[2]),pkey->pkey.rsa,
1494                                 RSA_PKCS1_PADDING);
1495                         if (i <= 0)
1496                                 {
1497                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
1498                                 goto err;
1499                                 }
1500                         s2n(i,p);
1501                         n=i+2;
1502                         }
1503                 else
1504 #endif
1505 #ifndef NO_DSA
1506                         if (pkey->type == EVP_PKEY_DSA)
1507                         {
1508                         if (!DSA_sign(pkey->save_type,
1509                                 &(data[MD5_DIGEST_LENGTH]),
1510                                 SHA_DIGEST_LENGTH,&(p[2]),
1511                                 (unsigned int *)&j,pkey->pkey.dsa))
1512                                 {
1513                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
1514                                 goto err;
1515                                 }
1516                         s2n(j,p);
1517                         n=j+2;
1518                         }
1519                 else
1520 #endif
1521                         {
1522                         SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR);
1523                         goto err;
1524                         }
1525                 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
1526                 l2n3(n,d);
1527
1528                 s->init_num=(int)n+4;
1529                 s->init_off=0;
1530                 }
1531         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1532 err:
1533         return(-1);
1534         }
1535
1536 static int ssl3_send_client_certificate(s)
1537 SSL *s;
1538         {
1539         X509 *x509=NULL;
1540         EVP_PKEY *pkey=NULL;
1541         int i;
1542         unsigned long l;
1543
1544         if (s->state == SSL3_ST_CW_CERT_A)
1545                 {
1546                 if ((s->cert == NULL) ||
1547                         (s->cert->key->x509 == NULL) ||
1548                         (s->cert->key->privatekey == NULL))
1549                         s->state=SSL3_ST_CW_CERT_B;
1550                 else
1551                         s->state=SSL3_ST_CW_CERT_C;
1552                 }
1553
1554         /* We need to get a client cert */
1555         if (s->state == SSL3_ST_CW_CERT_B)
1556                 {
1557                 /* If we get an error, we need to
1558                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
1559                  * We then get retied later */
1560                 i=0;
1561                 if (s->ctx->client_cert_cb != NULL)
1562                         i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
1563                 if (i < 0)
1564                         {
1565                         s->rwstate=SSL_X509_LOOKUP;
1566                         return(-1);
1567                         }
1568                 s->rwstate=SSL_NOTHING;
1569                 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
1570                         {
1571                         s->state=SSL3_ST_CW_CERT_B;
1572                         if (    !SSL_use_certificate(s,x509) ||
1573                                 !SSL_use_PrivateKey(s,pkey))
1574                                 i=0;
1575                         }
1576                 else if (i == 1)
1577                         {
1578                         i=0;
1579                         SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
1580                         }
1581
1582                 if (x509 != NULL) X509_free(x509);
1583                 if (pkey != NULL) EVP_PKEY_free(pkey);
1584                 if (i == 0)
1585                         {
1586                         if (s->version == SSL3_VERSION)
1587                                 {
1588                                 s->s3->tmp.cert_req=0;
1589                                 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
1590                                 return(1);
1591                                 }
1592                         else
1593                                 {
1594                                 s->s3->tmp.cert_req=2;
1595                                 }
1596                         }
1597
1598                 /* Ok, we have a cert */
1599                 s->state=SSL3_ST_CW_CERT_C;
1600                 }
1601
1602         if (s->state == SSL3_ST_CW_CERT_C)
1603                 {
1604                 s->state=SSL3_ST_CW_CERT_D;
1605                 l=ssl3_output_cert_chain(s,
1606                         (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
1607                 s->init_num=(int)l;
1608                 s->init_off=0;
1609                 }
1610         /* SSL3_ST_CW_CERT_D */
1611         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1612         }
1613
1614 #define has_bits(i,m)   (((i)&(m)) == (m))
1615
1616 static int ssl3_check_cert_and_algorithm(s)
1617 SSL *s;
1618         {
1619         int i,idx;
1620         long algs;
1621         EVP_PKEY *pkey=NULL;
1622         CERT *c;
1623         RSA *rsa;
1624         DH *dh;
1625
1626         c=s->session->cert;
1627
1628         if (c == NULL)
1629                 {
1630                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR);
1631                 goto err;
1632                 }
1633
1634         algs=s->s3->tmp.new_cipher->algorithms;
1635
1636         /* we don't have a certificate */
1637         if (algs & (SSL_aDH|SSL_aNULL))
1638                 return(1);
1639
1640         rsa=s->session->cert->rsa_tmp;
1641         dh=s->session->cert->dh_tmp;
1642
1643         /* This is the passed certificate */
1644
1645         idx=c->cert_type;
1646         pkey=X509_get_pubkey(c->pkeys[idx].x509);
1647         i=X509_certificate_type(c->pkeys[idx].x509,pkey);
1648         EVP_PKEY_free(pkey);
1649
1650         
1651         /* Check that we have a certificate if we require one */
1652         if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
1653                 {
1654                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
1655                 goto f_err;
1656                 }
1657 #ifndef NO_DSA
1658         else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
1659                 {
1660                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
1661                 goto f_err;
1662                 }
1663 #endif
1664
1665         if ((algs & SSL_kRSA) &&
1666                 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
1667                 {
1668                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
1669                 goto f_err;
1670                 }
1671 #ifndef NO_DH
1672         else if ((algs & SSL_kEDH) &&
1673                 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
1674                 {
1675                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
1676                 goto f_err;
1677                 }
1678         else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
1679                 {
1680                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
1681                 goto f_err;
1682                 }
1683 #ifndef NO_DSA
1684         else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
1685                 {
1686                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
1687                 goto f_err;
1688                 }
1689 #endif
1690 #endif
1691
1692         if ((algs & SSL_EXP) && !has_bits(i,EVP_PKT_EXP))
1693                 {
1694 #ifndef NO_RSA
1695                 if (algs & SSL_kRSA)
1696                         {
1697                         if ((rsa == NULL) || (RSA_size(rsa) > 512))
1698                                 {
1699                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
1700                                 goto f_err;
1701                                 }
1702                         }
1703                 else
1704 #endif
1705 #ifndef NO_DH
1706                         if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1707                         {
1708                         if ((dh == NULL) || (DH_size(dh) > 512))
1709                                 {
1710                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
1711                                 goto f_err;
1712                                 }
1713                         }
1714                 else
1715 #endif
1716                         {
1717                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1718                         goto f_err;
1719                         }
1720                 }
1721         return(1);
1722 f_err:
1723         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1724 err:
1725         return(0);
1726         }
1727