cec0e3b35ae5e7b27649e444e9924aef3e077119
[openssl.git] / ssl / s3_clnt.c
1 /* ssl/s3_clnt.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include <openssl/buffer.h>
61 #include <openssl/rand.h>
62 #include <openssl/objects.h>
63 #include <openssl/md5.h>
64 #include <openssl/sha.h>
65 #include <openssl/evp.h>
66 #include "ssl_locl.h"
67
68 static SSL_METHOD *ssl3_get_client_method(int ver);
69 static int ssl3_client_hello(SSL *s);
70 static int ssl3_get_server_hello(SSL *s);
71 static int ssl3_get_certificate_request(SSL *s);
72 static int ca_dn_cmp(X509_NAME **a,X509_NAME **b);
73 static int ssl3_get_server_done(SSL *s);
74 static int ssl3_send_client_verify(SSL *s);
75 static int ssl3_send_client_certificate(SSL *s);
76 static int ssl3_send_client_key_exchange(SSL *s);
77 static int ssl3_get_key_exchange(SSL *s);
78 static int ssl3_get_server_certificate(SSL *s);
79 static int ssl3_check_cert_and_algorithm(SSL *s);
80 static SSL_METHOD *ssl3_get_client_method(int ver)
81         {
82         if (ver == SSL3_VERSION)
83                 return(SSLv3_client_method());
84         else
85                 return(NULL);
86         }
87
88 SSL_METHOD *SSLv3_client_method(void)
89         {
90         static int init=1;
91         static SSL_METHOD SSLv3_client_data;
92
93         if (init)
94                 {
95                 init=0;
96                 memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
97                         sizeof(SSL_METHOD));
98                 SSLv3_client_data.ssl_connect=ssl3_connect;
99                 SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
100                 }
101         return(&SSLv3_client_data);
102         }
103
104 int ssl3_connect(SSL *s)
105         {
106         BUF_MEM *buf;
107         unsigned long Time=time(NULL),l;
108         long num1;
109         void (*cb)()=NULL;
110         int ret= -1;
111         int new_state,state,skip=0;;
112
113         RAND_add(&Time,sizeof(Time),0);
114         ERR_clear_error();
115         clear_sys_error();
116
117         if (s->info_callback != NULL)
118                 cb=s->info_callback;
119         else if (s->ctx->info_callback != NULL)
120                 cb=s->ctx->info_callback;
121         
122         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
123         s->in_handshake++;
124
125         for (;;)
126                 {
127                 state=s->state;
128
129                 switch(s->state)
130                         {
131                 case SSL_ST_RENEGOTIATE:
132                         s->new_session=1;
133                         s->state=SSL_ST_CONNECT;
134                         s->ctx->stats.sess_connect_renegotiate++;
135                         /* break */
136                 case SSL_ST_BEFORE:
137                 case SSL_ST_CONNECT:
138                 case SSL_ST_BEFORE|SSL_ST_CONNECT:
139                 case SSL_ST_OK|SSL_ST_CONNECT:
140
141                         s->server=0;
142                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
143
144                         if ((s->version & 0xff00 ) != 0x0300)
145                                 abort();
146                         /* s->version=SSL3_VERSION; */
147                         s->type=SSL_ST_CONNECT;
148
149                         if (s->init_buf == NULL)
150                                 {
151                                 if ((buf=BUF_MEM_new()) == NULL)
152                                         {
153                                         ret= -1;
154                                         goto end;
155                                         }
156                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
157                                         {
158                                         ret= -1;
159                                         goto end;
160                                         }
161                                 s->init_buf=buf;
162                                 }
163
164                         if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
165
166                         /* setup buffing BIO */
167                         if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
168
169                         /* don't push the buffering BIO quite yet */
170
171                         ssl3_init_finished_mac(s);
172
173                         s->state=SSL3_ST_CW_CLNT_HELLO_A;
174                         s->ctx->stats.sess_connect++;
175                         s->init_num=0;
176                         break;
177
178                 case SSL3_ST_CW_CLNT_HELLO_A:
179                 case SSL3_ST_CW_CLNT_HELLO_B:
180
181                         s->shutdown=0;
182                         ret=ssl3_client_hello(s);
183                         if (ret <= 0) goto end;
184                         s->state=SSL3_ST_CR_SRVR_HELLO_A;
185                         s->init_num=0;
186
187                         /* turn on buffering for the next lot of output */
188                         if (s->bbio != s->wbio)
189                                 s->wbio=BIO_push(s->bbio,s->wbio);
190
191                         break;
192
193                 case SSL3_ST_CR_SRVR_HELLO_A:
194                 case SSL3_ST_CR_SRVR_HELLO_B:
195                         ret=ssl3_get_server_hello(s);
196                         if (ret <= 0) goto end;
197                         if (s->hit)
198                                 s->state=SSL3_ST_CR_FINISHED_A;
199                         else
200                                 s->state=SSL3_ST_CR_CERT_A;
201                         s->init_num=0;
202                         break;
203
204                 case SSL3_ST_CR_CERT_A:
205                 case SSL3_ST_CR_CERT_B:
206                         /* Check if it is anon DH */
207                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
208                                 {
209                                 ret=ssl3_get_server_certificate(s);
210                                 if (ret <= 0) goto end;
211                                 }
212                         else
213                                 skip=1;
214                         s->state=SSL3_ST_CR_KEY_EXCH_A;
215                         s->init_num=0;
216                         break;
217
218                 case SSL3_ST_CR_KEY_EXCH_A:
219                 case SSL3_ST_CR_KEY_EXCH_B:
220                         ret=ssl3_get_key_exchange(s);
221                         if (ret <= 0) goto end;
222                         s->state=SSL3_ST_CR_CERT_REQ_A;
223                         s->init_num=0;
224
225                         /* at this point we check that we have the
226                          * required stuff from the server */
227                         if (!ssl3_check_cert_and_algorithm(s))
228                                 {
229                                 ret= -1;
230                                 goto end;
231                                 }
232                         break;
233
234                 case SSL3_ST_CR_CERT_REQ_A:
235                 case SSL3_ST_CR_CERT_REQ_B:
236                         ret=ssl3_get_certificate_request(s);
237                         if (ret <= 0) goto end;
238                         s->state=SSL3_ST_CR_SRVR_DONE_A;
239                         s->init_num=0;
240                         break;
241
242                 case SSL3_ST_CR_SRVR_DONE_A:
243                 case SSL3_ST_CR_SRVR_DONE_B:
244                         ret=ssl3_get_server_done(s);
245                         if (ret <= 0) goto end;
246                         if (s->s3->tmp.cert_req)
247                                 s->state=SSL3_ST_CW_CERT_A;
248                         else
249                                 s->state=SSL3_ST_CW_KEY_EXCH_A;
250                         s->init_num=0;
251
252                         break;
253
254                 case SSL3_ST_CW_CERT_A:
255                 case SSL3_ST_CW_CERT_B:
256                 case SSL3_ST_CW_CERT_C:
257                 case SSL3_ST_CW_CERT_D:
258                         ret=ssl3_send_client_certificate(s);
259                         if (ret <= 0) goto end;
260                         s->state=SSL3_ST_CW_KEY_EXCH_A;
261                         s->init_num=0;
262                         break;
263
264                 case SSL3_ST_CW_KEY_EXCH_A:
265                 case SSL3_ST_CW_KEY_EXCH_B:
266                         ret=ssl3_send_client_key_exchange(s);
267                         if (ret <= 0) goto end;
268                         l=s->s3->tmp.new_cipher->algorithms;
269                         /* EAY EAY EAY need to check for DH fix cert
270                          * sent back */
271                         /* For TLS, cert_req is set to 2, so a cert chain
272                          * of nothing is sent, but no verify packet is sent */
273                         if (s->s3->tmp.cert_req == 1)
274                                 {
275                                 s->state=SSL3_ST_CW_CERT_VRFY_A;
276                                 }
277                         else
278                                 {
279                                 s->state=SSL3_ST_CW_CHANGE_A;
280                                 s->s3->change_cipher_spec=0;
281                                 }
282
283                         s->init_num=0;
284                         break;
285
286                 case SSL3_ST_CW_CERT_VRFY_A:
287                 case SSL3_ST_CW_CERT_VRFY_B:
288                         ret=ssl3_send_client_verify(s);
289                         if (ret <= 0) goto end;
290                         s->state=SSL3_ST_CW_CHANGE_A;
291                         s->init_num=0;
292                         s->s3->change_cipher_spec=0;
293                         break;
294
295                 case SSL3_ST_CW_CHANGE_A:
296                 case SSL3_ST_CW_CHANGE_B:
297                         ret=ssl3_send_change_cipher_spec(s,
298                                 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
299                         if (ret <= 0) goto end;
300                         s->state=SSL3_ST_CW_FINISHED_A;
301                         s->init_num=0;
302
303                         s->session->cipher=s->s3->tmp.new_cipher;
304                         if (s->s3->tmp.new_compression == NULL)
305                                 s->session->compress_meth=0;
306                         else
307                                 s->session->compress_meth=
308                                         s->s3->tmp.new_compression->id;
309                         if (!s->method->ssl3_enc->setup_key_block(s))
310                                 {
311                                 ret= -1;
312                                 goto end;
313                                 }
314
315                         if (!s->method->ssl3_enc->change_cipher_state(s,
316                                 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
317                                 {
318                                 ret= -1;
319                                 goto end;
320                                 }
321
322                         break;
323
324                 case SSL3_ST_CW_FINISHED_A:
325                 case SSL3_ST_CW_FINISHED_B:
326                         ret=ssl3_send_finished(s,
327                                 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
328                                 s->method->ssl3_enc->client_finished_label,
329                                 s->method->ssl3_enc->client_finished_label_len);
330                         if (ret <= 0) goto end;
331                         s->state=SSL3_ST_CW_FLUSH;
332
333                         /* clear flags */
334                         s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
335                         if (s->hit)
336                                 {
337                                 s->s3->tmp.next_state=SSL_ST_OK;
338                                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
339                                         {
340                                         s->state=SSL_ST_OK;
341                                         s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
342                                         s->s3->delay_buf_pop_ret=0;
343                                         }
344                                 }
345                         else
346                                 {
347                                 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
348                                 }
349                         s->init_num=0;
350                         break;
351
352                 case SSL3_ST_CR_FINISHED_A:
353                 case SSL3_ST_CR_FINISHED_B:
354
355                         ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
356                                 SSL3_ST_CR_FINISHED_B);
357                         if (ret <= 0) goto end;
358
359                         if (s->hit)
360                                 s->state=SSL3_ST_CW_CHANGE_A;
361                         else
362                                 s->state=SSL_ST_OK;
363                         s->init_num=0;
364                         break;
365
366                 case SSL3_ST_CW_FLUSH:
367                         /* number of bytes to be flushed */
368                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
369                         if (num1 > 0)
370                                 {
371                                 s->rwstate=SSL_WRITING;
372                                 num1=BIO_flush(s->wbio);
373                                 if (num1 <= 0) { ret= -1; goto end; }
374                                 s->rwstate=SSL_NOTHING;
375                                 }
376
377                         s->state=s->s3->tmp.next_state;
378                         break;
379
380                 case SSL_ST_OK:
381                         /* clean a few things up */
382                         ssl3_cleanup_key_block(s);
383
384                         if (s->init_buf != NULL)
385                                 {
386                                 BUF_MEM_free(s->init_buf);
387                                 s->init_buf=NULL;
388                                 }
389
390                         /* If we are not 'joining' the last two packets,
391                          * remove the buffering now */
392                         if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
393                                 ssl_free_wbio_buffer(s);
394                         /* else do it later in ssl3_write */
395
396                         s->init_num=0;
397                         s->new_session=0;
398
399                         ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
400                         if (s->hit) s->ctx->stats.sess_hit++;
401
402                         ret=1;
403                         /* s->server=0; */
404                         s->handshake_func=ssl3_connect;
405                         s->ctx->stats.sess_connect_good++;
406
407                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
408
409                         goto end;
410                         /* break; */
411                         
412                 default:
413                         SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
414                         ret= -1;
415                         goto end;
416                         /* break; */
417                         }
418
419                 /* did we do anything */
420                 if (!s->s3->tmp.reuse_message && !skip)
421                         {
422                         if (s->debug)
423                                 {
424                                 if ((ret=BIO_flush(s->wbio)) <= 0)
425                                         goto end;
426                                 }
427
428                         if ((cb != NULL) && (s->state != state))
429                                 {
430                                 new_state=s->state;
431                                 s->state=state;
432                                 cb(s,SSL_CB_CONNECT_LOOP,1);
433                                 s->state=new_state;
434                                 }
435                         }
436                 skip=0;
437                 }
438 end:
439         if (cb != NULL)
440                 cb(s,SSL_CB_CONNECT_EXIT,ret);
441         s->in_handshake--;
442         return(ret);
443         }
444
445
446 static int ssl3_client_hello(SSL *s)
447         {
448         unsigned char *buf;
449         unsigned char *p,*d;
450         int i,j;
451         unsigned long Time,l;
452         SSL_COMP *comp;
453
454         buf=(unsigned char *)s->init_buf->data;
455         if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
456                 {
457                 if ((s->session == NULL) ||
458                         (s->session->ssl_version != s->version) ||
459                         (s->session->not_resumable))
460                         {
461                         if (!ssl_get_new_session(s,0))
462                                 goto err;
463                         }
464                 /* else use the pre-loaded session */
465
466                 p=s->s3->client_random;
467                 Time=time(NULL);                        /* Time */
468                 l2n(Time,p);
469                 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
470
471                 /* Do the message type and length last */
472                 d=p= &(buf[4]);
473
474                 *(p++)=s->version>>8;
475                 *(p++)=s->version&0xff;
476                 s->client_version=s->version;
477
478                 /* Random stuff */
479                 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
480                 p+=SSL3_RANDOM_SIZE;
481
482                 /* Session ID */
483                 if (s->new_session)
484                         i=0;
485                 else
486                         i=s->session->session_id_length;
487                 *(p++)=i;
488                 if (i != 0)
489                         {
490                         memcpy(p,s->session->session_id,i);
491                         p+=i;
492                         }
493                 
494                 /* Ciphers supported */
495                 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
496                 if (i == 0)
497                         {
498                         SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
499                         goto err;
500                         }
501                 s2n(i,p);
502                 p+=i;
503
504                 /* COMPRESSION */
505                 if (s->ctx->comp_methods == NULL)
506                         j=0;
507                 else
508                         j=sk_SSL_COMP_num(s->ctx->comp_methods);
509                 *(p++)=1+j;
510                 for (i=0; i<j; i++)
511                         {
512                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
513                         *(p++)=comp->id;
514                         }
515                 *(p++)=0; /* Add the NULL method */
516                 
517                 l=(p-d);
518                 d=buf;
519                 *(d++)=SSL3_MT_CLIENT_HELLO;
520                 l2n3(l,d);
521
522                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
523                 /* number of bytes to write */
524                 s->init_num=p-buf;
525                 s->init_off=0;
526                 }
527
528         /* SSL3_ST_CW_CLNT_HELLO_B */
529         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
530 err:
531         return(-1);
532         }
533
534 static int ssl3_get_server_hello(SSL *s)
535         {
536         STACK_OF(SSL_CIPHER) *sk;
537         SSL_CIPHER *c;
538         unsigned char *p,*d;
539         int i,al,ok;
540         unsigned int j;
541         long n;
542         SSL_COMP *comp;
543
544         n=ssl3_get_message(s,
545                 SSL3_ST_CR_SRVR_HELLO_A,
546                 SSL3_ST_CR_SRVR_HELLO_B,
547                 SSL3_MT_SERVER_HELLO,
548                 300, /* ?? */
549                 &ok);
550
551         if (!ok) return((int)n);
552         d=p=(unsigned char *)s->init_buf->data;
553
554         if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
555                 {
556                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
557                 s->version=(s->version&0xff00)|p[1];
558                 al=SSL_AD_PROTOCOL_VERSION;
559                 goto f_err;
560                 }
561         p+=2;
562
563         /* load the server hello data */
564         /* load the server random */
565         memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
566         p+=SSL3_RANDOM_SIZE;
567
568         /* get the session-id */
569         j= *(p++);
570
571         if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
572                 {
573                 /* SSLref returns 16 :-( */
574                 if (j < SSL2_SSL_SESSION_ID_LENGTH)
575                         {
576                         al=SSL_AD_ILLEGAL_PARAMETER;
577                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
578                         goto f_err;
579                         }
580                 }
581         if (j != 0 && j == s->session->session_id_length
582             && memcmp(p,s->session->session_id,j) == 0)
583             {
584             if(s->sid_ctx_length != s->session->sid_ctx_length
585                || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
586                 {
587                 al=SSL_AD_ILLEGAL_PARAMETER;
588                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
589                 goto f_err;
590                 }
591             s->hit=1;
592             }
593         else    /* a miss or crap from the other end */
594                 {
595                 /* If we were trying for session-id reuse, make a new
596                  * SSL_SESSION so we don't stuff up other people */
597                 s->hit=0;
598                 if (s->session->session_id_length > 0)
599                         {
600                         if (!ssl_get_new_session(s,0))
601                                 {
602                                 al=SSL_AD_INTERNAL_ERROR;
603                                 goto f_err;
604                                 }
605                         }
606                 s->session->session_id_length=j;
607                 memcpy(s->session->session_id,p,j); /* j could be 0 */
608                 }
609         p+=j;
610         c=ssl_get_cipher_by_char(s,p);
611         if (c == NULL)
612                 {
613                 /* unknown cipher */
614                 al=SSL_AD_ILLEGAL_PARAMETER;
615                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
616                 goto f_err;
617                 }
618         p+=ssl_put_cipher_by_char(s,NULL,NULL);
619
620         sk=ssl_get_ciphers_by_id(s);
621         i=sk_SSL_CIPHER_find(sk,c);
622         if (i < 0)
623                 {
624                 /* we did not say we would use this cipher */
625                 al=SSL_AD_ILLEGAL_PARAMETER;
626                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
627                 goto f_err;
628                 }
629
630         if (s->hit && (s->session->cipher != c))
631                 {
632                 if (!(s->options &
633                         SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
634                         {
635                         al=SSL_AD_ILLEGAL_PARAMETER;
636                         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
637                         goto f_err;
638                         }
639                 }
640         s->s3->tmp.new_cipher=c;
641
642         /* lets get the compression algorithm */
643         /* COMPRESSION */
644         j= *(p++);
645         if (j == 0)
646                 comp=NULL;
647         else
648                 comp=ssl3_comp_find(s->ctx->comp_methods,j);
649         
650         if ((j != 0) && (comp == NULL))
651                 {
652                 al=SSL_AD_ILLEGAL_PARAMETER;
653                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
654                 goto f_err;
655                 }
656         else
657                 {
658                 s->s3->tmp.new_compression=comp;
659                 }
660
661         if (p != (d+n))
662                 {
663                 /* wrong packet length */
664                 al=SSL_AD_DECODE_ERROR;
665                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
666                 goto err;
667                 }
668
669         return(1);
670 f_err:
671         ssl3_send_alert(s,SSL3_AL_FATAL,al);
672 err:
673         return(-1);
674         }
675
676 static int ssl3_get_server_certificate(SSL *s)
677         {
678         int al,i,ok,ret= -1;
679         unsigned long n,nc,llen,l;
680         X509 *x=NULL;
681         unsigned char *p,*d,*q;
682         STACK_OF(X509) *sk=NULL;
683         SESS_CERT *sc;
684         EVP_PKEY *pkey=NULL;
685
686         n=ssl3_get_message(s,
687                 SSL3_ST_CR_CERT_A,
688                 SSL3_ST_CR_CERT_B,
689                 -1,
690 #if defined(MSDOS) && !defined(WIN32)
691                 1024*30, /* 30k max cert list :-) */
692 #else
693                 1024*100, /* 100k max cert list :-) */
694 #endif
695                 &ok);
696
697         if (!ok) return((int)n);
698
699         if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
700                 {
701                 s->s3->tmp.reuse_message=1;
702                 return(1);
703                 }
704
705         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
706                 {
707                 al=SSL_AD_UNEXPECTED_MESSAGE;
708                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
709                 goto f_err;
710                 }
711         d=p=(unsigned char *)s->init_buf->data;
712
713         if ((sk=sk_X509_new_null()) == NULL)
714                 {
715                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
716                 goto err;
717                 }
718
719         n2l3(p,llen);
720         if (llen+3 != n)
721                 {
722                 al=SSL_AD_DECODE_ERROR;
723                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
724                 goto f_err;
725                 }
726         for (nc=0; nc<llen; )
727                 {
728                 n2l3(p,l);
729                 if ((l+nc+3) > llen)
730                         {
731                         al=SSL_AD_DECODE_ERROR;
732                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
733                         goto f_err;
734                         }
735
736                 q=p;
737                 x=d2i_X509(NULL,&q,l);
738                 if (x == NULL)
739                         {
740                         al=SSL_AD_BAD_CERTIFICATE;
741                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
742                         goto f_err;
743                         }
744                 if (q != (p+l))
745                         {
746                         al=SSL_AD_DECODE_ERROR;
747                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
748                         goto f_err;
749                         }
750                 if (!sk_X509_push(sk,x))
751                         {
752                         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
753                         goto err;
754                         }
755                 x=NULL;
756                 nc+=l+3;
757                 p=q;
758                 }
759
760         i=ssl_verify_cert_chain(s,sk);
761         if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
762                 {
763                 al=ssl_verify_alarm_type(s->verify_result);
764                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
765                 goto f_err; 
766                 }
767
768         sc=ssl_sess_cert_new();
769         if (sc == NULL) goto err;
770
771         if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
772         s->session->sess_cert=sc;
773
774         sc->cert_chain=sk;
775         x=sk_X509_value(sk,0);
776         sk=NULL;
777
778         pkey=X509_get_pubkey(x);
779
780         if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
781                 {
782                 x=NULL;
783                 al=SSL3_AL_FATAL;
784                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
785                 goto f_err;
786                 }
787
788         i=ssl_cert_type(x,pkey);
789         if (i < 0)
790                 {
791                 x=NULL;
792                 al=SSL3_AL_FATAL;
793                 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
794                 goto f_err;
795                 }
796
797         sc->peer_cert_type=i;
798         CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
799         if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen?
800                                                                                  * We just created sc a couple of
801                                                                                  * lines ago. */
802                 X509_free(sc->peer_pkeys[i].x509);
803         sc->peer_pkeys[i].x509=x;
804         sc->peer_key= &(sc->peer_pkeys[i]);
805
806         if (s->session->peer != NULL)
807                 X509_free(s->session->peer);
808         CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
809         s->session->peer=x;
810
811         x=NULL;
812         ret=1;
813
814         if (0)
815                 {
816 f_err:
817                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
818                 }
819 err:
820         EVP_PKEY_free(pkey);
821         X509_free(x);
822         sk_X509_pop_free(sk,X509_free);
823         return(ret);
824         }
825
826 static int ssl3_get_key_exchange(SSL *s)
827         {
828 #ifndef NO_RSA
829         unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
830 #endif
831         EVP_MD_CTX md_ctx;
832         unsigned char *param,*p;
833         int al,i,j,param_len,ok;
834         long n,alg;
835         EVP_PKEY *pkey=NULL;
836 #ifndef NO_RSA
837         RSA *rsa=NULL;
838 #endif
839 #ifndef NO_DH
840         DH *dh=NULL;
841 #endif
842
843         n=ssl3_get_message(s,
844                 SSL3_ST_CR_KEY_EXCH_A,
845                 SSL3_ST_CR_KEY_EXCH_B,
846                 -1,
847                 1024*8, /* ?? */
848                 &ok);
849
850         if (!ok) return((int)n);
851
852         if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
853                 {
854                 s->s3->tmp.reuse_message=1;
855                 return(1);
856                 }
857
858         param=p=(unsigned char *)s->init_buf->data;
859
860         if (s->session->sess_cert != NULL)
861                 {
862 #ifndef NO_RSA
863                 if (s->session->sess_cert->peer_rsa_tmp != NULL)
864                         {
865                         RSA_free(s->session->sess_cert->peer_rsa_tmp);
866                         s->session->sess_cert->peer_rsa_tmp=NULL;
867                         }
868 #endif
869 #ifndef NO_DH
870                 if (s->session->sess_cert->peer_dh_tmp)
871                         {
872                         DH_free(s->session->sess_cert->peer_dh_tmp);
873                         s->session->sess_cert->peer_dh_tmp=NULL;
874                         }
875 #endif
876                 }
877         else
878                 {
879                 s->session->sess_cert=ssl_sess_cert_new();
880                 }
881
882         param_len=0;
883         alg=s->s3->tmp.new_cipher->algorithms;
884
885 #ifndef NO_RSA
886         if (alg & SSL_kRSA)
887                 {
888                 if ((rsa=RSA_new()) == NULL)
889                         {
890                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
891                         goto err;
892                         }
893                 n2s(p,i);
894                 param_len=i+2;
895                 if (param_len > n)
896                         {
897                         al=SSL_AD_DECODE_ERROR;
898                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
899                         goto f_err;
900                         }
901                 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
902                         {
903                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
904                         goto err;
905                         }
906                 p+=i;
907
908                 n2s(p,i);
909                 param_len+=i+2;
910                 if (param_len > n)
911                         {
912                         al=SSL_AD_DECODE_ERROR;
913                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
914                         goto f_err;
915                         }
916                 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
917                         {
918                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
919                         goto err;
920                         }
921                 p+=i;
922                 n-=param_len;
923
924                 /* this should be because we are using an export cipher */
925                 if (alg & SSL_aRSA)
926                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
927                 else
928                         {
929                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
930                         goto err;
931                         }
932                 s->session->sess_cert->peer_rsa_tmp=rsa;
933                 rsa=NULL;
934                 }
935         else
936 #endif
937 #ifndef NO_DH
938                 if (alg & SSL_kEDH)
939                 {
940                 if ((dh=DH_new()) == NULL)
941                         {
942                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
943                         goto err;
944                         }
945                 n2s(p,i);
946                 param_len=i+2;
947                 if (param_len > n)
948                         {
949                         al=SSL_AD_DECODE_ERROR;
950                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
951                         goto f_err;
952                         }
953                 if (!(dh->p=BN_bin2bn(p,i,NULL)))
954                         {
955                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
956                         goto err;
957                         }
958                 p+=i;
959
960                 n2s(p,i);
961                 param_len+=i+2;
962                 if (param_len > n)
963                         {
964                         al=SSL_AD_DECODE_ERROR;
965                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
966                         goto f_err;
967                         }
968                 if (!(dh->g=BN_bin2bn(p,i,NULL)))
969                         {
970                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
971                         goto err;
972                         }
973                 p+=i;
974
975                 n2s(p,i);
976                 param_len+=i+2;
977                 if (param_len > n)
978                         {
979                         al=SSL_AD_DECODE_ERROR;
980                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
981                         goto f_err;
982                         }
983                 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
984                         {
985                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
986                         goto err;
987                         }
988                 p+=i;
989                 n-=param_len;
990
991 #ifndef NO_RSA
992                 if (alg & SSL_aRSA)
993                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
994                 else
995 #endif
996 #ifndef NO_DSA
997                 if (alg & SSL_aDSS)
998                         pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
999 #endif
1000                 /* else anonymous DH, so no certificate or pkey. */
1001
1002                 s->session->sess_cert->peer_dh_tmp=dh;
1003                 dh=NULL;
1004                 }
1005         else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
1006                 {
1007                 al=SSL_AD_ILLEGAL_PARAMETER;
1008                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1009                 goto f_err;
1010                 }
1011 #endif
1012         if (alg & SSL_aFZA)
1013                 {
1014                 al=SSL_AD_HANDSHAKE_FAILURE;
1015                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1016                 goto f_err;
1017                 }
1018
1019
1020         /* p points to the next byte, there are 'n' bytes left */
1021
1022
1023         /* if it was signed, check the signature */
1024         if (pkey != NULL)
1025                 {
1026                 n2s(p,i);
1027                 n-=2;
1028                 j=EVP_PKEY_size(pkey);
1029
1030                 if ((i != n) || (n > j) || (n <= 0))
1031                         {
1032                         /* wrong packet length */
1033                         al=SSL_AD_DECODE_ERROR;
1034                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1035                         goto f_err;
1036                         }
1037
1038 #ifndef NO_RSA
1039                 if (pkey->type == EVP_PKEY_RSA)
1040                         {
1041                         int num;
1042
1043                         j=0;
1044                         q=md_buf;
1045                         for (num=2; num > 0; num--)
1046                                 {
1047                                 EVP_DigestInit(&md_ctx,(num == 2)
1048                                         ?s->ctx->md5:s->ctx->sha1);
1049                                 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1050                                 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1051                                 EVP_DigestUpdate(&md_ctx,param,param_len);
1052                                 EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i);
1053                                 q+=i;
1054                                 j+=i;
1055                                 }
1056                         i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1057                                                                 pkey->pkey.rsa);
1058                         if (i < 0)
1059                                 {
1060                                 al=SSL_AD_DECRYPT_ERROR;
1061                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1062                                 goto f_err;
1063                                 }
1064                         if (i == 0)
1065                                 {
1066                                 /* bad signature */
1067                                 al=SSL_AD_DECRYPT_ERROR;
1068                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1069                                 goto f_err;
1070                                 }
1071                         }
1072                 else
1073 #endif
1074 #ifndef NO_DSA
1075                         if (pkey->type == EVP_PKEY_DSA)
1076                         {
1077                         /* lets do DSS */
1078                         EVP_VerifyInit(&md_ctx,EVP_dss1());
1079                         EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1080                         EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1081                         EVP_VerifyUpdate(&md_ctx,param,param_len);
1082                         if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
1083                                 {
1084                                 /* bad signature */
1085                                 al=SSL_AD_DECRYPT_ERROR;
1086                                 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1087                                 goto f_err;
1088                                 }
1089                         }
1090                 else
1091 #endif
1092                         {
1093                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1094                         goto err;
1095                         }
1096                 }
1097         else
1098                 {
1099                 /* still data left over */
1100                 if (!(alg & SSL_aNULL))
1101                         {
1102                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1103                         goto err;
1104                         }
1105                 if (n != 0)
1106                         {
1107                         al=SSL_AD_DECODE_ERROR;
1108                         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1109                         goto f_err;
1110                         }
1111                 }
1112         EVP_PKEY_free(pkey);
1113         return(1);
1114 f_err:
1115         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1116 err:
1117         EVP_PKEY_free(pkey);
1118 #ifndef NO_RSA
1119         if (rsa != NULL)
1120                 RSA_free(rsa);
1121 #endif
1122 #ifndef NO_DH
1123         if (dh != NULL)
1124                 DH_free(dh);
1125 #endif
1126         return(-1);
1127         }
1128
1129 static int ssl3_get_certificate_request(SSL *s)
1130         {
1131         int ok,ret=0;
1132         unsigned long n,nc,l;
1133         unsigned int llen,ctype_num,i;
1134         X509_NAME *xn=NULL;
1135         unsigned char *p,*d,*q;
1136         STACK_OF(X509_NAME) *ca_sk=NULL;
1137
1138         n=ssl3_get_message(s,
1139                 SSL3_ST_CR_CERT_REQ_A,
1140                 SSL3_ST_CR_CERT_REQ_B,
1141                 -1,
1142 #if defined(MSDOS) && !defined(WIN32)
1143                 1024*30,  /* 30k max cert list :-) */
1144 #else
1145                 1024*100, /* 100k max cert list :-) */
1146 #endif
1147                 &ok);
1148
1149         if (!ok) return((int)n);
1150
1151         s->s3->tmp.cert_req=0;
1152
1153         if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1154                 {
1155                 s->s3->tmp.reuse_message=1;
1156                 return(1);
1157                 }
1158
1159         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1160                 {
1161                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1162                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1163                 goto err;
1164                 }
1165
1166         /* TLS does not like anon-DH with client cert */
1167         if (s->version > SSL3_VERSION)
1168                 {
1169                 l=s->s3->tmp.new_cipher->algorithms;
1170                 if (l & SSL_aNULL)
1171                         {
1172                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1173                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1174                         goto err;
1175                         }
1176                 }
1177
1178         d=p=(unsigned char *)s->init_buf->data;
1179
1180         if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1181                 {
1182                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1183                 goto err;
1184                 }
1185
1186         /* get the certificate types */
1187         ctype_num= *(p++);
1188         if (ctype_num > SSL3_CT_NUMBER)
1189                 ctype_num=SSL3_CT_NUMBER;
1190         for (i=0; i<ctype_num; i++)
1191                 s->s3->tmp.ctype[i]= p[i];
1192         p+=ctype_num;
1193
1194         /* get the CA RDNs */
1195         n2s(p,llen);
1196 #if 0
1197 {
1198 FILE *out;
1199 out=fopen("/tmp/vsign.der","w");
1200 fwrite(p,1,llen,out);
1201 fclose(out);
1202 }
1203 #endif
1204
1205         if ((llen+ctype_num+2+1) != n)
1206                 {
1207                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1208                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1209                 goto err;
1210                 }
1211
1212         for (nc=0; nc<llen; )
1213                 {
1214                 n2s(p,l);
1215                 if ((l+nc+2) > llen)
1216                         {
1217                         if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1218                                 goto cont; /* netscape bugs */
1219                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1220                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1221                         goto err;
1222                         }
1223
1224                 q=p;
1225
1226                 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1227                         {
1228                         /* If netscape tollerance is on, ignore errors */
1229                         if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1230                                 goto cont;
1231                         else
1232                                 {
1233                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1234                                 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1235                                 goto err;
1236                                 }
1237                         }
1238
1239                 if (q != (p+l))
1240                         {
1241                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1242                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1243                         goto err;
1244                         }
1245                 if (!sk_X509_NAME_push(ca_sk,xn))
1246                         {
1247                         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1248                         goto err;
1249                         }
1250
1251                 p+=l;
1252                 nc+=l+2;
1253                 }
1254
1255         if (0)
1256                 {
1257 cont:
1258                 ERR_clear_error();
1259                 }
1260
1261         /* we should setup a certficate to return.... */
1262         s->s3->tmp.cert_req=1;
1263         s->s3->tmp.ctype_num=ctype_num;
1264         if (s->s3->tmp.ca_names != NULL)
1265                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1266         s->s3->tmp.ca_names=ca_sk;
1267         ca_sk=NULL;
1268
1269         ret=1;
1270 err:
1271         if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1272         return(ret);
1273         }
1274
1275 static int ca_dn_cmp(X509_NAME **a, X509_NAME **b)
1276         {
1277         return(X509_NAME_cmp(*a,*b));
1278         }
1279
1280 static int ssl3_get_server_done(SSL *s)
1281         {
1282         int ok,ret=0;
1283         long n;
1284
1285         n=ssl3_get_message(s,
1286                 SSL3_ST_CR_SRVR_DONE_A,
1287                 SSL3_ST_CR_SRVR_DONE_B,
1288                 SSL3_MT_SERVER_DONE,
1289                 30, /* should be very small, like 0 :-) */
1290                 &ok);
1291
1292         if (!ok) return((int)n);
1293         if (n > 0)
1294                 {
1295                 /* should contain no data */
1296                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1297                 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1298                 }
1299         ret=1;
1300         return(ret);
1301         }
1302
1303 static int ssl3_send_client_key_exchange(SSL *s)
1304         {
1305         unsigned char *p,*d;
1306         int n;
1307         unsigned long l;
1308 #ifndef NO_RSA
1309         unsigned char *q;
1310         EVP_PKEY *pkey=NULL;
1311 #endif
1312
1313         if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1314                 {
1315                 d=(unsigned char *)s->init_buf->data;
1316                 p= &(d[4]);
1317
1318                 l=s->s3->tmp.new_cipher->algorithms;
1319
1320 #ifndef NO_RSA
1321                 if (l & SSL_kRSA)
1322                         {
1323                         RSA *rsa;
1324                         unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1325
1326                         if (s->session->sess_cert->peer_rsa_tmp != NULL)
1327                                 rsa=s->session->sess_cert->peer_rsa_tmp;
1328                         else
1329                                 {
1330                                 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1331                                 if ((pkey == NULL) ||
1332                                         (pkey->type != EVP_PKEY_RSA) ||
1333                                         (pkey->pkey.rsa == NULL))
1334                                         {
1335                                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1336                                         goto err;
1337                                         }
1338                                 rsa=pkey->pkey.rsa;
1339                                 EVP_PKEY_free(pkey);
1340                                 }
1341                                 
1342                         tmp_buf[0]=s->client_version>>8;
1343                         tmp_buf[1]=s->client_version&0xff;
1344                         if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
1345                                         goto err;
1346
1347                         s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
1348
1349                         q=p;
1350                         /* Fix buf for TLS and beyond */
1351                         if (s->version > SSL3_VERSION)
1352                                 p+=2;
1353                         n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
1354                                 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
1355 #ifdef PKCS1_CHECK
1356                         if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
1357                         if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
1358 #endif
1359                         if (n <= 0)
1360                                 {
1361                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
1362                                 goto err;
1363                                 }
1364
1365                         /* Fix buf for TLS and beyond */
1366                         if (s->version > SSL3_VERSION)
1367                                 {
1368                                 s2n(n,q);
1369                                 n+=2;
1370                                 }
1371
1372                         s->session->master_key_length=
1373                                 s->method->ssl3_enc->generate_master_secret(s,
1374                                         s->session->master_key,
1375                                         tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
1376                         memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
1377                         }
1378                 else
1379 #endif
1380 #ifndef NO_DH
1381                 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1382                         {
1383                         DH *dh_srvr,*dh_clnt;
1384
1385                         if (s->session->sess_cert->peer_dh_tmp != NULL)
1386                                 dh_srvr=s->session->sess_cert->peer_dh_tmp;
1387                         else
1388                                 {
1389                                 /* we get them from the cert */
1390                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1391                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1392                                 goto err;
1393                                 }
1394                         
1395                         /* generate a new random key */
1396                         if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
1397                                 {
1398                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1399                                 goto err;
1400                                 }
1401                         if (!DH_generate_key(dh_clnt))
1402                                 {
1403                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1404                                 goto err;
1405                                 }
1406
1407                         /* use the 'p' output buffer for the DH key, but
1408                          * make sure to clear it out afterwards */
1409
1410                         n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
1411
1412                         if (n <= 0)
1413                                 {
1414                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1415                                 goto err;
1416                                 }
1417
1418                         /* generate master key from the result */
1419                         s->session->master_key_length=
1420                                 s->method->ssl3_enc->generate_master_secret(s,
1421                                         s->session->master_key,p,n);
1422                         /* clean up */
1423                         memset(p,0,n);
1424
1425                         /* send off the data */
1426                         n=BN_num_bytes(dh_clnt->pub_key);
1427                         s2n(n,p);
1428                         BN_bn2bin(dh_clnt->pub_key,p);
1429                         n+=2;
1430
1431                         DH_free(dh_clnt);
1432
1433                         /* perhaps clean things up a bit EAY EAY EAY EAY*/
1434                         }
1435                 else
1436 #endif
1437                         {
1438                         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1439                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
1440                         goto err;
1441                         }
1442                 
1443                 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
1444                 l2n3(n,d);
1445
1446                 s->state=SSL3_ST_CW_KEY_EXCH_B;
1447                 /* number of bytes to write */
1448                 s->init_num=n+4;
1449                 s->init_off=0;
1450                 }
1451
1452         /* SSL3_ST_CW_KEY_EXCH_B */
1453         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1454 err:
1455         return(-1);
1456         }
1457
1458 static int ssl3_send_client_verify(SSL *s)
1459         {
1460         unsigned char *p,*d;
1461         unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
1462         EVP_PKEY *pkey;
1463 #ifndef NO_RSA
1464         unsigned u=0;
1465 #endif
1466         unsigned long n;
1467 #ifndef NO_DSA
1468         int j;
1469 #endif
1470
1471         if (s->state == SSL3_ST_CW_CERT_VRFY_A)
1472                 {
1473                 d=(unsigned char *)s->init_buf->data;
1474                 p= &(d[4]);
1475                 pkey=s->cert->key->privatekey;
1476
1477                 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
1478                         &(data[MD5_DIGEST_LENGTH]));
1479
1480 #ifndef NO_RSA
1481                 if (pkey->type == EVP_PKEY_RSA)
1482                         {
1483                         s->method->ssl3_enc->cert_verify_mac(s,
1484                                 &(s->s3->finish_dgst1),&(data[0]));
1485                         if (RSA_sign(NID_md5_sha1, data,
1486                                          MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
1487                                         &(p[2]), &u, pkey->pkey.rsa) <= 0 )
1488                                 {
1489                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
1490                                 goto err;
1491                                 }
1492                         s2n(u,p);
1493                         n=u+2;
1494                         }
1495                 else
1496 #endif
1497 #ifndef NO_DSA
1498                         if (pkey->type == EVP_PKEY_DSA)
1499                         {
1500                         if (!DSA_sign(pkey->save_type,
1501                                 &(data[MD5_DIGEST_LENGTH]),
1502                                 SHA_DIGEST_LENGTH,&(p[2]),
1503                                 (unsigned int *)&j,pkey->pkey.dsa))
1504                                 {
1505                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
1506                                 goto err;
1507                                 }
1508                         s2n(j,p);
1509                         n=j+2;
1510                         }
1511                 else
1512 #endif
1513                         {
1514                         SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR);
1515                         goto err;
1516                         }
1517                 *(d++)=SSL3_MT_CERTIFICATE_VERIFY;
1518                 l2n3(n,d);
1519
1520                 s->init_num=(int)n+4;
1521                 s->init_off=0;
1522                 }
1523         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1524 err:
1525         return(-1);
1526         }
1527
1528 static int ssl3_send_client_certificate(SSL *s)
1529         {
1530         X509 *x509=NULL;
1531         EVP_PKEY *pkey=NULL;
1532         int i;
1533         unsigned long l;
1534
1535         if (s->state == SSL3_ST_CW_CERT_A)
1536                 {
1537                 if ((s->cert == NULL) ||
1538                         (s->cert->key->x509 == NULL) ||
1539                         (s->cert->key->privatekey == NULL))
1540                         s->state=SSL3_ST_CW_CERT_B;
1541                 else
1542                         s->state=SSL3_ST_CW_CERT_C;
1543                 }
1544
1545         /* We need to get a client cert */
1546         if (s->state == SSL3_ST_CW_CERT_B)
1547                 {
1548                 /* If we get an error, we need to
1549                  * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
1550                  * We then get retied later */
1551                 i=0;
1552                 if (s->ctx->client_cert_cb != NULL)
1553                         i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
1554                 if (i < 0)
1555                         {
1556                         s->rwstate=SSL_X509_LOOKUP;
1557                         return(-1);
1558                         }
1559                 s->rwstate=SSL_NOTHING;
1560                 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
1561                         {
1562                         s->state=SSL3_ST_CW_CERT_B;
1563                         if (    !SSL_use_certificate(s,x509) ||
1564                                 !SSL_use_PrivateKey(s,pkey))
1565                                 i=0;
1566                         }
1567                 else if (i == 1)
1568                         {
1569                         i=0;
1570                         SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
1571                         }
1572
1573                 if (x509 != NULL) X509_free(x509);
1574                 if (pkey != NULL) EVP_PKEY_free(pkey);
1575                 if (i == 0)
1576                         {
1577                         if (s->version == SSL3_VERSION)
1578                                 {
1579                                 s->s3->tmp.cert_req=0;
1580                                 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
1581                                 return(1);
1582                                 }
1583                         else
1584                                 {
1585                                 s->s3->tmp.cert_req=2;
1586                                 }
1587                         }
1588
1589                 /* Ok, we have a cert */
1590                 s->state=SSL3_ST_CW_CERT_C;
1591                 }
1592
1593         if (s->state == SSL3_ST_CW_CERT_C)
1594                 {
1595                 s->state=SSL3_ST_CW_CERT_D;
1596                 l=ssl3_output_cert_chain(s,
1597                         (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
1598                 s->init_num=(int)l;
1599                 s->init_off=0;
1600                 }
1601         /* SSL3_ST_CW_CERT_D */
1602         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1603         }
1604
1605 #define has_bits(i,m)   (((i)&(m)) == (m))
1606
1607 static int ssl3_check_cert_and_algorithm(SSL *s)
1608         {
1609         int i,idx;
1610         long algs;
1611         EVP_PKEY *pkey=NULL;
1612         SESS_CERT *sc;
1613 #ifndef NO_RSA
1614         RSA *rsa;
1615 #endif
1616 #ifndef NO_DH
1617         DH *dh;
1618 #endif
1619
1620         sc=s->session->sess_cert;
1621
1622         if (sc == NULL)
1623                 {
1624                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR);
1625                 goto err;
1626                 }
1627
1628         algs=s->s3->tmp.new_cipher->algorithms;
1629
1630         /* we don't have a certificate */
1631         if (algs & (SSL_aDH|SSL_aNULL))
1632                 return(1);
1633
1634 #ifndef NO_RSA
1635         rsa=s->session->sess_cert->peer_rsa_tmp;
1636 #endif
1637 #ifndef NO_DH
1638         dh=s->session->sess_cert->peer_dh_tmp;
1639 #endif
1640
1641         /* This is the passed certificate */
1642
1643         idx=sc->peer_cert_type;
1644         pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509);
1645         i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey);
1646         EVP_PKEY_free(pkey);
1647
1648         
1649         /* Check that we have a certificate if we require one */
1650         if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
1651                 {
1652                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
1653                 goto f_err;
1654                 }
1655 #ifndef NO_DSA
1656         else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
1657                 {
1658                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
1659                 goto f_err;
1660                 }
1661 #endif
1662 #ifndef NO_RSA
1663         if ((algs & SSL_kRSA) &&
1664                 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
1665                 {
1666                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
1667                 goto f_err;
1668                 }
1669 #endif
1670 #ifndef NO_DH
1671         if ((algs & SSL_kEDH) &&
1672                 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
1673                 {
1674                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
1675                 goto f_err;
1676                 }
1677         else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
1678                 {
1679                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
1680                 goto f_err;
1681                 }
1682 #ifndef NO_DSA
1683         else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
1684                 {
1685                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
1686                 goto f_err;
1687                 }
1688 #endif
1689 #endif
1690
1691         if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
1692                 {
1693 #ifndef NO_RSA
1694                 if (algs & SSL_kRSA)
1695                         {
1696                         if (rsa == NULL
1697                             || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
1698                                 {
1699                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
1700                                 goto f_err;
1701                                 }
1702                         }
1703                 else
1704 #endif
1705 #ifndef NO_DH
1706                         if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1707                             {
1708                             if (dh == NULL
1709                                 || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))
1710                                 {
1711                                 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
1712                                 goto f_err;
1713                                 }
1714                         }
1715                 else
1716 #endif
1717                         {
1718                         SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1719                         goto f_err;
1720                         }
1721                 }
1722         return(1);
1723 f_err:
1724         ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
1725 err:
1726         return(0);
1727         }
1728