-Wall implies -Wuninitialized.
[openssl.git] / ssl / s3_srvr.c
1 /* ssl/s3_srvr.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #define REUSE_CIPHER_BUG
60
61 #include <stdio.h>
62 #include "buffer.h"
63 #include "rand.h"
64 #include "objects.h"
65 #include "evp.h"
66 #include "x509.h"
67 #include "ssl_locl.h"
68
69 #define BREAK   break
70 /* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
71  * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
72  * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
73  * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
74  * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
75  */
76
77 #ifndef NOPROTO
78 static SSL_METHOD *ssl3_get_server_method(int ver);
79 static int ssl3_get_client_hello(SSL *s);
80 static int ssl3_send_server_hello(SSL *s);
81 static int ssl3_send_server_key_exchange(SSL *s);
82 static int ssl3_send_certificate_request(SSL *s);
83 static int ssl3_send_server_done(SSL *s);
84 static int ssl3_get_cert_verify(SSL *s);
85 static int ssl3_get_client_key_exchange(SSL *s);
86 static int ssl3_get_client_certificate(SSL *s);
87 static int ssl3_send_hello_request(SSL *s);
88
89 #else
90
91 static SSL_METHOD *ssl3_get_server_method();
92 static int ssl3_get_client_hello();
93 static int ssl3_send_server_hello();
94 static int ssl3_send_server_key_exchange();
95 static int ssl3_send_certificate_request();
96 static int ssl3_send_server_done();
97 static int ssl3_get_cert_verify();
98 static int ssl3_get_client_key_exchange();
99 static int ssl3_get_client_certificate();
100 static int ssl3_send_hello_request();
101
102 #endif
103
104 static SSL_METHOD *ssl3_get_server_method(int ver)
105         {
106         if (ver == SSL3_VERSION)
107                 return(SSLv3_server_method());
108         else
109                 return(NULL);
110         }
111
112 SSL_METHOD *SSLv3_server_method(void)
113         {
114         static int init=1;
115         static SSL_METHOD SSLv3_server_data;
116
117         if (init)
118                 {
119                 init=0;
120                 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
121                         sizeof(SSL_METHOD));
122                 SSLv3_server_data.ssl_accept=ssl3_accept;
123                 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
124                 }
125         return(&SSLv3_server_data);
126         }
127
128 int ssl3_accept(SSL *s)
129         {
130         BUF_MEM *buf;
131         unsigned long l,Time=time(NULL);
132         void (*cb)()=NULL;
133         long num1;
134         int ret= -1;
135         CERT *ct;
136         int new_state,state,skip=0;
137
138         RAND_seed(&Time,sizeof(Time));
139         ERR_clear_error();
140         clear_sys_error();
141
142         if (s->info_callback != NULL)
143                 cb=s->info_callback;
144         else if (s->ctx->info_callback != NULL)
145                 cb=s->ctx->info_callback;
146
147         /* init things to blank */
148         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
149         s->in_handshake++;
150
151 #ifdef undef
152         /* FIX THIS EAY EAY EAY */
153         /* we don't actually need a cert, we just need a cert or a DH_tmp */
154         if (((s->session == NULL) || (s->session->cert == NULL)) &&
155                 (s->cert == NULL))
156                 {
157                 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
158                 ret= -1;
159                 goto end;
160                 }
161 #endif
162
163         for (;;)
164                 {
165                 state=s->state;
166
167                 switch (s->state)
168                         {
169                 case SSL_ST_RENEGOTIATE:
170                         s->new_session=1;
171                         /* s->state=SSL_ST_ACCEPT; */
172
173                 case SSL_ST_BEFORE:
174                 case SSL_ST_ACCEPT:
175                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
176                 case SSL_ST_OK|SSL_ST_ACCEPT:
177
178                         s->server=1;
179                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
180
181                         if ((s->version>>8) != 3)
182                                 abort();
183                         /* s->version=SSL3_VERSION; */
184                         s->type=SSL_ST_ACCEPT;
185
186                         if (s->init_buf == NULL)
187                                 {
188                                 if ((buf=BUF_MEM_new()) == NULL)
189                                         {
190                                         ret= -1;
191                                         goto end;
192                                         }
193                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
194                                         {
195                                         ret= -1;
196                                         goto end;
197                                         }
198                                 s->init_buf=buf;
199                                 }
200
201                         if (!ssl3_setup_buffers(s))
202                                 {
203                                 ret= -1;
204                                 goto end;
205                                 }
206
207                         /* Ok, we now need to push on a buffering BIO so that
208                          * the output is sent in a way that TCP likes :-)
209                          */
210                         if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
211
212                         s->init_num=0;
213
214                         if (s->state != SSL_ST_RENEGOTIATE)
215                                 {
216                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
217                                 ssl3_init_finished_mac(s);
218                                 s->ctx->stats.sess_accept++;
219                                 }
220                         else
221                                 {
222                                 s->ctx->stats.sess_accept_renegotiate++;
223                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
224                                 }
225                         break;
226
227                 case SSL3_ST_SW_HELLO_REQ_A:
228                 case SSL3_ST_SW_HELLO_REQ_B:
229
230                         s->shutdown=0;
231                         ret=ssl3_send_hello_request(s);
232                         if (ret <= 0) goto end;
233                         s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
234                         s->state=SSL3_ST_SW_FLUSH;
235                         s->init_num=0;
236
237                         ssl3_init_finished_mac(s);
238                         break;
239
240                 case SSL3_ST_SW_HELLO_REQ_C:
241                         s->state=SSL_ST_OK;
242                         ret=1;
243                         goto end;
244                         /* break; */
245
246                 case SSL3_ST_SR_CLNT_HELLO_A:
247                 case SSL3_ST_SR_CLNT_HELLO_B:
248                 case SSL3_ST_SR_CLNT_HELLO_C:
249
250                         s->shutdown=0;
251                         ret=ssl3_get_client_hello(s);
252                         if (ret <= 0) goto end;
253                         s->state=SSL3_ST_SW_SRVR_HELLO_A;
254                         s->init_num=0;
255                         break;
256
257                 case SSL3_ST_SW_SRVR_HELLO_A:
258                 case SSL3_ST_SW_SRVR_HELLO_B:
259                         ret=ssl3_send_server_hello(s);
260                         if (ret <= 0) goto end;
261
262                         if (s->hit)
263                                 s->state=SSL3_ST_SW_CHANGE_A;
264                         else
265                                 s->state=SSL3_ST_SW_CERT_A;
266                         s->init_num=0;
267                         break;
268
269                 case SSL3_ST_SW_CERT_A:
270                 case SSL3_ST_SW_CERT_B:
271                         /* Check if it is anon DH */
272                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
273                                 {
274                                 ret=ssl3_send_server_certificate(s);
275                                 if (ret <= 0) goto end;
276                                 }
277                         else
278                                 skip=1;
279                         s->state=SSL3_ST_SW_KEY_EXCH_A;
280                         s->init_num=0;
281                         break;
282
283                 case SSL3_ST_SW_KEY_EXCH_A:
284                 case SSL3_ST_SW_KEY_EXCH_B:
285                         l=s->s3->tmp.new_cipher->algorithms;
286                         if (s->session->cert == NULL)
287                                 {
288                                 if (s->cert != NULL)
289                                         {
290                                         CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
291                                         s->session->cert=s->cert;
292                                         }
293                                 else
294                                         {
295                                         CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
296                                         s->session->cert=s->ctx->default_cert;
297                                         }
298                                 }
299                         ct=s->session->cert;
300
301                         /* clear this, it may get reset by
302                          * send_server_key_exchange */
303                         if (s->options & SSL_OP_EPHEMERAL_RSA)
304                                 s->s3->tmp.use_rsa_tmp=1;
305                         else
306                                 s->s3->tmp.use_rsa_tmp=0;
307
308                         /* only send if a DH key exchange, fortezza or
309                          * RSA but we have a sign only certificate */
310                         if (s->s3->tmp.use_rsa_tmp
311                             || (l & (SSL_DH|SSL_kFZA))
312                             || ((l & SSL_kRSA)
313                                 && (ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
314                                     || (SSL_IS_EXPORT(l)
315                                         && EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
316                                         )
317                                     )
318                                 )
319                             )
320                                 {
321                                 ret=ssl3_send_server_key_exchange(s);
322                                 if (ret <= 0) goto end;
323                                 }
324                         else
325                                 skip=1;
326
327                         s->state=SSL3_ST_SW_CERT_REQ_A;
328                         s->init_num=0;
329                         break;
330
331                 case SSL3_ST_SW_CERT_REQ_A:
332                 case SSL3_ST_SW_CERT_REQ_B:
333                         if (!(s->verify_mode & SSL_VERIFY_PEER) ||
334                                 ((s->session->peer != NULL) &&
335                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
336                                 {
337                                 /* no cert request */
338                                 skip=1;
339                                 s->s3->tmp.cert_request=0;
340                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
341                                 }
342                         else
343                                 {
344                                 s->s3->tmp.cert_request=1;
345                                 ret=ssl3_send_certificate_request(s);
346                                 if (ret <= 0) goto end;
347                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
348                                 s->init_num=0;
349                                 }
350                         break;
351
352                 case SSL3_ST_SW_SRVR_DONE_A:
353                 case SSL3_ST_SW_SRVR_DONE_B:
354                         ret=ssl3_send_server_done(s);
355                         if (ret <= 0) goto end;
356                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
357                         s->state=SSL3_ST_SW_FLUSH;
358                         s->init_num=0;
359                         break;
360                 
361                 case SSL3_ST_SW_FLUSH:
362                         /* number of bytes to be flushed */
363                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
364                         if (num1 > 0)
365                                 {
366                                 s->rwstate=SSL_WRITING;
367                                 num1=BIO_flush(s->wbio);
368                                 if (num1 <= 0) { ret= -1; goto end; }
369                                 s->rwstate=SSL_NOTHING;
370                                 }
371
372                         s->state=s->s3->tmp.next_state;
373                         break;
374
375                 case SSL3_ST_SR_CERT_A:
376                 case SSL3_ST_SR_CERT_B:
377                         /* could be sent for a DH cert, even if we
378                          * have not asked for it :-) */
379                         ret=ssl3_get_client_certificate(s);
380                         if (ret <= 0) goto end;
381                         s->init_num=0;
382                         s->state=SSL3_ST_SR_KEY_EXCH_A;
383                         break;
384
385                 case SSL3_ST_SR_KEY_EXCH_A:
386                 case SSL3_ST_SR_KEY_EXCH_B:
387                         ret=ssl3_get_client_key_exchange(s);
388                         if (ret <= 0) goto end;
389                         s->state=SSL3_ST_SR_CERT_VRFY_A;
390                         s->init_num=0;
391
392                         /* We need to get hashes here so if there is
393                          * a client cert, it can be verified */ 
394                         s->method->ssl3_enc->cert_verify_mac(s,
395                                 &(s->s3->finish_dgst1),
396                                 &(s->s3->tmp.finish_md[0]));
397                         s->method->ssl3_enc->cert_verify_mac(s,
398                                 &(s->s3->finish_dgst2),
399                                 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
400
401                         break;
402
403                 case SSL3_ST_SR_CERT_VRFY_A:
404                 case SSL3_ST_SR_CERT_VRFY_B:
405
406                         /* we should decide if we expected this one */
407                         ret=ssl3_get_cert_verify(s);
408                         if (ret <= 0) goto end;
409
410                         s->state=SSL3_ST_SR_FINISHED_A;
411                         s->init_num=0;
412                         break;
413
414                 case SSL3_ST_SR_FINISHED_A:
415                 case SSL3_ST_SR_FINISHED_B:
416                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
417                                 SSL3_ST_SR_FINISHED_B);
418                         if (ret <= 0) goto end;
419                         if (s->hit)
420                                 s->state=SSL_ST_OK;
421                         else
422                                 s->state=SSL3_ST_SW_CHANGE_A;
423                         s->init_num=0;
424                         break;
425
426                 case SSL3_ST_SW_CHANGE_A:
427                 case SSL3_ST_SW_CHANGE_B:
428
429                         s->session->cipher=s->s3->tmp.new_cipher;
430                         if (!s->method->ssl3_enc->setup_key_block(s))
431                                 { ret= -1; goto end; }
432
433                         ret=ssl3_send_change_cipher_spec(s,
434                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
435
436                         if (ret <= 0) goto end;
437                         s->state=SSL3_ST_SW_FINISHED_A;
438                         s->init_num=0;
439
440                         if (!s->method->ssl3_enc->change_cipher_state(s,
441                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
442                                 {
443                                 ret= -1;
444                                 goto end;
445                                 }
446
447                         break;
448
449                 case SSL3_ST_SW_FINISHED_A:
450                 case SSL3_ST_SW_FINISHED_B:
451                         ret=ssl3_send_finished(s,
452                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
453                                 s->method->ssl3_enc->server_finished,
454                                 s->method->ssl3_enc->server_finished_len);
455                         if (ret <= 0) goto end;
456                         s->state=SSL3_ST_SW_FLUSH;
457                         if (s->hit)
458                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
459                         else
460                                 s->s3->tmp.next_state=SSL_ST_OK;
461                         s->init_num=0;
462                         break;
463
464                 case SSL_ST_OK:
465                         /* clean a few things up */
466                         ssl3_cleanup_key_block(s);
467
468                         BUF_MEM_free(s->init_buf);
469                         s->init_buf=NULL;
470
471                         /* remove buffering on output */
472                         ssl_free_wbio_buffer(s);
473
474                         s->new_session=0;
475                         s->init_num=0;
476
477                         ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
478
479                         s->ctx->stats.sess_accept_good++;
480                         /* s->server=1; */
481                         s->handshake_func=ssl3_accept;
482                         ret=1;
483
484                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
485
486                         goto end;
487                         /* break; */
488
489                 default:
490                         SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
491                         ret= -1;
492                         goto end;
493                         /* break; */
494                         }
495                 
496                 if (!s->s3->tmp.reuse_message && !skip)
497                         {
498                         if (s->debug)
499                                 {
500                                 if ((ret=BIO_flush(s->wbio)) <= 0)
501                                         goto end;
502                                 }
503
504
505                         if ((cb != NULL) && (s->state != state))
506                                 {
507                                 new_state=s->state;
508                                 s->state=state;
509                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
510                                 s->state=new_state;
511                                 }
512                         }
513                 skip=0;
514                 }
515 end:
516         /* BIO_flush(s->wbio); */
517
518         if (cb != NULL)
519                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
520         s->in_handshake--;
521         return(ret);
522         }
523
524 static int ssl3_send_hello_request(SSL *s)
525         {
526         unsigned char *p;
527
528         if (s->state == SSL3_ST_SW_HELLO_REQ_A)
529                 {
530                 p=(unsigned char *)s->init_buf->data;
531                 *(p++)=SSL3_MT_CLIENT_REQUEST;
532                 *(p++)=0;
533                 *(p++)=0;
534                 *(p++)=0;
535
536                 s->state=SSL3_ST_SW_HELLO_REQ_B;
537                 /* number of bytes to write */
538                 s->init_num=4;
539                 s->init_off=0;
540                 }
541
542         /* SSL3_ST_SW_HELLO_REQ_B */
543         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
544         }
545
546 static int ssl3_get_client_hello(SSL *s)
547         {
548         int i,j,ok,al,ret= -1;
549         long n;
550         unsigned long id;
551         unsigned char *p,*d,*q;
552         SSL_CIPHER *c;
553         SSL_COMP *comp=NULL;
554         STACK_OF(SSL_CIPHER) *ciphers=NULL;
555
556         /* We do this so that we will respond with our native type.
557          * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
558          * This down switching should be handled by a different method.
559          * If we are SSLv3, we will respond with SSLv3, even if prompted with
560          * TLSv1.
561          */
562         if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
563                 {
564                 s->first_packet=1;
565                 s->state=SSL3_ST_SR_CLNT_HELLO_B;
566                 }
567         n=ssl3_get_message(s,
568                 SSL3_ST_SR_CLNT_HELLO_B,
569                 SSL3_ST_SR_CLNT_HELLO_C,
570                 SSL3_MT_CLIENT_HELLO,
571                 SSL3_RT_MAX_PLAIN_LENGTH,
572                 &ok);
573
574         if (!ok) return((int)n);
575         d=p=(unsigned char *)s->init_buf->data;
576
577         /* The version number has already been checked in ssl3_get_message.
578          * I a native TLSv1/SSLv3 method, the match must be correct except
579          * perhaps for the first message */
580 /*      s->client_version=(((int)p[0])<<8)|(int)p[1]; */
581         p+=2;
582
583         /* load the client random */
584         memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
585         p+=SSL3_RANDOM_SIZE;
586
587         /* get the session-id */
588         j= *(p++);
589
590         s->hit=0;
591         if (j == 0)
592                 {
593                 if (!ssl_get_new_session(s,1))
594                         goto err;
595                 }
596         else
597                 {
598                 i=ssl_get_prev_session(s,p,j);
599                 if (i == 1)
600                         { /* previous session */
601                         s->hit=1;
602                         }
603                 else
604                         {
605                         if (!ssl_get_new_session(s,1))
606                                 goto err;
607                         }
608                 }
609
610         p+=j;
611         n2s(p,i);
612         if ((i == 0) && (j != 0))
613                 {
614                 /* we need a cipher if we are not resuming a session */
615                 al=SSL_AD_ILLEGAL_PARAMETER;
616                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
617                 goto f_err;
618                 }
619         if ((i+p) > (d+n))
620                 {
621                 /* not enough data */
622                 al=SSL_AD_DECODE_ERROR;
623                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
624                 goto f_err;
625                 }
626         if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
627                 == NULL))
628                 {
629                 goto err;
630                 }
631         p+=i;
632
633         /* If it is a hit, check that the cipher is in the list */
634         if ((s->hit) && (i > 0))
635                 {
636                 j=0;
637                 id=s->session->cipher->id;
638
639 #ifdef CIPHER_DEBUG
640                 printf("client sent %d ciphers\n",sk_num(ciphers));
641 #endif
642                 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
643                         {
644                         c=sk_SSL_CIPHER_value(ciphers,i);
645 #ifdef CIPHER_DEBUG
646                         printf("client [%2d of %2d]:%s\n",
647                                 i,sk_num(ciphers),SSL_CIPHER_get_name(c));
648 #endif
649                         if (c->id == id)
650                                 {
651                                 j=1;
652                                 break;
653                                 }
654                         }
655                 if (j == 0)
656                         {
657                         if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
658                                 {
659                                 /* Very bad for multi-threading.... */
660                                 s->session->cipher=sk_SSL_CIPHER_value(ciphers,
661                                                                        0);
662                                 }
663                         else
664                                 {
665                                 /* we need to have the cipher in the cipher
666                                  * list if we are asked to reuse it */
667                                 al=SSL_AD_ILLEGAL_PARAMETER;
668                                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
669                                 goto f_err;
670                                 }
671                         }
672                 }
673
674         /* compression */
675         i= *(p++);
676         q=p;
677         for (j=0; j<i; j++)
678                 {
679                 if (p[j] == 0) break;
680                 }
681
682         p+=i;
683         if (j >= i)
684                 {
685                 /* no compress */
686                 al=SSL_AD_DECODE_ERROR;
687                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
688                 goto f_err;
689                 }
690
691         /* Worst case, we will use the NULL compression, but if we have other
692          * options, we will now look for them.  We have i-1 compression
693          * algorithms from the client, starting at q. */
694         s->s3->tmp.new_compression=NULL;
695         if (s->ctx->comp_methods != NULL)
696                 { /* See if we have a match */
697                 int m,nn,o,v,done=0;
698
699                 nn=sk_SSL_COMP_num(s->ctx->comp_methods);
700                 for (m=0; m<nn; m++)
701                         {
702                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
703                         v=comp->id;
704                         for (o=0; o<i; o++)
705                                 {
706                                 if (v == q[o])
707                                         {
708                                         done=1;
709                                         break;
710                                         }
711                                 }
712                         if (done) break;
713                         }
714                 if (done)
715                         s->s3->tmp.new_compression=comp;
716                 else
717                         comp=NULL;
718                 }
719
720         /* TLS does not mind if there is extra stuff */
721         if (s->version == SSL3_VERSION)
722                 {
723                 if (p > (d+n))
724                         {
725                         /* wrong number of bytes,
726                          * there could be more to follow */
727                         al=SSL_AD_DECODE_ERROR;
728                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
729                         goto f_err;
730                         }
731                 }
732
733         /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
734          * pick a cipher */
735
736         if (!s->hit)
737                 {
738                 s->session->compress_meth=(comp == NULL)?0:comp->id;
739                 if (s->session->ciphers != NULL)
740                         sk_SSL_CIPHER_free(s->session->ciphers);
741                 s->session->ciphers=ciphers;
742                 if (ciphers == NULL)
743                         {
744                         al=SSL_AD_ILLEGAL_PARAMETER;
745                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
746                         goto f_err;
747                         }
748                 ciphers=NULL;
749                 c=ssl3_choose_cipher(s,s->session->ciphers,
750                                      ssl_get_ciphers_by_id(s));
751
752                 if (c == NULL)
753                         {
754                         al=SSL_AD_HANDSHAKE_FAILURE;
755                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
756                         goto f_err;
757                         }
758                 s->s3->tmp.new_cipher=c;
759                 }
760         else
761                 {
762                 /* Session-id reuse */
763 #ifdef REUSE_CIPHER_BUG
764                 STACK_OF(SSL_CIPHER) *sk;
765                 SSL_CIPHER *nc=NULL;
766                 SSL_CIPHER *ec=NULL;
767
768                 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
769                         {
770                         sk=s->session->ciphers;
771                         for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
772                                 {
773                                 c=sk_SSL_CIPHER_value(sk,i);
774                                 if (c->algorithms & SSL_eNULL)
775                                         nc=c;
776                                 if (SSL_C_IS_EXPORT(c))
777                                         ec=c;
778                                 }
779                         if (nc != NULL)
780                                 s->s3->tmp.new_cipher=nc;
781                         else if (ec != NULL)
782                                 s->s3->tmp.new_cipher=ec;
783                         else
784                                 s->s3->tmp.new_cipher=s->session->cipher;
785                         }
786                 else
787 #endif
788                 s->s3->tmp.new_cipher=s->session->cipher;
789                 }
790         
791         /* we now have the following setup. 
792          * client_random
793          * cipher_list          - our prefered list of ciphers
794          * ciphers              - the clients prefered list of ciphers
795          * compression          - basically ignored right now
796          * ssl version is set   - sslv3
797          * s->session           - The ssl session has been setup.
798          * s->hit               - sesson reuse flag
799          * s->tmp.new_cipher    - the new cipher to use.
800          */
801
802         ret=1;
803         if (0)
804                 {
805 f_err:
806                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
807                 }
808 err:
809         if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
810         return(ret);
811         }
812
813 static int ssl3_send_server_hello(SSL *s)
814         {
815         unsigned char *buf;
816         unsigned char *p,*d;
817         int i,sl;
818         unsigned long l,Time;
819
820         if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
821                 {
822                 buf=(unsigned char *)s->init_buf->data;
823                 p=s->s3->server_random;
824                 Time=time(NULL);                        /* Time */
825                 l2n(Time,p);
826                 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
827                 /* Do the message type and length last */
828                 d=p= &(buf[4]);
829
830                 *(p++)=s->version>>8;
831                 *(p++)=s->version&0xff;
832
833                 /* Random stuff */
834                 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
835                 p+=SSL3_RANDOM_SIZE;
836
837                 /* now in theory we have 3 options to sending back the
838                  * session id.  If it is a re-use, we send back the
839                  * old session-id, if it is a new session, we send
840                  * back the new session-id or we send back a 0 length
841                  * session-id if we want it to be single use.
842                  * Currently I will not implement the '0' length session-id
843                  * 12-Jan-98 - I'll now support the '0' length stuff.
844                  */
845                 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
846                         s->session->session_id_length=0;
847
848                 sl=s->session->session_id_length;
849                 *(p++)=sl;
850                 memcpy(p,s->session->session_id,sl);
851                 p+=sl;
852
853                 /* put the cipher */
854                 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
855                 p+=i;
856
857                 /* put the compression method */
858                 if (s->s3->tmp.new_compression == NULL)
859                         *(p++)=0;
860                 else
861                         *(p++)=s->s3->tmp.new_compression->id;
862
863                 /* do the header */
864                 l=(p-d);
865                 d=buf;
866                 *(d++)=SSL3_MT_SERVER_HELLO;
867                 l2n3(l,d);
868
869                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
870                 /* number of bytes to write */
871                 s->init_num=p-buf;
872                 s->init_off=0;
873                 }
874
875         /* SSL3_ST_CW_CLNT_HELLO_B */
876         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
877         }
878
879 static int ssl3_send_server_done(SSL *s)
880         {
881         unsigned char *p;
882
883         if (s->state == SSL3_ST_SW_SRVR_DONE_A)
884                 {
885                 p=(unsigned char *)s->init_buf->data;
886
887                 /* do the header */
888                 *(p++)=SSL3_MT_SERVER_DONE;
889                 *(p++)=0;
890                 *(p++)=0;
891                 *(p++)=0;
892
893                 s->state=SSL3_ST_SW_SRVR_DONE_B;
894                 /* number of bytes to write */
895                 s->init_num=4;
896                 s->init_off=0;
897                 }
898
899         /* SSL3_ST_CW_CLNT_HELLO_B */
900         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
901         }
902
903 static int ssl3_send_server_key_exchange(SSL *s)
904         {
905 #ifndef NO_RSA
906         unsigned char *q;
907         int j,num;
908         RSA *rsa;
909         unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
910 #endif
911 #ifndef NO_DH
912         DH *dh,*dhp;
913 #endif
914         EVP_PKEY *pkey;
915         unsigned char *p,*d;
916         int al,i;
917         unsigned long type;
918         int n;
919         CERT *cert;
920         BIGNUM *r[4];
921         int nr[4],kn;
922         BUF_MEM *buf;
923         EVP_MD_CTX md_ctx;
924
925         if (s->state == SSL3_ST_SW_KEY_EXCH_A)
926                 {
927                 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
928                 cert=s->session->cert;
929
930                 buf=s->init_buf;
931
932                 r[0]=r[1]=r[2]=r[3]=NULL;
933                 n=0;
934 #ifndef NO_RSA
935                 if (type & SSL_kRSA)
936                         {
937                         rsa=cert->rsa_tmp;
938                         if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
939                                 {
940                                 rsa=s->ctx->default_cert->rsa_tmp_cb(s,
941                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
942                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
943                                 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
944                                 cert->rsa_tmp=rsa;
945                                 }
946                         if (rsa == NULL)
947                                 {
948                                 al=SSL_AD_HANDSHAKE_FAILURE;
949                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
950                                 goto f_err;
951                                 }
952                         r[0]=rsa->n;
953                         r[1]=rsa->e;
954                         s->s3->tmp.use_rsa_tmp=1;
955                         }
956                 else
957 #endif
958 #ifndef NO_DH
959                         if (type & SSL_kEDH)
960                         {
961                         dhp=cert->dh_tmp;
962                         if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
963                                 dhp=cert->dh_tmp_cb(s,
964                                       !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
965                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
966                         if (dhp == NULL)
967                                 {
968                                 al=SSL_AD_HANDSHAKE_FAILURE;
969                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
970                                 goto f_err;
971                                 }
972                         if ((dh=DHparams_dup(dhp)) == NULL)
973                                 {
974                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
975                                 goto err;
976                                 }
977
978                         s->s3->tmp.dh=dh;
979                         if ((dhp->pub_key == NULL ||
980                              dhp->priv_key == NULL ||
981                              (s->options & SSL_OP_SINGLE_DH_USE)))
982                                 {
983                                 if(!DH_generate_key(dh))
984                                     {
985                                     SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
986                                            ERR_R_DH_LIB);
987                                     goto err;
988                                     }
989                                 }
990                         else
991                                 {
992                                 dh->pub_key=BN_dup(dhp->pub_key);
993                                 dh->priv_key=BN_dup(dhp->priv_key);
994                                 if ((dh->pub_key == NULL) ||
995                                         (dh->priv_key == NULL))
996                                         {
997                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
998                                         goto err;
999                                         }
1000                                 }
1001                         r[0]=dh->p;
1002                         r[1]=dh->g;
1003                         r[2]=dh->pub_key;
1004                         }
1005                 else 
1006 #endif
1007                         {
1008                         al=SSL_AD_HANDSHAKE_FAILURE;
1009                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1010                         goto f_err;
1011                         }
1012                 for (i=0; r[i] != NULL; i++)
1013                         {
1014                         nr[i]=BN_num_bytes(r[i]);
1015                         n+=2+nr[i];
1016                         }
1017
1018                 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
1019                         {
1020                         if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
1021                                 == NULL)
1022                                 {
1023                                 al=SSL_AD_DECODE_ERROR;
1024                                 goto f_err;
1025                                 }
1026                         kn=EVP_PKEY_size(pkey);
1027                         }
1028                 else
1029                         {
1030                         pkey=NULL;
1031                         kn=0;
1032                         }
1033
1034                 if (!BUF_MEM_grow(buf,n+4+kn))
1035                         {
1036                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1037                         goto err;
1038                         }
1039                 d=(unsigned char *)s->init_buf->data;
1040                 p= &(d[4]);
1041
1042                 for (i=0; r[i] != NULL; i++)
1043                         {
1044                         s2n(nr[i],p);
1045                         BN_bn2bin(r[i],p);
1046                         p+=nr[i];
1047                         }
1048
1049                 /* not anonymous */
1050                 if (pkey != NULL)
1051                         {
1052                         /* n is the length of the params, they start at &(d[4])
1053                          * and p points to the space at the end. */
1054 #ifndef NO_RSA
1055                         if (pkey->type == EVP_PKEY_RSA)
1056                                 {
1057                                 q=md_buf;
1058                                 j=0;
1059                                 for (num=2; num > 0; num--)
1060                                         {
1061                                         EVP_DigestInit(&md_ctx,(num == 2)
1062                                                 ?s->ctx->md5:s->ctx->sha1);
1063                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1064                                         EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1065                                         EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1066                                         EVP_DigestFinal(&md_ctx,q,
1067                                                 (unsigned int *)&i);
1068                                         q+=i;
1069                                         j+=i;
1070                                         }
1071                                 i=RSA_private_encrypt(j,md_buf,&(p[2]),
1072                                         pkey->pkey.rsa,RSA_PKCS1_PADDING);
1073                                 if (i <= 0)
1074                                         {
1075                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1076                                         goto err;
1077                                         }
1078                                 s2n(i,p);
1079                                 n+=i+2;
1080                                 }
1081                         else
1082 #endif
1083 #if !defined(NO_DSA)
1084                                 if (pkey->type == EVP_PKEY_DSA)
1085                                 {
1086                                 /* lets do DSS */
1087                                 EVP_SignInit(&md_ctx,EVP_dss1());
1088                                 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1089                                 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1090                                 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1091                                 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1092                                         (unsigned int *)&i,pkey))
1093                                         {
1094                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1095                                         goto err;
1096                                         }
1097                                 s2n(i,p);
1098                                 n+=i+2;
1099                                 }
1100                         else
1101 #endif
1102                                 {
1103                                 /* Is this error check actually needed? */
1104                                 al=SSL_AD_HANDSHAKE_FAILURE;
1105                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1106                                 goto f_err;
1107                                 }
1108                         }
1109
1110                 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
1111                 l2n3(n,d);
1112
1113                 /* we should now have things packed up, so lets send
1114                  * it off */
1115                 s->init_num=n+4;
1116                 s->init_off=0;
1117                 }
1118
1119         /* SSL3_ST_SW_KEY_EXCH_B */
1120         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1121 f_err:
1122         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1123 err:
1124         return(-1);
1125         }
1126
1127 static int ssl3_send_certificate_request(SSL *s)
1128         {
1129         unsigned char *p,*d;
1130         int i,j,nl,off,n;
1131         STACK_OF(X509_NAME) *sk=NULL;
1132         X509_NAME *name;
1133         BUF_MEM *buf;
1134
1135         if (s->state == SSL3_ST_SW_CERT_REQ_A)
1136                 {
1137                 buf=s->init_buf;
1138
1139                 d=p=(unsigned char *)&(buf->data[4]);
1140
1141                 /* get the list of acceptable cert types */
1142                 p++;
1143                 n=ssl3_get_req_cert_type(s,p);
1144                 d[0]=n;
1145                 p+=n;
1146                 n++;
1147
1148                 off=n;
1149                 p+=2;
1150                 n+=2;
1151
1152                 sk=SSL_get_client_CA_list(s);
1153                 nl=0;
1154                 if (sk != NULL)
1155                         {
1156                         for (i=0; i<sk_X509_NAME_num(sk); i++)
1157                                 {
1158                                 name=sk_X509_NAME_value(sk,i);
1159                                 j=i2d_X509_NAME(name,NULL);
1160                                 if (!BUF_MEM_grow(buf,4+n+j+2))
1161                                         {
1162                                         SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1163                                         goto err;
1164                                         }
1165                                 p=(unsigned char *)&(buf->data[4+n]);
1166                                 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1167                                         {
1168                                         s2n(j,p);
1169                                         i2d_X509_NAME(name,&p);
1170                                         n+=2+j;
1171                                         nl+=2+j;
1172                                         }
1173                                 else
1174                                         {
1175                                         d=p;
1176                                         i2d_X509_NAME(name,&p);
1177                                         j-=2; s2n(j,d); j+=2;
1178                                         n+=j;
1179                                         nl+=j;
1180                                         }
1181                                 }
1182                         }
1183                 /* else no CA names */
1184                 p=(unsigned char *)&(buf->data[4+off]);
1185                 s2n(nl,p);
1186
1187                 d=(unsigned char *)buf->data;
1188                 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1189                 l2n3(n,d);
1190
1191                 /* we should now have things packed up, so lets send
1192                  * it off */
1193
1194                 s->init_num=n+4;
1195                 s->init_off=0;
1196                 }
1197
1198         /* SSL3_ST_SW_CERT_REQ_B */
1199         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1200 err:
1201         return(-1);
1202         }
1203
1204 static int ssl3_get_client_key_exchange(SSL *s)
1205         {
1206         int i,al,ok;
1207         long n;
1208         unsigned long l;
1209         unsigned char *p;
1210         RSA *rsa=NULL;
1211         EVP_PKEY *pkey=NULL;
1212 #ifndef NO_DH
1213         BIGNUM *pub=NULL;
1214         DH *dh_srvr;
1215 #endif
1216
1217         n=ssl3_get_message(s,
1218                 SSL3_ST_SR_KEY_EXCH_A,
1219                 SSL3_ST_SR_KEY_EXCH_B,
1220                 SSL3_MT_CLIENT_KEY_EXCHANGE,
1221                 400, /* ???? */
1222                 &ok);
1223
1224         if (!ok) return((int)n);
1225         p=(unsigned char *)s->init_buf->data;
1226
1227         l=s->s3->tmp.new_cipher->algorithms;
1228
1229 #ifndef NO_RSA
1230         if (l & SSL_kRSA)
1231                 {
1232                 /* FIX THIS UP EAY EAY EAY EAY */
1233                 if (s->s3->tmp.use_rsa_tmp)
1234                         {
1235                         if ((s->session->cert != NULL) &&
1236                                 (s->session->cert->rsa_tmp != NULL))
1237                                 rsa=s->session->cert->rsa_tmp;
1238                         else if ((s->ctx->default_cert != NULL) &&
1239                                 (s->ctx->default_cert->rsa_tmp != NULL))
1240                                 rsa=s->ctx->default_cert->rsa_tmp;
1241                         /* Don't do a callback because rsa_tmp should
1242                          * be sent already */
1243                         if (rsa == NULL)
1244                                 {
1245                                 al=SSL_AD_HANDSHAKE_FAILURE;
1246                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
1247                                 goto f_err;
1248
1249                                 }
1250                         }
1251                 else
1252                         {
1253                         pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1254                         if (    (pkey == NULL) ||
1255                                 (pkey->type != EVP_PKEY_RSA) ||
1256                                 (pkey->pkey.rsa == NULL))
1257                                 {
1258                                 al=SSL_AD_HANDSHAKE_FAILURE;
1259                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
1260                                 goto f_err;
1261                                 }
1262                         rsa=pkey->pkey.rsa;
1263                         }
1264
1265                 /* TLS */
1266                 if (s->version > SSL3_VERSION)
1267                         {
1268                         n2s(p,i);
1269                         if (n != i+2)
1270                                 {
1271                                 if (!(s->options & SSL_OP_TLS_D5_BUG))
1272                                         {
1273                                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1274                                         goto err;
1275                                         }
1276                                 else
1277                                         p-=2;
1278                                 }
1279                         else
1280                                 n=i;
1281                         }
1282
1283                 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1284
1285 #if 1
1286                 /* If a bad decrypt, use a random master key */
1287                 if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
1288                         ((p[0] != (s->client_version>>8)) ||
1289                          (p[1] != (s->client_version & 0xff))))
1290                         {
1291                         int bad=1;
1292
1293                         if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
1294                                 (p[0] == (s->version>>8)) &&
1295                                 (p[1] == 0))
1296                                 {
1297                                 if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
1298                                         bad=0;
1299                                 }
1300                         if (bad)
1301                                 {
1302                                 p[0]=(s->version>>8);
1303                                 p[1]=(s->version & 0xff);
1304                                 RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1305                                 i=SSL_MAX_MASTER_KEY_LENGTH;
1306                                 }
1307                         /* else, an SSLeay bug, ssl only server, tls client */
1308                         }
1309 #else
1310                 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1311                         {
1312                         al=SSL_AD_DECODE_ERROR;
1313                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1314                         goto f_err;
1315                         }
1316
1317                 if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
1318                         {
1319                         al=SSL_AD_DECODE_ERROR;
1320                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1321                         goto f_err;
1322                         }
1323 #endif
1324
1325                 s->session->master_key_length=
1326                         s->method->ssl3_enc->generate_master_secret(s,
1327                                 s->session->master_key,
1328                                 p,i);
1329                 memset(p,0,i);
1330                 }
1331         else
1332 #endif
1333 #ifndef NO_DH
1334                 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1335                 {
1336                 n2s(p,i);
1337                 if (n != i+2)
1338                         {
1339                         if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1340                                 {
1341                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1342                                 goto err;
1343                                 }
1344                         else
1345                                 {
1346                                 p-=2;
1347                                 i=(int)n;
1348                                 }
1349                         }
1350
1351                 if (n == 0L) /* the parameters are in the cert */
1352                         {
1353                         al=SSL_AD_HANDSHAKE_FAILURE;
1354                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1355                         goto f_err;
1356                         }
1357                 else
1358                         {
1359                         if (s->s3->tmp.dh == NULL)
1360                                 {
1361                                 al=SSL_AD_HANDSHAKE_FAILURE;
1362                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1363                                 goto f_err;
1364                                 }
1365                         else
1366                                 dh_srvr=s->s3->tmp.dh;
1367                         }
1368
1369                 pub=BN_bin2bn(p,i,NULL);
1370                 if (pub == NULL)
1371                         {
1372                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
1373                         goto err;
1374                         }
1375
1376                 i=DH_compute_key(p,pub,dh_srvr);
1377
1378                 if (i <= 0)
1379                         {
1380                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1381                         goto err;
1382                         }
1383
1384                 DH_free(s->s3->tmp.dh);
1385                 s->s3->tmp.dh=NULL;
1386
1387                 BN_clear_free(pub);
1388                 pub=NULL;
1389                 s->session->master_key_length=
1390                         s->method->ssl3_enc->generate_master_secret(s,
1391                                 s->session->master_key,p,i);
1392                 }
1393         else
1394 #endif
1395                 {
1396                 al=SSL_AD_HANDSHAKE_FAILURE;
1397                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
1398                 goto f_err;
1399                 }
1400
1401         return(1);
1402 f_err:
1403         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1404 #if !defined(NO_DH) || !defined(NO_RSA)
1405 err:
1406 #endif
1407         return(-1);
1408         }
1409
1410 static int ssl3_get_cert_verify(SSL *s)
1411         {
1412         EVP_PKEY *pkey=NULL;
1413         unsigned char *p;
1414         int al,ok,ret=0;
1415         long n;
1416         int type=0,i,j;
1417         X509 *peer;
1418
1419         n=ssl3_get_message(s,
1420                 SSL3_ST_SR_CERT_VRFY_A,
1421                 SSL3_ST_SR_CERT_VRFY_B,
1422                 -1,
1423                 512, /* 512? */
1424                 &ok);
1425
1426         if (!ok) return((int)n);
1427
1428         if (s->session->peer != NULL)
1429                 {
1430                 peer=s->session->peer;
1431                 pkey=X509_get_pubkey(peer);
1432                 type=X509_certificate_type(peer,pkey);
1433                 }
1434         else
1435                 {
1436                 peer=NULL;
1437                 pkey=NULL;
1438                 }
1439
1440         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
1441                 {
1442                 s->s3->tmp.reuse_message=1;
1443                 if ((peer != NULL) && (type | EVP_PKT_SIGN))
1444                         {
1445                         al=SSL_AD_UNEXPECTED_MESSAGE;
1446                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
1447                         goto f_err;
1448                         }
1449                 ret=1;
1450                 goto end;
1451                 }
1452
1453         if (peer == NULL)
1454                 {
1455                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
1456                 al=SSL_AD_UNEXPECTED_MESSAGE;
1457                 goto f_err;
1458                 }
1459
1460         if (!(type & EVP_PKT_SIGN))
1461                 {
1462                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1463                 al=SSL_AD_ILLEGAL_PARAMETER;
1464                 goto f_err;
1465                 }
1466
1467         if (s->s3->change_cipher_spec)
1468                 {
1469                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1470                 al=SSL_AD_UNEXPECTED_MESSAGE;
1471                 goto f_err;
1472                 }
1473
1474         /* we now have a signature that we need to verify */
1475         p=(unsigned char *)s->init_buf->data;
1476         n2s(p,i);
1477         n-=2;
1478         if (i > n)
1479                 {
1480                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
1481                 al=SSL_AD_DECODE_ERROR;
1482                 goto f_err;
1483                 }
1484
1485         j=EVP_PKEY_size(pkey);
1486         if ((i > j) || (n > j) || (n <= 0))
1487                 {
1488                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
1489                 al=SSL_AD_DECODE_ERROR;
1490                 goto f_err;
1491                 }
1492
1493 #ifndef NO_RSA 
1494         if (pkey->type == EVP_PKEY_RSA)
1495                 {
1496                 i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
1497                 if (i < 0)
1498                         {
1499                         al=SSL_AD_DECRYPT_ERROR;
1500                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1501                         goto f_err;
1502                         }
1503                 if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
1504                         memcmp(&(s->s3->tmp.finish_md[0]),p,
1505                                 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
1506                         {
1507                         al=SSL_AD_DECRYPT_ERROR;
1508                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
1509                         goto f_err;
1510                         }
1511                 }
1512         else
1513 #endif
1514 #ifndef NO_DSA
1515                 if (pkey->type == EVP_PKEY_DSA)
1516                 {
1517                 j=DSA_verify(pkey->save_type,
1518                         &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
1519                         SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1520                 if (j <= 0)
1521                         {
1522                         /* bad signature */
1523                         al=SSL_AD_DECRYPT_ERROR;
1524                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
1525                         goto f_err;
1526                         }
1527                 }
1528         else
1529 #endif
1530                 {
1531                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
1532                 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1533                 goto f_err;
1534                 }
1535
1536
1537         ret=1;
1538         if (0)
1539                 {
1540 f_err:
1541                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1542                 }
1543 end:
1544         EVP_PKEY_free(pkey);
1545         return(ret);
1546         }
1547
1548 static int ssl3_get_client_certificate(SSL *s)
1549         {
1550         int i,ok,al,ret= -1;
1551         X509 *x=NULL;
1552         unsigned long l,nc,llen,n;
1553         unsigned char *p,*d,*q;
1554         STACK_OF(X509) *sk=NULL;
1555
1556         n=ssl3_get_message(s,
1557                 SSL3_ST_SR_CERT_A,
1558                 SSL3_ST_SR_CERT_B,
1559                 -1,
1560 #if defined(MSDOS) && !defined(WIN32)
1561                 1024*30, /* 30k max cert list :-) */
1562 #else
1563                 1024*100, /* 100k max cert list :-) */
1564 #endif
1565                 &ok);
1566
1567         if (!ok) return((int)n);
1568
1569         if      (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
1570                 {
1571                 if (    (s->verify_mode & SSL_VERIFY_PEER) &&
1572                         (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1573                         {
1574                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1575                         al=SSL_AD_HANDSHAKE_FAILURE;
1576                         goto f_err;
1577                         }
1578                 /* If tls asked for a client cert we must return a 0 list */
1579                 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1580                         {
1581                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
1582                         al=SSL_AD_UNEXPECTED_MESSAGE;
1583                         goto f_err;
1584                         }
1585                 s->s3->tmp.reuse_message=1;
1586                 return(1);
1587                 }
1588
1589         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1590                 {
1591                 al=SSL_AD_UNEXPECTED_MESSAGE;
1592                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1593                 goto f_err;
1594                 }
1595         d=p=(unsigned char *)s->init_buf->data;
1596
1597         if ((sk=sk_X509_new_null()) == NULL)
1598                 {
1599                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1600                 goto err;
1601                 }
1602
1603         n2l3(p,llen);
1604         if (llen+3 != n)
1605                 {
1606                 al=SSL_AD_DECODE_ERROR;
1607                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1608                 goto f_err;
1609                 }
1610         for (nc=0; nc<llen; )
1611                 {
1612                 n2l3(p,l);
1613                 if ((l+nc+3) > llen)
1614                         {
1615                         al=SSL_AD_DECODE_ERROR;
1616                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1617                         goto f_err;
1618                         }
1619
1620                 q=p;
1621                 x=d2i_X509(NULL,&p,l);
1622                 if (x == NULL)
1623                         {
1624                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
1625                         goto err;
1626                         }
1627                 if (p != (q+l))
1628                         {
1629                         al=SSL_AD_DECODE_ERROR;
1630                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1631                         goto f_err;
1632                         }
1633                 if (!sk_X509_push(sk,x))
1634                         {
1635                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1636                         goto err;
1637                         }
1638                 x=NULL;
1639                 nc+=l+3;
1640                 }
1641
1642         if (sk_X509_num(sk) <= 0)
1643                 {
1644                 /* TLS does not mind 0 certs returned */
1645                 if (s->version == SSL3_VERSION)
1646                         {
1647                         al=SSL_AD_HANDSHAKE_FAILURE;
1648                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
1649                         goto f_err;
1650                         }
1651                 /* Fail for TLS only if we required a certificate */
1652                 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
1653                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1654                         {
1655                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1656                         al=SSL_AD_HANDSHAKE_FAILURE;
1657                         goto f_err;
1658                         }
1659                 }
1660         else
1661                 {
1662                 i=ssl_verify_cert_chain(s,sk);
1663                 if (!i)
1664                         {
1665                         al=ssl_verify_alarm_type(s->verify_result);
1666                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
1667                         goto f_err;
1668                         }
1669                 }
1670
1671         /* This should not be needed */
1672         if (s->session->peer != NULL)
1673                 X509_free(s->session->peer);
1674         s->session->peer=sk_X509_shift(sk);
1675         s->session->cert->cert_chain=sk;
1676         sk=NULL;
1677
1678         ret=1;
1679         if (0)
1680                 {
1681 f_err:
1682                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1683                 }
1684 err:
1685         if (x != NULL) X509_free(x);
1686         if (sk != NULL) sk_X509_pop_free(sk,X509_free);
1687         return(ret);
1688         }
1689
1690 int ssl3_send_server_certificate(SSL *s)
1691         {
1692         unsigned long l;
1693         X509 *x;
1694
1695         if (s->state == SSL3_ST_SW_CERT_A)
1696                 {
1697                 x=ssl_get_server_send_cert(s);
1698                 if (x == NULL)
1699                         {
1700                         SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
1701                         return(0);
1702                         }
1703
1704                 l=ssl3_output_cert_chain(s,x);
1705                 s->state=SSL3_ST_SW_CERT_B;
1706                 s->init_num=(int)l;
1707                 s->init_off=0;
1708                 }
1709
1710         /* SSL3_ST_SW_CERT_B */
1711         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1712         }