Fix yet another bug for client hello handling.
[openssl.git] / ssl / s3_srvr.c
1 /* ssl/s3_srvr.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #define REUSE_CIPHER_BUG
60
61 #include <stdio.h>
62 #include <openssl/buffer.h>
63 #include <openssl/rand.h>
64 #include <openssl/objects.h>
65 #include <openssl/md5.h>
66 #include <openssl/sha.h>
67 #include <openssl/evp.h>
68 #include <openssl/x509.h>
69 #include "ssl_locl.h"
70
71 static SSL_METHOD *ssl3_get_server_method(int ver);
72 static int ssl3_get_client_hello(SSL *s);
73 static int ssl3_send_server_hello(SSL *s);
74 static int ssl3_send_server_key_exchange(SSL *s);
75 static int ssl3_send_certificate_request(SSL *s);
76 static int ssl3_send_server_done(SSL *s);
77 static int ssl3_get_cert_verify(SSL *s);
78 static int ssl3_get_client_key_exchange(SSL *s);
79 static int ssl3_get_client_certificate(SSL *s);
80 static int ssl3_send_hello_request(SSL *s);
81
82 static SSL_METHOD *ssl3_get_server_method(int ver)
83         {
84         if (ver == SSL3_VERSION)
85                 return(SSLv3_server_method());
86         else
87                 return(NULL);
88         }
89
90 SSL_METHOD *SSLv3_server_method(void)
91         {
92         static int init=1;
93         static SSL_METHOD SSLv3_server_data;
94
95         if (init)
96                 {
97                 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
98                         sizeof(SSL_METHOD));
99                 SSLv3_server_data.ssl_accept=ssl3_accept;
100                 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
101                 init=0;
102                 }
103         return(&SSLv3_server_data);
104         }
105
106 int ssl3_accept(SSL *s)
107         {
108         BUF_MEM *buf;
109         unsigned long l,Time=time(NULL);
110         void (*cb)()=NULL;
111         long num1;
112         int ret= -1;
113         int new_state,state,skip=0;
114
115         RAND_seed(&Time,sizeof(Time));
116         ERR_clear_error();
117         clear_sys_error();
118
119         if (s->info_callback != NULL)
120                 cb=s->info_callback;
121         else if (s->ctx->info_callback != NULL)
122                 cb=s->ctx->info_callback;
123
124         /* init things to blank */
125         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
126         s->in_handshake++;
127
128         if (s->cert == NULL)
129                 {
130                 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
131                 return(-1);
132                 }
133
134         for (;;)
135                 {
136                 state=s->state;
137
138                 switch (s->state)
139                         {
140                 case SSL_ST_RENEGOTIATE:
141                         s->new_session=1;
142                         /* s->state=SSL_ST_ACCEPT; */
143
144                 case SSL_ST_BEFORE:
145                 case SSL_ST_ACCEPT:
146                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
147                 case SSL_ST_OK|SSL_ST_ACCEPT:
148
149                         s->server=1;
150                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
151
152                         if ((s->version>>8) != 3)
153                                 abort();
154                         /* s->version=SSL3_VERSION; */
155                         s->type=SSL_ST_ACCEPT;
156
157                         if (s->init_buf == NULL)
158                                 {
159                                 if ((buf=BUF_MEM_new()) == NULL)
160                                         {
161                                         ret= -1;
162                                         goto end;
163                                         }
164                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
165                                         {
166                                         ret= -1;
167                                         goto end;
168                                         }
169                                 s->init_buf=buf;
170                                 }
171
172                         if (!ssl3_setup_buffers(s))
173                                 {
174                                 ret= -1;
175                                 goto end;
176                                 }
177
178                         /* Ok, we now need to push on a buffering BIO so that
179                          * the output is sent in a way that TCP likes :-)
180                          */
181                         if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
182
183                         s->init_num=0;
184
185                         if (s->state != SSL_ST_RENEGOTIATE)
186                                 {
187                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
188                                 ssl3_init_finished_mac(s);
189                                 s->ctx->stats.sess_accept++;
190                                 }
191                         else
192                                 {
193                                 s->ctx->stats.sess_accept_renegotiate++;
194                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
195                                 }
196                         break;
197
198                 case SSL3_ST_SW_HELLO_REQ_A:
199                 case SSL3_ST_SW_HELLO_REQ_B:
200
201                         s->shutdown=0;
202                         ret=ssl3_send_hello_request(s);
203                         if (ret <= 0) goto end;
204                         s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
205                         s->state=SSL3_ST_SW_FLUSH;
206                         s->init_num=0;
207
208                         ssl3_init_finished_mac(s);
209                         break;
210
211                 case SSL3_ST_SW_HELLO_REQ_C:
212                         s->state=SSL_ST_OK;
213                         ret=1;
214                         goto end;
215                         /* break; */
216
217                 case SSL3_ST_SR_CLNT_HELLO_A:
218                 case SSL3_ST_SR_CLNT_HELLO_B:
219                 case SSL3_ST_SR_CLNT_HELLO_C:
220
221                         s->shutdown=0;
222                         ret=ssl3_get_client_hello(s);
223                         if (ret <= 0) goto end;
224                         s->state=SSL3_ST_SW_SRVR_HELLO_A;
225                         s->init_num=0;
226                         break;
227
228                 case SSL3_ST_SW_SRVR_HELLO_A:
229                 case SSL3_ST_SW_SRVR_HELLO_B:
230                         ret=ssl3_send_server_hello(s);
231                         if (ret <= 0) goto end;
232
233                         if (s->hit)
234                                 s->state=SSL3_ST_SW_CHANGE_A;
235                         else
236                                 s->state=SSL3_ST_SW_CERT_A;
237                         s->init_num=0;
238                         break;
239
240                 case SSL3_ST_SW_CERT_A:
241                 case SSL3_ST_SW_CERT_B:
242                         /* Check if it is anon DH */
243                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
244                                 {
245                                 ret=ssl3_send_server_certificate(s);
246                                 if (ret <= 0) goto end;
247                                 }
248                         else
249                                 skip=1;
250                         s->state=SSL3_ST_SW_KEY_EXCH_A;
251                         s->init_num=0;
252                         break;
253
254                 case SSL3_ST_SW_KEY_EXCH_A:
255                 case SSL3_ST_SW_KEY_EXCH_B:
256                         l=s->s3->tmp.new_cipher->algorithms;
257
258                         /* clear this, it may get reset by
259                          * send_server_key_exchange */
260                         if (s->options & SSL_OP_EPHEMERAL_RSA)
261                                 s->s3->tmp.use_rsa_tmp=1;
262                         else
263                                 s->s3->tmp.use_rsa_tmp=0;
264
265                         /* only send if a DH key exchange, fortezza or
266                          * RSA but we have a sign only certificate */
267                         if (s->s3->tmp.use_rsa_tmp
268                             || (l & (SSL_DH|SSL_kFZA))
269                             || ((l & SSL_kRSA)
270                                 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
271                                     || (SSL_IS_EXPORT(l)
272                                         && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
273                                         )
274                                     )
275                                 )
276                             )
277                                 {
278                                 ret=ssl3_send_server_key_exchange(s);
279                                 if (ret <= 0) goto end;
280                                 }
281                         else
282                                 skip=1;
283
284                         s->state=SSL3_ST_SW_CERT_REQ_A;
285                         s->init_num=0;
286                         break;
287
288                 case SSL3_ST_SW_CERT_REQ_A:
289                 case SSL3_ST_SW_CERT_REQ_B:
290                         if (!(s->verify_mode & SSL_VERIFY_PEER) ||
291                                 ((s->session->peer != NULL) &&
292                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
293                                 {
294                                 /* no cert request */
295                                 skip=1;
296                                 s->s3->tmp.cert_request=0;
297                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
298                                 }
299                         else
300                                 {
301                                 s->s3->tmp.cert_request=1;
302                                 ret=ssl3_send_certificate_request(s);
303                                 if (ret <= 0) goto end;
304                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
305                                 s->init_num=0;
306                                 }
307                         break;
308
309                 case SSL3_ST_SW_SRVR_DONE_A:
310                 case SSL3_ST_SW_SRVR_DONE_B:
311                         ret=ssl3_send_server_done(s);
312                         if (ret <= 0) goto end;
313                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
314                         s->state=SSL3_ST_SW_FLUSH;
315                         s->init_num=0;
316                         break;
317                 
318                 case SSL3_ST_SW_FLUSH:
319                         /* number of bytes to be flushed */
320                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
321                         if (num1 > 0)
322                                 {
323                                 s->rwstate=SSL_WRITING;
324                                 num1=BIO_flush(s->wbio);
325                                 if (num1 <= 0) { ret= -1; goto end; }
326                                 s->rwstate=SSL_NOTHING;
327                                 }
328
329                         s->state=s->s3->tmp.next_state;
330                         break;
331
332                 case SSL3_ST_SR_CERT_A:
333                 case SSL3_ST_SR_CERT_B:
334                         /* could be sent for a DH cert, even if we
335                          * have not asked for it :-) */
336                         ret=ssl3_get_client_certificate(s);
337                         if (ret <= 0) goto end;
338                         s->init_num=0;
339                         s->state=SSL3_ST_SR_KEY_EXCH_A;
340                         break;
341
342                 case SSL3_ST_SR_KEY_EXCH_A:
343                 case SSL3_ST_SR_KEY_EXCH_B:
344                         ret=ssl3_get_client_key_exchange(s);
345                         if (ret <= 0) goto end;
346                         s->state=SSL3_ST_SR_CERT_VRFY_A;
347                         s->init_num=0;
348
349                         /* We need to get hashes here so if there is
350                          * a client cert, it can be verified */ 
351                         s->method->ssl3_enc->cert_verify_mac(s,
352                                 &(s->s3->finish_dgst1),
353                                 &(s->s3->tmp.finish_md[0]));
354                         s->method->ssl3_enc->cert_verify_mac(s,
355                                 &(s->s3->finish_dgst2),
356                                 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
357
358                         break;
359
360                 case SSL3_ST_SR_CERT_VRFY_A:
361                 case SSL3_ST_SR_CERT_VRFY_B:
362
363                         /* we should decide if we expected this one */
364                         ret=ssl3_get_cert_verify(s);
365                         if (ret <= 0) goto end;
366
367                         s->state=SSL3_ST_SR_FINISHED_A;
368                         s->init_num=0;
369                         break;
370
371                 case SSL3_ST_SR_FINISHED_A:
372                 case SSL3_ST_SR_FINISHED_B:
373                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
374                                 SSL3_ST_SR_FINISHED_B);
375                         if (ret <= 0) goto end;
376                         if (s->hit)
377                                 s->state=SSL_ST_OK;
378                         else
379                                 s->state=SSL3_ST_SW_CHANGE_A;
380                         s->init_num=0;
381                         break;
382
383                 case SSL3_ST_SW_CHANGE_A:
384                 case SSL3_ST_SW_CHANGE_B:
385
386                         s->session->cipher=s->s3->tmp.new_cipher;
387                         if (!s->method->ssl3_enc->setup_key_block(s))
388                                 { ret= -1; goto end; }
389
390                         ret=ssl3_send_change_cipher_spec(s,
391                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
392
393                         if (ret <= 0) goto end;
394                         s->state=SSL3_ST_SW_FINISHED_A;
395                         s->init_num=0;
396
397                         if (!s->method->ssl3_enc->change_cipher_state(s,
398                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
399                                 {
400                                 ret= -1;
401                                 goto end;
402                                 }
403
404                         break;
405
406                 case SSL3_ST_SW_FINISHED_A:
407                 case SSL3_ST_SW_FINISHED_B:
408                         ret=ssl3_send_finished(s,
409                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
410                                 s->method->ssl3_enc->server_finished,
411                                 s->method->ssl3_enc->server_finished_len);
412                         if (ret <= 0) goto end;
413                         s->state=SSL3_ST_SW_FLUSH;
414                         if (s->hit)
415                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
416                         else
417                                 s->s3->tmp.next_state=SSL_ST_OK;
418                         s->init_num=0;
419                         break;
420
421                 case SSL_ST_OK:
422                         /* clean a few things up */
423                         ssl3_cleanup_key_block(s);
424
425                         BUF_MEM_free(s->init_buf);
426                         s->init_buf=NULL;
427
428                         /* remove buffering on output */
429                         ssl_free_wbio_buffer(s);
430
431                         s->new_session=0;
432                         s->init_num=0;
433
434                         ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
435
436                         s->ctx->stats.sess_accept_good++;
437                         /* s->server=1; */
438                         s->handshake_func=ssl3_accept;
439                         ret=1;
440
441                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
442
443                         goto end;
444                         /* break; */
445
446                 default:
447                         SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
448                         ret= -1;
449                         goto end;
450                         /* break; */
451                         }
452                 
453                 if (!s->s3->tmp.reuse_message && !skip)
454                         {
455                         if (s->debug)
456                                 {
457                                 if ((ret=BIO_flush(s->wbio)) <= 0)
458                                         goto end;
459                                 }
460
461
462                         if ((cb != NULL) && (s->state != state))
463                                 {
464                                 new_state=s->state;
465                                 s->state=state;
466                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
467                                 s->state=new_state;
468                                 }
469                         }
470                 skip=0;
471                 }
472 end:
473         /* BIO_flush(s->wbio); */
474
475         if (cb != NULL)
476                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
477         s->in_handshake--;
478         return(ret);
479         }
480
481 static int ssl3_send_hello_request(SSL *s)
482         {
483         unsigned char *p;
484
485         if (s->state == SSL3_ST_SW_HELLO_REQ_A)
486                 {
487                 p=(unsigned char *)s->init_buf->data;
488                 *(p++)=SSL3_MT_CLIENT_REQUEST;
489                 *(p++)=0;
490                 *(p++)=0;
491                 *(p++)=0;
492
493                 s->state=SSL3_ST_SW_HELLO_REQ_B;
494                 /* number of bytes to write */
495                 s->init_num=4;
496                 s->init_off=0;
497                 }
498
499         /* SSL3_ST_SW_HELLO_REQ_B */
500         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
501         }
502
503 static int ssl3_get_client_hello(SSL *s)
504         {
505         int i,j,ok,al,ret= -1;
506         long n;
507         unsigned long id;
508         unsigned char *p,*d,*q;
509         SSL_CIPHER *c;
510         SSL_COMP *comp=NULL;
511         STACK_OF(SSL_CIPHER) *ciphers=NULL;
512
513         /* We do this so that we will respond with our native type.
514          * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
515          * This down switching should be handled by a different method.
516          * If we are SSLv3, we will respond with SSLv3, even if prompted with
517          * TLSv1.
518          */
519         if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
520                 {
521                 s->first_packet=1;
522                 s->state=SSL3_ST_SR_CLNT_HELLO_B;
523                 }
524         n=ssl3_get_message(s,
525                 SSL3_ST_SR_CLNT_HELLO_B,
526                 SSL3_ST_SR_CLNT_HELLO_C,
527                 SSL3_MT_CLIENT_HELLO,
528                 SSL3_RT_MAX_PLAIN_LENGTH,
529                 &ok);
530
531         if (!ok) return((int)n);
532         d=p=(unsigned char *)s->init_buf->data;
533
534         /* use version from inside client hello, not from record header
535          * (may differ: see RFC 2246, Appendix E, second paragraph) */
536         s->client_version=(((int)p[0])<<8)|(int)p[1];
537         p+=2;
538
539         /* load the client random */
540         memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
541         p+=SSL3_RANDOM_SIZE;
542
543         /* get the session-id */
544         j= *(p++);
545
546         s->hit=0;
547         if (j == 0)
548                 {
549                 if (!ssl_get_new_session(s,1))
550                         goto err;
551                 }
552         else
553                 {
554                 i=ssl_get_prev_session(s,p,j);
555                 if (i == 1)
556                         { /* previous session */
557                         s->hit=1;
558                         }
559                 else if (i == -1)
560                         goto err;
561                 else /* i == 0 */
562                         {
563                         if (!ssl_get_new_session(s,1))
564                                 goto err;
565                         }
566                 }
567
568         p+=j;
569         n2s(p,i);
570         if ((i == 0) && (j != 0))
571                 {
572                 /* we need a cipher if we are not resuming a session */
573                 al=SSL_AD_ILLEGAL_PARAMETER;
574                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
575                 goto f_err;
576                 }
577         if ((i+p) > (d+n))
578                 {
579                 /* not enough data */
580                 al=SSL_AD_DECODE_ERROR;
581                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
582                 goto f_err;
583                 }
584         if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
585                 == NULL))
586                 {
587                 goto err;
588                 }
589         p+=i;
590
591         /* If it is a hit, check that the cipher is in the list */
592         if ((s->hit) && (i > 0))
593                 {
594                 j=0;
595                 id=s->session->cipher->id;
596
597 #ifdef CIPHER_DEBUG
598                 printf("client sent %d ciphers\n",sk_num(ciphers));
599 #endif
600                 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
601                         {
602                         c=sk_SSL_CIPHER_value(ciphers,i);
603 #ifdef CIPHER_DEBUG
604                         printf("client [%2d of %2d]:%s\n",
605                                 i,sk_num(ciphers),SSL_CIPHER_get_name(c));
606 #endif
607                         if (c->id == id)
608                                 {
609                                 j=1;
610                                 break;
611                                 }
612                         }
613                 if (j == 0)
614                         {
615                         if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
616                                 {
617                                 /* Very bad for multi-threading.... */
618                                 s->session->cipher=sk_SSL_CIPHER_value(ciphers,
619                                                                        0);
620                                 }
621                         else
622                                 {
623                                 /* we need to have the cipher in the cipher
624                                  * list if we are asked to reuse it */
625                                 al=SSL_AD_ILLEGAL_PARAMETER;
626                                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
627                                 goto f_err;
628                                 }
629                         }
630                 }
631
632         /* compression */
633         i= *(p++);
634         q=p;
635         for (j=0; j<i; j++)
636                 {
637                 if (p[j] == 0) break;
638                 }
639
640         p+=i;
641         if (j >= i)
642                 {
643                 /* no compress */
644                 al=SSL_AD_DECODE_ERROR;
645                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
646                 goto f_err;
647                 }
648
649         /* Worst case, we will use the NULL compression, but if we have other
650          * options, we will now look for them.  We have i-1 compression
651          * algorithms from the client, starting at q. */
652         s->s3->tmp.new_compression=NULL;
653         if (s->ctx->comp_methods != NULL)
654                 { /* See if we have a match */
655                 int m,nn,o,v,done=0;
656
657                 nn=sk_SSL_COMP_num(s->ctx->comp_methods);
658                 for (m=0; m<nn; m++)
659                         {
660                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
661                         v=comp->id;
662                         for (o=0; o<i; o++)
663                                 {
664                                 if (v == q[o])
665                                         {
666                                         done=1;
667                                         break;
668                                         }
669                                 }
670                         if (done) break;
671                         }
672                 if (done)
673                         s->s3->tmp.new_compression=comp;
674                 else
675                         comp=NULL;
676                 }
677
678         /* TLS does not mind if there is extra stuff */
679         if (s->version == SSL3_VERSION)
680                 {
681                 if (p > (d+n))
682                         {
683                         /* wrong number of bytes,
684                          * there could be more to follow */
685                         al=SSL_AD_DECODE_ERROR;
686                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
687                         goto f_err;
688                         }
689                 }
690
691         /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
692          * pick a cipher */
693
694         if (!s->hit)
695                 {
696                 s->session->compress_meth=(comp == NULL)?0:comp->id;
697                 if (s->session->ciphers != NULL)
698                         sk_SSL_CIPHER_free(s->session->ciphers);
699                 s->session->ciphers=ciphers;
700                 if (ciphers == NULL)
701                         {
702                         al=SSL_AD_ILLEGAL_PARAMETER;
703                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
704                         goto f_err;
705                         }
706                 ciphers=NULL;
707                 c=ssl3_choose_cipher(s,s->session->ciphers,
708                                      ssl_get_ciphers_by_id(s));
709
710                 if (c == NULL)
711                         {
712                         al=SSL_AD_HANDSHAKE_FAILURE;
713                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
714                         goto f_err;
715                         }
716                 s->s3->tmp.new_cipher=c;
717                 }
718         else
719                 {
720                 /* Session-id reuse */
721 #ifdef REUSE_CIPHER_BUG
722                 STACK_OF(SSL_CIPHER) *sk;
723                 SSL_CIPHER *nc=NULL;
724                 SSL_CIPHER *ec=NULL;
725
726                 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
727                         {
728                         sk=s->session->ciphers;
729                         for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
730                                 {
731                                 c=sk_SSL_CIPHER_value(sk,i);
732                                 if (c->algorithms & SSL_eNULL)
733                                         nc=c;
734                                 if (SSL_C_IS_EXPORT(c))
735                                         ec=c;
736                                 }
737                         if (nc != NULL)
738                                 s->s3->tmp.new_cipher=nc;
739                         else if (ec != NULL)
740                                 s->s3->tmp.new_cipher=ec;
741                         else
742                                 s->s3->tmp.new_cipher=s->session->cipher;
743                         }
744                 else
745 #endif
746                 s->s3->tmp.new_cipher=s->session->cipher;
747                 }
748         
749         /* we now have the following setup. 
750          * client_random
751          * cipher_list          - our prefered list of ciphers
752          * ciphers              - the clients prefered list of ciphers
753          * compression          - basically ignored right now
754          * ssl version is set   - sslv3
755          * s->session           - The ssl session has been setup.
756          * s->hit               - sesson reuse flag
757          * s->tmp.new_cipher    - the new cipher to use.
758          */
759
760         ret=1;
761         if (0)
762                 {
763 f_err:
764                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
765                 }
766 err:
767         if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
768         return(ret);
769         }
770
771 static int ssl3_send_server_hello(SSL *s)
772         {
773         unsigned char *buf;
774         unsigned char *p,*d;
775         int i,sl;
776         unsigned long l,Time;
777
778         if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
779                 {
780                 buf=(unsigned char *)s->init_buf->data;
781                 p=s->s3->server_random;
782                 Time=time(NULL);                        /* Time */
783                 l2n(Time,p);
784                 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
785                 /* Do the message type and length last */
786                 d=p= &(buf[4]);
787
788                 *(p++)=s->version>>8;
789                 *(p++)=s->version&0xff;
790
791                 /* Random stuff */
792                 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
793                 p+=SSL3_RANDOM_SIZE;
794
795                 /* now in theory we have 3 options to sending back the
796                  * session id.  If it is a re-use, we send back the
797                  * old session-id, if it is a new session, we send
798                  * back the new session-id or we send back a 0 length
799                  * session-id if we want it to be single use.
800                  * Currently I will not implement the '0' length session-id
801                  * 12-Jan-98 - I'll now support the '0' length stuff.
802                  */
803                 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
804                         s->session->session_id_length=0;
805
806                 sl=s->session->session_id_length;
807                 *(p++)=sl;
808                 memcpy(p,s->session->session_id,sl);
809                 p+=sl;
810
811                 /* put the cipher */
812                 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
813                 p+=i;
814
815                 /* put the compression method */
816                 if (s->s3->tmp.new_compression == NULL)
817                         *(p++)=0;
818                 else
819                         *(p++)=s->s3->tmp.new_compression->id;
820
821                 /* do the header */
822                 l=(p-d);
823                 d=buf;
824                 *(d++)=SSL3_MT_SERVER_HELLO;
825                 l2n3(l,d);
826
827                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
828                 /* number of bytes to write */
829                 s->init_num=p-buf;
830                 s->init_off=0;
831                 }
832
833         /* SSL3_ST_CW_CLNT_HELLO_B */
834         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
835         }
836
837 static int ssl3_send_server_done(SSL *s)
838         {
839         unsigned char *p;
840
841         if (s->state == SSL3_ST_SW_SRVR_DONE_A)
842                 {
843                 p=(unsigned char *)s->init_buf->data;
844
845                 /* do the header */
846                 *(p++)=SSL3_MT_SERVER_DONE;
847                 *(p++)=0;
848                 *(p++)=0;
849                 *(p++)=0;
850
851                 s->state=SSL3_ST_SW_SRVR_DONE_B;
852                 /* number of bytes to write */
853                 s->init_num=4;
854                 s->init_off=0;
855                 }
856
857         /* SSL3_ST_CW_CLNT_HELLO_B */
858         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
859         }
860
861 static int ssl3_send_server_key_exchange(SSL *s)
862         {
863 #ifndef NO_RSA
864         unsigned char *q;
865         int j,num;
866         RSA *rsa;
867         unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
868 #endif
869 #ifndef NO_DH
870         DH *dh,*dhp;
871 #endif
872         EVP_PKEY *pkey;
873         unsigned char *p,*d;
874         int al,i;
875         unsigned long type;
876         int n;
877         CERT *cert;
878         BIGNUM *r[4];
879         int nr[4],kn;
880         BUF_MEM *buf;
881         EVP_MD_CTX md_ctx;
882
883         if (s->state == SSL3_ST_SW_KEY_EXCH_A)
884                 {
885                 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
886                 cert=s->cert;
887
888                 buf=s->init_buf;
889
890                 r[0]=r[1]=r[2]=r[3]=NULL;
891                 n=0;
892 #ifndef NO_RSA
893                 if (type & SSL_kRSA)
894                         {
895                         rsa=cert->rsa_tmp;
896                         if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
897                                 {
898                                 rsa=s->cert->rsa_tmp_cb(s,
899                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
900                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
901                                 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
902                                 cert->rsa_tmp=rsa;
903                                 }
904                         if (rsa == NULL)
905                                 {
906                                 al=SSL_AD_HANDSHAKE_FAILURE;
907                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
908                                 goto f_err;
909                                 }
910                         r[0]=rsa->n;
911                         r[1]=rsa->e;
912                         s->s3->tmp.use_rsa_tmp=1;
913                         }
914                 else
915 #endif
916 #ifndef NO_DH
917                         if (type & SSL_kEDH)
918                         {
919                         dhp=cert->dh_tmp;
920                         if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
921                                 dhp=s->cert->dh_tmp_cb(s,
922                                       !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
923                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
924                         if (dhp == NULL)
925                                 {
926                                 al=SSL_AD_HANDSHAKE_FAILURE;
927                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
928                                 goto f_err;
929                                 }
930                         if ((dh=DHparams_dup(dhp)) == NULL)
931                                 {
932                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
933                                 goto err;
934                                 }
935
936                         s->s3->tmp.dh=dh;
937                         if ((dhp->pub_key == NULL ||
938                              dhp->priv_key == NULL ||
939                              (s->options & SSL_OP_SINGLE_DH_USE)))
940                                 {
941                                 if(!DH_generate_key(dh))
942                                     {
943                                     SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
944                                            ERR_R_DH_LIB);
945                                     goto err;
946                                     }
947                                 }
948                         else
949                                 {
950                                 dh->pub_key=BN_dup(dhp->pub_key);
951                                 dh->priv_key=BN_dup(dhp->priv_key);
952                                 if ((dh->pub_key == NULL) ||
953                                         (dh->priv_key == NULL))
954                                         {
955                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
956                                         goto err;
957                                         }
958                                 }
959                         r[0]=dh->p;
960                         r[1]=dh->g;
961                         r[2]=dh->pub_key;
962                         }
963                 else 
964 #endif
965                         {
966                         al=SSL_AD_HANDSHAKE_FAILURE;
967                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
968                         goto f_err;
969                         }
970                 for (i=0; r[i] != NULL; i++)
971                         {
972                         nr[i]=BN_num_bytes(r[i]);
973                         n+=2+nr[i];
974                         }
975
976                 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
977                         {
978                         if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
979                                 == NULL)
980                                 {
981                                 al=SSL_AD_DECODE_ERROR;
982                                 goto f_err;
983                                 }
984                         kn=EVP_PKEY_size(pkey);
985                         }
986                 else
987                         {
988                         pkey=NULL;
989                         kn=0;
990                         }
991
992                 if (!BUF_MEM_grow(buf,n+4+kn))
993                         {
994                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
995                         goto err;
996                         }
997                 d=(unsigned char *)s->init_buf->data;
998                 p= &(d[4]);
999
1000                 for (i=0; r[i] != NULL; i++)
1001                         {
1002                         s2n(nr[i],p);
1003                         BN_bn2bin(r[i],p);
1004                         p+=nr[i];
1005                         }
1006
1007                 /* not anonymous */
1008                 if (pkey != NULL)
1009                         {
1010                         /* n is the length of the params, they start at &(d[4])
1011                          * and p points to the space at the end. */
1012 #ifndef NO_RSA
1013                         if (pkey->type == EVP_PKEY_RSA)
1014                                 {
1015                                 q=md_buf;
1016                                 j=0;
1017                                 for (num=2; num > 0; num--)
1018                                         {
1019                                         EVP_DigestInit(&md_ctx,(num == 2)
1020                                                 ?s->ctx->md5:s->ctx->sha1);
1021                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1022                                         EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1023                                         EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1024                                         EVP_DigestFinal(&md_ctx,q,
1025                                                 (unsigned int *)&i);
1026                                         q+=i;
1027                                         j+=i;
1028                                         }
1029                                 i=RSA_private_encrypt(j,md_buf,&(p[2]),
1030                                         pkey->pkey.rsa,RSA_PKCS1_PADDING);
1031                                 if (i <= 0)
1032                                         {
1033                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1034                                         goto err;
1035                                         }
1036                                 s2n(i,p);
1037                                 n+=i+2;
1038                                 }
1039                         else
1040 #endif
1041 #if !defined(NO_DSA)
1042                                 if (pkey->type == EVP_PKEY_DSA)
1043                                 {
1044                                 /* lets do DSS */
1045                                 EVP_SignInit(&md_ctx,EVP_dss1());
1046                                 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1047                                 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1048                                 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1049                                 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1050                                         (unsigned int *)&i,pkey))
1051                                         {
1052                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1053                                         goto err;
1054                                         }
1055                                 s2n(i,p);
1056                                 n+=i+2;
1057                                 }
1058                         else
1059 #endif
1060                                 {
1061                                 /* Is this error check actually needed? */
1062                                 al=SSL_AD_HANDSHAKE_FAILURE;
1063                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1064                                 goto f_err;
1065                                 }
1066                         }
1067
1068                 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
1069                 l2n3(n,d);
1070
1071                 /* we should now have things packed up, so lets send
1072                  * it off */
1073                 s->init_num=n+4;
1074                 s->init_off=0;
1075                 }
1076
1077         /* SSL3_ST_SW_KEY_EXCH_B */
1078         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1079 f_err:
1080         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1081 err:
1082         return(-1);
1083         }
1084
1085 static int ssl3_send_certificate_request(SSL *s)
1086         {
1087         unsigned char *p,*d;
1088         int i,j,nl,off,n;
1089         STACK_OF(X509_NAME) *sk=NULL;
1090         X509_NAME *name;
1091         BUF_MEM *buf;
1092
1093         if (s->state == SSL3_ST_SW_CERT_REQ_A)
1094                 {
1095                 buf=s->init_buf;
1096
1097                 d=p=(unsigned char *)&(buf->data[4]);
1098
1099                 /* get the list of acceptable cert types */
1100                 p++;
1101                 n=ssl3_get_req_cert_type(s,p);
1102                 d[0]=n;
1103                 p+=n;
1104                 n++;
1105
1106                 off=n;
1107                 p+=2;
1108                 n+=2;
1109
1110                 sk=SSL_get_client_CA_list(s);
1111                 nl=0;
1112                 if (sk != NULL)
1113                         {
1114                         for (i=0; i<sk_X509_NAME_num(sk); i++)
1115                                 {
1116                                 name=sk_X509_NAME_value(sk,i);
1117                                 j=i2d_X509_NAME(name,NULL);
1118                                 if (!BUF_MEM_grow(buf,4+n+j+2))
1119                                         {
1120                                         SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1121                                         goto err;
1122                                         }
1123                                 p=(unsigned char *)&(buf->data[4+n]);
1124                                 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1125                                         {
1126                                         s2n(j,p);
1127                                         i2d_X509_NAME(name,&p);
1128                                         n+=2+j;
1129                                         nl+=2+j;
1130                                         }
1131                                 else
1132                                         {
1133                                         d=p;
1134                                         i2d_X509_NAME(name,&p);
1135                                         j-=2; s2n(j,d); j+=2;
1136                                         n+=j;
1137                                         nl+=j;
1138                                         }
1139                                 }
1140                         }
1141                 /* else no CA names */
1142                 p=(unsigned char *)&(buf->data[4+off]);
1143                 s2n(nl,p);
1144
1145                 d=(unsigned char *)buf->data;
1146                 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1147                 l2n3(n,d);
1148
1149                 /* we should now have things packed up, so lets send
1150                  * it off */
1151
1152                 s->init_num=n+4;
1153                 s->init_off=0;
1154                 }
1155
1156         /* SSL3_ST_SW_CERT_REQ_B */
1157         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1158 err:
1159         return(-1);
1160         }
1161
1162 static int ssl3_get_client_key_exchange(SSL *s)
1163         {
1164         int i,al,ok;
1165         long n;
1166         unsigned long l;
1167         unsigned char *p;
1168 #ifndef NO_RSA
1169         RSA *rsa=NULL;
1170         EVP_PKEY *pkey=NULL;
1171 #endif
1172 #ifndef NO_DH
1173         BIGNUM *pub=NULL;
1174         DH *dh_srvr;
1175 #endif
1176
1177         n=ssl3_get_message(s,
1178                 SSL3_ST_SR_KEY_EXCH_A,
1179                 SSL3_ST_SR_KEY_EXCH_B,
1180                 SSL3_MT_CLIENT_KEY_EXCHANGE,
1181                 400, /* ???? */
1182                 &ok);
1183
1184         if (!ok) return((int)n);
1185         p=(unsigned char *)s->init_buf->data;
1186
1187         l=s->s3->tmp.new_cipher->algorithms;
1188
1189 #ifndef NO_RSA
1190         if (l & SSL_kRSA)
1191                 {
1192                 /* FIX THIS UP EAY EAY EAY EAY */
1193                 if (s->s3->tmp.use_rsa_tmp)
1194                         {
1195                         if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
1196                                 rsa=s->cert->rsa_tmp;
1197                         /* Don't do a callback because rsa_tmp should
1198                          * be sent already */
1199                         if (rsa == NULL)
1200                                 {
1201                                 al=SSL_AD_HANDSHAKE_FAILURE;
1202                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
1203                                 goto f_err;
1204
1205                                 }
1206                         }
1207                 else
1208                         {
1209                         pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1210                         if (    (pkey == NULL) ||
1211                                 (pkey->type != EVP_PKEY_RSA) ||
1212                                 (pkey->pkey.rsa == NULL))
1213                                 {
1214                                 al=SSL_AD_HANDSHAKE_FAILURE;
1215                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
1216                                 goto f_err;
1217                                 }
1218                         rsa=pkey->pkey.rsa;
1219                         }
1220
1221                 /* TLS */
1222                 if (s->version > SSL3_VERSION)
1223                         {
1224                         n2s(p,i);
1225                         if (n != i+2)
1226                                 {
1227                                 if (!(s->options & SSL_OP_TLS_D5_BUG))
1228                                         {
1229                                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1230                                         goto err;
1231                                         }
1232                                 else
1233                                         p-=2;
1234                                 }
1235                         else
1236                                 n=i;
1237                         }
1238
1239                 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1240
1241 #if 0
1242                 /* If a bad decrypt, use a random master key */
1243                 if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
1244                         ((p[0] != (s->client_version>>8)) ||
1245                          (p[1] != (s->client_version & 0xff))))
1246                         {
1247                         int bad=1;
1248
1249                         if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
1250                                 (p[0] == (s->version>>8)) &&
1251                                 (p[1] == 0))
1252                                 {
1253                                 if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
1254                                         bad=0;
1255                                 }
1256                         if (bad)
1257                                 {
1258                                 p[0]=(s->version>>8);
1259                                 p[1]=(s->version & 0xff);
1260                                 RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1261                                 i=SSL_MAX_MASTER_KEY_LENGTH;
1262                                 }
1263                         /* else, an SSLeay bug, ssl only server, tls client */
1264                         }
1265 #else
1266                 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1267                         {
1268                         al=SSL_AD_DECODE_ERROR;
1269                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1270                         goto f_err;
1271                         }
1272
1273                 if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff)))
1274                         {
1275                         al=SSL_AD_DECODE_ERROR;
1276                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1277                         goto f_err;
1278                         }
1279 #endif
1280
1281                 s->session->master_key_length=
1282                         s->method->ssl3_enc->generate_master_secret(s,
1283                                 s->session->master_key,
1284                                 p,i);
1285                 memset(p,0,i);
1286                 }
1287         else
1288 #endif
1289 #ifndef NO_DH
1290                 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1291                 {
1292                 n2s(p,i);
1293                 if (n != i+2)
1294                         {
1295                         if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1296                                 {
1297                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1298                                 goto err;
1299                                 }
1300                         else
1301                                 {
1302                                 p-=2;
1303                                 i=(int)n;
1304                                 }
1305                         }
1306
1307                 if (n == 0L) /* the parameters are in the cert */
1308                         {
1309                         al=SSL_AD_HANDSHAKE_FAILURE;
1310                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1311                         goto f_err;
1312                         }
1313                 else
1314                         {
1315                         if (s->s3->tmp.dh == NULL)
1316                                 {
1317                                 al=SSL_AD_HANDSHAKE_FAILURE;
1318                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1319                                 goto f_err;
1320                                 }
1321                         else
1322                                 dh_srvr=s->s3->tmp.dh;
1323                         }
1324
1325                 pub=BN_bin2bn(p,i,NULL);
1326                 if (pub == NULL)
1327                         {
1328                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
1329                         goto err;
1330                         }
1331
1332                 i=DH_compute_key(p,pub,dh_srvr);
1333
1334                 if (i <= 0)
1335                         {
1336                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1337                         goto err;
1338                         }
1339
1340                 DH_free(s->s3->tmp.dh);
1341                 s->s3->tmp.dh=NULL;
1342
1343                 BN_clear_free(pub);
1344                 pub=NULL;
1345                 s->session->master_key_length=
1346                         s->method->ssl3_enc->generate_master_secret(s,
1347                                 s->session->master_key,p,i);
1348                 }
1349         else
1350 #endif
1351                 {
1352                 al=SSL_AD_HANDSHAKE_FAILURE;
1353                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
1354                 goto f_err;
1355                 }
1356
1357         return(1);
1358 f_err:
1359         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1360 #if !defined(NO_DH) || !defined(NO_RSA)
1361 err:
1362 #endif
1363         return(-1);
1364         }
1365
1366 static int ssl3_get_cert_verify(SSL *s)
1367         {
1368         EVP_PKEY *pkey=NULL;
1369         unsigned char *p;
1370         int al,ok,ret=0;
1371         long n;
1372         int type=0,i,j;
1373         X509 *peer;
1374
1375         n=ssl3_get_message(s,
1376                 SSL3_ST_SR_CERT_VRFY_A,
1377                 SSL3_ST_SR_CERT_VRFY_B,
1378                 -1,
1379                 512, /* 512? */
1380                 &ok);
1381
1382         if (!ok) return((int)n);
1383
1384         if (s->session->peer != NULL)
1385                 {
1386                 peer=s->session->peer;
1387                 pkey=X509_get_pubkey(peer);
1388                 type=X509_certificate_type(peer,pkey);
1389                 }
1390         else
1391                 {
1392                 peer=NULL;
1393                 pkey=NULL;
1394                 }
1395
1396         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
1397                 {
1398                 s->s3->tmp.reuse_message=1;
1399                 if ((peer != NULL) && (type | EVP_PKT_SIGN))
1400                         {
1401                         al=SSL_AD_UNEXPECTED_MESSAGE;
1402                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
1403                         goto f_err;
1404                         }
1405                 ret=1;
1406                 goto end;
1407                 }
1408
1409         if (peer == NULL)
1410                 {
1411                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
1412                 al=SSL_AD_UNEXPECTED_MESSAGE;
1413                 goto f_err;
1414                 }
1415
1416         if (!(type & EVP_PKT_SIGN))
1417                 {
1418                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1419                 al=SSL_AD_ILLEGAL_PARAMETER;
1420                 goto f_err;
1421                 }
1422
1423         if (s->s3->change_cipher_spec)
1424                 {
1425                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1426                 al=SSL_AD_UNEXPECTED_MESSAGE;
1427                 goto f_err;
1428                 }
1429
1430         /* we now have a signature that we need to verify */
1431         p=(unsigned char *)s->init_buf->data;
1432         n2s(p,i);
1433         n-=2;
1434         if (i > n)
1435                 {
1436                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
1437                 al=SSL_AD_DECODE_ERROR;
1438                 goto f_err;
1439                 }
1440
1441         j=EVP_PKEY_size(pkey);
1442         if ((i > j) || (n > j) || (n <= 0))
1443                 {
1444                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
1445                 al=SSL_AD_DECODE_ERROR;
1446                 goto f_err;
1447                 }
1448
1449 #ifndef NO_RSA 
1450         if (pkey->type == EVP_PKEY_RSA)
1451                 {
1452                 i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
1453                 if (i < 0)
1454                         {
1455                         al=SSL_AD_DECRYPT_ERROR;
1456                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1457                         goto f_err;
1458                         }
1459                 if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
1460                         memcmp(&(s->s3->tmp.finish_md[0]),p,
1461                                 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
1462                         {
1463                         al=SSL_AD_DECRYPT_ERROR;
1464                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
1465                         goto f_err;
1466                         }
1467                 }
1468         else
1469 #endif
1470 #ifndef NO_DSA
1471                 if (pkey->type == EVP_PKEY_DSA)
1472                 {
1473                 j=DSA_verify(pkey->save_type,
1474                         &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
1475                         SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1476                 if (j <= 0)
1477                         {
1478                         /* bad signature */
1479                         al=SSL_AD_DECRYPT_ERROR;
1480                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
1481                         goto f_err;
1482                         }
1483                 }
1484         else
1485 #endif
1486                 {
1487                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
1488                 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1489                 goto f_err;
1490                 }
1491
1492
1493         ret=1;
1494         if (0)
1495                 {
1496 f_err:
1497                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1498                 }
1499 end:
1500         EVP_PKEY_free(pkey);
1501         return(ret);
1502         }
1503
1504 static int ssl3_get_client_certificate(SSL *s)
1505         {
1506         int i,ok,al,ret= -1;
1507         X509 *x=NULL;
1508         unsigned long l,nc,llen,n;
1509         unsigned char *p,*d,*q;
1510         STACK_OF(X509) *sk=NULL;
1511
1512         n=ssl3_get_message(s,
1513                 SSL3_ST_SR_CERT_A,
1514                 SSL3_ST_SR_CERT_B,
1515                 -1,
1516 #if defined(MSDOS) && !defined(WIN32)
1517                 1024*30, /* 30k max cert list :-) */
1518 #else
1519                 1024*100, /* 100k max cert list :-) */
1520 #endif
1521                 &ok);
1522
1523         if (!ok) return((int)n);
1524
1525         if      (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
1526                 {
1527                 if (    (s->verify_mode & SSL_VERIFY_PEER) &&
1528                         (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1529                         {
1530                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1531                         al=SSL_AD_HANDSHAKE_FAILURE;
1532                         goto f_err;
1533                         }
1534                 /* If tls asked for a client cert we must return a 0 list */
1535                 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1536                         {
1537                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
1538                         al=SSL_AD_UNEXPECTED_MESSAGE;
1539                         goto f_err;
1540                         }
1541                 s->s3->tmp.reuse_message=1;
1542                 return(1);
1543                 }
1544
1545         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1546                 {
1547                 al=SSL_AD_UNEXPECTED_MESSAGE;
1548                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1549                 goto f_err;
1550                 }
1551         d=p=(unsigned char *)s->init_buf->data;
1552
1553         if ((sk=sk_X509_new_null()) == NULL)
1554                 {
1555                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1556                 goto err;
1557                 }
1558
1559         n2l3(p,llen);
1560         if (llen+3 != n)
1561                 {
1562                 al=SSL_AD_DECODE_ERROR;
1563                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1564                 goto f_err;
1565                 }
1566         for (nc=0; nc<llen; )
1567                 {
1568                 n2l3(p,l);
1569                 if ((l+nc+3) > llen)
1570                         {
1571                         al=SSL_AD_DECODE_ERROR;
1572                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1573                         goto f_err;
1574                         }
1575
1576                 q=p;
1577                 x=d2i_X509(NULL,&p,l);
1578                 if (x == NULL)
1579                         {
1580                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
1581                         goto err;
1582                         }
1583                 if (p != (q+l))
1584                         {
1585                         al=SSL_AD_DECODE_ERROR;
1586                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1587                         goto f_err;
1588                         }
1589                 if (!sk_X509_push(sk,x))
1590                         {
1591                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1592                         goto err;
1593                         }
1594                 x=NULL;
1595                 nc+=l+3;
1596                 }
1597
1598         if (sk_X509_num(sk) <= 0)
1599                 {
1600                 /* TLS does not mind 0 certs returned */
1601                 if (s->version == SSL3_VERSION)
1602                         {
1603                         al=SSL_AD_HANDSHAKE_FAILURE;
1604                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
1605                         goto f_err;
1606                         }
1607                 /* Fail for TLS only if we required a certificate */
1608                 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
1609                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1610                         {
1611                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1612                         al=SSL_AD_HANDSHAKE_FAILURE;
1613                         goto f_err;
1614                         }
1615                 }
1616         else
1617                 {
1618                 i=ssl_verify_cert_chain(s,sk);
1619                 if (!i)
1620                         {
1621                         al=ssl_verify_alarm_type(s->verify_result);
1622                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
1623                         goto f_err;
1624                         }
1625                 }
1626
1627         if (s->session->peer != NULL) /* This should not be needed */
1628                 X509_free(s->session->peer);
1629         s->session->peer=sk_X509_shift(sk);
1630
1631         /* With the current implementation, sess_cert will always be NULL
1632          * when we arrive here. */
1633         if (s->session->sess_cert == NULL)
1634                 {
1635                 s->session->sess_cert = ssl_sess_cert_new();
1636                 if (s->session->sess_cert == NULL)
1637                         {
1638                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1639                         goto err;
1640                         }
1641                 }
1642         if (s->session->sess_cert->cert_chain != NULL)
1643                 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
1644         s->session->sess_cert->cert_chain=sk;
1645
1646         sk=NULL;
1647
1648         ret=1;
1649         if (0)
1650                 {
1651 f_err:
1652                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1653                 }
1654 err:
1655         if (x != NULL) X509_free(x);
1656         if (sk != NULL) sk_X509_pop_free(sk,X509_free);
1657         return(ret);
1658         }
1659
1660 int ssl3_send_server_certificate(SSL *s)
1661         {
1662         unsigned long l;
1663         X509 *x;
1664
1665         if (s->state == SSL3_ST_SW_CERT_A)
1666                 {
1667                 x=ssl_get_server_send_cert(s);
1668                 if (x == NULL)
1669                         {
1670                         SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
1671                         return(0);
1672                         }
1673
1674                 l=ssl3_output_cert_chain(s,x);
1675                 s->state=SSL3_ST_SW_CERT_B;
1676                 s->init_num=(int)l;
1677                 s->init_off=0;
1678                 }
1679
1680         /* SSL3_ST_SW_CERT_B */
1681         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1682         }