projects / openssl.git / blob
? search:


d211fd48cb404f77b6378e72d62b7b84b0948f5e
[openssl.git] / ssl / s3_srvr.c
1 /* ssl/s3_srvr.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #define REUSE_CIPHER_BUG
113 #define NETSCAPE_HANG_BUG
114
115
116 #include <stdio.h>
117 #include <openssl/buffer.h>
118 #include <openssl/rand.h>
119 #include <openssl/objects.h>
120 #include <openssl/md5.h>
121 #include <openssl/sha.h>
122 #include <openssl/evp.h>
123 #include <openssl/x509.h>
124 #include "ssl_locl.h"
125 #include "cryptlib.h"
126
127 static SSL_METHOD *ssl3_get_server_method(int ver);
128 static int ssl3_get_client_hello(SSL *s);
129 static int ssl3_check_client_hello(SSL *s);
130 static int ssl3_send_server_hello(SSL *s);
131 static int ssl3_send_server_key_exchange(SSL *s);
132 static int ssl3_send_certificate_request(SSL *s);
133 static int ssl3_send_server_done(SSL *s);
134 static int ssl3_get_client_key_exchange(SSL *s);
135 static int ssl3_get_client_certificate(SSL *s);
136 static int ssl3_get_cert_verify(SSL *s);
137 static int ssl3_send_hello_request(SSL *s);
138
139 static SSL_METHOD *ssl3_get_server_method(int ver)
140         {
141         if (ver == SSL3_VERSION)
142                 return(SSLv3_server_method());
143         else
144                 return(NULL);
145         }
146
147 SSL_METHOD *SSLv3_server_method(void)
148         {
149         static int init=1;
150         static SSL_METHOD SSLv3_server_data;
151
152         if (init)
153                 {
154                 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
155                         sizeof(SSL_METHOD));
156                 SSLv3_server_data.ssl_accept=ssl3_accept;
157                 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
158                 init=0;
159                 }
160         return(&SSLv3_server_data);
161         }
162
163 int ssl3_accept(SSL *s)
164         {
165         BUF_MEM *buf;
166         unsigned long l,Time=time(NULL);
167         void (*cb)()=NULL;
168         long num1;
169         int ret= -1;
170         int new_state,state,skip=0;
171
172         RAND_add(&Time,sizeof(Time),0);
173         ERR_clear_error();
174         clear_sys_error();
175
176         if (s->info_callback != NULL)
177                 cb=s->info_callback;
178         else if (s->ctx->info_callback != NULL)
179                 cb=s->ctx->info_callback;
180
181         /* init things to blank */
182         s->in_handshake++;
183         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
184
185         if (s->cert == NULL)
186                 {
187                 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
188                 return(-1);
189                 }
190
191         for (;;)
192                 {
193                 state=s->state;
194
195                 switch (s->state)
196                         {
197                 case SSL_ST_RENEGOTIATE:
198                         s->new_session=1;
199                         /* s->state=SSL_ST_ACCEPT; */
200
201                 case SSL_ST_BEFORE:
202                 case SSL_ST_ACCEPT:
203                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
204                 case SSL_ST_OK|SSL_ST_ACCEPT:
205
206                         s->server=1;
207                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
208
209                         if ((s->version>>8) != 3)
210                                 {
211                                 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_INTERNAL_ERROR);
212                                 return -1;
213                                 }
214                         s->type=SSL_ST_ACCEPT;
215
216                         if (s->init_buf == NULL)
217                                 {
218                                 if ((buf=BUF_MEM_new()) == NULL)
219                                         {
220                                         ret= -1;
221                                         goto end;
222                                         }
223                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
224                                         {
225                                         ret= -1;
226                                         goto end;
227                                         }
228                                 s->init_buf=buf;
229                                 }
230
231                         if (!ssl3_setup_buffers(s))
232                                 {
233                                 ret= -1;
234                                 goto end;
235                                 }
236
237                         s->init_num=0;
238
239                         if (s->state != SSL_ST_RENEGOTIATE)
240                                 {
241                                 /* Ok, we now need to push on a buffering BIO so that
242                                  * the output is sent in a way that TCP likes :-)
243                                  */
244                                 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
245                                 
246                                 ssl3_init_finished_mac(s);
247                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
248                                 s->ctx->stats.sess_accept++;
249                                 }
250                         else
251                                 {
252                                 /* s->state == SSL_ST_RENEGOTIATE,
253                                  * we will just send a HelloRequest */
254                                 s->ctx->stats.sess_accept_renegotiate++;
255                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
256                                 }
257                         break;
258
259                 case SSL3_ST_SW_HELLO_REQ_A:
260                 case SSL3_ST_SW_HELLO_REQ_B:
261
262                         s->shutdown=0;
263                         ret=ssl3_send_hello_request(s);
264                         if (ret <= 0) goto end;
265                         s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
266                         s->state=SSL3_ST_SW_FLUSH;
267                         s->init_num=0;
268
269                         ssl3_init_finished_mac(s);
270                         break;
271
272                 case SSL3_ST_SW_HELLO_REQ_C:
273                         s->state=SSL_ST_OK;
274                         break;
275
276                 case SSL3_ST_SR_CLNT_HELLO_A:
277                 case SSL3_ST_SR_CLNT_HELLO_B:
278                 case SSL3_ST_SR_CLNT_HELLO_C:
279
280                         s->shutdown=0;
281                         ret=ssl3_get_client_hello(s);
282                         if (ret <= 0) goto end;
283                         s->new_session = 2;
284                         s->state=SSL3_ST_SW_SRVR_HELLO_A;
285                         s->init_num=0;
286                         break;
287
288                 case SSL3_ST_SW_SRVR_HELLO_A:
289                 case SSL3_ST_SW_SRVR_HELLO_B:
290                         ret=ssl3_send_server_hello(s);
291                         if (ret <= 0) goto end;
292
293                         if (s->hit)
294                                 s->state=SSL3_ST_SW_CHANGE_A;
295                         else
296                                 s->state=SSL3_ST_SW_CERT_A;
297                         s->init_num=0;
298                         break;
299
300                 case SSL3_ST_SW_CERT_A:
301                 case SSL3_ST_SW_CERT_B:
302                         /* Check if it is anon DH */
303                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
304                                 {
305                                 ret=ssl3_send_server_certificate(s);
306                                 if (ret <= 0) goto end;
307                                 }
308                         else
309                                 skip=1;
310                         s->state=SSL3_ST_SW_KEY_EXCH_A;
311                         s->init_num=0;
312                         break;
313
314                 case SSL3_ST_SW_KEY_EXCH_A:
315                 case SSL3_ST_SW_KEY_EXCH_B:
316                         l=s->s3->tmp.new_cipher->algorithms;
317
318                         /* clear this, it may get reset by
319                          * send_server_key_exchange */
320                         if (s->options & SSL_OP_EPHEMERAL_RSA)
321                                 s->s3->tmp.use_rsa_tmp=1;
322                         else
323                                 s->s3->tmp.use_rsa_tmp=0;
324
325                         /* only send if a DH key exchange, fortezza or
326                          * RSA but we have a sign only certificate */
327                         if (s->s3->tmp.use_rsa_tmp
328                             || (l & (SSL_DH|SSL_kFZA))
329                             || ((l & SSL_kRSA)
330                                 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
331                                     || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
332                                         && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
333                                         )
334                                     )
335                                 )
336                             )
337                                 {
338                                 ret=ssl3_send_server_key_exchange(s);
339                                 if (ret <= 0) goto end;
340                                 }
341                         else
342                                 skip=1;
343
344                         s->state=SSL3_ST_SW_CERT_REQ_A;
345                         s->init_num=0;
346                         break;
347
348                 case SSL3_ST_SW_CERT_REQ_A:
349                 case SSL3_ST_SW_CERT_REQ_B:
350                         if (/* don't request cert unless asked for it: */
351                                 !(s->verify_mode & SSL_VERIFY_PEER) ||
352                                 /* if SSL_VERIFY_CLIENT_ONCE is set,
353                                  * don't request cert during re-negotiation: */
354                                 ((s->session->peer != NULL) &&
355                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
356                                 /* never request cert in anonymous ciphersuites
357                                  * (see section "Certificate request" in SSL 3 drafts
358                                  * and in RFC 2246): */
359                                 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
360                                  /* ... except when the application insists on verification
361                                   * (against the specs, but s3_clnt.c accepts this for SSL 3) */
362                                  !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
363                                 {
364                                 /* no cert request */
365                                 skip=1;
366                                 s->s3->tmp.cert_request=0;
367                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
368                                 }
369                         else
370                                 {
371                                 s->s3->tmp.cert_request=1;
372                                 ret=ssl3_send_certificate_request(s);
373                                 if (ret <= 0) goto end;
374 #ifndef NETSCAPE_HANG_BUG
375                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
376 #else
377                                 s->state=SSL3_ST_SW_FLUSH;
378                                 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
379 #endif
380                                 s->init_num=0;
381                                 }
382                         break;
383
384                 case SSL3_ST_SW_SRVR_DONE_A:
385                 case SSL3_ST_SW_SRVR_DONE_B:
386                         ret=ssl3_send_server_done(s);
387                         if (ret <= 0) goto end;
388                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
389                         s->state=SSL3_ST_SW_FLUSH;
390                         s->init_num=0;
391                         break;
392                 
393                 case SSL3_ST_SW_FLUSH:
394                         /* number of bytes to be flushed */
395                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
396                         if (num1 > 0)
397                                 {
398                                 s->rwstate=SSL_WRITING;
399                                 num1=BIO_flush(s->wbio);
400                                 if (num1 <= 0) { ret= -1; goto end; }
401                                 s->rwstate=SSL_NOTHING;
402                                 }
403
404                         s->state=s->s3->tmp.next_state;
405                         break;
406
407                 case SSL3_ST_SR_CERT_A:
408                 case SSL3_ST_SR_CERT_B:
409                         /* Check for second client hello (MS SGC) */
410                         ret = ssl3_check_client_hello(s);
411                         if (ret <= 0)
412                                 goto end;
413                         if (ret == 2)
414                                 s->state = SSL3_ST_SR_CLNT_HELLO_C;
415                         else {
416                                 /* could be sent for a DH cert, even if we
417                                  * have not asked for it :-) */
418                                 ret=ssl3_get_client_certificate(s);
419                                 if (ret <= 0) goto end;
420                                 s->init_num=0;
421                                 s->state=SSL3_ST_SR_KEY_EXCH_A;
422                         }
423                         break;
424
425                 case SSL3_ST_SR_KEY_EXCH_A:
426                 case SSL3_ST_SR_KEY_EXCH_B:
427                         ret=ssl3_get_client_key_exchange(s);
428                         if (ret <= 0) goto end;
429                         s->state=SSL3_ST_SR_CERT_VRFY_A;
430                         s->init_num=0;
431
432                         /* We need to get hashes here so if there is
433                          * a client cert, it can be verified */ 
434                         s->method->ssl3_enc->cert_verify_mac(s,
435                                 &(s->s3->finish_dgst1),
436                                 &(s->s3->tmp.cert_verify_md[0]));
437                         s->method->ssl3_enc->cert_verify_mac(s,
438                                 &(s->s3->finish_dgst2),
439                                 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
440
441                         break;
442
443                 case SSL3_ST_SR_CERT_VRFY_A:
444                 case SSL3_ST_SR_CERT_VRFY_B:
445
446                         /* we should decide if we expected this one */
447                         ret=ssl3_get_cert_verify(s);
448                         if (ret <= 0) goto end;
449
450                         s->state=SSL3_ST_SR_FINISHED_A;
451                         s->init_num=0;
452                         break;
453
454                 case SSL3_ST_SR_FINISHED_A:
455                 case SSL3_ST_SR_FINISHED_B:
456                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
457                                 SSL3_ST_SR_FINISHED_B);
458                         if (ret <= 0) goto end;
459                         if (s->hit)
460                                 s->state=SSL_ST_OK;
461                         else
462                                 s->state=SSL3_ST_SW_CHANGE_A;
463                         s->init_num=0;
464                         break;
465
466                 case SSL3_ST_SW_CHANGE_A:
467                 case SSL3_ST_SW_CHANGE_B:
468
469                         s->session->cipher=s->s3->tmp.new_cipher;
470                         if (!s->method->ssl3_enc->setup_key_block(s))
471                                 { ret= -1; goto end; }
472
473                         ret=ssl3_send_change_cipher_spec(s,
474                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
475
476                         if (ret <= 0) goto end;
477                         s->state=SSL3_ST_SW_FINISHED_A;
478                         s->init_num=0;
479
480                         if (!s->method->ssl3_enc->change_cipher_state(s,
481                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
482                                 {
483                                 ret= -1;
484                                 goto end;
485                                 }
486
487                         break;
488
489                 case SSL3_ST_SW_FINISHED_A:
490                 case SSL3_ST_SW_FINISHED_B:
491                         ret=ssl3_send_finished(s,
492                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
493                                 s->method->ssl3_enc->server_finished_label,
494                                 s->method->ssl3_enc->server_finished_label_len);
495                         if (ret <= 0) goto end;
496                         s->state=SSL3_ST_SW_FLUSH;
497                         if (s->hit)
498                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
499                         else
500                                 s->s3->tmp.next_state=SSL_ST_OK;
501                         s->init_num=0;
502                         break;
503
504                 case SSL_ST_OK:
505                         /* clean a few things up */
506                         ssl3_cleanup_key_block(s);
507
508                         BUF_MEM_free(s->init_buf);
509                         s->init_buf=NULL;
510
511                         /* remove buffering on output */
512                         ssl_free_wbio_buffer(s);
513
514                         s->init_num=0;
515
516                         if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
517                                 {
518                                 /* actually not necessarily a 'new' session  */
519                                 
520                                 s->new_session=0;
521                                 
522                                 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
523                                 
524                                 s->ctx->stats.sess_accept_good++;
525                                 /* s->server=1; */
526                                 s->handshake_func=ssl3_accept;
527
528                                 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
529                                 }
530                         
531                         ret = 1;
532                         goto end;
533                         /* break; */
534
535                 default:
536                         SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
537                         ret= -1;
538                         goto end;
539                         /* break; */
540                         }
541                 
542                 if (!s->s3->tmp.reuse_message && !skip)
543                         {
544                         if (s->debug)
545                                 {
546                                 if ((ret=BIO_flush(s->wbio)) <= 0)
547                                         goto end;
548                                 }
549
550
551                         if ((cb != NULL) && (s->state != state))
552                                 {
553                                 new_state=s->state;
554                                 s->state=state;
555                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
556                                 s->state=new_state;
557                                 }
558                         }
559                 skip=0;
560                 }
561 end:
562         /* BIO_flush(s->wbio); */
563
564         s->in_handshake--;
565         if (cb != NULL)
566                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
567         return(ret);
568         }
569
570 static int ssl3_send_hello_request(SSL *s)
571         {
572         unsigned char *p;
573
574         if (s->state == SSL3_ST_SW_HELLO_REQ_A)
575                 {
576                 p=(unsigned char *)s->init_buf->data;
577                 *(p++)=SSL3_MT_HELLO_REQUEST;
578                 *(p++)=0;
579                 *(p++)=0;
580                 *(p++)=0;
581
582                 s->state=SSL3_ST_SW_HELLO_REQ_B;
583                 /* number of bytes to write */
584                 s->init_num=4;
585                 s->init_off=0;
586                 }
587
588         /* SSL3_ST_SW_HELLO_REQ_B */
589         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
590         }
591
592 static int ssl3_check_client_hello(SSL *s)
593         {
594         int ok;
595         long n;
596
597         /* this function is called when we really expect a Certificate message,
598          * so permit appropriate message length */
599         n=ssl3_get_message(s,
600                 SSL3_ST_SR_CERT_A,
601                 SSL3_ST_SR_CERT_B,
602                 -1,
603 #if defined(MSDOS) && !defined(WIN32)
604                 1024*30, /* 30k max cert list :-) */
605 #else
606                 1024*100, /* 100k max cert list :-) */
607 #endif
608                 &ok);
609         if (!ok) return((int)n);
610         s->s3->tmp.reuse_message = 1;
611         if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
612                 {
613                 /* Throw away what we have done so far in the current handshake,
614                  * which will now be aborted. (A full SSL_clear would be too much.)
615                  * I hope that tmp.dh is the only thing that may need to be cleared
616                  * when a handshake is not completed ... */
617 #ifndef NO_DH
618                 if (s->s3->tmp.dh != NULL)
619                         {
620                         DH_free(s->s3->tmp.dh);
621                         s->s3->tmp.dh = NULL;
622                         }
623 #endif
624                 return 2;
625                 }
626         return 1;
627 }
628
629 static int ssl3_get_client_hello(SSL *s)
630         {
631         int i,j,ok,al,ret= -1;
632         long n;
633         unsigned long id;
634         unsigned char *p,*d,*q;
635         SSL_CIPHER *c;
636         SSL_COMP *comp=NULL;
637         STACK_OF(SSL_CIPHER) *ciphers=NULL;
638
639         /* We do this so that we will respond with our native type.
640          * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
641          * This down switching should be handled by a different method.
642          * If we are SSLv3, we will respond with SSLv3, even if prompted with
643          * TLSv1.
644          */
645         if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
646                 {
647                 s->first_packet=1;
648                 s->state=SSL3_ST_SR_CLNT_HELLO_B;
649                 }
650         n=ssl3_get_message(s,
651                 SSL3_ST_SR_CLNT_HELLO_B,
652                 SSL3_ST_SR_CLNT_HELLO_C,
653                 SSL3_MT_CLIENT_HELLO,
654                 SSL3_RT_MAX_PLAIN_LENGTH,
655                 &ok);
656
657         if (!ok) return((int)n);
658         d=p=(unsigned char *)s->init_buf->data;
659
660         /* use version from inside client hello, not from record header
661          * (may differ: see RFC 2246, Appendix E, second paragraph) */
662         s->client_version=(((int)p[0])<<8)|(int)p[1];
663         p+=2;
664
665         if (s->client_version < s->version)
666                 {
667                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
668                 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 
669                         {
670                         /* similar to ssl3_get_record, send alert using remote version number */
671                         s->version = s->client_version;
672                         }
673                 al = SSL_AD_PROTOCOL_VERSION;
674                 goto f_err;
675                 }
676
677         /* load the client random */
678         memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
679         p+=SSL3_RANDOM_SIZE;
680
681         /* get the session-id */
682         j= *(p++);
683
684         s->hit=0;
685         if (j == 0)
686                 {
687                 if (!ssl_get_new_session(s,1))
688                         goto err;
689                 }
690         else
691                 {
692                 i=ssl_get_prev_session(s,p,j);
693                 if (i == 1)
694                         { /* previous session */
695                         s->hit=1;
696                         }
697                 else if (i == -1)
698                         goto err;
699                 else /* i == 0 */
700                         {
701                         if (!ssl_get_new_session(s,1))
702                                 goto err;
703                         }
704                 }
705
706         p+=j;
707         n2s(p,i);
708         if ((i == 0) && (j != 0))
709                 {
710                 /* we need a cipher if we are not resuming a session */
711                 al=SSL_AD_ILLEGAL_PARAMETER;
712                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
713                 goto f_err;
714                 }
715         if ((p+i) >= (d+n))
716                 {
717                 /* not enough data */
718                 al=SSL_AD_DECODE_ERROR;
719                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
720                 goto f_err;
721                 }
722         if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
723                 == NULL))
724                 {
725                 goto err;
726                 }
727         p+=i;
728
729         /* If it is a hit, check that the cipher is in the list */
730         if ((s->hit) && (i > 0))
731                 {
732                 j=0;
733                 id=s->session->cipher->id;
734
735 #ifdef CIPHER_DEBUG
736                 printf("client sent %d ciphers\n",sk_num(ciphers));
737 #endif
738                 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
739                         {
740                         c=sk_SSL_CIPHER_value(ciphers,i);
741 #ifdef CIPHER_DEBUG
742                         printf("client [%2d of %2d]:%s\n",
743                                 i,sk_num(ciphers),SSL_CIPHER_get_name(c));
744 #endif
745                         if (c->id == id)
746                                 {
747                                 j=1;
748                                 break;
749                                 }
750                         }
751                 if (j == 0)
752                         {
753                         if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
754                                 {
755                                 /* Very bad for multi-threading.... */
756                                 s->session->cipher=sk_SSL_CIPHER_value(ciphers,
757                                                                        0);
758                                 }
759                         else
760                                 {
761                                 /* we need to have the cipher in the cipher
762                                  * list if we are asked to reuse it */
763                                 al=SSL_AD_ILLEGAL_PARAMETER;
764                                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
765                                 goto f_err;
766                                 }
767                         }
768                 }
769
770         /* compression */
771         i= *(p++);
772         if ((p+i) > (d+n))
773                 {
774                 /* not enough data */
775                 al=SSL_AD_DECODE_ERROR;
776                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
777                 goto f_err;
778                 }
779         q=p;
780         for (j=0; j<i; j++)
781                 {
782                 if (p[j] == 0) break;
783                 }
784
785         p+=i;
786         if (j >= i)
787                 {
788                 /* no compress */
789                 al=SSL_AD_DECODE_ERROR;
790                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
791                 goto f_err;
792                 }
793
794         /* Worst case, we will use the NULL compression, but if we have other
795          * options, we will now look for them.  We have i-1 compression
796          * algorithms from the client, starting at q. */
797         s->s3->tmp.new_compression=NULL;
798         if (s->ctx->comp_methods != NULL)
799                 { /* See if we have a match */
800                 int m,nn,o,v,done=0;
801
802                 nn=sk_SSL_COMP_num(s->ctx->comp_methods);
803                 for (m=0; m<nn; m++)
804                         {
805                         comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
806                         v=comp->id;
807                         for (o=0; o<i; o++)
808                                 {
809                                 if (v == q[o])
810                                         {
811                                         done=1;
812                                         break;
813                                         }
814                                 }
815                         if (done) break;
816                         }
817                 if (done)
818                         s->s3->tmp.new_compression=comp;
819                 else
820                         comp=NULL;
821                 }
822
823         /* TLS does not mind if there is extra stuff */
824         if (s->version == SSL3_VERSION)
825                 {
826                 if (p < (d+n))
827                         {
828                         /* wrong number of bytes,
829                          * there could be more to follow */
830                         al=SSL_AD_DECODE_ERROR;
831                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
832                         goto f_err;
833                         }
834                 }
835
836         /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
837          * pick a cipher */
838
839         if (!s->hit)
840                 {
841                 s->session->compress_meth=(comp == NULL)?0:comp->id;
842                 if (s->session->ciphers != NULL)
843                         sk_SSL_CIPHER_free(s->session->ciphers);
844                 s->session->ciphers=ciphers;
845                 if (ciphers == NULL)
846                         {
847                         al=SSL_AD_ILLEGAL_PARAMETER;
848                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
849                         goto f_err;
850                         }
851                 ciphers=NULL;
852                 c=ssl3_choose_cipher(s,s->session->ciphers,
853                                      ssl_get_ciphers_by_id(s));
854
855                 if (c == NULL)
856                         {
857                         al=SSL_AD_HANDSHAKE_FAILURE;
858                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
859                         goto f_err;
860                         }
861                 s->s3->tmp.new_cipher=c;
862                 }
863         else
864                 {
865                 /* Session-id reuse */
866 #ifdef REUSE_CIPHER_BUG
867                 STACK_OF(SSL_CIPHER) *sk;
868                 SSL_CIPHER *nc=NULL;
869                 SSL_CIPHER *ec=NULL;
870
871                 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
872                         {
873                         sk=s->session->ciphers;
874                         for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
875                                 {
876                                 c=sk_SSL_CIPHER_value(sk,i);
877                                 if (c->algorithms & SSL_eNULL)
878                                         nc=c;
879                                 if (SSL_C_IS_EXPORT(c))
880                                         ec=c;
881                                 }
882                         if (nc != NULL)
883                                 s->s3->tmp.new_cipher=nc;
884                         else if (ec != NULL)
885                                 s->s3->tmp.new_cipher=ec;
886                         else
887                                 s->s3->tmp.new_cipher=s->session->cipher;
888                         }
889                 else
890 #endif
891                 s->s3->tmp.new_cipher=s->session->cipher;
892                 }
893         
894         /* we now have the following setup. 
895          * client_random
896          * cipher_list          - our prefered list of ciphers
897          * ciphers              - the clients prefered list of ciphers
898          * compression          - basically ignored right now
899          * ssl version is set   - sslv3
900          * s->session           - The ssl session has been setup.
901          * s->hit               - session reuse flag
902          * s->tmp.new_cipher    - the new cipher to use.
903          */
904
905         ret=1;
906         if (0)
907                 {
908 f_err:
909                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
910                 }
911 err:
912         if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
913         return(ret);
914         }
915
916 static int ssl3_send_server_hello(SSL *s)
917         {
918         unsigned char *buf;
919         unsigned char *p,*d;
920         int i,sl;
921         unsigned long l,Time;
922
923         if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
924                 {
925                 buf=(unsigned char *)s->init_buf->data;
926                 p=s->s3->server_random;
927                 Time=time(NULL);                        /* Time */
928                 l2n(Time,p);
929                 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
930                 /* Do the message type and length last */
931                 d=p= &(buf[4]);
932
933                 *(p++)=s->version>>8;
934                 *(p++)=s->version&0xff;
935
936                 /* Random stuff */
937                 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
938                 p+=SSL3_RANDOM_SIZE;
939
940                 /* now in theory we have 3 options to sending back the
941                  * session id.  If it is a re-use, we send back the
942                  * old session-id, if it is a new session, we send
943                  * back the new session-id or we send back a 0 length
944                  * session-id if we want it to be single use.
945                  * Currently I will not implement the '0' length session-id
946                  * 12-Jan-98 - I'll now support the '0' length stuff.
947                  */
948                 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
949                         s->session->session_id_length=0;
950
951                 sl=s->session->session_id_length;
952                 die(sl <= sizeof s->session->session_id);
953                 *(p++)=sl;
954                 memcpy(p,s->session->session_id,sl);
955                 p+=sl;
956
957                 /* put the cipher */
958                 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
959                 p+=i;
960
961                 /* put the compression method */
962                 if (s->s3->tmp.new_compression == NULL)
963                         *(p++)=0;
964                 else
965                         *(p++)=s->s3->tmp.new_compression->id;
966
967                 /* do the header */
968                 l=(p-d);
969                 d=buf;
970                 *(d++)=SSL3_MT_SERVER_HELLO;
971                 l2n3(l,d);
972
973                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
974                 /* number of bytes to write */
975                 s->init_num=p-buf;
976                 s->init_off=0;
977                 }
978
979         /* SSL3_ST_CW_CLNT_HELLO_B */
980         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
981         }
982
983 static int ssl3_send_server_done(SSL *s)
984         {
985         unsigned char *p;
986
987         if (s->state == SSL3_ST_SW_SRVR_DONE_A)
988                 {
989                 p=(unsigned char *)s->init_buf->data;
990
991                 /* do the header */
992                 *(p++)=SSL3_MT_SERVER_DONE;
993                 *(p++)=0;
994                 *(p++)=0;
995                 *(p++)=0;
996
997                 s->state=SSL3_ST_SW_SRVR_DONE_B;
998                 /* number of bytes to write */
999                 s->init_num=4;
1000                 s->init_off=0;
1001                 }
1002
1003         /* SSL3_ST_CW_CLNT_HELLO_B */
1004         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1005         }
1006
1007 static int ssl3_send_server_key_exchange(SSL *s)
1008         {
1009 #ifndef NO_RSA
1010         unsigned char *q;
1011         int j,num;
1012         RSA *rsa;
1013         unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
1014         unsigned int u;
1015 #endif
1016 #ifndef NO_DH
1017         DH *dh=NULL,*dhp;
1018 #endif
1019         EVP_PKEY *pkey;
1020         unsigned char *p,*d;
1021         int al,i;
1022         unsigned long type;
1023         int n;
1024         CERT *cert;
1025         BIGNUM *r[4];
1026         int nr[4],kn;
1027         BUF_MEM *buf;
1028         EVP_MD_CTX md_ctx;
1029
1030         if (s->state == SSL3_ST_SW_KEY_EXCH_A)
1031                 {
1032                 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
1033                 cert=s->cert;
1034
1035                 buf=s->init_buf;
1036
1037                 r[0]=r[1]=r[2]=r[3]=NULL;
1038                 n=0;
1039 #ifndef NO_RSA
1040                 if (type & SSL_kRSA)
1041                         {
1042                         rsa=cert->rsa_tmp;
1043                         if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
1044                                 {
1045                                 rsa=s->cert->rsa_tmp_cb(s,
1046                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1047                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1048                                 if(rsa == NULL)
1049                                 {
1050                                         al=SSL_AD_HANDSHAKE_FAILURE;
1051                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1052                                         goto f_err;
1053                                 }
1054                                 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
1055                                 cert->rsa_tmp=rsa;
1056                                 }
1057                         if (rsa == NULL)
1058                                 {
1059                                 al=SSL_AD_HANDSHAKE_FAILURE;
1060                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
1061                                 goto f_err;
1062                                 }
1063                         r[0]=rsa->n;
1064                         r[1]=rsa->e;
1065                         s->s3->tmp.use_rsa_tmp=1;
1066                         }
1067                 else
1068 #endif
1069 #ifndef NO_DH
1070                         if (type & SSL_kEDH)
1071                         {
1072                         dhp=cert->dh_tmp;
1073                         if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1074                                 dhp=s->cert->dh_tmp_cb(s,
1075                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1076                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1077                         if (dhp == NULL)
1078                                 {
1079                                 al=SSL_AD_HANDSHAKE_FAILURE;
1080                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1081                                 goto f_err;
1082                                 }
1083
1084                         if (s->s3->tmp.dh != NULL)
1085                                 {
1086                                 DH_free(dh);
1087                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR);
1088                                 goto err;
1089                                 }
1090
1091                         if ((dh=DHparams_dup(dhp)) == NULL)
1092                                 {
1093                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1094                                 goto err;
1095                                 }
1096
1097                         s->s3->tmp.dh=dh;
1098                         if ((dhp->pub_key == NULL ||
1099                              dhp->priv_key == NULL ||
1100                              (s->options & SSL_OP_SINGLE_DH_USE)))
1101                                 {
1102                                 if(!DH_generate_key(dh))
1103                                     {
1104                                     SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1105                                            ERR_R_DH_LIB);
1106                                     goto err;
1107                                     }
1108                                 }
1109                         else
1110                                 {
1111                                 dh->pub_key=BN_dup(dhp->pub_key);
1112                                 dh->priv_key=BN_dup(dhp->priv_key);
1113                                 if ((dh->pub_key == NULL) ||
1114                                         (dh->priv_key == NULL))
1115                                         {
1116                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1117                                         goto err;
1118                                         }
1119                                 }
1120                         r[0]=dh->p;
1121                         r[1]=dh->g;
1122                         r[2]=dh->pub_key;
1123                         }
1124                 else 
1125 #endif
1126                         {
1127                         al=SSL_AD_HANDSHAKE_FAILURE;
1128                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1129                         goto f_err;
1130                         }
1131                 for (i=0; r[i] != NULL; i++)
1132                         {
1133                         nr[i]=BN_num_bytes(r[i]);
1134                         n+=2+nr[i];
1135                         }
1136
1137                 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
1138                         {
1139                         if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
1140                                 == NULL)
1141                                 {
1142                                 al=SSL_AD_DECODE_ERROR;
1143                                 goto f_err;
1144                                 }
1145                         kn=EVP_PKEY_size(pkey);
1146                         }
1147                 else
1148                         {
1149                         pkey=NULL;
1150                         kn=0;
1151                         }
1152
1153                 if (!BUF_MEM_grow(buf,n+4+kn))
1154                         {
1155                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1156                         goto err;
1157                         }
1158                 d=(unsigned char *)s->init_buf->data;
1159                 p= &(d[4]);
1160
1161                 for (i=0; r[i] != NULL; i++)
1162                         {
1163                         s2n(nr[i],p);
1164                         BN_bn2bin(r[i],p);
1165                         p+=nr[i];
1166                         }
1167
1168                 /* not anonymous */
1169                 if (pkey != NULL)
1170                         {
1171                         /* n is the length of the params, they start at &(d[4])
1172                          * and p points to the space at the end. */
1173 #ifndef NO_RSA
1174                         if (pkey->type == EVP_PKEY_RSA)
1175                                 {
1176                                 q=md_buf;
1177                                 j=0;
1178                                 for (num=2; num > 0; num--)
1179                                         {
1180                                         EVP_DigestInit(&md_ctx,(num == 2)
1181                                                 ?s->ctx->md5:s->ctx->sha1);
1182                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1183                                         EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1184                                         EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1185                                         EVP_DigestFinal(&md_ctx,q,
1186                                                 (unsigned int *)&i);
1187                                         q+=i;
1188                                         j+=i;
1189                                         }
1190                                 if (RSA_sign(NID_md5_sha1, md_buf, j,
1191                                         &(p[2]), &u, pkey->pkey.rsa) <= 0)
1192                                         {
1193                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1194                                         goto err;
1195                                         }
1196                                 s2n(u,p);
1197                                 n+=u+2;
1198                                 }
1199                         else
1200 #endif
1201 #if !defined(NO_DSA)
1202                                 if (pkey->type == EVP_PKEY_DSA)
1203                                 {
1204                                 /* lets do DSS */
1205                                 EVP_SignInit(&md_ctx,EVP_dss1());
1206                                 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1207                                 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1208                                 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1209                                 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1210                                         (unsigned int *)&i,pkey))
1211                                         {
1212                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1213                                         goto err;
1214                                         }
1215                                 s2n(i,p);
1216                                 n+=i+2;
1217                                 }
1218                         else
1219 #endif
1220                                 {
1221                                 /* Is this error check actually needed? */
1222                                 al=SSL_AD_HANDSHAKE_FAILURE;
1223                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1224                                 goto f_err;
1225                                 }
1226                         }
1227
1228                 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
1229                 l2n3(n,d);
1230
1231                 /* we should now have things packed up, so lets send
1232                  * it off */
1233                 s->init_num=n+4;
1234                 s->init_off=0;
1235                 }
1236
1237         s->state = SSL3_ST_SW_KEY_EXCH_B;
1238         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1239 f_err:
1240         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1241 err:
1242         return(-1);
1243         }
1244
1245 static int ssl3_send_certificate_request(SSL *s)
1246         {
1247         unsigned char *p,*d;
1248         int i,j,nl,off,n;
1249         STACK_OF(X509_NAME) *sk=NULL;
1250         X509_NAME *name;
1251         BUF_MEM *buf;
1252
1253         if (s->state == SSL3_ST_SW_CERT_REQ_A)
1254                 {
1255                 buf=s->init_buf;
1256
1257                 d=p=(unsigned char *)&(buf->data[4]);
1258
1259                 /* get the list of acceptable cert types */
1260                 p++;
1261                 n=ssl3_get_req_cert_type(s,p);
1262                 d[0]=n;
1263                 p+=n;
1264                 n++;
1265
1266                 off=n;
1267                 p+=2;
1268                 n+=2;
1269
1270                 sk=SSL_get_client_CA_list(s);
1271                 nl=0;
1272                 if (sk != NULL)
1273                         {
1274                         for (i=0; i<sk_X509_NAME_num(sk); i++)
1275                                 {
1276                                 name=sk_X509_NAME_value(sk,i);
1277                                 j=i2d_X509_NAME(name,NULL);
1278                                 if (!BUF_MEM_grow(buf,4+n+j+2))
1279                                         {
1280                                         SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1281                                         goto err;
1282                                         }
1283                                 p=(unsigned char *)&(buf->data[4+n]);
1284                                 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1285                                         {
1286                                         s2n(j,p);
1287                                         i2d_X509_NAME(name,&p);
1288                                         n+=2+j;
1289                                         nl+=2+j;
1290                                         }
1291                                 else
1292                                         {
1293                                         d=p;
1294                                         i2d_X509_NAME(name,&p);
1295                                         j-=2; s2n(j,d); j+=2;
1296                                         n+=j;
1297                                         nl+=j;
1298                                         }
1299                                 }
1300                         }
1301                 /* else no CA names */
1302                 p=(unsigned char *)&(buf->data[4+off]);
1303                 s2n(nl,p);
1304
1305                 d=(unsigned char *)buf->data;
1306                 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1307                 l2n3(n,d);
1308
1309                 /* we should now have things packed up, so lets send
1310                  * it off */
1311
1312                 s->init_num=n+4;
1313                 s->init_off=0;
1314 #ifdef NETSCAPE_HANG_BUG
1315                 p=(unsigned char *)s->init_buf->data + s->init_num;
1316
1317                 /* do the header */
1318                 *(p++)=SSL3_MT_SERVER_DONE;
1319                 *(p++)=0;
1320                 *(p++)=0;
1321                 *(p++)=0;
1322                 s->init_num += 4;
1323 #endif
1324
1325                 }
1326
1327         /* SSL3_ST_SW_CERT_REQ_B */
1328         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1329 err:
1330         return(-1);
1331         }
1332
1333 static int ssl3_get_client_key_exchange(SSL *s)
1334         {
1335         int i,al,ok;
1336         long n;
1337         unsigned long l;
1338         unsigned char *p;
1339 #ifndef NO_RSA
1340         RSA *rsa=NULL;
1341         EVP_PKEY *pkey=NULL;
1342 #endif
1343 #ifndef NO_DH
1344         BIGNUM *pub=NULL;
1345         DH *dh_srvr;
1346 #endif
1347
1348         n=ssl3_get_message(s,
1349                 SSL3_ST_SR_KEY_EXCH_A,
1350                 SSL3_ST_SR_KEY_EXCH_B,
1351                 SSL3_MT_CLIENT_KEY_EXCHANGE,
1352                 2048, /* ???? */
1353                 &ok);
1354
1355         if (!ok) return((int)n);
1356         p=(unsigned char *)s->init_buf->data;
1357
1358         l=s->s3->tmp.new_cipher->algorithms;
1359
1360 #ifndef NO_RSA
1361         if (l & SSL_kRSA)
1362                 {
1363                 /* FIX THIS UP EAY EAY EAY EAY */
1364                 if (s->s3->tmp.use_rsa_tmp)
1365                         {
1366                         if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
1367                                 rsa=s->cert->rsa_tmp;
1368                         /* Don't do a callback because rsa_tmp should
1369                          * be sent already */
1370                         if (rsa == NULL)
1371                                 {
1372                                 al=SSL_AD_HANDSHAKE_FAILURE;
1373                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
1374                                 goto f_err;
1375
1376                                 }
1377                         }
1378                 else
1379                         {
1380                         pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1381                         if (    (pkey == NULL) ||
1382                                 (pkey->type != EVP_PKEY_RSA) ||
1383                                 (pkey->pkey.rsa == NULL))
1384                                 {
1385                                 al=SSL_AD_HANDSHAKE_FAILURE;
1386                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
1387                                 goto f_err;
1388                                 }
1389                         rsa=pkey->pkey.rsa;
1390                         }
1391
1392                 /* TLS */
1393                 if (s->version > SSL3_VERSION)
1394                         {
1395                         n2s(p,i);
1396                         if (n != i+2)
1397                                 {
1398                                 if (!(s->options & SSL_OP_TLS_D5_BUG))
1399                                         {
1400                                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1401                                         goto err;
1402                                         }
1403                                 else
1404                                         p-=2;
1405                                 }
1406                         else
1407                                 n=i;
1408                         }
1409
1410                 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1411
1412                 al = -1;
1413                 
1414                 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1415                         {
1416                         al=SSL_AD_DECODE_ERROR;
1417                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1418                         }
1419
1420                 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
1421                         {
1422                         /* The premaster secret must contain the same version number as the
1423                          * ClientHello to detect version rollback attacks (strangely, the
1424                          * protocol does not offer such protection for DH ciphersuites).
1425                          * However, buggy clients exist that send the negotiated protocol
1426                          * version instead if the server does not support the requested
1427                          * protocol version.
1428                          * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
1429                         if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
1430                                 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
1431                                 {
1432                                 al=SSL_AD_DECODE_ERROR;
1433                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1434                                 goto f_err;
1435                                 }
1436                         }
1437
1438                 if (al != -1)
1439                         {
1440 #if 0
1441                         goto f_err;
1442 #else
1443                         /* Some decryption failure -- use random value instead as countermeasure
1444                          * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
1445                          * (see RFC 2246, section 7.4.7.1).
1446                          * But note that due to length and protocol version checking, the
1447                          * attack is impractical anyway (see section 5 in D. Bleichenbacher:
1448                          * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
1449                          * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
1450                          */
1451                         ERR_clear_error();
1452                         i = SSL_MAX_MASTER_KEY_LENGTH;
1453                         p[0] = s->client_version >> 8;
1454                         p[1] = s->client_version & 0xff;
1455                         RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
1456 #endif
1457                         }
1458         
1459                 s->session->master_key_length=
1460                         s->method->ssl3_enc->generate_master_secret(s,
1461                                 s->session->master_key,
1462                                 p,i);
1463                 memset(p,0,i);
1464                 }
1465         else
1466 #endif
1467 #ifndef NO_DH
1468                 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1469                 {
1470                 n2s(p,i);
1471                 if (n != i+2)
1472                         {
1473                         if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1474                                 {
1475                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1476                                 goto err;
1477                                 }
1478                         else
1479                                 {
1480                                 p-=2;
1481                                 i=(int)n;
1482                                 }
1483                         }
1484
1485                 if (n == 0L) /* the parameters are in the cert */
1486                         {
1487                         al=SSL_AD_HANDSHAKE_FAILURE;
1488                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1489                         goto f_err;
1490                         }
1491                 else
1492                         {
1493                         if (s->s3->tmp.dh == NULL)
1494                                 {
1495                                 al=SSL_AD_HANDSHAKE_FAILURE;
1496                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1497                                 goto f_err;
1498                                 }
1499                         else
1500                                 dh_srvr=s->s3->tmp.dh;
1501                         }
1502
1503                 pub=BN_bin2bn(p,i,NULL);
1504                 if (pub == NULL)
1505                         {
1506                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
1507                         goto err;
1508                         }
1509
1510                 i=DH_compute_key(p,pub,dh_srvr);
1511
1512                 if (i <= 0)
1513                         {
1514                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1515                         goto err;
1516                         }
1517
1518                 DH_free(s->s3->tmp.dh);
1519                 s->s3->tmp.dh=NULL;
1520
1521                 BN_clear_free(pub);
1522                 pub=NULL;
1523                 s->session->master_key_length=
1524                         s->method->ssl3_enc->generate_master_secret(s,
1525                                 s->session->master_key,p,i);
1526                 memset(p,0,i);
1527                 }
1528         else
1529 #endif
1530                 {
1531                 al=SSL_AD_HANDSHAKE_FAILURE;
1532                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
1533                 goto f_err;
1534                 }
1535
1536         return(1);
1537 f_err:
1538         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1539 #if !defined(NO_DH) || !defined(NO_RSA)
1540 err:
1541 #endif
1542         return(-1);
1543         }
1544
1545 static int ssl3_get_cert_verify(SSL *s)
1546         {
1547         EVP_PKEY *pkey=NULL;
1548         unsigned char *p;
1549         int al,ok,ret=0;
1550         long n;
1551         int type=0,i,j;
1552         X509 *peer;
1553
1554         n=ssl3_get_message(s,
1555                 SSL3_ST_SR_CERT_VRFY_A,
1556                 SSL3_ST_SR_CERT_VRFY_B,
1557                 -1,
1558                 512, /* 512? */
1559                 &ok);
1560
1561         if (!ok) return((int)n);
1562
1563         if (s->session->peer != NULL)
1564                 {
1565                 peer=s->session->peer;
1566                 pkey=X509_get_pubkey(peer);
1567                 type=X509_certificate_type(peer,pkey);
1568                 }
1569         else
1570                 {
1571                 peer=NULL;
1572                 pkey=NULL;
1573                 }
1574
1575         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
1576                 {
1577                 s->s3->tmp.reuse_message=1;
1578                 if ((peer != NULL) && (type | EVP_PKT_SIGN))
1579                         {
1580                         al=SSL_AD_UNEXPECTED_MESSAGE;
1581                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
1582                         goto f_err;
1583                         }
1584                 ret=1;
1585                 goto end;
1586                 }
1587
1588         if (peer == NULL)
1589                 {
1590                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
1591                 al=SSL_AD_UNEXPECTED_MESSAGE;
1592                 goto f_err;
1593                 }
1594
1595         if (!(type & EVP_PKT_SIGN))
1596                 {
1597                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1598                 al=SSL_AD_ILLEGAL_PARAMETER;
1599                 goto f_err;
1600                 }
1601
1602         if (s->s3->change_cipher_spec)
1603                 {
1604                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1605                 al=SSL_AD_UNEXPECTED_MESSAGE;
1606                 goto f_err;
1607                 }
1608
1609         /* we now have a signature that we need to verify */
1610         p=(unsigned char *)s->init_buf->data;
1611         n2s(p,i);
1612         n-=2;
1613         if (i > n)
1614                 {
1615                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
1616                 al=SSL_AD_DECODE_ERROR;
1617                 goto f_err;
1618                 }
1619
1620         j=EVP_PKEY_size(pkey);
1621         if ((i > j) || (n > j) || (n <= 0))
1622                 {
1623                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
1624                 al=SSL_AD_DECODE_ERROR;
1625                 goto f_err;
1626                 }
1627
1628 #ifndef NO_RSA 
1629         if (pkey->type == EVP_PKEY_RSA)
1630                 {
1631                 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
1632                         MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 
1633                                                         pkey->pkey.rsa);
1634                 if (i < 0)
1635                         {
1636                         al=SSL_AD_DECRYPT_ERROR;
1637                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1638                         goto f_err;
1639                         }
1640                 if (i == 0)
1641                         {
1642                         al=SSL_AD_DECRYPT_ERROR;
1643                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
1644                         goto f_err;
1645                         }
1646                 }
1647         else
1648 #endif
1649 #ifndef NO_DSA
1650                 if (pkey->type == EVP_PKEY_DSA)
1651                 {
1652                 j=DSA_verify(pkey->save_type,
1653                         &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
1654                         SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1655                 if (j <= 0)
1656                         {
1657                         /* bad signature */
1658                         al=SSL_AD_DECRYPT_ERROR;
1659                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
1660                         goto f_err;
1661                         }
1662                 }
1663         else
1664 #endif
1665                 {
1666                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
1667                 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1668                 goto f_err;
1669                 }
1670
1671
1672         ret=1;
1673         if (0)
1674                 {
1675 f_err:
1676                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1677                 }
1678 end:
1679         EVP_PKEY_free(pkey);
1680         return(ret);
1681         }
1682
1683 static int ssl3_get_client_certificate(SSL *s)
1684         {
1685         int i,ok,al,ret= -1;
1686         X509 *x=NULL;
1687         unsigned long l,nc,llen,n;
1688         unsigned char *p,*d,*q;
1689         STACK_OF(X509) *sk=NULL;
1690
1691         n=ssl3_get_message(s,
1692                 SSL3_ST_SR_CERT_A,
1693                 SSL3_ST_SR_CERT_B,
1694                 -1,
1695 #if defined(MSDOS) && !defined(WIN32)
1696                 1024*30, /* 30k max cert list :-) */
1697 #else
1698                 1024*100, /* 100k max cert list :-) */
1699 #endif
1700                 &ok);
1701
1702         if (!ok) return((int)n);
1703
1704         if      (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
1705                 {
1706                 if (    (s->verify_mode & SSL_VERIFY_PEER) &&
1707                         (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1708                         {
1709                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1710                         al=SSL_AD_HANDSHAKE_FAILURE;
1711                         goto f_err;
1712                         }
1713                 /* If tls asked for a client cert, the client must return a 0 list */
1714                 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1715                         {
1716                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
1717                         al=SSL_AD_UNEXPECTED_MESSAGE;
1718                         goto f_err;
1719                         }
1720                 s->s3->tmp.reuse_message=1;
1721                 return(1);
1722                 }
1723
1724         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1725                 {
1726                 al=SSL_AD_UNEXPECTED_MESSAGE;
1727                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1728                 goto f_err;
1729                 }
1730         d=p=(unsigned char *)s->init_buf->data;
1731
1732         if ((sk=sk_X509_new_null()) == NULL)
1733                 {
1734                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1735                 goto err;
1736                 }
1737
1738         n2l3(p,llen);
1739         if (llen+3 != n)
1740                 {
1741                 al=SSL_AD_DECODE_ERROR;
1742                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1743                 goto f_err;
1744                 }
1745         for (nc=0; nc<llen; )
1746                 {
1747                 n2l3(p,l);
1748                 if ((l+nc+3) > llen)
1749                         {
1750                         al=SSL_AD_DECODE_ERROR;
1751                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1752                         goto f_err;
1753                         }
1754
1755                 q=p;
1756                 x=d2i_X509(NULL,&p,l);
1757                 if (x == NULL)
1758                         {
1759                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
1760                         goto err;
1761                         }
1762                 if (p != (q+l))
1763                         {
1764                         al=SSL_AD_DECODE_ERROR;
1765                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1766                         goto f_err;
1767                         }
1768                 if (!sk_X509_push(sk,x))
1769                         {
1770                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1771                         goto err;
1772                         }
1773                 x=NULL;
1774                 nc+=l+3;
1775                 }
1776
1777         if (sk_X509_num(sk) <= 0)
1778                 {
1779                 /* TLS does not mind 0 certs returned */
1780                 if (s->version == SSL3_VERSION)
1781                         {
1782                         al=SSL_AD_HANDSHAKE_FAILURE;
1783                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
1784                         goto f_err;
1785                         }
1786                 /* Fail for TLS only if we required a certificate */
1787                 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
1788                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1789                         {
1790                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1791                         al=SSL_AD_HANDSHAKE_FAILURE;
1792                         goto f_err;
1793                         }
1794                 }
1795         else
1796                 {
1797                 i=ssl_verify_cert_chain(s,sk);
1798                 if (!i)
1799                         {
1800                         al=ssl_verify_alarm_type(s->verify_result);
1801                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
1802                         goto f_err;
1803                         }
1804                 }
1805
1806         if (s->session->peer != NULL) /* This should not be needed */
1807                 X509_free(s->session->peer);
1808         s->session->peer=sk_X509_shift(sk);
1809         s->session->verify_result = s->verify_result;
1810
1811         /* With the current implementation, sess_cert will always be NULL
1812          * when we arrive here. */
1813         if (s->session->sess_cert == NULL)
1814                 {
1815                 s->session->sess_cert = ssl_sess_cert_new();
1816                 if (s->session->sess_cert == NULL)
1817                         {
1818                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1819                         goto err;
1820                         }
1821                 }
1822         if (s->session->sess_cert->cert_chain != NULL)
1823                 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
1824         s->session->sess_cert->cert_chain=sk;
1825         /* Inconsistency alert: cert_chain does *not* include the
1826          * peer's own certificate, while we do include it in s3_clnt.c */
1827
1828         sk=NULL;
1829
1830         ret=1;
1831         if (0)
1832                 {
1833 f_err:
1834                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1835                 }
1836 err:
1837         if (x != NULL) X509_free(x);
1838         if (sk != NULL) sk_X509_pop_free(sk,X509_free);
1839         return(ret);
1840         }
1841
1842 int ssl3_send_server_certificate(SSL *s)
1843         {
1844         unsigned long l;
1845         X509 *x;
1846
1847         if (s->state == SSL3_ST_SW_CERT_A)
1848                 {
1849                 x=ssl_get_server_send_cert(s);
1850                 if (x == NULL)
1851                         {
1852                         SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
1853                         return(0);
1854                         }
1855
1856                 l=ssl3_output_cert_chain(s,x);
1857                 s->state=SSL3_ST_SW_CERT_B;
1858                 s->init_num=(int)l;
1859                 s->init_off=0;
1860                 }
1861
1862         /* SSL3_ST_SW_CERT_B */
1863         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1864         }
Unnamed repository; edit this file 'description' to name the repository.