ddf377c1224ffa6f9eaac76efb0dcbac415dc795
[openssl.git] / ssl / s3_srvr.c
1 /* ssl/s3_srvr.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #define REUSE_CIPHER_BUG
60
61 #include <stdio.h>
62 #include "buffer.h"
63 #include "rand.h"
64 #include "objects.h"
65 #include "evp.h"
66 #include "x509.h"
67 #include "ssl_locl.h"
68
69 #define BREAK   break
70 /* SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_MALLOC_FAILURE);
71  * SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
72  * SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
73  * SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_MALLOC_FAILURE);
74  * SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
75  */
76
77 #ifndef NOPROTO
78 static SSL_METHOD *ssl3_get_server_method(int ver);
79 static int ssl3_get_client_hello(SSL *s);
80 static int ssl3_send_server_hello(SSL *s);
81 static int ssl3_send_server_key_exchange(SSL *s);
82 static int ssl3_send_certificate_request(SSL *s);
83 static int ssl3_send_server_done(SSL *s);
84 static int ssl3_get_cert_verify(SSL *s);
85 static int ssl3_get_client_key_exchange(SSL *s);
86 static int ssl3_get_client_certificate(SSL *s);
87 static int ssl3_send_hello_request(SSL *s);
88
89 #else
90
91 static SSL_METHOD *ssl3_get_server_method();
92 static int ssl3_get_client_hello();
93 static int ssl3_send_server_hello();
94 static int ssl3_send_server_key_exchange();
95 static int ssl3_send_certificate_request();
96 static int ssl3_send_server_done();
97 static int ssl3_get_cert_verify();
98 static int ssl3_get_client_key_exchange();
99 static int ssl3_get_client_certificate();
100 static int ssl3_send_hello_request();
101
102 #endif
103
104 static SSL_METHOD *ssl3_get_server_method(ver)
105 int ver;
106         {
107         if (ver == SSL3_VERSION)
108                 return(SSLv3_server_method());
109         else
110                 return(NULL);
111         }
112
113 SSL_METHOD *SSLv3_server_method()
114         {
115         static int init=1;
116         static SSL_METHOD SSLv3_server_data;
117
118         if (init)
119                 {
120                 init=0;
121                 memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
122                         sizeof(SSL_METHOD));
123                 SSLv3_server_data.ssl_accept=ssl3_accept;
124                 SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
125                 }
126         return(&SSLv3_server_data);
127         }
128
129 int ssl3_accept(s)
130 SSL *s;
131         {
132         BUF_MEM *buf;
133         unsigned long l,Time=time(NULL);
134         void (*cb)()=NULL;
135         long num1;
136         int ret= -1;
137         CERT *ct;
138         BIO *under;
139         int new_state,state,skip=0;
140
141         RAND_seed(&Time,sizeof(Time));
142         ERR_clear_error();
143         clear_sys_error();
144
145         if (s->info_callback != NULL)
146                 cb=s->info_callback;
147         else if (s->ctx->info_callback != NULL)
148                 cb=s->ctx->info_callback;
149
150         /* init things to blank */
151         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
152         s->in_handshake++;
153
154 #ifdef undef
155         /* FIX THIS EAY EAY EAY */
156         /* we don't actually need a cert, we just need a cert or a DH_tmp */
157         if (((s->session == NULL) || (s->session->cert == NULL)) &&
158                 (s->cert == NULL))
159                 {
160                 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
161                 ret= -1;
162                 goto end;
163                 }
164 #endif
165
166         for (;;)
167                 {
168                 state=s->state;
169
170                 switch (s->state)
171                         {
172                 case SSL_ST_RENEGOTIATE:
173                         s->new_session=1;
174                         /* s->state=SSL_ST_ACCEPT; */
175
176                 case SSL_ST_BEFORE:
177                 case SSL_ST_ACCEPT:
178                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
179                 case SSL_ST_OK|SSL_ST_ACCEPT:
180
181                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
182
183                         if ((s->version>>8) != 3)
184                                 abort();
185                         /* s->version=SSL3_VERSION; */
186                         s->type=SSL_ST_ACCEPT;
187
188                         if (s->init_buf == NULL)
189                                 {
190                                 if ((buf=BUF_MEM_new()) == NULL)
191                                         {
192                                         ret= -1;
193                                         goto end;
194                                         }
195                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
196                                         {
197                                         ret= -1;
198                                         goto end;
199                                         }
200                                 s->init_buf=buf;
201                                 }
202
203                         if (!ssl3_setup_buffers(s))
204                                 {
205                                 ret= -1;
206                                 goto end;
207                                 }
208
209                         /* Ok, we now need to push on a buffering BIO so that
210                          * the output is sent in a way that TCP likes :-)
211                          */
212                         if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
213
214                         s->init_num=0;
215
216                         if (s->state != SSL_ST_RENEGOTIATE)
217                                 {
218                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
219                                 ssl3_init_finished_mac(s);
220                                 s->ctx->sess_accept++;
221                                 }
222                         else
223                                 {
224                                 s->ctx->sess_accept_renegotiate++;
225                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
226                                 }
227                         break;
228
229                 case SSL3_ST_SW_HELLO_REQ_A:
230                 case SSL3_ST_SW_HELLO_REQ_B:
231
232                         s->shutdown=0;
233                         ret=ssl3_send_hello_request(s);
234                         if (ret <= 0) goto end;
235                         s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
236                         s->state=SSL3_ST_SW_FLUSH;
237                         s->init_num=0;
238
239                         ssl3_init_finished_mac(s);
240                         break;
241
242                 case SSL3_ST_SW_HELLO_REQ_C:
243                         /* remove buffering on output */
244                         under=BIO_pop(s->wbio);
245                         if (under != NULL)
246                                 s->wbio=under;
247                         else
248                                 abort(); /* ok */
249                         BIO_free(s->bbio);
250                         s->bbio=NULL;
251
252                         s->state=SSL_ST_OK;
253                         ret=1;
254                         goto end;
255                         /* break; */
256
257                 case SSL3_ST_SR_CLNT_HELLO_A:
258                 case SSL3_ST_SR_CLNT_HELLO_B:
259                 case SSL3_ST_SR_CLNT_HELLO_C:
260
261                         s->shutdown=0;
262                         ret=ssl3_get_client_hello(s);
263                         if (ret <= 0) goto end;
264                         s->state=SSL3_ST_SW_SRVR_HELLO_A;
265                         s->init_num=0;
266                         break;
267
268                 case SSL3_ST_SW_SRVR_HELLO_A:
269                 case SSL3_ST_SW_SRVR_HELLO_B:
270                         ret=ssl3_send_server_hello(s);
271                         if (ret <= 0) goto end;
272
273                         if (s->hit)
274                                 s->state=SSL3_ST_SW_CHANGE_A;
275                         else
276                                 s->state=SSL3_ST_SW_CERT_A;
277                         s->init_num=0;
278                         break;
279
280                 case SSL3_ST_SW_CERT_A:
281                 case SSL3_ST_SW_CERT_B:
282                         /* Check if it is anon DH */
283                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
284                                 {
285                                 ret=ssl3_send_server_certificate(s);
286                                 if (ret <= 0) goto end;
287                                 }
288                         else
289                                 skip=1;
290                         s->state=SSL3_ST_SW_KEY_EXCH_A;
291                         s->init_num=0;
292                         break;
293
294                 case SSL3_ST_SW_KEY_EXCH_A:
295                 case SSL3_ST_SW_KEY_EXCH_B:
296                         l=s->s3->tmp.new_cipher->algorithms;
297                         if (s->session->cert == NULL)
298                                 {
299                                 if (s->cert != NULL)
300                                         {
301                                         CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
302                                         s->session->cert=s->cert;
303                                         }
304                                 else
305                                         {
306                                         CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
307                                         s->session->cert=s->ctx->default_cert;
308                                         }
309                                 }
310                         ct=s->session->cert;
311
312                         /* clear this, it may get reset by
313                          * send_server_key_exchange */
314                         if (s->options & SSL_OP_EPHEMERAL_RSA)
315                                 s->s3->tmp.use_rsa_tmp=1;
316                         else
317                                 s->s3->tmp.use_rsa_tmp=0;
318
319                         /* only send if a DH key exchange, fortezza or
320                          * RSA but we have a sign only certificate */
321                         if ( s->s3->tmp.use_rsa_tmp ||
322                             (l & (SSL_DH|SSL_kFZA)) ||
323                             ((l & SSL_kRSA) &&
324                              ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)||
325                               ((l & SSL_EXPORT) &&
326                                (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512)
327                               )
328                              )
329                             )
330                            )
331                                 {
332                                 ret=ssl3_send_server_key_exchange(s);
333                                 if (ret <= 0) goto end;
334                                 }
335                         else
336                                 skip=1;
337
338                         s->state=SSL3_ST_SW_CERT_REQ_A;
339                         s->init_num=0;
340                         break;
341
342                 case SSL3_ST_SW_CERT_REQ_A:
343                 case SSL3_ST_SW_CERT_REQ_B:
344                         if (!(s->verify_mode & SSL_VERIFY_PEER) ||
345                                 ((s->session->peer != NULL) &&
346                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
347                                 {
348                                 /* no cert request */
349                                 skip=1;
350                                 s->s3->tmp.cert_request=0;
351                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
352                                 }
353                         else
354                                 {
355                                 s->s3->tmp.cert_request=1;
356                                 ret=ssl3_send_certificate_request(s);
357                                 if (ret <= 0) goto end;
358                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
359                                 s->init_num=0;
360                                 }
361                         break;
362
363                 case SSL3_ST_SW_SRVR_DONE_A:
364                 case SSL3_ST_SW_SRVR_DONE_B:
365                         ret=ssl3_send_server_done(s);
366                         if (ret <= 0) goto end;
367                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
368                         s->state=SSL3_ST_SW_FLUSH;
369                         s->init_num=0;
370                         break;
371                 
372                 case SSL3_ST_SW_FLUSH:
373                         /* number of bytes to be flushed */
374                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
375                         if (num1 > 0)
376                                 {
377                                 s->rwstate=SSL_WRITING;
378                                 num1=BIO_flush(s->wbio);
379                                 if (num1 <= 0) { ret= -1; goto end; }
380                                 s->rwstate=SSL_NOTHING;
381                                 }
382
383                         s->state=s->s3->tmp.next_state;
384                         break;
385
386                 case SSL3_ST_SR_CERT_A:
387                 case SSL3_ST_SR_CERT_B:
388                         /* could be sent for a DH cert, even if we
389                          * have not asked for it :-) */
390                         ret=ssl3_get_client_certificate(s);
391                         if (ret <= 0) goto end;
392                         s->init_num=0;
393                         s->state=SSL3_ST_SR_KEY_EXCH_A;
394                         break;
395
396                 case SSL3_ST_SR_KEY_EXCH_A:
397                 case SSL3_ST_SR_KEY_EXCH_B:
398                         ret=ssl3_get_client_key_exchange(s);
399                         if (ret <= 0) goto end;
400                         s->state=SSL3_ST_SR_CERT_VRFY_A;
401                         s->init_num=0;
402
403                         /* We need to get hashes here so if there is
404                          * a client cert, it can be verified */ 
405                         s->method->ssl3_enc->cert_verify_mac(s,
406                                 &(s->s3->finish_dgst1),
407                                 &(s->s3->tmp.finish_md[0]));
408                         s->method->ssl3_enc->cert_verify_mac(s,
409                                 &(s->s3->finish_dgst2),
410                                 &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
411
412                         break;
413
414                 case SSL3_ST_SR_CERT_VRFY_A:
415                 case SSL3_ST_SR_CERT_VRFY_B:
416
417                         /* we should decide if we expected this one */
418                         ret=ssl3_get_cert_verify(s);
419                         if (ret <= 0) goto end;
420
421                         s->state=SSL3_ST_SR_FINISHED_A;
422                         s->init_num=0;
423                         break;
424
425                 case SSL3_ST_SR_FINISHED_A:
426                 case SSL3_ST_SR_FINISHED_B:
427                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
428                                 SSL3_ST_SR_FINISHED_B);
429                         if (ret <= 0) goto end;
430                         if (s->hit)
431                                 s->state=SSL_ST_OK;
432                         else
433                                 s->state=SSL3_ST_SW_CHANGE_A;
434                         s->init_num=0;
435                         break;
436
437                 case SSL3_ST_SW_CHANGE_A:
438                 case SSL3_ST_SW_CHANGE_B:
439
440                         s->session->cipher=s->s3->tmp.new_cipher;
441                         if (!s->method->ssl3_enc->setup_key_block(s))
442                                 { ret= -1; goto end; }
443
444                         ret=ssl3_send_change_cipher_spec(s,
445                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
446
447                         if (ret <= 0) goto end;
448                         s->state=SSL3_ST_SW_FINISHED_A;
449                         s->init_num=0;
450
451                         if (!s->method->ssl3_enc->change_cipher_state(s,
452                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
453                                 {
454                                 ret= -1;
455                                 goto end;
456                                 }
457
458                         break;
459
460                 case SSL3_ST_SW_FINISHED_A:
461                 case SSL3_ST_SW_FINISHED_B:
462                         ret=ssl3_send_finished(s,
463                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
464                                 s->method->ssl3_enc->server_finished,
465                                 s->method->ssl3_enc->server_finished_len);
466                         if (ret <= 0) goto end;
467                         s->state=SSL3_ST_SW_FLUSH;
468                         if (s->hit)
469                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
470                         else
471                                 s->s3->tmp.next_state=SSL_ST_OK;
472                         s->init_num=0;
473                         break;
474
475                 case SSL_ST_OK:
476                         /* clean a few things up */
477                         ssl3_cleanup_key_block(s);
478
479                         BUF_MEM_free(s->init_buf);
480                         s->init_buf=NULL;
481
482                         /* remove buffering on output */
483                         under=BIO_pop(s->wbio);
484                         if (under != NULL)
485                                 s->wbio=under;
486                         else
487                                 abort(); /* ok */
488                         BIO_free(s->bbio);
489                         s->bbio=NULL;
490
491                         s->new_session=0;
492                         s->init_num=0;
493
494                         ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
495
496                         s->ctx->sess_accept_good++;
497                         /* s->server=1; */
498                         s->handshake_func=ssl3_accept;
499                         ret=1;
500
501                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
502
503                         goto end;
504                         /* break; */
505
506                 default:
507                         SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
508                         ret= -1;
509                         goto end;
510                         /* break; */
511                         }
512                 
513                 if (!s->s3->tmp.reuse_message && !skip)
514                         {
515                         if (s->debug)
516                                 {
517                                 if ((ret=BIO_flush(s->wbio)) <= 0)
518                                         goto end;
519                                 }
520
521
522                         if ((cb != NULL) && (s->state != state))
523                                 {
524                                 new_state=s->state;
525                                 s->state=state;
526                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
527                                 s->state=new_state;
528                                 }
529                         }
530                 skip=0;
531                 }
532 end:
533         /* BIO_flush(s->wbio); */
534
535         if (cb != NULL)
536                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
537         s->in_handshake--;
538         return(ret);
539         }
540
541 static int ssl3_send_hello_request(s)
542 SSL *s;
543         {
544         unsigned char *p;
545
546         if (s->state == SSL3_ST_SW_HELLO_REQ_A)
547                 {
548                 p=(unsigned char *)s->init_buf->data;
549                 *(p++)=SSL3_MT_CLIENT_REQUEST;
550                 *(p++)=0;
551                 *(p++)=0;
552                 *(p++)=0;
553
554                 s->state=SSL3_ST_SW_HELLO_REQ_B;
555                 /* number of bytes to write */
556                 s->init_num=4;
557                 s->init_off=0;
558                 }
559
560         /* SSL3_ST_SW_HELLO_REQ_B */
561         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
562         }
563
564 static int ssl3_get_client_hello(s)
565 SSL *s;
566         {
567         int i,j,ok,al,ret= -1;
568         long n;
569         unsigned long id;
570         unsigned char *p,*d;
571         SSL_CIPHER *c;
572         STACK *ciphers=NULL;
573
574         /* We do this so that we will respond with our native type.
575          * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
576          * This down switching should be handled by a different method.
577          * If we are SSLv3, we will respond with SSLv3, even if prompted with
578          * TLSv1.
579          */
580         if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
581                 {
582                 s->first_packet=1;
583                 s->state=SSL3_ST_SR_CLNT_HELLO_B;
584                 }
585         n=ssl3_get_message(s,
586                 SSL3_ST_SR_CLNT_HELLO_B,
587                 SSL3_ST_SR_CLNT_HELLO_C,
588                 SSL3_MT_CLIENT_HELLO,
589                 SSL3_RT_MAX_PLAIN_LENGTH,
590                 &ok);
591
592         if (!ok) return((int)n);
593         d=p=(unsigned char *)s->init_buf->data;
594
595         /* The version number has already been checked in ssl3_get_message.
596          * I a native TLSv1/SSLv3 method, the match must be correct except
597          * perhaps for the first message */
598         p+=2;
599
600         /* load the client random */
601         memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
602         p+=SSL3_RANDOM_SIZE;
603
604         /* get the session-id */
605         j= *(p++);
606
607         s->hit=0;
608         if (j == 0)
609                 {
610                 if (!ssl_get_new_session(s,1))
611                         goto err;
612                 }
613         else
614                 {
615                 i=ssl_get_prev_session(s,p,j);
616                 if (i == 1)
617                         { /* previous session */
618                         s->hit=1;
619                         }
620                 else
621                         {
622                         if (!ssl_get_new_session(s,1))
623                                 goto err;
624                         }
625                 }
626
627         p+=j;
628         n2s(p,i);
629         if ((i == 0) && (j != 0))
630                 {
631                 /* we need a cipher if we are not resuming a session */
632                 al=SSL_AD_ILLEGAL_PARAMETER;
633                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
634                 goto f_err;
635                 }
636         if ((i+p) > (d+n))
637                 {
638                 /* not enough data */
639                 al=SSL_AD_DECODE_ERROR;
640                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
641                 goto f_err;
642                 }
643         if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers))
644                 == NULL))
645                 {
646                 goto err;
647                 }
648         p+=i;
649
650         /* If it is a hit, check that the cipher is in the list */
651         if ((s->hit) && (i > 0))
652                 {
653                 j=0;
654                 id=s->session->cipher->id;
655
656                 for (i=0; i<sk_num(ciphers); i++)
657                         {
658                         c=(SSL_CIPHER *)sk_value(ciphers,i);
659                         if (c->id == id)
660                                 {
661                                 j=1;
662                                 break;
663                                 }
664                         }
665                 if (j == 0)
666                         {
667                         if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_num(ciphers) == 1))
668                                 {
669                                 /* Very bad for multi-threading.... */
670                                 s->session->cipher=
671                                         (SSL_CIPHER *)sk_value(ciphers,0);
672                                 }
673                         else
674                                 {
675                                 /* we need to have the cipher in the cipher
676                                  * list if we are asked to reuse it */
677                                 al=SSL_AD_ILLEGAL_PARAMETER;
678                                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING);
679                                 goto f_err;
680                                 }
681                         }
682                 }
683
684         /* compression */
685         i= *(p++);
686         for (j=0; j<i; j++)
687                 if (p[j] == 0) break;
688
689         p+=i;
690         if (j >= i)
691                 {
692                 /* no compress */
693                 al=SSL_AD_DECODE_ERROR;
694                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED);
695                 goto f_err;
696                 }
697
698         /* TLS does not mind if there is extra stuff */
699         if (s->version == SSL3_VERSION)
700                 {
701                 if (p > (d+n))
702                         {
703                         /* wrong number of bytes,
704                          * there could be more to follow */
705                         al=SSL_AD_DECODE_ERROR;
706                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH);
707                         goto f_err;
708                         }
709                 }
710
711         /* do nothing with compression */
712
713         /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
714          * pick a cipher */
715
716         if (!s->hit)
717                 {
718                 if (s->session->ciphers != NULL)
719                         sk_free(s->session->ciphers);
720                 s->session->ciphers=ciphers;
721                 if (ciphers == NULL)
722                         {
723                         al=SSL_AD_ILLEGAL_PARAMETER;
724                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
725                         goto f_err;
726                         }
727                 ciphers=NULL;
728                 c=ssl3_choose_cipher(s,s->session->ciphers,
729                         ssl_get_ciphers_by_id(s));
730
731                 if (c == NULL)
732                         {
733                         al=SSL_AD_HANDSHAKE_FAILURE;
734                         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
735                         goto f_err;
736                         }
737                 s->s3->tmp.new_cipher=c;
738                 }
739         else
740                 {
741                 /* Session-id reuse */
742 #ifdef REUSE_CIPHER_BUG
743                 STACK *sk;
744                 SSL_CIPHER *nc=NULL;
745                 SSL_CIPHER *ec=NULL;
746
747                 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
748                         {
749                         sk=s->session->ciphers;
750                         for (i=0; i<sk_num(sk); i++)
751                                 {
752                                 c=(SSL_CIPHER *)sk_value(sk,i);
753                                 if (c->algorithms & SSL_eNULL)
754                                         nc=c;
755                                 if (c->algorithms & SSL_EXP)
756                                         ec=c;
757                                 }
758                         if (nc != NULL)
759                                 s->s3->tmp.new_cipher=nc;
760                         else if (ec != NULL)
761                                 s->s3->tmp.new_cipher=ec;
762                         else
763                                 s->s3->tmp.new_cipher=s->session->cipher;
764                         }
765                 else
766 #endif
767                 s->s3->tmp.new_cipher=s->session->cipher;
768                 }
769         
770         /* we now have the following setup. 
771          * client_random
772          * cipher_list          - our prefered list of ciphers
773          * ciphers              - the clients prefered list of ciphers
774          * compression          - basically ignored right now
775          * ssl version is set   - sslv3
776          * s->session           - The ssl session has been setup.
777          * s->hit               - sesson reuse flag
778          * s->tmp.new_cipher    - the new cipher to use.
779          */
780
781         ret=1;
782         if (0)
783                 {
784 f_err:
785                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
786                 }
787 err:
788         if (ciphers != NULL) sk_free(ciphers);
789         return(ret);
790         }
791
792 static int ssl3_send_server_hello(s)
793 SSL *s;
794         {
795         unsigned char *buf;
796         unsigned char *p,*d;
797         int i,sl;
798         unsigned long l,Time;
799
800         if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
801                 {
802                 buf=(unsigned char *)s->init_buf->data;
803                 p=s->s3->server_random;
804                 Time=time(NULL);                        /* Time */
805                 l2n(Time,p);
806                 RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
807                 /* Do the message type and length last */
808                 d=p= &(buf[4]);
809
810                 *(p++)=s->version>>8;
811                 *(p++)=s->version&0xff;
812
813                 /* Random stuff */
814                 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
815                 p+=SSL3_RANDOM_SIZE;
816
817                 /* now in theory we have 3 options to sending back the
818                  * session id.  If it is a re-use, we send back the
819                  * old session-id, if it is a new session, we send
820                  * back the new session-id or we send back a 0 length
821                  * session-id if we want it to be single use.
822                  * Currently I will not implement the '0' length session-id
823                  * 12-Jan-98 - I'll now support the '0' length stuff.
824                  */
825                 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
826                         s->session->session_id_length=0;
827
828                 sl=s->session->session_id_length;
829                 *(p++)=sl;
830                 memcpy(p,s->session->session_id,sl);
831                 p+=sl;
832
833                 /* put the cipher */
834                 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
835                 p+=i;
836
837                 /* put the compression method */
838                 *(p++)=0;
839
840                 /* do the header */
841                 l=(p-d);
842                 d=buf;
843                 *(d++)=SSL3_MT_SERVER_HELLO;
844                 l2n3(l,d);
845
846                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
847                 /* number of bytes to write */
848                 s->init_num=p-buf;
849                 s->init_off=0;
850                 }
851
852         /* SSL3_ST_CW_CLNT_HELLO_B */
853         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
854         }
855
856 static int ssl3_send_server_done(s)
857 SSL *s;
858         {
859         unsigned char *p;
860
861         if (s->state == SSL3_ST_SW_SRVR_DONE_A)
862                 {
863                 p=(unsigned char *)s->init_buf->data;
864
865                 /* do the header */
866                 *(p++)=SSL3_MT_SERVER_DONE;
867                 *(p++)=0;
868                 *(p++)=0;
869                 *(p++)=0;
870
871                 s->state=SSL3_ST_SW_SRVR_DONE_B;
872                 /* number of bytes to write */
873                 s->init_num=4;
874                 s->init_off=0;
875                 }
876
877         /* SSL3_ST_CW_CLNT_HELLO_B */
878         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
879         }
880
881 static int ssl3_send_server_key_exchange(s)
882 SSL *s;
883         {
884 #ifndef NO_RSA
885         unsigned char *q;
886         int j,num;
887         RSA *rsa;
888         unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
889 #endif
890 #ifndef NO_DH
891         DH *dh,*dhp;
892 #endif
893         EVP_PKEY *pkey;
894         unsigned char *p,*d;
895         int al,i;
896         unsigned long type;
897         int n;
898         CERT *cert;
899         BIGNUM *r[4];
900         int nr[4],kn;
901         BUF_MEM *buf;
902         EVP_MD_CTX md_ctx;
903
904         if (s->state == SSL3_ST_SW_KEY_EXCH_A)
905                 {
906                 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
907                 cert=s->session->cert;
908
909                 buf=s->init_buf;
910
911                 r[0]=r[1]=r[2]=r[3]=NULL;
912                 n=0;
913 #ifndef NO_RSA
914                 if (type & SSL_kRSA)
915                         {
916                         rsa=cert->rsa_tmp;
917                         if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
918                                 {
919                                 rsa=s->ctx->default_cert->rsa_tmp_cb(s,
920                                         !(s->s3->tmp.new_cipher->algorithms
921                                           &SSL_NOT_EXP));
922                                 CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
923                                 cert->rsa_tmp=rsa;
924                                 }
925                         if (rsa == NULL)
926                                 {
927                                 al=SSL_AD_HANDSHAKE_FAILURE;
928                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
929                                 goto f_err;
930                                 }
931                         r[0]=rsa->n;
932                         r[1]=rsa->e;
933                         s->s3->tmp.use_rsa_tmp=1;
934                         }
935                 else
936 #endif
937 #ifndef NO_DH
938                         if (type & SSL_kEDH)
939                         {
940                         dhp=cert->dh_tmp;
941                         if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
942                                 dhp=cert->dh_tmp_cb(s,
943                                         !(s->s3->tmp.new_cipher->algorithms
944                                           &SSL_NOT_EXP));
945                         if (dhp == NULL)
946                                 {
947                                 al=SSL_AD_HANDSHAKE_FAILURE;
948                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
949                                 goto f_err;
950                                 }
951                         if ((dh=DHparams_dup(dhp)) == NULL)
952                                 {
953                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
954                                 goto err;
955                                 }
956
957                         s->s3->tmp.dh=dh;
958                         if ((dhp->pub_key == NULL ||
959                              dhp->priv_key == NULL ||
960                              (s->options & SSL_OP_SINGLE_DH_USE)))
961                                 {
962                                 if(!DH_generate_key(dh))
963                                     {
964                                     SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
965                                            ERR_R_DH_LIB);
966                                     goto err;
967                                     }
968                                 }
969                         else
970                                 {
971                                 dh->pub_key=BN_dup(dhp->pub_key);
972                                 dh->priv_key=BN_dup(dhp->priv_key);
973                                 if ((dh->pub_key == NULL) ||
974                                         (dh->priv_key == NULL))
975                                         {
976                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
977                                         goto err;
978                                         }
979                                 }
980                         r[0]=dh->p;
981                         r[1]=dh->g;
982                         r[2]=dh->pub_key;
983                         }
984                 else 
985 #endif
986                         {
987                         al=SSL_AD_HANDSHAKE_FAILURE;
988                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
989                         goto f_err;
990                         }
991                 for (i=0; r[i] != NULL; i++)
992                         {
993                         nr[i]=BN_num_bytes(r[i]);
994                         n+=2+nr[i];
995                         }
996
997                 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
998                         {
999                         if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
1000                                 == NULL)
1001                                 {
1002                                 al=SSL_AD_DECODE_ERROR;
1003                                 goto f_err;
1004                                 }
1005                         kn=EVP_PKEY_size(pkey);
1006                         }
1007                 else
1008                         {
1009                         pkey=NULL;
1010                         kn=0;
1011                         }
1012
1013                 if (!BUF_MEM_grow(buf,n+4+kn))
1014                         {
1015                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1016                         goto err;
1017                         }
1018                 d=(unsigned char *)s->init_buf->data;
1019                 p= &(d[4]);
1020
1021                 for (i=0; r[i] != NULL; i++)
1022                         {
1023                         s2n(nr[i],p);
1024                         BN_bn2bin(r[i],p);
1025                         p+=nr[i];
1026                         }
1027
1028                 /* not anonymous */
1029                 if (pkey != NULL)
1030                         {
1031                         /* n is the length of the params, they start at &(d[4])
1032                          * and p points to the space at the end. */
1033 #ifndef NO_RSA
1034                         if (pkey->type == EVP_PKEY_RSA)
1035                                 {
1036                                 q=md_buf;
1037                                 j=0;
1038                                 for (num=2; num > 0; num--)
1039                                         {
1040                                         EVP_DigestInit(&md_ctx,(num == 2)
1041                                                 ?s->ctx->md5:s->ctx->sha1);
1042                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1043                                         EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1044                                         EVP_DigestUpdate(&md_ctx,&(d[4]),n);
1045                                         EVP_DigestFinal(&md_ctx,q,
1046                                                 (unsigned int *)&i);
1047                                         q+=i;
1048                                         j+=i;
1049                                         }
1050                                 i=RSA_private_encrypt(j,md_buf,&(p[2]),
1051                                         pkey->pkey.rsa,RSA_PKCS1_PADDING);
1052                                 if (i <= 0)
1053                                         {
1054                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1055                                         goto err;
1056                                         }
1057                                 s2n(i,p);
1058                                 n+=i+2;
1059                                 }
1060                         else
1061 #endif
1062 #if !defined(NO_DSA)
1063                                 if (pkey->type == EVP_PKEY_DSA)
1064                                 {
1065                                 /* lets do DSS */
1066                                 EVP_SignInit(&md_ctx,EVP_dss1());
1067                                 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1068                                 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1069                                 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1070                                 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1071                                         (unsigned int *)&i,pkey))
1072                                         {
1073                                         SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1074                                         goto err;
1075                                         }
1076                                 s2n(i,p);
1077                                 n+=i+2;
1078                                 }
1079                         else
1080 #endif
1081                                 {
1082                                 /* Is this error check actually needed? */
1083                                 al=SSL_AD_HANDSHAKE_FAILURE;
1084                                 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1085                                 goto f_err;
1086                                 }
1087                         }
1088
1089                 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE;
1090                 l2n3(n,d);
1091
1092                 /* we should now have things packed up, so lets send
1093                  * it off */
1094                 s->init_num=n+4;
1095                 s->init_off=0;
1096                 }
1097
1098         /* SSL3_ST_SW_KEY_EXCH_B */
1099         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1100 f_err:
1101         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1102 err:
1103         return(-1);
1104         }
1105
1106 static int ssl3_send_certificate_request(s)
1107 SSL *s;
1108         {
1109         unsigned char *p,*d;
1110         int i,j,nl,off,n;
1111         STACK *sk=NULL;
1112         X509_NAME *name;
1113         BUF_MEM *buf;
1114
1115         if (s->state == SSL3_ST_SW_CERT_REQ_A)
1116                 {
1117                 buf=s->init_buf;
1118
1119                 d=p=(unsigned char *)&(buf->data[4]);
1120
1121                 /* get the list of acceptable cert types */
1122                 p++;
1123                 n=ssl3_get_req_cert_type(s,p);
1124                 d[0]=n;
1125                 p+=n;
1126                 n++;
1127
1128                 off=n;
1129                 p+=2;
1130                 n+=2;
1131
1132                 sk=SSL_get_client_CA_list(s);
1133                 nl=0;
1134                 if (sk != NULL)
1135                         {
1136                         for (i=0; i<sk_num(sk); i++)
1137                                 {
1138                                 name=(X509_NAME *)sk_value(sk,i);
1139                                 j=i2d_X509_NAME(name,NULL);
1140                                 if (!BUF_MEM_grow(buf,4+n+j+2))
1141                                         {
1142                                         SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1143                                         goto err;
1144                                         }
1145                                 p=(unsigned char *)&(buf->data[4+n]);
1146                                 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1147                                         {
1148                                         s2n(j,p);
1149                                         i2d_X509_NAME(name,&p);
1150                                         n+=2+j;
1151                                         nl+=2+j;
1152                                         }
1153                                 else
1154                                         {
1155                                         d=p;
1156                                         i2d_X509_NAME(name,&p);
1157                                         j-=2; s2n(j,d); j+=2;
1158                                         n+=j;
1159                                         nl+=j;
1160                                         }
1161                                 }
1162                         }
1163                 /* else no CA names */
1164                 p=(unsigned char *)&(buf->data[4+off]);
1165                 s2n(nl,p);
1166
1167                 d=(unsigned char *)buf->data;
1168                 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1169                 l2n3(n,d);
1170
1171                 /* we should now have things packed up, so lets send
1172                  * it off */
1173
1174                 s->init_num=n+4;
1175                 s->init_off=0;
1176                 }
1177
1178         /* SSL3_ST_SW_CERT_REQ_B */
1179         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1180 err:
1181         return(-1);
1182         }
1183
1184 static int ssl3_get_client_key_exchange(s)
1185 SSL *s;
1186         {
1187         int i,al,ok;
1188         long n;
1189         unsigned long l;
1190         unsigned char *p;
1191         RSA *rsa=NULL;
1192         EVP_PKEY *pkey=NULL;
1193 #ifndef NO_DH
1194         BIGNUM *pub=NULL;
1195         DH *dh_srvr;
1196 #endif
1197
1198         n=ssl3_get_message(s,
1199                 SSL3_ST_SR_KEY_EXCH_A,
1200                 SSL3_ST_SR_KEY_EXCH_B,
1201                 SSL3_MT_CLIENT_KEY_EXCHANGE,
1202                 400, /* ???? */
1203                 &ok);
1204
1205         if (!ok) return((int)n);
1206         p=(unsigned char *)s->init_buf->data;
1207
1208         l=s->s3->tmp.new_cipher->algorithms;
1209
1210 #ifndef NO_RSA
1211         if (l & SSL_kRSA)
1212                 {
1213                 /* FIX THIS UP EAY EAY EAY EAY */
1214                 if (s->s3->tmp.use_rsa_tmp)
1215                         {
1216                         if ((s->session->cert != NULL) &&
1217                                 (s->session->cert->rsa_tmp != NULL))
1218                                 rsa=s->session->cert->rsa_tmp;
1219                         else if ((s->ctx->default_cert != NULL) &&
1220                                 (s->ctx->default_cert->rsa_tmp != NULL))
1221                                 rsa=s->ctx->default_cert->rsa_tmp;
1222                         /* Don't do a callback because rsa_tmp should
1223                          * be sent already */
1224                         if (rsa == NULL)
1225                                 {
1226                                 al=SSL_AD_HANDSHAKE_FAILURE;
1227                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
1228                                 goto f_err;
1229
1230                                 }
1231                         }
1232                 else
1233                         {
1234                         pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1235                         if (    (pkey == NULL) ||
1236                                 (pkey->type != EVP_PKEY_RSA) ||
1237                                 (pkey->pkey.rsa == NULL))
1238                                 {
1239                                 al=SSL_AD_HANDSHAKE_FAILURE;
1240                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
1241                                 goto f_err;
1242                                 }
1243                         rsa=pkey->pkey.rsa;
1244                         }
1245
1246                 /* TLS */
1247                 if (s->version > SSL3_VERSION)
1248                         {
1249                         n2s(p,i);
1250                         if (n != i+2)
1251                                 {
1252                                 if (!(s->options & SSL_OP_TLS_D5_BUG))
1253                                         {
1254                                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1255                                         goto err;
1256                                         }
1257                                 else
1258                                         p-=2;
1259                                 }
1260                         else
1261                                 n=i;
1262                         }
1263
1264                 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
1265
1266 #if 1
1267                 /* If a bad decrypt, use a random master key */
1268                 if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
1269                         ((p[0] != (s->version>>8)) ||
1270                          (p[1] != (s->version & 0xff))))
1271                         {
1272                         p[0]=(s->version>>8);
1273                         p[1]=(s->version & 0xff);
1274                         RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
1275                         i=SSL_MAX_MASTER_KEY_LENGTH;
1276                         }
1277 #else
1278                 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1279                         {
1280                         al=SSL_AD_DECODE_ERROR;
1281                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1282                         goto f_err;
1283                         }
1284
1285                 if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
1286                         {
1287                         al=SSL_AD_DECODE_ERROR;
1288                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1289                         goto f_err;
1290                         }
1291 #endif
1292
1293                 s->session->master_key_length=
1294                         s->method->ssl3_enc->generate_master_secret(s,
1295                                 s->session->master_key,
1296                                 p,i);
1297                 memset(p,0,i);
1298                 }
1299         else
1300 #endif
1301 #ifndef NO_DH
1302                 if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
1303                 {
1304                 n2s(p,i);
1305                 if (n != i+2)
1306                         {
1307                         if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
1308                                 {
1309                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
1310                                 goto err;
1311                                 }
1312                         else
1313                                 {
1314                                 p-=2;
1315                                 i=(int)n;
1316                                 }
1317                         }
1318
1319                 if (n == 0L) /* the parameters are in the cert */
1320                         {
1321                         al=SSL_AD_HANDSHAKE_FAILURE;
1322                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
1323                         goto f_err;
1324                         }
1325                 else
1326                         {
1327                         if (s->s3->tmp.dh == NULL)
1328                                 {
1329                                 al=SSL_AD_HANDSHAKE_FAILURE;
1330                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1331                                 goto f_err;
1332                                 }
1333                         else
1334                                 dh_srvr=s->s3->tmp.dh;
1335                         }
1336
1337                 pub=BN_bin2bn(p,i,NULL);
1338                 if (pub == NULL)
1339                         {
1340                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
1341                         goto err;
1342                         }
1343
1344                 i=DH_compute_key(p,pub,dh_srvr);
1345
1346                 if (i <= 0)
1347                         {
1348                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
1349                         goto err;
1350                         }
1351
1352                 DH_free(s->s3->tmp.dh);
1353                 s->s3->tmp.dh=NULL;
1354
1355                 BN_clear_free(pub);
1356                 pub=NULL;
1357                 s->session->master_key_length=
1358                         s->method->ssl3_enc->generate_master_secret(s,
1359                                 s->session->master_key,p,i);
1360                 }
1361         else
1362 #endif
1363                 {
1364                 al=SSL_AD_HANDSHAKE_FAILURE;
1365                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
1366                 goto f_err;
1367                 }
1368
1369         return(1);
1370 f_err:
1371         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1372 #if !defined(NO_DH) || !defined(NO_RSA)
1373 err:
1374 #endif
1375         return(-1);
1376         }
1377
1378 static int ssl3_get_cert_verify(s)
1379 SSL *s;
1380         {
1381         EVP_PKEY *pkey=NULL;
1382         unsigned char *p;
1383         int al,ok,ret=0;
1384         long n;
1385         int type=0,i,j;
1386         X509 *peer;
1387
1388         n=ssl3_get_message(s,
1389                 SSL3_ST_SR_CERT_VRFY_A,
1390                 SSL3_ST_SR_CERT_VRFY_B,
1391                 -1,
1392                 512, /* 512? */
1393                 &ok);
1394
1395         if (!ok) return((int)n);
1396
1397         if (s->session->peer != NULL)
1398                 {
1399                 peer=s->session->peer;
1400                 pkey=X509_get_pubkey(peer);
1401                 type=X509_certificate_type(peer,pkey);
1402                 }
1403         else
1404                 {
1405                 peer=NULL;
1406                 pkey=NULL;
1407                 }
1408
1409         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
1410                 {
1411                 s->s3->tmp.reuse_message=1;
1412                 if ((peer != NULL) && (type | EVP_PKT_SIGN))
1413                         {
1414                         al=SSL_AD_UNEXPECTED_MESSAGE;
1415                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
1416                         goto f_err;
1417                         }
1418                 ret=1;
1419                 goto end;
1420                 }
1421
1422         if (peer == NULL)
1423                 {
1424                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED);
1425                 al=SSL_AD_UNEXPECTED_MESSAGE;
1426                 goto f_err;
1427                 }
1428
1429         if (!(type & EVP_PKT_SIGN))
1430                 {
1431                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
1432                 al=SSL_AD_ILLEGAL_PARAMETER;
1433                 goto f_err;
1434                 }
1435
1436         if (s->s3->change_cipher_spec)
1437                 {
1438                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
1439                 al=SSL_AD_UNEXPECTED_MESSAGE;
1440                 goto f_err;
1441                 }
1442
1443         /* we now have a signature that we need to verify */
1444         p=(unsigned char *)s->init_buf->data;
1445         n2s(p,i);
1446         n-=2;
1447         if (i > n)
1448                 {
1449                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH);
1450                 al=SSL_AD_DECODE_ERROR;
1451                 goto f_err;
1452                 }
1453
1454         j=EVP_PKEY_size(pkey);
1455         if ((i > j) || (n > j) || (n <= 0))
1456                 {
1457                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
1458                 al=SSL_AD_DECODE_ERROR;
1459                 goto f_err;
1460                 }
1461
1462 #ifndef NO_RSA 
1463         if (pkey->type == EVP_PKEY_RSA)
1464                 {
1465                 i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
1466                 if (i < 0)
1467                         {
1468                         al=SSL_AD_DECRYPT_ERROR;
1469                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
1470                         goto f_err;
1471                         }
1472                 if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
1473                         memcmp(&(s->s3->tmp.finish_md[0]),p,
1474                                 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
1475                         {
1476                         al=SSL_AD_DECRYPT_ERROR;
1477                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
1478                         goto f_err;
1479                         }
1480                 }
1481         else
1482 #endif
1483 #ifndef NO_DSA
1484                 if (pkey->type == EVP_PKEY_DSA)
1485                 {
1486                 j=DSA_verify(pkey->save_type,
1487                         &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
1488                         SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
1489                 if (j <= 0)
1490                         {
1491                         /* bad signature */
1492                         al=SSL_AD_DECRYPT_ERROR;
1493                         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE);
1494                         goto f_err;
1495                         }
1496                 }
1497         else
1498 #endif
1499                 {
1500                 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
1501                 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
1502                 goto f_err;
1503                 }
1504
1505
1506         ret=1;
1507         if (0)
1508                 {
1509 f_err:
1510                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1511                 }
1512 end:
1513         return(ret);
1514         }
1515
1516 static int ssl3_get_client_certificate(s)
1517 SSL *s;
1518         {
1519         int i,ok,al,ret= -1;
1520         X509 *x=NULL;
1521         unsigned long l,nc,llen,n;
1522         unsigned char *p,*d,*q;
1523         STACK *sk=NULL;
1524
1525         n=ssl3_get_message(s,
1526                 SSL3_ST_SR_CERT_A,
1527                 SSL3_ST_SR_CERT_B,
1528                 -1,
1529 #if defined(MSDOS) && !defined(WIN32)
1530                 1024*30, /* 30k max cert list :-) */
1531 #else
1532                 1024*100, /* 100k max cert list :-) */
1533 #endif
1534                 &ok);
1535
1536         if (!ok) return((int)n);
1537
1538         if      (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE)
1539                 {
1540                 if (    (s->verify_mode & SSL_VERIFY_PEER) &&
1541                         (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1542                         {
1543                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1544                         al=SSL_AD_HANDSHAKE_FAILURE;
1545                         goto f_err;
1546                         }
1547                 /* If tls asked for a client cert we must return a 0 list */
1548                 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
1549                         {
1550                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
1551                         al=SSL_AD_UNEXPECTED_MESSAGE;
1552                         goto f_err;
1553                         }
1554                 s->s3->tmp.reuse_message=1;
1555                 return(1);
1556                 }
1557
1558         if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
1559                 {
1560                 al=SSL_AD_UNEXPECTED_MESSAGE;
1561                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
1562                 goto f_err;
1563                 }
1564         d=p=(unsigned char *)s->init_buf->data;
1565
1566         if ((sk=sk_new_null()) == NULL)
1567                 {
1568                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1569                 goto err;
1570                 }
1571
1572         n2l3(p,llen);
1573         if (llen+3 != n)
1574                 {
1575                 al=SSL_AD_DECODE_ERROR;
1576                 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1577                 goto f_err;
1578                 }
1579         for (nc=0; nc<llen; )
1580                 {
1581                 n2l3(p,l);
1582                 if ((l+nc+3) > llen)
1583                         {
1584                         al=SSL_AD_DECODE_ERROR;
1585                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1586                         goto f_err;
1587                         }
1588
1589                 q=p;
1590                 x=d2i_X509(NULL,&p,l);
1591                 if (x == NULL)
1592                         {
1593                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
1594                         goto err;
1595                         }
1596                 if (p != (q+l))
1597                         {
1598                         al=SSL_AD_DECODE_ERROR;
1599                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1600                         goto f_err;
1601                         }
1602                 if (!sk_push(sk,(char *)x))
1603                         {
1604                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1605                         goto err;
1606                         }
1607                 x=NULL;
1608                 nc+=l+3;
1609                 }
1610
1611         if (sk_num(sk) <= 0)
1612                 {
1613                 /* TLS does not mind 0 certs returned */
1614                 if (s->version == SSL3_VERSION)
1615                         {
1616                         al=SSL_AD_HANDSHAKE_FAILURE;
1617                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
1618                         goto f_err;
1619                         }
1620                 /* Fail for TLS only if we required a certificate */
1621                 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
1622                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1623                         {
1624                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1625                         al=SSL_AD_HANDSHAKE_FAILURE;
1626                         goto f_err;
1627                         }
1628                 }
1629         else
1630                 {
1631                 i=ssl_verify_cert_chain(s,sk);
1632                 if (!i)
1633                         {
1634                         al=ssl_verify_alarm_type(s->verify_result);
1635                         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
1636                         goto f_err;
1637                         }
1638                 }
1639
1640         /* This should not be needed */
1641         if (s->session->peer != NULL)
1642                 X509_free(s->session->peer);
1643         s->session->peer=(X509 *)sk_shift(sk);
1644
1645         ret=1;
1646         if (0)
1647                 {
1648 f_err:
1649                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1650                 }
1651 err:
1652         if (x != NULL) X509_free(x);
1653         if (sk != NULL) sk_pop_free(sk,X509_free);
1654         return(ret);
1655         }
1656
1657 int ssl3_send_server_certificate(s)
1658 SSL *s;
1659         {
1660         unsigned long l;
1661         X509 *x;
1662
1663         if (s->state == SSL3_ST_SW_CERT_A)
1664                 {
1665                 x=ssl_get_server_send_cert(s);
1666                 if (x == NULL)
1667                         {
1668                         SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
1669                         return(0);
1670                         }
1671
1672                 l=ssl3_output_cert_chain(s,x);
1673                 s->state=SSL3_ST_SW_CERT_B;
1674                 s->init_num=(int)l;
1675                 s->init_off=0;
1676                 }
1677
1678         /* SSL3_ST_SW_CERT_B */
1679         return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
1680         }