X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fs3_clnt.c;h=1b9b586f96fc9dc2d8ff7ed44a1b9d08bdc0f4f9;hb=6635b48cd15942a4ae5b43e638eff1db2b41122b;hp=cd70bb1fb9e034395b01157428679851287621cf;hpb=5fdf06666c863cd62d53173d1d2011cdec71200c;p=oweals%2Fopenssl.git diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index cd70bb1fb9..1b9b586f96 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -121,6 +121,32 @@ * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. * */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ #include #include "ssl_locl.h" @@ -130,26 +156,19 @@ #include #include #include +#ifndef OPENSSL_NO_DH +#include +#endif +#include -static SSL_METHOD *ssl3_get_client_method(int ver); -static int ssl3_client_hello(SSL *s); -static int ssl3_get_server_hello(SSL *s); -static int ssl3_get_certificate_request(SSL *s); +static const SSL_METHOD *ssl3_get_client_method(int ver); static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); -static int ssl3_get_server_done(SSL *s); -static int ssl3_send_client_verify(SSL *s); -static int ssl3_send_client_certificate(SSL *s); -static int ssl3_send_client_key_exchange(SSL *s); -static int ssl3_get_key_exchange(SSL *s); -static int ssl3_get_server_certificate(SSL *s); -static int ssl3_check_cert_and_algorithm(SSL *s); #ifndef OPENSSL_NO_ECDH -static int curve_id2nid(int curve_id); int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs); #endif -static SSL_METHOD *ssl3_get_client_method(int ver) +static const SSL_METHOD *ssl3_get_client_method(int ver) { if (ver == SSL3_VERSION) return(SSLv3_client_method()); @@ -157,33 +176,15 @@ static SSL_METHOD *ssl3_get_client_method(int ver) return(NULL); } -SSL_METHOD *SSLv3_client_method(void) - { - static int init=1; - static SSL_METHOD SSLv3_client_data; - - if (init) - { - CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); - - if (init) - { - memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_client_data.ssl_connect=ssl3_connect; - SSLv3_client_data.get_ssl_method=ssl3_get_client_method; - init=0; - } - - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); - } - return(&SSLv3_client_data); - } +IMPLEMENT_ssl3_meth_func(SSLv3_client_method, + ssl_undefined_function, + ssl3_connect, + ssl3_get_client_method) int ssl3_connect(SSL *s) { BUF_MEM *buf=NULL; - unsigned long Time=time(NULL),l; + unsigned long Time=(unsigned long)time(NULL),l; long num1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; @@ -279,6 +280,7 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_SRVR_HELLO_B: ret=ssl3_get_server_hello(s); if (ret <= 0) goto end; + if (s->hit) s->state=SSL3_ST_CR_FINISHED_A; else @@ -289,7 +291,9 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: /* Check if it is anon DH/ECDH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + /* or PSK */ + if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) { ret=ssl3_get_server_certificate(s); if (ret <= 0) goto end; @@ -393,11 +397,15 @@ int ssl3_connect(SSL *s) s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; +#ifdef OPENSSL_NO_COMP + s->session->compress_meth=0; +#else if (s->s3->tmp.new_compression == NULL) s->session->compress_meth=0; else s->session->compress_meth= s->s3->tmp.new_compression->id; +#endif if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; @@ -537,13 +545,16 @@ end: } -static int ssl3_client_hello(SSL *s) +int ssl3_client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; - int i,j; + int i; unsigned long Time,l; +#ifndef OPENSSL_NO_COMP + int j; SSL_COMP *comp; +#endif buf=(unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) @@ -558,9 +569,10 @@ static int ssl3_client_hello(SSL *s) /* else use the pre-loaded session */ p=s->s3->client_random; - Time=time(NULL); /* Time */ + Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); - RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); + if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + goto err; /* Do the message type and length last */ d=p= &(buf[4]); @@ -591,7 +603,7 @@ static int ssl3_client_hello(SSL *s) } /* Ciphers supported */ - i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2])); + i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); if (i == 0) { SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); @@ -601,7 +613,12 @@ static int ssl3_client_hello(SSL *s) p+=i; /* COMPRESSION */ - if (s->ctx->comp_methods == NULL) +#ifdef OPENSSL_NO_COMP + *(p++)=1; +#else + + if ((s->options & SSL_OP_NO_COMPRESSION) + || !s->ctx->comp_methods) j=0; else j=sk_SSL_COMP_num(s->ctx->comp_methods); @@ -611,7 +628,20 @@ static int ssl3_client_hello(SSL *s) comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); *(p++)=comp->id; } +#endif *(p++)=0; /* Add the NULL method */ +#ifndef OPENSSL_NO_TLSEXT + if (ssl_prepare_clienthello_tlsext(s) <= 0) + { + SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) + { + SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); + goto err; + } +#endif l=(p-d); d=buf; @@ -630,7 +660,7 @@ err: return(-1); } -static int ssl3_get_server_hello(SSL *s) +int ssl3_get_server_hello(SSL *s) { STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; @@ -638,16 +668,44 @@ static int ssl3_get_server_hello(SSL *s) int i,al,ok; unsigned int j; long n; +#ifndef OPENSSL_NO_COMP SSL_COMP *comp; +#endif - n=ssl3_get_message(s, + n=s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, SSL3_ST_CR_SRVR_HELLO_B, - SSL3_MT_SERVER_HELLO, + -1, 300, /* ?? */ &ok); if (!ok) return((int)n); + + if ( SSL_version(s) == DTLS1_VERSION) + { + if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) + { + if ( s->d1->send_cookie == 0) + { + s->s3->tmp.reuse_message = 1; + return 1; + } + else /* already sent a cookie */ + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); + goto f_err; + } + } + } + + if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); + goto f_err; + } + d=p=(unsigned char *)s->init_msg; if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) @@ -743,8 +801,16 @@ static int ssl3_get_server_hello(SSL *s) /* lets get the compression algorithm */ /* COMPRESSION */ +#ifdef OPENSSL_NO_COMP + if (*(p++) != 0) + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + goto f_err; + } +#else j= *(p++); - if (j == 0) + if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION)) comp=NULL; else comp=ssl3_comp_find(s->ctx->comp_methods,j); @@ -759,6 +825,24 @@ static int ssl3_get_server_hello(SSL *s) { s->s3->tmp.new_compression=comp; } +#endif +#ifndef OPENSSL_NO_TLSEXT + /* TLS extensions*/ + if (s->version > SSL3_VERSION) + { + if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) + { + /* 'al' set by ssl_parse_serverhello_tlsext */ + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); + goto f_err; + } + if (ssl_check_serverhello_tlsext(s) <= 0) + { + SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLSEXT); + goto err; + } + } +#endif if (p != (d+n)) { @@ -775,18 +859,19 @@ err: return(-1); } -static int ssl3_get_server_certificate(SSL *s) +int ssl3_get_server_certificate(SSL *s) { int al,i,ok,ret= -1; unsigned long n,nc,llen,l; X509 *x=NULL; - unsigned char *p,*d,*q; + const unsigned char *q,*p; + unsigned char *d; STACK_OF(X509) *sk=NULL; SESS_CERT *sc; EVP_PKEY *pkey=NULL; int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ - n=ssl3_get_message(s, + n=s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1, @@ -807,7 +892,7 @@ static int ssl3_get_server_certificate(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); goto f_err; } - d=p=(unsigned char *)s->init_msg; + p=d=(unsigned char *)s->init_msg; if ((sk=sk_X509_new_null()) == NULL) { @@ -958,7 +1043,7 @@ err: return(ret); } -static int ssl3_get_key_exchange(SSL *s) +int ssl3_get_key_exchange(SSL *s) { #ifndef OPENSSL_NO_RSA unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; @@ -984,23 +1069,34 @@ static int ssl3_get_key_exchange(SSL *s) /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ - n=ssl3_get_message(s, + n=s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); - if (!ok) return((int)n); if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { +#ifndef OPENSSL_NO_PSK + /* In plain PSK ciphersuite, ServerKeyExchange can be + omitted if no identity hint is sent. Set + session->sess_cert anyway to avoid problems + later.*/ + if (s->s3->tmp.new_cipher->algorithms & SSL_kPSK) + { + s->session->sess_cert=ssl_sess_cert_new(); + if (s->ctx->psk_identity_hint) + OPENSSL_free(s->ctx->psk_identity_hint); + s->ctx->psk_identity_hint = NULL; + } +#endif s->s3->tmp.reuse_message=1; return(1); } param=p=(unsigned char *)s->init_msg; - if (s->session->sess_cert != NULL) { #ifndef OPENSSL_NO_RSA @@ -1034,6 +1130,51 @@ static int ssl3_get_key_exchange(SSL *s) alg=s->s3->tmp.new_cipher->algorithms; EVP_MD_CTX_init(&md_ctx); +#ifndef OPENSSL_NO_PSK + if (alg & SSL_kPSK) + { + char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; + + al=SSL_AD_HANDSHAKE_FAILURE; + n2s(p,i); + param_len=i+2; + /* Store PSK identity hint for later use, hint is used + * in ssl3_send_client_key_exchange. Assume that the + * maximum length of a PSK identity hint can be as + * long as the maximum length of a PSK identity. */ + if (i > PSK_MAX_IDENTITY_LEN) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto f_err; + } + if (param_len > n) + { + al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, + SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); + goto f_err; + } + /* If received PSK identity hint contains NULL + * characters, the hint is truncated from the first + * NULL. p may not be ending with NULL, so create a + * NULL-terminated string. */ + memcpy(tmp_id_hint, p, i); + memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); + if (s->ctx->psk_identity_hint != NULL) + OPENSSL_free(s->ctx->psk_identity_hint); + s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); + if (s->ctx->psk_identity_hint == NULL) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + goto f_err; + } + + p+=i; + n-=param_len; + } + else +#endif /* !OPENSSL_NO_PSK */ #ifndef OPENSSL_NO_RSA if (alg & SSL_kRSA) { @@ -1169,6 +1310,9 @@ static int ssl3_get_key_exchange(SSL *s) #ifndef OPENSSL_NO_ECDH else if (alg & SSL_kECDHE) { + EC_GROUP *ngroup; + const EC_GROUP *group; + if ((ecdh=EC_KEY_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); @@ -1182,36 +1326,45 @@ static int ssl3_get_key_exchange(SSL *s) */ /* XXX: For now we only support named (not generic) curves - * and the ECParameters in this case is just two bytes. + * and the ECParameters in this case is just three bytes. */ - param_len=2; + param_len=3; if ((param_len > n) || (*p != NAMED_CURVE_TYPE) || - ((curve_nid = curve_id2nid(*(p + 1))) == 0)) + ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) { al=SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); goto f_err; } - if (!(ecdh->group=EC_GROUP_new_by_nid(curve_nid))) + ngroup = EC_GROUP_new_by_curve_name(curve_nid); + if (ngroup == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); goto err; } + if (EC_KEY_set_group(ecdh, ngroup) == 0) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); + goto err; + } + EC_GROUP_free(ngroup); + + group = EC_KEY_get0_group(ecdh); if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && - (EC_GROUP_get_degree(ecdh->group) > 163)) + (EC_GROUP_get_degree(group) > 163)) { al=SSL_AD_EXPORT_RESTRICTION; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); goto f_err; } - p+=2; + p+=3; /* Next, get the encoded ECPoint */ - if (((srvr_ecpoint = EC_POINT_new(ecdh->group)) == NULL) || + if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || ((bn_ctx = BN_CTX_new()) == NULL)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); @@ -1222,7 +1375,7 @@ static int ssl3_get_key_exchange(SSL *s) p+=1; param_len += (1 + encoded_pt_len); if ((param_len > n) || - (EC_POINT_oct2point(ecdh->group, srvr_ecpoint, + (EC_POINT_oct2point(group, srvr_ecpoint, p, encoded_pt_len, bn_ctx) == 0)) { al=SSL_AD_DECODE_ERROR; @@ -1247,10 +1400,11 @@ static int ssl3_get_key_exchange(SSL *s) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); #endif /* else anonymous ECDH, so no certificate or pkey. */ - ecdh->pub_key = srvr_ecpoint; + EC_KEY_set_public_key(ecdh, srvr_ecpoint); s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } else if (alg & SSL_kECDH) @@ -1364,12 +1518,13 @@ static int ssl3_get_key_exchange(SSL *s) } else { - /* still data left over */ - if (!(alg & SSL_aNULL)) + if (!(alg & SSL_aNULL) && !(alg & SSL_kPSK)) + /* aNULL or kPSK do not need public keys */ { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } + /* still data left over */ if (n != 0) { al=SSL_AD_DECODE_ERROR; @@ -1402,16 +1557,17 @@ err: return(-1); } -static int ssl3_get_certificate_request(SSL *s) +int ssl3_get_certificate_request(SSL *s) { int ok,ret=0; unsigned long n,nc,l; unsigned int llen,ctype_num,i; X509_NAME *xn=NULL; - unsigned char *p,*d,*q; + const unsigned char *p,*q; + unsigned char *d; STACK_OF(X509_NAME) *ca_sk=NULL; - n=ssl3_get_message(s, + n=s->method->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A, SSL3_ST_CR_CERT_REQ_B, -1, @@ -1447,7 +1603,7 @@ static int ssl3_get_certificate_request(SSL *s) } } - d=p=(unsigned char *)s->init_msg; + p=d=(unsigned char *)s->init_msg; if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) { @@ -1549,12 +1705,12 @@ static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) return(X509_NAME_cmp(*a,*b)); } -static int ssl3_get_server_done(SSL *s) +int ssl3_get_server_done(SSL *s) { int ok,ret=0; long n; - n=ssl3_get_message(s, + n=s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A, SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, @@ -1574,19 +1730,7 @@ static int ssl3_get_server_done(SSL *s) } -static const int KDF1_SHA1_len = 20; -static void *KDF1_SHA1(void *in, size_t inlen, void *out, size_t outlen) - { -#ifndef OPENSSL_NO_SHA - if (outlen != SHA_DIGEST_LENGTH) - return NULL; - return SHA1(in, inlen, out); -#else - return NULL; -#endif - } - -static int ssl3_send_client_key_exchange(SSL *s) +int ssl3_send_client_key_exchange(SSL *s) { unsigned char *p,*d; int n; @@ -1600,7 +1744,7 @@ static int ssl3_send_client_key_exchange(SSL *s) #endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_ECDH EC_KEY *clnt_ecdh = NULL; - EC_POINT *srvr_ecpoint = NULL; + const EC_POINT *srvr_ecpoint = NULL; EVP_PKEY *srvr_pub_pkey = NULL; unsigned char *encodedPoint = NULL; int encoded_pt_len = 0; @@ -1867,7 +2011,8 @@ static int ssl3_send_client_key_exchange(SSL *s) #ifndef OPENSSL_NO_ECDH else if ((l & SSL_kECDH) || (l & SSL_kECDHE)) { - EC_GROUP *srvr_group = NULL; + const EC_GROUP *srvr_group = NULL; + EC_KEY *tkey; int ecdh_clnt_cert = 0; int field_size = 0; @@ -1901,10 +2046,7 @@ static int ssl3_send_client_key_exchange(SSL *s) if (s->session->sess_cert->peer_ecdh_tmp != NULL) { - srvr_group = s->session->sess_cert-> \ - peer_ecdh_tmp->group; - srvr_ecpoint = s->session->sess_cert-> \ - peer_ecdh_tmp->pub_key; + tkey = s->session->sess_cert->peer_ecdh_tmp; } else { @@ -1913,18 +2055,19 @@ static int ssl3_send_client_key_exchange(SSL *s) sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); if ((srvr_pub_pkey == NULL) || (srvr_pub_pkey->type != EVP_PKEY_EC) || - (srvr_pub_pkey->pkey.eckey == NULL)) + (srvr_pub_pkey->pkey.ec == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } - srvr_group = srvr_pub_pkey->pkey.eckey->group; - srvr_ecpoint = - srvr_pub_pkey->pkey.eckey->pub_key; + tkey = srvr_pub_pkey->pkey.ec; } + srvr_group = EC_KEY_get0_group(tkey); + srvr_ecpoint = EC_KEY_get0_public_key(tkey); + if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, @@ -1938,15 +2081,30 @@ static int ssl3_send_client_key_exchange(SSL *s) goto err; } - clnt_ecdh->group = srvr_group; + if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); + goto err; + } if (ecdh_clnt_cert) { /* Reuse key info from our certificate * We only need our private key to perform * the ECDH computation. */ - clnt_ecdh->priv_key = BN_dup(s->cert->key-> \ - privatekey->pkey.eckey->priv_key); + const BIGNUM *priv_key; + tkey = s->cert->key->privatekey->pkey.ec; + priv_key = EC_KEY_get0_private_key(tkey); + if (priv_key == NULL) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); + goto err; + } } else { @@ -1962,21 +2120,14 @@ static int ssl3_send_client_key_exchange(SSL *s) * make sure to clear it out afterwards */ - field_size = EC_GROUP_get_degree(clnt_ecdh->group); + field_size = EC_GROUP_get_degree(srvr_group); if (field_size <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); goto err; } - /* If field size is not more than 24 octets, then use SHA-1 hash of result; - * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt; - * this is new with this version of the Internet Draft). - */ - if (field_size <= 24 * 8) - n=ECDH_compute_key(p, KDF1_SHA1_len, srvr_ecpoint, clnt_ecdh, KDF1_SHA1); - else - n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); + n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); if (n <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, @@ -2003,8 +2154,8 @@ static int ssl3_send_client_key_exchange(SSL *s) * allocate memory accordingly. */ encoded_pt_len = - EC_POINT_point2oct(clnt_ecdh->group, - clnt_ecdh->pub_key, + EC_POINT_point2oct(srvr_group, + EC_KEY_get0_public_key(clnt_ecdh), POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); @@ -2020,8 +2171,8 @@ static int ssl3_send_client_key_exchange(SSL *s) } /* Encode the public key */ - n = EC_POINT_point2oct(clnt_ecdh->group, - clnt_ecdh->pub_key, + n = EC_POINT_point2oct(srvr_group, + EC_KEY_get0_public_key(clnt_ecdh), POINT_CONVERSION_UNCOMPRESSED, encodedPoint, encoded_pt_len, bn_ctx); @@ -2038,14 +2189,92 @@ static int ssl3_send_client_key_exchange(SSL *s) BN_CTX_free(bn_ctx); if (encodedPoint != NULL) OPENSSL_free(encodedPoint); if (clnt_ecdh != NULL) - { - /* group is shared */ - clnt_ecdh->group = NULL; EC_KEY_free(clnt_ecdh); - } EVP_PKEY_free(srvr_pub_pkey); } #endif /* !OPENSSL_NO_ECDH */ +#ifndef OPENSSL_NO_PSK + else if (l & SSL_kPSK) + { + char identity[PSK_MAX_IDENTITY_LEN]; + unsigned char *t = NULL; + unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; + unsigned int pre_ms_len = 0, psk_len = 0; + int psk_err = 1; + + n = 0; + if (s->psk_client_callback == NULL) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + SSL_R_PSK_NO_CLIENT_CB); + goto err; + } + + psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, + identity, PSK_MAX_IDENTITY_LEN, + psk_or_pre_ms, sizeof(psk_or_pre_ms)); + if (psk_len > PSK_MAX_PSK_LEN) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto psk_err; + } + else if (psk_len == 0) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + SSL_R_PSK_IDENTITY_NOT_FOUND); + goto psk_err; + } + + /* create PSK pre_master_secret */ + pre_ms_len = 2+psk_len+2+psk_len; + t = psk_or_pre_ms; + memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); + s2n(psk_len, t); + memset(t, 0, psk_len); + t+=psk_len; + s2n(psk_len, t); + + if (s->session->psk_identity_hint != NULL) + OPENSSL_free(s->session->psk_identity_hint); + s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); + if (s->ctx->psk_identity_hint != NULL && + s->session->psk_identity_hint == NULL) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + ERR_R_MALLOC_FAILURE); + goto psk_err; + } + + if (s->session->psk_identity != NULL) + OPENSSL_free(s->session->psk_identity); + s->session->psk_identity = BUF_strdup(identity); + if (s->session->psk_identity == NULL) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + ERR_R_MALLOC_FAILURE); + goto psk_err; + } + + s->session->master_key_length = + s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, + psk_or_pre_ms, pre_ms_len); + n = strlen(identity); + s2n(n, p); + memcpy(p, identity, n); + n+=2; + psk_err = 0; + psk_err: + OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); + OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); + if (psk_err != 0) + { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + goto err; + } + } +#endif else { ssl3_send_alert(s, SSL3_AL_FATAL, @@ -2071,17 +2300,13 @@ err: BN_CTX_free(bn_ctx); if (encodedPoint != NULL) OPENSSL_free(encodedPoint); if (clnt_ecdh != NULL) - { - /* group is shared */ - clnt_ecdh->group = NULL; EC_KEY_free(clnt_ecdh); - } EVP_PKEY_free(srvr_pub_pkey); #endif return(-1); } -static int ssl3_send_client_verify(SSL *s) +int ssl3_send_client_verify(SSL *s) { unsigned char *p,*d; unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; @@ -2090,7 +2315,7 @@ static int ssl3_send_client_verify(SSL *s) unsigned u=0; #endif unsigned long n; -#ifndef OPENSSL_NO_DSA +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) int j; #endif @@ -2142,7 +2367,7 @@ static int ssl3_send_client_verify(SSL *s) if (!ECDSA_sign(pkey->save_type, &(data[MD5_DIGEST_LENGTH]), SHA_DIGEST_LENGTH,&(p[2]), - (unsigned int *)&j,pkey->pkey.eckey)) + (unsigned int *)&j,pkey->pkey.ec)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_ECDSA_LIB); @@ -2169,7 +2394,7 @@ err: return(-1); } -static int ssl3_send_client_certificate(SSL *s) +int ssl3_send_client_certificate(SSL *s) { X509 *x509=NULL; EVP_PKEY *pkey=NULL; @@ -2248,7 +2473,7 @@ static int ssl3_send_client_certificate(SSL *s) #define has_bits(i,m) (((i)&(m)) == (m)) -static int ssl3_check_cert_and_algorithm(SSL *s) +int ssl3_check_cert_and_algorithm(SSL *s) { int i,idx; long algs; @@ -2262,7 +2487,6 @@ static int ssl3_check_cert_and_algorithm(SSL *s) #endif sc=s->session->sess_cert; - if (sc == NULL) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); @@ -2272,7 +2496,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) algs=s->s3->tmp.new_cipher->algorithms; /* we don't have a certificate */ - if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) + if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5|SSL_kPSK)) return(1); #ifndef OPENSSL_NO_RSA @@ -2384,46 +2608,3 @@ f_err: err: return(0); } - - -#ifndef OPENSSL_NO_ECDH -/* This is the complement of nid2curve_id in s3_srvr.c. */ -static int curve_id2nid(int curve_id) -{ - /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) - * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ - static int nid_list[26] = - { - 0, - NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_sect571r1, /* sect571r1 (14) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ - NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_secp521r1 /* secp521r1 (25) */ - }; - - if ((curve_id < 1) || (curve_id > 25)) return 0; - - return nid_list[curve_id]; -} -#endif