X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fs3_srvr.c;h=0d90198a8fd6a7d53f15a082065a1c8beeb470a9;hb=6434abbfc6ac0d5cb882844ed10fef5821039cf6;hp=121cdfb6f232f39a7123ad63acc092a784b632ba;hpb=07ef612968bfd5be09d27b7ff7268beaa58a762f;p=oweals%2Fopenssl.git diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 121cdfb6f2..0d90198a8f 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* ssl/s3_srvr.c */ +/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -158,6 +158,7 @@ #include #include #include +#include #include #ifndef OPENSSL_NO_DH #include @@ -170,10 +171,6 @@ static const SSL_METHOD *ssl3_get_server_method(int ver); -#ifndef OPENSSL_NO_ECDH -static int nid2curve_id(int nid); -#endif - static const SSL_METHOD *ssl3_get_server_method(int ver) { if (ver == SSL3_VERSION) @@ -190,7 +187,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_server_method, int ssl3_accept(SSL *s) { BUF_MEM *buf; - unsigned long l,Time=(unsigned long)time(NULL); + unsigned long alg_k,Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; long num1; int ret= -1; @@ -327,10 +324,11 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: - /* Check if it is anon DH or anon ECDH */ - /* or normal PSK */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) - && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) + /* Check if it is anon DH or anon ECDH, */ + /* normal PSK or KRB5 */ + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) + && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) { ret=ssl3_send_server_certificate(s); if (ret <= 0) goto end; @@ -343,13 +341,13 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_B: - l=s->s3->tmp.new_cipher->algorithms; + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; /* clear this, it may get reset by * send_server_key_exchange */ if ((s->options & SSL_OP_EPHEMERAL_RSA) #ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) + && !(alg_k & SSL_kKRB5) #endif /* OPENSSL_NO_KRB5 */ ) /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key @@ -369,18 +367,18 @@ int ssl3_accept(SSL *s) * For ECC ciphersuites, we send a serverKeyExchange * message only if the cipher suite is either * ECDH-anon or ECDHE. In other cases, the - * server certificate contains the server's + * server certificate contains the server's * public key for key exchange. */ if (s->s3->tmp.use_rsa_tmp /* PSK: send ServerKeyExchange if PSK identity * hint if provided */ #ifndef OPENSSL_NO_PSK - || ((l & SSL_kPSK) && s->ctx->psk_identity_hint) + || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) #endif - || (l & SSL_kECDHE) - || (l & (SSL_DH|SSL_kFZA)) - || ((l & SSL_kRSA) + || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) + || (alg_k & SSL_kEECDH) + || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) @@ -410,15 +408,15 @@ int ssl3_accept(SSL *s) /* never request cert in anonymous ciphersuites * (see section "Certificate request" in SSL 3 drafts * and in RFC 2246): */ - ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && + ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && /* ... except when the application insists on verification * (against the specs, but s3_clnt.c accepts this for SSL 3) */ !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || - /* never request cert in Kerberos ciphersuites */ - (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) + /* never request cert in Kerberos ciphersuites */ + (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) /* With normal PSK Certificates and * Certificate Requests are omitted */ - || (s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) + || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { /* no cert request */ skip=1; @@ -485,7 +483,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_KEY_EXCH_A: case SSL3_ST_SR_KEY_EXCH_B: ret=ssl3_get_client_key_exchange(s); - if (ret <= 0) + if (ret <= 0) goto end; if (ret == 2) { @@ -497,14 +495,14 @@ int ssl3_accept(SSL *s) s->state=SSL3_ST_SR_FINISHED_A; s->init_num = 0; } - else + else { s->state=SSL3_ST_SR_CERT_VRFY_A; s->init_num=0; /* We need to get hashes here so if there is * a client cert, it can be verified - */ + */ s->method->ssl3_enc->cert_verify_mac(s, &(s->s3->finish_dgst1), &(s->s3->tmp.cert_verify_md[0])); @@ -532,11 +530,26 @@ int ssl3_accept(SSL *s) if (ret <= 0) goto end; if (s->hit) s->state=SSL_ST_OK; +#ifndef OPENSSL_NO_TLSEXT + else if (s->tlsext_ticket_expected) + s->state=SSL3_ST_SW_SESSION_TICKET_A; +#endif else s->state=SSL3_ST_SW_CHANGE_A; s->init_num=0; break; +#ifndef OPENSSL_NO_TLSEXT + case SSL3_ST_SW_SESSION_TICKET_A: + case SSL3_ST_SW_SESSION_TICKET_B: + ret=ssl3_send_newsession_ticket(s); + if (ret <= 0) goto end; + s->state=SSL3_ST_SW_CHANGE_A; + s->init_num=0; + break; + +#endif + case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: @@ -718,9 +731,9 @@ int ssl3_get_client_hello(SSL *s) */ if (s->state == SSL3_ST_SR_CLNT_HELLO_A) { - s->first_packet=1; s->state=SSL3_ST_SR_CLNT_HELLO_B; } + s->first_packet=1; n=s->method->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, @@ -729,6 +742,7 @@ int ssl3_get_client_hello(SSL *s) &ok); if (!ok) return((int)n); + s->first_packet=0; d=p=(unsigned char *)s->init_msg; /* use version from inside client hello, not from record header @@ -739,7 +753,7 @@ int ssl3_get_client_hello(SSL *s) if (s->client_version < s->version) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); - if ((s->client_version>>8) == SSL3_VERSION_MAJOR) + if ((s->client_version>>8) == SSL3_VERSION_MAJOR) { /* similar to ssl3_get_record, send alert using remote version number */ s->version = s->client_version; @@ -764,14 +778,14 @@ int ssl3_get_client_hello(SSL *s) * might be written that become totally unsecure when compiled with * an earlier library version) */ - if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) + if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s,1)) goto err; } else { - i=ssl_get_prev_session(s,p,j); + i=ssl_get_prev_session(s, p, j, d + n); if (i == 1) { /* previous session */ s->hit=1; @@ -946,7 +960,7 @@ int ssl3_get_client_hello(SSL *s) } } if (ssl_check_clienthello_tlsext(s) <= 0) { - SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } #endif @@ -1027,7 +1041,7 @@ int ssl3_get_client_hello(SSL *s) for (i=0; ialgorithms & SSL_eNULL) + if (c->algorithm_enc & SSL_eNULL) nc=c; if (SSL_C_IS_EXPORT(c)) ec=c; @@ -1211,7 +1225,7 @@ int ssl3_send_server_key_exchange(SSL *s) EVP_MD_CTX_init(&md_ctx); if (s->state == SSL3_ST_SW_KEY_EXCH_A) { - type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; + type=s->s3->tmp.new_cipher->algorithm_mkey; cert=s->cert; buf=s->init_buf; @@ -1306,7 +1320,7 @@ int ssl3_send_server_key_exchange(SSL *s) else #endif #ifndef OPENSSL_NO_ECDH - if (type & SSL_kECDHE) + if (type & SSL_kEECDH) { const EC_GROUP *group; @@ -1376,7 +1390,7 @@ int ssl3_send_server_key_exchange(SSL *s) * supported named curves, curve_id is non-zero. */ if ((curve_id = - nid2curve_id(EC_GROUP_get_curve_name(group))) + tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) == 0) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); @@ -1452,8 +1466,8 @@ int ssl3_send_server_key_exchange(SSL *s) n+=2+nr[i]; } - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) - && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) == NULL) @@ -1485,7 +1499,7 @@ int ssl3_send_server_key_exchange(SSL *s) } #ifndef OPENSSL_NO_ECDH - if (type & SSL_kECDHE) + if (type & SSL_kEECDH) { /* XXX: For now, we only support named (not generic) curves. * In this situation, the serverKeyExchange message has: @@ -1714,7 +1728,7 @@ int ssl3_get_client_key_exchange(SSL *s) { int i,al,ok; long n; - unsigned long l; + unsigned long alg_k; unsigned char *p; #ifndef OPENSSL_NO_RSA RSA *rsa=NULL; @@ -1725,7 +1739,7 @@ int ssl3_get_client_key_exchange(SSL *s) DH *dh_srvr; #endif #ifndef OPENSSL_NO_KRB5 - KSSL_ERR kssl_err; + KSSL_ERR kssl_err; #endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_ECDH @@ -1745,10 +1759,10 @@ int ssl3_get_client_key_exchange(SSL *s) if (!ok) return((int)n); p=(unsigned char *)s->init_msg; - l=s->s3->tmp.new_cipher->algorithms; + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; #ifndef OPENSSL_NO_RSA - if (l & SSL_kRSA) + if (alg_k & SSL_kRSA) { /* FIX THIS UP EAY EAY EAY EAY */ if (s->s3->tmp.use_rsa_tmp) @@ -1854,7 +1868,7 @@ int ssl3_get_client_key_exchange(SSL *s) else #endif #ifndef OPENSSL_NO_DH - if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { n2s(p,i); if (n != i+2) @@ -1917,25 +1931,25 @@ int ssl3_get_client_key_exchange(SSL *s) else #endif #ifndef OPENSSL_NO_KRB5 - if (l & SSL_kKRB5) - { - krb5_error_code krb5rc; + if (alg_k & SSL_kKRB5) + { + krb5_error_code krb5rc; krb5_data enc_ticket; krb5_data authenticator; krb5_data enc_pms; - KSSL_CTX *kssl_ctx = s->kssl_ctx; + KSSL_CTX *kssl_ctx = s->kssl_ctx; EVP_CIPHER_CTX ciph_ctx; EVP_CIPHER *enc = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH - + EVP_MAX_BLOCK_LENGTH]; - int padl, outl; + + EVP_MAX_BLOCK_LENGTH]; + int padl, outl; krb5_timestamp authtime = 0; krb5_ticket_times ttimes; EVP_CIPHER_CTX_init(&ciph_ctx); - if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); + if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); n2s(p,i); enc_ticket.length = i; @@ -1986,19 +2000,19 @@ int ssl3_get_client_key_exchange(SSL *s) goto err; } - if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, + if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, &kssl_err)) != 0) - { + { #ifdef KSSL_DEBUG - printf("kssl_sget_tkt rtn %d [%d]\n", - krb5rc, kssl_err.reason); - if (kssl_err.text) - printf("kssl_err text= %s\n", kssl_err.text); + printf("kssl_sget_tkt rtn %d [%d]\n", + krb5rc, kssl_err.reason); + if (kssl_err.text) + printf("kssl_err text= %s\n", kssl_err.text); #endif /* KSSL_DEBUG */ - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - kssl_err.reason); - goto err; - } + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + kssl_err.reason); + goto err; + } /* Note: no authenticator is not considered an error, ** but will return authtime == 0. @@ -2007,29 +2021,29 @@ int ssl3_get_client_key_exchange(SSL *s) &authtime, &kssl_err)) != 0) { #ifdef KSSL_DEBUG - printf("kssl_check_authent rtn %d [%d]\n", - krb5rc, kssl_err.reason); - if (kssl_err.text) - printf("kssl_err text= %s\n", kssl_err.text); + printf("kssl_check_authent rtn %d [%d]\n", + krb5rc, kssl_err.reason); + if (kssl_err.text) + printf("kssl_err text= %s\n", kssl_err.text); #endif /* KSSL_DEBUG */ - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - kssl_err.reason); - goto err; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + kssl_err.reason); + goto err; } if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); - goto err; + goto err; } #ifdef KSSL_DEBUG - kssl_ctx_show(kssl_ctx); + kssl_ctx_show(kssl_ctx); #endif /* KSSL_DEBUG */ enc = kssl_map_enc(kssl_ctx->enctype); - if (enc == NULL) - goto err; + if (enc == NULL) + goto err; memset(iv, 0, sizeof iv); /* per RFC 1510 */ @@ -2065,34 +2079,53 @@ int ssl3_get_client_key_exchange(SSL *s) SSL_R_DATA_LENGTH_TOO_LONG); goto err; } + if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) + { + /* The premaster secret must contain the same version number as the + * ClientHello to detect version rollback attacks (strangely, the + * protocol does not offer such protection for DH ciphersuites). + * However, buggy clients exist that send random bytes instead of + * the protocol version. + * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. + * (Perhaps we should have a separate BUG value for the Kerberos cipher) + */ + if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && + (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_AD_DECODE_ERROR); + goto err; + } + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); - s->session->master_key_length= - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, pms, outl); + s->session->master_key_length= + s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, pms, outl); - if (kssl_ctx->client_princ) - { - int len = strlen(kssl_ctx->client_princ); - if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) - { - s->session->krb5_client_princ_len = len; - memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); - } - } + if (kssl_ctx->client_princ) + { + size_t len = strlen(kssl_ctx->client_princ); + if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) + { + s->session->krb5_client_princ_len = len; + memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); + } + } - /* Was doing kssl_ctx_free() here, + /* Was doing kssl_ctx_free() here, ** but it caused problems for apache. - ** kssl_ctx = kssl_ctx_free(kssl_ctx); - ** if (s->kssl_ctx) s->kssl_ctx = NULL; - */ - } + ** kssl_ctx = kssl_ctx_free(kssl_ctx); + ** if (s->kssl_ctx) s->kssl_ctx = NULL; + */ + } else #endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_ECDH - if ((l & SSL_kECDH) || (l & SSL_kECDHE)) + if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) { int ret = 1; int field_size = 0; @@ -2100,19 +2133,19 @@ int ssl3_get_client_key_exchange(SSL *s) const EC_GROUP *group; const BIGNUM *priv_key; - /* initialize structures for server's ECDH key pair */ + /* initialize structures for server's ECDH key pair */ if ((srvr_ecdh = EC_KEY_new()) == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); - goto err; + goto err; } /* Let's get server private key and group information */ - if (l & SSL_kECDH) + if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { - /* use the certificate */ - tkey = s->cert->key->privatekey->pkey.ec; + /* use the certificate */ + tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; } else { @@ -2141,20 +2174,20 @@ int ssl3_get_client_key_exchange(SSL *s) goto err; } - if (n == 0L) - { + if (n == 0L) + { /* Client Publickey was in Client Certificate */ - if (l & SSL_kECDHE) + if (alg_k & SSL_kEECDH) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); goto f_err; } - if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) + if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) == NULL) || (clnt_pub_pkey->type != EVP_PKEY_EC)) - { + { /* XXX: For now, we do not support client * authentication using ECDH certificates * so this branch (n == 0L) of the code is @@ -2166,11 +2199,11 @@ int ssl3_get_client_key_exchange(SSL *s) * the two ECDH shares are for the same * group. */ - al=SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); - goto f_err; - } + goto f_err; + } if (EC_POINT_copy(clnt_ecpoint, EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) @@ -2179,10 +2212,10 @@ int ssl3_get_client_key_exchange(SSL *s) ERR_R_EC_LIB); goto err; } - ret = 2; /* Skip certificate verify processing */ - } - else - { + ret = 2; /* Skip certificate verify processing */ + } + else + { /* Get client's public key from encoded point * in the ClientKeyExchange message. */ @@ -2193,21 +2226,21 @@ int ssl3_get_client_key_exchange(SSL *s) goto err; } - /* Get encoded point length */ - i = *p; + /* Get encoded point length */ + i = *p; p += 1; - if (EC_POINT_oct2point(group, + if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); goto err; } - /* p is pointing to somewhere in the buffer - * currently, so set it to the start - */ - p=(unsigned char *)s->init_buf->data; - } + /* p is pointing to somewhere in the buffer + * currently, so set it to the start + */ + p=(unsigned char *)s->init_buf->data; + } /* Compute the shared pre-master secret */ field_size = EC_GROUP_get_degree(group); @@ -2218,12 +2251,12 @@ int ssl3_get_client_key_exchange(SSL *s) goto err; } i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); - if (i <= 0) - { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + if (i <= 0) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); - goto err; - } + goto err; + } EVP_PKEY_free(clnt_pub_pkey); EC_POINT_free(clnt_ecpoint); @@ -2232,16 +2265,16 @@ int ssl3_get_client_key_exchange(SSL *s) BN_CTX_free(bn_ctx); /* Compute the master secret */ - s->session->master_key_length = s->method->ssl3_enc-> \ + s->session->master_key_length = s->method->ssl3_enc-> \ generate_master_secret(s, s->session->master_key, p, i); - OPENSSL_cleanse(p, i); - return (ret); + OPENSSL_cleanse(p, i); + return (ret); } else #endif #ifndef OPENSSL_NO_PSK - if (l & SSL_kPSK) + if (alg_k & SSL_kPSK) { unsigned char *t = NULL; unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; @@ -2330,8 +2363,8 @@ int ssl3_get_client_key_exchange(SSL *s) psk_err = 0; psk_err: OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) - goto f_err; + if (psk_err != 0) + goto f_err; } else #endif @@ -2677,14 +2710,15 @@ int ssl3_send_server_certificate(SSL *s) if (s->state == SSL3_ST_SW_CERT_A) { x=ssl_get_server_send_cert(s); - if (x == NULL && - /* VRS: allow null cert if auth == KRB5 */ - (s->s3->tmp.new_cipher->algorithms - & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - != (SSL_aKRB5|SSL_kKRB5)) + if (x == NULL) { - SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); - return(0); + /* VRS: allow null cert if auth == KRB5 */ + if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || + (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) + { + SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); + return(0); + } } l=ssl3_output_cert_chain(s,x); @@ -2696,67 +2730,90 @@ int ssl3_send_server_certificate(SSL *s) /* SSL3_ST_SW_CERT_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } +#ifndef OPENSSLP_NO_TLSEXT +int ssl3_send_newsession_ticket(SSL *s) + { + if (s->state == SSL3_ST_SW_SESSION_TICKET_A) + { + unsigned char *p, *senc, *macstart; + int len, slen; + unsigned int hlen; + EVP_CIPHER_CTX ctx; + HMAC_CTX hctx; + + /* get session encoding length */ + slen = i2d_SSL_SESSION(s->session, NULL); + /* Some length values are 16 bits, so forget it if session is + * too long + */ + if (slen > 0xFF00) + return -1; + /* Grow buffer if need be: the length calculation is as + * follows 1 (size of message name) + 3 (message length + * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + + * 16 (key name) + max_iv_len (iv length) + + * session_length + max_enc_block_size (max encrypted session + * length) + max_md_size (HMAC). + */ + if (!BUF_MEM_grow(s->init_buf, + 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + + EVP_MAX_MD_SIZE + slen)) + return -1; + senc = OPENSSL_malloc(slen); + if (!senc) + return -1; + p = senc; + i2d_SSL_SESSION(s->session, &p); + p=(unsigned char *)s->init_buf->data; + /* do the header */ + *(p++)=SSL3_MT_NEWSESSION_TICKET; + /* Skip message length for now */ + p += 3; + l2n(s->session->tlsext_tick_lifetime_hint, p); + /* Skip ticket length for now */ + p += 2; + /* Output key name */ + macstart = p; + memcpy(p, s->ctx->tlsext_tick_key_name, 16); + p += 16; + /* Generate and output IV */ + RAND_pseudo_bytes(p, 16); + EVP_CIPHER_CTX_init(&ctx); + /* Encrypt session data */ + EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, + s->ctx->tlsext_tick_aes_key, p); + p += 16; + EVP_EncryptUpdate(&ctx, p, &len, senc, slen); + p += len; + EVP_EncryptFinal(&ctx, p, &len); + p += len; + EVP_CIPHER_CTX_cleanup(&ctx); + + HMAC_CTX_init(&hctx); + HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16, + EVP_sha1(), NULL); + HMAC_Update(&hctx, macstart, p - macstart); + HMAC_Final(&hctx, p, &hlen); + HMAC_CTX_cleanup(&hctx); + + p += hlen; + /* Now write out lengths: p points to end of data written */ + /* Total length */ + len = p - (unsigned char *)s->init_buf->data; + p=(unsigned char *)s->init_buf->data + 1; + l2n3(len - 4, p); /* Message length */ + p += 4; + s2n(len - 10, p); /* Ticket length */ -#ifndef OPENSSL_NO_ECDH -/* This is the complement of curve_id2nid in s3_clnt.c. */ -static int nid2curve_id(int nid) -{ - /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) - * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */ - switch (nid) { - case NID_sect163k1: /* sect163k1 (1) */ - return 1; - case NID_sect163r1: /* sect163r1 (2) */ - return 2; - case NID_sect163r2: /* sect163r2 (3) */ - return 3; - case NID_sect193r1: /* sect193r1 (4) */ - return 4; - case NID_sect193r2: /* sect193r2 (5) */ - return 5; - case NID_sect233k1: /* sect233k1 (6) */ - return 6; - case NID_sect233r1: /* sect233r1 (7) */ - return 7; - case NID_sect239k1: /* sect239k1 (8) */ - return 8; - case NID_sect283k1: /* sect283k1 (9) */ - return 9; - case NID_sect283r1: /* sect283r1 (10) */ - return 10; - case NID_sect409k1: /* sect409k1 (11) */ - return 11; - case NID_sect409r1: /* sect409r1 (12) */ - return 12; - case NID_sect571k1: /* sect571k1 (13) */ - return 13; - case NID_sect571r1: /* sect571r1 (14) */ - return 14; - case NID_secp160k1: /* secp160k1 (15) */ - return 15; - case NID_secp160r1: /* secp160r1 (16) */ - return 16; - case NID_secp160r2: /* secp160r2 (17) */ - return 17; - case NID_secp192k1: /* secp192k1 (18) */ - return 18; - case NID_X9_62_prime192v1: /* secp192r1 (19) */ - return 19; - case NID_secp224k1: /* secp224k1 (20) */ - return 20; - case NID_secp224r1: /* secp224r1 (21) */ - return 21; - case NID_secp256k1: /* secp256k1 (22) */ - return 22; - case NID_X9_62_prime256v1: /* secp256r1 (23) */ - return 23; - case NID_secp384r1: /* secp384r1 (24) */ - return 24; - case NID_secp521r1: /* secp521r1 (25) */ - return 25; - default: - return 0; + /* number of bytes to write */ + s->init_num= len; + s->state=SSL3_ST_SW_SESSION_TICKET_B; + s->init_off=0; + OPENSSL_free(senc); + } + + /* SSL3_ST_SW_SESSION_TICKET_B */ + return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } -} #endif