121
121
* Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
124
/* ====================================================================
125
* Copyright 2005 Nokia. All rights reserved.
127
* The portions of the attached software ("Contribution") is developed by
128
* Nokia Corporation and is licensed pursuant to the OpenSSL open source
131
* The Contribution, originally written by Mika Kousa and Pasi Eronen of
132
* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133
* support (see RFC 4279) to OpenSSL.
135
* No patent licenses or other rights except those expressly stated in
136
* the OpenSSL open source license shall be deemed granted or received
137
* expressly, by implication, estoppel, or otherwise.
139
* No assurances are provided by Nokia that the Contribution does not
140
* infringe the patent or other intellectual property rights of any third
141
* party or that the license provides you with all the necessary rights
142
* to make use of the Contribution.
144
* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145
* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146
* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
125
151
#define REUSE_CIPHER_BUG
126
152
#define NETSCAPE_HANG_BUG
370
396
/* only send if a DH key exchange, fortezza or
371
397
* RSA but we have a sign only certificate
399
* PSK: may send PSK identity hints
373
401
* For ECC ciphersuites, we send a serverKeyExchange
374
402
* message only if the cipher suite is either
375
403
* ECDH-anon or ECDHE. In other cases, the
376
* server certificate contains the server's
404
* server certificate contains the server's
377
405
* public key for key exchange.
379
407
if (s->s3->tmp.use_rsa_tmp
381
|| (l & (SSL_DH|SSL_kFZA))
408
/* PSK: send ServerKeyExchange if PSK identity
409
* hint if provided */
410
#ifndef OPENSSL_NO_PSK
411
|| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
413
|| (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
414
|| (alg_k & SSL_kEECDH)
415
|| ((alg_k & SSL_kRSA)
383
416
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
384
417
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
385
418
&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
498
534
* the client sends its ECDH pub key in
499
535
* a certificate, the CertificateVerify
500
536
* message is not sent.
537
* Also for GOST ciphersuites when
538
* the client uses its key from the certificate
502
541
s->state=SSL3_ST_SR_FINISHED_A;
507
549
s->state=SSL3_ST_SR_CERT_VRFY_A;
510
552
/* We need to get hashes here so if there is
511
553
* a client cert, it can be verified
513
s->method->ssl3_enc->cert_verify_mac(s,
514
&(s->s3->finish_dgst1),
515
&(s->s3->tmp.cert_verify_md[0]));
516
s->method->ssl3_enc->cert_verify_mac(s,
517
&(s->s3->finish_dgst2),
518
&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
554
* FIXME - digest processing for CertificateVerify
555
* should be generalized. But it is next step
557
if (s->s3->handshake_buffer)
558
if (!ssl3_digest_cached_records(s))
560
for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
561
if (s->s3->handshake_dgst[dgst_num])
565
s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
566
dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
995
1053
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1057
/* Check if we want to use external pre-shared secret for this
1058
* handshake for not reused session only. We need to generate
1059
* server_random before calling tls_session_secret_cb in order to allow
1060
* SessionTicket processing to use it in key derivation. */
1064
Time=(unsigned long)time(NULL); /* Time */
1065
pos=s->s3->server_random;
1067
if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
1069
al=SSL_AD_INTERNAL_ERROR;
1074
if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
1076
SSL_CIPHER *pref_cipher=NULL;
1078
s->session->master_key_length=sizeof(s->session->master_key);
1079
if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
1080
ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
1083
s->session->ciphers=ciphers;
1084
s->session->verify_result=X509_V_OK;
1088
/* check if some cipher was preferred by call back */
1089
pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1090
if (pref_cipher == NULL)
1092
al=SSL_AD_HANDSHAKE_FAILURE;
1093
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1097
s->session->cipher=pref_cipher;
1100
sk_SSL_CIPHER_free(s->cipher_list);
1102
if (s->cipher_list_by_id)
1103
sk_SSL_CIPHER_free(s->cipher_list_by_id);
1105
s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1106
s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
999
1111
/* Worst case, we will use the NULL compression, but if we have other
1000
1112
* options, we will now look for them. We have i-1 compression
1001
1113
* algorithms from the client, starting at q. */
1002
1114
s->s3->tmp.new_compression=NULL;
1003
1115
#ifndef OPENSSL_NO_COMP
1004
if (s->ctx->comp_methods != NULL)
1116
/* This only happens if we have a cache hit */
1117
if (s->session->compress_meth != 0)
1119
int m, comp_id = s->session->compress_meth;
1120
/* Perform sanity checks on resumed compression algorithm */
1121
/* Can't disable compression */
1122
if (s->options & SSL_OP_NO_COMPRESSION)
1124
al=SSL_AD_INTERNAL_ERROR;
1125
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1128
/* Look for resumed compression method */
1129
for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
1131
comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
1132
if (comp_id == comp->id)
1134
s->s3->tmp.new_compression=comp;
1138
if (s->s3->tmp.new_compression == NULL)
1140
al=SSL_AD_INTERNAL_ERROR;
1141
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
1144
/* Look for resumed method in compression list */
1145
for (m = 0; m < i; m++)
1147
if (q[m] == comp_id)
1152
al=SSL_AD_ILLEGAL_PARAMETER;
1153
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1159
else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
1005
1160
{ /* See if we have a match */
1006
1161
int m,nn,o,v,done=0;
2037
if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2215
if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2038
2216
&kssl_err)) != 0)
2040
2218
#ifdef KSSL_DEBUG
2041
printf("kssl_sget_tkt rtn %d [%d]\n",
2042
krb5rc, kssl_err.reason);
2044
printf("kssl_err text= %s\n", kssl_err.text);
2219
printf("kssl_sget_tkt rtn %d [%d]\n",
2220
krb5rc, kssl_err.reason);
2222
printf("kssl_err text= %s\n", kssl_err.text);
2045
2223
#endif /* KSSL_DEBUG */
2046
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2224
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2051
2229
/* Note: no authenticator is not considered an error,
2052
2230
** but will return authtime == 0.
2055
2233
&authtime, &kssl_err)) != 0)
2057
2235
#ifdef KSSL_DEBUG
2058
printf("kssl_check_authent rtn %d [%d]\n",
2059
krb5rc, kssl_err.reason);
2061
printf("kssl_err text= %s\n", kssl_err.text);
2236
printf("kssl_check_authent rtn %d [%d]\n",
2237
krb5rc, kssl_err.reason);
2239
printf("kssl_err text= %s\n", kssl_err.text);
2062
2240
#endif /* KSSL_DEBUG */
2063
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2241
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2068
2246
if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
2070
2248
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2074
2252
#ifdef KSSL_DEBUG
2075
kssl_ctx_show(kssl_ctx);
2253
kssl_ctx_show(kssl_ctx);
2076
2254
#endif /* KSSL_DEBUG */
2078
2256
enc = kssl_map_enc(kssl_ctx->enctype);
2082
2260
memset(iv, 0, sizeof iv); /* per RFC 1510 */
2134
2312
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2136
s->session->master_key_length=
2137
s->method->ssl3_enc->generate_master_secret(s,
2138
s->session->master_key, pms, outl);
2140
if (kssl_ctx->client_princ)
2142
size_t len = strlen(kssl_ctx->client_princ);
2143
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
2145
s->session->krb5_client_princ_len = len;
2146
memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
2151
/* Was doing kssl_ctx_free() here,
2314
s->session->master_key_length=
2315
s->method->ssl3_enc->generate_master_secret(s,
2316
s->session->master_key, pms, outl);
2318
if (kssl_ctx->client_princ)
2320
size_t len = strlen(kssl_ctx->client_princ);
2321
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
2323
s->session->krb5_client_princ_len = len;
2324
memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
2329
/* Was doing kssl_ctx_free() here,
2152
2330
** but it caused problems for apache.
2153
** kssl_ctx = kssl_ctx_free(kssl_ctx);
2154
** if (s->kssl_ctx) s->kssl_ctx = NULL;
2331
** kssl_ctx = kssl_ctx_free(kssl_ctx);
2332
** if (s->kssl_ctx) s->kssl_ctx = NULL;
2158
2336
#endif /* OPENSSL_NO_KRB5 */
2160
2338
#ifndef OPENSSL_NO_ECDH
2161
if ((l & SSL_kECDH) || (l & SSL_kECDHE))
2339
if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2164
2342
int field_size = 0;
2286
2464
i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2289
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2467
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2290
2468
ERR_R_ECDH_LIB);
2294
2472
EVP_PKEY_free(clnt_pub_pkey);
2295
2473
EC_POINT_free(clnt_ecpoint);
2296
if (srvr_ecdh != NULL)
2297
EC_KEY_free(srvr_ecdh);
2474
EC_KEY_free(srvr_ecdh);
2298
2475
BN_CTX_free(bn_ctx);
2476
EC_KEY_free(s->s3->tmp.ecdh);
2477
s->s3->tmp.ecdh = NULL;
2300
2479
/* Compute the master secret */
2301
s->session->master_key_length = s->method->ssl3_enc-> \
2480
s->session->master_key_length = s->method->ssl3_enc-> \
2302
2481
generate_master_secret(s, s->session->master_key, p, i);
2304
OPENSSL_cleanse(p, i);
2483
OPENSSL_cleanse(p, i);
2488
#ifndef OPENSSL_NO_PSK
2489
if (alg_k & SSL_kPSK)
2491
unsigned char *t = NULL;
2492
unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
2493
unsigned int pre_ms_len = 0, psk_len = 0;
2495
char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2497
al=SSL_AD_HANDSHAKE_FAILURE;
2502
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2503
SSL_R_LENGTH_MISMATCH);
2506
if (i > PSK_MAX_IDENTITY_LEN)
2508
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2509
SSL_R_DATA_LENGTH_TOO_LONG);
2512
if (s->psk_server_callback == NULL)
2514
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2515
SSL_R_PSK_NO_SERVER_CB);
2519
/* Create guaranteed NULL-terminated identity
2520
* string for the callback */
2521
memcpy(tmp_id, p, i);
2522
memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
2523
psk_len = s->psk_server_callback(s, tmp_id,
2524
psk_or_pre_ms, sizeof(psk_or_pre_ms));
2525
OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1);
2527
if (psk_len > PSK_MAX_PSK_LEN)
2529
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2530
ERR_R_INTERNAL_ERROR);
2533
else if (psk_len == 0)
2535
/* PSK related to the given identity not found */
2536
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2537
SSL_R_PSK_IDENTITY_NOT_FOUND);
2538
al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2542
/* create PSK pre_master_secret */
2543
pre_ms_len=2+psk_len+2+psk_len;
2545
memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
2547
memset(t, 0, psk_len);
2551
if (s->session->psk_identity != NULL)
2552
OPENSSL_free(s->session->psk_identity);
2553
s->session->psk_identity = BUF_strdup((char *)p);
2554
if (s->session->psk_identity == NULL)
2556
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2557
ERR_R_MALLOC_FAILURE);
2561
if (s->session->psk_identity_hint != NULL)
2562
OPENSSL_free(s->session->psk_identity_hint);
2563
s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2564
if (s->ctx->psk_identity_hint != NULL &&
2565
s->session->psk_identity_hint == NULL)
2567
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2568
ERR_R_MALLOC_FAILURE);
2572
s->session->master_key_length=
2573
s->method->ssl3_enc->generate_master_secret(s,
2574
s->session->master_key, psk_or_pre_ms, pre_ms_len);
2577
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2583
if (alg_k & SSL_kGOST)
2586
EVP_PKEY_CTX *pkey_ctx;
2587
EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2588
unsigned char premaster_secret[32], *start;
2589
size_t outlen=32, inlen;
2590
unsigned long alg_a;
2592
/* Get our certificate private key*/
2593
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2594
if (alg_a & SSL_aGOST94)
2595
pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
2596
else if (alg_a & SSL_aGOST01)
2597
pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2599
pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
2600
EVP_PKEY_decrypt_init(pkey_ctx);
2601
/* If client certificate is present and is of the same type, maybe
2602
* use it for key exchange. Don't mind errors from
2603
* EVP_PKEY_derive_set_peer, because it is completely valid to use
2604
* a client certificate for authorization only. */
2605
client_pub_pkey = X509_get_pubkey(s->session->peer);
2606
if (client_pub_pkey)
2608
if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2611
/* Decrypt session key */
2612
if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED)))
2614
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2622
else if (p[1] < 0x80)
2629
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2632
if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0)
2635
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
2638
/* Generate master secret */
2639
s->session->master_key_length=
2640
s->method->ssl3_enc->generate_master_secret(s,
2641
s->session->master_key,premaster_secret,32);
2642
/* Check if pubkey from client certificate was used */
2643
if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2648
EVP_PKEY_free(client_pub_pkey);
2649
EVP_PKEY_CTX_free(pkey_ctx);
2310
2657
al=SSL_AD_HANDSHAKE_FAILURE;
2311
2658
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2667
3047
/* SSL3_ST_SW_CERT_B */
2668
3048
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2672
#ifndef OPENSSL_NO_ECDH
2673
/* This is the complement of curve_id2nid in s3_clnt.c. */
2674
static int nid2curve_id(int nid)
2676
/* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2677
* (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2679
case NID_sect163k1: /* sect163k1 (1) */
2681
case NID_sect163r1: /* sect163r1 (2) */
2683
case NID_sect163r2: /* sect163r2 (3) */
2685
case NID_sect193r1: /* sect193r1 (4) */
2687
case NID_sect193r2: /* sect193r2 (5) */
2689
case NID_sect233k1: /* sect233k1 (6) */
2691
case NID_sect233r1: /* sect233r1 (7) */
2693
case NID_sect239k1: /* sect239k1 (8) */
2695
case NID_sect283k1: /* sect283k1 (9) */
2697
case NID_sect283r1: /* sect283r1 (10) */
2699
case NID_sect409k1: /* sect409k1 (11) */
2701
case NID_sect409r1: /* sect409r1 (12) */
2703
case NID_sect571k1: /* sect571k1 (13) */
2705
case NID_sect571r1: /* sect571r1 (14) */
2707
case NID_secp160k1: /* secp160k1 (15) */
2709
case NID_secp160r1: /* secp160r1 (16) */
2711
case NID_secp160r2: /* secp160r2 (17) */
2713
case NID_secp192k1: /* secp192k1 (18) */
2715
case NID_X9_62_prime192v1: /* secp192r1 (19) */
2717
case NID_secp224k1: /* secp224k1 (20) */
2719
case NID_secp224r1: /* secp224r1 (21) */
2721
case NID_secp256k1: /* secp256k1 (22) */
2723
case NID_X9_62_prime256v1: /* secp256r1 (23) */
2725
case NID_secp384r1: /* secp384r1 (24) */
2727
case NID_secp521r1: /* secp521r1 (25) */
2734
3050
#ifndef OPENSSL_NO_TLSEXT
2735
3051
int ssl3_send_newsession_ticket(SSL *s)