121
121
* Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
124
/* ====================================================================
125
* Copyright 2005 Nokia. All rights reserved.
127
* The portions of the attached software ("Contribution") is developed by
128
* Nokia Corporation and is licensed pursuant to the OpenSSL open source
131
* The Contribution, originally written by Mika Kousa and Pasi Eronen of
132
* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
133
* support (see RFC 4279) to OpenSSL.
135
* No patent licenses or other rights except those expressly stated in
136
* the OpenSSL open source license shall be deemed granted or received
137
* expressly, by implication, estoppel, or otherwise.
139
* No assurances are provided by Nokia that the Contribution does not
140
* infringe the patent or other intellectual property rights of any third
141
* party or that the license provides you with all the necessary rights
142
* to make use of the Contribution.
144
* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
145
* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
146
* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
147
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
125
151
#include <stdio.h>
126
152
#include "ssl_locl.h"
1003
1077
pkey=X509_get_pubkey(x);
1005
1079
/* VRS: allow null cert if auth == KRB5 */
1006
need_cert = ((s->s3->tmp.new_cipher->algorithms
1007
& (SSL_MKEY_MASK|SSL_AUTH_MASK))
1008
== (SSL_aKRB5|SSL_kKRB5))? 0: 1;
1080
need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1081
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1010
1084
#ifdef KSSL_DEBUG
1011
printf("pkey,x = %p, %p\n", (void *)pkey,(void *)x);
1085
printf("pkey,x = %p, %p\n", pkey,x);
1012
1086
printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1013
printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
1014
s->s3->tmp.new_cipher->algorithms, need_cert);
1087
printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1088
s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1015
1089
#endif /* KSSL_DEBUG */
1017
1091
if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1151
alg=s->s3->tmp.new_cipher->algorithms;
1236
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1237
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1152
1238
EVP_MD_CTX_init(&md_ctx);
1240
#ifndef OPENSSL_NO_PSK
1241
if (alg_k & SSL_kPSK)
1243
char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1245
al=SSL_AD_HANDSHAKE_FAILURE;
1248
/* Store PSK identity hint for later use, hint is used
1249
* in ssl3_send_client_key_exchange. Assume that the
1250
* maximum length of a PSK identity hint can be as
1251
* long as the maximum length of a PSK identity. */
1252
if (i > PSK_MAX_IDENTITY_LEN)
1254
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1255
SSL_R_DATA_LENGTH_TOO_LONG);
1260
al=SSL_AD_DECODE_ERROR;
1261
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1262
SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1265
/* If received PSK identity hint contains NULL
1266
* characters, the hint is truncated from the first
1267
* NULL. p may not be ending with NULL, so create a
1268
* NULL-terminated string. */
1269
memcpy(tmp_id_hint, p, i);
1270
memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
1271
if (s->ctx->psk_identity_hint != NULL)
1272
OPENSSL_free(s->ctx->psk_identity_hint);
1273
s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1274
if (s->ctx->psk_identity_hint == NULL)
1276
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1284
#endif /* !OPENSSL_NO_PSK */
1154
1285
#ifndef OPENSSL_NO_RSA
1286
if (alg_k & SSL_kRSA)
1157
1288
if ((rsa=RSA_new()) == NULL)
2339
2461
EVP_PKEY_free(srvr_pub_pkey);
2341
2463
#endif /* !OPENSSL_NO_ECDH */
2464
else if (alg_k & SSL_kGOST)
2466
/* GOST key exchange message creation */
2467
EVP_PKEY_CTX *pkey_ctx;
2470
unsigned int md_len;
2472
unsigned char premaster_secret[32],shared_ukm[32], tmp[256];
2473
EVP_MD_CTX *ukm_hash;
2476
/* Get server sertificate PKEY and create ctx from it */
2477
peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509;
2479
peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509;
2481
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2485
pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL);
2486
/* If we have send a certificate, and certificate key
2488
* parameters match those of server certificate, use
2489
* certificate key for key exchange
2492
/* Otherwise, generate ephemeral key pair */
2494
EVP_PKEY_encrypt_init(pkey_ctx);
2495
/* Generate session key */
2496
RAND_bytes(premaster_secret,32);
2497
/* If we have client certificate, use its secret as peer key */
2498
if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2499
if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) {
2500
/* If there was an error - just ignore it. Ephemeral key
2506
/* Compute shared IV and store it in algorithm-specific
2508
ukm_hash = EVP_MD_CTX_create();
2509
EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94));
2510
EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE);
2511
EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE);
2512
EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2513
EVP_MD_CTX_destroy(ukm_hash);
2514
if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV,
2516
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2520
/* Make GOST keytransport blob message */
2521
/*Encapsulate it into sequence */
2522
*(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2524
if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) {
2525
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2532
*(p++)= msglen & 0xff;
2537
*(p++)= msglen & 0xff;
2540
memcpy(p, tmp, msglen);
2541
/* Check if pubkey from client certificate was used */
2542
if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2544
/* Set flag "skip certificate verify" */
2545
s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2547
EVP_PKEY_CTX_free(pkey_ctx);
2548
s->session->master_key_length=
2549
s->method->ssl3_enc->generate_master_secret(s,
2550
s->session->master_key,premaster_secret,32);
2551
EVP_PKEY_free(pub_key);
2554
#ifndef OPENSSL_NO_PSK
2555
else if (alg_k & SSL_kPSK)
2557
char identity[PSK_MAX_IDENTITY_LEN];
2558
unsigned char *t = NULL;
2559
unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
2560
unsigned int pre_ms_len = 0, psk_len = 0;
2564
if (s->psk_client_callback == NULL)
2566
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2567
SSL_R_PSK_NO_CLIENT_CB);
2571
psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
2572
identity, PSK_MAX_IDENTITY_LEN,
2573
psk_or_pre_ms, sizeof(psk_or_pre_ms));
2574
if (psk_len > PSK_MAX_PSK_LEN)
2576
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2577
ERR_R_INTERNAL_ERROR);
2580
else if (psk_len == 0)
2582
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2583
SSL_R_PSK_IDENTITY_NOT_FOUND);
2587
/* create PSK pre_master_secret */
2588
pre_ms_len = 2+psk_len+2+psk_len;
2590
memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
2592
memset(t, 0, psk_len);
2596
if (s->session->psk_identity_hint != NULL)
2597
OPENSSL_free(s->session->psk_identity_hint);
2598
s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2599
if (s->ctx->psk_identity_hint != NULL &&
2600
s->session->psk_identity_hint == NULL)
2602
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2603
ERR_R_MALLOC_FAILURE);
2607
if (s->session->psk_identity != NULL)
2608
OPENSSL_free(s->session->psk_identity);
2609
s->session->psk_identity = BUF_strdup(identity);
2610
if (s->session->psk_identity == NULL)
2612
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2613
ERR_R_MALLOC_FAILURE);
2617
s->session->master_key_length =
2618
s->method->ssl3_enc->generate_master_secret(s,
2619
s->session->master_key,
2620
psk_or_pre_ms, pre_ms_len);
2621
n = strlen(identity);
2623
memcpy(p, identity, n);
2627
OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2628
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2631
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2344
2638
ssl3_send_alert(s, SSL3_AL_FATAL,
2375
2669
unsigned char *p,*d;
2376
2670
unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2377
2671
EVP_PKEY *pkey;
2672
EVP_PKEY_CTX *pctx=NULL;
2378
2673
#ifndef OPENSSL_NO_RSA
2381
2676
unsigned long n;
2382
#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
2386
2679
if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2388
2681
d=(unsigned char *)s->init_buf->data;
2390
2683
pkey=s->cert->key->privatekey;
2392
s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
2393
&(data[MD5_DIGEST_LENGTH]));
2684
/* Create context from key and test if sha1 is allowed as digest */
2685
pctx = EVP_PKEY_CTX_new(pkey,NULL);
2686
EVP_PKEY_sign_init(pctx);
2687
if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
2689
s->method->ssl3_enc->cert_verify_mac(s,
2691
&(data[MD5_DIGEST_LENGTH]));
2395
2697
#ifndef OPENSSL_NO_RSA
2396
2698
if (pkey->type == EVP_PKEY_RSA)
2398
2700
s->method->ssl3_enc->cert_verify_mac(s,
2399
&(s->s3->finish_dgst1),&(data[0]));
2400
2703
if (RSA_sign(NID_md5_sha1, data,
2401
2704
MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
2402
2705
&(p[2]), &u, pkey->pkey.rsa) <= 0 )
2677
#ifndef OPENSSL_NO_ECDH
2678
/* This is the complement of nid2curve_id in s3_srvr.c. */
2679
static int curve_id2nid(int curve_id)
2681
/* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
2682
* (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
2683
static int nid_list[26] =
2686
NID_sect163k1, /* sect163k1 (1) */
2687
NID_sect163r1, /* sect163r1 (2) */
2688
NID_sect163r2, /* sect163r2 (3) */
2689
NID_sect193r1, /* sect193r1 (4) */
2690
NID_sect193r2, /* sect193r2 (5) */
2691
NID_sect233k1, /* sect233k1 (6) */
2692
NID_sect233r1, /* sect233r1 (7) */
2693
NID_sect239k1, /* sect239k1 (8) */
2694
NID_sect283k1, /* sect283k1 (9) */
2695
NID_sect283r1, /* sect283r1 (10) */
2696
NID_sect409k1, /* sect409k1 (11) */
2697
NID_sect409r1, /* sect409r1 (12) */
2698
NID_sect571k1, /* sect571k1 (13) */
2699
NID_sect571r1, /* sect571r1 (14) */
2700
NID_secp160k1, /* secp160k1 (15) */
2701
NID_secp160r1, /* secp160r1 (16) */
2702
NID_secp160r2, /* secp160r2 (17) */
2703
NID_secp192k1, /* secp192k1 (18) */
2704
NID_X9_62_prime192v1, /* secp192r1 (19) */
2705
NID_secp224k1, /* secp224k1 (20) */
2706
NID_secp224r1, /* secp224r1 (21) */
2707
NID_secp256k1, /* secp256k1 (22) */
2708
NID_X9_62_prime256v1, /* secp256r1 (23) */
2709
NID_secp384r1, /* secp384r1 (24) */
2710
NID_secp521r1 /* secp521r1 (25) */
2713
if ((curve_id < 1) || (curve_id > 25)) return 0;
2715
return nid_list[curve_id];
2719
3001
/* Check to see if handshake is full or resumed. Usually this is just a
2720
3002
* case of checking to see if a cache hit has occurred. In the case of
2721
3003
* session tickets we have to check the next message to be sure.