summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2014-04-14 16:43:25 +0000
committerjsing <>2014-04-14 16:43:25 +0000
commit9ed612cec343ccff3513e7cf2e37938164df6b5b (patch)
tree5a919c79a7dcee39aad6ec4645d9dcecba40cfb0
parent3779c39bff8e2ae1adcc6f1324eb388d0bd49a15 (diff)
downloadopenbsd-9ed612cec343ccff3513e7cf2e37938164df6b5b.tar.gz
openbsd-9ed612cec343ccff3513e7cf2e37938164df6b5b.tar.bz2
openbsd-9ed612cec343ccff3513e7cf2e37938164df6b5b.zip
First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using tr and md5.
Diffstat
-rw-r--r--src/lib/libssl/s3_clnt.c3329
-rw-r--r--src/lib/libssl/s3_srvr.c3489
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c3329
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c3489
4 files changed, 6272 insertions, 7364 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 64e7be8d67..b9ca6b6f9b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -168,62 +168,60 @@
168#endif 168#endif
169 169
170static const SSL_METHOD *ssl3_get_client_method(int ver); 170static const SSL_METHOD *ssl3_get_client_method(int ver);
171static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 171static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
172 172
173static const SSL_METHOD *ssl3_get_client_method(int ver) 173static const SSL_METHOD
174 { 174*ssl3_get_client_method(int ver)
175{
175 if (ver == SSL3_VERSION) 176 if (ver == SSL3_VERSION)
176 return(SSLv3_client_method()); 177 return (SSLv3_client_method());
177 else 178 else
178 return(NULL); 179 return (NULL);
179 } 180}
180 181
181IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
182 ssl_undefined_function, 183 ssl_undefined_function, ssl3_connect, ssl3_get_client_method)
183 ssl3_connect,
184 ssl3_get_client_method)
185 184
186int ssl3_connect(SSL *s) 185int
187 { 186ssl3_connect(SSL *s)
188 BUF_MEM *buf=NULL; 187{
189 unsigned long Time=(unsigned long)time(NULL); 188 BUF_MEM *buf = NULL;
190 void (*cb)(const SSL *ssl,int type,int val)=NULL; 189 unsigned long Time = (unsigned long)time(NULL);
191 int ret= -1; 190 void (*cb)(const SSL *ssl, int type, int val) = NULL;
192 int new_state,state,skip=0; 191 int ret = -1;
192 int new_state, state, skip = 0;
193 193
194 RAND_add(&Time,sizeof(Time),0); 194 RAND_add(&Time, sizeof(Time), 0);
195 ERR_clear_error(); 195 ERR_clear_error();
196 errno = 0; 196 errno = 0;
197 197
198 if (s->info_callback != NULL) 198 if (s->info_callback != NULL)
199 cb=s->info_callback; 199 cb = s->info_callback;
200 else if (s->ctx->info_callback != NULL) 200 else if (s->ctx->info_callback != NULL)
201 cb=s->ctx->info_callback; 201 cb = s->ctx->info_callback;
202 202
203 s->in_handshake++; 203 s->in_handshake++;
204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 204 if (!SSL_in_init(s) || SSL_in_before(s))
205 SSL_clear(s);
205 206
206#ifndef OPENSSL_NO_HEARTBEATS 207#ifndef OPENSSL_NO_HEARTBEATS
207 /* If we're awaiting a HeartbeatResponse, pretend we 208 /* If we're awaiting a HeartbeatResponse, pretend we
208 * already got and don't await it anymore, because 209 * already got and don't await it anymore, because
209 * Heartbeats don't make sense during handshakes anyway. 210 * Heartbeats don't make sense during handshakes anyway.
210 */ 211 */
211 if (s->tlsext_hb_pending) 212 if (s->tlsext_hb_pending) {
212 {
213 s->tlsext_hb_pending = 0; 213 s->tlsext_hb_pending = 0;
214 s->tlsext_hb_seq++; 214 s->tlsext_hb_seq++;
215 } 215 }
216#endif 216#endif
217 217
218 for (;;) 218 for (;;) {
219 { 219 state = s->state;
220 state=s->state;
221 220
222 switch(s->state) 221 switch (s->state) {
223 {
224 case SSL_ST_RENEGOTIATE: 222 case SSL_ST_RENEGOTIATE:
225 s->renegotiate=1; 223 s->renegotiate = 1;
226 s->state=SSL_ST_CONNECT; 224 s->state = SSL_ST_CONNECT;
227 s->ctx->stats.sess_connect_renegotiate++; 225 s->ctx->stats.sess_connect_renegotiate++;
228 /* break */ 226 /* break */
229 case SSL_ST_BEFORE: 227 case SSL_ST_BEFORE:
@@ -231,173 +229,172 @@ int ssl3_connect(SSL *s)
231 case SSL_ST_BEFORE|SSL_ST_CONNECT: 229 case SSL_ST_BEFORE|SSL_ST_CONNECT:
232 case SSL_ST_OK|SSL_ST_CONNECT: 230 case SSL_ST_OK|SSL_ST_CONNECT:
233 231
234 s->server=0; 232 s->server = 0;
235 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 233 if (cb != NULL)
234 cb(s, SSL_CB_HANDSHAKE_START, 1);
236 235
237 if ((s->version & 0xff00 ) != 0x0300) 236 if ((s->version & 0xff00 ) != 0x0300) {
238 {
239 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 237 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
240 ret = -1; 238 ret = -1;
241 goto end; 239 goto end;
242 } 240 }
243 241
244 /* s->version=SSL3_VERSION; */ 242 /* s->version=SSL3_VERSION; */
245 s->type=SSL_ST_CONNECT; 243 s->type = SSL_ST_CONNECT;
246 244
247 if (s->init_buf == NULL) 245 if (s->init_buf == NULL) {
248 { 246 if ((buf = BUF_MEM_new()) == NULL) {
249 if ((buf=BUF_MEM_new()) == NULL) 247 ret = -1;
250 {
251 ret= -1;
252 goto end; 248 goto end;
253 } 249 }
254 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 250 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
255 { 251 ret = -1;
256 ret= -1;
257 goto end; 252 goto end;
258 }
259 s->init_buf=buf;
260 buf=NULL;
261 } 253 }
254 s->init_buf = buf;
255 buf = NULL;
256 }
262 257
263 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 258 if (!ssl3_setup_buffers(s)) {
259 ret = -1;
260 goto end;
261 }
264 262
265 /* setup buffing BIO */ 263 /* setup buffing BIO */
266 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 264 if (!ssl_init_wbio_buffer(s, 0)) {
265 ret = -1;
266 goto end;
267 }
267 268
268 /* don't push the buffering BIO quite yet */ 269 /* don't push the buffering BIO quite yet */
269 270
270 ssl3_init_finished_mac(s); 271 ssl3_init_finished_mac(s);
271 272
272 s->state=SSL3_ST_CW_CLNT_HELLO_A; 273 s->state = SSL3_ST_CW_CLNT_HELLO_A;
273 s->ctx->stats.sess_connect++; 274 s->ctx->stats.sess_connect++;
274 s->init_num=0; 275 s->init_num = 0;
275 break; 276 break;
276 277
277 case SSL3_ST_CW_CLNT_HELLO_A: 278 case SSL3_ST_CW_CLNT_HELLO_A:
278 case SSL3_ST_CW_CLNT_HELLO_B: 279 case SSL3_ST_CW_CLNT_HELLO_B:
279 280
280 s->shutdown=0; 281 s->shutdown = 0;
281 ret=ssl3_client_hello(s); 282 ret = ssl3_client_hello(s);
282 if (ret <= 0) goto end; 283 if (ret <= 0)
283 s->state=SSL3_ST_CR_SRVR_HELLO_A; 284 goto end;
284 s->init_num=0; 285 s->state = SSL3_ST_CR_SRVR_HELLO_A;
286 s->init_num = 0;
285 287
286 /* turn on buffering for the next lot of output */ 288 /* turn on buffering for the next lot of output */
287 if (s->bbio != s->wbio) 289 if (s->bbio != s->wbio)
288 s->wbio=BIO_push(s->bbio,s->wbio); 290 s->wbio = BIO_push(s->bbio, s->wbio);
289 291
290 break; 292 break;
291 293
292 case SSL3_ST_CR_SRVR_HELLO_A: 294 case SSL3_ST_CR_SRVR_HELLO_A:
293 case SSL3_ST_CR_SRVR_HELLO_B: 295 case SSL3_ST_CR_SRVR_HELLO_B:
294 ret=ssl3_get_server_hello(s); 296 ret = ssl3_get_server_hello(s);
295 if (ret <= 0) goto end; 297 if (ret <= 0)
298 goto end;
296 299
297 if (s->hit) 300 if (s->hit) {
298 { 301 s->state = SSL3_ST_CR_FINISHED_A;
299 s->state=SSL3_ST_CR_FINISHED_A;
300#ifndef OPENSSL_NO_TLSEXT 302#ifndef OPENSSL_NO_TLSEXT
301 if (s->tlsext_ticket_expected) 303 if (s->tlsext_ticket_expected) {
302 {
303 /* receive renewed session ticket */ 304 /* receive renewed session ticket */
304 s->state=SSL3_ST_CR_SESSION_TICKET_A; 305 s->state = SSL3_ST_CR_SESSION_TICKET_A;
305 }
306#endif
307 } 306 }
308 else 307#endif
309 s->state=SSL3_ST_CR_CERT_A; 308 } else
310 s->init_num=0; 309 s->state = SSL3_ST_CR_CERT_A;
310 s->init_num = 0;
311 break; 311 break;
312 312
313 case SSL3_ST_CR_CERT_A: 313 case SSL3_ST_CR_CERT_A:
314 case SSL3_ST_CR_CERT_B: 314 case SSL3_ST_CR_CERT_B:
315#ifndef OPENSSL_NO_TLSEXT 315#ifndef OPENSSL_NO_TLSEXT
316 ret=ssl3_check_finished(s); 316 ret = ssl3_check_finished(s);
317 if (ret <= 0) goto end; 317 if (ret <= 0)
318 if (ret == 2) 318 goto end;
319 { 319 if (ret == 2) {
320 s->hit = 1; 320 s->hit = 1;
321 if (s->tlsext_ticket_expected) 321 if (s->tlsext_ticket_expected)
322 s->state=SSL3_ST_CR_SESSION_TICKET_A; 322 s->state = SSL3_ST_CR_SESSION_TICKET_A;
323 else 323 else
324 s->state=SSL3_ST_CR_FINISHED_A; 324 s->state = SSL3_ST_CR_FINISHED_A;
325 s->init_num=0; 325 s->init_num = 0;
326 break; 326 break;
327 } 327 }
328#endif 328#endif
329 /* Check if it is anon DH/ECDH */ 329 /* Check if it is anon DH/ECDH */
330 /* or PSK */ 330 /* or PSK */
331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
333 { 333 ret = ssl3_get_server_certificate(s);
334 ret=ssl3_get_server_certificate(s); 334 if (ret <= 0)
335 if (ret <= 0) goto end; 335 goto end;
336#ifndef OPENSSL_NO_TLSEXT 336#ifndef OPENSSL_NO_TLSEXT
337 if (s->tlsext_status_expected) 337 if (s->tlsext_status_expected)
338 s->state=SSL3_ST_CR_CERT_STATUS_A; 338 s->state = SSL3_ST_CR_CERT_STATUS_A;
339 else 339 else
340 s->state=SSL3_ST_CR_KEY_EXCH_A; 340 s->state = SSL3_ST_CR_KEY_EXCH_A;
341 } 341 } else {
342 else
343 {
344 skip = 1; 342 skip = 1;
345 s->state=SSL3_ST_CR_KEY_EXCH_A; 343 s->state = SSL3_ST_CR_KEY_EXCH_A;
346 } 344 }
347#else 345#else
348 } 346 } else
349 else 347 skip = 1;
350 skip=1;
351 348
352 s->state=SSL3_ST_CR_KEY_EXCH_A; 349 s->state = SSL3_ST_CR_KEY_EXCH_A;
353#endif 350#endif
354 s->init_num=0; 351 s->init_num = 0;
355 break; 352 break;
356 353
357 case SSL3_ST_CR_KEY_EXCH_A: 354 case SSL3_ST_CR_KEY_EXCH_A:
358 case SSL3_ST_CR_KEY_EXCH_B: 355 case SSL3_ST_CR_KEY_EXCH_B:
359 ret=ssl3_get_key_exchange(s); 356 ret = ssl3_get_key_exchange(s);
360 if (ret <= 0) goto end; 357 if (ret <= 0)
361 s->state=SSL3_ST_CR_CERT_REQ_A; 358 goto end;
362 s->init_num=0; 359 s->state = SSL3_ST_CR_CERT_REQ_A;
360 s->init_num = 0;
363 361
364 /* at this point we check that we have the 362 /* at this point we check that we have the
365 * required stuff from the server */ 363 * required stuff from the server */
366 if (!ssl3_check_cert_and_algorithm(s)) 364 if (!ssl3_check_cert_and_algorithm(s)) {
367 { 365 ret = -1;
368 ret= -1;
369 goto end; 366 goto end;
370 } 367 }
371 break; 368 break;
372 369
373 case SSL3_ST_CR_CERT_REQ_A: 370 case SSL3_ST_CR_CERT_REQ_A:
374 case SSL3_ST_CR_CERT_REQ_B: 371 case SSL3_ST_CR_CERT_REQ_B:
375 ret=ssl3_get_certificate_request(s); 372 ret = ssl3_get_certificate_request(s);
376 if (ret <= 0) goto end; 373 if (ret <= 0)
377 s->state=SSL3_ST_CR_SRVR_DONE_A; 374 goto end;
378 s->init_num=0; 375 s->state = SSL3_ST_CR_SRVR_DONE_A;
376 s->init_num = 0;
379 break; 377 break;
380 378
381 case SSL3_ST_CR_SRVR_DONE_A: 379 case SSL3_ST_CR_SRVR_DONE_A:
382 case SSL3_ST_CR_SRVR_DONE_B: 380 case SSL3_ST_CR_SRVR_DONE_B:
383 ret=ssl3_get_server_done(s); 381 ret = ssl3_get_server_done(s);
384 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
385#ifndef OPENSSL_NO_SRP 384#ifndef OPENSSL_NO_SRP
386 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 385 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
387 { 386 if ((ret = SRP_Calc_A_param(s)) <= 0) {
388 if ((ret = SRP_Calc_A_param(s))<=0) 387 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
389 { 388 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
390 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
391 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
392 goto end; 389 goto end;
393 }
394 } 390 }
391 }
395#endif 392#endif
396 if (s->s3->tmp.cert_req) 393 if (s->s3->tmp.cert_req)
397 s->state=SSL3_ST_CW_CERT_A; 394 s->state = SSL3_ST_CW_CERT_A;
398 else 395 else
399 s->state=SSL3_ST_CW_KEY_EXCH_A; 396 s->state = SSL3_ST_CW_KEY_EXCH_A;
400 s->init_num=0; 397 s->init_num = 0;
401 398
402 break; 399 break;
403 400
@@ -405,16 +402,18 @@ int ssl3_connect(SSL *s)
405 case SSL3_ST_CW_CERT_B: 402 case SSL3_ST_CW_CERT_B:
406 case SSL3_ST_CW_CERT_C: 403 case SSL3_ST_CW_CERT_C:
407 case SSL3_ST_CW_CERT_D: 404 case SSL3_ST_CW_CERT_D:
408 ret=ssl3_send_client_certificate(s); 405 ret = ssl3_send_client_certificate(s);
409 if (ret <= 0) goto end; 406 if (ret <= 0)
410 s->state=SSL3_ST_CW_KEY_EXCH_A; 407 goto end;
411 s->init_num=0; 408 s->state = SSL3_ST_CW_KEY_EXCH_A;
409 s->init_num = 0;
412 break; 410 break;
413 411
414 case SSL3_ST_CW_KEY_EXCH_A: 412 case SSL3_ST_CW_KEY_EXCH_A:
415 case SSL3_ST_CW_KEY_EXCH_B: 413 case SSL3_ST_CW_KEY_EXCH_B:
416 ret=ssl3_send_client_key_exchange(s); 414 ret = ssl3_send_client_key_exchange(s);
417 if (ret <= 0) goto end; 415 if (ret <= 0)
416 goto end;
418 /* EAY EAY EAY need to check for DH fix cert 417 /* EAY EAY EAY need to check for DH fix cert
419 * sent back */ 418 * sent back */
420 /* For TLS, cert_req is set to 2, so a cert chain 419 /* For TLS, cert_req is set to 2, so a cert chain
@@ -426,170 +425,165 @@ int ssl3_connect(SSL *s)
426 * message when client's ECDH public key is sent 425 * message when client's ECDH public key is sent
427 * inside the client certificate. 426 * inside the client certificate.
428 */ 427 */
429 if (s->s3->tmp.cert_req == 1) 428 if (s->s3->tmp.cert_req == 1) {
430 { 429 s->state = SSL3_ST_CW_CERT_VRFY_A;
431 s->state=SSL3_ST_CW_CERT_VRFY_A; 430 } else {
432 } 431 s->state = SSL3_ST_CW_CHANGE_A;
433 else 432 s->s3->change_cipher_spec = 0;
434 { 433 }
435 s->state=SSL3_ST_CW_CHANGE_A; 434 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
436 s->s3->change_cipher_spec=0; 435 s->state = SSL3_ST_CW_CHANGE_A;
437 } 436 s->s3->change_cipher_spec = 0;
438 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 437 }
439 {
440 s->state=SSL3_ST_CW_CHANGE_A;
441 s->s3->change_cipher_spec=0;
442 }
443 438
444 s->init_num=0; 439 s->init_num = 0;
445 break; 440 break;
446 441
447 case SSL3_ST_CW_CERT_VRFY_A: 442 case SSL3_ST_CW_CERT_VRFY_A:
448 case SSL3_ST_CW_CERT_VRFY_B: 443 case SSL3_ST_CW_CERT_VRFY_B:
449 ret=ssl3_send_client_verify(s); 444 ret = ssl3_send_client_verify(s);
450 if (ret <= 0) goto end; 445 if (ret <= 0)
451 s->state=SSL3_ST_CW_CHANGE_A; 446 goto end;
452 s->init_num=0; 447 s->state = SSL3_ST_CW_CHANGE_A;
453 s->s3->change_cipher_spec=0; 448 s->init_num = 0;
449 s->s3->change_cipher_spec = 0;
454 break; 450 break;
455 451
456 case SSL3_ST_CW_CHANGE_A: 452 case SSL3_ST_CW_CHANGE_A:
457 case SSL3_ST_CW_CHANGE_B: 453 case SSL3_ST_CW_CHANGE_B:
458 ret=ssl3_send_change_cipher_spec(s, 454 ret = ssl3_send_change_cipher_spec(s,
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 455 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end; 456 if (ret <= 0)
457 goto end;
461 458
462#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 459#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
463 s->state=SSL3_ST_CW_FINISHED_A; 460 s->state = SSL3_ST_CW_FINISHED_A;
464#else 461#else
465 if (s->s3->next_proto_neg_seen) 462 if (s->s3->next_proto_neg_seen)
466 s->state=SSL3_ST_CW_NEXT_PROTO_A; 463 s->state = SSL3_ST_CW_NEXT_PROTO_A;
467 else 464 else
468 s->state=SSL3_ST_CW_FINISHED_A; 465 s->state = SSL3_ST_CW_FINISHED_A;
469#endif 466#endif
470 s->init_num=0; 467 s->init_num = 0;
471 468
472 s->session->cipher=s->s3->tmp.new_cipher; 469 s->session->cipher = s->s3->tmp.new_cipher;
473#ifdef OPENSSL_NO_COMP 470#ifdef OPENSSL_NO_COMP
474 s->session->compress_meth=0; 471 s->session->compress_meth = 0;
475#else 472#else
476 if (s->s3->tmp.new_compression == NULL) 473 if (s->s3->tmp.new_compression == NULL)
477 s->session->compress_meth=0; 474 s->session->compress_meth = 0;
478 else 475 else
479 s->session->compress_meth= 476 s->session->compress_meth =
480 s->s3->tmp.new_compression->id; 477 s->s3->tmp.new_compression->id;
481#endif 478#endif
482 if (!s->method->ssl3_enc->setup_key_block(s)) 479 if (!s->method->ssl3_enc->setup_key_block(s)) {
483 { 480 ret = -1;
484 ret= -1;
485 goto end; 481 goto end;
486 } 482 }
487 483
488 if (!s->method->ssl3_enc->change_cipher_state(s, 484 if (!s->method->ssl3_enc->change_cipher_state(s,
489 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 485 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
490 { 486 ret = -1;
491 ret= -1;
492 goto end; 487 goto end;
493 } 488 }
494 489
495 break; 490 break;
496 491
497#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 492#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
498 case SSL3_ST_CW_NEXT_PROTO_A: 493 case SSL3_ST_CW_NEXT_PROTO_A:
499 case SSL3_ST_CW_NEXT_PROTO_B: 494 case SSL3_ST_CW_NEXT_PROTO_B:
500 ret=ssl3_send_next_proto(s); 495 ret = ssl3_send_next_proto(s);
501 if (ret <= 0) goto end; 496 if (ret <= 0)
502 s->state=SSL3_ST_CW_FINISHED_A; 497 goto end;
498 s->state = SSL3_ST_CW_FINISHED_A;
503 break; 499 break;
504#endif 500#endif
505 501
506 case SSL3_ST_CW_FINISHED_A: 502 case SSL3_ST_CW_FINISHED_A:
507 case SSL3_ST_CW_FINISHED_B: 503 case SSL3_ST_CW_FINISHED_B:
508 ret=ssl3_send_finished(s, 504 ret = ssl3_send_finished(s,
509 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 505 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
510 s->method->ssl3_enc->client_finished_label, 506 s->method->ssl3_enc->client_finished_label,
511 s->method->ssl3_enc->client_finished_label_len); 507 s->method->ssl3_enc->client_finished_label_len);
512 if (ret <= 0) goto end; 508 if (ret <= 0)
513 s->state=SSL3_ST_CW_FLUSH; 509 goto end;
510 s->state = SSL3_ST_CW_FLUSH;
514 511
515 /* clear flags */ 512 /* clear flags */
516 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 513 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
517 if (s->hit) 514 if (s->hit) {
518 { 515 s->s3->tmp.next_state = SSL_ST_OK;
519 s->s3->tmp.next_state=SSL_ST_OK; 516 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
520 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 517 s->state = SSL_ST_OK;
521 {
522 s->state=SSL_ST_OK;
523 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 518 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
524 s->s3->delay_buf_pop_ret=0; 519 s->s3->delay_buf_pop_ret = 0;
525 }
526 } 520 }
527 else 521 } else {
528 {
529#ifndef OPENSSL_NO_TLSEXT 522#ifndef OPENSSL_NO_TLSEXT
530 /* Allow NewSessionTicket if ticket expected */ 523 /* Allow NewSessionTicket if ticket expected */
531 if (s->tlsext_ticket_expected) 524 if (s->tlsext_ticket_expected)
532 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 525 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
533 else 526 else
534#endif 527#endif
535 528
536 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 529 s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
537 } 530 }
538 s->init_num=0; 531 s->init_num = 0;
539 break; 532 break;
540 533
541#ifndef OPENSSL_NO_TLSEXT 534#ifndef OPENSSL_NO_TLSEXT
542 case SSL3_ST_CR_SESSION_TICKET_A: 535 case SSL3_ST_CR_SESSION_TICKET_A:
543 case SSL3_ST_CR_SESSION_TICKET_B: 536 case SSL3_ST_CR_SESSION_TICKET_B:
544 ret=ssl3_get_new_session_ticket(s); 537 ret = ssl3_get_new_session_ticket(s);
545 if (ret <= 0) goto end; 538 if (ret <= 0)
546 s->state=SSL3_ST_CR_FINISHED_A; 539 goto end;
547 s->init_num=0; 540 s->state = SSL3_ST_CR_FINISHED_A;
548 break; 541 s->init_num = 0;
542 break;
549 543
550 case SSL3_ST_CR_CERT_STATUS_A: 544 case SSL3_ST_CR_CERT_STATUS_A:
551 case SSL3_ST_CR_CERT_STATUS_B: 545 case SSL3_ST_CR_CERT_STATUS_B:
552 ret=ssl3_get_cert_status(s); 546 ret = ssl3_get_cert_status(s);
553 if (ret <= 0) goto end; 547 if (ret <= 0)
554 s->state=SSL3_ST_CR_KEY_EXCH_A; 548 goto end;
555 s->init_num=0; 549 s->state = SSL3_ST_CR_KEY_EXCH_A;
556 break; 550 s->init_num = 0;
551 break;
557#endif 552#endif
558 553
559 case SSL3_ST_CR_FINISHED_A: 554 case SSL3_ST_CR_FINISHED_A:
560 case SSL3_ST_CR_FINISHED_B: 555 case SSL3_ST_CR_FINISHED_B:
561 556
562 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 557 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
563 SSL3_ST_CR_FINISHED_B); 558 SSL3_ST_CR_FINISHED_B);
564 if (ret <= 0) goto end; 559 if (ret <= 0)
560 goto end;
565 561
566 if (s->hit) 562 if (s->hit)
567 s->state=SSL3_ST_CW_CHANGE_A; 563 s->state = SSL3_ST_CW_CHANGE_A;
568 else 564 else
569 s->state=SSL_ST_OK; 565 s->state = SSL_ST_OK;
570 s->init_num=0; 566 s->init_num = 0;
571 break; 567 break;
572 568
573 case SSL3_ST_CW_FLUSH: 569 case SSL3_ST_CW_FLUSH:
574 s->rwstate=SSL_WRITING; 570 s->rwstate = SSL_WRITING;
575 if (BIO_flush(s->wbio) <= 0) 571 if (BIO_flush(s->wbio) <= 0) {
576 { 572 ret = -1;
577 ret= -1;
578 goto end; 573 goto end;
579 } 574 }
580 s->rwstate=SSL_NOTHING; 575 s->rwstate = SSL_NOTHING;
581 s->state=s->s3->tmp.next_state; 576 s->state = s->s3->tmp.next_state;
582 break; 577 break;
583 578
584 case SSL_ST_OK: 579 case SSL_ST_OK:
585 /* clean a few things up */ 580 /* clean a few things up */
586 ssl3_cleanup_key_block(s); 581 ssl3_cleanup_key_block(s);
587 582
588 if (s->init_buf != NULL) 583 if (s->init_buf != NULL) {
589 {
590 BUF_MEM_free(s->init_buf); 584 BUF_MEM_free(s->init_buf);
591 s->init_buf=NULL; 585 s->init_buf = NULL;
592 } 586 }
593 587
594 /* If we are not 'joining' the last two packets, 588 /* If we are not 'joining' the last two packets,
595 * remove the buffering now */ 589 * remove the buffering now */
@@ -597,63 +591,63 @@ int ssl3_connect(SSL *s)
597 ssl_free_wbio_buffer(s); 591 ssl_free_wbio_buffer(s);
598 /* else do it later in ssl3_write */ 592 /* else do it later in ssl3_write */
599 593
600 s->init_num=0; 594 s->init_num = 0;
601 s->renegotiate=0; 595 s->renegotiate = 0;
602 s->new_session=0; 596 s->new_session = 0;
603 597
604 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 598 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
605 if (s->hit) s->ctx->stats.sess_hit++; 599 if (s->hit)
600 s->ctx->stats.sess_hit++;
606 601
607 ret=1; 602 ret = 1;
608 /* s->server=0; */ 603 /* s->server=0; */
609 s->handshake_func=ssl3_connect; 604 s->handshake_func = ssl3_connect;
610 s->ctx->stats.sess_connect_good++; 605 s->ctx->stats.sess_connect_good++;
611 606
612 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 607 if (cb != NULL)
608 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
613 609
614 goto end; 610 goto end;
615 /* break; */ 611 /* break; */
616 612
617 default: 613 default:
618 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 614 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE);
619 ret= -1; 615 ret = -1;
620 goto end; 616 goto end;
621 /* break; */ 617 /* break; */
622 } 618 }
623 619
624 /* did we do anything */ 620 /* did we do anything */
625 if (!s->s3->tmp.reuse_message && !skip) 621 if (!s->s3->tmp.reuse_message && !skip) {
626 { 622 if (s->debug) {
627 if (s->debug) 623 if ((ret = BIO_flush(s->wbio)) <= 0)
628 {
629 if ((ret=BIO_flush(s->wbio)) <= 0)
630 goto end; 624 goto end;
631 } 625 }
632 626
633 if ((cb != NULL) && (s->state != state)) 627 if ((cb != NULL) && (s->state != state)) {
634 { 628 new_state = s->state;
635 new_state=s->state; 629 s->state = state;
636 s->state=state; 630 cb(s, SSL_CB_CONNECT_LOOP, 1);
637 cb(s,SSL_CB_CONNECT_LOOP,1); 631 s->state = new_state;
638 s->state=new_state;
639 }
640 } 632 }
641 skip=0;
642 } 633 }
634 skip = 0;
635 }
643end: 636end:
644 s->in_handshake--; 637 s->in_handshake--;
645 if (buf != NULL) 638 if (buf != NULL)
646 BUF_MEM_free(buf); 639 BUF_MEM_free(buf);
647 if (cb != NULL) 640 if (cb != NULL)
648 cb(s,SSL_CB_CONNECT_EXIT,ret); 641 cb(s, SSL_CB_CONNECT_EXIT, ret);
649 return(ret); 642 return (ret);
650 } 643}
651 644
652 645
653int ssl3_client_hello(SSL *s) 646int
654 { 647ssl3_client_hello(SSL *s)
648{
655 unsigned char *buf; 649 unsigned char *buf;
656 unsigned char *p,*d; 650 unsigned char *p, *d;
657 int i; 651 int i;
658 unsigned long l; 652 unsigned long l;
659#ifndef OPENSSL_NO_COMP 653#ifndef OPENSSL_NO_COMP
@@ -661,31 +655,29 @@ int ssl3_client_hello(SSL *s)
661 SSL_COMP *comp; 655 SSL_COMP *comp;
662#endif 656#endif
663 657
664 buf=(unsigned char *)s->init_buf->data; 658 buf = (unsigned char *)s->init_buf->data;
665 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 659 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
666 {
667 SSL_SESSION *sess = s->session; 660 SSL_SESSION *sess = s->session;
668 if ((sess == NULL) || 661 if ((sess == NULL) ||
669 (sess->ssl_version != s->version) || 662 (sess->ssl_version != s->version) ||
670#ifdef OPENSSL_NO_TLSEXT 663#ifdef OPENSSL_NO_TLSEXT
671 !sess->session_id_length || 664 !sess->session_id_length ||
672#else 665#else
673 (!sess->session_id_length && !sess->tlsext_tick) || 666 (!sess->session_id_length && !sess->tlsext_tick) ||
674#endif 667#endif
675 (sess->not_resumable)) 668 (sess->not_resumable)) {
676 { 669 if (!ssl_get_new_session(s, 0))
677 if (!ssl_get_new_session(s,0))
678 goto err; 670 goto err;
679 } 671 }
680 /* else use the pre-loaded session */ 672 /* else use the pre-loaded session */
681 673
682 p=s->s3->client_random; 674 p = s->s3->client_random;
683 675
684 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 676 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
685 goto err; 677 goto err;
686 678
687 /* Do the message type and length last */ 679 /* Do the message type and length last */
688 d=p= &(buf[4]); 680 d = p= &(buf[4]);
689 681
690 /* version indicates the negotiated version: for example from 682 /* version indicates the negotiated version: for example from
691 * an SSLv2/v3 compatible client hello). The client_version 683 * an SSLv2/v3 compatible client hello). The client_version
@@ -717,562 +709,510 @@ int ssl3_client_hello(SSL *s)
717 * the negotiated version. 709 * the negotiated version.
718 */ 710 */
719#if 0 711#if 0
720 *(p++)=s->version>>8; 712 *(p++) = s->version >> 8;
721 *(p++)=s->version&0xff; 713 *(p++) = s->version&0xff;
722 s->client_version=s->version; 714 s->client_version = s->version;
723#else 715#else
724 *(p++)=s->client_version>>8; 716 *(p++) = s->client_version >> 8;
725 *(p++)=s->client_version&0xff; 717 *(p++) = s->client_version&0xff;
726#endif 718#endif
727 719
728 /* Random stuff */ 720 /* Random stuff */
729 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 721 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
730 p+=SSL3_RANDOM_SIZE; 722 p += SSL3_RANDOM_SIZE;
731 723
732 /* Session ID */ 724 /* Session ID */
733 if (s->new_session) 725 if (s->new_session)
734 i=0; 726 i = 0;
735 else 727 else
736 i=s->session->session_id_length; 728 i = s->session->session_id_length;
737 *(p++)=i; 729 *(p++) = i;
738 if (i != 0) 730 if (i != 0) {
739 { 731 if (i > (int)sizeof(s->session->session_id)) {
740 if (i > (int)sizeof(s->session->session_id))
741 {
742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 732 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
743 goto err; 733 goto err;
744 }
745 memcpy(p,s->session->session_id,i);
746 p+=i;
747 } 734 }
748 735 memcpy(p, s->session->session_id, i);
736 p += i;
737 }
738
749 /* Ciphers supported */ 739 /* Ciphers supported */
750 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 740 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0);
751 if (i == 0) 741 if (i == 0) {
752 { 742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
753 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
754 goto err; 743 goto err;
755 } 744 }
756#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 745#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
757 /* Some servers hang if client hello > 256 bytes 746 /* Some servers hang if client hello > 256 bytes
758 * as hack workaround chop number of supported ciphers 747 * as hack workaround chop number of supported ciphers
759 * to keep it well below this if we use TLS v1.2 748 * to keep it well below this if we use TLS v1.2
760 */ 749 */
761 if (TLS1_get_version(s) >= TLS1_2_VERSION 750 if (TLS1_get_version(s) >= TLS1_2_VERSION &&
762 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 751 i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
763 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 752 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
764#endif 753#endif
765 s2n(i,p); 754 s2n(i, p);
766 p+=i; 755 p += i;
767 756
768 /* COMPRESSION */ 757 /* COMPRESSION */
769#ifdef OPENSSL_NO_COMP 758#ifdef OPENSSL_NO_COMP
770 *(p++)=1; 759 *(p++) = 1;
771#else 760#else
772 761
773 if ((s->options & SSL_OP_NO_COMPRESSION) 762 if ((s->options & SSL_OP_NO_COMPRESSION) ||
774 || !s->ctx->comp_methods) 763 !s->ctx->comp_methods)
775 j=0; 764 j = 0;
776 else 765 else
777 j=sk_SSL_COMP_num(s->ctx->comp_methods); 766 j = sk_SSL_COMP_num(s->ctx->comp_methods);
778 *(p++)=1+j; 767 *(p++) = 1 + j;
779 for (i=0; i<j; i++) 768 for (i = 0; i < j; i++) {
780 { 769 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
781 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 770 *(p++) = comp->id;
782 *(p++)=comp->id; 771 }
783 }
784#endif 772#endif
785 *(p++)=0; /* Add the NULL method */ 773 *(p++) = 0; /* Add the NULL method */
786 774
787#ifndef OPENSSL_NO_TLSEXT 775#ifndef OPENSSL_NO_TLSEXT
788 /* TLS extensions*/ 776 /* TLS extensions*/
789 if (ssl_prepare_clienthello_tlsext(s) <= 0) 777 if (ssl_prepare_clienthello_tlsext(s) <= 0) {
790 { 778 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
791 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
792 goto err; 779 goto err;
793 } 780 }
794 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 781 if ((p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
795 { 782 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
796 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
797 goto err; 783 goto err;
798 } 784 }
799#endif 785#endif
800
801 l=(p-d);
802 d=buf;
803 *(d++)=SSL3_MT_CLIENT_HELLO;
804 l2n3(l,d);
805 786
806 s->state=SSL3_ST_CW_CLNT_HELLO_B; 787 l = (p - d);
788 d = buf;
789 *(d++) = SSL3_MT_CLIENT_HELLO;
790 l2n3(l, d);
791
792 s->state = SSL3_ST_CW_CLNT_HELLO_B;
807 /* number of bytes to write */ 793 /* number of bytes to write */
808 s->init_num=p-buf; 794 s->init_num = p - buf;
809 s->init_off=0; 795 s->init_off = 0;
810 } 796 }
811 797
812 /* SSL3_ST_CW_CLNT_HELLO_B */ 798 /* SSL3_ST_CW_CLNT_HELLO_B */
813 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 799 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
814err: 800err:
815 return(-1); 801 return (-1);
816 } 802}
817 803
818int ssl3_get_server_hello(SSL *s) 804int
819 { 805ssl3_get_server_hello(SSL *s)
806{
820 STACK_OF(SSL_CIPHER) *sk; 807 STACK_OF(SSL_CIPHER) *sk;
821 const SSL_CIPHER *c; 808 const SSL_CIPHER *c;
822 unsigned char *p,*d; 809 unsigned char *p, *d;
823 int i,al,ok; 810 int i, al, ok;
824 unsigned int j; 811 unsigned int j;
825 long n; 812 long n;
826#ifndef OPENSSL_NO_COMP 813#ifndef OPENSSL_NO_COMP
827 SSL_COMP *comp; 814 SSL_COMP *comp;
828#endif 815#endif
829 816
830 n=s->method->ssl_get_message(s, 817 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
831 SSL3_ST_CR_SRVR_HELLO_A, 818 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
832 SSL3_ST_CR_SRVR_HELLO_B,
833 -1,
834 20000, /* ?? */
835 &ok);
836 819
837 if (!ok) return((int)n); 820 if (!ok)
821 return ((int)n);
838 822
839 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 823 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) {
840 { 824 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
841 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 825 if (s->d1->send_cookie == 0) {
842 {
843 if ( s->d1->send_cookie == 0)
844 {
845 s->s3->tmp.reuse_message = 1; 826 s->s3->tmp.reuse_message = 1;
846 return 1; 827 return 1;
847 } 828 }
848 else /* already sent a cookie */ 829 else /* already sent a cookie */
849 { 830 {
850 al=SSL_AD_UNEXPECTED_MESSAGE; 831 al = SSL_AD_UNEXPECTED_MESSAGE;
851 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 832 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
852 goto f_err; 833 goto f_err;
853 }
854 } 834 }
855 } 835 }
856 836 }
857 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 837
858 { 838 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
859 al=SSL_AD_UNEXPECTED_MESSAGE; 839 al = SSL_AD_UNEXPECTED_MESSAGE;
860 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 840 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
861 goto f_err; 841 goto f_err;
862 } 842 }
863 843
864 d=p=(unsigned char *)s->init_msg; 844 d = p=(unsigned char *)s->init_msg;
865 845
866 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 846 if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
867 { 847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
868 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 848 s->version = (s->version&0xff00)|p[1];
869 s->version=(s->version&0xff00)|p[1]; 849 al = SSL_AD_PROTOCOL_VERSION;
870 al=SSL_AD_PROTOCOL_VERSION;
871 goto f_err; 850 goto f_err;
872 } 851 }
873 p+=2; 852 p += 2;
874 853
875 /* load the server hello data */ 854 /* load the server hello data */
876 /* load the server random */ 855 /* load the server random */
877 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 856 memcpy(s->s3->server_random, p, SSL3_RANDOM_SIZE);
878 p+=SSL3_RANDOM_SIZE; 857 p += SSL3_RANDOM_SIZE;
879 858
880 /* get the session-id */ 859 /* get the session-id */
881 j= *(p++); 860 j= *(p++);
882 861
883 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 862 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) {
884 { 863 al = SSL_AD_ILLEGAL_PARAMETER;
885 al=SSL_AD_ILLEGAL_PARAMETER; 864 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
886 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
887 goto f_err; 865 goto f_err;
888 } 866 }
889 867
890#ifndef OPENSSL_NO_TLSEXT 868#ifndef OPENSSL_NO_TLSEXT
891 /* check if we want to resume the session based on external pre-shared secret */ 869 /* check if we want to resume the session based on external pre-shared secret */
892 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 870 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
893 { 871 SSL_CIPHER *pref_cipher = NULL;
894 SSL_CIPHER *pref_cipher=NULL; 872 s->session->master_key_length = sizeof(s->session->master_key);
895 s->session->master_key_length=sizeof(s->session->master_key);
896 if (s->tls_session_secret_cb(s, s->session->master_key, 873 if (s->tls_session_secret_cb(s, s->session->master_key,
897 &s->session->master_key_length, 874 &s->session->master_key_length, NULL, &pref_cipher,
898 NULL, &pref_cipher, 875 s->tls_session_secret_cb_arg)) {
899 s->tls_session_secret_cb_arg))
900 {
901 s->session->cipher = pref_cipher ? 876 s->session->cipher = pref_cipher ?
902 pref_cipher : ssl_get_cipher_by_char(s, p+j); 877 pref_cipher : ssl_get_cipher_by_char(s, p + j);
903 }
904 } 878 }
879 }
905#endif /* OPENSSL_NO_TLSEXT */ 880#endif /* OPENSSL_NO_TLSEXT */
906 881
907 if (j != 0 && j == s->session->session_id_length 882 if (j != 0 && j == s->session->session_id_length &&
908 && memcmp(p,s->session->session_id,j) == 0) 883 memcmp(p, s->session->session_id, j) == 0) {
909 { 884 if (s->sid_ctx_length != s->session->sid_ctx_length ||
910 if(s->sid_ctx_length != s->session->sid_ctx_length 885 memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
911 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 886 /* actually a client application bug */
912 { 887 al = SSL_AD_ILLEGAL_PARAMETER;
913 /* actually a client application bug */ 888 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
914 al=SSL_AD_ILLEGAL_PARAMETER; 889 goto f_err;
915 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
916 goto f_err;
917 } 890 }
918 s->hit=1; 891 s->hit = 1;
919 } 892 }
920 else /* a miss or crap from the other end */ 893 else /* a miss or crap from the other end */
921 { 894 {
922 /* If we were trying for session-id reuse, make a new 895 /* If we were trying for session-id reuse, make a new
923 * SSL_SESSION so we don't stuff up other people */ 896 * SSL_SESSION so we don't stuff up other people */
924 s->hit=0; 897 s->hit = 0;
925 if (s->session->session_id_length > 0) 898 if (s->session->session_id_length > 0) {
926 { 899 if (!ssl_get_new_session(s, 0)) {
927 if (!ssl_get_new_session(s,0)) 900 al = SSL_AD_INTERNAL_ERROR;
928 {
929 al=SSL_AD_INTERNAL_ERROR;
930 goto f_err; 901 goto f_err;
931 }
932 } 902 }
933 s->session->session_id_length=j;
934 memcpy(s->session->session_id,p,j); /* j could be 0 */
935 } 903 }
936 p+=j; 904 s->session->session_id_length = j;
937 c=ssl_get_cipher_by_char(s,p); 905 memcpy(s->session->session_id,p,j); /* j could be 0 */
938 if (c == NULL) 906 }
939 { 907 p += j;
908 c = ssl_get_cipher_by_char(s, p);
909 if (c == NULL) {
940 /* unknown cipher */ 910 /* unknown cipher */
941 al=SSL_AD_ILLEGAL_PARAMETER; 911 al = SSL_AD_ILLEGAL_PARAMETER;
942 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 912 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
943 goto f_err; 913 goto f_err;
944 } 914 }
945 /* TLS v1.2 only ciphersuites require v1.2 or later */ 915 /* TLS v1.2 only ciphersuites require v1.2 or later */
946 if ((c->algorithm_ssl & SSL_TLSV1_2) && 916 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
947 (TLS1_get_version(s) < TLS1_2_VERSION)) 917 (TLS1_get_version(s) < TLS1_2_VERSION)) {
948 { 918 al = SSL_AD_ILLEGAL_PARAMETER;
949 al=SSL_AD_ILLEGAL_PARAMETER; 919 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
950 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
951 goto f_err; 920 goto f_err;
952 } 921 }
953 p+=ssl_put_cipher_by_char(s,NULL,NULL); 922 p += ssl_put_cipher_by_char(s, NULL, NULL);
954 923
955 sk=ssl_get_ciphers_by_id(s); 924 sk = ssl_get_ciphers_by_id(s);
956 i=sk_SSL_CIPHER_find(sk,c); 925 i = sk_SSL_CIPHER_find(sk, c);
957 if (i < 0) 926 if (i < 0) {
958 {
959 /* we did not say we would use this cipher */ 927 /* we did not say we would use this cipher */
960 al=SSL_AD_ILLEGAL_PARAMETER; 928 al = SSL_AD_ILLEGAL_PARAMETER;
961 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 929 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
962 goto f_err; 930 goto f_err;
963 } 931 }
964 932
965 /* Depending on the session caching (internal/external), the cipher 933 /* Depending on the session caching (internal/external), the cipher
966 and/or cipher_id values may not be set. Make sure that 934 and/or cipher_id values may not be set. Make sure that
967 cipher_id is set and use it for comparison. */ 935 cipher_id is set and use it for comparison. */
968 if (s->session->cipher) 936 if (s->session->cipher)
969 s->session->cipher_id = s->session->cipher->id; 937 s->session->cipher_id = s->session->cipher->id;
970 if (s->hit && (s->session->cipher_id != c->id)) 938 if (s->hit && (s->session->cipher_id != c->id)) {
971 {
972/* Workaround is now obsolete */ 939/* Workaround is now obsolete */
973#if 0 940#if 0
974 if (!(s->options & 941 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
975 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
976#endif 942#endif
977 { 943 {
978 al=SSL_AD_ILLEGAL_PARAMETER; 944 al = SSL_AD_ILLEGAL_PARAMETER;
979 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 945 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
980 goto f_err; 946 goto f_err;
981 }
982 } 947 }
983 s->s3->tmp.new_cipher=c; 948 }
949 s->s3->tmp.new_cipher = c;
984 /* Don't digest cached records if TLS v1.2: we may need them for 950 /* Don't digest cached records if TLS v1.2: we may need them for
985 * client authentication. 951 * client authentication.
986 */ 952 */
987 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 953 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) {
988 {
989 al = SSL_AD_INTERNAL_ERROR; 954 al = SSL_AD_INTERNAL_ERROR;
990 goto f_err; 955 goto f_err;
991 } 956 }
992 /* lets get the compression algorithm */ 957 /* lets get the compression algorithm */
993 /* COMPRESSION */ 958 /* COMPRESSION */
994#ifdef OPENSSL_NO_COMP 959#ifdef OPENSSL_NO_COMP
995 if (*(p++) != 0) 960 if (*(p++) != 0) {
996 { 961 al = SSL_AD_ILLEGAL_PARAMETER;
997 al=SSL_AD_ILLEGAL_PARAMETER; 962 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
998 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
999 goto f_err; 963 goto f_err;
1000 } 964 }
1001 /* If compression is disabled we'd better not try to resume a session 965 /* If compression is disabled we'd better not try to resume a session
1002 * using compression. 966 * using compression.
1003 */ 967 */
1004 if (s->session->compress_meth != 0) 968 if (s->session->compress_meth != 0) {
1005 { 969 al = SSL_AD_INTERNAL_ERROR;
1006 al=SSL_AD_INTERNAL_ERROR; 970 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1007 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1008 goto f_err; 971 goto f_err;
1009 } 972 }
1010#else 973#else
1011 j= *(p++); 974 j= *(p++);
1012 if (s->hit && j != s->session->compress_meth) 975 if (s->hit && j != s->session->compress_meth) {
1013 { 976 al = SSL_AD_ILLEGAL_PARAMETER;
1014 al=SSL_AD_ILLEGAL_PARAMETER; 977 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1015 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1016 goto f_err; 978 goto f_err;
1017 } 979 }
1018 if (j == 0) 980 if (j == 0)
1019 comp=NULL; 981 comp = NULL;
1020 else if (s->options & SSL_OP_NO_COMPRESSION) 982 else if (s->options & SSL_OP_NO_COMPRESSION) {
1021 { 983 al = SSL_AD_ILLEGAL_PARAMETER;
1022 al=SSL_AD_ILLEGAL_PARAMETER; 984 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
1023 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
1024 goto f_err; 985 goto f_err;
1025 } 986 } else
1026 else 987 comp = ssl3_comp_find(s->ctx->comp_methods, j);
1027 comp=ssl3_comp_find(s->ctx->comp_methods,j); 988
1028 989 if ((j != 0) && (comp == NULL)) {
1029 if ((j != 0) && (comp == NULL)) 990 al = SSL_AD_ILLEGAL_PARAMETER;
1030 { 991 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1031 al=SSL_AD_ILLEGAL_PARAMETER;
1032 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1033 goto f_err; 992 goto f_err;
1034 } 993 } else {
1035 else 994 s->s3->tmp.new_compression = comp;
1036 { 995 }
1037 s->s3->tmp.new_compression=comp;
1038 }
1039#endif 996#endif
1040 997
1041#ifndef OPENSSL_NO_TLSEXT 998#ifndef OPENSSL_NO_TLSEXT
1042 /* TLS extensions*/ 999 /* TLS extensions*/
1043 if (s->version >= SSL3_VERSION) 1000 if (s->version >= SSL3_VERSION) {
1044 { 1001 if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
1045 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
1046 {
1047 /* 'al' set by ssl_parse_serverhello_tlsext */ 1002 /* 'al' set by ssl_parse_serverhello_tlsext */
1048 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1003 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
1049 goto f_err; 1004 goto f_err;
1050 } 1005
1051 if (ssl_check_serverhello_tlsext(s) <= 0)
1052 {
1053 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1054 goto err;
1055 }
1056 } 1006 }
1007 if (ssl_check_serverhello_tlsext(s) <= 0) {
1008 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1009 goto err;
1010 }
1011 }
1057#endif 1012#endif
1058 1013
1059 if (p != (d+n)) 1014 if (p != (d + n)) {
1060 {
1061 /* wrong packet length */ 1015 /* wrong packet length */
1062 al=SSL_AD_DECODE_ERROR; 1016 al = SSL_AD_DECODE_ERROR;
1063 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1017 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
1064 goto f_err; 1018 goto f_err;
1065 } 1019 }
1066 1020
1067 return(1); 1021 return (1);
1068f_err: 1022f_err:
1069 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1023 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1070err: 1024err:
1071 return(-1); 1025 return (-1);
1072 } 1026}
1073 1027
1074int ssl3_get_server_certificate(SSL *s) 1028int
1075 { 1029ssl3_get_server_certificate(SSL *s)
1076 int al,i,ok,ret= -1; 1030{
1077 unsigned long n,nc,llen,l; 1031 int al, i, ok, ret = -1;
1078 X509 *x=NULL; 1032 unsigned long n, nc, llen, l;
1079 const unsigned char *q,*p; 1033 X509 *x = NULL;
1034 const unsigned char *q, *p;
1080 unsigned char *d; 1035 unsigned char *d;
1081 STACK_OF(X509) *sk=NULL; 1036 STACK_OF(X509) *sk = NULL;
1082 SESS_CERT *sc; 1037 SESS_CERT *sc;
1083 EVP_PKEY *pkey=NULL; 1038 EVP_PKEY *pkey = NULL;
1084 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1039 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
1085 1040
1086 n=s->method->ssl_get_message(s, 1041 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
1087 SSL3_ST_CR_CERT_A, 1042 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
1088 SSL3_ST_CR_CERT_B,
1089 -1,
1090 s->max_cert_list,
1091 &ok);
1092 1043
1093 if (!ok) return((int)n); 1044 if (!ok)
1045 return ((int)n);
1094 1046
1095 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1047 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1096 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1048 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1097 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 1049 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
1098 { 1050 s->s3->tmp.reuse_message = 1;
1099 s->s3->tmp.reuse_message=1; 1051 return (1);
1100 return(1); 1052 }
1101 }
1102 1053
1103 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 1054 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
1104 { 1055 al = SSL_AD_UNEXPECTED_MESSAGE;
1105 al=SSL_AD_UNEXPECTED_MESSAGE; 1056 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE);
1106 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
1107 goto f_err; 1057 goto f_err;
1108 } 1058 }
1109 p=d=(unsigned char *)s->init_msg; 1059 p = d = (unsigned char *)s->init_msg;
1110 1060
1111 if ((sk=sk_X509_new_null()) == NULL) 1061 if ((sk = sk_X509_new_null()) == NULL) {
1112 { 1062 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1113 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1114 goto err; 1063 goto err;
1115 } 1064 }
1116 1065
1117 n2l3(p,llen); 1066 n2l3(p, llen);
1118 if (llen+3 != n) 1067 if (llen + 3 != n) {
1119 { 1068 al = SSL_AD_DECODE_ERROR;
1120 al=SSL_AD_DECODE_ERROR; 1069 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
1121 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1122 goto f_err; 1070 goto f_err;
1123 } 1071 }
1124 for (nc=0; nc<llen; ) 1072 for (nc = 0; nc < llen; ) {
1125 { 1073 n2l3(p, l);
1126 n2l3(p,l); 1074 if ((l + nc + 3) > llen) {
1127 if ((l+nc+3) > llen) 1075 al = SSL_AD_DECODE_ERROR;
1128 { 1076 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1129 al=SSL_AD_DECODE_ERROR;
1130 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1131 goto f_err; 1077 goto f_err;
1132 } 1078 }
1133 1079
1134 q=p; 1080 q = p;
1135 x=d2i_X509(NULL,&q,l); 1081 x = d2i_X509(NULL, &q, l);
1136 if (x == NULL) 1082 if (x == NULL) {
1137 { 1083 al = SSL_AD_BAD_CERTIFICATE;
1138 al=SSL_AD_BAD_CERTIFICATE; 1084 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1139 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
1140 goto f_err; 1085 goto f_err;
1141 } 1086 }
1142 if (q != (p+l)) 1087 if (q != (p + l)) {
1143 { 1088 al = SSL_AD_DECODE_ERROR;
1144 al=SSL_AD_DECODE_ERROR; 1089 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1145 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1146 goto f_err; 1090 goto f_err;
1147 } 1091 }
1148 if (!sk_X509_push(sk,x)) 1092 if (!sk_X509_push(sk, x)) {
1149 { 1093 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1150 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1151 goto err; 1094 goto err;
1152 }
1153 x=NULL;
1154 nc+=l+3;
1155 p=q;
1156 } 1095 }
1096 x = NULL;
1097 nc += l + 3;
1098 p = q;
1099 }
1157 1100
1158 i=ssl_verify_cert_chain(s,sk); 1101 i = ssl_verify_cert_chain(s, sk);
1159 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1102 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1160#ifndef OPENSSL_NO_KRB5 1103#ifndef OPENSSL_NO_KRB5
1161 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1104 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1162 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1105 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1163#endif /* OPENSSL_NO_KRB5 */ 1106#endif /* OPENSSL_NO_KRB5 */
1164 ) 1107 ) {
1165 { 1108 al = ssl_verify_alarm_type(s->verify_result);
1166 al=ssl_verify_alarm_type(s->verify_result); 1109 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED);
1167 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1110 goto f_err;
1168 goto f_err; 1111
1169 } 1112 }
1170 ERR_clear_error(); /* but we keep s->verify_result */ 1113 ERR_clear_error(); /* but we keep s->verify_result */
1171 1114
1172 sc=ssl_sess_cert_new(); 1115 sc = ssl_sess_cert_new();
1173 if (sc == NULL) goto err; 1116 if (sc == NULL)
1117 goto err;
1174 1118
1175 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1119 if (s->session->sess_cert)
1176 s->session->sess_cert=sc; 1120 ssl_sess_cert_free(s->session->sess_cert);
1121 s->session->sess_cert = sc;
1177 1122
1178 sc->cert_chain=sk; 1123 sc->cert_chain = sk;
1179 /* Inconsistency alert: cert_chain does include the peer's 1124 /* Inconsistency alert: cert_chain does include the peer's
1180 * certificate, which we don't include in s3_srvr.c */ 1125 * certificate, which we don't include in s3_srvr.c */
1181 x=sk_X509_value(sk,0); 1126 x = sk_X509_value(sk, 0);
1182 sk=NULL; 1127 sk = NULL;
1183 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1128 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1184 1129
1185 pkey=X509_get_pubkey(x); 1130 pkey = X509_get_pubkey(x);
1186 1131
1187 /* VRS: allow null cert if auth == KRB5 */ 1132 /* VRS: allow null cert if auth == KRB5 */
1188 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1133 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1189 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1134 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1190 ? 0 : 1; 1135 ? 0 : 1;
1191 1136
1192#ifdef KSSL_DEBUG 1137#ifdef KSSL_DEBUG
1193 printf("pkey,x = %p, %p\n", pkey,x); 1138 printf("pkey, x = %p, %p\n", pkey, x);
1194 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1139 printf("ssl_cert_type(x, pkey) = %d\n", ssl_cert_type(x, pkey));
1195 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1140 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1196 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1141 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1197#endif /* KSSL_DEBUG */ 1142#endif /* KSSL_DEBUG */
1198 1143
1199 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1144 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) {
1200 { 1145 x = NULL;
1201 x=NULL; 1146 al = SSL3_AL_FATAL;
1202 al=SSL3_AL_FATAL;
1203 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1147 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1204 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1148 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1205 goto f_err; 1149 goto f_err;
1206 } 1150 }
1207 1151
1208 i=ssl_cert_type(x,pkey); 1152 i = ssl_cert_type(x, pkey);
1209 if (need_cert && i < 0) 1153 if (need_cert && i < 0) {
1210 { 1154 x = NULL;
1211 x=NULL; 1155 al = SSL3_AL_FATAL;
1212 al=SSL3_AL_FATAL;
1213 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1156 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1214 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1157 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1215 goto f_err; 1158 goto f_err;
1216 } 1159 }
1217 1160
1218 if (need_cert) 1161 if (need_cert) {
1219 { 1162 sc->peer_cert_type = i;
1220 sc->peer_cert_type=i; 1163 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1221 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1222 /* Why would the following ever happen? 1164 /* Why would the following ever happen?
1223 * We just created sc a couple of lines ago. */ 1165 * We just created sc a couple of lines ago. */
1224 if (sc->peer_pkeys[i].x509 != NULL) 1166 if (sc->peer_pkeys[i].x509 != NULL)
1225 X509_free(sc->peer_pkeys[i].x509); 1167 X509_free(sc->peer_pkeys[i].x509);
1226 sc->peer_pkeys[i].x509=x; 1168 sc->peer_pkeys[i].x509 = x;
1227 sc->peer_key= &(sc->peer_pkeys[i]); 1169 sc->peer_key = &(sc->peer_pkeys[i]);
1228 1170
1229 if (s->session->peer != NULL) 1171 if (s->session->peer != NULL)
1230 X509_free(s->session->peer); 1172 X509_free(s->session->peer);
1231 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1173 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1232 s->session->peer=x; 1174 s->session->peer = x;
1233 } 1175 } else {
1234 else 1176 sc->peer_cert_type = i;
1235 { 1177 sc->peer_key = NULL;
1236 sc->peer_cert_type=i;
1237 sc->peer_key= NULL;
1238 1178
1239 if (s->session->peer != NULL) 1179 if (s->session->peer != NULL)
1240 X509_free(s->session->peer); 1180 X509_free(s->session->peer);
1241 s->session->peer=NULL; 1181 s->session->peer = NULL;
1242 } 1182 }
1243 s->session->verify_result = s->verify_result; 1183 s->session->verify_result = s->verify_result;
1244 1184
1245 x=NULL; 1185 x = NULL;
1246 ret=1; 1186 ret = 1;
1247 1187
1248 if (0) 1188 if (0) {
1249 {
1250f_err: 1189f_err:
1251 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1190 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1252 } 1191 }
1253err: 1192err:
1254 EVP_PKEY_free(pkey); 1193 EVP_PKEY_free(pkey);
1255 X509_free(x); 1194 X509_free(x);
1256 sk_X509_pop_free(sk,X509_free); 1195 sk_X509_pop_free(sk, X509_free);
1257 return(ret); 1196 return (ret);
1258 } 1197}
1259 1198
1260int ssl3_get_key_exchange(SSL *s) 1199int
1261 { 1200ssl3_get_key_exchange(SSL *s)
1201{
1262#ifndef OPENSSL_NO_RSA 1202#ifndef OPENSSL_NO_RSA
1263 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1203 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1264#endif 1204#endif
1265 EVP_MD_CTX md_ctx; 1205 EVP_MD_CTX md_ctx;
1266 unsigned char *param,*p; 1206 unsigned char *param, *p;
1267 int al,i,j,param_len,ok; 1207 int al, i, j, param_len, ok;
1268 long n,alg_k,alg_a; 1208 long n, alg_k, alg_a;
1269 EVP_PKEY *pkey=NULL; 1209 EVP_PKEY *pkey = NULL;
1270 const EVP_MD *md = NULL; 1210 const EVP_MD *md = NULL;
1271#ifndef OPENSSL_NO_RSA 1211#ifndef OPENSSL_NO_RSA
1272 RSA *rsa=NULL; 1212 RSA *rsa = NULL;
1273#endif 1213#endif
1274#ifndef OPENSSL_NO_DH 1214#ifndef OPENSSL_NO_DH
1275 DH *dh=NULL; 1215 DH *dh = NULL;
1276#endif 1216#endif
1277#ifndef OPENSSL_NO_ECDH 1217#ifndef OPENSSL_NO_ECDH
1278 EC_KEY *ecdh = NULL; 1218 EC_KEY *ecdh = NULL;
@@ -1284,336 +1224,291 @@ int ssl3_get_key_exchange(SSL *s)
1284 1224
1285 /* use same message size as in ssl3_get_certificate_request() 1225 /* use same message size as in ssl3_get_certificate_request()
1286 * as ServerKeyExchange message may be skipped */ 1226 * as ServerKeyExchange message may be skipped */
1287 n=s->method->ssl_get_message(s, 1227 n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1288 SSL3_ST_CR_KEY_EXCH_A, 1228 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok);
1289 SSL3_ST_CR_KEY_EXCH_B, 1229 if (!ok)
1290 -1, 1230 return ((int)n);
1291 s->max_cert_list, 1231
1292 &ok); 1232 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1293 if (!ok) return((int)n);
1294
1295 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1296 {
1297#ifndef OPENSSL_NO_PSK 1233#ifndef OPENSSL_NO_PSK
1298 /* In plain PSK ciphersuite, ServerKeyExchange can be 1234 /* In plain PSK ciphersuite, ServerKeyExchange can be
1299 omitted if no identity hint is sent. Set 1235 omitted if no identity hint is sent. Set
1300 session->sess_cert anyway to avoid problems 1236 session->sess_cert anyway to avoid problems
1301 later.*/ 1237 later.*/
1302 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1238 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
1303 { 1239 s->session->sess_cert = ssl_sess_cert_new();
1304 s->session->sess_cert=ssl_sess_cert_new();
1305 if (s->ctx->psk_identity_hint) 1240 if (s->ctx->psk_identity_hint)
1306 OPENSSL_free(s->ctx->psk_identity_hint); 1241 OPENSSL_free(s->ctx->psk_identity_hint);
1307 s->ctx->psk_identity_hint = NULL; 1242 s->ctx->psk_identity_hint = NULL;
1308 }
1309#endif
1310 s->s3->tmp.reuse_message=1;
1311 return(1);
1312 } 1243 }
1244#endif
1245 s->s3->tmp.reuse_message = 1;
1246 return (1);
1247 }
1313 1248
1314 param=p=(unsigned char *)s->init_msg; 1249 param = p = (unsigned char *)s->init_msg;
1315 if (s->session->sess_cert != NULL) 1250 if (s->session->sess_cert != NULL) {
1316 {
1317#ifndef OPENSSL_NO_RSA 1251#ifndef OPENSSL_NO_RSA
1318 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1252 if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1319 {
1320 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1253 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1321 s->session->sess_cert->peer_rsa_tmp=NULL; 1254 s->session->sess_cert->peer_rsa_tmp = NULL;
1322 } 1255 }
1323#endif 1256#endif
1324#ifndef OPENSSL_NO_DH 1257#ifndef OPENSSL_NO_DH
1325 if (s->session->sess_cert->peer_dh_tmp) 1258 if (s->session->sess_cert->peer_dh_tmp) {
1326 {
1327 DH_free(s->session->sess_cert->peer_dh_tmp); 1259 DH_free(s->session->sess_cert->peer_dh_tmp);
1328 s->session->sess_cert->peer_dh_tmp=NULL; 1260 s->session->sess_cert->peer_dh_tmp = NULL;
1329 } 1261 }
1330#endif 1262#endif
1331#ifndef OPENSSL_NO_ECDH 1263#ifndef OPENSSL_NO_ECDH
1332 if (s->session->sess_cert->peer_ecdh_tmp) 1264 if (s->session->sess_cert->peer_ecdh_tmp) {
1333 {
1334 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1265 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1335 s->session->sess_cert->peer_ecdh_tmp=NULL; 1266 s->session->sess_cert->peer_ecdh_tmp = NULL;
1336 }
1337#endif
1338 }
1339 else
1340 {
1341 s->session->sess_cert=ssl_sess_cert_new();
1342 } 1267 }
1268#endif
1269 } else {
1270 s->session->sess_cert = ssl_sess_cert_new();
1271 }
1343 1272
1344 param_len=0; 1273 param_len = 0;
1345 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1274 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1346 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1275 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1347 EVP_MD_CTX_init(&md_ctx); 1276 EVP_MD_CTX_init(&md_ctx);
1348 1277
1349#ifndef OPENSSL_NO_PSK 1278#ifndef OPENSSL_NO_PSK
1350 if (alg_k & SSL_kPSK) 1279 if (alg_k & SSL_kPSK) {
1351 { 1280 char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1];
1352 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1353 1281
1354 al=SSL_AD_HANDSHAKE_FAILURE; 1282 al = SSL_AD_HANDSHAKE_FAILURE;
1355 n2s(p,i); 1283 n2s(p, i);
1356 param_len=i+2; 1284 param_len = i + 2;
1357 /* Store PSK identity hint for later use, hint is used 1285 /* Store PSK identity hint for later use, hint is used
1358 * in ssl3_send_client_key_exchange. Assume that the 1286 * in ssl3_send_client_key_exchange. Assume that the
1359 * maximum length of a PSK identity hint can be as 1287 * maximum length of a PSK identity hint can be as
1360 * long as the maximum length of a PSK identity. */ 1288 * long as the maximum length of a PSK identity. */
1361 if (i > PSK_MAX_IDENTITY_LEN) 1289 if (i > PSK_MAX_IDENTITY_LEN) {
1362 {
1363 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1290 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1364 SSL_R_DATA_LENGTH_TOO_LONG); 1291 SSL_R_DATA_LENGTH_TOO_LONG);
1365 goto f_err; 1292 goto f_err;
1366 } 1293 }
1367 if (param_len > n) 1294 if (param_len > n) {
1368 { 1295 al = SSL_AD_DECODE_ERROR;
1369 al=SSL_AD_DECODE_ERROR;
1370 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1296 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1371 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1297 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1372 goto f_err; 1298 goto f_err;
1373 } 1299 }
1374 /* If received PSK identity hint contains NULL 1300 /* If received PSK identity hint contains NULL
1375 * characters, the hint is truncated from the first 1301 * characters, the hint is truncated from the first
1376 * NULL. p may not be ending with NULL, so create a 1302 * NULL. p may not be ending with NULL, so create a
1377 * NULL-terminated string. */ 1303 * NULL-terminated string. */
1378 memcpy(tmp_id_hint, p, i); 1304 memcpy(tmp_id_hint, p, i);
1379 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1305 memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
1380 if (s->ctx->psk_identity_hint != NULL) 1306 if (s->ctx->psk_identity_hint != NULL)
1381 OPENSSL_free(s->ctx->psk_identity_hint); 1307 OPENSSL_free(s->ctx->psk_identity_hint);
1382 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1308 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1383 if (s->ctx->psk_identity_hint == NULL) 1309 if (s->ctx->psk_identity_hint == NULL) {
1384 {
1385 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1310 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1386 goto f_err; 1311 goto f_err;
1387 }
1388
1389 p+=i;
1390 n-=param_len;
1391 } 1312 }
1392 else 1313
1314 p += i;
1315 n -= param_len;
1316 } else
1393#endif /* !OPENSSL_NO_PSK */ 1317#endif /* !OPENSSL_NO_PSK */
1394#ifndef OPENSSL_NO_SRP 1318#ifndef OPENSSL_NO_SRP
1395 if (alg_k & SSL_kSRP) 1319 if (alg_k & SSL_kSRP) {
1396 { 1320 n2s(p, i);
1397 n2s(p,i); 1321 param_len = i + 2;
1398 param_len=i+2; 1322 if (param_len > n) {
1399 if (param_len > n) 1323 al = SSL_AD_DECODE_ERROR;
1400 { 1324 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
1401 al=SSL_AD_DECODE_ERROR;
1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
1403 goto f_err; 1325 goto f_err;
1404 } 1326 }
1405 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1327 if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
1406 { 1328 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1407 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1408 goto err; 1329 goto err;
1409 } 1330 }
1410 p+=i; 1331 p += i;
1411 1332
1412 n2s(p,i); 1333 n2s(p, i);
1413 param_len+=i+2; 1334 param_len += i + 2;
1414 if (param_len > n) 1335 if (param_len > n) {
1415 { 1336 al = SSL_AD_DECODE_ERROR;
1416 al=SSL_AD_DECODE_ERROR; 1337 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
1417 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
1418 goto f_err; 1338 goto f_err;
1419 } 1339 }
1420 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1340 if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
1421 { 1341 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1422 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1423 goto err; 1342 goto err;
1424 } 1343 }
1425 p+=i; 1344 p += i;
1426 1345
1427 i = (unsigned int)(p[0]); 1346 i = (unsigned int)(p[0]);
1428 p++; 1347 p++;
1429 param_len+=i+1; 1348 param_len += i + 1;
1430 if (param_len > n) 1349 if (param_len > n) {
1431 { 1350 al = SSL_AD_DECODE_ERROR;
1432 al=SSL_AD_DECODE_ERROR; 1351 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
1433 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
1434 goto f_err; 1352 goto f_err;
1435 } 1353 }
1436 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1354 if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
1437 { 1355 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1439 goto err; 1356 goto err;
1440 } 1357 }
1441 p+=i; 1358 p += i;
1442 1359
1443 n2s(p,i); 1360 n2s(p, i);
1444 param_len+=i+2; 1361 param_len += i + 2;
1445 if (param_len > n) 1362 if (param_len > n) {
1446 { 1363 al = SSL_AD_DECODE_ERROR;
1447 al=SSL_AD_DECODE_ERROR; 1364 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
1448 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
1449 goto f_err; 1365 goto f_err;
1450 } 1366 }
1451 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1367 if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
1452 { 1368 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1453 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1454 goto err; 1369 goto err;
1455 } 1370 }
1456 p+=i; 1371 p += i;
1457 n-=param_len; 1372 n -= param_len;
1458 1373
1459/* We must check if there is a certificate */ 1374/* We must check if there is a certificate */
1460#ifndef OPENSSL_NO_RSA 1375#ifndef OPENSSL_NO_RSA
1461 if (alg_a & SSL_aRSA) 1376 if (alg_a & SSL_aRSA)
1462 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1377 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1463#else 1378#else
1464 if (0) 1379 if (0)
1465 ; 1380;
1466#endif 1381#endif
1467#ifndef OPENSSL_NO_DSA 1382#ifndef OPENSSL_NO_DSA
1468 else if (alg_a & SSL_aDSS) 1383 else if (alg_a & SSL_aDSS)
1469 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1384 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1470#endif 1385#endif
1471 } 1386 } else
1472 else
1473#endif /* !OPENSSL_NO_SRP */ 1387#endif /* !OPENSSL_NO_SRP */
1474#ifndef OPENSSL_NO_RSA 1388#ifndef OPENSSL_NO_RSA
1475 if (alg_k & SSL_kRSA) 1389 if (alg_k & SSL_kRSA) {
1476 { 1390 if ((rsa = RSA_new()) == NULL) {
1477 if ((rsa=RSA_new()) == NULL) 1391 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1478 {
1479 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1480 goto err; 1392 goto err;
1481 } 1393 }
1482 n2s(p,i); 1394 n2s(p, i);
1483 param_len=i+2; 1395 param_len = i + 2;
1484 if (param_len > n) 1396 if (param_len > n) {
1485 { 1397 al = SSL_AD_DECODE_ERROR;
1486 al=SSL_AD_DECODE_ERROR; 1398 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_MODULUS_LENGTH);
1487 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1488 goto f_err; 1399 goto f_err;
1489 } 1400 }
1490 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1401 if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) {
1491 { 1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1492 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1493 goto err; 1403 goto err;
1494 } 1404 }
1495 p+=i; 1405 p += i;
1496 1406
1497 n2s(p,i); 1407 n2s(p, i);
1498 param_len+=i+2; 1408 param_len += i + 2;
1499 if (param_len > n) 1409 if (param_len > n) {
1500 { 1410 al = SSL_AD_DECODE_ERROR;
1501 al=SSL_AD_DECODE_ERROR; 1411 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_E_LENGTH);
1502 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1503 goto f_err; 1412 goto f_err;
1504 } 1413 }
1505 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1414 if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) {
1506 { 1415 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1507 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1508 goto err; 1416 goto err;
1509 } 1417 }
1510 p+=i; 1418 p += i;
1511 n-=param_len; 1419 n -= param_len;
1512 1420
1513 /* this should be because we are using an export cipher */ 1421 /* this should be because we are using an export cipher */
1514 if (alg_a & SSL_aRSA) 1422 if (alg_a & SSL_aRSA)
1515 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1423 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1516 else 1424 else {
1517 { 1425 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1518 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1519 goto err; 1426 goto err;
1520 }
1521 s->session->sess_cert->peer_rsa_tmp=rsa;
1522 rsa=NULL;
1523 } 1427 }
1428 s->session->sess_cert->peer_rsa_tmp = rsa;
1429 rsa = NULL;
1430 }
1524#else /* OPENSSL_NO_RSA */ 1431#else /* OPENSSL_NO_RSA */
1525 if (0) 1432 if (0)
1526 ; 1433;
1527#endif 1434#endif
1528#ifndef OPENSSL_NO_DH 1435#ifndef OPENSSL_NO_DH
1529 else if (alg_k & SSL_kEDH) 1436 else if (alg_k & SSL_kEDH) {
1530 { 1437 if ((dh = DH_new()) == NULL) {
1531 if ((dh=DH_new()) == NULL) 1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
1532 {
1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1534 goto err; 1439 goto err;
1535 } 1440 }
1536 n2s(p,i); 1441 n2s(p, i);
1537 param_len=i+2; 1442 param_len = i + 2;
1538 if (param_len > n) 1443 if (param_len > n) {
1539 { 1444 al = SSL_AD_DECODE_ERROR;
1540 al=SSL_AD_DECODE_ERROR; 1445 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
1541 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1542 goto f_err; 1446 goto f_err;
1543 } 1447 }
1544 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1448 if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1545 { 1449 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1546 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1547 goto err; 1450 goto err;
1548 } 1451 }
1549 p+=i; 1452 p += i;
1550 1453
1551 n2s(p,i); 1454 n2s(p, i);
1552 param_len+=i+2; 1455 param_len += i + 2;
1553 if (param_len > n) 1456 if (param_len > n) {
1554 { 1457 al = SSL_AD_DECODE_ERROR;
1555 al=SSL_AD_DECODE_ERROR; 1458 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1557 goto f_err; 1459 goto f_err;
1558 } 1460 }
1559 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1461 if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1560 { 1462 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1561 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1562 goto err; 1463 goto err;
1563 } 1464 }
1564 p+=i; 1465 p += i;
1565 1466
1566 n2s(p,i); 1467 n2s(p, i);
1567 param_len+=i+2; 1468 param_len += i + 2;
1568 if (param_len > n) 1469 if (param_len > n) {
1569 { 1470 al = SSL_AD_DECODE_ERROR;
1570 al=SSL_AD_DECODE_ERROR; 1471 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1571 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1572 goto f_err; 1472 goto f_err;
1573 } 1473 }
1574 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1474 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1575 { 1475 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1576 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1577 goto err; 1476 goto err;
1578 } 1477 }
1579 p+=i; 1478 p += i;
1580 n-=param_len; 1479 n -= param_len;
1581 1480
1582#ifndef OPENSSL_NO_RSA 1481#ifndef OPENSSL_NO_RSA
1583 if (alg_a & SSL_aRSA) 1482 if (alg_a & SSL_aRSA)
1584 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1483 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1585#else 1484#else
1586 if (0) 1485 if (0)
1587 ; 1486;
1588#endif 1487#endif
1589#ifndef OPENSSL_NO_DSA 1488#ifndef OPENSSL_NO_DSA
1590 else if (alg_a & SSL_aDSS) 1489 else if (alg_a & SSL_aDSS)
1591 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1490 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1592#endif 1491#endif
1593 /* else anonymous DH, so no certificate or pkey. */ 1492 /* else anonymous DH, so no certificate or pkey. */
1594 1493
1595 s->session->sess_cert->peer_dh_tmp=dh; 1494 s->session->sess_cert->peer_dh_tmp = dh;
1596 dh=NULL; 1495 dh = NULL;
1597 } 1496 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1598 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1497 al = SSL_AD_ILLEGAL_PARAMETER;
1599 { 1498 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1600 al=SSL_AD_ILLEGAL_PARAMETER;
1601 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1602 goto f_err; 1499 goto f_err;
1603 } 1500 }
1604#endif /* !OPENSSL_NO_DH */ 1501#endif /* !OPENSSL_NO_DH */
1605 1502
1606#ifndef OPENSSL_NO_ECDH 1503#ifndef OPENSSL_NO_ECDH
1607 else if (alg_k & SSL_kEECDH) 1504 else if (alg_k & SSL_kEECDH) {
1608 {
1609 EC_GROUP *ngroup; 1505 EC_GROUP *ngroup;
1610 const EC_GROUP *group; 1506 const EC_GROUP *group;
1611 1507
1612 if ((ecdh=EC_KEY_new()) == NULL) 1508 if ((ecdh = EC_KEY_new()) == NULL) {
1613 { 1509 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1614 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1615 goto err; 1510 goto err;
1616 } 1511 }
1617 1512
1618 /* Extract elliptic curve parameters and the 1513 /* Extract elliptic curve parameters and the
1619 * server's ephemeral ECDH public key. 1514 * server's ephemeral ECDH public key.
@@ -1624,217 +1519,194 @@ int ssl3_get_key_exchange(SSL *s)
1624 /* XXX: For now we only support named (not generic) curves 1519 /* XXX: For now we only support named (not generic) curves
1625 * and the ECParameters in this case is just three bytes. 1520 * and the ECParameters in this case is just three bytes.
1626 */ 1521 */
1627 param_len=3; 1522 param_len = 3;
1628 if ((param_len > n) || 1523 if ((param_len > n) ||
1629 (*p != NAMED_CURVE_TYPE) || 1524 (*p != NAMED_CURVE_TYPE) ||
1630 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1525 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) {
1631 { 1526 al = SSL_AD_INTERNAL_ERROR;
1632 al=SSL_AD_INTERNAL_ERROR; 1527 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1633 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1634 goto f_err; 1528 goto f_err;
1635 } 1529 }
1636 1530
1637 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1531 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1638 if (ngroup == NULL) 1532 if (ngroup == NULL) {
1639 { 1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1640 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1641 goto err; 1534 goto err;
1642 } 1535 }
1643 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1536 if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1644 { 1537 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1645 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1646 goto err; 1538 goto err;
1647 } 1539 }
1648 EC_GROUP_free(ngroup); 1540 EC_GROUP_free(ngroup);
1649 1541
1650 group = EC_KEY_get0_group(ecdh); 1542 group = EC_KEY_get0_group(ecdh);
1651 1543
1652 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1544 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1653 (EC_GROUP_get_degree(group) > 163)) 1545 (EC_GROUP_get_degree(group) > 163)) {
1654 { 1546 al = SSL_AD_EXPORT_RESTRICTION;
1655 al=SSL_AD_EXPORT_RESTRICTION; 1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1656 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1657 goto f_err; 1548 goto f_err;
1658 } 1549 }
1659 1550
1660 p+=3; 1551 p += 3;
1661 1552
1662 /* Next, get the encoded ECPoint */ 1553 /* Next, get the encoded ECPoint */
1663 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1554 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1664 ((bn_ctx = BN_CTX_new()) == NULL)) 1555 ((bn_ctx = BN_CTX_new()) == NULL)) {
1665 { 1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1666 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1667 goto err; 1557 goto err;
1668 } 1558 }
1669 1559
1670 encoded_pt_len = *p; /* length of encoded point */ 1560 encoded_pt_len = *p;
1671 p+=1; 1561 /* length of encoded point */
1562 p += 1;
1672 param_len += (1 + encoded_pt_len); 1563 param_len += (1 + encoded_pt_len);
1673 if ((param_len > n) || 1564 if ((param_len > n) ||
1674 (EC_POINT_oct2point(group, srvr_ecpoint, 1565 (EC_POINT_oct2point(group, srvr_ecpoint,
1675 p, encoded_pt_len, bn_ctx) == 0)) 1566 p, encoded_pt_len, bn_ctx) == 0)) {
1676 { 1567 al = SSL_AD_DECODE_ERROR;
1677 al=SSL_AD_DECODE_ERROR; 1568 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
1678 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1679 goto f_err; 1569 goto f_err;
1680 } 1570 }
1681 1571
1682 n-=param_len; 1572 n -= param_len;
1683 p+=encoded_pt_len; 1573 p += encoded_pt_len;
1684 1574
1685 /* The ECC/TLS specification does not mention 1575 /* The ECC/TLS specification does not mention
1686 * the use of DSA to sign ECParameters in the server 1576 * the use of DSA to sign ECParameters in the server
1687 * key exchange message. We do support RSA and ECDSA. 1577 * key exchange message. We do support RSA and ECDSA.
1688 */ 1578 */
1689 if (0) ; 1579 if (0);
1690#ifndef OPENSSL_NO_RSA 1580#ifndef OPENSSL_NO_RSA
1691 else if (alg_a & SSL_aRSA) 1581 else if (alg_a & SSL_aRSA)
1692 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1582 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1693#endif 1583#endif
1694#ifndef OPENSSL_NO_ECDSA 1584#ifndef OPENSSL_NO_ECDSA
1695 else if (alg_a & SSL_aECDSA) 1585 else if (alg_a & SSL_aECDSA)
1696 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1586 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1697#endif 1587#endif
1698 /* else anonymous ECDH, so no certificate or pkey. */ 1588 /* else anonymous ECDH, so no certificate or pkey. */
1699 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1589 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1700 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1590 s->session->sess_cert->peer_ecdh_tmp = ecdh;
1701 ecdh=NULL; 1591 ecdh = NULL;
1702 BN_CTX_free(bn_ctx); 1592 BN_CTX_free(bn_ctx);
1703 bn_ctx = NULL; 1593 bn_ctx = NULL;
1704 EC_POINT_free(srvr_ecpoint); 1594 EC_POINT_free(srvr_ecpoint);
1705 srvr_ecpoint = NULL; 1595 srvr_ecpoint = NULL;
1706 } 1596 } else if (alg_k) {
1707 else if (alg_k) 1597 al = SSL_AD_UNEXPECTED_MESSAGE;
1708 { 1598 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1709 al=SSL_AD_UNEXPECTED_MESSAGE;
1710 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1711 goto f_err; 1599 goto f_err;
1712 } 1600 }
1713#endif /* !OPENSSL_NO_ECDH */ 1601#endif /* !OPENSSL_NO_ECDH */
1714 1602
1715 1603
1716 /* p points to the next byte, there are 'n' bytes left */ 1604 /* p points to the next byte, there are 'n' bytes left */
1717 1605
1718 /* if it was signed, check the signature */ 1606 /* if it was signed, check the signature */
1719 if (pkey != NULL) 1607 if (pkey != NULL) {
1720 { 1608 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1721 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1722 {
1723 int sigalg = tls12_get_sigid(pkey); 1609 int sigalg = tls12_get_sigid(pkey);
1724 /* Should never happen */ 1610 /* Should never happen */
1725 if (sigalg == -1) 1611 if (sigalg == -1) {
1726 { 1612 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1727 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1728 goto err; 1613 goto err;
1729 } 1614 }
1730 /* Check key type is consistent with signature */ 1615 /* Check key type is consistent with signature */
1731 if (sigalg != (int)p[1]) 1616 if (sigalg != (int)p[1]) {
1732 { 1617 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_TYPE);
1733 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1618 al = SSL_AD_DECODE_ERROR;
1734 al=SSL_AD_DECODE_ERROR;
1735 goto f_err; 1619 goto f_err;
1736 } 1620 }
1737 md = tls12_get_hash(p[0]); 1621 md = tls12_get_hash(p[0]);
1738 if (md == NULL) 1622 if (md == NULL) {
1739 { 1623 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNKNOWN_DIGEST);
1740 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1624 al = SSL_AD_DECODE_ERROR;
1741 al=SSL_AD_DECODE_ERROR;
1742 goto f_err; 1625 goto f_err;
1743 } 1626 }
1744#ifdef SSL_DEBUG 1627#ifdef SSL_DEBUG
1745fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1628 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1746#endif 1629#endif
1747 p += 2; 1630 p += 2;
1748 n -= 2; 1631 n -= 2;
1749 } 1632 } else
1750 else
1751 md = EVP_sha1(); 1633 md = EVP_sha1();
1752
1753 n2s(p,i);
1754 n-=2;
1755 j=EVP_PKEY_size(pkey);
1756 1634
1757 if ((i != n) || (n > j) || (n <= 0)) 1635 n2s(p, i);
1758 { 1636 n -= 2;
1637 j = EVP_PKEY_size(pkey);
1638
1639 if ((i != n) || (n > j) || (n <= 0)) {
1759 /* wrong packet length */ 1640 /* wrong packet length */
1760 al=SSL_AD_DECODE_ERROR; 1641 al = SSL_AD_DECODE_ERROR;
1761 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1642 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
1762 goto f_err; 1643 goto f_err;
1763 } 1644 }
1764 1645
1765#ifndef OPENSSL_NO_RSA 1646#ifndef OPENSSL_NO_RSA
1766 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 1647 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) {
1767 {
1768 int num; 1648 int num;
1769 1649
1770 j=0; 1650 j = 0;
1771 q=md_buf; 1651 q = md_buf;
1772 for (num=2; num > 0; num--) 1652 for (num = 2; num > 0; num--) {
1773 {
1774 EVP_MD_CTX_set_flags(&md_ctx, 1653 EVP_MD_CTX_set_flags(&md_ctx,
1775 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1654 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1776 EVP_DigestInit_ex(&md_ctx,(num == 2) 1655 EVP_DigestInit_ex(&md_ctx,(num == 2)
1777 ?s->ctx->md5:s->ctx->sha1, NULL); 1656 ?s->ctx->md5 : s->ctx->sha1, NULL);
1778 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1657 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1779 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1658 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1780 EVP_DigestUpdate(&md_ctx,param,param_len); 1659 EVP_DigestUpdate(&md_ctx, param, param_len);
1781 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1660 EVP_DigestFinal_ex(&md_ctx, q,(unsigned int *)&i);
1782 q+=i; 1661 q += i;
1783 j+=i; 1662 j += i;
1784 } 1663 }
1785 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1664 i = RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1786 pkey->pkey.rsa); 1665 pkey->pkey.rsa);
1787 if (i < 0) 1666 if (i < 0) {
1788 { 1667 al = SSL_AD_DECRYPT_ERROR;
1789 al=SSL_AD_DECRYPT_ERROR; 1668 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT);
1790 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1791 goto f_err; 1669 goto f_err;
1792 } 1670 }
1793 if (i == 0) 1671 if (i == 0) {
1794 {
1795 /* bad signature */ 1672 /* bad signature */
1796 al=SSL_AD_DECRYPT_ERROR; 1673 al = SSL_AD_DECRYPT_ERROR;
1797 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1674 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1798 goto f_err; 1675 goto f_err;
1799 }
1800 } 1676 }
1801 else 1677 } else
1802#endif 1678#endif
1803 { 1679 {
1804 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1680 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1805 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1681 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1806 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1682 EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1807 EVP_VerifyUpdate(&md_ctx,param,param_len); 1683 EVP_VerifyUpdate(&md_ctx, param, param_len);
1808 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1684 if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {
1809 {
1810 /* bad signature */ 1685 /* bad signature */
1811 al=SSL_AD_DECRYPT_ERROR; 1686 al = SSL_AD_DECRYPT_ERROR;
1812 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1687 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1813 goto f_err; 1688 goto f_err;
1814 }
1815 } 1689 }
1816 } 1690 }
1817 else 1691 } else {
1818 {
1819 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1692 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
1820 /* aNULL or kPSK do not need public keys */ 1693 /* aNULL or kPSK do not need public keys */
1821 { 1694 {
1822 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1695 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1823 goto err; 1696 goto err;
1824 } 1697 }
1825 /* still data left over */ 1698 /* still data left over */
1826 if (n != 0) 1699 if (n != 0) {
1827 { 1700 al = SSL_AD_DECODE_ERROR;
1828 al=SSL_AD_DECODE_ERROR; 1701 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
1829 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1830 goto f_err; 1702 goto f_err;
1831 }
1832 } 1703 }
1704 }
1833 EVP_PKEY_free(pkey); 1705 EVP_PKEY_free(pkey);
1834 EVP_MD_CTX_cleanup(&md_ctx); 1706 EVP_MD_CTX_cleanup(&md_ctx);
1835 return(1); 1707 return (1);
1836f_err: 1708f_err:
1837 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1709 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1838err: 1710err:
1839 EVP_PKEY_free(pkey); 1711 EVP_PKEY_free(pkey);
1840#ifndef OPENSSL_NO_RSA 1712#ifndef OPENSSL_NO_RSA
@@ -1852,241 +1724,219 @@ err:
1852 EC_KEY_free(ecdh); 1724 EC_KEY_free(ecdh);
1853#endif 1725#endif
1854 EVP_MD_CTX_cleanup(&md_ctx); 1726 EVP_MD_CTX_cleanup(&md_ctx);
1855 return(-1); 1727 return (-1);
1856 } 1728}
1857 1729
1858int ssl3_get_certificate_request(SSL *s) 1730int
1859 { 1731ssl3_get_certificate_request(SSL *s)
1860 int ok,ret=0; 1732{
1861 unsigned long n,nc,l; 1733 int ok, ret = 0;
1862 unsigned int llen, ctype_num,i; 1734 unsigned long n, nc, l;
1863 X509_NAME *xn=NULL; 1735 unsigned int llen, ctype_num, i;
1864 const unsigned char *p,*q; 1736 X509_NAME *xn = NULL;
1737 const unsigned char *p, *q;
1865 unsigned char *d; 1738 unsigned char *d;
1866 STACK_OF(X509_NAME) *ca_sk=NULL; 1739 STACK_OF(X509_NAME) *ca_sk = NULL;
1867 1740
1868 n=s->method->ssl_get_message(s, 1741 n = s->method->ssl_get_message(s,
1869 SSL3_ST_CR_CERT_REQ_A, 1742 SSL3_ST_CR_CERT_REQ_A,
1870 SSL3_ST_CR_CERT_REQ_B, 1743 SSL3_ST_CR_CERT_REQ_B,
1871 -1, 1744 -1,
1872 s->max_cert_list, 1745 s->max_cert_list,
1873 &ok); 1746 &ok);
1874 1747
1875 if (!ok) return((int)n); 1748 if (!ok)
1749 return ((int)n);
1876 1750
1877 s->s3->tmp.cert_req=0; 1751 s->s3->tmp.cert_req = 0;
1878 1752
1879 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1753 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
1880 { 1754 s->s3->tmp.reuse_message = 1;
1881 s->s3->tmp.reuse_message=1;
1882 /* If we get here we don't need any cached handshake records 1755 /* If we get here we don't need any cached handshake records
1883 * as we wont be doing client auth. 1756 * as we wont be doing client auth.
1884 */ 1757 */
1885 if (s->s3->handshake_buffer) 1758 if (s->s3->handshake_buffer) {
1886 {
1887 if (!ssl3_digest_cached_records(s)) 1759 if (!ssl3_digest_cached_records(s))
1888 goto err; 1760 goto err;
1889 }
1890 return(1);
1891 } 1761 }
1762 return (1);
1763 }
1892 1764
1893 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1765 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1894 { 1766 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1895 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1767 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_WRONG_MESSAGE_TYPE);
1896 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1897 goto err; 1768 goto err;
1898 } 1769 }
1899 1770
1900 /* TLS does not like anon-DH with client cert */ 1771 /* TLS does not like anon-DH with client cert */
1901 if (s->version > SSL3_VERSION) 1772 if (s->version > SSL3_VERSION) {
1902 { 1773 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
1903 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1774 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1904 { 1775 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1905 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1906 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1907 goto err; 1776 goto err;
1908 }
1909 } 1777 }
1778 }
1910 1779
1911 p=d=(unsigned char *)s->init_msg; 1780 p = d=(unsigned char *)s->init_msg;
1912 1781
1913 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1782 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1914 { 1783 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1915 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1916 goto err; 1784 goto err;
1917 } 1785 }
1918 1786
1919 /* get the certificate types */ 1787 /* get the certificate types */
1920 ctype_num= *(p++); 1788 ctype_num= *(p++);
1921 if (ctype_num > SSL3_CT_NUMBER) 1789 if (ctype_num > SSL3_CT_NUMBER)
1922 ctype_num=SSL3_CT_NUMBER; 1790 ctype_num = SSL3_CT_NUMBER;
1923 for (i=0; i<ctype_num; i++) 1791 for (i = 0; i < ctype_num; i++)
1924 s->s3->tmp.ctype[i]= p[i]; 1792 s->s3->tmp.ctype[i] = p[i];
1925 p+=ctype_num; 1793 p += ctype_num;
1926 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1794 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1927 {
1928 n2s(p, llen); 1795 n2s(p, llen);
1929 /* Check we have enough room for signature algorithms and 1796 /* Check we have enough room for signature algorithms and
1930 * following length value. 1797 * following length value.
1931 */ 1798 */
1932 if ((unsigned long)(p - d + llen + 2) > n) 1799 if ((unsigned long)(p - d + llen + 2) > n) {
1933 { 1800 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1934 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1801 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_DATA_LENGTH_TOO_LONG);
1935 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
1936 goto err; 1802 goto err;
1937 } 1803 }
1938 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 1804 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) {
1939 { 1805 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1940 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1806 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1941 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1942 goto err; 1807 goto err;
1943 }
1944 p += llen;
1945 } 1808 }
1809 p += llen;
1810 }
1946 1811
1947 /* get the CA RDNs */ 1812 /* get the CA RDNs */
1948 n2s(p,llen); 1813 n2s(p, llen);
1949#if 0 1814#if 0
1950{ 1815 {
1951FILE *out; 1816 FILE *out;
1952out=fopen("/tmp/vsign.der","w"); 1817 out = fopen("/tmp/vsign.der", "w");
1953fwrite(p,1,llen,out); 1818 fwrite(p, 1, llen, out);
1954fclose(out); 1819 fclose(out);
1955} 1820 }
1956#endif 1821#endif
1957 1822
1958 if ((unsigned long)(p - d + llen) != n) 1823 if ((unsigned long)(p - d + llen) != n) {
1959 { 1824 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1960 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1825 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
1961 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1962 goto err; 1826 goto err;
1963 } 1827 }
1964 1828
1965 for (nc=0; nc<llen; ) 1829 for (nc = 0; nc < llen; ) {
1966 { 1830 n2s(p, l);
1967 n2s(p,l); 1831 if ((l + nc + 2) > llen) {
1968 if ((l+nc+2) > llen)
1969 {
1970 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1832 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1971 goto cont; /* netscape bugs */ 1833 goto cont; /* netscape bugs */
1972 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1834 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1973 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1835 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
1974 goto err; 1836 goto err;
1975 } 1837 }
1976 1838
1977 q=p; 1839 q = p;
1978 1840
1979 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1841 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
1980 {
1981 /* If netscape tolerance is on, ignore errors */ 1842 /* If netscape tolerance is on, ignore errors */
1982 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1843 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1983 goto cont; 1844 goto cont;
1984 else 1845 else {
1985 { 1846 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1986 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1847 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
1987 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1988 goto err; 1848 goto err;
1989 }
1990 } 1849 }
1850 }
1991 1851
1992 if (q != (p+l)) 1852 if (q != (p + l)) {
1993 { 1853 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1994 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1854 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_LENGTH_MISMATCH);
1995 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1996 goto err; 1855 goto err;
1997 } 1856 }
1998 if (!sk_X509_NAME_push(ca_sk,xn)) 1857 if (!sk_X509_NAME_push(ca_sk, xn)) {
1999 { 1858 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
2000 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
2001 goto err; 1859 goto err;
2002 }
2003
2004 p+=l;
2005 nc+=l+2;
2006 } 1860 }
2007 1861
2008 if (0) 1862 p += l;
2009 { 1863 nc += l + 2;
1864 }
1865
1866 if (0) {
2010cont: 1867cont:
2011 ERR_clear_error(); 1868 ERR_clear_error();
2012 } 1869 }
2013 1870
2014 /* we should setup a certificate to return.... */ 1871 /* we should setup a certificate to return.... */
2015 s->s3->tmp.cert_req=1; 1872 s->s3->tmp.cert_req = 1;
2016 s->s3->tmp.ctype_num=ctype_num; 1873 s->s3->tmp.ctype_num = ctype_num;
2017 if (s->s3->tmp.ca_names != NULL) 1874 if (s->s3->tmp.ca_names != NULL)
2018 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1875 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
2019 s->s3->tmp.ca_names=ca_sk; 1876 s->s3->tmp.ca_names = ca_sk;
2020 ca_sk=NULL; 1877 ca_sk = NULL;
2021 1878
2022 ret=1; 1879 ret = 1;
2023err: 1880err:
2024 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1881 if (ca_sk != NULL)
2025 return(ret); 1882 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2026 } 1883 return (ret);
1884}
1885
1886static int
1887ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1888{
1889 return (X509_NAME_cmp(*a, *b));
1890}
2027 1891
2028static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
2029 {
2030 return(X509_NAME_cmp(*a,*b));
2031 }
2032#ifndef OPENSSL_NO_TLSEXT 1892#ifndef OPENSSL_NO_TLSEXT
2033int ssl3_get_new_session_ticket(SSL *s) 1893int
2034 { 1894ssl3_get_new_session_ticket(SSL *s)
2035 int ok,al,ret=0, ticklen; 1895{
1896 int ok, al, ret = 0, ticklen;
2036 long n; 1897 long n;
2037 const unsigned char *p; 1898 const unsigned char *p;
2038 unsigned char *d; 1899 unsigned char *d;
2039 1900
2040 n=s->method->ssl_get_message(s, 1901 n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
2041 SSL3_ST_CR_SESSION_TICKET_A, 1902 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok);
2042 SSL3_ST_CR_SESSION_TICKET_B,
2043 -1,
2044 16384,
2045 &ok);
2046
2047 if (!ok) 1903 if (!ok)
2048 return((int)n); 1904 return ((int)n);
2049 1905
2050 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 1906 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) {
2051 { 1907 s->s3->tmp.reuse_message = 1;
2052 s->s3->tmp.reuse_message=1; 1908 return (1);
2053 return(1); 1909 }
2054 } 1910 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
2055 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 1911 al = SSL_AD_UNEXPECTED_MESSAGE;
2056 { 1912 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_BAD_MESSAGE_TYPE);
2057 al=SSL_AD_UNEXPECTED_MESSAGE;
2058 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
2059 goto f_err; 1913 goto f_err;
2060 } 1914 }
2061 if (n < 6) 1915 if (n < 6) {
2062 {
2063 /* need at least ticket_lifetime_hint + ticket length */ 1916 /* need at least ticket_lifetime_hint + ticket length */
2064 al = SSL_AD_DECODE_ERROR; 1917 al = SSL_AD_DECODE_ERROR;
2065 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1918 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2066 goto f_err; 1919 goto f_err;
2067 } 1920 }
2068 1921
2069 p=d=(unsigned char *)s->init_msg; 1922 p = d = (unsigned char *)s->init_msg;
2070 n2l(p, s->session->tlsext_tick_lifetime_hint); 1923 n2l(p, s->session->tlsext_tick_lifetime_hint);
2071 n2s(p, ticklen); 1924 n2s(p, ticklen);
2072 /* ticket_lifetime_hint + ticket_length + ticket */ 1925 /* ticket_lifetime_hint + ticket_length + ticket */
2073 if (ticklen + 6 != n) 1926 if (ticklen + 6 != n) {
2074 {
2075 al = SSL_AD_DECODE_ERROR; 1927 al = SSL_AD_DECODE_ERROR;
2076 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1928 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2077 goto f_err; 1929 goto f_err;
2078 } 1930 }
2079 if (s->session->tlsext_tick) 1931 if (s->session->tlsext_tick) {
2080 {
2081 OPENSSL_free(s->session->tlsext_tick); 1932 OPENSSL_free(s->session->tlsext_tick);
2082 s->session->tlsext_ticklen = 0; 1933 s->session->tlsext_ticklen = 0;
2083 } 1934 }
2084 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1935 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2085 if (!s->session->tlsext_tick) 1936 if (!s->session->tlsext_tick) {
2086 { 1937 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
2087 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
2088 goto err; 1938 goto err;
2089 } 1939 }
2090 memcpy(s->session->tlsext_tick, p, ticklen); 1940 memcpy(s->session->tlsext_tick, p, ticklen);
2091 s->session->tlsext_ticklen = ticklen; 1941 s->session->tlsext_ticklen = ticklen;
2092 /* There are two ways to detect a resumed ticket sesion. 1942 /* There are two ways to detect a resumed ticket sesion.
@@ -2105,122 +1955,116 @@ int ssl3_get_new_session_ticket(SSL *s)
2105 * ticket. 1955 * ticket.
2106 */ 1956 */
2107 EVP_Digest(p, ticklen, 1957 EVP_Digest(p, ticklen,
2108 s->session->session_id, &s->session->session_id_length, 1958 s->session->session_id, &s->session->session_id_length,
2109#ifndef OPENSSL_NO_SHA256 1959#ifndef OPENSSL_NO_SHA256
2110 EVP_sha256(), NULL); 1960 EVP_sha256(), NULL);
2111#else 1961#else
2112 EVP_sha1(), NULL); 1962 EVP_sha1(), NULL);
2113#endif 1963#endif
2114 ret=1; 1964 ret = 1;
2115 return(ret); 1965 return (ret);
2116f_err: 1966f_err:
2117 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1967 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2118err: 1968err:
2119 return(-1); 1969 return (-1);
2120 } 1970}
2121 1971
2122int ssl3_get_cert_status(SSL *s) 1972int
2123 { 1973ssl3_get_cert_status(SSL *s)
1974{
2124 int ok, al; 1975 int ok, al;
2125 unsigned long resplen,n; 1976 unsigned long resplen, n;
2126 const unsigned char *p; 1977 const unsigned char *p;
2127 1978
2128 n=s->method->ssl_get_message(s, 1979 n = s->method->ssl_get_message(s,
2129 SSL3_ST_CR_CERT_STATUS_A, 1980 SSL3_ST_CR_CERT_STATUS_A,
2130 SSL3_ST_CR_CERT_STATUS_B, 1981 SSL3_ST_CR_CERT_STATUS_B,
2131 SSL3_MT_CERTIFICATE_STATUS, 1982 SSL3_MT_CERTIFICATE_STATUS,
2132 16384, 1983 16384,
2133 &ok); 1984 &ok);
2134 1985
2135 if (!ok) return((int)n); 1986 if (!ok)
2136 if (n < 4) 1987 return ((int)n);
2137 { 1988 if (n < 4) {
2138 /* need at least status type + length */ 1989 /* need at least status type + length */
2139 al = SSL_AD_DECODE_ERROR; 1990 al = SSL_AD_DECODE_ERROR;
2140 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1991 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2141 goto f_err; 1992 goto f_err;
2142 } 1993 }
2143 p = (unsigned char *)s->init_msg; 1994 p = (unsigned char *)s->init_msg;
2144 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 1995 if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
2145 {
2146 al = SSL_AD_DECODE_ERROR; 1996 al = SSL_AD_DECODE_ERROR;
2147 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 1997 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
2148 goto f_err; 1998 goto f_err;
2149 } 1999 }
2150 n2l3(p, resplen); 2000 n2l3(p, resplen);
2151 if (resplen + 4 != n) 2001 if (resplen + 4 != n) {
2152 {
2153 al = SSL_AD_DECODE_ERROR; 2002 al = SSL_AD_DECODE_ERROR;
2154 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2003 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2155 goto f_err; 2004 goto f_err;
2156 } 2005 }
2157 if (s->tlsext_ocsp_resp) 2006 if (s->tlsext_ocsp_resp)
2158 OPENSSL_free(s->tlsext_ocsp_resp); 2007 OPENSSL_free(s->tlsext_ocsp_resp);
2159 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2008 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
2160 if (!s->tlsext_ocsp_resp) 2009 if (!s->tlsext_ocsp_resp) {
2161 {
2162 al = SSL_AD_INTERNAL_ERROR; 2010 al = SSL_AD_INTERNAL_ERROR;
2163 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2011 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2164 goto f_err; 2012 goto f_err;
2165 } 2013 }
2166 s->tlsext_ocsp_resplen = resplen; 2014 s->tlsext_ocsp_resplen = resplen;
2167 if (s->ctx->tlsext_status_cb) 2015 if (s->ctx->tlsext_status_cb) {
2168 {
2169 int ret; 2016 int ret;
2170 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2017 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2171 if (ret == 0) 2018 if (ret == 0) {
2172 {
2173 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2019 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2174 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2020 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_INVALID_STATUS_RESPONSE);
2175 goto f_err; 2021 goto f_err;
2176 } 2022 }
2177 if (ret < 0) 2023 if (ret < 0) {
2178 {
2179 al = SSL_AD_INTERNAL_ERROR; 2024 al = SSL_AD_INTERNAL_ERROR;
2180 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2025 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2181 goto f_err; 2026 goto f_err;
2182 }
2183 } 2027 }
2028 }
2184 return 1; 2029 return 1;
2185f_err: 2030f_err:
2186 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2031 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2187 return(-1); 2032 return (-1);
2188 } 2033}
2189#endif 2034#endif
2190 2035
2191int ssl3_get_server_done(SSL *s) 2036int
2192 { 2037ssl3_get_server_done(SSL *s)
2193 int ok,ret=0; 2038{
2039 int ok, ret = 0;
2194 long n; 2040 long n;
2195 2041
2196 n=s->method->ssl_get_message(s, 2042 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
2197 SSL3_ST_CR_SRVR_DONE_A, 2043 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
2198 SSL3_ST_CR_SRVR_DONE_B, 2044 30, /* should be very small, like 0 :-) */ &ok);
2199 SSL3_MT_SERVER_DONE,
2200 30, /* should be very small, like 0 :-) */
2201 &ok);
2202 2045
2203 if (!ok) return((int)n); 2046 if (!ok)
2204 if (n > 0) 2047 return ((int)n);
2205 { 2048 if (n > 0) {
2206 /* should contain no data */ 2049 /* should contain no data */
2207 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2050 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2208 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2051 SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
2209 return -1; 2052 return -1;
2210 }
2211 ret=1;
2212 return(ret);
2213 } 2053 }
2054 ret = 1;
2055 return (ret);
2056}
2214 2057
2215 2058
2216int ssl3_send_client_key_exchange(SSL *s) 2059int
2217 { 2060ssl3_send_client_key_exchange(SSL *s)
2218 unsigned char *p,*d; 2061{
2062 unsigned char *p, *d;
2219 int n; 2063 int n;
2220 unsigned long alg_k; 2064 unsigned long alg_k;
2221#ifndef OPENSSL_NO_RSA 2065#ifndef OPENSSL_NO_RSA
2222 unsigned char *q; 2066 unsigned char *q;
2223 EVP_PKEY *pkey=NULL; 2067 EVP_PKEY *pkey = NULL;
2224#endif 2068#endif
2225#ifndef OPENSSL_NO_KRB5 2069#ifndef OPENSSL_NO_KRB5
2226 KSSL_ERR kssl_err; 2070 KSSL_ERR kssl_err;
@@ -2234,77 +2078,73 @@ int ssl3_send_client_key_exchange(SSL *s)
2234 BN_CTX * bn_ctx = NULL; 2078 BN_CTX * bn_ctx = NULL;
2235#endif 2079#endif
2236 2080
2237 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 2081 if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
2238 { 2082 d = (unsigned char *)s->init_buf->data;
2239 d=(unsigned char *)s->init_buf->data; 2083 p = &(d[4]);
2240 p= &(d[4]);
2241 2084
2242 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2085 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2243 2086
2244 /* Fool emacs indentation */ 2087 /* Fool emacs indentation */
2245 if (0) {} 2088 if (0) {
2089 }
2246#ifndef OPENSSL_NO_RSA 2090#ifndef OPENSSL_NO_RSA
2247 else if (alg_k & SSL_kRSA) 2091 else if (alg_k & SSL_kRSA) {
2248 {
2249 RSA *rsa; 2092 RSA *rsa;
2250 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2093 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2251 2094
2252 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2095 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2253 rsa=s->session->sess_cert->peer_rsa_tmp; 2096 rsa = s->session->sess_cert->peer_rsa_tmp;
2254 else 2097 else {
2255 { 2098 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2256 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2257 if ((pkey == NULL) || 2099 if ((pkey == NULL) ||
2258 (pkey->type != EVP_PKEY_RSA) || 2100 (pkey->type != EVP_PKEY_RSA) ||
2259 (pkey->pkey.rsa == NULL)) 2101 (pkey->pkey.rsa == NULL)) {
2260 { 2102 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2261 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2262 goto err; 2103 goto err;
2263 }
2264 rsa=pkey->pkey.rsa;
2265 EVP_PKEY_free(pkey);
2266 } 2104 }
2267 2105 rsa = pkey->pkey.rsa;
2268 tmp_buf[0]=s->client_version>>8; 2106 EVP_PKEY_free(pkey);
2269 tmp_buf[1]=s->client_version&0xff; 2107 }
2270 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2108
2271 goto err; 2109 tmp_buf[0] = s->client_version >> 8;
2110 tmp_buf[1] = s->client_version & 0xff;
2111 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2112 goto err;
2272 2113
2273 s->session->master_key_length=sizeof tmp_buf; 2114 s->session->master_key_length = sizeof tmp_buf;
2274 2115
2275 q=p; 2116 q = p;
2276 /* Fix buf for TLS and beyond */ 2117 /* Fix buf for TLS and beyond */
2277 if (s->version > SSL3_VERSION) 2118 if (s->version > SSL3_VERSION)
2278 p+=2; 2119 p += 2;
2279 n=RSA_public_encrypt(sizeof tmp_buf, 2120 n = RSA_public_encrypt(sizeof tmp_buf,
2280 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2121 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2281#ifdef PKCS1_CHECK 2122#ifdef PKCS1_CHECK
2282 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2123 if (s->options & SSL_OP_PKCS1_CHECK_1)
2283 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2124 p[1]++;
2125 if (s->options & SSL_OP_PKCS1_CHECK_2)
2126 tmp_buf[0] = 0x70;
2284#endif 2127#endif
2285 if (n <= 0) 2128 if (n <= 0) {
2286 { 2129 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
2287 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
2288 goto err; 2130 goto err;
2289 } 2131 }
2290 2132
2291 /* Fix buf for TLS and beyond */ 2133 /* Fix buf for TLS and beyond */
2292 if (s->version > SSL3_VERSION) 2134 if (s->version > SSL3_VERSION) {
2293 { 2135 s2n(n, q);
2294 s2n(n,q); 2136 n += 2;
2295 n+=2;
2296 }
2297
2298 s->session->master_key_length=
2299 s->method->ssl3_enc->generate_master_secret(s,
2300 s->session->master_key,
2301 tmp_buf,sizeof tmp_buf);
2302 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2303 } 2137 }
2138
2139 s->session->master_key_length =
2140 s->method->ssl3_enc->generate_master_secret(
2141 s, s->session->master_key, tmp_buf,
2142 sizeof tmp_buf);
2143 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2144 }
2304#endif 2145#endif
2305#ifndef OPENSSL_NO_KRB5 2146#ifndef OPENSSL_NO_KRB5
2306 else if (alg_k & SSL_kKRB5) 2147 else if (alg_k & SSL_kKRB5) {
2307 {
2308 krb5_error_code krb5rc; 2148 krb5_error_code krb5rc;
2309 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2149 KSSL_CTX *kssl_ctx = s->kssl_ctx;
2310 /* krb5_data krb5_ap_req; */ 2150 /* krb5_data krb5_ap_req; */
@@ -2314,43 +2154,43 @@ int ssl3_send_client_key_exchange(SSL *s)
2314 const EVP_CIPHER *enc = NULL; 2154 const EVP_CIPHER *enc = NULL;
2315 unsigned char iv[EVP_MAX_IV_LENGTH]; 2155 unsigned char iv[EVP_MAX_IV_LENGTH];
2316 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2156 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2317 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2157 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2318 + EVP_MAX_IV_LENGTH]; 2158 + EVP_MAX_IV_LENGTH];
2319 int padl, outl = sizeof(epms); 2159 int padl, outl = sizeof(epms);
2320 2160
2321 EVP_CIPHER_CTX_init(&ciph_ctx); 2161 EVP_CIPHER_CTX_init(&ciph_ctx);
2322 2162
2323#ifdef KSSL_DEBUG 2163#ifdef KSSL_DEBUG
2324 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2164 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2325 alg_k, SSL_kKRB5); 2165 alg_k, SSL_kKRB5);
2326#endif /* KSSL_DEBUG */ 2166#endif /* KSSL_DEBUG */
2327 2167
2328 authp = NULL; 2168 authp = NULL;
2329#ifdef KRB5SENDAUTH 2169#ifdef KRB5SENDAUTH
2330 if (KRB5SENDAUTH) authp = &authenticator; 2170 if (KRB5SENDAUTH)
2171 authp = &authenticator;
2331#endif /* KRB5SENDAUTH */ 2172#endif /* KRB5SENDAUTH */
2332 2173
2333 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2174 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
2334 &kssl_err); 2175 authp, &kssl_err);
2335 enc = kssl_map_enc(kssl_ctx->enctype); 2176 enc = kssl_map_enc(kssl_ctx->enctype);
2336 if (enc == NULL) 2177 if (enc == NULL)
2337 goto err; 2178 goto err;
2338#ifdef KSSL_DEBUG 2179#ifdef KSSL_DEBUG
2339 { 2180 {
2340 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2181 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2341 if (krb5rc && kssl_err.text) 2182 if (krb5rc && kssl_err.text)
2342 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2183 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2343 } 2184 }
2344#endif /* KSSL_DEBUG */ 2185#endif /* KSSL_DEBUG */
2345 2186
2346 if (krb5rc) 2187 if (krb5rc) {
2347 { 2188 ssl3_send_alert(s, SSL3_AL_FATAL,
2348 ssl3_send_alert(s,SSL3_AL_FATAL, 2189 SSL_AD_HANDSHAKE_FAILURE);
2349 SSL_AD_HANDSHAKE_FAILURE);
2350 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2190 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2351 kssl_err.reason); 2191 kssl_err.reason);
2352 goto err; 2192 goto err;
2353 } 2193 }
2354 2194
2355 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2195 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2356 ** in place of RFC 2712 KerberosWrapper, as in: 2196 ** in place of RFC 2712 KerberosWrapper, as in:
@@ -2372,32 +2212,29 @@ int ssl3_send_client_key_exchange(SSL *s)
2372 */ 2212 */
2373 2213
2374 /* KerberosWrapper.Ticket */ 2214 /* KerberosWrapper.Ticket */
2375 s2n(enc_ticket->length,p); 2215 s2n(enc_ticket->length, p);
2376 memcpy(p, enc_ticket->data, enc_ticket->length); 2216 memcpy(p, enc_ticket->data, enc_ticket->length);
2377 p+= enc_ticket->length; 2217 p += enc_ticket->length;
2378 n = enc_ticket->length + 2; 2218 n = enc_ticket->length + 2;
2379 2219
2380 /* KerberosWrapper.Authenticator */ 2220 /* KerberosWrapper.Authenticator */
2381 if (authp && authp->length) 2221 if (authp && authp->length) {
2382 { 2222 s2n(authp->length, p);
2383 s2n(authp->length,p);
2384 memcpy(p, authp->data, authp->length); 2223 memcpy(p, authp->data, authp->length);
2385 p+= authp->length; 2224 p += authp->length;
2386 n+= authp->length + 2; 2225 n += authp->length + 2;
2387 2226
2388 free(authp->data); 2227 free(authp->data);
2389 authp->data = NULL; 2228 authp->data = NULL;
2390 authp->length = 0; 2229 authp->length = 0;
2391 } 2230 } else {
2392 else
2393 {
2394 s2n(0,p);/* null authenticator length */ 2231 s2n(0,p);/* null authenticator length */
2395 n+=2; 2232 n += 2;
2396 } 2233 }
2397 2234
2398 tmp_buf[0]=s->client_version>>8; 2235 tmp_buf[0] = s->client_version >> 8;
2399 tmp_buf[1]=s->client_version&0xff; 2236 tmp_buf[1] = s->client_version&0xff;
2400 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2237 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2401 goto err; 2238 goto err;
2402 2239
2403 /* 20010420 VRS. Tried it this way; failed. 2240 /* 20010420 VRS. Tried it this way; failed.
@@ -2407,104 +2244,97 @@ int ssl3_send_client_key_exchange(SSL *s)
2407 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2244 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2408 */ 2245 */
2409 2246
2410 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2247 memset(iv, 0, sizeof iv);
2411 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2248 /* per RFC 1510 */
2412 kssl_ctx->key,iv); 2249 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
2413 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2250 kssl_ctx->key, iv);
2414 sizeof tmp_buf); 2251 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
2415 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2252 sizeof tmp_buf);
2253 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
2416 outl += padl; 2254 outl += padl;
2417 if (outl > (int)sizeof epms) 2255 if (outl > (int)sizeof epms) {
2418 {
2419 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2256 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2420 goto err; 2257 goto err;
2421 } 2258 }
2422 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2259 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2423 2260
2424 /* KerberosWrapper.EncryptedPreMasterSecret */ 2261 /* KerberosWrapper.EncryptedPreMasterSecret */
2425 s2n(outl,p); 2262 s2n(outl, p);
2426 memcpy(p, epms, outl); 2263 memcpy(p, epms, outl);
2427 p+=outl; 2264 p += outl;
2428 n+=outl + 2; 2265 n += outl + 2;
2429 2266
2430 s->session->master_key_length= 2267 s->session->master_key_length =
2431 s->method->ssl3_enc->generate_master_secret(s, 2268 s->method->ssl3_enc->generate_master_secret(s,
2432 s->session->master_key, 2269 s->session->master_key,
2433 tmp_buf, sizeof tmp_buf); 2270 tmp_buf, sizeof tmp_buf);
2434 2271
2435 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2272 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2436 OPENSSL_cleanse(epms, outl); 2273 OPENSSL_cleanse(epms, outl);
2437 } 2274 }
2438#endif 2275#endif
2439#ifndef OPENSSL_NO_DH 2276#ifndef OPENSSL_NO_DH
2440 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2277 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2441 { 2278 DH *dh_srvr, *dh_clnt;
2442 DH *dh_srvr,*dh_clnt;
2443 2279
2444 if (s->session->sess_cert == NULL) 2280 if (s->session->sess_cert == NULL) {
2445 { 2281 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2446 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2282 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
2447 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2448 goto err; 2283 goto err;
2449 } 2284 }
2450 2285
2451 if (s->session->sess_cert->peer_dh_tmp != NULL) 2286 if (s->session->sess_cert->peer_dh_tmp != NULL)
2452 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2287 dh_srvr = s->session->sess_cert->peer_dh_tmp;
2453 else 2288 else {
2454 {
2455 /* we get them from the cert */ 2289 /* we get them from the cert */
2456 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2290 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2457 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2291 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2458 goto err; 2292 goto err;
2459 } 2293 }
2460 2294
2461 /* generate a new random key */ 2295 /* generate a new random key */
2462 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2296 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
2463 { 2297 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2464 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2465 goto err; 2298 goto err;
2466 } 2299 }
2467 if (!DH_generate_key(dh_clnt)) 2300 if (!DH_generate_key(dh_clnt)) {
2468 { 2301 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2469 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2470 DH_free(dh_clnt); 2302 DH_free(dh_clnt);
2471 goto err; 2303 goto err;
2472 } 2304 }
2473 2305
2474 /* use the 'p' output buffer for the DH key, but 2306 /* use the 'p' output buffer for the DH key, but
2475 * make sure to clear it out afterwards */ 2307 * make sure to clear it out afterwards */
2476 2308
2477 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2309 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
2478 2310
2479 if (n <= 0) 2311 if (n <= 0) {
2480 { 2312 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2481 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2482 DH_free(dh_clnt); 2313 DH_free(dh_clnt);
2483 goto err; 2314 goto err;
2484 } 2315 }
2485 2316
2486 /* generate master key from the result */ 2317 /* generate master key from the result */
2487 s->session->master_key_length= 2318 s->session->master_key_length =
2488 s->method->ssl3_enc->generate_master_secret(s, 2319 s->method->ssl3_enc->generate_master_secret(s,
2489 s->session->master_key,p,n); 2320 s->session->master_key, p, n);
2490 /* clean up */ 2321 /* clean up */
2491 memset(p,0,n); 2322 memset(p, 0, n);
2492 2323
2493 /* send off the data */ 2324 /* send off the data */
2494 n=BN_num_bytes(dh_clnt->pub_key); 2325 n = BN_num_bytes(dh_clnt->pub_key);
2495 s2n(n,p); 2326 s2n(n, p);
2496 BN_bn2bin(dh_clnt->pub_key,p); 2327 BN_bn2bin(dh_clnt->pub_key, p);
2497 n+=2; 2328 n += 2;
2498 2329
2499 DH_free(dh_clnt); 2330 DH_free(dh_clnt);
2500 2331
2501 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2332 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2502 } 2333 }
2503#endif 2334#endif
2504 2335
2505#ifndef OPENSSL_NO_ECDH 2336#ifndef OPENSSL_NO_ECDH
2506 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2337 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2507 {
2508 const EC_GROUP *srvr_group = NULL; 2338 const EC_GROUP *srvr_group = NULL;
2509 EC_KEY *tkey; 2339 EC_KEY *tkey;
2510 int ecdh_clnt_cert = 0; 2340 int ecdh_clnt_cert = 0;
@@ -2515,8 +2345,7 @@ int ssl3_send_client_key_exchange(SSL *s)
2515 * computation as part of client certificate? 2345 * computation as part of client certificate?
2516 * If so, set ecdh_clnt_cert to 1. 2346 * If so, set ecdh_clnt_cert to 1.
2517 */ 2347 */
2518 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2348 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) {
2519 {
2520 /* XXX: For now, we do not support client 2349 /* XXX: For now, we do not support client
2521 * authentication using ECDH certificates. 2350 * authentication using ECDH certificates.
2522 * To add such support, one needs to add 2351 * To add such support, one needs to add
@@ -2536,52 +2365,44 @@ int ssl3_send_client_key_exchange(SSL *s)
2536 * EVP_PKEY_EC) && ...) 2365 * EVP_PKEY_EC) && ...)
2537 * ecdh_clnt_cert = 1; 2366 * ecdh_clnt_cert = 1;
2538 */ 2367 */
2539 } 2368 }
2540 2369
2541 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2370 if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
2542 {
2543 tkey = s->session->sess_cert->peer_ecdh_tmp; 2371 tkey = s->session->sess_cert->peer_ecdh_tmp;
2544 } 2372 } else {
2545 else
2546 {
2547 /* Get the Server Public Key from Cert */ 2373 /* Get the Server Public Key from Cert */
2548 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2374 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2549 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2375 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2550 if ((srvr_pub_pkey == NULL) || 2376 if ((srvr_pub_pkey == NULL) ||
2551 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2377 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2552 (srvr_pub_pkey->pkey.ec == NULL)) 2378 (srvr_pub_pkey->pkey.ec == NULL)) {
2553 {
2554 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2379 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2555 ERR_R_INTERNAL_ERROR); 2380 ERR_R_INTERNAL_ERROR);
2556 goto err; 2381 goto err;
2557 } 2382 }
2558 2383
2559 tkey = srvr_pub_pkey->pkey.ec; 2384 tkey = srvr_pub_pkey->pkey.ec;
2560 } 2385 }
2561 2386
2562 srvr_group = EC_KEY_get0_group(tkey); 2387 srvr_group = EC_KEY_get0_group(tkey);
2563 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2388 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2564 2389
2565 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2390 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
2566 {
2567 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2391 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2568 ERR_R_INTERNAL_ERROR); 2392 ERR_R_INTERNAL_ERROR);
2569 goto err; 2393 goto err;
2570 } 2394 }
2571 2395
2572 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2396 if ((clnt_ecdh = EC_KEY_new()) == NULL) {
2573 { 2397 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2574 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2575 goto err; 2398 goto err;
2576 } 2399 }
2577 2400
2578 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2401 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
2579 { 2402 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2580 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2581 goto err; 2403 goto err;
2582 } 2404 }
2583 if (ecdh_clnt_cert) 2405 if (ecdh_clnt_cert) {
2584 {
2585 /* Reuse key info from our certificate 2406 /* Reuse key info from our certificate
2586 * We only need our private key to perform 2407 * We only need our private key to perform
2587 * the ECDH computation. 2408 * the ECDH computation.
@@ -2589,581 +2410,529 @@ int ssl3_send_client_key_exchange(SSL *s)
2589 const BIGNUM *priv_key; 2410 const BIGNUM *priv_key;
2590 tkey = s->cert->key->privatekey->pkey.ec; 2411 tkey = s->cert->key->privatekey->pkey.ec;
2591 priv_key = EC_KEY_get0_private_key(tkey); 2412 priv_key = EC_KEY_get0_private_key(tkey);
2592 if (priv_key == NULL) 2413 if (priv_key == NULL) {
2593 { 2414 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2594 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2595 goto err; 2415 goto err;
2596 } 2416 }
2597 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2417 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) {
2598 { 2418 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2600 goto err; 2419 goto err;
2601 }
2602 } 2420 }
2603 else 2421 } else {
2604 {
2605 /* Generate a new ECDH key pair */ 2422 /* Generate a new ECDH key pair */
2606 if (!(EC_KEY_generate_key(clnt_ecdh))) 2423 if (!(EC_KEY_generate_key(clnt_ecdh))) {
2607 {
2608 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2424 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2609 goto err; 2425 goto err;
2610 }
2611 } 2426 }
2427 }
2612 2428
2613 /* use the 'p' output buffer for the ECDH key, but 2429 /* use the 'p' output buffer for the ECDH key, but
2614 * make sure to clear it out afterwards 2430 * make sure to clear it out afterwards
2615 */ 2431 */
2616 2432
2617 field_size = EC_GROUP_get_degree(srvr_group); 2433 field_size = EC_GROUP_get_degree(srvr_group);
2618 if (field_size <= 0) 2434 if (field_size <= 0) {
2619 { 2435 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2620 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2436 ERR_R_ECDH_LIB);
2621 ERR_R_ECDH_LIB);
2622 goto err; 2437 goto err;
2623 } 2438 }
2624 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2439 n = ECDH_compute_key(p, (field_size + 7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2625 if (n <= 0) 2440 if (n <= 0) {
2626 { 2441 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2442 ERR_R_ECDH_LIB);
2628 ERR_R_ECDH_LIB);
2629 goto err; 2443 goto err;
2630 } 2444 }
2631 2445
2632 /* generate master key from the result */ 2446 /* generate master key from the result */
2633 s->session->master_key_length = s->method->ssl3_enc \ 2447 s->session->master_key_length = s->method->ssl3_enc \
2634 -> generate_master_secret(s, 2448 -> generate_master_secret(s,
2635 s->session->master_key, 2449 s->session->master_key,
2636 p, n); 2450 p, n);
2637 2451
2638 memset(p, 0, n); /* clean up */ 2452 memset(p, 0, n); /* clean up */
2639 2453
2640 if (ecdh_clnt_cert) 2454 if (ecdh_clnt_cert) {
2641 {
2642 /* Send empty client key exch message */ 2455 /* Send empty client key exch message */
2643 n = 0; 2456 n = 0;
2644 } 2457 } else {
2645 else
2646 {
2647 /* First check the size of encoding and 2458 /* First check the size of encoding and
2648 * allocate memory accordingly. 2459 * allocate memory accordingly.
2649 */ 2460 */
2650 encoded_pt_len = 2461 encoded_pt_len =
2651 EC_POINT_point2oct(srvr_group, 2462 EC_POINT_point2oct(srvr_group,
2652 EC_KEY_get0_public_key(clnt_ecdh), 2463 EC_KEY_get0_public_key(clnt_ecdh),
2653 POINT_CONVERSION_UNCOMPRESSED, 2464 POINT_CONVERSION_UNCOMPRESSED,
2654 NULL, 0, NULL); 2465 NULL, 0, NULL);
2655 2466
2656 encodedPoint = (unsigned char *) 2467 encodedPoint =
2657 OPENSSL_malloc(encoded_pt_len * 2468 (unsigned char *)OPENSSL_malloc(
2658 sizeof(unsigned char)); 2469 encoded_pt_len * sizeof(unsigned char));
2470
2659 bn_ctx = BN_CTX_new(); 2471 bn_ctx = BN_CTX_new();
2660 if ((encodedPoint == NULL) || 2472 if ((encodedPoint == NULL) ||
2661 (bn_ctx == NULL)) 2473 (bn_ctx == NULL)) {
2662 { 2474 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2663 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2664 goto err; 2475 goto err;
2665 } 2476 }
2666 2477
2667 /* Encode the public key */ 2478 /* Encode the public key */
2668 n = EC_POINT_point2oct(srvr_group, 2479 n = EC_POINT_point2oct(srvr_group,
2669 EC_KEY_get0_public_key(clnt_ecdh), 2480 EC_KEY_get0_public_key(clnt_ecdh),
2670 POINT_CONVERSION_UNCOMPRESSED, 2481 POINT_CONVERSION_UNCOMPRESSED,
2671 encodedPoint, encoded_pt_len, bn_ctx); 2482 encodedPoint, encoded_pt_len, bn_ctx);
2672 2483
2673 *p = n; /* length of encoded point */ 2484 *p = n; /* length of encoded point */
2674 /* Encoded point will be copied here */ 2485 /* Encoded point will be copied here */
2675 p += 1; 2486 p += 1;
2487
2676 /* copy the point */ 2488 /* copy the point */
2677 memcpy((unsigned char *)p, encodedPoint, n); 2489 memcpy((unsigned char *)p, encodedPoint, n);
2678 /* increment n to account for length field */ 2490 /* increment n to account for length field */
2679 n += 1; 2491 n += 1;
2680 } 2492
2493 }
2681 2494
2682 /* Free allocated memory */ 2495 /* Free allocated memory */
2683 BN_CTX_free(bn_ctx); 2496 BN_CTX_free(bn_ctx);
2684 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2497 if (encodedPoint != NULL)
2685 if (clnt_ecdh != NULL) 2498 OPENSSL_free(encodedPoint);
2686 EC_KEY_free(clnt_ecdh); 2499 if (clnt_ecdh != NULL)
2500 EC_KEY_free(clnt_ecdh);
2687 EVP_PKEY_free(srvr_pub_pkey); 2501 EVP_PKEY_free(srvr_pub_pkey);
2688 } 2502 }
2689#endif /* !OPENSSL_NO_ECDH */ 2503#endif /* !OPENSSL_NO_ECDH */
2690 else if (alg_k & SSL_kGOST) 2504 else if (alg_k & SSL_kGOST) {
2691 {
2692 /* GOST key exchange message creation */ 2505 /* GOST key exchange message creation */
2693 EVP_PKEY_CTX *pkey_ctx; 2506 EVP_PKEY_CTX *pkey_ctx;
2694 X509 *peer_cert; 2507 X509 *peer_cert;
2508
2695 size_t msglen; 2509 size_t msglen;
2696 unsigned int md_len; 2510 unsigned int md_len;
2697 int keytype; 2511 int keytype;
2698 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2512 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
2699 EVP_MD_CTX *ukm_hash; 2513 EVP_MD_CTX *ukm_hash;
2700 EVP_PKEY *pub_key; 2514 EVP_PKEY *pub_key;
2701 2515
2702 /* Get server sertificate PKEY and create ctx from it */ 2516 /* Get server sertificate PKEY and create ctx from it */
2703 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2517 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST01)].x509;
2704 if (!peer_cert) 2518 if (!peer_cert)
2705 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2519 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST94)].x509;
2706 if (!peer_cert) { 2520 if (!peer_cert) {
2707 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2521 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2708 goto err; 2522 goto err;
2709 } 2523 }
2710 2524
2711 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2525 pkey_ctx = EVP_PKEY_CTX_new(pub_key = X509_get_pubkey(peer_cert), NULL);
2712 /* If we have send a certificate, and certificate key 2526 /* If we have send a certificate, and certificate key
2713 2527
2714 * parameters match those of server certificate, use 2528 * parameters match those of server certificate, use
2715 * certificate key for key exchange 2529 * certificate key for key exchange
2716 */ 2530 */
2717 2531
2718 /* Otherwise, generate ephemeral key pair */ 2532 /* Otherwise, generate ephemeral key pair */
2719 2533
2720 EVP_PKEY_encrypt_init(pkey_ctx); 2534 EVP_PKEY_encrypt_init(pkey_ctx);
2721 /* Generate session key */ 2535 /* Generate session key */
2722 RAND_bytes(premaster_secret,32); 2536 RAND_bytes(premaster_secret, 32);
2723 /* If we have client certificate, use its secret as peer key */ 2537 /* If we have client certificate, use its secret as peer key */
2724 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2538 if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2725 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2539 if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <=0) {
2726 /* If there was an error - just ignore it. Ephemeral key 2540 /* If there was an error - just ignore it. Ephemeral key
2727 * would be used 2541 * would be used
2728 */ 2542 */
2729 ERR_clear_error(); 2543 ERR_clear_error();
2730 } 2544 }
2731 } 2545 }
2732 /* Compute shared IV and store it in algorithm-specific 2546 /* Compute shared IV and store it in algorithm-specific
2733 * context data */ 2547 * context data */
2734 ukm_hash = EVP_MD_CTX_create(); 2548 ukm_hash = EVP_MD_CTX_create();
2735 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2549 EVP_DigestInit(ukm_hash, EVP_get_digestbynid(NID_id_GostR3411_94));
2736 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2550 EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE);
2737 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2551 EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE);
2738 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2552 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2739 EVP_MD_CTX_destroy(ukm_hash); 2553 EVP_MD_CTX_destroy(ukm_hash);
2740 if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2554 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV,
2741 8,shared_ukm)<0) { 2555 8, shared_ukm) < 0) {
2742 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2556 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2743 SSL_R_LIBRARY_BUG); 2557 SSL_R_LIBRARY_BUG);
2744 goto err; 2558 goto err;
2745 } 2559 }
2746 /* Make GOST keytransport blob message */ 2560 /* Make GOST keytransport blob message */
2747 /*Encapsulate it into sequence */ 2561 /*Encapsulate it into sequence */
2748 *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2562 *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2749 msglen=255; 2563 msglen = 255;
2750 if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2564 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32) < 0) {
2751 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2565 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2752 SSL_R_LIBRARY_BUG); 2566 SSL_R_LIBRARY_BUG);
2753 goto err; 2567 goto err;
2754 } 2568 }
2755 if (msglen >= 0x80) 2569 if (msglen >= 0x80) {
2756 { 2570 *(p++) = 0x81;
2757 *(p++)=0x81; 2571 *(p++) = msglen & 0xff;
2758 *(p++)= msglen & 0xff; 2572 n = msglen + 3;
2759 n=msglen+3; 2573 } else {
2760 } 2574 *(p++) = msglen & 0xff;
2761 else 2575 n = msglen + 2;
2762 { 2576 }
2763 *(p++)= msglen & 0xff;
2764 n=msglen+2;
2765 }
2766 memcpy(p, tmp, msglen); 2577 memcpy(p, tmp, msglen);
2767 /* Check if pubkey from client certificate was used */ 2578 /* Check if pubkey from client certificate was used */
2768 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2579 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) {
2769 {
2770 /* Set flag "skip certificate verify" */ 2580 /* Set flag "skip certificate verify" */
2771 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2581 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2772 } 2582 }
2773 EVP_PKEY_CTX_free(pkey_ctx); 2583 EVP_PKEY_CTX_free(pkey_ctx);
2774 s->session->master_key_length= 2584 s->session->master_key_length =
2775 s->method->ssl3_enc->generate_master_secret(s, 2585 s->method->ssl3_enc->generate_master_secret(s,
2776 s->session->master_key,premaster_secret,32); 2586 s->session->master_key, premaster_secret, 32);
2777 EVP_PKEY_free(pub_key); 2587 EVP_PKEY_free(pub_key);
2778 2588
2779 } 2589 }
2780#ifndef OPENSSL_NO_SRP 2590#ifndef OPENSSL_NO_SRP
2781 else if (alg_k & SSL_kSRP) 2591 else if (alg_k & SSL_kSRP) {
2782 { 2592 if (s->srp_ctx.A != NULL) {
2783 if (s->srp_ctx.A != NULL)
2784 {
2785 /* send off the data */ 2593 /* send off the data */
2786 n=BN_num_bytes(s->srp_ctx.A); 2594 n = BN_num_bytes(s->srp_ctx.A);
2787 s2n(n,p); 2595 s2n(n, p);
2788 BN_bn2bin(s->srp_ctx.A,p); 2596 BN_bn2bin(s->srp_ctx.A, p);
2789 n+=2; 2597 n += 2;
2790 } 2598 } else {
2791 else 2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2792 {
2793 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2794 goto err; 2600 goto err;
2795 } 2601 }
2796 if (s->session->srp_username != NULL) 2602 if (s->session->srp_username != NULL)
2797 OPENSSL_free(s->session->srp_username); 2603 OPENSSL_free(s->session->srp_username);
2798 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2604 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2799 if (s->session->srp_username == NULL) 2605 if (s->session->srp_username == NULL) {
2800 {
2801 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2606 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2802 ERR_R_MALLOC_FAILURE); 2607 ERR_R_MALLOC_FAILURE);
2803 goto err; 2608 goto err;
2804 } 2609 }
2805 2610
2806 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 2611 if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
2807 { 2612 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2808 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2809 goto err; 2613 goto err;
2810 }
2811 } 2614 }
2615 }
2812#endif 2616#endif
2813#ifndef OPENSSL_NO_PSK 2617#ifndef OPENSSL_NO_PSK
2814 else if (alg_k & SSL_kPSK) 2618 else if (alg_k & SSL_kPSK) {
2815 {
2816 char identity[PSK_MAX_IDENTITY_LEN]; 2619 char identity[PSK_MAX_IDENTITY_LEN];
2817 unsigned char *t = NULL; 2620 unsigned char *t = NULL;
2818 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2621 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2819 unsigned int pre_ms_len = 0, psk_len = 0; 2622 unsigned int pre_ms_len = 0, psk_len = 0;
2820 int psk_err = 1; 2623 int psk_err = 1;
2821 2624
2822 n = 0; 2625 n = 0;
2823 if (s->psk_client_callback == NULL) 2626 if (s->psk_client_callback == NULL) {
2824 {
2825 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2826 SSL_R_PSK_NO_CLIENT_CB); 2628 SSL_R_PSK_NO_CLIENT_CB);
2827 goto err; 2629 goto err;
2828 } 2630 }
2829 2631
2830 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2632 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
2831 identity, PSK_MAX_IDENTITY_LEN, 2633 identity, PSK_MAX_IDENTITY_LEN,
2832 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2634 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2833 if (psk_len > PSK_MAX_PSK_LEN) 2635 if (psk_len > PSK_MAX_PSK_LEN) {
2834 {
2835 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2636 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2836 ERR_R_INTERNAL_ERROR); 2637 ERR_R_INTERNAL_ERROR);
2837 goto psk_err; 2638 goto psk_err;
2838 } 2639 } else if (psk_len == 0) {
2839 else if (psk_len == 0)
2840 {
2841 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2640 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2842 SSL_R_PSK_IDENTITY_NOT_FOUND); 2641 SSL_R_PSK_IDENTITY_NOT_FOUND);
2843 goto psk_err; 2642 goto psk_err;
2844 } 2643 }
2845 2644
2846 /* create PSK pre_master_secret */ 2645 /* create PSK pre_master_secret */
2847 pre_ms_len = 2+psk_len+2+psk_len; 2646 pre_ms_len = 2 + psk_len + 2 + psk_len;
2848 t = psk_or_pre_ms; 2647 t = psk_or_pre_ms;
2849 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2648 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2850 s2n(psk_len, t); 2649 s2n(psk_len, t);
2851 memset(t, 0, psk_len); 2650 memset(t, 0, psk_len);
2852 t+=psk_len; 2651 t += psk_len;
2853 s2n(psk_len, t); 2652 s2n(psk_len, t);
2854 2653
2855 if (s->session->psk_identity_hint != NULL) 2654 if (s->session->psk_identity_hint != NULL)
2856 OPENSSL_free(s->session->psk_identity_hint); 2655 OPENSSL_free(s->session->psk_identity_hint);
2857 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2656 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2858 if (s->ctx->psk_identity_hint != NULL && 2657 if (s->ctx->psk_identity_hint != NULL &&
2859 s->session->psk_identity_hint == NULL) 2658 s->session->psk_identity_hint == NULL) {
2860 {
2861 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2659 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2862 ERR_R_MALLOC_FAILURE); 2660 ERR_R_MALLOC_FAILURE);
2863 goto psk_err; 2661 goto psk_err;
2864 } 2662 }
2865 2663
2866 if (s->session->psk_identity != NULL) 2664 if (s->session->psk_identity != NULL)
2867 OPENSSL_free(s->session->psk_identity); 2665 OPENSSL_free(s->session->psk_identity);
2868 s->session->psk_identity = BUF_strdup(identity); 2666 s->session->psk_identity = BUF_strdup(identity);
2869 if (s->session->psk_identity == NULL) 2667 if (s->session->psk_identity == NULL) {
2870 {
2871 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2668 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2872 ERR_R_MALLOC_FAILURE); 2669 ERR_R_MALLOC_FAILURE);
2873 goto psk_err; 2670 goto psk_err;
2874 } 2671 }
2875 2672
2876 s->session->master_key_length = 2673 s->session->master_key_length =
2877 s->method->ssl3_enc->generate_master_secret(s, 2674 s->method->ssl3_enc->generate_master_secret(
2878 s->session->master_key, 2675 s, s->session->master_key, psk_or_pre_ms,
2879 psk_or_pre_ms, pre_ms_len); 2676 pre_ms_len);
2677
2880 n = strlen(identity); 2678 n = strlen(identity);
2881 s2n(n, p); 2679 s2n(n, p);
2882 memcpy(p, identity, n); 2680 memcpy(p, identity, n);
2883 n+=2; 2681 n += 2;
2884 psk_err = 0; 2682 psk_err = 0;
2885 psk_err: 2683 psk_err:
2886 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2684 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2887 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2685 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2888 if (psk_err != 0) 2686 if (psk_err != 0) {
2889 {
2890 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2687 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2891 goto err; 2688 goto err;
2892 }
2893 } 2689 }
2690 }
2894#endif 2691#endif
2895 else 2692 else {
2896 {
2897 ssl3_send_alert(s, SSL3_AL_FATAL, 2693 ssl3_send_alert(s, SSL3_AL_FATAL,
2898 SSL_AD_HANDSHAKE_FAILURE); 2694 SSL_AD_HANDSHAKE_FAILURE);
2899 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2695 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2900 ERR_R_INTERNAL_ERROR); 2696 ERR_R_INTERNAL_ERROR);
2901 goto err; 2697 goto err;
2902 } 2698 }
2903
2904 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2905 l2n3(n,d);
2906 2699
2907 s->state=SSL3_ST_CW_KEY_EXCH_B; 2700 *(d++) = SSL3_MT_CLIENT_KEY_EXCHANGE;
2701 l2n3(n, d);
2702
2703 s->state = SSL3_ST_CW_KEY_EXCH_B;
2908 /* number of bytes to write */ 2704 /* number of bytes to write */
2909 s->init_num=n+4; 2705 s->init_num = n + 4;
2910 s->init_off=0; 2706 s->init_off = 0;
2911 } 2707 }
2912 2708
2913 /* SSL3_ST_CW_KEY_EXCH_B */ 2709 /* SSL3_ST_CW_KEY_EXCH_B */
2914 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2710 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2915err: 2711err:
2916#ifndef OPENSSL_NO_ECDH 2712#ifndef OPENSSL_NO_ECDH
2917 BN_CTX_free(bn_ctx); 2713 BN_CTX_free(bn_ctx);
2918 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2714 if (encodedPoint != NULL)
2919 if (clnt_ecdh != NULL) 2715 OPENSSL_free(encodedPoint);
2716 if (clnt_ecdh != NULL)
2920 EC_KEY_free(clnt_ecdh); 2717 EC_KEY_free(clnt_ecdh);
2921 EVP_PKEY_free(srvr_pub_pkey); 2718 EVP_PKEY_free(srvr_pub_pkey);
2922#endif 2719#endif
2923 return(-1); 2720 return (-1);
2924 } 2721}
2925 2722
2926int ssl3_send_client_verify(SSL *s) 2723int
2927 { 2724ssl3_send_client_verify(SSL *s)
2928 unsigned char *p,*d; 2725{
2929 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2726 unsigned char *p, *d;
2727 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2930 EVP_PKEY *pkey; 2728 EVP_PKEY *pkey;
2931 EVP_PKEY_CTX *pctx=NULL; 2729 EVP_PKEY_CTX *pctx = NULL;
2932 EVP_MD_CTX mctx; 2730 EVP_MD_CTX mctx;
2933 unsigned u=0; 2731 unsigned u = 0;
2934 unsigned long n; 2732 unsigned long n;
2935 int j; 2733 int j;
2936 2734
2937 EVP_MD_CTX_init(&mctx); 2735 EVP_MD_CTX_init(&mctx);
2938 2736
2939 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2737 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
2940 { 2738 d = (unsigned char *)s->init_buf->data;
2941 d=(unsigned char *)s->init_buf->data; 2739 p = &(d[4]);
2942 p= &(d[4]); 2740 pkey = s->cert->key->privatekey;
2943 pkey=s->cert->key->privatekey;
2944/* Create context from key and test if sha1 is allowed as digest */ 2741/* Create context from key and test if sha1 is allowed as digest */
2945 pctx = EVP_PKEY_CTX_new(pkey,NULL); 2742 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2946 EVP_PKEY_sign_init(pctx); 2743 EVP_PKEY_sign_init(pctx);
2947 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2744 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
2948 {
2949 if (TLS1_get_version(s) < TLS1_2_VERSION) 2745 if (TLS1_get_version(s) < TLS1_2_VERSION)
2950 s->method->ssl3_enc->cert_verify_mac(s, 2746 s->method->ssl3_enc->cert_verify_mac(s,
2951 NID_sha1, 2747 NID_sha1,
2952 &(data[MD5_DIGEST_LENGTH])); 2748 &(data[MD5_DIGEST_LENGTH]));
2953 } 2749 } else {
2954 else
2955 {
2956 ERR_clear_error(); 2750 ERR_clear_error();
2957 } 2751 }
2958 /* For TLS v1.2 send signature algorithm and signature 2752 /* For TLS v1.2 send signature algorithm and signature
2959 * using agreed digest and cached handshake records. 2753 * using agreed digest and cached handshake records.
2960 */ 2754 */
2961 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2755 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2962 {
2963 long hdatalen = 0; 2756 long hdatalen = 0;
2964 void *hdata; 2757 void *hdata;
2965 const EVP_MD *md = s->cert->key->digest; 2758 const EVP_MD *md = s->cert->key->digest;
2966 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 2759 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2967 &hdata); 2760 &hdata);
2968 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 2761 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
2969 {
2970 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2762 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2971 ERR_R_INTERNAL_ERROR); 2763 ERR_R_INTERNAL_ERROR);
2972 goto err; 2764 goto err;
2973 } 2765 }
2974 p += 2; 2766 p += 2;
2975#ifdef SSL_DEBUG 2767#ifdef SSL_DEBUG
2976 fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 2768 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2977 EVP_MD_name(md)); 2769 EVP_MD_name(md));
2978#endif 2770#endif
2979 if (!EVP_SignInit_ex(&mctx, md, NULL) 2771 if (!EVP_SignInit_ex(&mctx, md, NULL) ||
2980 || !EVP_SignUpdate(&mctx, hdata, hdatalen) 2772 !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
2981 || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 2773 !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
2982 {
2983 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2774 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2984 ERR_R_EVP_LIB); 2775 ERR_R_EVP_LIB);
2985 goto err; 2776 goto err;
2986 } 2777 }
2987 s2n(u,p); 2778 s2n(u, p);
2988 n = u + 4; 2779 n = u + 4;
2989 if (!ssl3_digest_cached_records(s)) 2780 if (!ssl3_digest_cached_records(s))
2990 goto err; 2781 goto err;
2991 } 2782 } else
2992 else
2993#ifndef OPENSSL_NO_RSA 2783#ifndef OPENSSL_NO_RSA
2994 if (pkey->type == EVP_PKEY_RSA) 2784 if (pkey->type == EVP_PKEY_RSA) {
2995 { 2785 s->method->ssl3_enc->cert_verify_mac(
2996 s->method->ssl3_enc->cert_verify_mac(s, 2786 s, NID_md5, &(data[0]));
2997 NID_md5,
2998 &(data[0]));
2999 if (RSA_sign(NID_md5_sha1, data, 2787 if (RSA_sign(NID_md5_sha1, data,
3000 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 2788 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
3001 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 2789 &u, pkey->pkey.rsa) <= 0 ) {
3002 { 2790 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB);
3003 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
3004 goto err; 2791 goto err;
3005 }
3006 s2n(u,p);
3007 n=u+2;
3008 } 2792 }
3009 else 2793 s2n(u, p);
2794 n = u + 2;
2795 } else
3010#endif 2796#endif
3011#ifndef OPENSSL_NO_DSA 2797#ifndef OPENSSL_NO_DSA
3012 if (pkey->type == EVP_PKEY_DSA) 2798 if (pkey->type == EVP_PKEY_DSA) {
3013 {
3014 if (!DSA_sign(pkey->save_type, 2799 if (!DSA_sign(pkey->save_type,
3015 &(data[MD5_DIGEST_LENGTH]), 2800 &(data[MD5_DIGEST_LENGTH]),
3016 SHA_DIGEST_LENGTH,&(p[2]), 2801 SHA_DIGEST_LENGTH, &(p[2]),
3017 (unsigned int *)&j,pkey->pkey.dsa)) 2802 (unsigned int *)&j, pkey->pkey.dsa)) {
3018 { 2803 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB);
3019 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
3020 goto err; 2804 goto err;
3021 }
3022 s2n(j,p);
3023 n=j+2;
3024 } 2805 }
3025 else 2806 s2n(j, p);
2807 n = j + 2;
2808 } else
3026#endif 2809#endif
3027#ifndef OPENSSL_NO_ECDSA 2810#ifndef OPENSSL_NO_ECDSA
3028 if (pkey->type == EVP_PKEY_EC) 2811 if (pkey->type == EVP_PKEY_EC) {
3029 {
3030 if (!ECDSA_sign(pkey->save_type, 2812 if (!ECDSA_sign(pkey->save_type,
3031 &(data[MD5_DIGEST_LENGTH]), 2813 &(data[MD5_DIGEST_LENGTH]),
3032 SHA_DIGEST_LENGTH,&(p[2]), 2814 SHA_DIGEST_LENGTH, &(p[2]),
3033 (unsigned int *)&j,pkey->pkey.ec)) 2815 (unsigned int *)&j, pkey->pkey.ec)) {
3034 {
3035 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2816 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3036 ERR_R_ECDSA_LIB); 2817 ERR_R_ECDSA_LIB);
3037 goto err; 2818 goto err;
3038 }
3039 s2n(j,p);
3040 n=j+2;
3041 } 2819 }
3042 else 2820 s2n(j, p);
2821 n = j + 2;
2822 } else
3043#endif 2823#endif
3044 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2824 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3045 { 2825 unsigned char signbuf[64];
3046 unsigned char signbuf[64]; 2826 int i;
3047 int i; 2827 size_t sigsize = 64;
3048 size_t sigsize=64; 2828 s->method->ssl3_enc->cert_verify_mac(s,
3049 s->method->ssl3_enc->cert_verify_mac(s,
3050 NID_id_GostR3411_94, 2829 NID_id_GostR3411_94,
3051 data); 2830 data);
3052 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 2831 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
3053 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2832 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3054 ERR_R_INTERNAL_ERROR); 2833 ERR_R_INTERNAL_ERROR);
3055 goto err; 2834 goto err;
3056 } 2835 }
3057 for (i=63,j=0; i>=0; j++, i--) { 2836 for (i = 63, j = 0; i >= 0; j++, i--) {
3058 p[2+j]=signbuf[i]; 2837 p[2 + j] = signbuf[i];
3059 } 2838 }
3060 s2n(j,p); 2839 s2n(j, p);
3061 n=j+2; 2840 n = j + 2;
3062 } 2841 } else {
3063 else 2842 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
3064 {
3065 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
3066 goto err; 2843 goto err;
3067 } 2844 }
3068 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 2845 *(d++) = SSL3_MT_CERTIFICATE_VERIFY;
3069 l2n3(n,d); 2846 l2n3(n, d);
3070 2847
3071 s->state=SSL3_ST_CW_CERT_VRFY_B; 2848 s->state = SSL3_ST_CW_CERT_VRFY_B;
3072 s->init_num=(int)n+4; 2849 s->init_num = (int)n + 4;
3073 s->init_off=0; 2850 s->init_off = 0;
3074 } 2851 }
3075 EVP_MD_CTX_cleanup(&mctx); 2852 EVP_MD_CTX_cleanup(&mctx);
3076 EVP_PKEY_CTX_free(pctx); 2853 EVP_PKEY_CTX_free(pctx);
3077 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2854 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3078err: 2855err:
3079 EVP_MD_CTX_cleanup(&mctx); 2856 EVP_MD_CTX_cleanup(&mctx);
3080 EVP_PKEY_CTX_free(pctx); 2857 EVP_PKEY_CTX_free(pctx);
3081 return(-1); 2858 return (-1);
3082 } 2859}
3083 2860
3084int ssl3_send_client_certificate(SSL *s) 2861int
3085 { 2862ssl3_send_client_certificate(SSL *s)
3086 X509 *x509=NULL; 2863{
3087 EVP_PKEY *pkey=NULL; 2864 X509 *x509 = NULL;
2865 EVP_PKEY *pkey = NULL;
3088 int i; 2866 int i;
3089 unsigned long l; 2867 unsigned long l;
3090 2868
3091 if (s->state == SSL3_ST_CW_CERT_A) 2869 if (s->state == SSL3_ST_CW_CERT_A) {
3092 { 2870 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
3093 if ((s->cert == NULL) || 2871 (s->cert->key->privatekey == NULL))
3094 (s->cert->key->x509 == NULL) || 2872 s->state = SSL3_ST_CW_CERT_B;
3095 (s->cert->key->privatekey == NULL))
3096 s->state=SSL3_ST_CW_CERT_B;
3097 else 2873 else
3098 s->state=SSL3_ST_CW_CERT_C; 2874 s->state = SSL3_ST_CW_CERT_C;
3099 } 2875 }
3100 2876
3101 /* We need to get a client cert */ 2877 /* We need to get a client cert */
3102 if (s->state == SSL3_ST_CW_CERT_B) 2878 if (s->state == SSL3_ST_CW_CERT_B) {
3103 {
3104 /* If we get an error, we need to 2879 /* If we get an error, we need to
3105 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 2880 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
3106 * We then get retied later */ 2881 * We then get retied later */
3107 i=0; 2882 i = 0;
3108 i = ssl_do_client_cert_cb(s, &x509, &pkey); 2883 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3109 if (i < 0) 2884 if (i < 0) {
3110 { 2885 s->rwstate = SSL_X509_LOOKUP;
3111 s->rwstate=SSL_X509_LOOKUP; 2886 return (-1);
3112 return(-1); 2887 }
3113 } 2888 s->rwstate = SSL_NOTHING;
3114 s->rwstate=SSL_NOTHING; 2889 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3115 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 2890 s->state = SSL3_ST_CW_CERT_B;
3116 { 2891 if (!SSL_use_certificate(s, x509) ||
3117 s->state=SSL3_ST_CW_CERT_B; 2892 !SSL_use_PrivateKey(s, pkey))
3118 if ( !SSL_use_certificate(s,x509) || 2893 i = 0;
3119 !SSL_use_PrivateKey(s,pkey)) 2894 } else if (i == 1) {
3120 i=0; 2895 i = 0;
3121 } 2896 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3122 else if (i == 1) 2897 }
3123 { 2898
3124 i=0; 2899 if (x509 != NULL)
3125 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 2900 X509_free(x509);
3126 } 2901 if (pkey != NULL)
3127 2902 EVP_PKEY_free(pkey);
3128 if (x509 != NULL) X509_free(x509); 2903 if (i == 0) {
3129 if (pkey != NULL) EVP_PKEY_free(pkey); 2904 if (s->version == SSL3_VERSION) {
3130 if (i == 0) 2905 s->s3->tmp.cert_req = 0;
3131 { 2906 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3132 if (s->version == SSL3_VERSION) 2907 return (1);
3133 { 2908 } else {
3134 s->s3->tmp.cert_req=0; 2909 s->s3->tmp.cert_req = 2;
3135 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
3136 return(1);
3137 }
3138 else
3139 {
3140 s->s3->tmp.cert_req=2;
3141 }
3142 } 2910 }
2911 }
3143 2912
3144 /* Ok, we have a cert */ 2913 /* Ok, we have a cert */
3145 s->state=SSL3_ST_CW_CERT_C; 2914 s->state = SSL3_ST_CW_CERT_C;
3146 } 2915 }
3147 2916
3148 if (s->state == SSL3_ST_CW_CERT_C) 2917 if (s->state == SSL3_ST_CW_CERT_C) {
3149 { 2918 s->state = SSL3_ST_CW_CERT_D;
3150 s->state=SSL3_ST_CW_CERT_D; 2919 l = ssl3_output_cert_chain(s,
3151 l=ssl3_output_cert_chain(s, 2920 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
3152 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 2921 s->init_num = (int)l;
3153 s->init_num=(int)l; 2922 s->init_off = 0;
3154 s->init_off=0;
3155 }
3156 /* SSL3_ST_CW_CERT_D */
3157 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3158 } 2923 }
2924 /* SSL3_ST_CW_CERT_D */
2925 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2926}
3159 2927
3160#define has_bits(i,m) (((i)&(m)) == (m)) 2928#define has_bits(i,m) (((i)&(m)) == (m))
3161 2929
3162int ssl3_check_cert_and_algorithm(SSL *s) 2930int
3163 { 2931ssl3_check_cert_and_algorithm(SSL *s)
3164 int i,idx; 2932{
3165 long alg_k,alg_a; 2933 int i, idx;
3166 EVP_PKEY *pkey=NULL; 2934 long alg_k, alg_a;
2935 EVP_PKEY *pkey = NULL;
3167 SESS_CERT *sc; 2936 SESS_CERT *sc;
3168#ifndef OPENSSL_NO_RSA 2937#ifndef OPENSSL_NO_RSA
3169 RSA *rsa; 2938 RSA *rsa;
@@ -3172,138 +2941,120 @@ int ssl3_check_cert_and_algorithm(SSL *s)
3172 DH *dh; 2941 DH *dh;
3173#endif 2942#endif
3174 2943
3175 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2944 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3176 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 2945 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3177 2946
3178 /* we don't have a certificate */ 2947 /* we don't have a certificate */
3179 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 2948 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
3180 return(1); 2949 return (1);
3181 2950
3182 sc=s->session->sess_cert; 2951 sc = s->session->sess_cert;
3183 if (sc == NULL) 2952 if (sc == NULL) {
3184 { 2953 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
3185 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
3186 goto err; 2954 goto err;
3187 } 2955 }
3188 2956
3189#ifndef OPENSSL_NO_RSA 2957#ifndef OPENSSL_NO_RSA
3190 rsa=s->session->sess_cert->peer_rsa_tmp; 2958 rsa = s->session->sess_cert->peer_rsa_tmp;
3191#endif 2959#endif
3192#ifndef OPENSSL_NO_DH 2960#ifndef OPENSSL_NO_DH
3193 dh=s->session->sess_cert->peer_dh_tmp; 2961 dh = s->session->sess_cert->peer_dh_tmp;
3194#endif 2962#endif
3195 2963
3196 /* This is the passed certificate */ 2964 /* This is the passed certificate */
3197 2965
3198 idx=sc->peer_cert_type; 2966 idx = sc->peer_cert_type;
3199#ifndef OPENSSL_NO_ECDH 2967#ifndef OPENSSL_NO_ECDH
3200 if (idx == SSL_PKEY_ECC) 2968 if (idx == SSL_PKEY_ECC) {
3201 {
3202 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2969 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
3203 s) == 0) 2970 s) == 0)
3204 { /* check failed */ 2971 { /* check failed */
3205 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 2972 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3206 goto f_err; 2973 goto f_err;
3207 } 2974 } else {
3208 else
3209 {
3210 return 1; 2975 return 1;
3211 }
3212 } 2976 }
2977 }
3213#endif 2978#endif
3214 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 2979 pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
3215 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 2980 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
3216 EVP_PKEY_free(pkey); 2981 EVP_PKEY_free(pkey);
3217 2982
3218 2983
3219 /* Check that we have a certificate if we require one */ 2984 /* Check that we have a certificate if we require one */
3220 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 2985 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
3221 { 2986 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT);
3222 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
3223 goto f_err; 2987 goto f_err;
3224 } 2988 }
3225#ifndef OPENSSL_NO_DSA 2989#ifndef OPENSSL_NO_DSA
3226 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 2990 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
3227 { 2991 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT);
3228 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
3229 goto f_err; 2992 goto f_err;
3230 } 2993 }
3231#endif 2994#endif
3232#ifndef OPENSSL_NO_RSA 2995#ifndef OPENSSL_NO_RSA
3233 if ((alg_k & SSL_kRSA) && 2996 if ((alg_k & SSL_kRSA) &&
3234 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 2997 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
3235 { 2998 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3236 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3237 goto f_err; 2999 goto f_err;
3238 } 3000 }
3239#endif 3001#endif
3240#ifndef OPENSSL_NO_DH 3002#ifndef OPENSSL_NO_DH
3241 if ((alg_k & SSL_kEDH) && 3003 if ((alg_k & SSL_kEDH) &&
3242 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 3004 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
3243 { 3005 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY);
3244 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
3245 goto f_err; 3006 goto f_err;
3246 } 3007 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
3247 else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 3008 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT);
3248 {
3249 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
3250 goto f_err; 3009 goto f_err;
3251 } 3010 }
3252#ifndef OPENSSL_NO_DSA 3011#ifndef OPENSSL_NO_DSA
3253 else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 3012 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
3254 { 3013 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT);
3255 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
3256 goto f_err; 3014 goto f_err;
3257 } 3015 }
3258#endif 3016#endif
3259#endif 3017#endif
3260 3018
3261 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 3019 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
3262 {
3263#ifndef OPENSSL_NO_RSA 3020#ifndef OPENSSL_NO_RSA
3264 if (alg_k & SSL_kRSA) 3021 if (alg_k & SSL_kRSA) {
3265 { 3022 if (rsa == NULL ||
3266 if (rsa == NULL 3023 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3267 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3024 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3268 {
3269 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3270 goto f_err; 3025 goto f_err;
3271 }
3272 } 3026 }
3273 else 3027 } else
3274#endif 3028#endif
3275#ifndef OPENSSL_NO_DH 3029#ifndef OPENSSL_NO_DH
3276 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 3030 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
3277 { 3031 if (dh == NULL ||
3278 if (dh == NULL 3032 DH_size(dh) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3279 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3033 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3280 {
3281 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3282 goto f_err; 3034 goto f_err;
3283 }
3284 } 3035 }
3285 else 3036 } else
3286#endif 3037#endif
3287 { 3038 {
3288 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 3039 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3289 goto f_err; 3040 goto f_err;
3290 }
3291 } 3041 }
3292 return(1); 3042 }
3043 return (1);
3293f_err: 3044f_err:
3294 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 3045 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3295err: 3046err:
3296 return(0); 3047 return (0);
3297 } 3048}
3298 3049
3299#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 3050#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3300int ssl3_send_next_proto(SSL *s) 3051int
3301 { 3052ssl3_send_next_proto(SSL *s)
3053{
3302 unsigned int len, padding_len; 3054 unsigned int len, padding_len;
3303 unsigned char *d; 3055 unsigned char *d;
3304 3056
3305 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3057 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
3306 {
3307 len = s->next_proto_negotiated_len; 3058 len = s->next_proto_negotiated_len;
3308 padding_len = 32 - ((len + 2) % 32); 3059 padding_len = 32 - ((len + 2) % 32);
3309 d = (unsigned char *)s->init_buf->data; 3060 d = (unsigned char *)s->init_buf->data;
@@ -3311,12 +3062,12 @@ int ssl3_send_next_proto(SSL *s)
3311 memcpy(d + 5, s->next_proto_negotiated, len); 3062 memcpy(d + 5, s->next_proto_negotiated, len);
3312 d[5 + len] = padding_len; 3063 d[5 + len] = padding_len;
3313 memset(d + 6 + len, 0, padding_len); 3064 memset(d + 6 + len, 0, padding_len);
3314 *(d++)=SSL3_MT_NEXT_PROTO; 3065 *(d++) = SSL3_MT_NEXT_PROTO;
3315 l2n3(2 + len + padding_len, d); 3066 l2n3(2 + len + padding_len, d);
3316 s->state = SSL3_ST_CW_NEXT_PROTO_B; 3067 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3317 s->init_num = 4 + 2 + len + padding_len; 3068 s->init_num = 4 + 2 + len + padding_len;
3318 s->init_off = 0; 3069 s->init_off = 0;
3319 } 3070 }
3320 3071
3321 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3072 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3322} 3073}
@@ -3328,8 +3079,9 @@ int ssl3_send_next_proto(SSL *s)
3328 */ 3079 */
3329 3080
3330#ifndef OPENSSL_NO_TLSEXT 3081#ifndef OPENSSL_NO_TLSEXT
3331int ssl3_check_finished(SSL *s) 3082int
3332 { 3083ssl3_check_finished(SSL *s)
3084{
3333 int ok; 3085 int ok;
3334 long n; 3086 long n;
3335 /* If we have no ticket it cannot be a resumed session. */ 3087 /* If we have no ticket it cannot be a resumed session. */
@@ -3337,36 +3089,33 @@ int ssl3_check_finished(SSL *s)
3337 return 1; 3089 return 1;
3338 /* this function is called when we really expect a Certificate 3090 /* this function is called when we really expect a Certificate
3339 * message, so permit appropriate message length */ 3091 * message, so permit appropriate message length */
3340 n=s->method->ssl_get_message(s, 3092 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
3341 SSL3_ST_CR_CERT_A, 3093 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
3342 SSL3_ST_CR_CERT_B, 3094 if (!ok)
3343 -1, 3095 return ((int)n);
3344 s->max_cert_list,
3345 &ok);
3346 if (!ok) return((int)n);
3347 s->s3->tmp.reuse_message = 1; 3096 s->s3->tmp.reuse_message = 1;
3348 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3097 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) ||
3349 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3098 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3350 return 2; 3099 return 2;
3351 3100
3352 return 1; 3101 return 1;
3353 } 3102}
3354#endif 3103#endif
3355 3104
3356int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3105int
3357 { 3106ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3107{
3358 int i = 0; 3108 int i = 0;
3359#ifndef OPENSSL_NO_ENGINE 3109#ifndef OPENSSL_NO_ENGINE
3360 if (s->ctx->client_cert_engine) 3110 if (s->ctx->client_cert_engine) {
3361 {
3362 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3111 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3363 SSL_get_client_CA_list(s), 3112 SSL_get_client_CA_list(s),
3364 px509, ppkey, NULL, NULL, NULL); 3113 px509, ppkey, NULL, NULL, NULL);
3365 if (i != 0) 3114 if (i != 0)
3366 return i; 3115 return i;
3367 } 3116 }
3368#endif 3117#endif
3369 if (s->ctx->client_cert_cb) 3118 if (s->ctx->client_cert_cb)
3370 i = s->ctx->client_cert_cb(s,px509,ppkey); 3119 i = s->ctx->client_cert_cb(s, px509, ppkey);
3371 return i; 3120 return i;
3372 } 3121}
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 518dfcd5e2..eeadb160d1 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -171,92 +171,86 @@
171 171
172static const SSL_METHOD *ssl3_get_server_method(int ver); 172static const SSL_METHOD *ssl3_get_server_method(int ver);
173 173
174static const SSL_METHOD *ssl3_get_server_method(int ver) 174static const SSL_METHOD
175 { 175*ssl3_get_server_method(int ver)
176{
176 if (ver == SSL3_VERSION) 177 if (ver == SSL3_VERSION)
177 return(SSLv3_server_method()); 178 return (SSLv3_server_method());
178 else 179 else
179 return(NULL); 180 return (NULL);
180 } 181}
181 182
182#ifndef OPENSSL_NO_SRP 183#ifndef OPENSSL_NO_SRP
183static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) 184static int
184 { 185ssl_check_srp_ext_ClientHello(SSL *s, int *al)
186{
185 int ret = SSL_ERROR_NONE; 187 int ret = SSL_ERROR_NONE;
186 188
187 *al = SSL_AD_UNRECOGNIZED_NAME; 189 *al = SSL_AD_UNRECOGNIZED_NAME;
188 190
189 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 191 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
190 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) 192 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
191 { 193 if (s->srp_ctx.login == NULL) {
192 if(s->srp_ctx.login == NULL)
193 {
194 /* RFC 5054 says SHOULD reject, 194 /* RFC 5054 says SHOULD reject,
195 we do so if There is no srp login name */ 195 we do so if There is no srp login name */
196 ret = SSL3_AL_FATAL; 196 ret = SSL3_AL_FATAL;
197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
198 } 198 } else {
199 else 199 ret = SSL_srp_server_param_with_username(s, al);
200 {
201 ret = SSL_srp_server_param_with_username(s,al);
202 }
203 } 200 }
204 return ret;
205 } 201 }
202 return ret;
203}
206#endif 204#endif
207 205
208IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 206IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
209 ssl3_accept, 207 ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
210 ssl_undefined_function,
211 ssl3_get_server_method)
212 208
213int ssl3_accept(SSL *s) 209int
214 { 210ssl3_accept(SSL *s)
211{
215 BUF_MEM *buf; 212 BUF_MEM *buf;
216 unsigned long alg_k,Time=(unsigned long)time(NULL); 213 unsigned long alg_k, Time = (unsigned long)time(NULL);
217 void (*cb)(const SSL *ssl,int type,int val)=NULL; 214 void (*cb)(const SSL *ssl, int type, int val) = NULL;
218 int ret= -1; 215 int ret = -1;
219 int new_state,state,skip=0; 216 int new_state, state, skip = 0;
220 217
221 RAND_add(&Time,sizeof(Time),0); 218 RAND_add(&Time, sizeof(Time), 0);
222 ERR_clear_error(); 219 ERR_clear_error();
223 errno = 0; 220 errno = 0;
224 221
225 if (s->info_callback != NULL) 222 if (s->info_callback != NULL)
226 cb=s->info_callback; 223 cb = s->info_callback;
227 else if (s->ctx->info_callback != NULL) 224 else if (s->ctx->info_callback != NULL)
228 cb=s->ctx->info_callback; 225 cb = s->ctx->info_callback;
229 226
230 /* init things to blank */ 227 /* init things to blank */
231 s->in_handshake++; 228 s->in_handshake++;
232 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 229 if (!SSL_in_init(s) || SSL_in_before(s))
230 SSL_clear(s);
233 231
234 if (s->cert == NULL) 232 if (s->cert == NULL) {
235 { 233 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
236 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 234 return (-1);
237 return(-1); 235 }
238 }
239 236
240#ifndef OPENSSL_NO_HEARTBEATS 237#ifndef OPENSSL_NO_HEARTBEATS
241 /* If we're awaiting a HeartbeatResponse, pretend we 238 /* If we're awaiting a HeartbeatResponse, pretend we
242 * already got and don't await it anymore, because 239 * already got and don't await it anymore, because
243 * Heartbeats don't make sense during handshakes anyway. 240 * Heartbeats don't make sense during handshakes anyway.
244 */ 241 */
245 if (s->tlsext_hb_pending) 242 if (s->tlsext_hb_pending) {
246 {
247 s->tlsext_hb_pending = 0; 243 s->tlsext_hb_pending = 0;
248 s->tlsext_hb_seq++; 244 s->tlsext_hb_seq++;
249 } 245 }
250#endif 246#endif
251 247
252 for (;;) 248 for (;;) {
253 { 249 state = s->state;
254 state=s->state;
255 250
256 switch (s->state) 251 switch (s->state) {
257 {
258 case SSL_ST_RENEGOTIATE: 252 case SSL_ST_RENEGOTIATE:
259 s->renegotiate=1; 253 s->renegotiate = 1;
260 /* s->state=SSL_ST_ACCEPT; */ 254 /* s->state=SSL_ST_ACCEPT; */
261 255
262 case SSL_ST_BEFORE: 256 case SSL_ST_BEFORE:
@@ -264,146 +258,143 @@ int ssl3_accept(SSL *s)
264 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 258 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
265 case SSL_ST_OK|SSL_ST_ACCEPT: 259 case SSL_ST_OK|SSL_ST_ACCEPT:
266 260
267 s->server=1; 261 s->server = 1;
268 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 262 if (cb != NULL)
263 cb(s, SSL_CB_HANDSHAKE_START, 1);
269 264
270 if ((s->version>>8) != 3) 265 if ((s->version >> 8) != 3) {
271 {
272 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 266 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
273 return -1; 267 return -1;
274 } 268 }
275 s->type=SSL_ST_ACCEPT; 269 s->type = SSL_ST_ACCEPT;
276 270
277 if (s->init_buf == NULL) 271 if (s->init_buf == NULL) {
278 { 272 if ((buf = BUF_MEM_new()) == NULL) {
279 if ((buf=BUF_MEM_new()) == NULL) 273 ret = -1;
280 {
281 ret= -1;
282 goto end; 274 goto end;
283 } 275 }
284 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 276 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
285 { 277 ret = -1;
286 ret= -1;
287 goto end; 278 goto end;
288 }
289 s->init_buf=buf;
290 } 279 }
280 s->init_buf = buf;
281 }
291 282
292 if (!ssl3_setup_buffers(s)) 283 if (!ssl3_setup_buffers(s)) {
293 { 284 ret = -1;
294 ret= -1;
295 goto end; 285 goto end;
296 } 286 }
297 287
298 s->init_num=0; 288 s->init_num = 0;
299 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 289 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
300 290
301 if (s->state != SSL_ST_RENEGOTIATE) 291 if (s->state != SSL_ST_RENEGOTIATE) {
302 {
303 /* Ok, we now need to push on a buffering BIO so that 292 /* Ok, we now need to push on a buffering BIO so that
304 * the output is sent in a way that TCP likes :-) 293 * the output is sent in a way that TCP likes :-)
305 */ 294 */
306 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 295 if (!ssl_init_wbio_buffer(s, 1)) {
307 296 ret = -1;
297 goto end;
298 }
299
308 ssl3_init_finished_mac(s); 300 ssl3_init_finished_mac(s);
309 s->state=SSL3_ST_SR_CLNT_HELLO_A; 301 s->state = SSL3_ST_SR_CLNT_HELLO_A;
310 s->ctx->stats.sess_accept++; 302 s->ctx->stats.sess_accept++;
311 } 303 } else if (!s->s3->send_connection_binding &&
312 else if (!s->s3->send_connection_binding && 304 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
313 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
314 {
315 /* Server attempting to renegotiate with 305 /* Server attempting to renegotiate with
316 * client that doesn't support secure 306 * client that doesn't support secure
317 * renegotiation. 307 * renegotiation.
318 */ 308 */
319 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 309 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
320 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 310 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
321 ret = -1; 311 ret = -1;
322 goto end; 312 goto end;
323 } 313 } else {
324 else
325 {
326 /* s->state == SSL_ST_RENEGOTIATE, 314 /* s->state == SSL_ST_RENEGOTIATE,
327 * we will just send a HelloRequest */ 315 * we will just send a HelloRequest */
328 s->ctx->stats.sess_accept_renegotiate++; 316 s->ctx->stats.sess_accept_renegotiate++;
329 s->state=SSL3_ST_SW_HELLO_REQ_A; 317 s->state = SSL3_ST_SW_HELLO_REQ_A;
330 } 318 }
331 break; 319 break;
332 320
333 case SSL3_ST_SW_HELLO_REQ_A: 321 case SSL3_ST_SW_HELLO_REQ_A:
334 case SSL3_ST_SW_HELLO_REQ_B: 322 case SSL3_ST_SW_HELLO_REQ_B:
335 323
336 s->shutdown=0; 324 s->shutdown = 0;
337 ret=ssl3_send_hello_request(s); 325 ret = ssl3_send_hello_request(s);
338 if (ret <= 0) goto end; 326 if (ret <= 0)
339 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 327 goto end;
340 s->state=SSL3_ST_SW_FLUSH; 328 s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
341 s->init_num=0; 329 s->state = SSL3_ST_SW_FLUSH;
330 s->init_num = 0;
342 331
343 ssl3_init_finished_mac(s); 332 ssl3_init_finished_mac(s);
344 break; 333 break;
345 334
346 case SSL3_ST_SW_HELLO_REQ_C: 335 case SSL3_ST_SW_HELLO_REQ_C:
347 s->state=SSL_ST_OK; 336 s->state = SSL_ST_OK;
348 break; 337 break;
349 338
350 case SSL3_ST_SR_CLNT_HELLO_A: 339 case SSL3_ST_SR_CLNT_HELLO_A:
351 case SSL3_ST_SR_CLNT_HELLO_B: 340 case SSL3_ST_SR_CLNT_HELLO_B:
352 case SSL3_ST_SR_CLNT_HELLO_C: 341 case SSL3_ST_SR_CLNT_HELLO_C:
353 342
354 s->shutdown=0; 343 s->shutdown = 0;
355 if (s->rwstate != SSL_X509_LOOKUP) 344 if (s->rwstate != SSL_X509_LOOKUP) {
356 { 345 ret = ssl3_get_client_hello(s);
357 ret=ssl3_get_client_hello(s); 346 if (ret <= 0)
358 if (ret <= 0) goto end; 347 goto end;
359 } 348 }
360#ifndef OPENSSL_NO_SRP 349#ifndef OPENSSL_NO_SRP
361 { 350 {
362 int al; 351 int al;
363 if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0) 352 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
364 {
365 /* callback indicates firther work to be done */ 353 /* callback indicates firther work to be done */
366 s->rwstate=SSL_X509_LOOKUP; 354 s->rwstate = SSL_X509_LOOKUP;
367 goto end; 355 goto end;
368 } 356 }
369 if (ret != SSL_ERROR_NONE) 357 if (ret != SSL_ERROR_NONE) {
370 { 358 ssl3_send_alert(s, SSL3_AL_FATAL, al);
371 ssl3_send_alert(s,SSL3_AL_FATAL,al); 359
372 /* This is not really an error but the only means to 360 /* This is not really an error but the only means to
373 for a client to detect whether srp is supported. */ 361 for a client to detect whether srp is supported. */
374 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 362 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
375 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); 363 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
376 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 364
377 ret= -1; 365 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
378 goto end; 366
367 ret = -1;
368 goto end;
369
379 } 370 }
380 } 371 }
381#endif 372#endif
382 373
383 s->renegotiate = 2; 374 s->renegotiate = 2;
384 s->state=SSL3_ST_SW_SRVR_HELLO_A; 375 s->state = SSL3_ST_SW_SRVR_HELLO_A;
385 s->init_num=0; 376 s->init_num = 0;
386 break; 377 break;
387 378
388 case SSL3_ST_SW_SRVR_HELLO_A: 379 case SSL3_ST_SW_SRVR_HELLO_A:
389 case SSL3_ST_SW_SRVR_HELLO_B: 380 case SSL3_ST_SW_SRVR_HELLO_B:
390 ret=ssl3_send_server_hello(s); 381 ret = ssl3_send_server_hello(s);
391 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
392#ifndef OPENSSL_NO_TLSEXT 384#ifndef OPENSSL_NO_TLSEXT
393 if (s->hit) 385 if (s->hit) {
394 {
395 if (s->tlsext_ticket_expected) 386 if (s->tlsext_ticket_expected)
396 s->state=SSL3_ST_SW_SESSION_TICKET_A; 387 s->state = SSL3_ST_SW_SESSION_TICKET_A;
397 else 388 else
398 s->state=SSL3_ST_SW_CHANGE_A; 389 s->state = SSL3_ST_SW_CHANGE_A;
399 } 390 }
400#else 391#else
401 if (s->hit) 392 if (s->hit)
402 s->state=SSL3_ST_SW_CHANGE_A; 393 s->state = SSL3_ST_SW_CHANGE_A;
403#endif 394#endif
404 else 395 else
405 s->state=SSL3_ST_SW_CERT_A; 396 s->state = SSL3_ST_SW_CERT_A;
406 s->init_num=0; 397 s->init_num = 0;
407 break; 398 break;
408 399
409 case SSL3_ST_SW_CERT_A: 400 case SSL3_ST_SW_CERT_A:
@@ -412,29 +403,26 @@ int ssl3_accept(SSL *s)
412 /* normal PSK or KRB5 or SRP */ 403 /* normal PSK or KRB5 or SRP */
413 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 404 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
414 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 405 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
415 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 406 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) {
416 { 407 ret = ssl3_send_server_certificate(s);
417 ret=ssl3_send_server_certificate(s); 408 if (ret <= 0)
418 if (ret <= 0) goto end; 409 goto end;
419#ifndef OPENSSL_NO_TLSEXT 410#ifndef OPENSSL_NO_TLSEXT
420 if (s->tlsext_status_expected) 411 if (s->tlsext_status_expected)
421 s->state=SSL3_ST_SW_CERT_STATUS_A; 412 s->state = SSL3_ST_SW_CERT_STATUS_A;
422 else 413 else
423 s->state=SSL3_ST_SW_KEY_EXCH_A; 414 s->state = SSL3_ST_SW_KEY_EXCH_A;
424 } 415 } else {
425 else
426 {
427 skip = 1; 416 skip = 1;
428 s->state=SSL3_ST_SW_KEY_EXCH_A; 417 s->state = SSL3_ST_SW_KEY_EXCH_A;
429 } 418 }
430#else 419#else
431 } 420 } else
432 else 421 skip = 1;
433 skip=1;
434 422
435 s->state=SSL3_ST_SW_KEY_EXCH_A; 423 s->state = SSL3_ST_SW_KEY_EXCH_A;
436#endif 424#endif
437 s->init_num=0; 425 s->init_num = 0;
438 break; 426 break;
439 427
440 case SSL3_ST_SW_KEY_EXCH_A: 428 case SSL3_ST_SW_KEY_EXCH_A:
@@ -445,16 +433,16 @@ int ssl3_accept(SSL *s)
445 * send_server_key_exchange */ 433 * send_server_key_exchange */
446 if ((s->options & SSL_OP_EPHEMERAL_RSA) 434 if ((s->options & SSL_OP_EPHEMERAL_RSA)
447#ifndef OPENSSL_NO_KRB5 435#ifndef OPENSSL_NO_KRB5
448 && !(alg_k & SSL_kKRB5) 436 && !(alg_k & SSL_kKRB5)
449#endif /* OPENSSL_NO_KRB5 */ 437#endif /* OPENSSL_NO_KRB5 */
450 ) 438 )
451 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 439 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
452 * even when forbidden by protocol specs 440 * even when forbidden by protocol specs
453 * (handshake may fail as clients are not required to 441 * (handshake may fail as clients are not required to
454 * be able to handle this) */ 442 * be able to handle this) */
455 s->s3->tmp.use_rsa_tmp=1; 443 s->s3->tmp.use_rsa_tmp = 1;
456 else 444 else
457 s->s3->tmp.use_rsa_tmp=0; 445 s->s3->tmp.use_rsa_tmp = 0;
458 446
459 447
460 /* only send if a DH key exchange, fortezza or 448 /* only send if a DH key exchange, fortezza or
@@ -475,83 +463,81 @@ int ssl3_accept(SSL *s)
475 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 463 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
476#endif 464#endif
477#ifndef OPENSSL_NO_SRP 465#ifndef OPENSSL_NO_SRP
478 /* SRP: send ServerKeyExchange */ 466 /* SRP: send ServerKeyExchange */
479 || (alg_k & SSL_kSRP) 467 || (alg_k & SSL_kSRP)
480#endif 468#endif
481 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 469 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
482 || (alg_k & SSL_kEECDH) 470 || (alg_k & SSL_kEECDH)
483 || ((alg_k & SSL_kRSA) 471 || ((alg_k & SSL_kRSA)
484 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 472 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
485 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 473 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
486 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 474 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
487 )
488 )
489 )
490 ) 475 )
491 { 476 )
492 ret=ssl3_send_server_key_exchange(s); 477 )
493 if (ret <= 0) goto end; 478 ) {
494 } 479 ret = ssl3_send_server_key_exchange(s);
495 else 480 if (ret <= 0)
496 skip=1; 481 goto end;
482 } else
483 skip = 1;
497 484
498 s->state=SSL3_ST_SW_CERT_REQ_A; 485 s->state = SSL3_ST_SW_CERT_REQ_A;
499 s->init_num=0; 486 s->init_num = 0;
500 break; 487 break;
501 488
502 case SSL3_ST_SW_CERT_REQ_A: 489 case SSL3_ST_SW_CERT_REQ_A:
503 case SSL3_ST_SW_CERT_REQ_B: 490 case SSL3_ST_SW_CERT_REQ_B:
504 if (/* don't request cert unless asked for it: */ 491 if (/* don't request cert unless asked for it: */
505 !(s->verify_mode & SSL_VERIFY_PEER) || 492 !(s->verify_mode & SSL_VERIFY_PEER) ||
506 /* if SSL_VERIFY_CLIENT_ONCE is set, 493 /* if SSL_VERIFY_CLIENT_ONCE is set,
507 * don't request cert during re-negotiation: */ 494 * don't request cert during re-negotiation: */
508 ((s->session->peer != NULL) && 495 ((s->session->peer != NULL) &&
509 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 496 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
510 /* never request cert in anonymous ciphersuites 497 /* never request cert in anonymous ciphersuites
511 * (see section "Certificate request" in SSL 3 drafts 498 * (see section "Certificate request" in SSL 3 drafts
512 * and in RFC 2246): */ 499 * and in RFC 2246): */
513 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 500 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
514 /* ... except when the application insists on verification 501 /* ... except when the application insists on verification
515 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 502 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
516 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 503 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
517 /* never request cert in Kerberos ciphersuites */ 504 /* never request cert in Kerberos ciphersuites */
518 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 505 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
519 /* With normal PSK Certificates and 506 /* With normal PSK Certificates and
520 * Certificate Requests are omitted */ 507 * Certificate Requests are omitted */
521 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 508 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
522 {
523 /* no cert request */ 509 /* no cert request */
524 skip=1; 510 skip = 1;
525 s->s3->tmp.cert_request=0; 511 s->s3->tmp.cert_request = 0;
526 s->state=SSL3_ST_SW_SRVR_DONE_A; 512 s->state = SSL3_ST_SW_SRVR_DONE_A;
527 if (s->s3->handshake_buffer) 513 if (s->s3->handshake_buffer)
528 if (!ssl3_digest_cached_records(s)) 514 if (!ssl3_digest_cached_records(s))
529 return -1; 515 return -1;
530 } 516 } else {
531 else 517 s->s3->tmp.cert_request = 1;
532 { 518 ret = ssl3_send_certificate_request(s);
533 s->s3->tmp.cert_request=1; 519 if (ret <= 0)
534 ret=ssl3_send_certificate_request(s); 520 goto end;
535 if (ret <= 0) goto end;
536#ifndef NETSCAPE_HANG_BUG 521#ifndef NETSCAPE_HANG_BUG
537 s->state=SSL3_ST_SW_SRVR_DONE_A; 522 s->state = SSL3_ST_SW_SRVR_DONE_A;
538#else 523#else
539 s->state=SSL3_ST_SW_FLUSH; 524 s->state = SSL3_ST_SW_FLUSH;
540 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 525 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
541#endif 526#endif
542 s->init_num=0; 527 s->init_num = 0;
543 } 528 }
544 break; 529 break;
545 530
546 case SSL3_ST_SW_SRVR_DONE_A: 531 case SSL3_ST_SW_SRVR_DONE_A:
547 case SSL3_ST_SW_SRVR_DONE_B: 532 case SSL3_ST_SW_SRVR_DONE_B:
548 ret=ssl3_send_server_done(s); 533 ret = ssl3_send_server_done(s);
549 if (ret <= 0) goto end; 534 if (ret <= 0)
550 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 535 goto end;
551 s->state=SSL3_ST_SW_FLUSH; 536 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
552 s->init_num=0; 537 s->state = SSL3_ST_SW_FLUSH;
538 s->init_num = 0;
553 break; 539 break;
554 540
555 case SSL3_ST_SW_FLUSH: 541 case SSL3_ST_SW_FLUSH:
556 542
557 /* This code originally checked to see if 543 /* This code originally checked to see if
@@ -564,15 +550,14 @@ int ssl3_accept(SSL *s)
564 * unconditionally. 550 * unconditionally.
565 */ 551 */
566 552
567 s->rwstate=SSL_WRITING; 553 s->rwstate = SSL_WRITING;
568 if (BIO_flush(s->wbio) <= 0) 554 if (BIO_flush(s->wbio) <= 0) {
569 { 555 ret = -1;
570 ret= -1;
571 goto end; 556 goto end;
572 } 557 }
573 s->rwstate=SSL_NOTHING; 558 s->rwstate = SSL_NOTHING;
574 559
575 s->state=s->s3->tmp.next_state; 560 s->state = s->s3->tmp.next_state;
576 break; 561 break;
577 562
578 case SSL3_ST_SR_CERT_A: 563 case SSL3_ST_SR_CERT_A:
@@ -584,23 +569,22 @@ int ssl3_accept(SSL *s)
584 if (ret == 2) 569 if (ret == 2)
585 s->state = SSL3_ST_SR_CLNT_HELLO_C; 570 s->state = SSL3_ST_SR_CLNT_HELLO_C;
586 else { 571 else {
587 if (s->s3->tmp.cert_request) 572 if (s->s3->tmp.cert_request) {
588 { 573 ret = ssl3_get_client_certificate(s);
589 ret=ssl3_get_client_certificate(s); 574 if (ret <= 0)
590 if (ret <= 0) goto end; 575 goto end;
591 } 576 }
592 s->init_num=0; 577 s->init_num = 0;
593 s->state=SSL3_ST_SR_KEY_EXCH_A; 578 s->state = SSL3_ST_SR_KEY_EXCH_A;
594 } 579 }
595 break; 580 break;
596 581
597 case SSL3_ST_SR_KEY_EXCH_A: 582 case SSL3_ST_SR_KEY_EXCH_A:
598 case SSL3_ST_SR_KEY_EXCH_B: 583 case SSL3_ST_SR_KEY_EXCH_B:
599 ret=ssl3_get_client_key_exchange(s); 584 ret = ssl3_get_client_key_exchange(s);
600 if (ret <= 0) 585 if (ret <= 0)
601 goto end; 586 goto end;
602 if (ret == 2) 587 if (ret == 2) {
603 {
604 /* For the ECDH ciphersuites when 588 /* For the ECDH ciphersuites when
605 * the client sends its ECDH pub key in 589 * the client sends its ECDH pub key in
606 * a certificate, the CertificateVerify 590 * a certificate, the CertificateVerify
@@ -610,40 +594,35 @@ int ssl3_accept(SSL *s)
610 * for key exchange. 594 * for key exchange.
611 */ 595 */
612#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 596#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
613 s->state=SSL3_ST_SR_FINISHED_A; 597 s->state = SSL3_ST_SR_FINISHED_A;
614#else 598#else
615 if (s->s3->next_proto_neg_seen) 599 if (s->s3->next_proto_neg_seen)
616 s->state=SSL3_ST_SR_NEXT_PROTO_A; 600 s->state = SSL3_ST_SR_NEXT_PROTO_A;
617 else 601 else
618 s->state=SSL3_ST_SR_FINISHED_A; 602 s->state = SSL3_ST_SR_FINISHED_A;
619#endif 603#endif
620 s->init_num = 0; 604 s->init_num = 0;
621 } 605 } else if (TLS1_get_version(s) >= TLS1_2_VERSION) {
622 else if (TLS1_get_version(s) >= TLS1_2_VERSION) 606 s->state = SSL3_ST_SR_CERT_VRFY_A;
623 { 607 s->init_num = 0;
624 s->state=SSL3_ST_SR_CERT_VRFY_A;
625 s->init_num=0;
626 if (!s->session->peer) 608 if (!s->session->peer)
627 break; 609 break;
628 /* For TLS v1.2 freeze the handshake buffer 610 /* For TLS v1.2 freeze the handshake buffer
629 * at this point and digest cached records. 611 * at this point and digest cached records.
630 */ 612 */
631 if (!s->s3->handshake_buffer) 613 if (!s->s3->handshake_buffer) {
632 { 614 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
633 SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
634 return -1; 615 return -1;
635 } 616 }
636 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 617 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
637 if (!ssl3_digest_cached_records(s)) 618 if (!ssl3_digest_cached_records(s))
638 return -1; 619 return -1;
639 } 620 } else {
640 else 621 int offset = 0;
641 {
642 int offset=0;
643 int dgst_num; 622 int dgst_num;
644 623
645 s->state=SSL3_ST_SR_CERT_VRFY_A; 624 s->state = SSL3_ST_SR_CERT_VRFY_A;
646 s->init_num=0; 625 s->init_num = 0;
647 626
648 /* We need to get hashes here so if there is 627 /* We need to get hashes here so if there is
649 * a client cert, it can be verified 628 * a client cert, it can be verified
@@ -653,82 +632,85 @@ int ssl3_accept(SSL *s)
653 if (s->s3->handshake_buffer) 632 if (s->s3->handshake_buffer)
654 if (!ssl3_digest_cached_records(s)) 633 if (!ssl3_digest_cached_records(s))
655 return -1; 634 return -1;
656 for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++) 635 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
657 if (s->s3->handshake_dgst[dgst_num]) 636 if (s->s3->handshake_dgst[dgst_num]) {
658 { 637 int dgst_size;
659 int dgst_size; 638
660 639 s->method->ssl3_enc->cert_verify_mac(s, EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]), &(s->s3->tmp.cert_verify_md[offset]));
661 s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset])); 640 dgst_size = EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
662 dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 641 if (dgst_size < 0) {
663 if (dgst_size < 0) 642 ret = -1;
664 { 643 goto end;
665 ret = -1; 644 }
666 goto end; 645 offset += dgst_size;
667 }
668 offset+=dgst_size;
669 }
670 } 646 }
647 }
671 break; 648 break;
672 649
673 case SSL3_ST_SR_CERT_VRFY_A: 650 case SSL3_ST_SR_CERT_VRFY_A:
674 case SSL3_ST_SR_CERT_VRFY_B: 651 case SSL3_ST_SR_CERT_VRFY_B:
675 652
676 /* we should decide if we expected this one */ 653 /* we should decide if we expected this one */
677 ret=ssl3_get_cert_verify(s); 654 ret = ssl3_get_cert_verify(s);
678 if (ret <= 0) goto end; 655 if (ret <= 0)
656 goto end;
679 657
680#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 658#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
681 s->state=SSL3_ST_SR_FINISHED_A; 659 s->state = SSL3_ST_SR_FINISHED_A;
682#else 660#else
683 if (s->s3->next_proto_neg_seen) 661 if (s->s3->next_proto_neg_seen)
684 s->state=SSL3_ST_SR_NEXT_PROTO_A; 662 s->state = SSL3_ST_SR_NEXT_PROTO_A;
685 else 663 else
686 s->state=SSL3_ST_SR_FINISHED_A; 664 s->state = SSL3_ST_SR_FINISHED_A;
687#endif 665#endif
688 s->init_num=0; 666 s->init_num = 0;
689 break; 667 break;
690 668
691#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 669#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
692 case SSL3_ST_SR_NEXT_PROTO_A: 670 case SSL3_ST_SR_NEXT_PROTO_A:
693 case SSL3_ST_SR_NEXT_PROTO_B: 671 case SSL3_ST_SR_NEXT_PROTO_B:
694 ret=ssl3_get_next_proto(s); 672 ret = ssl3_get_next_proto(s);
695 if (ret <= 0) goto end; 673 if (ret <= 0)
674 goto end;
696 s->init_num = 0; 675 s->init_num = 0;
697 s->state=SSL3_ST_SR_FINISHED_A; 676 s->state = SSL3_ST_SR_FINISHED_A;
698 break; 677 break;
699#endif 678#endif
700 679
701 case SSL3_ST_SR_FINISHED_A: 680 case SSL3_ST_SR_FINISHED_A:
702 case SSL3_ST_SR_FINISHED_B: 681 case SSL3_ST_SR_FINISHED_B:
703 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 682 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
704 SSL3_ST_SR_FINISHED_B); 683 SSL3_ST_SR_FINISHED_B);
705 if (ret <= 0) goto end; 684 if (ret <= 0)
685 goto end;
706 if (s->hit) 686 if (s->hit)
707 s->state=SSL_ST_OK; 687 s->state = SSL_ST_OK;
708#ifndef OPENSSL_NO_TLSEXT 688#ifndef OPENSSL_NO_TLSEXT
709 else if (s->tlsext_ticket_expected) 689 else if (s->tlsext_ticket_expected)
710 s->state=SSL3_ST_SW_SESSION_TICKET_A; 690 s->state = SSL3_ST_SW_SESSION_TICKET_A;
711#endif 691#endif
712 else 692 else
713 s->state=SSL3_ST_SW_CHANGE_A; 693 s->state = SSL3_ST_SW_CHANGE_A;
714 s->init_num=0; 694 s->init_num = 0;
715 break; 695 break;
716 696
717#ifndef OPENSSL_NO_TLSEXT 697#ifndef OPENSSL_NO_TLSEXT
718 case SSL3_ST_SW_SESSION_TICKET_A: 698 case SSL3_ST_SW_SESSION_TICKET_A:
719 case SSL3_ST_SW_SESSION_TICKET_B: 699 case SSL3_ST_SW_SESSION_TICKET_B:
720 ret=ssl3_send_newsession_ticket(s); 700 ret = ssl3_send_newsession_ticket(s);
721 if (ret <= 0) goto end; 701 if (ret <= 0)
722 s->state=SSL3_ST_SW_CHANGE_A; 702 goto end;
723 s->init_num=0; 703 s->state = SSL3_ST_SW_CHANGE_A;
704 s->init_num = 0;
724 break; 705 break;
725 706
726 case SSL3_ST_SW_CERT_STATUS_A: 707 case SSL3_ST_SW_CERT_STATUS_A:
727 case SSL3_ST_SW_CERT_STATUS_B: 708 case SSL3_ST_SW_CERT_STATUS_B:
728 ret=ssl3_send_cert_status(s); 709 ret = ssl3_send_cert_status(s);
729 if (ret <= 0) goto end; 710 if (ret <= 0)
730 s->state=SSL3_ST_SW_KEY_EXCH_A; 711 goto end;
731 s->init_num=0; 712 s->state = SSL3_ST_SW_KEY_EXCH_A;
713 s->init_num = 0;
732 break; 714 break;
733 715
734#endif 716#endif
@@ -736,48 +718,49 @@ int ssl3_accept(SSL *s)
736 case SSL3_ST_SW_CHANGE_A: 718 case SSL3_ST_SW_CHANGE_A:
737 case SSL3_ST_SW_CHANGE_B: 719 case SSL3_ST_SW_CHANGE_B:
738 720
739 s->session->cipher=s->s3->tmp.new_cipher; 721 s->session->cipher = s->s3->tmp.new_cipher;
740 if (!s->method->ssl3_enc->setup_key_block(s)) 722 if (!s->method->ssl3_enc->setup_key_block(s)) {
741 { ret= -1; goto end; } 723 ret = -1;
724 goto end;
725 }
742 726
743 ret=ssl3_send_change_cipher_spec(s, 727 ret = ssl3_send_change_cipher_spec(s,
744 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 728 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
745 729
746 if (ret <= 0) goto end; 730 if (ret <= 0)
747 s->state=SSL3_ST_SW_FINISHED_A; 731 goto end;
748 s->init_num=0; 732 s->state = SSL3_ST_SW_FINISHED_A;
733 s->init_num = 0;
749 734
750 if (!s->method->ssl3_enc->change_cipher_state(s, 735 if (!s->method->ssl3_enc->change_cipher_state(
751 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 736 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
752 { 737 ret = -1;
753 ret= -1;
754 goto end; 738 goto end;
755 } 739 }
756 740
757 break; 741 break;
758 742
759 case SSL3_ST_SW_FINISHED_A: 743 case SSL3_ST_SW_FINISHED_A:
760 case SSL3_ST_SW_FINISHED_B: 744 case SSL3_ST_SW_FINISHED_B:
761 ret=ssl3_send_finished(s, 745 ret = ssl3_send_finished(s,
762 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 746 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
763 s->method->ssl3_enc->server_finished_label, 747 s->method->ssl3_enc->server_finished_label,
764 s->method->ssl3_enc->server_finished_label_len); 748 s->method->ssl3_enc->server_finished_label_len);
765 if (ret <= 0) goto end; 749 if (ret <= 0)
766 s->state=SSL3_ST_SW_FLUSH; 750 goto end;
767 if (s->hit) 751 s->state = SSL3_ST_SW_FLUSH;
768 { 752 if (s->hit) {
769#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 753#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
770 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 754 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
771#else 755#else
772 if (s->s3->next_proto_neg_seen) 756 if (s->s3->next_proto_neg_seen)
773 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; 757 s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A;
774 else 758 else
775 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 759 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
776#endif 760#endif
777 } 761 } else
778 else 762 s->s3->tmp.next_state = SSL_ST_OK;
779 s->s3->tmp.next_state=SSL_ST_OK; 763 s->init_num = 0;
780 s->init_num=0;
781 break; 764 break;
782 765
783 case SSL_ST_OK: 766 case SSL_ST_OK:
@@ -785,146 +768,143 @@ int ssl3_accept(SSL *s)
785 ssl3_cleanup_key_block(s); 768 ssl3_cleanup_key_block(s);
786 769
787 BUF_MEM_free(s->init_buf); 770 BUF_MEM_free(s->init_buf);
788 s->init_buf=NULL; 771 s->init_buf = NULL;
789 772
790 /* remove buffering on output */ 773 /* remove buffering on output */
791 ssl_free_wbio_buffer(s); 774 ssl_free_wbio_buffer(s);
792 775
793 s->init_num=0; 776 s->init_num = 0;
794 777
795 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 778 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
796 { 779 {
797 s->renegotiate=0; 780 s->renegotiate = 0;
798 s->new_session=0; 781 s->new_session = 0;
799 782
800 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 783 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
801 784
802 s->ctx->stats.sess_accept_good++; 785 s->ctx->stats.sess_accept_good++;
803 /* s->server=1; */ 786 /* s->server=1; */
804 s->handshake_func=ssl3_accept; 787 s->handshake_func = ssl3_accept;
788
789 if (cb != NULL)
790 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
791 }
805 792
806 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
807 }
808
809 ret = 1; 793 ret = 1;
810 goto end; 794 goto end;
811 /* break; */ 795 /* break; */
812 796
813 default: 797 default:
814 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 798 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
815 ret= -1; 799 ret = -1;
816 goto end; 800 goto end;
817 /* break; */ 801 /* break; */
818 } 802 }
819 803
820 if (!s->s3->tmp.reuse_message && !skip) 804 if (!s->s3->tmp.reuse_message && !skip) {
821 { 805 if (s->debug) {
822 if (s->debug) 806 if ((ret = BIO_flush(s->wbio)) <= 0)
823 {
824 if ((ret=BIO_flush(s->wbio)) <= 0)
825 goto end; 807 goto end;
826 } 808 }
827 809
828 810
829 if ((cb != NULL) && (s->state != state)) 811 if ((cb != NULL) && (s->state != state)) {
830 { 812 new_state = s->state;
831 new_state=s->state; 813 s->state = state;
832 s->state=state; 814 cb(s, SSL_CB_ACCEPT_LOOP, 1);
833 cb(s,SSL_CB_ACCEPT_LOOP,1); 815 s->state = new_state;
834 s->state=new_state;
835 }
836 } 816 }
837 skip=0;
838 } 817 }
818 skip = 0;
819 }
839end: 820end:
840 /* BIO_flush(s->wbio); */ 821 /* BIO_flush(s->wbio); */
841 822
842 s->in_handshake--; 823 s->in_handshake--;
843 if (cb != NULL) 824 if (cb != NULL)
844 cb(s,SSL_CB_ACCEPT_EXIT,ret); 825 cb(s, SSL_CB_ACCEPT_EXIT, ret);
845 return(ret); 826 return (ret);
846 } 827}
847 828
848int ssl3_send_hello_request(SSL *s) 829int
849 { 830ssl3_send_hello_request(SSL *s)
831{
850 unsigned char *p; 832 unsigned char *p;
851 833
852 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 834 if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
853 { 835 p = (unsigned char *)s->init_buf->data;
854 p=(unsigned char *)s->init_buf->data; 836 *(p++) = SSL3_MT_HELLO_REQUEST;
855 *(p++)=SSL3_MT_HELLO_REQUEST; 837 *(p++) = 0;
856 *(p++)=0; 838 *(p++) = 0;
857 *(p++)=0; 839 *(p++) = 0;
858 *(p++)=0;
859 840
860 s->state=SSL3_ST_SW_HELLO_REQ_B; 841 s->state = SSL3_ST_SW_HELLO_REQ_B;
861 /* number of bytes to write */ 842 /* number of bytes to write */
862 s->init_num=4; 843 s->init_num = 4;
863 s->init_off=0; 844 s->init_off = 0;
864 } 845 }
865 846
866 /* SSL3_ST_SW_HELLO_REQ_B */ 847 /* SSL3_ST_SW_HELLO_REQ_B */
867 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 848 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
868 } 849}
869 850
870int ssl3_check_client_hello(SSL *s) 851int
871 { 852ssl3_check_client_hello(SSL *s)
853{
872 int ok; 854 int ok;
873 long n; 855 long n;
874 856
875 /* this function is called when we really expect a Certificate message, 857 /* this function is called when we really expect a Certificate message,
876 * so permit appropriate message length */ 858 * so permit appropriate message length */
877 n=s->method->ssl_get_message(s, 859 n = s->method->ssl_get_message(s,
878 SSL3_ST_SR_CERT_A, 860 SSL3_ST_SR_CERT_A,
879 SSL3_ST_SR_CERT_B, 861 SSL3_ST_SR_CERT_B,
880 -1, 862 -1,
881 s->max_cert_list, 863 s->max_cert_list,
882 &ok); 864 &ok);
883 if (!ok) return((int)n); 865 if (!ok)
866 return ((int)n);
884 s->s3->tmp.reuse_message = 1; 867 s->s3->tmp.reuse_message = 1;
885 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 868 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
886 {
887 /* We only allow the client to restart the handshake once per 869 /* We only allow the client to restart the handshake once per
888 * negotiation. */ 870 * negotiation. */
889 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) 871 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
890 {
891 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 872 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
892 return -1; 873 return -1;
893 } 874 }
894 /* Throw away what we have done so far in the current handshake, 875 /* Throw away what we have done so far in the current handshake,
895 * which will now be aborted. (A full SSL_clear would be too much.) */ 876 * which will now be aborted. (A full SSL_clear would be too much.) */
896#ifndef OPENSSL_NO_DH 877#ifndef OPENSSL_NO_DH
897 if (s->s3->tmp.dh != NULL) 878 if (s->s3->tmp.dh != NULL) {
898 {
899 DH_free(s->s3->tmp.dh); 879 DH_free(s->s3->tmp.dh);
900 s->s3->tmp.dh = NULL; 880 s->s3->tmp.dh = NULL;
901 } 881 }
902#endif 882#endif
903#ifndef OPENSSL_NO_ECDH 883#ifndef OPENSSL_NO_ECDH
904 if (s->s3->tmp.ecdh != NULL) 884 if (s->s3->tmp.ecdh != NULL) {
905 {
906 EC_KEY_free(s->s3->tmp.ecdh); 885 EC_KEY_free(s->s3->tmp.ecdh);
907 s->s3->tmp.ecdh = NULL; 886 s->s3->tmp.ecdh = NULL;
908 } 887 }
909#endif 888#endif
910 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 889 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
911 return 2; 890 return 2;
912 } 891 }
913 return 1; 892 return 1;
914} 893}
915 894
916int ssl3_get_client_hello(SSL *s) 895int
917 { 896ssl3_get_client_hello(SSL *s)
918 int i,j,ok,al,ret= -1; 897{
898 int i, j, ok, al, ret = -1;
919 unsigned int cookie_len; 899 unsigned int cookie_len;
920 long n; 900 long n;
921 unsigned long id; 901 unsigned long id;
922 unsigned char *p,*d,*q; 902 unsigned char *p, *d, *q;
923 SSL_CIPHER *c; 903 SSL_CIPHER *c;
924#ifndef OPENSSL_NO_COMP 904#ifndef OPENSSL_NO_COMP
925 SSL_COMP *comp=NULL; 905 SSL_COMP *comp = NULL;
926#endif 906#endif
927 STACK_OF(SSL_CIPHER) *ciphers=NULL; 907 STACK_OF(SSL_CIPHER) *ciphers = NULL;
928 908
929 /* We do this so that we will respond with our native type. 909 /* We do this so that we will respond with our native type.
930 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 910 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ -932,65 +912,61 @@ int ssl3_get_client_hello(SSL *s)
932 * If we are SSLv3, we will respond with SSLv3, even if prompted with 912 * If we are SSLv3, we will respond with SSLv3, even if prompted with
933 * TLSv1. 913 * TLSv1.
934 */ 914 */
935 if (s->state == SSL3_ST_SR_CLNT_HELLO_A 915 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
936 ) 916 s->state = SSL3_ST_SR_CLNT_HELLO_B;
937 { 917 }
938 s->state=SSL3_ST_SR_CLNT_HELLO_B; 918 s->first_packet = 1;
939 } 919 n = s->method->ssl_get_message(s,
940 s->first_packet=1; 920 SSL3_ST_SR_CLNT_HELLO_B,
941 n=s->method->ssl_get_message(s, 921 SSL3_ST_SR_CLNT_HELLO_C,
942 SSL3_ST_SR_CLNT_HELLO_B, 922 SSL3_MT_CLIENT_HELLO,
943 SSL3_ST_SR_CLNT_HELLO_C, 923 SSL3_RT_MAX_PLAIN_LENGTH,
944 SSL3_MT_CLIENT_HELLO, 924 &ok);
945 SSL3_RT_MAX_PLAIN_LENGTH,
946 &ok);
947 925
948 if (!ok) return((int)n); 926 if (!ok)
949 s->first_packet=0; 927 return ((int)n);
950 d=p=(unsigned char *)s->init_msg; 928 s->first_packet = 0;
929 d = p=(unsigned char *)s->init_msg;
951 930
952 /* use version from inside client hello, not from record header 931 /* use version from inside client hello, not from record header
953 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 932 * (may differ: see RFC 2246, Appendix E, second paragraph) */
954 s->client_version=(((int)p[0])<<8)|(int)p[1]; 933 s->client_version = (((int)p[0]) << 8)|(int)p[1];
955 p+=2; 934 p += 2;
956 935
957 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 936 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
958 (s->version != DTLS1_VERSION && s->client_version < s->version)) 937 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
959 {
960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 938 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 939 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
962 !s->enc_write_ctx && !s->write_hash) 940 !s->enc_write_ctx && !s->write_hash) {
963 {
964 /* similar to ssl3_get_record, send alert using remote version number */ 941 /* similar to ssl3_get_record, send alert using remote version number */
965 s->version = s->client_version; 942 s->version = s->client_version;
966 } 943 }
967 al = SSL_AD_PROTOCOL_VERSION; 944 al = SSL_AD_PROTOCOL_VERSION;
968 goto f_err; 945 goto f_err;
969 } 946 }
970 947
971 /* If we require cookies and this ClientHello doesn't 948 /* If we require cookies and this ClientHello doesn't
972 * contain one, just return since we do not want to 949 * contain one, just return since we do not want to
973 * allocate any memory yet. So check cookie length... 950 * allocate any memory yet. So check cookie length...
974 */ 951 */
975 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 952 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
976 {
977 unsigned int session_length, cookie_length; 953 unsigned int session_length, cookie_length;
978 954
979 session_length = *(p + SSL3_RANDOM_SIZE); 955 session_length = *(p + SSL3_RANDOM_SIZE);
980 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 956 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
981 957
982 if (cookie_length == 0) 958 if (cookie_length == 0)
983 return 1; 959 return 1;
984 } 960 }
985 961
986 /* load the client random */ 962 /* load the client random */
987 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 963 memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
988 p+=SSL3_RANDOM_SIZE; 964 p += SSL3_RANDOM_SIZE;
989 965
990 /* get the session-id */ 966 /* get the session-id */
991 j= *(p++); 967 j= *(p++);
992 968
993 s->hit=0; 969 s->hit = 0;
994 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 970 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
995 * 0.9.7 and later allow this by default, but optionally ignore resumption requests 971 * 0.9.7 and later allow this by default, but optionally ignore resumption requests
996 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 972 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
@@ -1002,31 +978,26 @@ int ssl3_get_client_hello(SSL *s)
1002 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 978 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1003 * setting will be ignored. 979 * setting will be ignored.
1004 */ 980 */
1005 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 981 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1006 { 982 if (!ssl_get_new_session(s, 1))
1007 if (!ssl_get_new_session(s,1))
1008 goto err; 983 goto err;
1009 } 984 } else {
1010 else 985 i = ssl_get_prev_session(s, p, j, d + n);
1011 {
1012 i=ssl_get_prev_session(s, p, j, d + n);
1013 if (i == 1) 986 if (i == 1)
1014 { /* previous session */ 987 { /* previous session */
1015 s->hit=1; 988 s->hit = 1;
1016 } 989 } else if (i == -1)
1017 else if (i == -1)
1018 goto err; 990 goto err;
1019 else /* i == 0 */ 991 else /* i == 0 */
1020 { 992 {
1021 if (!ssl_get_new_session(s,1)) 993 if (!ssl_get_new_session(s, 1))
1022 goto err; 994 goto err;
1023 }
1024 } 995 }
996 }
1025 997
1026 p+=j; 998 p += j;
1027 999
1028 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1000 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
1029 {
1030 /* cookie stuff */ 1001 /* cookie stuff */
1031 cookie_len = *(p++); 1002 cookie_len = *(p++);
1032 1003
@@ -1035,159 +1006,141 @@ int ssl3_get_client_hello(SSL *s)
1035 * HelloVerify message has not been sent--make sure that it 1006 * HelloVerify message has not been sent--make sure that it
1036 * does not cause an overflow. 1007 * does not cause an overflow.
1037 */ 1008 */
1038 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 1009 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
1039 {
1040 /* too much data */ 1010 /* too much data */
1041 al = SSL_AD_DECODE_ERROR; 1011 al = SSL_AD_DECODE_ERROR;
1042 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1012 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1043 goto f_err; 1013 goto f_err;
1044 } 1014 }
1045 1015
1046 /* verify the cookie if appropriate option is set. */ 1016 /* verify the cookie if appropriate option is set. */
1047 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 1017 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
1048 cookie_len > 0) 1018 cookie_len > 0) {
1049 {
1050 memcpy(s->d1->rcvd_cookie, p, cookie_len); 1019 memcpy(s->d1->rcvd_cookie, p, cookie_len);
1051 1020
1052 if ( s->ctx->app_verify_cookie_cb != NULL) 1021 if (s->ctx->app_verify_cookie_cb != NULL) {
1053 { 1022 if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
1054 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1023 cookie_len) == 0) {
1055 cookie_len) == 0) 1024 al = SSL_AD_HANDSHAKE_FAILURE;
1056 { 1025 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1057 al=SSL_AD_HANDSHAKE_FAILURE; 1026 SSL_R_COOKIE_MISMATCH);
1058 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1059 SSL_R_COOKIE_MISMATCH);
1060 goto f_err;
1061 }
1062 /* else cookie verification succeeded */
1063 }
1064 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1065 s->d1->cookie_len) != 0) /* default verification */
1066 {
1067 al=SSL_AD_HANDSHAKE_FAILURE;
1068 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1069 SSL_R_COOKIE_MISMATCH);
1070 goto f_err; 1027 goto f_err;
1071 } 1028 }
1029 /* else cookie verification succeeded */
1030 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1031 s->d1->cookie_len) != 0) /* default verification */
1032 {
1033 al = SSL_AD_HANDSHAKE_FAILURE;
1034 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1035 SSL_R_COOKIE_MISMATCH);
1036 goto f_err;
1037 }
1072 1038
1073 ret = 2; 1039 ret = 2;
1074 } 1040 }
1075 1041
1076 p += cookie_len; 1042 p += cookie_len;
1077 } 1043 }
1078 1044
1079 n2s(p,i); 1045 n2s(p, i);
1080 if ((i == 0) && (j != 0)) 1046 if ((i == 0) && (j != 0)) {
1081 {
1082 /* we need a cipher if we are not resuming a session */ 1047 /* we need a cipher if we are not resuming a session */
1083 al=SSL_AD_ILLEGAL_PARAMETER; 1048 al = SSL_AD_ILLEGAL_PARAMETER;
1084 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 1049 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
1085 goto f_err; 1050 goto f_err;
1086 } 1051 }
1087 if ((p+i) >= (d+n)) 1052 if ((p + i) >= (d + n)) {
1088 {
1089 /* not enough data */ 1053 /* not enough data */
1090 al=SSL_AD_DECODE_ERROR; 1054 al = SSL_AD_DECODE_ERROR;
1091 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1055 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1092 goto f_err; 1056 goto f_err;
1093 } 1057 }
1094 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 1058 if ((i > 0) &&
1095 == NULL)) 1059 (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL)) {
1096 {
1097 goto err; 1060 goto err;
1098 } 1061 }
1099 p+=i; 1062 p += i;
1100 1063
1101 /* If it is a hit, check that the cipher is in the list */ 1064 /* If it is a hit, check that the cipher is in the list */
1102 if ((s->hit) && (i > 0)) 1065 if ((s->hit) && (i > 0)) {
1103 { 1066 j = 0;
1104 j=0; 1067 id = s->session->cipher->id;
1105 id=s->session->cipher->id;
1106 1068
1107#ifdef CIPHER_DEBUG 1069#ifdef CIPHER_DEBUG
1108 printf("client sent %d ciphers\n",sk_num(ciphers)); 1070 printf("client sent %d ciphers\n", sk_num(ciphers));
1109#endif 1071#endif
1110 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 1072 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1111 { 1073 c = sk_SSL_CIPHER_value(ciphers, i);
1112 c=sk_SSL_CIPHER_value(ciphers,i);
1113#ifdef CIPHER_DEBUG 1074#ifdef CIPHER_DEBUG
1114 printf("client [%2d of %2d]:%s\n", 1075 printf("client [%2d of %2d]:%s\n",
1115 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 1076 i, sk_num(ciphers), SSL_CIPHER_get_name(c));
1116#endif 1077#endif
1117 if (c->id == id) 1078 if (c->id == id) {
1118 { 1079 j = 1;
1119 j=1;
1120 break; 1080 break;
1121 }
1122 } 1081 }
1082 }
1123/* Disabled because it can be used in a ciphersuite downgrade 1083/* Disabled because it can be used in a ciphersuite downgrade
1124 * attack: CVE-2010-4180. 1084 * attack: CVE-2010-4180.
1125 */ 1085 */
1126#if 0 1086#if 0
1127 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 1087 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
1128 {
1129 /* Special case as client bug workaround: the previously used cipher may 1088 /* Special case as client bug workaround: the previously used cipher may
1130 * not be in the current list, the client instead might be trying to 1089 * not be in the current list, the client instead might be trying to
1131 * continue using a cipher that before wasn't chosen due to server 1090 * continue using a cipher that before wasn't chosen due to server
1132 * preferences. We'll have to reject the connection if the cipher is not 1091 * preferences. We'll have to reject the connection if the cipher is not
1133 * enabled, though. */ 1092 * enabled, though. */
1134 c = sk_SSL_CIPHER_value(ciphers, 0); 1093 c = sk_SSL_CIPHER_value(ciphers, 0);
1135 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 1094 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
1136 {
1137 s->session->cipher = c; 1095 s->session->cipher = c;
1138 j = 1; 1096 j = 1;
1139 }
1140 } 1097 }
1098 }
1141#endif 1099#endif
1142 if (j == 0) 1100 if (j == 0) {
1143 {
1144 /* we need to have the cipher in the cipher 1101 /* we need to have the cipher in the cipher
1145 * list if we are asked to reuse it */ 1102 * list if we are asked to reuse it */
1146 al=SSL_AD_ILLEGAL_PARAMETER; 1103 al = SSL_AD_ILLEGAL_PARAMETER;
1147 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 1104 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING);
1148 goto f_err; 1105 goto f_err;
1149 }
1150 } 1106 }
1107 }
1151 1108
1152 /* compression */ 1109 /* compression */
1153 i= *(p++); 1110 i= *(p++);
1154 if ((p+i) > (d+n)) 1111 if ((p + i) > (d + n)) {
1155 {
1156 /* not enough data */ 1112 /* not enough data */
1157 al=SSL_AD_DECODE_ERROR; 1113 al = SSL_AD_DECODE_ERROR;
1158 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1114 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1159 goto f_err; 1115 goto f_err;
1160 } 1116 }
1161 q=p; 1117 q = p;
1162 for (j=0; j<i; j++) 1118 for (j = 0; j < i; j++) {
1163 { 1119 if (p[j] == 0)
1164 if (p[j] == 0) break; 1120 break;
1165 } 1121 }
1166 1122
1167 p+=i; 1123 p += i;
1168 if (j >= i) 1124 if (j >= i) {
1169 {
1170 /* no compress */ 1125 /* no compress */
1171 al=SSL_AD_DECODE_ERROR; 1126 al = SSL_AD_DECODE_ERROR;
1172 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 1127 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1173 goto f_err; 1128 goto f_err;
1174 } 1129 }
1175 1130
1176#ifndef OPENSSL_NO_TLSEXT 1131#ifndef OPENSSL_NO_TLSEXT
1177 /* TLS extensions*/ 1132 /* TLS extensions*/
1178 if (s->version >= SSL3_VERSION) 1133 if (s->version >= SSL3_VERSION) {
1179 { 1134 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
1180 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
1181 {
1182 /* 'al' set by ssl_parse_clienthello_tlsext */ 1135 /* 'al' set by ssl_parse_clienthello_tlsext */
1183 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 1136 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1184 goto f_err; 1137 goto f_err;
1185 }
1186 }
1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1189 goto err;
1190 } 1138 }
1139 }
1140 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1141 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1142 goto err;
1143 }
1191 1144
1192 /* Check if we want to use external pre-shared secret for this 1145 /* Check if we want to use external pre-shared secret for this
1193 * handshake for not reused session only. We need to generate 1146 * handshake for not reused session only. We need to generate
@@ -1195,38 +1148,34 @@ int ssl3_get_client_hello(SSL *s)
1195 * SessionTicket processing to use it in key derivation. */ 1148 * SessionTicket processing to use it in key derivation. */
1196 { 1149 {
1197 unsigned char *pos; 1150 unsigned char *pos;
1198 pos=s->s3->server_random; 1151 pos = s->s3->server_random;
1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) 1152 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
1200 { 1153 al = SSL_AD_INTERNAL_ERROR;
1201 al=SSL_AD_INTERNAL_ERROR;
1202 goto f_err; 1154 goto f_err;
1203 } 1155 }
1204 } 1156 }
1205 1157
1206 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) 1158 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1207 { 1159 SSL_CIPHER *pref_cipher = NULL;
1208 SSL_CIPHER *pref_cipher=NULL;
1209 1160
1210 s->session->master_key_length=sizeof(s->session->master_key); 1161 s->session->master_key_length = sizeof(s->session->master_key);
1211 if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1162 if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
1212 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) 1163 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) {
1213 { 1164 s->hit = 1;
1214 s->hit=1; 1165 s->session->ciphers = ciphers;
1215 s->session->ciphers=ciphers; 1166 s->session->verify_result = X509_V_OK;
1216 s->session->verify_result=X509_V_OK;
1217 1167
1218 ciphers=NULL; 1168 ciphers = NULL;
1219 1169
1220 /* check if some cipher was preferred by call back */ 1170 /* check if some cipher was preferred by call back */
1221 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1171 pref_cipher = pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1222 if (pref_cipher == NULL) 1172 if (pref_cipher == NULL) {
1223 { 1173 al = SSL_AD_HANDSHAKE_FAILURE;
1224 al=SSL_AD_HANDSHAKE_FAILURE; 1174 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1225 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1226 goto f_err; 1175 goto f_err;
1227 } 1176 }
1228 1177
1229 s->session->cipher=pref_cipher; 1178 s->session->cipher = pref_cipher;
1230 1179
1231 if (s->cipher_list) 1180 if (s->cipher_list)
1232 sk_SSL_CIPHER_free(s->cipher_list); 1181 sk_SSL_CIPHER_free(s->cipher_list);
@@ -1236,165 +1185,144 @@ int ssl3_get_client_hello(SSL *s)
1236 1185
1237 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1186 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1238 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1187 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1239 }
1240 } 1188 }
1189 }
1241#endif 1190#endif
1242 1191
1243 /* Worst case, we will use the NULL compression, but if we have other 1192 /* Worst case, we will use the NULL compression, but if we have other
1244 * options, we will now look for them. We have i-1 compression 1193 * options, we will now look for them. We have i-1 compression
1245 * algorithms from the client, starting at q. */ 1194 * algorithms from the client, starting at q. */
1246 s->s3->tmp.new_compression=NULL; 1195 s->s3->tmp.new_compression = NULL;
1247#ifndef OPENSSL_NO_COMP 1196#ifndef OPENSSL_NO_COMP
1248 /* This only happens if we have a cache hit */ 1197 /* This only happens if we have a cache hit */
1249 if (s->session->compress_meth != 0) 1198 if (s->session->compress_meth != 0) {
1250 {
1251 int m, comp_id = s->session->compress_meth; 1199 int m, comp_id = s->session->compress_meth;
1252 /* Perform sanity checks on resumed compression algorithm */ 1200 /* Perform sanity checks on resumed compression algorithm */
1253 /* Can't disable compression */ 1201 /* Can't disable compression */
1254 if (s->options & SSL_OP_NO_COMPRESSION) 1202 if (s->options & SSL_OP_NO_COMPRESSION) {
1255 { 1203 al = SSL_AD_INTERNAL_ERROR;
1256 al=SSL_AD_INTERNAL_ERROR; 1204 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1257 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1258 goto f_err; 1205 goto f_err;
1259 } 1206 }
1260 /* Look for resumed compression method */ 1207 /* Look for resumed compression method */
1261 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) 1208 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1262 { 1209 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1263 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1210 if (comp_id == comp->id) {
1264 if (comp_id == comp->id) 1211 s->s3->tmp.new_compression = comp;
1265 {
1266 s->s3->tmp.new_compression=comp;
1267 break; 1212 break;
1268 }
1269 } 1213 }
1270 if (s->s3->tmp.new_compression == NULL) 1214 }
1271 { 1215 if (s->s3->tmp.new_compression == NULL) {
1272 al=SSL_AD_INTERNAL_ERROR; 1216 al = SSL_AD_INTERNAL_ERROR;
1273 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); 1217 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INVALID_COMPRESSION_ALGORITHM);
1274 goto f_err; 1218 goto f_err;
1275 } 1219 }
1276 /* Look for resumed method in compression list */ 1220 /* Look for resumed method in compression list */
1277 for (m = 0; m < i; m++) 1221 for (m = 0; m < i; m++) {
1278 {
1279 if (q[m] == comp_id) 1222 if (q[m] == comp_id)
1280 break; 1223 break;
1281 } 1224 }
1282 if (m >= i) 1225 if (m >= i) {
1283 { 1226 al = SSL_AD_ILLEGAL_PARAMETER;
1284 al=SSL_AD_ILLEGAL_PARAMETER; 1227 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1285 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1286 goto f_err; 1228 goto f_err;
1287 }
1288 } 1229 }
1289 else if (s->hit) 1230 } else if (s->hit)
1290 comp = NULL; 1231 comp = NULL;
1291 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) 1232 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
1292 { /* See if we have a match */ 1233 { /* See if we have a match */
1293 int m,nn,o,v,done=0; 1234 int m, nn, o, v, done = 0;
1294 1235
1295 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1236 nn = sk_SSL_COMP_num(s->ctx->comp_methods);
1296 for (m=0; m<nn; m++) 1237 for (m = 0; m < nn; m++) {
1297 { 1238 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1298 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1239 v = comp->id;
1299 v=comp->id; 1240 for (o = 0; o < i; o++) {
1300 for (o=0; o<i; o++) 1241 if (v == q[o]) {
1301 { 1242 done = 1;
1302 if (v == q[o])
1303 {
1304 done=1;
1305 break; 1243 break;
1306 }
1307 } 1244 }
1308 if (done) break;
1309 } 1245 }
1246 if (done)
1247 break;
1248 }
1310 if (done) 1249 if (done)
1311 s->s3->tmp.new_compression=comp; 1250 s->s3->tmp.new_compression = comp;
1312 else 1251 else
1313 comp=NULL; 1252 comp = NULL;
1314 } 1253 }
1315#else 1254#else
1316 /* If compression is disabled we'd better not try to resume a session 1255 /* If compression is disabled we'd better not try to resume a session
1317 * using compression. 1256 * using compression.
1318 */ 1257 */
1319 if (s->session->compress_meth != 0) 1258 if (s->session->compress_meth != 0) {
1320 { 1259 al = SSL_AD_INTERNAL_ERROR;
1321 al=SSL_AD_INTERNAL_ERROR; 1260 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1322 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1323 goto f_err; 1261 goto f_err;
1324 } 1262 }
1325#endif 1263#endif
1326 1264
1327 /* Given s->session->ciphers and SSL_get_ciphers, we must 1265 /* Given s->session->ciphers and SSL_get_ciphers, we must
1328 * pick a cipher */ 1266 * pick a cipher */
1329 1267
1330 if (!s->hit) 1268 if (!s->hit) {
1331 {
1332#ifdef OPENSSL_NO_COMP 1269#ifdef OPENSSL_NO_COMP
1333 s->session->compress_meth=0; 1270 s->session->compress_meth = 0;
1334#else 1271#else
1335 s->session->compress_meth=(comp == NULL)?0:comp->id; 1272 s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1336#endif 1273#endif
1337 if (s->session->ciphers != NULL) 1274 if (s->session->ciphers != NULL)
1338 sk_SSL_CIPHER_free(s->session->ciphers); 1275 sk_SSL_CIPHER_free(s->session->ciphers);
1339 s->session->ciphers=ciphers; 1276 s->session->ciphers = ciphers;
1340 if (ciphers == NULL) 1277 if (ciphers == NULL) {
1341 { 1278 al = SSL_AD_ILLEGAL_PARAMETER;
1342 al=SSL_AD_ILLEGAL_PARAMETER; 1279 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
1343 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
1344 goto f_err; 1280 goto f_err;
1345 } 1281 }
1346 ciphers=NULL; 1282 ciphers = NULL;
1347 c=ssl3_choose_cipher(s,s->session->ciphers, 1283 c = ssl3_choose_cipher(s, s->session->ciphers,
1348 SSL_get_ciphers(s)); 1284 SSL_get_ciphers(s));
1349 1285
1350 if (c == NULL) 1286 if (c == NULL) {
1351 { 1287 al = SSL_AD_HANDSHAKE_FAILURE;
1352 al=SSL_AD_HANDSHAKE_FAILURE; 1288 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1353 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1354 goto f_err; 1289 goto f_err;
1355 }
1356 s->s3->tmp.new_cipher=c;
1357 } 1290 }
1358 else 1291 s->s3->tmp.new_cipher = c;
1359 { 1292 } else {
1360 /* Session-id reuse */ 1293 /* Session-id reuse */
1361#ifdef REUSE_CIPHER_BUG 1294#ifdef REUSE_CIPHER_BUG
1362 STACK_OF(SSL_CIPHER) *sk; 1295 STACK_OF(SSL_CIPHER) *sk;
1363 SSL_CIPHER *nc=NULL; 1296 SSL_CIPHER *nc = NULL;
1364 SSL_CIPHER *ec=NULL; 1297 SSL_CIPHER *ec = NULL;
1365 1298
1366 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1299 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
1367 { 1300 sk = s->session->ciphers;
1368 sk=s->session->ciphers; 1301 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
1369 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1302 c = sk_SSL_CIPHER_value(sk, i);
1370 {
1371 c=sk_SSL_CIPHER_value(sk,i);
1372 if (c->algorithm_enc & SSL_eNULL) 1303 if (c->algorithm_enc & SSL_eNULL)
1373 nc=c; 1304 nc = c;
1374 if (SSL_C_IS_EXPORT(c)) 1305 if (SSL_C_IS_EXPORT(c))
1375 ec=c; 1306 ec = c;
1376 } 1307 }
1377 if (nc != NULL) 1308 if (nc != NULL)
1378 s->s3->tmp.new_cipher=nc; 1309 s->s3->tmp.new_cipher = nc;
1379 else if (ec != NULL) 1310 else if (ec != NULL)
1380 s->s3->tmp.new_cipher=ec; 1311 s->s3->tmp.new_cipher = ec;
1381 else 1312 else
1382 s->s3->tmp.new_cipher=s->session->cipher; 1313 s->s3->tmp.new_cipher = s->session->cipher;
1383 } 1314 } else
1384 else
1385#endif 1315#endif
1386 s->s3->tmp.new_cipher=s->session->cipher; 1316 s->s3->tmp.new_cipher = s->session->cipher;
1387 } 1317 }
1388 1318
1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1319 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) {
1390 { 1320 if (!ssl3_digest_cached_records(s)) {
1391 if (!ssl3_digest_cached_records(s))
1392 {
1393 al = SSL_AD_INTERNAL_ERROR; 1321 al = SSL_AD_INTERNAL_ERROR;
1394 goto f_err; 1322 goto f_err;
1395 }
1396 } 1323 }
1397 1324 }
1325
1398 /* we now have the following setup. 1326 /* we now have the following setup.
1399 * client_random 1327 * client_random
1400 * cipher_list - our prefered list of ciphers 1328 * cipher_list - our prefered list of ciphers
@@ -1407,50 +1335,49 @@ int ssl3_get_client_hello(SSL *s)
1407 */ 1335 */
1408 1336
1409 /* Handles TLS extensions that we couldn't check earlier */ 1337 /* Handles TLS extensions that we couldn't check earlier */
1410 if (s->version >= SSL3_VERSION) 1338 if (s->version >= SSL3_VERSION) {
1411 { 1339 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1412 if (ssl_check_clienthello_tlsext_late(s) <= 0)
1413 {
1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1340 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1415 goto err; 1341 goto err;
1416 }
1417 } 1342 }
1343 }
1418 1344
1419 if (ret < 0) ret=1; 1345 if (ret < 0)
1420 if (0) 1346 ret = 1;
1421 { 1347 if (0) {
1422f_err: 1348f_err:
1423 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1349 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1424 }
1425err:
1426 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
1427 return(ret);
1428 } 1350 }
1351err:
1352 if (ciphers != NULL)
1353 sk_SSL_CIPHER_free(ciphers);
1354 return (ret);
1355}
1429 1356
1430int ssl3_send_server_hello(SSL *s) 1357int
1431 { 1358ssl3_send_server_hello(SSL *s)
1359{
1432 unsigned char *buf; 1360 unsigned char *buf;
1433 unsigned char *p,*d; 1361 unsigned char *p, *d;
1434 int i,sl; 1362 int i, sl;
1435 unsigned long l; 1363 unsigned long l;
1436 1364
1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1365 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1438 { 1366 buf = (unsigned char *)s->init_buf->data;
1439 buf=(unsigned char *)s->init_buf->data;
1440#ifdef OPENSSL_NO_TLSEXT 1367#ifdef OPENSSL_NO_TLSEXT
1441 p=s->s3->server_random; 1368 p = s->s3->server_random;
1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1369 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1443 return -1; 1370 return -1;
1444#endif 1371#endif
1445 /* Do the message type and length last */ 1372 /* Do the message type and length last */
1446 d=p= &(buf[4]); 1373 d = p= &(buf[4]);
1447 1374
1448 *(p++)=s->version>>8; 1375 *(p++) = s->version >> 8;
1449 *(p++)=s->version&0xff; 1376 *(p++) = s->version&0xff;
1450 1377
1451 /* Random stuff */ 1378 /* Random stuff */
1452 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1379 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1453 p+=SSL3_RANDOM_SIZE; 1380 p += SSL3_RANDOM_SIZE;
1454 1381
1455 /* There are several cases for the session ID to send 1382 /* There are several cases for the session ID to send
1456 * back in the server hello: 1383 * back in the server hello:
@@ -1469,317 +1396,287 @@ int ssl3_send_server_hello(SSL *s)
1469 */ 1396 */
1470 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1397 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1471 && !s->hit) 1398 && !s->hit)
1472 s->session->session_id_length=0; 1399 s->session->session_id_length = 0;
1473 1400
1474 sl=s->session->session_id_length; 1401 sl = s->session->session_id_length;
1475 if (sl > (int)sizeof(s->session->session_id)) 1402 if (sl > (int)sizeof(s->session->session_id)) {
1476 {
1477 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1403 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1478 return -1; 1404 return -1;
1479 } 1405 }
1480 *(p++)=sl; 1406 *(p++) = sl;
1481 memcpy(p,s->session->session_id,sl); 1407 memcpy(p, s->session->session_id, sl);
1482 p+=sl; 1408 p += sl;
1483 1409
1484 /* put the cipher */ 1410 /* put the cipher */
1485 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1411 i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
1486 p+=i; 1412 p += i;
1487 1413
1488 /* put the compression method */ 1414 /* put the compression method */
1489#ifdef OPENSSL_NO_COMP 1415#ifdef OPENSSL_NO_COMP
1490 *(p++)=0; 1416 *(p++) = 0;
1491#else 1417#else
1492 if (s->s3->tmp.new_compression == NULL) 1418 if (s->s3->tmp.new_compression == NULL)
1493 *(p++)=0; 1419 *(p++) = 0;
1494 else 1420 else
1495 *(p++)=s->s3->tmp.new_compression->id; 1421 *(p++) = s->s3->tmp.new_compression->id;
1496#endif 1422#endif
1497#ifndef OPENSSL_NO_TLSEXT 1423#ifndef OPENSSL_NO_TLSEXT
1498 if (ssl_prepare_serverhello_tlsext(s) <= 0) 1424 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1499 { 1425 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1500 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1501 return -1; 1426 return -1;
1502 } 1427 }
1503 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1428 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1504 { 1429 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1505 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
1506 return -1; 1430 return -1;
1507 } 1431 }
1508#endif 1432#endif
1509 /* do the header */ 1433 /* do the header */
1510 l=(p-d); 1434 l = (p - d);
1511 d=buf; 1435 d = buf;
1512 *(d++)=SSL3_MT_SERVER_HELLO; 1436 *(d++) = SSL3_MT_SERVER_HELLO;
1513 l2n3(l,d); 1437 l2n3(l, d);
1514 1438
1515 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1439 s->state = SSL3_ST_SW_SRVR_HELLO_B;
1516 /* number of bytes to write */ 1440 /* number of bytes to write */
1517 s->init_num=p-buf; 1441 s->init_num = p - buf;
1518 s->init_off=0; 1442 s->init_off = 0;
1519 } 1443 }
1520 1444
1521 /* SSL3_ST_SW_SRVR_HELLO_B */ 1445 /* SSL3_ST_SW_SRVR_HELLO_B */
1522 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1446 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1523 } 1447}
1524 1448
1525int ssl3_send_server_done(SSL *s) 1449int
1526 { 1450ssl3_send_server_done(SSL *s)
1451{
1527 unsigned char *p; 1452 unsigned char *p;
1528 1453
1529 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1454 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1530 { 1455 p = (unsigned char *)s->init_buf->data;
1531 p=(unsigned char *)s->init_buf->data;
1532 1456
1533 /* do the header */ 1457 /* do the header */
1534 *(p++)=SSL3_MT_SERVER_DONE; 1458 *(p++) = SSL3_MT_SERVER_DONE;
1535 *(p++)=0; 1459 *(p++) = 0;
1536 *(p++)=0; 1460 *(p++) = 0;
1537 *(p++)=0; 1461 *(p++) = 0;
1538 1462
1539 s->state=SSL3_ST_SW_SRVR_DONE_B; 1463 s->state = SSL3_ST_SW_SRVR_DONE_B;
1540 /* number of bytes to write */ 1464 /* number of bytes to write */
1541 s->init_num=4; 1465 s->init_num = 4;
1542 s->init_off=0; 1466 s->init_off = 0;
1543 } 1467 }
1544 1468
1545 /* SSL3_ST_SW_SRVR_DONE_B */ 1469 /* SSL3_ST_SW_SRVR_DONE_B */
1546 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1470 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1547 } 1471}
1548 1472
1549int ssl3_send_server_key_exchange(SSL *s) 1473int
1550 { 1474ssl3_send_server_key_exchange(SSL *s)
1475{
1551#ifndef OPENSSL_NO_RSA 1476#ifndef OPENSSL_NO_RSA
1552 unsigned char *q; 1477 unsigned char *q;
1553 int j,num; 1478 int j, num;
1554 RSA *rsa; 1479 RSA *rsa;
1555 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1480 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1556 unsigned int u; 1481 unsigned int u;
1557#endif 1482#endif
1558#ifndef OPENSSL_NO_DH 1483#ifndef OPENSSL_NO_DH
1559 DH *dh=NULL,*dhp; 1484 DH *dh = NULL, *dhp;
1560#endif 1485#endif
1561#ifndef OPENSSL_NO_ECDH 1486#ifndef OPENSSL_NO_ECDH
1562 EC_KEY *ecdh=NULL, *ecdhp; 1487 EC_KEY *ecdh = NULL, *ecdhp;
1563 unsigned char *encodedPoint = NULL; 1488 unsigned char *encodedPoint = NULL;
1564 int encodedlen = 0; 1489 int encodedlen = 0;
1565 int curve_id = 0; 1490 int curve_id = 0;
1566 BN_CTX *bn_ctx = NULL; 1491 BN_CTX *bn_ctx = NULL;
1492
1567#endif 1493#endif
1568 EVP_PKEY *pkey; 1494 EVP_PKEY *pkey;
1569 const EVP_MD *md = NULL; 1495 const EVP_MD *md = NULL;
1570 unsigned char *p,*d; 1496 unsigned char *p, *d;
1571 int al,i; 1497 int al, i;
1572 unsigned long type; 1498 unsigned long type;
1573 int n; 1499 int n;
1574 CERT *cert; 1500 CERT *cert;
1575 BIGNUM *r[4]; 1501 BIGNUM *r[4];
1576 int nr[4],kn; 1502 int nr[4], kn;
1577 BUF_MEM *buf; 1503 BUF_MEM *buf;
1578 EVP_MD_CTX md_ctx; 1504 EVP_MD_CTX md_ctx;
1579 1505
1580 EVP_MD_CTX_init(&md_ctx); 1506 EVP_MD_CTX_init(&md_ctx);
1581 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1507 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1582 { 1508 type = s->s3->tmp.new_cipher->algorithm_mkey;
1583 type=s->s3->tmp.new_cipher->algorithm_mkey; 1509 cert = s->cert;
1584 cert=s->cert;
1585 1510
1586 buf=s->init_buf; 1511 buf = s->init_buf;
1587 1512
1588 r[0]=r[1]=r[2]=r[3]=NULL; 1513 r[0] = r[1] = r[2] = r[3] = NULL;
1589 n=0; 1514 n = 0;
1590#ifndef OPENSSL_NO_RSA 1515#ifndef OPENSSL_NO_RSA
1591 if (type & SSL_kRSA) 1516 if (type & SSL_kRSA) {
1592 { 1517 rsa = cert->rsa_tmp;
1593 rsa=cert->rsa_tmp; 1518 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
1594 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1519 rsa = s->cert->rsa_tmp_cb(s,
1595 { 1520 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1596 rsa=s->cert->rsa_tmp_cb(s, 1521 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1597 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1522 if (rsa == NULL) {
1598 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1523 al = SSL_AD_HANDSHAKE_FAILURE;
1599 if(rsa == NULL) 1524 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1600 {
1601 al=SSL_AD_HANDSHAKE_FAILURE;
1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1603 goto f_err; 1525 goto f_err;
1604 } 1526 }
1605 RSA_up_ref(rsa); 1527 RSA_up_ref(rsa);
1606 cert->rsa_tmp=rsa; 1528 cert->rsa_tmp = rsa;
1607 } 1529 }
1608 if (rsa == NULL) 1530 if (rsa == NULL) {
1609 { 1531 al = SSL_AD_HANDSHAKE_FAILURE;
1610 al=SSL_AD_HANDSHAKE_FAILURE; 1532 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY);
1611 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
1612 goto f_err; 1533 goto f_err;
1613 }
1614 r[0]=rsa->n;
1615 r[1]=rsa->e;
1616 s->s3->tmp.use_rsa_tmp=1;
1617 } 1534 }
1618 else 1535 r[0] = rsa->n;
1536 r[1] = rsa->e;
1537 s->s3->tmp.use_rsa_tmp = 1;
1538 } else
1619#endif 1539#endif
1620#ifndef OPENSSL_NO_DH 1540#ifndef OPENSSL_NO_DH
1621 if (type & SSL_kEDH) 1541 if (type & SSL_kEDH) {
1622 { 1542 dhp = cert->dh_tmp;
1623 dhp=cert->dh_tmp;
1624 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1543 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1625 dhp=s->cert->dh_tmp_cb(s, 1544 dhp = s->cert->dh_tmp_cb(s,
1626 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1545 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1627 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1546 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1628 if (dhp == NULL) 1547 if (dhp == NULL) {
1629 { 1548 al = SSL_AD_HANDSHAKE_FAILURE;
1630 al=SSL_AD_HANDSHAKE_FAILURE; 1549 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
1631 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1632 goto f_err; 1550 goto f_err;
1633 } 1551 }
1634 1552
1635 if (s->s3->tmp.dh != NULL) 1553 if (s->s3->tmp.dh != NULL) {
1636 {
1637 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1554 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1638 goto err; 1555 goto err;
1639 } 1556 }
1640 1557
1641 if ((dh=DHparams_dup(dhp)) == NULL) 1558 if ((dh = DHparams_dup(dhp)) == NULL) {
1642 { 1559 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1643 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1644 goto err; 1560 goto err;
1645 } 1561 }
1646 1562
1647 s->s3->tmp.dh=dh; 1563 s->s3->tmp.dh = dh;
1648 if ((dhp->pub_key == NULL || 1564 if ((dhp->pub_key == NULL || dhp->priv_key == NULL ||
1649 dhp->priv_key == NULL || 1565 (s->options & SSL_OP_SINGLE_DH_USE))) {
1650 (s->options & SSL_OP_SINGLE_DH_USE))) 1566 if (!DH_generate_key(dh)) {
1651 { 1567 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1652 if(!DH_generate_key(dh)) 1568 ERR_R_DH_LIB);
1653 { 1569 goto err;
1654 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1655 ERR_R_DH_LIB);
1656 goto err;
1657 }
1658 } 1570 }
1659 else 1571 } else {
1660 { 1572 dh->pub_key = BN_dup(dhp->pub_key);
1661 dh->pub_key=BN_dup(dhp->pub_key); 1573 dh->priv_key = BN_dup(dhp->priv_key);
1662 dh->priv_key=BN_dup(dhp->priv_key);
1663 if ((dh->pub_key == NULL) || 1574 if ((dh->pub_key == NULL) ||
1664 (dh->priv_key == NULL)) 1575 (dh->priv_key == NULL)) {
1665 { 1576 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1666 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1667 goto err; 1577 goto err;
1668 }
1669 } 1578 }
1670 r[0]=dh->p;
1671 r[1]=dh->g;
1672 r[2]=dh->pub_key;
1673 } 1579 }
1674 else 1580 r[0] = dh->p;
1581 r[1] = dh->g;
1582 r[2] = dh->pub_key;
1583 } else
1675#endif 1584#endif
1676#ifndef OPENSSL_NO_ECDH 1585#ifndef OPENSSL_NO_ECDH
1677 if (type & SSL_kEECDH) 1586 if (type & SSL_kEECDH) {
1678 {
1679 const EC_GROUP *group; 1587 const EC_GROUP *group;
1680 1588
1681 ecdhp=cert->ecdh_tmp; 1589 ecdhp = cert->ecdh_tmp;
1682 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1590 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
1683 { 1591 ecdhp = s->cert->ecdh_tmp_cb(
1684 ecdhp=s->cert->ecdh_tmp_cb(s, 1592 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1685 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1593 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1686 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1594 }
1687 } 1595 if (ecdhp == NULL) {
1688 if (ecdhp == NULL) 1596 al = SSL_AD_HANDSHAKE_FAILURE;
1689 { 1597 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
1690 al=SSL_AD_HANDSHAKE_FAILURE;
1691 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
1692 goto f_err; 1598 goto f_err;
1693 } 1599 }
1694 1600
1695 if (s->s3->tmp.ecdh != NULL) 1601 if (s->s3->tmp.ecdh != NULL) {
1696 {
1697 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1698 goto err; 1603 goto err;
1699 } 1604 }
1700 1605
1701 /* Duplicate the ECDH structure. */ 1606 /* Duplicate the ECDH structure. */
1702 if (ecdhp == NULL) 1607 if (ecdhp == NULL) {
1703 { 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1704 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1705 goto err; 1609 goto err;
1706 } 1610 }
1707 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1611 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1708 { 1612 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1709 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1710 goto err; 1613 goto err;
1711 } 1614 }
1712 1615
1713 s->s3->tmp.ecdh=ecdh; 1616 s->s3->tmp.ecdh = ecdh;
1714 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1617 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1715 (EC_KEY_get0_private_key(ecdh) == NULL) || 1618 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1716 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1619 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1717 { 1620 if (!EC_KEY_generate_key(ecdh)) {
1718 if(!EC_KEY_generate_key(ecdh)) 1621 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1719 { 1622 goto err;
1720 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1721 goto err;
1722 }
1723 } 1623 }
1624 }
1724 1625
1725 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1626 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1726 (EC_KEY_get0_public_key(ecdh) == NULL) || 1627 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1727 (EC_KEY_get0_private_key(ecdh) == NULL)) 1628 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1728 { 1629 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1730 goto err; 1630 goto err;
1731 } 1631 }
1732 1632
1733 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1633 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1734 (EC_GROUP_get_degree(group) > 163)) 1634 (EC_GROUP_get_degree(group) > 163)) {
1735 { 1635 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1736 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1737 goto err; 1636 goto err;
1738 } 1637 }
1739 1638
1740 /* XXX: For now, we only support ephemeral ECDH 1639 /* XXX: For now, we only support ephemeral ECDH
1741 * keys over named (not generic) curves. For 1640 * keys over named (not generic) curves. For
1742 * supported named curves, curve_id is non-zero. 1641 * supported named curves, curve_id is non-zero.
1743 */ 1642 */
1744 if ((curve_id = 1643 if ((curve_id = tls1_ec_nid2curve_id(
1745 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1644 EC_GROUP_get_curve_name(group))) == 0) {
1746 == 0) 1645 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1747 {
1748 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1749 goto err; 1646 goto err;
1750 } 1647 }
1751 1648
1752 /* Encode the public key. 1649 /* Encode the public key.
1753 * First check the size of encoding and 1650 * First check the size of encoding and
1754 * allocate memory accordingly. 1651 * allocate memory accordingly.
1755 */ 1652 */
1756 encodedlen = EC_POINT_point2oct(group, 1653 encodedlen = EC_POINT_point2oct(group,
1757 EC_KEY_get0_public_key(ecdh), 1654 EC_KEY_get0_public_key(ecdh),
1758 POINT_CONVERSION_UNCOMPRESSED, 1655 POINT_CONVERSION_UNCOMPRESSED,
1759 NULL, 0, NULL); 1656 NULL, 0, NULL);
1657
1658 encodedPoint = (unsigned char *)
1659 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1760 1660
1761 encodedPoint = (unsigned char *)
1762 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1763 bn_ctx = BN_CTX_new(); 1661 bn_ctx = BN_CTX_new();
1764 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1662 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1765 { 1663 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1766 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1767 goto err; 1664 goto err;
1768 } 1665 }
1769 1666
1770 1667
1771 encodedlen = EC_POINT_point2oct(group, 1668 encodedlen = EC_POINT_point2oct(group,
1772 EC_KEY_get0_public_key(ecdh), 1669 EC_KEY_get0_public_key(ecdh),
1773 POINT_CONVERSION_UNCOMPRESSED, 1670 POINT_CONVERSION_UNCOMPRESSED,
1774 encodedPoint, encodedlen, bn_ctx); 1671 encodedPoint, encodedlen, bn_ctx);
1775 1672
1776 if (encodedlen == 0) 1673 if (encodedlen == 0) {
1777 { 1674 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1778 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1779 goto err; 1675 goto err;
1780 } 1676 }
1781 1677
1782 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1678 BN_CTX_free(bn_ctx);
1679 bn_ctx = NULL;
1783 1680
1784 /* XXX: For now, we only support named (not 1681 /* XXX: For now, we only support named (not
1785 * generic) curves in ECDH ephemeral key exchanges. 1682 * generic) curves in ECDH ephemeral key exchanges.
@@ -1792,98 +1689,80 @@ int ssl3_send_server_key_exchange(SSL *s)
1792 /* We'll generate the serverKeyExchange message 1689 /* We'll generate the serverKeyExchange message
1793 * explicitly so we can set these to NULLs 1690 * explicitly so we can set these to NULLs
1794 */ 1691 */
1795 r[0]=NULL; 1692 r[0] = NULL;
1796 r[1]=NULL; 1693 r[1] = NULL;
1797 r[2]=NULL; 1694 r[2] = NULL;
1798 r[3]=NULL; 1695 r[3] = NULL;
1799 } 1696 } else
1800 else
1801#endif /* !OPENSSL_NO_ECDH */ 1697#endif /* !OPENSSL_NO_ECDH */
1802#ifndef OPENSSL_NO_PSK 1698#ifndef OPENSSL_NO_PSK
1803 if (type & SSL_kPSK) 1699 if (type & SSL_kPSK) {
1804 { 1700 /* reserve size for record length and PSK identity hint*/
1805 /* reserve size for record length and PSK identity hint*/ 1701 n += 2 + strlen(s->ctx->psk_identity_hint);
1806 n+=2+strlen(s->ctx->psk_identity_hint); 1702 } else
1807 }
1808 else
1809#endif /* !OPENSSL_NO_PSK */ 1703#endif /* !OPENSSL_NO_PSK */
1810#ifndef OPENSSL_NO_SRP 1704#ifndef OPENSSL_NO_SRP
1811 if (type & SSL_kSRP) 1705 if (type & SSL_kSRP) {
1812 { 1706 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
1813 if ((s->srp_ctx.N == NULL) || 1707 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
1814 (s->srp_ctx.g == NULL) || 1708 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
1815 (s->srp_ctx.s == NULL) ||
1816 (s->srp_ctx.B == NULL))
1817 {
1818 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM);
1819 goto err; 1709 goto err;
1820 }
1821 r[0]=s->srp_ctx.N;
1822 r[1]=s->srp_ctx.g;
1823 r[2]=s->srp_ctx.s;
1824 r[3]=s->srp_ctx.B;
1825 } 1710 }
1826 else 1711 r[0] = s->srp_ctx.N;
1712 r[1] = s->srp_ctx.g;
1713 r[2] = s->srp_ctx.s;
1714 r[3] = s->srp_ctx.B;
1715 } else
1827#endif 1716#endif
1828 { 1717 {
1829 al=SSL_AD_HANDSHAKE_FAILURE; 1718 al = SSL_AD_HANDSHAKE_FAILURE;
1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1719 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1831 goto f_err; 1720 goto f_err;
1832 } 1721 }
1833 for (i=0; i < 4 && r[i] != NULL; i++) 1722 for (i = 0; i < 4 && r[i] != NULL; i++) {
1834 { 1723 nr[i] = BN_num_bytes(r[i]);
1835 nr[i]=BN_num_bytes(r[i]);
1836#ifndef OPENSSL_NO_SRP 1724#ifndef OPENSSL_NO_SRP
1837 if ((i == 2) && (type & SSL_kSRP)) 1725 if ((i == 2) && (type & SSL_kSRP))
1838 n+=1+nr[i]; 1726 n += 1 + nr[i];
1839 else 1727 else
1840#endif 1728#endif
1841 n+=2+nr[i]; 1729 n += 2 + nr[i];
1842 } 1730 }
1843 1731
1844 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1732 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
1845 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1733 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1846 { 1734 if ((pkey = ssl_get_sign_pkey(
1847 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) 1735 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1848 == NULL) 1736 al = SSL_AD_DECODE_ERROR;
1849 {
1850 al=SSL_AD_DECODE_ERROR;
1851 goto f_err; 1737 goto f_err;
1852 }
1853 kn=EVP_PKEY_size(pkey);
1854 }
1855 else
1856 {
1857 pkey=NULL;
1858 kn=0;
1859 } 1738 }
1739 kn = EVP_PKEY_size(pkey);
1740 } else {
1741 pkey = NULL;
1742 kn = 0;
1743 }
1860 1744
1861 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1745 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) {
1862 { 1746 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
1863 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1864 goto err; 1747 goto err;
1865 } 1748 }
1866 d=(unsigned char *)s->init_buf->data; 1749 d = (unsigned char *)s->init_buf->data;
1867 p= &(d[4]); 1750 p = &(d[4]);
1868 1751
1869 for (i=0; i < 4 && r[i] != NULL; i++) 1752 for (i = 0; i < 4 && r[i] != NULL; i++) {
1870 {
1871#ifndef OPENSSL_NO_SRP 1753#ifndef OPENSSL_NO_SRP
1872 if ((i == 2) && (type & SSL_kSRP)) 1754 if ((i == 2) && (type & SSL_kSRP)) {
1873 {
1874 *p = nr[i]; 1755 *p = nr[i];
1875 p++; 1756 p++;
1876 } 1757 } else
1877 else
1878#endif 1758#endif
1879 s2n(nr[i],p); 1759 s2n(nr[i], p);
1880 BN_bn2bin(r[i],p); 1760 BN_bn2bin(r[i], p);
1881 p+=nr[i]; 1761 p += nr[i];
1882 } 1762 }
1883 1763
1884#ifndef OPENSSL_NO_ECDH 1764#ifndef OPENSSL_NO_ECDH
1885 if (type & SSL_kEECDH) 1765 if (type & SSL_kEECDH) {
1886 {
1887 /* XXX: For now, we only support named (not generic) curves. 1766 /* XXX: For now, we only support named (not generic) curves.
1888 * In this situation, the serverKeyExchange message has: 1767 * In this situation, the serverKeyExchange message has:
1889 * [1 byte CurveType], [2 byte CurveName] 1768 * [1 byte CurveType], [2 byte CurveName]
@@ -1898,236 +1777,220 @@ int ssl3_send_server_key_exchange(SSL *s)
1898 p += 1; 1777 p += 1;
1899 *p = encodedlen; 1778 *p = encodedlen;
1900 p += 1; 1779 p += 1;
1901 memcpy((unsigned char*)p, 1780 memcpy((unsigned char*)p,
1902 (unsigned char *)encodedPoint, 1781 (unsigned char *)encodedPoint, encodedlen);
1903 encodedlen);
1904 OPENSSL_free(encodedPoint); 1782 OPENSSL_free(encodedPoint);
1905 encodedPoint = NULL; 1783 encodedPoint = NULL;
1906 p += encodedlen; 1784 p += encodedlen;
1907 } 1785 }
1908#endif 1786#endif
1909 1787
1910#ifndef OPENSSL_NO_PSK 1788#ifndef OPENSSL_NO_PSK
1911 if (type & SSL_kPSK) 1789 if (type & SSL_kPSK) {
1912 {
1913 /* copy PSK identity hint */ 1790 /* copy PSK identity hint */
1914 s2n(strlen(s->ctx->psk_identity_hint), p); 1791 s2n(strlen(s->ctx->psk_identity_hint), p);
1792
1915 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 1793 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
1916 p+=strlen(s->ctx->psk_identity_hint); 1794 p += strlen(s->ctx->psk_identity_hint);
1917 } 1795 }
1918#endif 1796#endif
1919 1797
1920 /* not anonymous */ 1798 /* not anonymous */
1921 if (pkey != NULL) 1799 if (pkey != NULL) {
1922 {
1923 /* n is the length of the params, they start at &(d[4]) 1800 /* n is the length of the params, they start at &(d[4])
1924 * and p points to the space at the end. */ 1801 * and p points to the space at the end. */
1925#ifndef OPENSSL_NO_RSA 1802#ifndef OPENSSL_NO_RSA
1926 if (pkey->type == EVP_PKEY_RSA 1803 if (pkey->type == EVP_PKEY_RSA
1927 && TLS1_get_version(s) < TLS1_2_VERSION) 1804 && TLS1_get_version(s) < TLS1_2_VERSION) {
1928 { 1805 q = md_buf;
1929 q=md_buf; 1806 j = 0;
1930 j=0; 1807 for (num = 2; num > 0; num--) {
1931 for (num=2; num > 0; num--)
1932 {
1933 EVP_MD_CTX_set_flags(&md_ctx, 1808 EVP_MD_CTX_set_flags(&md_ctx,
1934 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1809 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1935 EVP_DigestInit_ex(&md_ctx,(num == 2) 1810 EVP_DigestInit_ex(&md_ctx,
1936 ?s->ctx->md5:s->ctx->sha1, NULL); 1811 (num == 2) ? s->ctx->md5 : s->ctx->sha1, NULL);
1937 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1812 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1938 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1813 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1939 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1814 EVP_DigestUpdate(&md_ctx, &(d[4]), n);
1940 EVP_DigestFinal_ex(&md_ctx,q, 1815 EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
1941 (unsigned int *)&i); 1816 q += i;
1942 q+=i; 1817 j += i;
1943 j+=i; 1818 }
1944 }
1945 if (RSA_sign(NID_md5_sha1, md_buf, j, 1819 if (RSA_sign(NID_md5_sha1, md_buf, j,
1946 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1820 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1947 { 1821 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
1948 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1949 goto err; 1822 goto err;
1950 }
1951 s2n(u,p);
1952 n+=u+2;
1953 } 1823 }
1954 else 1824 s2n(u, p);
1825 n += u + 2;
1826 } else
1955#endif 1827#endif
1956 if (md) 1828 if (md) {
1957 {
1958 /* For TLS1.2 and later send signature 1829 /* For TLS1.2 and later send signature
1959 * algorithm */ 1830 * algorithm */
1960 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1831 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1961 { 1832 if (!tls12_get_sigandhash(p, pkey, md)) {
1962 if (!tls12_get_sigandhash(p, pkey, md))
1963 {
1964 /* Should never happen */ 1833 /* Should never happen */
1965 al=SSL_AD_INTERNAL_ERROR; 1834 al = SSL_AD_INTERNAL_ERROR;
1966 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1835 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1967 goto f_err; 1836 goto f_err;
1968 }
1969 p+=2;
1970 } 1837 }
1838 p += 2;
1839 }
1971#ifdef SSL_DEBUG 1840#ifdef SSL_DEBUG
1972 fprintf(stderr, "Using hash %s\n", 1841 fprintf(stderr, "Using hash %s\n",
1973 EVP_MD_name(md)); 1842 EVP_MD_name(md));
1974#endif 1843#endif
1975 EVP_SignInit_ex(&md_ctx, md, NULL); 1844 EVP_SignInit_ex(&md_ctx, md, NULL);
1976 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1845 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1977 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1846 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1978 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1847 EVP_SignUpdate(&md_ctx, &(d[4]), n);
1979 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1848 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1980 (unsigned int *)&i,pkey)) 1849 (unsigned int *)&i, pkey)) {
1981 { 1850 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
1982 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP);
1983 goto err; 1851 goto err;
1984 }
1985 s2n(i,p);
1986 n+=i+2;
1987 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1988 n+= 2;
1989 } 1852 }
1990 else 1853 s2n(i, p);
1991 { 1854 n += i + 2;
1855 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1856 n += 2;
1857 } else {
1992 /* Is this error check actually needed? */ 1858 /* Is this error check actually needed? */
1993 al=SSL_AD_HANDSHAKE_FAILURE; 1859 al = SSL_AD_HANDSHAKE_FAILURE;
1994 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1860 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_PKEY_TYPE);
1995 goto f_err; 1861 goto f_err;
1996 }
1997 } 1862 }
1863 }
1998 1864
1999 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1865 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
2000 l2n3(n,d); 1866 l2n3(n, d);
2001 1867
2002 /* we should now have things packed up, so lets send 1868 /* we should now have things packed up, so lets send
2003 * it off */ 1869 * it off */
2004 s->init_num=n+4; 1870 s->init_num = n + 4;
2005 s->init_off=0; 1871 s->init_off = 0;
2006 } 1872 }
2007 1873
2008 s->state = SSL3_ST_SW_KEY_EXCH_B; 1874 s->state = SSL3_ST_SW_KEY_EXCH_B;
2009 EVP_MD_CTX_cleanup(&md_ctx); 1875 EVP_MD_CTX_cleanup(&md_ctx);
2010 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1876 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2011f_err: 1877f_err:
2012 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1878 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2013err: 1879err:
2014#ifndef OPENSSL_NO_ECDH 1880#ifndef OPENSSL_NO_ECDH
2015 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1881 if (encodedPoint != NULL)
1882 OPENSSL_free(encodedPoint);
2016 BN_CTX_free(bn_ctx); 1883 BN_CTX_free(bn_ctx);
2017#endif 1884#endif
2018 EVP_MD_CTX_cleanup(&md_ctx); 1885 EVP_MD_CTX_cleanup(&md_ctx);
2019 return(-1); 1886 return (-1);
2020 } 1887}
2021 1888
2022int ssl3_send_certificate_request(SSL *s) 1889int
2023 { 1890ssl3_send_certificate_request(SSL *s)
2024 unsigned char *p,*d; 1891{
2025 int i,j,nl,off,n; 1892 unsigned char *p, *d;
2026 STACK_OF(X509_NAME) *sk=NULL; 1893 int i, j, nl, off, n;
1894 STACK_OF(X509_NAME) *sk = NULL;
2027 X509_NAME *name; 1895 X509_NAME *name;
2028 BUF_MEM *buf; 1896 BUF_MEM *buf;
2029 1897
2030 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1898 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
2031 { 1899 buf = s->init_buf;
2032 buf=s->init_buf;
2033 1900
2034 d=p=(unsigned char *)&(buf->data[4]); 1901 d = p = (unsigned char *)&(buf->data[4]);
2035 1902
2036 /* get the list of acceptable cert types */ 1903 /* get the list of acceptable cert types */
2037 p++; 1904 p++;
2038 n=ssl3_get_req_cert_type(s,p); 1905 n = ssl3_get_req_cert_type(s, p);
2039 d[0]=n; 1906 d[0] = n;
2040 p+=n; 1907 p += n;
2041 n++; 1908 n++;
2042 1909
2043 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1910 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2044 {
2045 nl = tls12_get_req_sig_algs(s, p + 2); 1911 nl = tls12_get_req_sig_algs(s, p + 2);
2046 s2n(nl, p); 1912 s2n(nl, p);
2047 p += nl + 2; 1913 p += nl + 2;
2048 n += nl + 2; 1914 n += nl + 2;
2049 } 1915 }
2050
2051 off=n;
2052 p+=2;
2053 n+=2;
2054 1916
2055 sk=SSL_get_client_CA_list(s); 1917 off = n;
2056 nl=0; 1918 p += 2;
2057 if (sk != NULL) 1919 n += 2;
2058 { 1920
2059 for (i=0; i<sk_X509_NAME_num(sk); i++) 1921 sk = SSL_get_client_CA_list(s);
2060 { 1922 nl = 0;
2061 name=sk_X509_NAME_value(sk,i); 1923 if (sk != NULL) {
2062 j=i2d_X509_NAME(name,NULL); 1924 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2063 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1925 name = sk_X509_NAME_value(sk, i);
2064 { 1926 j = i2d_X509_NAME(name, NULL);
2065 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1927 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) {
1928 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB);
2066 goto err; 1929 goto err;
2067 } 1930 }
2068 p=(unsigned char *)&(buf->data[4+n]); 1931 p = (unsigned char *)&(buf->data[4 + n]);
2069 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1932 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
2070 { 1933 s2n(j, p);
2071 s2n(j,p); 1934 i2d_X509_NAME(name, &p);
2072 i2d_X509_NAME(name,&p); 1935 n += 2 + j;
2073 n+=2+j; 1936 nl += 2 + j;
2074 nl+=2+j; 1937 } else {
2075 } 1938 d = p;
2076 else 1939 i2d_X509_NAME(name, &p);
2077 { 1940 j -= 2;
2078 d=p; 1941 s2n(j, d);
2079 i2d_X509_NAME(name,&p); 1942 j += 2;
2080 j-=2; s2n(j,d); j+=2; 1943 n += j;
2081 n+=j; 1944 nl += j;
2082 nl+=j;
2083 }
2084 } 1945 }
2085 } 1946 }
1947 }
2086 /* else no CA names */ 1948 /* else no CA names */
2087 p=(unsigned char *)&(buf->data[4+off]); 1949 p = (unsigned char *)&(buf->data[4 + off]);
2088 s2n(nl,p); 1950 s2n(nl, p);
2089 1951
2090 d=(unsigned char *)buf->data; 1952 d = (unsigned char *)buf->data;
2091 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1953 *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
2092 l2n3(n,d); 1954 l2n3(n, d);
2093 1955
2094 /* we should now have things packed up, so lets send 1956 /* we should now have things packed up, so lets send
2095 * it off */ 1957 * it off */
2096 1958
2097 s->init_num=n+4; 1959 s->init_num = n + 4;
2098 s->init_off=0; 1960 s->init_off = 0;
2099#ifdef NETSCAPE_HANG_BUG 1961#ifdef NETSCAPE_HANG_BUG
2100 p=(unsigned char *)s->init_buf->data + s->init_num; 1962 p = (unsigned char *)s->init_buf->data + s->init_num;
2101 1963
2102 /* do the header */ 1964 /* do the header */
2103 *(p++)=SSL3_MT_SERVER_DONE; 1965 *(p++) = SSL3_MT_SERVER_DONE;
2104 *(p++)=0; 1966 *(p++) = 0;
2105 *(p++)=0; 1967 *(p++) = 0;
2106 *(p++)=0; 1968 *(p++) = 0;
2107 s->init_num += 4; 1969 s->init_num += 4;
2108#endif 1970#endif
2109 1971
2110 s->state = SSL3_ST_SW_CERT_REQ_B; 1972 s->state = SSL3_ST_SW_CERT_REQ_B;
2111 } 1973 }
2112 1974
2113 /* SSL3_ST_SW_CERT_REQ_B */ 1975 /* SSL3_ST_SW_CERT_REQ_B */
2114 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1976 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2115err: 1977err:
2116 return(-1); 1978 return (-1);
2117 } 1979}
2118 1980
2119int ssl3_get_client_key_exchange(SSL *s) 1981int
2120 { 1982ssl3_get_client_key_exchange(SSL *s)
2121 int i,al,ok; 1983{
1984 int i, al, ok;
2122 long n; 1985 long n;
2123 unsigned long alg_k; 1986 unsigned long alg_k;
2124 unsigned char *p; 1987 unsigned char *p;
2125#ifndef OPENSSL_NO_RSA 1988#ifndef OPENSSL_NO_RSA
2126 RSA *rsa=NULL; 1989 RSA *rsa = NULL;
2127 EVP_PKEY *pkey=NULL; 1990 EVP_PKEY *pkey = NULL;
2128#endif 1991#endif
2129#ifndef OPENSSL_NO_DH 1992#ifndef OPENSSL_NO_DH
2130 BIGNUM *pub=NULL; 1993 BIGNUM *pub = NULL;
2131 DH *dh_srvr; 1994 DH *dh_srvr;
2132#endif 1995#endif
2133#ifndef OPENSSL_NO_KRB5 1996#ifndef OPENSSL_NO_KRB5
@@ -2138,83 +2001,67 @@ int ssl3_get_client_key_exchange(SSL *s)
2138 EC_KEY *srvr_ecdh = NULL; 2001 EC_KEY *srvr_ecdh = NULL;
2139 EVP_PKEY *clnt_pub_pkey = NULL; 2002 EVP_PKEY *clnt_pub_pkey = NULL;
2140 EC_POINT *clnt_ecpoint = NULL; 2003 EC_POINT *clnt_ecpoint = NULL;
2141 BN_CTX *bn_ctx = NULL; 2004 BN_CTX *bn_ctx = NULL;
2142#endif
2143 2005
2144 n=s->method->ssl_get_message(s, 2006#endif
2145 SSL3_ST_SR_KEY_EXCH_A,
2146 SSL3_ST_SR_KEY_EXCH_B,
2147 SSL3_MT_CLIENT_KEY_EXCHANGE,
2148 2048, /* ??? */
2149 &ok);
2150 2007
2151 if (!ok) return((int)n); 2008 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
2152 p=(unsigned char *)s->init_msg; 2009 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
2010 2048, /* ??? */ &ok);
2011 if (!ok)
2012 return ((int)n);
2013 p = (unsigned char *)s->init_msg;
2153 2014
2154 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2015 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2155 2016
2156#ifndef OPENSSL_NO_RSA 2017#ifndef OPENSSL_NO_RSA
2157 if (alg_k & SSL_kRSA) 2018 if (alg_k & SSL_kRSA) {
2158 {
2159 /* FIX THIS UP EAY EAY EAY EAY */ 2019 /* FIX THIS UP EAY EAY EAY EAY */
2160 if (s->s3->tmp.use_rsa_tmp) 2020 if (s->s3->tmp.use_rsa_tmp) {
2161 {
2162 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2021 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
2163 rsa=s->cert->rsa_tmp; 2022 rsa = s->cert->rsa_tmp;
2164 /* Don't do a callback because rsa_tmp should 2023 /* Don't do a callback because rsa_tmp should
2165 * be sent already */ 2024 * be sent already */
2166 if (rsa == NULL) 2025 if (rsa == NULL) {
2167 { 2026 al = SSL_AD_HANDSHAKE_FAILURE;
2168 al=SSL_AD_HANDSHAKE_FAILURE; 2027 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_PKEY);
2169 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
2170 goto f_err; 2028 goto f_err;
2171 2029
2172 }
2173 } 2030 }
2174 else 2031 } else {
2175 { 2032 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
2176 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 2033 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
2177 if ( (pkey == NULL) || 2034 (pkey->pkey.rsa == NULL)) {
2178 (pkey->type != EVP_PKEY_RSA) || 2035 al = SSL_AD_HANDSHAKE_FAILURE;
2179 (pkey->pkey.rsa == NULL)) 2036 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_RSA_CERTIFICATE);
2180 {
2181 al=SSL_AD_HANDSHAKE_FAILURE;
2182 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
2183 goto f_err; 2037 goto f_err;
2184 }
2185 rsa=pkey->pkey.rsa;
2186 } 2038 }
2039 rsa = pkey->pkey.rsa;
2040 }
2187 2041
2188 /* TLS and [incidentally] DTLS{0xFEFF} */ 2042 /* TLS and [incidentally] DTLS{0xFEFF} */
2189 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) 2043 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
2190 { 2044 n2s(p, i);
2191 n2s(p,i); 2045 if (n != i + 2) {
2192 if (n != i+2) 2046 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
2193 { 2047 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2194 if (!(s->options & SSL_OP_TLS_D5_BUG))
2195 {
2196 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2197 goto err; 2048 goto err;
2198 } 2049 } else
2199 else 2050 p -= 2;
2200 p-=2; 2051 } else
2201 } 2052 n = i;
2202 else 2053 }
2203 n=i;
2204 }
2205 2054
2206 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 2055 i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
2207 2056
2208 al = -1; 2057 al = -1;
2209 2058
2210 if (i != SSL_MAX_MASTER_KEY_LENGTH) 2059 if (i != SSL_MAX_MASTER_KEY_LENGTH) {
2211 { 2060 al = SSL_AD_DECODE_ERROR;
2212 al=SSL_AD_DECODE_ERROR;
2213 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 2061 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
2214 } 2062 }
2215 2063
2216 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 2064 if ((al == -1) && !((p[0] == (s->client_version >> 8)) && (p[1] == (s->client_version & 0xff)))) {
2217 {
2218 /* The premaster secret must contain the same version number as the 2065 /* The premaster secret must contain the same version number as the
2219 * ClientHello to detect version rollback attacks (strangely, the 2066 * ClientHello to detect version rollback attacks (strangely, the
2220 * protocol does not offer such protection for DH ciphersuites). 2067 * protocol does not offer such protection for DH ciphersuites).
@@ -2223,9 +2070,8 @@ int ssl3_get_client_key_exchange(SSL *s)
2223 * protocol version. 2070 * protocol version.
2224 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 2071 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
2225 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 2072 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
2226 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 2073 (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) {
2227 { 2074 al = SSL_AD_DECODE_ERROR;
2228 al=SSL_AD_DECODE_ERROR;
2229 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2075 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2230 2076
2231 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2077 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
@@ -2235,11 +2081,10 @@ int ssl3_get_client_key_exchange(SSL *s)
2235 * made up by the adversary is properly formatted except 2081 * made up by the adversary is properly formatted except
2236 * that the version number is wrong. To avoid such attacks, 2082 * that the version number is wrong. To avoid such attacks,
2237 * we should treat this just like any other decryption error. */ 2083 * we should treat this just like any other decryption error. */
2238 }
2239 } 2084 }
2085 }
2240 2086
2241 if (al != -1) 2087 if (al != -1) {
2242 {
2243 /* Some decryption failure -- use random value instead as countermeasure 2088 /* Some decryption failure -- use random value instead as countermeasure
2244 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 2089 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
2245 * (see RFC 2246, section 7.4.7.1). */ 2090 * (see RFC 2246, section 7.4.7.1). */
@@ -2249,83 +2094,69 @@ int ssl3_get_client_key_exchange(SSL *s)
2249 p[1] = s->client_version & 0xff; 2094 p[1] = s->client_version & 0xff;
2250 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 2095 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
2251 goto err; 2096 goto err;
2252 }
2253
2254 s->session->master_key_length=
2255 s->method->ssl3_enc->generate_master_secret(s,
2256 s->session->master_key,
2257 p,i);
2258 OPENSSL_cleanse(p,i);
2259 } 2097 }
2260 else 2098
2099 s->session->master_key_length =
2100 s->method->ssl3_enc->generate_master_secret(s,
2101 s->session->master_key,
2102 p, i);
2103 OPENSSL_cleanse(p, i);
2104 } else
2261#endif 2105#endif
2262#ifndef OPENSSL_NO_DH 2106#ifndef OPENSSL_NO_DH
2263 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2107 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2264 { 2108 n2s(p, i);
2265 n2s(p,i); 2109 if (n != i + 2) {
2266 if (n != i+2) 2110 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
2267 { 2111 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2268 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
2269 {
2270 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2271 goto err; 2112 goto err;
2272 } 2113 } else {
2273 else 2114 p -= 2;
2274 { 2115 i = (int)n;
2275 p-=2;
2276 i=(int)n;
2277 }
2278 } 2116 }
2117 }
2279 2118
2280 if (n == 0L) /* the parameters are in the cert */ 2119 if (n == 0L) /* the parameters are in the cert */
2281 { 2120 {
2282 al=SSL_AD_HANDSHAKE_FAILURE; 2121 al = SSL_AD_HANDSHAKE_FAILURE;
2283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2122 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_DECODE_DH_CERTS);
2284 goto f_err; 2123 goto f_err;
2285 } 2124 } else {
2286 else 2125 if (s->s3->tmp.dh == NULL) {
2287 { 2126 al = SSL_AD_HANDSHAKE_FAILURE;
2288 if (s->s3->tmp.dh == NULL) 2127 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
2289 {
2290 al=SSL_AD_HANDSHAKE_FAILURE;
2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
2292 goto f_err; 2128 goto f_err;
2293 } 2129 } else
2294 else 2130 dh_srvr = s->s3->tmp.dh;
2295 dh_srvr=s->s3->tmp.dh; 2131 }
2296 }
2297 2132
2298 pub=BN_bin2bn(p,i,NULL); 2133 pub = BN_bin2bn(p, i, NULL);
2299 if (pub == NULL) 2134 if (pub == NULL) {
2300 { 2135 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
2302 goto err; 2136 goto err;
2303 } 2137 }
2304 2138
2305 i=DH_compute_key(p,pub,dh_srvr); 2139 i = DH_compute_key(p, pub, dh_srvr);
2306 2140
2307 if (i <= 0) 2141 if (i <= 0) {
2308 { 2142 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2309 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2310 BN_clear_free(pub); 2143 BN_clear_free(pub);
2311 goto err; 2144 goto err;
2312 } 2145 }
2313 2146
2314 DH_free(s->s3->tmp.dh); 2147 DH_free(s->s3->tmp.dh);
2315 s->s3->tmp.dh=NULL; 2148 s->s3->tmp.dh = NULL;
2316 2149
2317 BN_clear_free(pub); 2150 BN_clear_free(pub);
2318 pub=NULL; 2151 pub = NULL;
2319 s->session->master_key_length= 2152 s->session->master_key_length =
2320 s->method->ssl3_enc->generate_master_secret(s, 2153 s->method->ssl3_enc->generate_master_secret(
2321 s->session->master_key,p,i); 2154 s, s->session->master_key, p, i);
2322 OPENSSL_cleanse(p,i); 2155 OPENSSL_cleanse(p, i);
2323 } 2156 } else
2324 else
2325#endif 2157#endif
2326#ifndef OPENSSL_NO_KRB5 2158#ifndef OPENSSL_NO_KRB5
2327 if (alg_k & SSL_kKRB5) 2159 if (alg_k & SSL_kKRB5) {
2328 {
2329 krb5_error_code krb5rc; 2160 krb5_error_code krb5rc;
2330 krb5_data enc_ticket; 2161 krb5_data enc_ticket;
2331 krb5_data authenticator; 2162 krb5_data authenticator;
@@ -2335,100 +2166,94 @@ int ssl3_get_client_key_exchange(SSL *s)
2335 const EVP_CIPHER *enc = NULL; 2166 const EVP_CIPHER *enc = NULL;
2336 unsigned char iv[EVP_MAX_IV_LENGTH]; 2167 unsigned char iv[EVP_MAX_IV_LENGTH];
2337 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2168 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
2338 + EVP_MAX_BLOCK_LENGTH]; 2169 + EVP_MAX_BLOCK_LENGTH];
2339 int padl, outl; 2170 int padl, outl;
2340 krb5_timestamp authtime = 0; 2171 krb5_timestamp authtime = 0;
2341 krb5_ticket_times ttimes; 2172 krb5_ticket_times ttimes;
2342 2173
2343 EVP_CIPHER_CTX_init(&ciph_ctx); 2174 EVP_CIPHER_CTX_init(&ciph_ctx);
2344 2175
2345 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2176 if (!kssl_ctx)
2177 kssl_ctx = kssl_ctx_new();
2346 2178
2347 n2s(p,i); 2179 n2s(p, i);
2348 enc_ticket.length = i; 2180 enc_ticket.length = i;
2349 2181
2350 if (n < (long)(enc_ticket.length + 6)) 2182 if (n < (long)(enc_ticket.length + 6)) {
2351 {
2352 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2183 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2353 SSL_R_DATA_LENGTH_TOO_LONG); 2184 SSL_R_DATA_LENGTH_TOO_LONG);
2354 goto err; 2185 goto err;
2355 } 2186 }
2356 2187
2357 enc_ticket.data = (char *)p; 2188 enc_ticket.data = (char *)p;
2358 p+=enc_ticket.length; 2189 p += enc_ticket.length;
2359 2190
2360 n2s(p,i); 2191 n2s(p, i);
2361 authenticator.length = i; 2192 authenticator.length = i;
2362 2193
2363 if (n < (long)(enc_ticket.length + authenticator.length + 6)) 2194 if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
2364 {
2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2195 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2366 SSL_R_DATA_LENGTH_TOO_LONG); 2196 SSL_R_DATA_LENGTH_TOO_LONG);
2367 goto err; 2197 goto err;
2368 } 2198 }
2369 2199
2370 authenticator.data = (char *)p; 2200 authenticator.data = (char *)p;
2371 p+=authenticator.length; 2201 p += authenticator.length;
2372 2202
2373 n2s(p,i); 2203 n2s(p, i);
2374 enc_pms.length = i; 2204 enc_pms.length = i;
2375 enc_pms.data = (char *)p; 2205 enc_pms.data = (char *)p;
2376 p+=enc_pms.length; 2206 p += enc_pms.length;
2377 2207
2378 /* Note that the length is checked again below, 2208 /* Note that the length is checked again below,
2379 ** after decryption 2209 ** after decryption
2380 */ 2210 */
2381 if(enc_pms.length > sizeof pms) 2211 if (enc_pms.length > sizeof pms) {
2382 {
2383 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2212 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2384 SSL_R_DATA_LENGTH_TOO_LONG); 2213 SSL_R_DATA_LENGTH_TOO_LONG);
2385 goto err; 2214 goto err;
2386 } 2215 }
2387 2216
2388 if (n != (long)(enc_ticket.length + authenticator.length + 2217 if (n != (long)(enc_ticket.length + authenticator.length +
2389 enc_pms.length + 6)) 2218 enc_pms.length + 6)) {
2390 {
2391 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2392 SSL_R_DATA_LENGTH_TOO_LONG); 2220 SSL_R_DATA_LENGTH_TOO_LONG);
2393 goto err; 2221 goto err;
2394 } 2222 }
2395 2223
2396 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2224 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2397 &kssl_err)) != 0) 2225 &kssl_err)) != 0) {
2398 {
2399#ifdef KSSL_DEBUG 2226#ifdef KSSL_DEBUG
2400 printf("kssl_sget_tkt rtn %d [%d]\n", 2227 printf("kssl_sget_tkt rtn %d [%d]\n",
2401 krb5rc, kssl_err.reason); 2228 krb5rc, kssl_err.reason);
2402 if (kssl_err.text) 2229 if (kssl_err.text)
2403 printf("kssl_err text= %s\n", kssl_err.text); 2230 printf("kssl_err text= %s\n", kssl_err.text);
2404#endif /* KSSL_DEBUG */ 2231#endif /* KSSL_DEBUG */
2405 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2232 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2406 kssl_err.reason); 2233 kssl_err.reason);
2407 goto err; 2234 goto err;
2408 } 2235 }
2409 2236
2410 /* Note: no authenticator is not considered an error, 2237 /* Note: no authenticator is not considered an error,
2411 ** but will return authtime == 0. 2238 ** but will return authtime == 0.
2412 */ 2239 */
2413 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2240 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
2414 &authtime, &kssl_err)) != 0) 2241 &authtime, &kssl_err)) != 0) {
2415 {
2416#ifdef KSSL_DEBUG 2242#ifdef KSSL_DEBUG
2417 printf("kssl_check_authent rtn %d [%d]\n", 2243 printf("kssl_check_authent rtn %d [%d]\n",
2418 krb5rc, kssl_err.reason); 2244 krb5rc, kssl_err.reason);
2419 if (kssl_err.text) 2245 if (kssl_err.text)
2420 printf("kssl_err text= %s\n", kssl_err.text); 2246 printf("kssl_err text= %s\n", kssl_err.text);
2421#endif /* KSSL_DEBUG */ 2247#endif /* KSSL_DEBUG */
2422 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2248 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2423 kssl_err.reason); 2249 kssl_err.reason);
2424 goto err; 2250 goto err;
2425 } 2251 }
2426 2252
2427 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2253 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
2428 {
2429 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2254 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2430 goto err; 2255 goto err;
2431 } 2256 }
2432 2257
2433#ifdef KSSL_DEBUG 2258#ifdef KSSL_DEBUG
2434 kssl_ctx_show(kssl_ctx); 2259 kssl_ctx_show(kssl_ctx);
@@ -2436,44 +2261,38 @@ int ssl3_get_client_key_exchange(SSL *s)
2436 2261
2437 enc = kssl_map_enc(kssl_ctx->enctype); 2262 enc = kssl_map_enc(kssl_ctx->enctype);
2438 if (enc == NULL) 2263 if (enc == NULL)
2439 goto err; 2264 goto err;
2440 2265
2441 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2266 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2442 2267
2443 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2268 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) {
2444 {
2445 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2446 SSL_R_DECRYPTION_FAILED); 2270 SSL_R_DECRYPTION_FAILED);
2447 goto err; 2271 goto err;
2448 } 2272 }
2449 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2273 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
2450 (unsigned char *)enc_pms.data, enc_pms.length)) 2274 (unsigned char *)enc_pms.data, enc_pms.length)) {
2451 {
2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2275 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2453 SSL_R_DECRYPTION_FAILED); 2276 SSL_R_DECRYPTION_FAILED);
2454 goto err; 2277 goto err;
2455 } 2278 }
2456 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2279 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2457 {
2458 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2280 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2459 SSL_R_DATA_LENGTH_TOO_LONG); 2281 SSL_R_DATA_LENGTH_TOO_LONG);
2460 goto err; 2282 goto err;
2461 } 2283 }
2462 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2284 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
2463 {
2464 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2285 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2465 SSL_R_DECRYPTION_FAILED); 2286 SSL_R_DECRYPTION_FAILED);
2466 goto err; 2287 goto err;
2467 } 2288 }
2468 outl += padl; 2289 outl += padl;
2469 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2290 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2470 {
2471 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2472 SSL_R_DATA_LENGTH_TOO_LONG); 2292 SSL_R_DATA_LENGTH_TOO_LONG);
2473 goto err; 2293 goto err;
2474 } 2294 }
2475 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2295 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
2476 {
2477 /* The premaster secret must contain the same version number as the 2296 /* The premaster secret must contain the same version number as the
2478 * ClientHello to detect version rollback attacks (strangely, the 2297 * ClientHello to detect version rollback attacks (strangely, the
2479 * protocol does not offer such protection for DH ciphersuites). 2298 * protocol does not offer such protection for DH ciphersuites).
@@ -2482,29 +2301,26 @@ int ssl3_get_client_key_exchange(SSL *s)
2482 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2301 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2483 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2302 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2484 */ 2303 */
2485 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2304 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
2486 { 2305 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2487 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2306 SSL_AD_DECODE_ERROR);
2488 SSL_AD_DECODE_ERROR); 2307 goto err;
2489 goto err;
2490 } 2308 }
2491 } 2309 }
2492 2310
2493 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2311 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2494 2312
2495 s->session->master_key_length= 2313 s->session->master_key_length =
2496 s->method->ssl3_enc->generate_master_secret(s, 2314 s->method->ssl3_enc->generate_master_secret(s,
2497 s->session->master_key, pms, outl); 2315 s->session->master_key, pms, outl);
2498 2316
2499 if (kssl_ctx->client_princ) 2317 if (kssl_ctx->client_princ) {
2500 {
2501 size_t len = strlen(kssl_ctx->client_princ); 2318 size_t len = strlen(kssl_ctx->client_princ);
2502 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2319 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
2503 {
2504 s->session->krb5_client_princ_len = len; 2320 s->session->krb5_client_princ_len = len;
2505 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2321 memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ, len);
2506 }
2507 } 2322 }
2323 }
2508 2324
2509 2325
2510 /* Was doing kssl_ctx_free() here, 2326 /* Was doing kssl_ctx_free() here,
@@ -2512,13 +2328,11 @@ int ssl3_get_client_key_exchange(SSL *s)
2512 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2328 ** kssl_ctx = kssl_ctx_free(kssl_ctx);
2513 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2329 ** if (s->kssl_ctx) s->kssl_ctx = NULL;
2514 */ 2330 */
2515 } 2331 } else
2516 else
2517#endif /* OPENSSL_NO_KRB5 */ 2332#endif /* OPENSSL_NO_KRB5 */
2518 2333
2519#ifndef OPENSSL_NO_ECDH 2334#ifndef OPENSSL_NO_ECDH
2520 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2335 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2521 {
2522 int ret = 1; 2336 int ret = 1;
2523 int field_size = 0; 2337 int field_size = 0;
2524 const EC_KEY *tkey; 2338 const EC_KEY *tkey;
@@ -2526,60 +2340,51 @@ int ssl3_get_client_key_exchange(SSL *s)
2526 const BIGNUM *priv_key; 2340 const BIGNUM *priv_key;
2527 2341
2528 /* initialize structures for server's ECDH key pair */ 2342 /* initialize structures for server's ECDH key pair */
2529 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2343 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
2530 {
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2344 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 ERR_R_MALLOC_FAILURE); 2345 ERR_R_MALLOC_FAILURE);
2533 goto err; 2346 goto err;
2534 } 2347 }
2535 2348
2536 /* Let's get server private key and group information */ 2349 /* Let's get server private key and group information */
2537 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) 2350 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
2538 {
2539 /* use the certificate */ 2351 /* use the certificate */
2540 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2352 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2541 } 2353 } else {
2542 else
2543 {
2544 /* use the ephermeral values we saved when 2354 /* use the ephermeral values we saved when
2545 * generating the ServerKeyExchange msg. 2355 * generating the ServerKeyExchange msg.
2546 */ 2356 */
2547 tkey = s->s3->tmp.ecdh; 2357 tkey = s->s3->tmp.ecdh;
2548 } 2358 }
2549 2359
2550 group = EC_KEY_get0_group(tkey); 2360 group = EC_KEY_get0_group(tkey);
2551 priv_key = EC_KEY_get0_private_key(tkey); 2361 priv_key = EC_KEY_get0_private_key(tkey);
2552 2362
2553 if (!EC_KEY_set_group(srvr_ecdh, group) || 2363 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2554 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2364 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
2555 {
2556 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2557 ERR_R_EC_LIB); 2366 ERR_R_EC_LIB);
2558 goto err; 2367 goto err;
2559 } 2368 }
2560 2369
2561 /* Let's get client's public key */ 2370 /* Let's get client's public key */
2562 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2371 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
2563 {
2564 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2372 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2565 ERR_R_MALLOC_FAILURE); 2373 ERR_R_MALLOC_FAILURE);
2566 goto err; 2374 goto err;
2567 } 2375 }
2568 2376
2569 if (n == 0L) 2377 if (n == 0L) {
2570 {
2571 /* Client Publickey was in Client Certificate */ 2378 /* Client Publickey was in Client Certificate */
2572 2379
2573 if (alg_k & SSL_kEECDH) 2380 if (alg_k & SSL_kEECDH) {
2574 { 2381 al = SSL_AD_HANDSHAKE_FAILURE;
2575 al=SSL_AD_HANDSHAKE_FAILURE; 2382 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
2576 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2383 goto f_err;
2577 goto f_err; 2384 }
2578 } 2385 if (((clnt_pub_pkey = X509_get_pubkey(
2579 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2386 s->session->peer)) == NULL) ||
2580 == NULL) || 2387 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2581 (clnt_pub_pkey->type != EVP_PKEY_EC))
2582 {
2583 /* XXX: For now, we do not support client 2388 /* XXX: For now, we do not support client
2584 * authentication using ECDH certificates 2389 * authentication using ECDH certificates
2585 * so this branch (n == 0L) of the code is 2390 * so this branch (n == 0L) of the code is
@@ -2591,771 +2396,680 @@ int ssl3_get_client_key_exchange(SSL *s)
2591 * the two ECDH shares are for the same 2396 * the two ECDH shares are for the same
2592 * group. 2397 * group.
2593 */ 2398 */
2594 al=SSL_AD_HANDSHAKE_FAILURE; 2399 al = SSL_AD_HANDSHAKE_FAILURE;
2595 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2400 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2596 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2401 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2597 goto f_err; 2402 goto f_err;
2598 } 2403 }
2599 2404
2600 if (EC_POINT_copy(clnt_ecpoint, 2405 if (EC_POINT_copy(clnt_ecpoint,
2601 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2406 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) {
2602 {
2603 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2407 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2604 ERR_R_EC_LIB); 2408 ERR_R_EC_LIB);
2605 goto err; 2409 goto err;
2606 }
2607 ret = 2; /* Skip certificate verify processing */
2608 } 2410 }
2609 else 2411 ret = 2; /* Skip certificate verify processing */
2610 { 2412 } else {
2611 /* Get client's public key from encoded point 2413 /* Get client's public key from encoded point
2612 * in the ClientKeyExchange message. 2414 * in the ClientKeyExchange message.
2613 */ 2415 */
2614 if ((bn_ctx = BN_CTX_new()) == NULL) 2416 if ((bn_ctx = BN_CTX_new()) == NULL) {
2615 {
2616 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2417 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2617 ERR_R_MALLOC_FAILURE); 2418 ERR_R_MALLOC_FAILURE);
2618 goto err; 2419 goto err;
2619 } 2420 }
2620 2421
2621 /* Get encoded point length */ 2422 /* Get encoded point length */
2622 i = *p; 2423 i = *p;
2424
2623 p += 1; 2425 p += 1;
2624 if (n != 1 + i) 2426 if (n != 1 + i) {
2625 {
2626 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2427 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2627 ERR_R_EC_LIB); 2428 ERR_R_EC_LIB);
2628 goto err; 2429 goto err;
2629 } 2430 }
2630 if (EC_POINT_oct2point(group, 2431 if (EC_POINT_oct2point(group,
2631 clnt_ecpoint, p, i, bn_ctx) == 0) 2432 clnt_ecpoint, p, i, bn_ctx) == 0) {
2632 {
2633 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2433 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2634 ERR_R_EC_LIB); 2434 ERR_R_EC_LIB);
2635 goto err; 2435 goto err;
2636 } 2436 }
2637 /* p is pointing to somewhere in the buffer 2437 /* p is pointing to somewhere in the buffer
2638 * currently, so set it to the start 2438 * currently, so set it to the start
2639 */ 2439 */
2640 p=(unsigned char *)s->init_buf->data; 2440 p = (unsigned char *)s->init_buf->data;
2641 } 2441 }
2642 2442
2643 /* Compute the shared pre-master secret */ 2443 /* Compute the shared pre-master secret */
2644 field_size = EC_GROUP_get_degree(group); 2444 field_size = EC_GROUP_get_degree(group);
2645 if (field_size <= 0) 2445 if (field_size <= 0) {
2646 { 2446 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2647 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2447 ERR_R_ECDH_LIB);
2648 ERR_R_ECDH_LIB);
2649 goto err; 2448 goto err;
2650 } 2449 }
2651 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2450 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2652 if (i <= 0) 2451 if (i <= 0) {
2653 {
2654 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2655 ERR_R_ECDH_LIB); 2453 ERR_R_ECDH_LIB);
2656 goto err; 2454 goto err;
2657 } 2455 }
2658 2456
2659 EVP_PKEY_free(clnt_pub_pkey); 2457 EVP_PKEY_free(clnt_pub_pkey);
2660 EC_POINT_free(clnt_ecpoint); 2458 EC_POINT_free(clnt_ecpoint);
2661 EC_KEY_free(srvr_ecdh); 2459 EC_KEY_free(srvr_ecdh);
2662 BN_CTX_free(bn_ctx); 2460 BN_CTX_free(bn_ctx);
2663 EC_KEY_free(s->s3->tmp.ecdh); 2461 EC_KEY_free(s->s3->tmp.ecdh);
2664 s->s3->tmp.ecdh = NULL; 2462 s->s3->tmp.ecdh = NULL;
2463
2665 2464
2666 /* Compute the master secret */ 2465 /* Compute the master secret */
2667 s->session->master_key_length = s->method->ssl3_enc-> \ 2466 s->session->master_key_length = s->method->ssl3_enc-> \
2668 generate_master_secret(s, s->session->master_key, p, i); 2467 generate_master_secret(s, s->session->master_key, p, i);
2669 2468
2670 OPENSSL_cleanse(p, i); 2469 OPENSSL_cleanse(p, i);
2671 return (ret); 2470 return (ret);
2672 } 2471 } else
2673 else
2674#endif 2472#endif
2675#ifndef OPENSSL_NO_PSK 2473#ifndef OPENSSL_NO_PSK
2676 if (alg_k & SSL_kPSK) 2474 if (alg_k & SSL_kPSK) {
2677 { 2475 unsigned char *t = NULL;
2678 unsigned char *t = NULL; 2476 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2679 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2477 unsigned int pre_ms_len = 0, psk_len = 0;
2680 unsigned int pre_ms_len = 0, psk_len = 0; 2478 int psk_err = 1;
2681 int psk_err = 1; 2479 char tmp_id[PSK_MAX_IDENTITY_LEN + 1];
2682 char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2683 2480
2684 al=SSL_AD_HANDSHAKE_FAILURE; 2481 al = SSL_AD_HANDSHAKE_FAILURE;
2685
2686 n2s(p,i);
2687 if (n != i+2)
2688 {
2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2690 SSL_R_LENGTH_MISMATCH);
2691 goto psk_err;
2692 }
2693 if (i > PSK_MAX_IDENTITY_LEN)
2694 {
2695 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2696 SSL_R_DATA_LENGTH_TOO_LONG);
2697 goto psk_err;
2698 }
2699 if (s->psk_server_callback == NULL)
2700 {
2701 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2702 SSL_R_PSK_NO_SERVER_CB);
2703 goto psk_err;
2704 }
2705 2482
2706 /* Create guaranteed NULL-terminated identity 2483 n2s(p, i);
2707 * string for the callback */ 2484 if (n != i + 2) {
2708 memcpy(tmp_id, p, i); 2485 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2709 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 2486 SSL_R_LENGTH_MISMATCH);
2710 psk_len = s->psk_server_callback(s, tmp_id, 2487 goto psk_err;
2711 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2488 }
2712 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 2489 if (i > PSK_MAX_IDENTITY_LEN) {
2490 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2491 SSL_R_DATA_LENGTH_TOO_LONG);
2492 goto psk_err;
2493 }
2494 if (s->psk_server_callback == NULL) {
2495 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2496 SSL_R_PSK_NO_SERVER_CB);
2497 goto psk_err;
2498 }
2713 2499
2714 if (psk_len > PSK_MAX_PSK_LEN) 2500 /* Create guaranteed NULL-terminated identity
2715 { 2501 * string for the callback */
2716 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2502 memcpy(tmp_id, p, i);
2717 ERR_R_INTERNAL_ERROR); 2503 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
2718 goto psk_err; 2504 psk_len = s->psk_server_callback(s, tmp_id,
2719 } 2505 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2720 else if (psk_len == 0) 2506 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
2721 {
2722 /* PSK related to the given identity not found */
2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2724 SSL_R_PSK_IDENTITY_NOT_FOUND);
2725 al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2726 goto psk_err;
2727 }
2728 2507
2729 /* create PSK pre_master_secret */ 2508 if (psk_len > PSK_MAX_PSK_LEN) {
2730 pre_ms_len=2+psk_len+2+psk_len; 2509 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2731 t = psk_or_pre_ms; 2510 ERR_R_INTERNAL_ERROR);
2732 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2511 goto psk_err;
2733 s2n(psk_len, t); 2512 } else if (psk_len == 0) {
2734 memset(t, 0, psk_len); 2513 /* PSK related to the given identity not found */
2735 t+=psk_len; 2514 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2736 s2n(psk_len, t); 2515 SSL_R_PSK_IDENTITY_NOT_FOUND);
2737 2516 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2738 if (s->session->psk_identity != NULL) 2517 goto psk_err;
2739 OPENSSL_free(s->session->psk_identity); 2518 }
2740 s->session->psk_identity = BUF_strdup((char *)p); 2519
2741 if (s->session->psk_identity == NULL) 2520 /* create PSK pre_master_secret */
2742 { 2521 pre_ms_len = 2 + psk_len + 2 + psk_len;
2743 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2522 t = psk_or_pre_ms;
2744 ERR_R_MALLOC_FAILURE); 2523 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2745 goto psk_err; 2524 s2n(psk_len, t);
2746 } 2525 memset(t, 0, psk_len);
2526 t += psk_len;
2527 s2n(psk_len, t);
2528
2529 if (s->session->psk_identity != NULL)
2530 OPENSSL_free(s->session->psk_identity);
2531 s->session->psk_identity = BUF_strdup((char *)p);
2532 if (s->session->psk_identity == NULL) {
2533 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2534 ERR_R_MALLOC_FAILURE);
2535 goto psk_err;
2536 }
2747 2537
2748 if (s->session->psk_identity_hint != NULL) 2538 if (s->session->psk_identity_hint != NULL)
2749 OPENSSL_free(s->session->psk_identity_hint); 2539 OPENSSL_free(s->session->psk_identity_hint);
2750 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2540 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2751 if (s->ctx->psk_identity_hint != NULL && 2541 if (s->ctx->psk_identity_hint != NULL &&
2752 s->session->psk_identity_hint == NULL) 2542 s->session->psk_identity_hint == NULL) {
2753 { 2543 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2754 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2544 ERR_R_MALLOC_FAILURE);
2755 ERR_R_MALLOC_FAILURE); 2545 goto psk_err;
2756 goto psk_err; 2546 }
2757 }
2758 2547
2759 s->session->master_key_length= 2548 s->session->master_key_length =
2760 s->method->ssl3_enc->generate_master_secret(s, 2549 s->method->ssl3_enc->generate_master_secret(
2761 s->session->master_key, psk_or_pre_ms, pre_ms_len); 2550 s, s->session->master_key, psk_or_pre_ms, pre_ms_len);
2762 psk_err = 0; 2551 psk_err = 0;
2763 psk_err: 2552 psk_err:
2764 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2553 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2765 if (psk_err != 0) 2554 if (psk_err != 0)
2766 goto f_err; 2555 goto f_err;
2767 } 2556 } else
2768 else
2769#endif 2557#endif
2770#ifndef OPENSSL_NO_SRP 2558#ifndef OPENSSL_NO_SRP
2771 if (alg_k & SSL_kSRP) 2559 if (alg_k & SSL_kSRP) {
2772 { 2560 int param_len;
2773 int param_len;
2774
2775 n2s(p,i);
2776 param_len=i+2;
2777 if (param_len > n)
2778 {
2779 al=SSL_AD_DECODE_ERROR;
2780 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH);
2781 goto f_err;
2782 }
2783 if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL)))
2784 {
2785 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
2786 goto err;
2787 }
2788 if (s->session->srp_username != NULL)
2789 OPENSSL_free(s->session->srp_username);
2790 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2791 if (s->session->srp_username == NULL)
2792 {
2793 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2794 ERR_R_MALLOC_FAILURE);
2795 goto err;
2796 }
2797 2561
2798 if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 2562 n2s(p, i);
2799 { 2563 param_len = i + 2;
2800 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2564 if (param_len > n) {
2801 goto err; 2565 al = SSL_AD_DECODE_ERROR;
2802 } 2566 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2567 goto f_err;
2568 }
2569 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
2570 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2571 goto err;
2572 }
2573 if (s->session->srp_username != NULL)
2574 OPENSSL_free(s->session->srp_username);
2575 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2576 if (s->session->srp_username == NULL) {
2577 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2578 ERR_R_MALLOC_FAILURE);
2579 goto err;
2580 }
2803 2581
2804 p+=i; 2582 if ((s->session->master_key_length = SRP_generate_server_master_secret(s, s->session->master_key)) < 0) {
2805 } 2583 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2806 else 2584 goto err;
2585 }
2586
2587 p += i;
2588 } else
2807#endif /* OPENSSL_NO_SRP */ 2589#endif /* OPENSSL_NO_SRP */
2808 if (alg_k & SSL_kGOST) 2590 if (alg_k & SSL_kGOST) {
2809 { 2591 int ret = 0;
2810 int ret = 0; 2592 EVP_PKEY_CTX *pkey_ctx;
2811 EVP_PKEY_CTX *pkey_ctx; 2593 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2812 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 2594 unsigned char premaster_secret[32], *start;
2813 unsigned char premaster_secret[32], *start; 2595 size_t outlen = 32, inlen;
2814 size_t outlen=32, inlen; 2596 unsigned long alg_a;
2815 unsigned long alg_a; 2597
2816 2598 /* Get our certificate private key*/
2817 /* Get our certificate private key*/ 2599 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2818 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2600 if (alg_a & SSL_aGOST94)
2819 if (alg_a & SSL_aGOST94) 2601 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
2820 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 2602 else if (alg_a & SSL_aGOST01)
2821 else if (alg_a & SSL_aGOST01) 2603 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2822 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 2604
2823 2605 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2824 pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 2606 EVP_PKEY_decrypt_init(pkey_ctx);
2825 EVP_PKEY_decrypt_init(pkey_ctx);
2826 /* If client certificate is present and is of the same type, maybe 2607 /* If client certificate is present and is of the same type, maybe
2827 * use it for key exchange. Don't mind errors from 2608 * use it for key exchange. Don't mind errors from
2828 * EVP_PKEY_derive_set_peer, because it is completely valid to use 2609 * EVP_PKEY_derive_set_peer, because it is completely valid to use
2829 * a client certificate for authorization only. */ 2610 * a client certificate for authorization only. */
2830 client_pub_pkey = X509_get_pubkey(s->session->peer); 2611 client_pub_pkey = X509_get_pubkey(s->session->peer);
2831 if (client_pub_pkey) 2612 if (client_pub_pkey) {
2832 { 2613 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2833 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2614 ERR_clear_error();
2834 ERR_clear_error(); 2615 }
2835 } 2616 /* Decrypt session key */
2836 /* Decrypt session key */ 2617 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) {
2837 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) 2618 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2838 { 2619 goto gerr;
2839 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2620 }
2840 goto gerr; 2621 if (p[1] == 0x81) {
2841 } 2622 start = p + 3;
2842 if (p[1] == 0x81) 2623 inlen = p[2];
2843 { 2624 } else if (p[1] < 0x80) {
2844 start = p+3; 2625 start = p + 2;
2845 inlen = p[2]; 2626 inlen = p[1];
2846 } 2627 } else {
2847 else if (p[1] < 0x80) 2628 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2848 { 2629 goto gerr;
2849 start = p+2; 2630 }
2850 inlen = p[1]; 2631 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <=0)
2851 } 2632
2852 else 2633 {
2853 { 2634 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2854 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2635 goto gerr;
2855 goto gerr; 2636 }
2856 } 2637 /* Generate master secret */
2857 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 2638 s->session->master_key_length =
2858 2639 s->method->ssl3_enc->generate_master_secret(
2859 { 2640 s, s->session->master_key, premaster_secret, 32);
2860 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2641 /* Check if pubkey from client certificate was used */
2861 goto gerr; 2642 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2862 } 2643 ret = 2;
2863 /* Generate master secret */ 2644 else
2864 s->session->master_key_length= 2645 ret = 1;
2865 s->method->ssl3_enc->generate_master_secret(s,
2866 s->session->master_key,premaster_secret,32);
2867 /* Check if pubkey from client certificate was used */
2868 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2869 ret = 2;
2870 else
2871 ret = 1;
2872 gerr: 2646 gerr:
2873 EVP_PKEY_free(client_pub_pkey); 2647 EVP_PKEY_free(client_pub_pkey);
2874 EVP_PKEY_CTX_free(pkey_ctx); 2648 EVP_PKEY_CTX_free(pkey_ctx);
2875 if (ret) 2649 if (ret)
2876 return ret; 2650 return ret;
2877 else
2878 goto err;
2879 }
2880 else 2651 else
2881 { 2652 goto err;
2882 al=SSL_AD_HANDSHAKE_FAILURE; 2653 } else {
2654 al = SSL_AD_HANDSHAKE_FAILURE;
2883 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2655 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2884 SSL_R_UNKNOWN_CIPHER_TYPE); 2656 SSL_R_UNKNOWN_CIPHER_TYPE);
2885 goto f_err; 2657 goto f_err;
2886 } 2658 }
2887 2659
2888 return(1); 2660 return (1);
2889f_err: 2661f_err:
2890 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2662 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2891#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP) 2663#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2892err: 2664err:
2893#endif 2665#endif
2894#ifndef OPENSSL_NO_ECDH 2666#ifndef OPENSSL_NO_ECDH
2895 EVP_PKEY_free(clnt_pub_pkey); 2667 EVP_PKEY_free(clnt_pub_pkey);
2896 EC_POINT_free(clnt_ecpoint); 2668 EC_POINT_free(clnt_ecpoint);
2897 if (srvr_ecdh != NULL) 2669 if (srvr_ecdh != NULL)
2898 EC_KEY_free(srvr_ecdh); 2670 EC_KEY_free(srvr_ecdh);
2899 BN_CTX_free(bn_ctx); 2671 BN_CTX_free(bn_ctx);
2900#endif 2672#endif
2901 return(-1); 2673 return (-1);
2902 } 2674}
2903 2675
2904int ssl3_get_cert_verify(SSL *s) 2676int
2905 { 2677ssl3_get_cert_verify(SSL *s)
2906 EVP_PKEY *pkey=NULL; 2678{
2679 EVP_PKEY *pkey = NULL;
2907 unsigned char *p; 2680 unsigned char *p;
2908 int al,ok,ret=0; 2681 int al, ok, ret = 0;
2909 long n; 2682 long n;
2910 int type=0,i,j; 2683 int type = 0, i, j;
2911 X509 *peer; 2684 X509 *peer;
2912 const EVP_MD *md = NULL; 2685 const EVP_MD *md = NULL;
2913 EVP_MD_CTX mctx; 2686 EVP_MD_CTX mctx;
2914 EVP_MD_CTX_init(&mctx); 2687 EVP_MD_CTX_init(&mctx);
2915 2688
2916 n=s->method->ssl_get_message(s, 2689 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2917 SSL3_ST_SR_CERT_VRFY_A, 2690 SSL3_ST_SR_CERT_VRFY_B, -1,
2918 SSL3_ST_SR_CERT_VRFY_B, 2691 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
2919 -1, 2692 if (!ok)
2920 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ 2693 return ((int)n);
2921 &ok); 2694
2922 2695 if (s->session->peer != NULL) {
2923 if (!ok) return((int)n); 2696 peer = s->session->peer;
2924 2697 pkey = X509_get_pubkey(peer);
2925 if (s->session->peer != NULL) 2698 type = X509_certificate_type(peer, pkey);
2926 { 2699 } else {
2927 peer=s->session->peer; 2700 peer = NULL;
2928 pkey=X509_get_pubkey(peer); 2701 pkey = NULL;
2929 type=X509_certificate_type(peer,pkey); 2702 }
2930 }
2931 else
2932 {
2933 peer=NULL;
2934 pkey=NULL;
2935 }
2936 2703
2937 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2704 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2938 { 2705 s->s3->tmp.reuse_message = 1;
2939 s->s3->tmp.reuse_message=1; 2706 if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
2940 if ((peer != NULL) && (type & EVP_PKT_SIGN)) 2707 al = SSL_AD_UNEXPECTED_MESSAGE;
2941 { 2708 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE);
2942 al=SSL_AD_UNEXPECTED_MESSAGE;
2943 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
2944 goto f_err; 2709 goto f_err;
2945 }
2946 ret=1;
2947 goto end;
2948 } 2710 }
2711 ret = 1;
2712 goto end;
2713 }
2949 2714
2950 if (peer == NULL) 2715 if (peer == NULL) {
2951 { 2716 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED);
2952 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2717 al = SSL_AD_UNEXPECTED_MESSAGE;
2953 al=SSL_AD_UNEXPECTED_MESSAGE;
2954 goto f_err; 2718 goto f_err;
2955 } 2719 }
2956 2720
2957 if (!(type & EVP_PKT_SIGN)) 2721 if (!(type & EVP_PKT_SIGN)) {
2958 { 2722 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2959 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2723 al = SSL_AD_ILLEGAL_PARAMETER;
2960 al=SSL_AD_ILLEGAL_PARAMETER;
2961 goto f_err; 2724 goto f_err;
2962 } 2725 }
2963 2726
2964 if (s->s3->change_cipher_spec) 2727 if (s->s3->change_cipher_spec) {
2965 { 2728 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY);
2966 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2729 al = SSL_AD_UNEXPECTED_MESSAGE;
2967 al=SSL_AD_UNEXPECTED_MESSAGE;
2968 goto f_err; 2730 goto f_err;
2969 } 2731 }
2970 2732
2971 /* we now have a signature that we need to verify */ 2733 /* we now have a signature that we need to verify */
2972 p=(unsigned char *)s->init_msg; 2734 p = (unsigned char *)s->init_msg;
2973 /* Check for broken implementations of GOST ciphersuites */ 2735 /* Check for broken implementations of GOST ciphersuites */
2974 /* If key is GOST and n is exactly 64, it is bare 2736 /* If key is GOST and n is exactly 64, it is bare
2975 * signature without length field */ 2737 * signature without length field */
2976 if (n==64 && (pkey->type==NID_id_GostR3410_94 || 2738 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2977 pkey->type == NID_id_GostR3410_2001) ) 2739 pkey->type == NID_id_GostR3410_2001) ) {
2978 { 2740 i = 64;
2979 i=64; 2741 } else {
2980 } 2742 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2981 else
2982 {
2983 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2984 {
2985 int sigalg = tls12_get_sigid(pkey); 2743 int sigalg = tls12_get_sigid(pkey);
2986 /* Should never happen */ 2744 /* Should never happen */
2987 if (sigalg == -1) 2745 if (sigalg == -1) {
2988 { 2746 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
2989 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2747 al = SSL_AD_INTERNAL_ERROR;
2990 al=SSL_AD_INTERNAL_ERROR;
2991 goto f_err; 2748 goto f_err;
2992 } 2749 }
2993 /* Check key type is consistent with signature */ 2750 /* Check key type is consistent with signature */
2994 if (sigalg != (int)p[1]) 2751 if (sigalg != (int)p[1]) {
2995 { 2752 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_TYPE);
2996 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE); 2753 al = SSL_AD_DECODE_ERROR;
2997 al=SSL_AD_DECODE_ERROR;
2998 goto f_err; 2754 goto f_err;
2999 } 2755 }
3000 md = tls12_get_hash(p[0]); 2756 md = tls12_get_hash(p[0]);
3001 if (md == NULL) 2757 if (md == NULL) {
3002 { 2758 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_UNKNOWN_DIGEST);
3003 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST); 2759 al = SSL_AD_DECODE_ERROR;
3004 al=SSL_AD_DECODE_ERROR;
3005 goto f_err; 2760 goto f_err;
3006 } 2761 }
3007#ifdef SSL_DEBUG 2762#ifdef SSL_DEBUG
3008fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 2763 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
3009#endif 2764#endif
3010 p += 2; 2765 p += 2;
3011 n -= 2; 2766 n -= 2;
3012 } 2767 }
3013 n2s(p,i); 2768 n2s(p, i);
3014 n-=2; 2769 n -= 2;
3015 if (i > n) 2770 if (i > n) {
3016 { 2771 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
3017 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2772 al = SSL_AD_DECODE_ERROR;
3018 al=SSL_AD_DECODE_ERROR;
3019 goto f_err; 2773 goto f_err;
3020 }
3021 }
3022 j=EVP_PKEY_size(pkey);
3023 if ((i > j) || (n > j) || (n <= 0))
3024 {
3025 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
3026 al=SSL_AD_DECODE_ERROR;
3027 goto f_err;
3028 } 2774 }
2775 }
2776 j = EVP_PKEY_size(pkey);
2777 if ((i > j) || (n > j) || (n <= 0)) {
2778 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2779 al = SSL_AD_DECODE_ERROR;
2780 goto f_err;
2781 }
3029 2782
3030 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2783 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
3031 {
3032 long hdatalen = 0; 2784 long hdatalen = 0;
3033 void *hdata; 2785 void *hdata;
3034 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 2786 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
3035 if (hdatalen <= 0) 2787 if (hdatalen <= 0) {
3036 {
3037 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2788 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3038 al=SSL_AD_INTERNAL_ERROR; 2789 al = SSL_AD_INTERNAL_ERROR;
3039 goto f_err; 2790 goto f_err;
3040 } 2791 }
3041#ifdef SSL_DEBUG 2792#ifdef SSL_DEBUG
3042 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 2793 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
3043 EVP_MD_name(md)); 2794 EVP_MD_name(md));
3044#endif 2795#endif
3045 if (!EVP_VerifyInit_ex(&mctx, md, NULL) 2796 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
3046 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) 2797 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
3047 {
3048 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 2798 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
3049 al=SSL_AD_INTERNAL_ERROR; 2799 al = SSL_AD_INTERNAL_ERROR;
3050 goto f_err; 2800 goto f_err;
3051 } 2801 }
3052 2802
3053 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) 2803 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) {
3054 { 2804 al = SSL_AD_DECRYPT_ERROR;
3055 al=SSL_AD_DECRYPT_ERROR; 2805 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
3056 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE);
3057 goto f_err; 2806 goto f_err;
3058 }
3059 } 2807 }
3060 else 2808 } else
3061#ifndef OPENSSL_NO_RSA 2809#ifndef OPENSSL_NO_RSA
3062 if (pkey->type == EVP_PKEY_RSA) 2810 if (pkey->type == EVP_PKEY_RSA) {
3063 { 2811 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
3064 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2812 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
3065 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2813 pkey->pkey.rsa);
3066 pkey->pkey.rsa); 2814 if (i < 0) {
3067 if (i < 0) 2815 al = SSL_AD_DECRYPT_ERROR;
3068 { 2816 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
3069 al=SSL_AD_DECRYPT_ERROR;
3070 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
3071 goto f_err; 2817 goto f_err;
3072 } 2818 }
3073 if (i == 0) 2819 if (i == 0) {
3074 { 2820 al = SSL_AD_DECRYPT_ERROR;
3075 al=SSL_AD_DECRYPT_ERROR; 2821 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
3076 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
3077 goto f_err; 2822 goto f_err;
3078 }
3079 } 2823 }
3080 else 2824 } else
3081#endif 2825#endif
3082#ifndef OPENSSL_NO_DSA 2826#ifndef OPENSSL_NO_DSA
3083 if (pkey->type == EVP_PKEY_DSA) 2827 if (pkey->type == EVP_PKEY_DSA) {
3084 { 2828 j = DSA_verify(pkey->save_type,
3085 j=DSA_verify(pkey->save_type, 2829 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3086 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2830 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
3087 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2831 if (j <= 0) {
3088 if (j <= 0)
3089 {
3090 /* bad signature */ 2832 /* bad signature */
3091 al=SSL_AD_DECRYPT_ERROR; 2833 al = SSL_AD_DECRYPT_ERROR;
3092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2834 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
3093 goto f_err; 2835 goto f_err;
3094 }
3095 } 2836 }
3096 else 2837 } else
3097#endif 2838#endif
3098#ifndef OPENSSL_NO_ECDSA 2839#ifndef OPENSSL_NO_ECDSA
3099 if (pkey->type == EVP_PKEY_EC) 2840 if (pkey->type == EVP_PKEY_EC) {
3100 { 2841 j = ECDSA_verify(pkey->save_type,
3101 j=ECDSA_verify(pkey->save_type, 2842 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3102 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2843 SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
3103 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2844 if (j <= 0) {
3104 if (j <= 0)
3105 {
3106 /* bad signature */ 2845 /* bad signature */
3107 al=SSL_AD_DECRYPT_ERROR; 2846 al = SSL_AD_DECRYPT_ERROR;
3108 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2847 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3109 SSL_R_BAD_ECDSA_SIGNATURE); 2848 SSL_R_BAD_ECDSA_SIGNATURE);
3110 goto f_err; 2849 goto f_err;
3111 }
3112 } 2850 }
3113 else 2851 } else
3114#endif 2852#endif
3115 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2853 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3116 { unsigned char signature[64]; 2854 unsigned char signature[64];
3117 int idx; 2855 int idx;
3118 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL); 2856 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
3119 EVP_PKEY_verify_init(pctx); 2857 EVP_PKEY_verify_init(pctx);
3120 if (i!=64) { 2858 if (i != 64) {
3121 fprintf(stderr,"GOST signature length is %d",i); 2859 fprintf(stderr, "GOST signature length is %d", i);
3122 } 2860 }
3123 for (idx=0;idx<64;idx++) { 2861 for (idx = 0; idx < 64; idx++) {
3124 signature[63-idx]=p[idx]; 2862 signature[63 - idx] = p[idx];
3125 } 2863 }
3126 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32); 2864 j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md, 32);
3127 EVP_PKEY_CTX_free(pctx); 2865 EVP_PKEY_CTX_free(pctx);
3128 if (j<=0) 2866 if (j <= 0) {
3129 { 2867 al = SSL_AD_DECRYPT_ERROR;
3130 al=SSL_AD_DECRYPT_ERROR; 2868 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3131 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2869 SSL_R_BAD_ECDSA_SIGNATURE);
3132 SSL_R_BAD_ECDSA_SIGNATURE); 2870 goto f_err;
3133 goto f_err;
3134 }
3135 } 2871 }
3136 else 2872 } else {
3137 { 2873 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3138 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2874 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
3139 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
3140 goto f_err; 2875 goto f_err;
3141 } 2876 }
3142 2877
3143 2878
3144 ret=1; 2879 ret = 1;
3145 if (0) 2880 if (0) {
3146 {
3147f_err: 2881f_err:
3148 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2882 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3149 } 2883 }
3150end: 2884end:
3151 if (s->s3->handshake_buffer) 2885 if (s->s3->handshake_buffer) {
3152 {
3153 BIO_free(s->s3->handshake_buffer); 2886 BIO_free(s->s3->handshake_buffer);
3154 s->s3->handshake_buffer = NULL; 2887 s->s3->handshake_buffer = NULL;
3155 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; 2888 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
3156 } 2889 }
3157 EVP_MD_CTX_cleanup(&mctx); 2890 EVP_MD_CTX_cleanup(&mctx);
3158 EVP_PKEY_free(pkey); 2891 EVP_PKEY_free(pkey);
3159 return(ret); 2892 return (ret);
3160 } 2893}
3161 2894
3162int ssl3_get_client_certificate(SSL *s) 2895int
3163 { 2896ssl3_get_client_certificate(SSL *s)
3164 int i,ok,al,ret= -1; 2897{
3165 X509 *x=NULL; 2898 int i, ok, al, ret = -1;
3166 unsigned long l,nc,llen,n; 2899 X509 *x = NULL;
3167 const unsigned char *p,*q; 2900 unsigned long l, nc, llen, n;
2901 const unsigned char *p, *q;
3168 unsigned char *d; 2902 unsigned char *d;
3169 STACK_OF(X509) *sk=NULL; 2903 STACK_OF(X509) *sk = NULL;
3170 2904
3171 n=s->method->ssl_get_message(s, 2905 n = s->method->ssl_get_message(s,
3172 SSL3_ST_SR_CERT_A, 2906 SSL3_ST_SR_CERT_A,
3173 SSL3_ST_SR_CERT_B, 2907 SSL3_ST_SR_CERT_B,
3174 -1, 2908 -1,
3175 s->max_cert_list, 2909 s->max_cert_list,
3176 &ok); 2910 &ok);
3177 2911
3178 if (!ok) return((int)n); 2912 if (!ok)
2913 return ((int)n);
3179 2914
3180 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2915 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
3181 { 2916 if ((s->verify_mode & SSL_VERIFY_PEER) &&
3182 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2917 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3183 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2918 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3184 { 2919 al = SSL_AD_HANDSHAKE_FAILURE;
3185 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3186 al=SSL_AD_HANDSHAKE_FAILURE;
3187 goto f_err; 2920 goto f_err;
3188 } 2921 }
3189 /* If tls asked for a client cert, the client must return a 0 list */ 2922 /* If tls asked for a client cert, the client must return a 0 list */
3190 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2923 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
3191 { 2924 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
3192 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2925 al = SSL_AD_UNEXPECTED_MESSAGE;
3193 al=SSL_AD_UNEXPECTED_MESSAGE;
3194 goto f_err; 2926 goto f_err;
3195 }
3196 s->s3->tmp.reuse_message=1;
3197 return(1);
3198 } 2927 }
2928 s->s3->tmp.reuse_message = 1;
2929 return (1);
2930 }
3199 2931
3200 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2932 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
3201 { 2933 al = SSL_AD_UNEXPECTED_MESSAGE;
3202 al=SSL_AD_UNEXPECTED_MESSAGE; 2934 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
3203 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
3204 goto f_err; 2935 goto f_err;
3205 } 2936 }
3206 p=d=(unsigned char *)s->init_msg; 2937 p = d = (unsigned char *)s->init_msg;
3207 2938
3208 if ((sk=sk_X509_new_null()) == NULL) 2939 if ((sk = sk_X509_new_null()) == NULL) {
3209 { 2940 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3210 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3211 goto err; 2941 goto err;
3212 } 2942 }
3213 2943
3214 n2l3(p,llen); 2944 n2l3(p, llen);
3215 if (llen+3 != n) 2945 if (llen + 3 != n) {
3216 { 2946 al = SSL_AD_DECODE_ERROR;
3217 al=SSL_AD_DECODE_ERROR; 2947 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3218 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
3219 goto f_err; 2948 goto f_err;
3220 } 2949 }
3221 for (nc=0; nc<llen; ) 2950 for (nc = 0; nc < llen;) {
3222 { 2951 n2l3(p, l);
3223 n2l3(p,l); 2952 if ((l + nc + 3) > llen) {
3224 if ((l+nc+3) > llen) 2953 al = SSL_AD_DECODE_ERROR;
3225 { 2954 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3226 al=SSL_AD_DECODE_ERROR;
3227 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3228 goto f_err; 2955 goto f_err;
3229 } 2956 }
3230 2957
3231 q=p; 2958 q = p;
3232 x=d2i_X509(NULL,&p,l); 2959 x = d2i_X509(NULL, &p, l);
3233 if (x == NULL) 2960 if (x == NULL) {
3234 { 2961 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
3235 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
3236 goto err; 2962 goto err;
3237 } 2963 }
3238 if (p != (q+l)) 2964 if (p != (q + l)) {
3239 { 2965 al = SSL_AD_DECODE_ERROR;
3240 al=SSL_AD_DECODE_ERROR; 2966 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3241 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3242 goto f_err; 2967 goto f_err;
3243 } 2968 }
3244 if (!sk_X509_push(sk,x)) 2969 if (!sk_X509_push(sk, x)) {
3245 { 2970 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3246 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3247 goto err; 2971 goto err;
3248 }
3249 x=NULL;
3250 nc+=l+3;
3251 } 2972 }
2973 x = NULL;
2974 nc += l + 3;
2975 }
3252 2976
3253 if (sk_X509_num(sk) <= 0) 2977 if (sk_X509_num(sk) <= 0) {
3254 {
3255 /* TLS does not mind 0 certs returned */ 2978 /* TLS does not mind 0 certs returned */
3256 if (s->version == SSL3_VERSION) 2979 if (s->version == SSL3_VERSION) {
3257 { 2980 al = SSL_AD_HANDSHAKE_FAILURE;
3258 al=SSL_AD_HANDSHAKE_FAILURE; 2981 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATES_RETURNED);
3259 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
3260 goto f_err; 2982 goto f_err;
3261 } 2983 }
3262 /* Fail for TLS only if we required a certificate */ 2984 /* Fail for TLS only if we required a certificate */
3263 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2985 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
3264 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2986 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3265 { 2987 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3266 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2988 al = SSL_AD_HANDSHAKE_FAILURE;
3267 al=SSL_AD_HANDSHAKE_FAILURE;
3268 goto f_err; 2989 goto f_err;
3269 } 2990 }
3270 /* No client certificate so digest cached records */ 2991 /* No client certificate so digest cached records */
3271 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) 2992 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
3272 { 2993 al = SSL_AD_INTERNAL_ERROR;
3273 al=SSL_AD_INTERNAL_ERROR;
3274 goto f_err; 2994 goto f_err;
3275 }
3276 } 2995 }
3277 else 2996 } else {
3278 { 2997 i = ssl_verify_cert_chain(s, sk);
3279 i=ssl_verify_cert_chain(s,sk); 2998 if (i <= 0) {
3280 if (i <= 0) 2999 al = ssl_verify_alarm_type(s->verify_result);
3281 { 3000 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATE_RETURNED);
3282 al=ssl_verify_alarm_type(s->verify_result);
3283 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
3284 goto f_err; 3001 goto f_err;
3285 }
3286 } 3002 }
3003 }
3287 3004
3288 if (s->session->peer != NULL) /* This should not be needed */ 3005 if (s->session->peer != NULL) /* This should not be needed */
3289 X509_free(s->session->peer); 3006 X509_free(s->session->peer);
3290 s->session->peer=sk_X509_shift(sk); 3007 s->session->peer = sk_X509_shift(sk);
3291 s->session->verify_result = s->verify_result; 3008 s->session->verify_result = s->verify_result;
3292 3009
3293 /* With the current implementation, sess_cert will always be NULL 3010 /* With the current implementation, sess_cert will always be NULL
3294 * when we arrive here. */ 3011 * when we arrive here. */
3295 if (s->session->sess_cert == NULL) 3012 if (s->session->sess_cert == NULL) {
3296 {
3297 s->session->sess_cert = ssl_sess_cert_new(); 3013 s->session->sess_cert = ssl_sess_cert_new();
3298 if (s->session->sess_cert == NULL) 3014 if (s->session->sess_cert == NULL) {
3299 {
3300 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3015 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3301 goto err; 3016 goto err;
3302 }
3303 } 3017 }
3018 }
3304 if (s->session->sess_cert->cert_chain != NULL) 3019 if (s->session->sess_cert->cert_chain != NULL)
3305 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 3020 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
3306 s->session->sess_cert->cert_chain=sk; 3021 s->session->sess_cert->cert_chain = sk;
3307 /* Inconsistency alert: cert_chain does *not* include the 3022 /* Inconsistency alert: cert_chain does *not* include the
3308 * peer's own certificate, while we do include it in s3_clnt.c */ 3023 * peer's own certificate, while we do include it in s3_clnt.c */
3309 3024
3310 sk=NULL; 3025 sk = NULL;
3311 3026
3312 ret=1; 3027 ret = 1;
3313 if (0) 3028 if (0) {
3314 {
3315f_err: 3029f_err:
3316 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3030 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3317 }
3318err:
3319 if (x != NULL) X509_free(x);
3320 if (sk != NULL) sk_X509_pop_free(sk,X509_free);
3321 return(ret);
3322 } 3031 }
3032err:
3033 if (x != NULL)
3034 X509_free(x);
3035 if (sk != NULL)
3036 sk_X509_pop_free(sk, X509_free);
3037 return (ret);
3038}
3323 3039
3324int ssl3_send_server_certificate(SSL *s) 3040int
3325 { 3041ssl3_send_server_certificate(SSL *s)
3042{
3326 unsigned long l; 3043 unsigned long l;
3327 X509 *x; 3044 X509 *x;
3328 3045
3329 if (s->state == SSL3_ST_SW_CERT_A) 3046 if (s->state == SSL3_ST_SW_CERT_A) {
3330 { 3047 x = ssl_get_server_send_cert(s);
3331 x=ssl_get_server_send_cert(s); 3048 if (x == NULL) {
3332 if (x == NULL)
3333 {
3334 /* VRS: allow null cert if auth == KRB5 */ 3049 /* VRS: allow null cert if auth == KRB5 */
3335 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3050 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
3336 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) 3051 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) {
3337 { 3052 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3338 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 3053 return (0);
3339 return(0);
3340 }
3341 } 3054 }
3342
3343 l=ssl3_output_cert_chain(s,x);
3344 s->state=SSL3_ST_SW_CERT_B;
3345 s->init_num=(int)l;
3346 s->init_off=0;
3347 } 3055 }
3348 3056
3349 /* SSL3_ST_SW_CERT_B */ 3057 l = ssl3_output_cert_chain(s, x);
3350 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3058 s->state = SSL3_ST_SW_CERT_B;
3059 s->init_num = (int)l;
3060 s->init_off = 0;
3351 } 3061 }
3352 3062
3063 /* SSL3_ST_SW_CERT_B */
3064 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3065}
3066
3353#ifndef OPENSSL_NO_TLSEXT 3067#ifndef OPENSSL_NO_TLSEXT
3354/* send a new session ticket (not necessarily for a new session) */ 3068/* send a new session ticket (not necessarily for a new session) */
3355int ssl3_send_newsession_ticket(SSL *s) 3069int
3356 { 3070ssl3_send_newsession_ticket(SSL *s)
3357 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3071{
3358 { 3072 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
3359 unsigned char *p, *senc, *macstart; 3073 unsigned char *p, *senc, *macstart;
3360 const unsigned char *const_p; 3074 const unsigned char *const_p;
3361 int len, slen_full, slen; 3075 int len, slen_full, slen;
@@ -3383,19 +3097,18 @@ int ssl3_send_newsession_ticket(SSL *s)
3383 /* create a fresh copy (not shared with other threads) to clean up */ 3097 /* create a fresh copy (not shared with other threads) to clean up */
3384 const_p = senc; 3098 const_p = senc;
3385 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3099 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3386 if (sess == NULL) 3100 if (sess == NULL) {
3387 {
3388 OPENSSL_free(senc); 3101 OPENSSL_free(senc);
3389 return -1; 3102 return -1;
3390 } 3103 }
3391 sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3104 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3392 3105
3393 slen = i2d_SSL_SESSION(sess, NULL); 3106 slen = i2d_SSL_SESSION(sess, NULL);
3394 if (slen > slen_full) /* shouldn't ever happen */ 3107 if (slen > slen_full) /* shouldn't ever happen */
3395 { 3108 {
3396 OPENSSL_free(senc); 3109 OPENSSL_free(senc);
3397 return -1; 3110 return -1;
3398 } 3111 }
3399 p = senc; 3112 p = senc;
3400 i2d_SSL_SESSION(sess, &p); 3113 i2d_SSL_SESSION(sess, &p);
3401 SSL_SESSION_free(sess); 3114 SSL_SESSION_free(sess);
@@ -3409,12 +3122,12 @@ int ssl3_send_newsession_ticket(SSL *s)
3409 */ 3122 */
3410 if (!BUF_MEM_grow(s->init_buf, 3123 if (!BUF_MEM_grow(s->init_buf,
3411 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3124 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3412 EVP_MAX_MD_SIZE + slen)) 3125 EVP_MAX_MD_SIZE + slen))
3413 return -1; 3126 return -1;
3414 3127
3415 p=(unsigned char *)s->init_buf->data; 3128 p = (unsigned char *)s->init_buf->data;
3416 /* do the header */ 3129 /* do the header */
3417 *(p++)=SSL3_MT_NEWSESSION_TICKET; 3130 *(p++) = SSL3_MT_NEWSESSION_TICKET;
3418 /* Skip message length for now */ 3131 /* Skip message length for now */
3419 p += 3; 3132 p += 3;
3420 EVP_CIPHER_CTX_init(&ctx); 3133 EVP_CIPHER_CTX_init(&ctx);
@@ -3423,24 +3136,20 @@ int ssl3_send_newsession_ticket(SSL *s)
3423 * it does all the work otherwise use generated values 3136 * it does all the work otherwise use generated values
3424 * from parent ctx. 3137 * from parent ctx.
3425 */ 3138 */
3426 if (tctx->tlsext_ticket_key_cb) 3139 if (tctx->tlsext_ticket_key_cb) {
3427 {
3428 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3140 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
3429 &hctx, 1) < 0) 3141 &hctx, 1) < 0) {
3430 {
3431 OPENSSL_free(senc); 3142 OPENSSL_free(senc);
3432 return -1; 3143 return -1;
3433 }
3434 } 3144 }
3435 else 3145 } else {
3436 {
3437 RAND_pseudo_bytes(iv, 16); 3146 RAND_pseudo_bytes(iv, 16);
3438 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3147 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3439 tctx->tlsext_tick_aes_key, iv); 3148 tctx->tlsext_tick_aes_key, iv);
3440 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3149 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3441 tlsext_tick_md(), NULL); 3150 tlsext_tick_md(), NULL);
3442 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3151 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3443 } 3152 }
3444 3153
3445 /* Ticket lifetime hint (advisory only): 3154 /* Ticket lifetime hint (advisory only):
3446 * We leave this unspecified for resumed session (for simplicity), 3155 * We leave this unspecified for resumed session (for simplicity),
@@ -3472,26 +3181,27 @@ int ssl3_send_newsession_ticket(SSL *s)
3472 /* Now write out lengths: p points to end of data written */ 3181 /* Now write out lengths: p points to end of data written */
3473 /* Total length */ 3182 /* Total length */
3474 len = p - (unsigned char *)s->init_buf->data; 3183 len = p - (unsigned char *)s->init_buf->data;
3475 p=(unsigned char *)s->init_buf->data + 1; 3184 p = (unsigned char *)s->init_buf->data + 1;
3476 l2n3(len - 4, p); /* Message length */ 3185 l2n3(len - 4, p); /* Message length */
3477 p += 4; 3186 p += 4;
3478 s2n(len - 10, p); /* Ticket length */ 3187 s2n(len - 10, p);
3188 /* Ticket length */
3479 3189
3480 /* number of bytes to write */ 3190 /* number of bytes to write */
3481 s->init_num= len; 3191 s->init_num = len;
3482 s->state=SSL3_ST_SW_SESSION_TICKET_B; 3192 s->state = SSL3_ST_SW_SESSION_TICKET_B;
3483 s->init_off=0; 3193 s->init_off = 0;
3484 OPENSSL_free(senc); 3194 OPENSSL_free(senc);
3485 } 3195 }
3486 3196
3487 /* SSL3_ST_SW_SESSION_TICKET_B */ 3197 /* SSL3_ST_SW_SESSION_TICKET_B */
3488 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3198 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3489 } 3199}
3490 3200
3491int ssl3_send_cert_status(SSL *s) 3201int
3492 { 3202ssl3_send_cert_status(SSL *s)
3493 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 3203{
3494 { 3204 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
3495 unsigned char *p; 3205 unsigned char *p;
3496 /* Grow buffer if need be: the length calculation is as 3206 /* Grow buffer if need be: the length calculation is as
3497 * follows 1 (message type) + 3 (message length) + 3207 * follows 1 (message type) + 3 (message length) +
@@ -3501,33 +3211,34 @@ int ssl3_send_cert_status(SSL *s)
3501 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 3211 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
3502 return -1; 3212 return -1;
3503 3213
3504 p=(unsigned char *)s->init_buf->data; 3214 p = (unsigned char *)s->init_buf->data;
3505 3215
3506 /* do the header */ 3216 /* do the header */
3507 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 3217 *(p++) = SSL3_MT_CERTIFICATE_STATUS;
3508 /* message length */ 3218 /* message length */
3509 l2n3(s->tlsext_ocsp_resplen + 4, p); 3219 l2n3(s->tlsext_ocsp_resplen + 4, p);
3510 /* status type */ 3220 /* status type */
3511 *(p++)= s->tlsext_status_type; 3221 *(p++) = s->tlsext_status_type;
3512 /* length of OCSP response */ 3222 /* length of OCSP response */
3513 l2n3(s->tlsext_ocsp_resplen, p); 3223 l2n3(s->tlsext_ocsp_resplen, p);
3514 /* actual response */ 3224 /* actual response */
3515 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 3225 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
3516 /* number of bytes to write */ 3226 /* number of bytes to write */
3517 s->init_num = 8 + s->tlsext_ocsp_resplen; 3227 s->init_num = 8 + s->tlsext_ocsp_resplen;
3518 s->state=SSL3_ST_SW_CERT_STATUS_B; 3228 s->state = SSL3_ST_SW_CERT_STATUS_B;
3519 s->init_off = 0; 3229 s->init_off = 0;
3520 } 3230 }
3521 3231
3522 /* SSL3_ST_SW_CERT_STATUS_B */ 3232 /* SSL3_ST_SW_CERT_STATUS_B */
3523 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3233 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3524 } 3234}
3525 3235
3526# ifndef OPENSSL_NO_NEXTPROTONEG 3236# ifndef OPENSSL_NO_NEXTPROTONEG
3527/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 3237/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
3528 * sets the next_proto member in s if found */ 3238 * sets the next_proto member in s if found */
3529int ssl3_get_next_proto(SSL *s) 3239int
3530 { 3240ssl3_get_next_proto(SSL *s)
3241{
3531 int ok; 3242 int ok;
3532 int proto_len, padding_len; 3243 int proto_len, padding_len;
3533 long n; 3244 long n;
@@ -3535,35 +3246,30 @@ int ssl3_get_next_proto(SSL *s)
3535 3246
3536 /* Clients cannot send a NextProtocol message if we didn't see the 3247 /* Clients cannot send a NextProtocol message if we didn't see the
3537 * extension in their ClientHello */ 3248 * extension in their ClientHello */
3538 if (!s->s3->next_proto_neg_seen) 3249 if (!s->s3->next_proto_neg_seen) {
3539 { 3250 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3540 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3541 return -1; 3251 return -1;
3542 } 3252 }
3543
3544 n=s->method->ssl_get_message(s,
3545 SSL3_ST_SR_NEXT_PROTO_A,
3546 SSL3_ST_SR_NEXT_PROTO_B,
3547 SSL3_MT_NEXT_PROTO,
3548 514, /* See the payload format below */
3549 &ok);
3550 3253
3254 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
3255 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
3256 514, /* See the payload format below */ &ok);
3551 if (!ok) 3257 if (!ok)
3552 return((int)n); 3258 return ((int)n);
3553 3259
3554 /* s->state doesn't reflect whether ChangeCipherSpec has been received 3260 /* s->state doesn't reflect whether ChangeCipherSpec has been received
3555 * in this handshake, but s->s3->change_cipher_spec does (will be reset 3261 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3556 * by ssl3_get_finished). */ 3262 * by ssl3_get_finished). */
3557 if (!s->s3->change_cipher_spec) 3263 if (!s->s3->change_cipher_spec) {
3558 { 3264 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3559 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3560 return -1; 3265 return -1;
3561 } 3266 }
3562 3267
3563 if (n < 2) 3268 if (n < 2)
3564 return 0; /* The body must be > 1 bytes long */ 3269 return 0;
3270 /* The body must be > 1 bytes long */
3565 3271
3566 p=(unsigned char *)s->init_msg; 3272 p = (unsigned char *)s->init_msg;
3567 3273
3568 /* The payload looks like: 3274 /* The payload looks like:
3569 * uint8 proto_len; 3275 * uint8 proto_len;
@@ -3579,15 +3285,14 @@ int ssl3_get_next_proto(SSL *s)
3579 return 0; 3285 return 0;
3580 3286
3581 s->next_proto_negotiated = OPENSSL_malloc(proto_len); 3287 s->next_proto_negotiated = OPENSSL_malloc(proto_len);
3582 if (!s->next_proto_negotiated) 3288 if (!s->next_proto_negotiated) {
3583 { 3289 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE);
3584 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
3585 return 0; 3290 return 0;
3586 } 3291 }
3587 memcpy(s->next_proto_negotiated, p + 1, proto_len); 3292 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3588 s->next_proto_negotiated_len = proto_len; 3293 s->next_proto_negotiated_len = proto_len;
3589 3294
3590 return 1; 3295 return 1;
3591 } 3296}
3592# endif 3297# endif
3593#endif 3298#endif
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 64e7be8d67..b9ca6b6f9b 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -168,62 +168,60 @@
168#endif 168#endif
169 169
170static const SSL_METHOD *ssl3_get_client_method(int ver); 170static const SSL_METHOD *ssl3_get_client_method(int ver);
171static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 171static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
172 172
173static const SSL_METHOD *ssl3_get_client_method(int ver) 173static const SSL_METHOD
174 { 174*ssl3_get_client_method(int ver)
175{
175 if (ver == SSL3_VERSION) 176 if (ver == SSL3_VERSION)
176 return(SSLv3_client_method()); 177 return (SSLv3_client_method());
177 else 178 else
178 return(NULL); 179 return (NULL);
179 } 180}
180 181
181IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
182 ssl_undefined_function, 183 ssl_undefined_function, ssl3_connect, ssl3_get_client_method)
183 ssl3_connect,
184 ssl3_get_client_method)
185 184
186int ssl3_connect(SSL *s) 185int
187 { 186ssl3_connect(SSL *s)
188 BUF_MEM *buf=NULL; 187{
189 unsigned long Time=(unsigned long)time(NULL); 188 BUF_MEM *buf = NULL;
190 void (*cb)(const SSL *ssl,int type,int val)=NULL; 189 unsigned long Time = (unsigned long)time(NULL);
191 int ret= -1; 190 void (*cb)(const SSL *ssl, int type, int val) = NULL;
192 int new_state,state,skip=0; 191 int ret = -1;
192 int new_state, state, skip = 0;
193 193
194 RAND_add(&Time,sizeof(Time),0); 194 RAND_add(&Time, sizeof(Time), 0);
195 ERR_clear_error(); 195 ERR_clear_error();
196 errno = 0; 196 errno = 0;
197 197
198 if (s->info_callback != NULL) 198 if (s->info_callback != NULL)
199 cb=s->info_callback; 199 cb = s->info_callback;
200 else if (s->ctx->info_callback != NULL) 200 else if (s->ctx->info_callback != NULL)
201 cb=s->ctx->info_callback; 201 cb = s->ctx->info_callback;
202 202
203 s->in_handshake++; 203 s->in_handshake++;
204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 204 if (!SSL_in_init(s) || SSL_in_before(s))
205 SSL_clear(s);
205 206
206#ifndef OPENSSL_NO_HEARTBEATS 207#ifndef OPENSSL_NO_HEARTBEATS
207 /* If we're awaiting a HeartbeatResponse, pretend we 208 /* If we're awaiting a HeartbeatResponse, pretend we
208 * already got and don't await it anymore, because 209 * already got and don't await it anymore, because
209 * Heartbeats don't make sense during handshakes anyway. 210 * Heartbeats don't make sense during handshakes anyway.
210 */ 211 */
211 if (s->tlsext_hb_pending) 212 if (s->tlsext_hb_pending) {
212 {
213 s->tlsext_hb_pending = 0; 213 s->tlsext_hb_pending = 0;
214 s->tlsext_hb_seq++; 214 s->tlsext_hb_seq++;
215 } 215 }
216#endif 216#endif
217 217
218 for (;;) 218 for (;;) {
219 { 219 state = s->state;
220 state=s->state;
221 220
222 switch(s->state) 221 switch (s->state) {
223 {
224 case SSL_ST_RENEGOTIATE: 222 case SSL_ST_RENEGOTIATE:
225 s->renegotiate=1; 223 s->renegotiate = 1;
226 s->state=SSL_ST_CONNECT; 224 s->state = SSL_ST_CONNECT;
227 s->ctx->stats.sess_connect_renegotiate++; 225 s->ctx->stats.sess_connect_renegotiate++;
228 /* break */ 226 /* break */
229 case SSL_ST_BEFORE: 227 case SSL_ST_BEFORE:
@@ -231,173 +229,172 @@ int ssl3_connect(SSL *s)
231 case SSL_ST_BEFORE|SSL_ST_CONNECT: 229 case SSL_ST_BEFORE|SSL_ST_CONNECT:
232 case SSL_ST_OK|SSL_ST_CONNECT: 230 case SSL_ST_OK|SSL_ST_CONNECT:
233 231
234 s->server=0; 232 s->server = 0;
235 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 233 if (cb != NULL)
234 cb(s, SSL_CB_HANDSHAKE_START, 1);
236 235
237 if ((s->version & 0xff00 ) != 0x0300) 236 if ((s->version & 0xff00 ) != 0x0300) {
238 {
239 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 237 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
240 ret = -1; 238 ret = -1;
241 goto end; 239 goto end;
242 } 240 }
243 241
244 /* s->version=SSL3_VERSION; */ 242 /* s->version=SSL3_VERSION; */
245 s->type=SSL_ST_CONNECT; 243 s->type = SSL_ST_CONNECT;
246 244
247 if (s->init_buf == NULL) 245 if (s->init_buf == NULL) {
248 { 246 if ((buf = BUF_MEM_new()) == NULL) {
249 if ((buf=BUF_MEM_new()) == NULL) 247 ret = -1;
250 {
251 ret= -1;
252 goto end; 248 goto end;
253 } 249 }
254 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 250 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
255 { 251 ret = -1;
256 ret= -1;
257 goto end; 252 goto end;
258 }
259 s->init_buf=buf;
260 buf=NULL;
261 } 253 }
254 s->init_buf = buf;
255 buf = NULL;
256 }
262 257
263 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 258 if (!ssl3_setup_buffers(s)) {
259 ret = -1;
260 goto end;
261 }
264 262
265 /* setup buffing BIO */ 263 /* setup buffing BIO */
266 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 264 if (!ssl_init_wbio_buffer(s, 0)) {
265 ret = -1;
266 goto end;
267 }
267 268
268 /* don't push the buffering BIO quite yet */ 269 /* don't push the buffering BIO quite yet */
269 270
270 ssl3_init_finished_mac(s); 271 ssl3_init_finished_mac(s);
271 272
272 s->state=SSL3_ST_CW_CLNT_HELLO_A; 273 s->state = SSL3_ST_CW_CLNT_HELLO_A;
273 s->ctx->stats.sess_connect++; 274 s->ctx->stats.sess_connect++;
274 s->init_num=0; 275 s->init_num = 0;
275 break; 276 break;
276 277
277 case SSL3_ST_CW_CLNT_HELLO_A: 278 case SSL3_ST_CW_CLNT_HELLO_A:
278 case SSL3_ST_CW_CLNT_HELLO_B: 279 case SSL3_ST_CW_CLNT_HELLO_B:
279 280
280 s->shutdown=0; 281 s->shutdown = 0;
281 ret=ssl3_client_hello(s); 282 ret = ssl3_client_hello(s);
282 if (ret <= 0) goto end; 283 if (ret <= 0)
283 s->state=SSL3_ST_CR_SRVR_HELLO_A; 284 goto end;
284 s->init_num=0; 285 s->state = SSL3_ST_CR_SRVR_HELLO_A;
286 s->init_num = 0;
285 287
286 /* turn on buffering for the next lot of output */ 288 /* turn on buffering for the next lot of output */
287 if (s->bbio != s->wbio) 289 if (s->bbio != s->wbio)
288 s->wbio=BIO_push(s->bbio,s->wbio); 290 s->wbio = BIO_push(s->bbio, s->wbio);
289 291
290 break; 292 break;
291 293
292 case SSL3_ST_CR_SRVR_HELLO_A: 294 case SSL3_ST_CR_SRVR_HELLO_A:
293 case SSL3_ST_CR_SRVR_HELLO_B: 295 case SSL3_ST_CR_SRVR_HELLO_B:
294 ret=ssl3_get_server_hello(s); 296 ret = ssl3_get_server_hello(s);
295 if (ret <= 0) goto end; 297 if (ret <= 0)
298 goto end;
296 299
297 if (s->hit) 300 if (s->hit) {
298 { 301 s->state = SSL3_ST_CR_FINISHED_A;
299 s->state=SSL3_ST_CR_FINISHED_A;
300#ifndef OPENSSL_NO_TLSEXT 302#ifndef OPENSSL_NO_TLSEXT
301 if (s->tlsext_ticket_expected) 303 if (s->tlsext_ticket_expected) {
302 {
303 /* receive renewed session ticket */ 304 /* receive renewed session ticket */
304 s->state=SSL3_ST_CR_SESSION_TICKET_A; 305 s->state = SSL3_ST_CR_SESSION_TICKET_A;
305 }
306#endif
307 } 306 }
308 else 307#endif
309 s->state=SSL3_ST_CR_CERT_A; 308 } else
310 s->init_num=0; 309 s->state = SSL3_ST_CR_CERT_A;
310 s->init_num = 0;
311 break; 311 break;
312 312
313 case SSL3_ST_CR_CERT_A: 313 case SSL3_ST_CR_CERT_A:
314 case SSL3_ST_CR_CERT_B: 314 case SSL3_ST_CR_CERT_B:
315#ifndef OPENSSL_NO_TLSEXT 315#ifndef OPENSSL_NO_TLSEXT
316 ret=ssl3_check_finished(s); 316 ret = ssl3_check_finished(s);
317 if (ret <= 0) goto end; 317 if (ret <= 0)
318 if (ret == 2) 318 goto end;
319 { 319 if (ret == 2) {
320 s->hit = 1; 320 s->hit = 1;
321 if (s->tlsext_ticket_expected) 321 if (s->tlsext_ticket_expected)
322 s->state=SSL3_ST_CR_SESSION_TICKET_A; 322 s->state = SSL3_ST_CR_SESSION_TICKET_A;
323 else 323 else
324 s->state=SSL3_ST_CR_FINISHED_A; 324 s->state = SSL3_ST_CR_FINISHED_A;
325 s->init_num=0; 325 s->init_num = 0;
326 break; 326 break;
327 } 327 }
328#endif 328#endif
329 /* Check if it is anon DH/ECDH */ 329 /* Check if it is anon DH/ECDH */
330 /* or PSK */ 330 /* or PSK */
331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
333 { 333 ret = ssl3_get_server_certificate(s);
334 ret=ssl3_get_server_certificate(s); 334 if (ret <= 0)
335 if (ret <= 0) goto end; 335 goto end;
336#ifndef OPENSSL_NO_TLSEXT 336#ifndef OPENSSL_NO_TLSEXT
337 if (s->tlsext_status_expected) 337 if (s->tlsext_status_expected)
338 s->state=SSL3_ST_CR_CERT_STATUS_A; 338 s->state = SSL3_ST_CR_CERT_STATUS_A;
339 else 339 else
340 s->state=SSL3_ST_CR_KEY_EXCH_A; 340 s->state = SSL3_ST_CR_KEY_EXCH_A;
341 } 341 } else {
342 else
343 {
344 skip = 1; 342 skip = 1;
345 s->state=SSL3_ST_CR_KEY_EXCH_A; 343 s->state = SSL3_ST_CR_KEY_EXCH_A;
346 } 344 }
347#else 345#else
348 } 346 } else
349 else 347 skip = 1;
350 skip=1;
351 348
352 s->state=SSL3_ST_CR_KEY_EXCH_A; 349 s->state = SSL3_ST_CR_KEY_EXCH_A;
353#endif 350#endif
354 s->init_num=0; 351 s->init_num = 0;
355 break; 352 break;
356 353
357 case SSL3_ST_CR_KEY_EXCH_A: 354 case SSL3_ST_CR_KEY_EXCH_A:
358 case SSL3_ST_CR_KEY_EXCH_B: 355 case SSL3_ST_CR_KEY_EXCH_B:
359 ret=ssl3_get_key_exchange(s); 356 ret = ssl3_get_key_exchange(s);
360 if (ret <= 0) goto end; 357 if (ret <= 0)
361 s->state=SSL3_ST_CR_CERT_REQ_A; 358 goto end;
362 s->init_num=0; 359 s->state = SSL3_ST_CR_CERT_REQ_A;
360 s->init_num = 0;
363 361
364 /* at this point we check that we have the 362 /* at this point we check that we have the
365 * required stuff from the server */ 363 * required stuff from the server */
366 if (!ssl3_check_cert_and_algorithm(s)) 364 if (!ssl3_check_cert_and_algorithm(s)) {
367 { 365 ret = -1;
368 ret= -1;
369 goto end; 366 goto end;
370 } 367 }
371 break; 368 break;
372 369
373 case SSL3_ST_CR_CERT_REQ_A: 370 case SSL3_ST_CR_CERT_REQ_A:
374 case SSL3_ST_CR_CERT_REQ_B: 371 case SSL3_ST_CR_CERT_REQ_B:
375 ret=ssl3_get_certificate_request(s); 372 ret = ssl3_get_certificate_request(s);
376 if (ret <= 0) goto end; 373 if (ret <= 0)
377 s->state=SSL3_ST_CR_SRVR_DONE_A; 374 goto end;
378 s->init_num=0; 375 s->state = SSL3_ST_CR_SRVR_DONE_A;
376 s->init_num = 0;
379 break; 377 break;
380 378
381 case SSL3_ST_CR_SRVR_DONE_A: 379 case SSL3_ST_CR_SRVR_DONE_A:
382 case SSL3_ST_CR_SRVR_DONE_B: 380 case SSL3_ST_CR_SRVR_DONE_B:
383 ret=ssl3_get_server_done(s); 381 ret = ssl3_get_server_done(s);
384 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
385#ifndef OPENSSL_NO_SRP 384#ifndef OPENSSL_NO_SRP
386 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 385 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
387 { 386 if ((ret = SRP_Calc_A_param(s)) <= 0) {
388 if ((ret = SRP_Calc_A_param(s))<=0) 387 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
389 { 388 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
390 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
391 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
392 goto end; 389 goto end;
393 }
394 } 390 }
391 }
395#endif 392#endif
396 if (s->s3->tmp.cert_req) 393 if (s->s3->tmp.cert_req)
397 s->state=SSL3_ST_CW_CERT_A; 394 s->state = SSL3_ST_CW_CERT_A;
398 else 395 else
399 s->state=SSL3_ST_CW_KEY_EXCH_A; 396 s->state = SSL3_ST_CW_KEY_EXCH_A;
400 s->init_num=0; 397 s->init_num = 0;
401 398
402 break; 399 break;
403 400
@@ -405,16 +402,18 @@ int ssl3_connect(SSL *s)
405 case SSL3_ST_CW_CERT_B: 402 case SSL3_ST_CW_CERT_B:
406 case SSL3_ST_CW_CERT_C: 403 case SSL3_ST_CW_CERT_C:
407 case SSL3_ST_CW_CERT_D: 404 case SSL3_ST_CW_CERT_D:
408 ret=ssl3_send_client_certificate(s); 405 ret = ssl3_send_client_certificate(s);
409 if (ret <= 0) goto end; 406 if (ret <= 0)
410 s->state=SSL3_ST_CW_KEY_EXCH_A; 407 goto end;
411 s->init_num=0; 408 s->state = SSL3_ST_CW_KEY_EXCH_A;
409 s->init_num = 0;
412 break; 410 break;
413 411
414 case SSL3_ST_CW_KEY_EXCH_A: 412 case SSL3_ST_CW_KEY_EXCH_A:
415 case SSL3_ST_CW_KEY_EXCH_B: 413 case SSL3_ST_CW_KEY_EXCH_B:
416 ret=ssl3_send_client_key_exchange(s); 414 ret = ssl3_send_client_key_exchange(s);
417 if (ret <= 0) goto end; 415 if (ret <= 0)
416 goto end;
418 /* EAY EAY EAY need to check for DH fix cert 417 /* EAY EAY EAY need to check for DH fix cert
419 * sent back */ 418 * sent back */
420 /* For TLS, cert_req is set to 2, so a cert chain 419 /* For TLS, cert_req is set to 2, so a cert chain
@@ -426,170 +425,165 @@ int ssl3_connect(SSL *s)
426 * message when client's ECDH public key is sent 425 * message when client's ECDH public key is sent
427 * inside the client certificate. 426 * inside the client certificate.
428 */ 427 */
429 if (s->s3->tmp.cert_req == 1) 428 if (s->s3->tmp.cert_req == 1) {
430 { 429 s->state = SSL3_ST_CW_CERT_VRFY_A;
431 s->state=SSL3_ST_CW_CERT_VRFY_A; 430 } else {
432 } 431 s->state = SSL3_ST_CW_CHANGE_A;
433 else 432 s->s3->change_cipher_spec = 0;
434 { 433 }
435 s->state=SSL3_ST_CW_CHANGE_A; 434 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
436 s->s3->change_cipher_spec=0; 435 s->state = SSL3_ST_CW_CHANGE_A;
437 } 436 s->s3->change_cipher_spec = 0;
438 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 437 }
439 {
440 s->state=SSL3_ST_CW_CHANGE_A;
441 s->s3->change_cipher_spec=0;
442 }
443 438
444 s->init_num=0; 439 s->init_num = 0;
445 break; 440 break;
446 441
447 case SSL3_ST_CW_CERT_VRFY_A: 442 case SSL3_ST_CW_CERT_VRFY_A:
448 case SSL3_ST_CW_CERT_VRFY_B: 443 case SSL3_ST_CW_CERT_VRFY_B:
449 ret=ssl3_send_client_verify(s); 444 ret = ssl3_send_client_verify(s);
450 if (ret <= 0) goto end; 445 if (ret <= 0)
451 s->state=SSL3_ST_CW_CHANGE_A; 446 goto end;
452 s->init_num=0; 447 s->state = SSL3_ST_CW_CHANGE_A;
453 s->s3->change_cipher_spec=0; 448 s->init_num = 0;
449 s->s3->change_cipher_spec = 0;
454 break; 450 break;
455 451
456 case SSL3_ST_CW_CHANGE_A: 452 case SSL3_ST_CW_CHANGE_A:
457 case SSL3_ST_CW_CHANGE_B: 453 case SSL3_ST_CW_CHANGE_B:
458 ret=ssl3_send_change_cipher_spec(s, 454 ret = ssl3_send_change_cipher_spec(s,
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 455 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end; 456 if (ret <= 0)
457 goto end;
461 458
462#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 459#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
463 s->state=SSL3_ST_CW_FINISHED_A; 460 s->state = SSL3_ST_CW_FINISHED_A;
464#else 461#else
465 if (s->s3->next_proto_neg_seen) 462 if (s->s3->next_proto_neg_seen)
466 s->state=SSL3_ST_CW_NEXT_PROTO_A; 463 s->state = SSL3_ST_CW_NEXT_PROTO_A;
467 else 464 else
468 s->state=SSL3_ST_CW_FINISHED_A; 465 s->state = SSL3_ST_CW_FINISHED_A;
469#endif 466#endif
470 s->init_num=0; 467 s->init_num = 0;
471 468
472 s->session->cipher=s->s3->tmp.new_cipher; 469 s->session->cipher = s->s3->tmp.new_cipher;
473#ifdef OPENSSL_NO_COMP 470#ifdef OPENSSL_NO_COMP
474 s->session->compress_meth=0; 471 s->session->compress_meth = 0;
475#else 472#else
476 if (s->s3->tmp.new_compression == NULL) 473 if (s->s3->tmp.new_compression == NULL)
477 s->session->compress_meth=0; 474 s->session->compress_meth = 0;
478 else 475 else
479 s->session->compress_meth= 476 s->session->compress_meth =
480 s->s3->tmp.new_compression->id; 477 s->s3->tmp.new_compression->id;
481#endif 478#endif
482 if (!s->method->ssl3_enc->setup_key_block(s)) 479 if (!s->method->ssl3_enc->setup_key_block(s)) {
483 { 480 ret = -1;
484 ret= -1;
485 goto end; 481 goto end;
486 } 482 }
487 483
488 if (!s->method->ssl3_enc->change_cipher_state(s, 484 if (!s->method->ssl3_enc->change_cipher_state(s,
489 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 485 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
490 { 486 ret = -1;
491 ret= -1;
492 goto end; 487 goto end;
493 } 488 }
494 489
495 break; 490 break;
496 491
497#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 492#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
498 case SSL3_ST_CW_NEXT_PROTO_A: 493 case SSL3_ST_CW_NEXT_PROTO_A:
499 case SSL3_ST_CW_NEXT_PROTO_B: 494 case SSL3_ST_CW_NEXT_PROTO_B:
500 ret=ssl3_send_next_proto(s); 495 ret = ssl3_send_next_proto(s);
501 if (ret <= 0) goto end; 496 if (ret <= 0)
502 s->state=SSL3_ST_CW_FINISHED_A; 497 goto end;
498 s->state = SSL3_ST_CW_FINISHED_A;
503 break; 499 break;
504#endif 500#endif
505 501
506 case SSL3_ST_CW_FINISHED_A: 502 case SSL3_ST_CW_FINISHED_A:
507 case SSL3_ST_CW_FINISHED_B: 503 case SSL3_ST_CW_FINISHED_B:
508 ret=ssl3_send_finished(s, 504 ret = ssl3_send_finished(s,
509 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 505 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
510 s->method->ssl3_enc->client_finished_label, 506 s->method->ssl3_enc->client_finished_label,
511 s->method->ssl3_enc->client_finished_label_len); 507 s->method->ssl3_enc->client_finished_label_len);
512 if (ret <= 0) goto end; 508 if (ret <= 0)
513 s->state=SSL3_ST_CW_FLUSH; 509 goto end;
510 s->state = SSL3_ST_CW_FLUSH;
514 511
515 /* clear flags */ 512 /* clear flags */
516 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 513 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
517 if (s->hit) 514 if (s->hit) {
518 { 515 s->s3->tmp.next_state = SSL_ST_OK;
519 s->s3->tmp.next_state=SSL_ST_OK; 516 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
520 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 517 s->state = SSL_ST_OK;
521 {
522 s->state=SSL_ST_OK;
523 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 518 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
524 s->s3->delay_buf_pop_ret=0; 519 s->s3->delay_buf_pop_ret = 0;
525 }
526 } 520 }
527 else 521 } else {
528 {
529#ifndef OPENSSL_NO_TLSEXT 522#ifndef OPENSSL_NO_TLSEXT
530 /* Allow NewSessionTicket if ticket expected */ 523 /* Allow NewSessionTicket if ticket expected */
531 if (s->tlsext_ticket_expected) 524 if (s->tlsext_ticket_expected)
532 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 525 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
533 else 526 else
534#endif 527#endif
535 528
536 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 529 s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
537 } 530 }
538 s->init_num=0; 531 s->init_num = 0;
539 break; 532 break;
540 533
541#ifndef OPENSSL_NO_TLSEXT 534#ifndef OPENSSL_NO_TLSEXT
542 case SSL3_ST_CR_SESSION_TICKET_A: 535 case SSL3_ST_CR_SESSION_TICKET_A:
543 case SSL3_ST_CR_SESSION_TICKET_B: 536 case SSL3_ST_CR_SESSION_TICKET_B:
544 ret=ssl3_get_new_session_ticket(s); 537 ret = ssl3_get_new_session_ticket(s);
545 if (ret <= 0) goto end; 538 if (ret <= 0)
546 s->state=SSL3_ST_CR_FINISHED_A; 539 goto end;
547 s->init_num=0; 540 s->state = SSL3_ST_CR_FINISHED_A;
548 break; 541 s->init_num = 0;
542 break;
549 543
550 case SSL3_ST_CR_CERT_STATUS_A: 544 case SSL3_ST_CR_CERT_STATUS_A:
551 case SSL3_ST_CR_CERT_STATUS_B: 545 case SSL3_ST_CR_CERT_STATUS_B:
552 ret=ssl3_get_cert_status(s); 546 ret = ssl3_get_cert_status(s);
553 if (ret <= 0) goto end; 547 if (ret <= 0)
554 s->state=SSL3_ST_CR_KEY_EXCH_A; 548 goto end;
555 s->init_num=0; 549 s->state = SSL3_ST_CR_KEY_EXCH_A;
556 break; 550 s->init_num = 0;
551 break;
557#endif 552#endif
558 553
559 case SSL3_ST_CR_FINISHED_A: 554 case SSL3_ST_CR_FINISHED_A:
560 case SSL3_ST_CR_FINISHED_B: 555 case SSL3_ST_CR_FINISHED_B:
561 556
562 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 557 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
563 SSL3_ST_CR_FINISHED_B); 558 SSL3_ST_CR_FINISHED_B);
564 if (ret <= 0) goto end; 559 if (ret <= 0)
560 goto end;
565 561
566 if (s->hit) 562 if (s->hit)
567 s->state=SSL3_ST_CW_CHANGE_A; 563 s->state = SSL3_ST_CW_CHANGE_A;
568 else 564 else
569 s->state=SSL_ST_OK; 565 s->state = SSL_ST_OK;
570 s->init_num=0; 566 s->init_num = 0;
571 break; 567 break;
572 568
573 case SSL3_ST_CW_FLUSH: 569 case SSL3_ST_CW_FLUSH:
574 s->rwstate=SSL_WRITING; 570 s->rwstate = SSL_WRITING;
575 if (BIO_flush(s->wbio) <= 0) 571 if (BIO_flush(s->wbio) <= 0) {
576 { 572 ret = -1;
577 ret= -1;
578 goto end; 573 goto end;
579 } 574 }
580 s->rwstate=SSL_NOTHING; 575 s->rwstate = SSL_NOTHING;
581 s->state=s->s3->tmp.next_state; 576 s->state = s->s3->tmp.next_state;
582 break; 577 break;
583 578
584 case SSL_ST_OK: 579 case SSL_ST_OK:
585 /* clean a few things up */ 580 /* clean a few things up */
586 ssl3_cleanup_key_block(s); 581 ssl3_cleanup_key_block(s);
587 582
588 if (s->init_buf != NULL) 583 if (s->init_buf != NULL) {
589 {
590 BUF_MEM_free(s->init_buf); 584 BUF_MEM_free(s->init_buf);
591 s->init_buf=NULL; 585 s->init_buf = NULL;
592 } 586 }
593 587
594 /* If we are not 'joining' the last two packets, 588 /* If we are not 'joining' the last two packets,
595 * remove the buffering now */ 589 * remove the buffering now */
@@ -597,63 +591,63 @@ int ssl3_connect(SSL *s)
597 ssl_free_wbio_buffer(s); 591 ssl_free_wbio_buffer(s);
598 /* else do it later in ssl3_write */ 592 /* else do it later in ssl3_write */
599 593
600 s->init_num=0; 594 s->init_num = 0;
601 s->renegotiate=0; 595 s->renegotiate = 0;
602 s->new_session=0; 596 s->new_session = 0;
603 597
604 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 598 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
605 if (s->hit) s->ctx->stats.sess_hit++; 599 if (s->hit)
600 s->ctx->stats.sess_hit++;
606 601
607 ret=1; 602 ret = 1;
608 /* s->server=0; */ 603 /* s->server=0; */
609 s->handshake_func=ssl3_connect; 604 s->handshake_func = ssl3_connect;
610 s->ctx->stats.sess_connect_good++; 605 s->ctx->stats.sess_connect_good++;
611 606
612 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 607 if (cb != NULL)
608 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
613 609
614 goto end; 610 goto end;
615 /* break; */ 611 /* break; */
616 612
617 default: 613 default:
618 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 614 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE);
619 ret= -1; 615 ret = -1;
620 goto end; 616 goto end;
621 /* break; */ 617 /* break; */
622 } 618 }
623 619
624 /* did we do anything */ 620 /* did we do anything */
625 if (!s->s3->tmp.reuse_message && !skip) 621 if (!s->s3->tmp.reuse_message && !skip) {
626 { 622 if (s->debug) {
627 if (s->debug) 623 if ((ret = BIO_flush(s->wbio)) <= 0)
628 {
629 if ((ret=BIO_flush(s->wbio)) <= 0)
630 goto end; 624 goto end;
631 } 625 }
632 626
633 if ((cb != NULL) && (s->state != state)) 627 if ((cb != NULL) && (s->state != state)) {
634 { 628 new_state = s->state;
635 new_state=s->state; 629 s->state = state;
636 s->state=state; 630 cb(s, SSL_CB_CONNECT_LOOP, 1);
637 cb(s,SSL_CB_CONNECT_LOOP,1); 631 s->state = new_state;
638 s->state=new_state;
639 }
640 } 632 }
641 skip=0;
642 } 633 }
634 skip = 0;
635 }
643end: 636end:
644 s->in_handshake--; 637 s->in_handshake--;
645 if (buf != NULL) 638 if (buf != NULL)
646 BUF_MEM_free(buf); 639 BUF_MEM_free(buf);
647 if (cb != NULL) 640 if (cb != NULL)
648 cb(s,SSL_CB_CONNECT_EXIT,ret); 641 cb(s, SSL_CB_CONNECT_EXIT, ret);
649 return(ret); 642 return (ret);
650 } 643}
651 644
652 645
653int ssl3_client_hello(SSL *s) 646int
654 { 647ssl3_client_hello(SSL *s)
648{
655 unsigned char *buf; 649 unsigned char *buf;
656 unsigned char *p,*d; 650 unsigned char *p, *d;
657 int i; 651 int i;
658 unsigned long l; 652 unsigned long l;
659#ifndef OPENSSL_NO_COMP 653#ifndef OPENSSL_NO_COMP
@@ -661,31 +655,29 @@ int ssl3_client_hello(SSL *s)
661 SSL_COMP *comp; 655 SSL_COMP *comp;
662#endif 656#endif
663 657
664 buf=(unsigned char *)s->init_buf->data; 658 buf = (unsigned char *)s->init_buf->data;
665 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 659 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
666 {
667 SSL_SESSION *sess = s->session; 660 SSL_SESSION *sess = s->session;
668 if ((sess == NULL) || 661 if ((sess == NULL) ||
669 (sess->ssl_version != s->version) || 662 (sess->ssl_version != s->version) ||
670#ifdef OPENSSL_NO_TLSEXT 663#ifdef OPENSSL_NO_TLSEXT
671 !sess->session_id_length || 664 !sess->session_id_length ||
672#else 665#else
673 (!sess->session_id_length && !sess->tlsext_tick) || 666 (!sess->session_id_length && !sess->tlsext_tick) ||
674#endif 667#endif
675 (sess->not_resumable)) 668 (sess->not_resumable)) {
676 { 669 if (!ssl_get_new_session(s, 0))
677 if (!ssl_get_new_session(s,0))
678 goto err; 670 goto err;
679 } 671 }
680 /* else use the pre-loaded session */ 672 /* else use the pre-loaded session */
681 673
682 p=s->s3->client_random; 674 p = s->s3->client_random;
683 675
684 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 676 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
685 goto err; 677 goto err;
686 678
687 /* Do the message type and length last */ 679 /* Do the message type and length last */
688 d=p= &(buf[4]); 680 d = p= &(buf[4]);
689 681
690 /* version indicates the negotiated version: for example from 682 /* version indicates the negotiated version: for example from
691 * an SSLv2/v3 compatible client hello). The client_version 683 * an SSLv2/v3 compatible client hello). The client_version
@@ -717,562 +709,510 @@ int ssl3_client_hello(SSL *s)
717 * the negotiated version. 709 * the negotiated version.
718 */ 710 */
719#if 0 711#if 0
720 *(p++)=s->version>>8; 712 *(p++) = s->version >> 8;
721 *(p++)=s->version&0xff; 713 *(p++) = s->version&0xff;
722 s->client_version=s->version; 714 s->client_version = s->version;
723#else 715#else
724 *(p++)=s->client_version>>8; 716 *(p++) = s->client_version >> 8;
725 *(p++)=s->client_version&0xff; 717 *(p++) = s->client_version&0xff;
726#endif 718#endif
727 719
728 /* Random stuff */ 720 /* Random stuff */
729 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 721 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
730 p+=SSL3_RANDOM_SIZE; 722 p += SSL3_RANDOM_SIZE;
731 723
732 /* Session ID */ 724 /* Session ID */
733 if (s->new_session) 725 if (s->new_session)
734 i=0; 726 i = 0;
735 else 727 else
736 i=s->session->session_id_length; 728 i = s->session->session_id_length;
737 *(p++)=i; 729 *(p++) = i;
738 if (i != 0) 730 if (i != 0) {
739 { 731 if (i > (int)sizeof(s->session->session_id)) {
740 if (i > (int)sizeof(s->session->session_id))
741 {
742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 732 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
743 goto err; 733 goto err;
744 }
745 memcpy(p,s->session->session_id,i);
746 p+=i;
747 } 734 }
748 735 memcpy(p, s->session->session_id, i);
736 p += i;
737 }
738
749 /* Ciphers supported */ 739 /* Ciphers supported */
750 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 740 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0);
751 if (i == 0) 741 if (i == 0) {
752 { 742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
753 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
754 goto err; 743 goto err;
755 } 744 }
756#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 745#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
757 /* Some servers hang if client hello > 256 bytes 746 /* Some servers hang if client hello > 256 bytes
758 * as hack workaround chop number of supported ciphers 747 * as hack workaround chop number of supported ciphers
759 * to keep it well below this if we use TLS v1.2 748 * to keep it well below this if we use TLS v1.2
760 */ 749 */
761 if (TLS1_get_version(s) >= TLS1_2_VERSION 750 if (TLS1_get_version(s) >= TLS1_2_VERSION &&
762 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 751 i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
763 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 752 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
764#endif 753#endif
765 s2n(i,p); 754 s2n(i, p);
766 p+=i; 755 p += i;
767 756
768 /* COMPRESSION */ 757 /* COMPRESSION */
769#ifdef OPENSSL_NO_COMP 758#ifdef OPENSSL_NO_COMP
770 *(p++)=1; 759 *(p++) = 1;
771#else 760#else
772 761
773 if ((s->options & SSL_OP_NO_COMPRESSION) 762 if ((s->options & SSL_OP_NO_COMPRESSION) ||
774 || !s->ctx->comp_methods) 763 !s->ctx->comp_methods)
775 j=0; 764 j = 0;
776 else 765 else
777 j=sk_SSL_COMP_num(s->ctx->comp_methods); 766 j = sk_SSL_COMP_num(s->ctx->comp_methods);
778 *(p++)=1+j; 767 *(p++) = 1 + j;
779 for (i=0; i<j; i++) 768 for (i = 0; i < j; i++) {
780 { 769 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
781 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 770 *(p++) = comp->id;
782 *(p++)=comp->id; 771 }
783 }
784#endif 772#endif
785 *(p++)=0; /* Add the NULL method */ 773 *(p++) = 0; /* Add the NULL method */
786 774
787#ifndef OPENSSL_NO_TLSEXT 775#ifndef OPENSSL_NO_TLSEXT
788 /* TLS extensions*/ 776 /* TLS extensions*/
789 if (ssl_prepare_clienthello_tlsext(s) <= 0) 777 if (ssl_prepare_clienthello_tlsext(s) <= 0) {
790 { 778 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
791 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
792 goto err; 779 goto err;
793 } 780 }
794 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 781 if ((p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
795 { 782 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
796 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
797 goto err; 783 goto err;
798 } 784 }
799#endif 785#endif
800
801 l=(p-d);
802 d=buf;
803 *(d++)=SSL3_MT_CLIENT_HELLO;
804 l2n3(l,d);
805 786
806 s->state=SSL3_ST_CW_CLNT_HELLO_B; 787 l = (p - d);
788 d = buf;
789 *(d++) = SSL3_MT_CLIENT_HELLO;
790 l2n3(l, d);
791
792 s->state = SSL3_ST_CW_CLNT_HELLO_B;
807 /* number of bytes to write */ 793 /* number of bytes to write */
808 s->init_num=p-buf; 794 s->init_num = p - buf;
809 s->init_off=0; 795 s->init_off = 0;
810 } 796 }
811 797
812 /* SSL3_ST_CW_CLNT_HELLO_B */ 798 /* SSL3_ST_CW_CLNT_HELLO_B */
813 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 799 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
814err: 800err:
815 return(-1); 801 return (-1);
816 } 802}
817 803
818int ssl3_get_server_hello(SSL *s) 804int
819 { 805ssl3_get_server_hello(SSL *s)
806{
820 STACK_OF(SSL_CIPHER) *sk; 807 STACK_OF(SSL_CIPHER) *sk;
821 const SSL_CIPHER *c; 808 const SSL_CIPHER *c;
822 unsigned char *p,*d; 809 unsigned char *p, *d;
823 int i,al,ok; 810 int i, al, ok;
824 unsigned int j; 811 unsigned int j;
825 long n; 812 long n;
826#ifndef OPENSSL_NO_COMP 813#ifndef OPENSSL_NO_COMP
827 SSL_COMP *comp; 814 SSL_COMP *comp;
828#endif 815#endif
829 816
830 n=s->method->ssl_get_message(s, 817 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
831 SSL3_ST_CR_SRVR_HELLO_A, 818 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
832 SSL3_ST_CR_SRVR_HELLO_B,
833 -1,
834 20000, /* ?? */
835 &ok);
836 819
837 if (!ok) return((int)n); 820 if (!ok)
821 return ((int)n);
838 822
839 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 823 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) {
840 { 824 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
841 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 825 if (s->d1->send_cookie == 0) {
842 {
843 if ( s->d1->send_cookie == 0)
844 {
845 s->s3->tmp.reuse_message = 1; 826 s->s3->tmp.reuse_message = 1;
846 return 1; 827 return 1;
847 } 828 }
848 else /* already sent a cookie */ 829 else /* already sent a cookie */
849 { 830 {
850 al=SSL_AD_UNEXPECTED_MESSAGE; 831 al = SSL_AD_UNEXPECTED_MESSAGE;
851 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 832 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
852 goto f_err; 833 goto f_err;
853 }
854 } 834 }
855 } 835 }
856 836 }
857 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 837
858 { 838 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
859 al=SSL_AD_UNEXPECTED_MESSAGE; 839 al = SSL_AD_UNEXPECTED_MESSAGE;
860 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 840 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
861 goto f_err; 841 goto f_err;
862 } 842 }
863 843
864 d=p=(unsigned char *)s->init_msg; 844 d = p=(unsigned char *)s->init_msg;
865 845
866 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 846 if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
867 { 847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
868 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 848 s->version = (s->version&0xff00)|p[1];
869 s->version=(s->version&0xff00)|p[1]; 849 al = SSL_AD_PROTOCOL_VERSION;
870 al=SSL_AD_PROTOCOL_VERSION;
871 goto f_err; 850 goto f_err;
872 } 851 }
873 p+=2; 852 p += 2;
874 853
875 /* load the server hello data */ 854 /* load the server hello data */
876 /* load the server random */ 855 /* load the server random */
877 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 856 memcpy(s->s3->server_random, p, SSL3_RANDOM_SIZE);
878 p+=SSL3_RANDOM_SIZE; 857 p += SSL3_RANDOM_SIZE;
879 858
880 /* get the session-id */ 859 /* get the session-id */
881 j= *(p++); 860 j= *(p++);
882 861
883 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 862 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) {
884 { 863 al = SSL_AD_ILLEGAL_PARAMETER;
885 al=SSL_AD_ILLEGAL_PARAMETER; 864 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
886 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
887 goto f_err; 865 goto f_err;
888 } 866 }
889 867
890#ifndef OPENSSL_NO_TLSEXT 868#ifndef OPENSSL_NO_TLSEXT
891 /* check if we want to resume the session based on external pre-shared secret */ 869 /* check if we want to resume the session based on external pre-shared secret */
892 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 870 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
893 { 871 SSL_CIPHER *pref_cipher = NULL;
894 SSL_CIPHER *pref_cipher=NULL; 872 s->session->master_key_length = sizeof(s->session->master_key);
895 s->session->master_key_length=sizeof(s->session->master_key);
896 if (s->tls_session_secret_cb(s, s->session->master_key, 873 if (s->tls_session_secret_cb(s, s->session->master_key,
897 &s->session->master_key_length, 874 &s->session->master_key_length, NULL, &pref_cipher,
898 NULL, &pref_cipher, 875 s->tls_session_secret_cb_arg)) {
899 s->tls_session_secret_cb_arg))
900 {
901 s->session->cipher = pref_cipher ? 876 s->session->cipher = pref_cipher ?
902 pref_cipher : ssl_get_cipher_by_char(s, p+j); 877 pref_cipher : ssl_get_cipher_by_char(s, p + j);
903 }
904 } 878 }
879 }
905#endif /* OPENSSL_NO_TLSEXT */ 880#endif /* OPENSSL_NO_TLSEXT */
906 881
907 if (j != 0 && j == s->session->session_id_length 882 if (j != 0 && j == s->session->session_id_length &&
908 && memcmp(p,s->session->session_id,j) == 0) 883 memcmp(p, s->session->session_id, j) == 0) {
909 { 884 if (s->sid_ctx_length != s->session->sid_ctx_length ||
910 if(s->sid_ctx_length != s->session->sid_ctx_length 885 memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
911 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 886 /* actually a client application bug */
912 { 887 al = SSL_AD_ILLEGAL_PARAMETER;
913 /* actually a client application bug */ 888 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
914 al=SSL_AD_ILLEGAL_PARAMETER; 889 goto f_err;
915 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
916 goto f_err;
917 } 890 }
918 s->hit=1; 891 s->hit = 1;
919 } 892 }
920 else /* a miss or crap from the other end */ 893 else /* a miss or crap from the other end */
921 { 894 {
922 /* If we were trying for session-id reuse, make a new 895 /* If we were trying for session-id reuse, make a new
923 * SSL_SESSION so we don't stuff up other people */ 896 * SSL_SESSION so we don't stuff up other people */
924 s->hit=0; 897 s->hit = 0;
925 if (s->session->session_id_length > 0) 898 if (s->session->session_id_length > 0) {
926 { 899 if (!ssl_get_new_session(s, 0)) {
927 if (!ssl_get_new_session(s,0)) 900 al = SSL_AD_INTERNAL_ERROR;
928 {
929 al=SSL_AD_INTERNAL_ERROR;
930 goto f_err; 901 goto f_err;
931 }
932 } 902 }
933 s->session->session_id_length=j;
934 memcpy(s->session->session_id,p,j); /* j could be 0 */
935 } 903 }
936 p+=j; 904 s->session->session_id_length = j;
937 c=ssl_get_cipher_by_char(s,p); 905 memcpy(s->session->session_id,p,j); /* j could be 0 */
938 if (c == NULL) 906 }
939 { 907 p += j;
908 c = ssl_get_cipher_by_char(s, p);
909 if (c == NULL) {
940 /* unknown cipher */ 910 /* unknown cipher */
941 al=SSL_AD_ILLEGAL_PARAMETER; 911 al = SSL_AD_ILLEGAL_PARAMETER;
942 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 912 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
943 goto f_err; 913 goto f_err;
944 } 914 }
945 /* TLS v1.2 only ciphersuites require v1.2 or later */ 915 /* TLS v1.2 only ciphersuites require v1.2 or later */
946 if ((c->algorithm_ssl & SSL_TLSV1_2) && 916 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
947 (TLS1_get_version(s) < TLS1_2_VERSION)) 917 (TLS1_get_version(s) < TLS1_2_VERSION)) {
948 { 918 al = SSL_AD_ILLEGAL_PARAMETER;
949 al=SSL_AD_ILLEGAL_PARAMETER; 919 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
950 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
951 goto f_err; 920 goto f_err;
952 } 921 }
953 p+=ssl_put_cipher_by_char(s,NULL,NULL); 922 p += ssl_put_cipher_by_char(s, NULL, NULL);
954 923
955 sk=ssl_get_ciphers_by_id(s); 924 sk = ssl_get_ciphers_by_id(s);
956 i=sk_SSL_CIPHER_find(sk,c); 925 i = sk_SSL_CIPHER_find(sk, c);
957 if (i < 0) 926 if (i < 0) {
958 {
959 /* we did not say we would use this cipher */ 927 /* we did not say we would use this cipher */
960 al=SSL_AD_ILLEGAL_PARAMETER; 928 al = SSL_AD_ILLEGAL_PARAMETER;
961 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 929 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
962 goto f_err; 930 goto f_err;
963 } 931 }
964 932
965 /* Depending on the session caching (internal/external), the cipher 933 /* Depending on the session caching (internal/external), the cipher
966 and/or cipher_id values may not be set. Make sure that 934 and/or cipher_id values may not be set. Make sure that
967 cipher_id is set and use it for comparison. */ 935 cipher_id is set and use it for comparison. */
968 if (s->session->cipher) 936 if (s->session->cipher)
969 s->session->cipher_id = s->session->cipher->id; 937 s->session->cipher_id = s->session->cipher->id;
970 if (s->hit && (s->session->cipher_id != c->id)) 938 if (s->hit && (s->session->cipher_id != c->id)) {
971 {
972/* Workaround is now obsolete */ 939/* Workaround is now obsolete */
973#if 0 940#if 0
974 if (!(s->options & 941 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
975 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
976#endif 942#endif
977 { 943 {
978 al=SSL_AD_ILLEGAL_PARAMETER; 944 al = SSL_AD_ILLEGAL_PARAMETER;
979 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 945 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
980 goto f_err; 946 goto f_err;
981 }
982 } 947 }
983 s->s3->tmp.new_cipher=c; 948 }
949 s->s3->tmp.new_cipher = c;
984 /* Don't digest cached records if TLS v1.2: we may need them for 950 /* Don't digest cached records if TLS v1.2: we may need them for
985 * client authentication. 951 * client authentication.
986 */ 952 */
987 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 953 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) {
988 {
989 al = SSL_AD_INTERNAL_ERROR; 954 al = SSL_AD_INTERNAL_ERROR;
990 goto f_err; 955 goto f_err;
991 } 956 }
992 /* lets get the compression algorithm */ 957 /* lets get the compression algorithm */
993 /* COMPRESSION */ 958 /* COMPRESSION */
994#ifdef OPENSSL_NO_COMP 959#ifdef OPENSSL_NO_COMP
995 if (*(p++) != 0) 960 if (*(p++) != 0) {
996 { 961 al = SSL_AD_ILLEGAL_PARAMETER;
997 al=SSL_AD_ILLEGAL_PARAMETER; 962 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
998 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
999 goto f_err; 963 goto f_err;
1000 } 964 }
1001 /* If compression is disabled we'd better not try to resume a session 965 /* If compression is disabled we'd better not try to resume a session
1002 * using compression. 966 * using compression.
1003 */ 967 */
1004 if (s->session->compress_meth != 0) 968 if (s->session->compress_meth != 0) {
1005 { 969 al = SSL_AD_INTERNAL_ERROR;
1006 al=SSL_AD_INTERNAL_ERROR; 970 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1007 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1008 goto f_err; 971 goto f_err;
1009 } 972 }
1010#else 973#else
1011 j= *(p++); 974 j= *(p++);
1012 if (s->hit && j != s->session->compress_meth) 975 if (s->hit && j != s->session->compress_meth) {
1013 { 976 al = SSL_AD_ILLEGAL_PARAMETER;
1014 al=SSL_AD_ILLEGAL_PARAMETER; 977 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1015 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1016 goto f_err; 978 goto f_err;
1017 } 979 }
1018 if (j == 0) 980 if (j == 0)
1019 comp=NULL; 981 comp = NULL;
1020 else if (s->options & SSL_OP_NO_COMPRESSION) 982 else if (s->options & SSL_OP_NO_COMPRESSION) {
1021 { 983 al = SSL_AD_ILLEGAL_PARAMETER;
1022 al=SSL_AD_ILLEGAL_PARAMETER; 984 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
1023 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
1024 goto f_err; 985 goto f_err;
1025 } 986 } else
1026 else 987 comp = ssl3_comp_find(s->ctx->comp_methods, j);
1027 comp=ssl3_comp_find(s->ctx->comp_methods,j); 988
1028 989 if ((j != 0) && (comp == NULL)) {
1029 if ((j != 0) && (comp == NULL)) 990 al = SSL_AD_ILLEGAL_PARAMETER;
1030 { 991 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1031 al=SSL_AD_ILLEGAL_PARAMETER;
1032 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1033 goto f_err; 992 goto f_err;
1034 } 993 } else {
1035 else 994 s->s3->tmp.new_compression = comp;
1036 { 995 }
1037 s->s3->tmp.new_compression=comp;
1038 }
1039#endif 996#endif
1040 997
1041#ifndef OPENSSL_NO_TLSEXT 998#ifndef OPENSSL_NO_TLSEXT
1042 /* TLS extensions*/ 999 /* TLS extensions*/
1043 if (s->version >= SSL3_VERSION) 1000 if (s->version >= SSL3_VERSION) {
1044 { 1001 if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
1045 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
1046 {
1047 /* 'al' set by ssl_parse_serverhello_tlsext */ 1002 /* 'al' set by ssl_parse_serverhello_tlsext */
1048 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1003 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
1049 goto f_err; 1004 goto f_err;
1050 } 1005
1051 if (ssl_check_serverhello_tlsext(s) <= 0)
1052 {
1053 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1054 goto err;
1055 }
1056 } 1006 }
1007 if (ssl_check_serverhello_tlsext(s) <= 0) {
1008 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1009 goto err;
1010 }
1011 }
1057#endif 1012#endif
1058 1013
1059 if (p != (d+n)) 1014 if (p != (d + n)) {
1060 {
1061 /* wrong packet length */ 1015 /* wrong packet length */
1062 al=SSL_AD_DECODE_ERROR; 1016 al = SSL_AD_DECODE_ERROR;
1063 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1017 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
1064 goto f_err; 1018 goto f_err;
1065 } 1019 }
1066 1020
1067 return(1); 1021 return (1);
1068f_err: 1022f_err:
1069 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1023 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1070err: 1024err:
1071 return(-1); 1025 return (-1);
1072 } 1026}
1073 1027
1074int ssl3_get_server_certificate(SSL *s) 1028int
1075 { 1029ssl3_get_server_certificate(SSL *s)
1076 int al,i,ok,ret= -1; 1030{
1077 unsigned long n,nc,llen,l; 1031 int al, i, ok, ret = -1;
1078 X509 *x=NULL; 1032 unsigned long n, nc, llen, l;
1079 const unsigned char *q,*p; 1033 X509 *x = NULL;
1034 const unsigned char *q, *p;
1080 unsigned char *d; 1035 unsigned char *d;
1081 STACK_OF(X509) *sk=NULL; 1036 STACK_OF(X509) *sk = NULL;
1082 SESS_CERT *sc; 1037 SESS_CERT *sc;
1083 EVP_PKEY *pkey=NULL; 1038 EVP_PKEY *pkey = NULL;
1084 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1039 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
1085 1040
1086 n=s->method->ssl_get_message(s, 1041 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
1087 SSL3_ST_CR_CERT_A, 1042 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
1088 SSL3_ST_CR_CERT_B,
1089 -1,
1090 s->max_cert_list,
1091 &ok);
1092 1043
1093 if (!ok) return((int)n); 1044 if (!ok)
1045 return ((int)n);
1094 1046
1095 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1047 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1096 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1048 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1097 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 1049 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
1098 { 1050 s->s3->tmp.reuse_message = 1;
1099 s->s3->tmp.reuse_message=1; 1051 return (1);
1100 return(1); 1052 }
1101 }
1102 1053
1103 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 1054 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
1104 { 1055 al = SSL_AD_UNEXPECTED_MESSAGE;
1105 al=SSL_AD_UNEXPECTED_MESSAGE; 1056 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE);
1106 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
1107 goto f_err; 1057 goto f_err;
1108 } 1058 }
1109 p=d=(unsigned char *)s->init_msg; 1059 p = d = (unsigned char *)s->init_msg;
1110 1060
1111 if ((sk=sk_X509_new_null()) == NULL) 1061 if ((sk = sk_X509_new_null()) == NULL) {
1112 { 1062 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1113 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1114 goto err; 1063 goto err;
1115 } 1064 }
1116 1065
1117 n2l3(p,llen); 1066 n2l3(p, llen);
1118 if (llen+3 != n) 1067 if (llen + 3 != n) {
1119 { 1068 al = SSL_AD_DECODE_ERROR;
1120 al=SSL_AD_DECODE_ERROR; 1069 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
1121 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1122 goto f_err; 1070 goto f_err;
1123 } 1071 }
1124 for (nc=0; nc<llen; ) 1072 for (nc = 0; nc < llen; ) {
1125 { 1073 n2l3(p, l);
1126 n2l3(p,l); 1074 if ((l + nc + 3) > llen) {
1127 if ((l+nc+3) > llen) 1075 al = SSL_AD_DECODE_ERROR;
1128 { 1076 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1129 al=SSL_AD_DECODE_ERROR;
1130 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1131 goto f_err; 1077 goto f_err;
1132 } 1078 }
1133 1079
1134 q=p; 1080 q = p;
1135 x=d2i_X509(NULL,&q,l); 1081 x = d2i_X509(NULL, &q, l);
1136 if (x == NULL) 1082 if (x == NULL) {
1137 { 1083 al = SSL_AD_BAD_CERTIFICATE;
1138 al=SSL_AD_BAD_CERTIFICATE; 1084 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1139 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
1140 goto f_err; 1085 goto f_err;
1141 } 1086 }
1142 if (q != (p+l)) 1087 if (q != (p + l)) {
1143 { 1088 al = SSL_AD_DECODE_ERROR;
1144 al=SSL_AD_DECODE_ERROR; 1089 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1145 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1146 goto f_err; 1090 goto f_err;
1147 } 1091 }
1148 if (!sk_X509_push(sk,x)) 1092 if (!sk_X509_push(sk, x)) {
1149 { 1093 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1150 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1151 goto err; 1094 goto err;
1152 }
1153 x=NULL;
1154 nc+=l+3;
1155 p=q;
1156 } 1095 }
1096 x = NULL;
1097 nc += l + 3;
1098 p = q;
1099 }
1157 1100
1158 i=ssl_verify_cert_chain(s,sk); 1101 i = ssl_verify_cert_chain(s, sk);
1159 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1102 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1160#ifndef OPENSSL_NO_KRB5 1103#ifndef OPENSSL_NO_KRB5
1161 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1104 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1162 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1105 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1163#endif /* OPENSSL_NO_KRB5 */ 1106#endif /* OPENSSL_NO_KRB5 */
1164 ) 1107 ) {
1165 { 1108 al = ssl_verify_alarm_type(s->verify_result);
1166 al=ssl_verify_alarm_type(s->verify_result); 1109 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED);
1167 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1110 goto f_err;
1168 goto f_err; 1111
1169 } 1112 }
1170 ERR_clear_error(); /* but we keep s->verify_result */ 1113 ERR_clear_error(); /* but we keep s->verify_result */
1171 1114
1172 sc=ssl_sess_cert_new(); 1115 sc = ssl_sess_cert_new();
1173 if (sc == NULL) goto err; 1116 if (sc == NULL)
1117 goto err;
1174 1118
1175 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1119 if (s->session->sess_cert)
1176 s->session->sess_cert=sc; 1120 ssl_sess_cert_free(s->session->sess_cert);
1121 s->session->sess_cert = sc;
1177 1122
1178 sc->cert_chain=sk; 1123 sc->cert_chain = sk;
1179 /* Inconsistency alert: cert_chain does include the peer's 1124 /* Inconsistency alert: cert_chain does include the peer's
1180 * certificate, which we don't include in s3_srvr.c */ 1125 * certificate, which we don't include in s3_srvr.c */
1181 x=sk_X509_value(sk,0); 1126 x = sk_X509_value(sk, 0);
1182 sk=NULL; 1127 sk = NULL;
1183 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1128 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1184 1129
1185 pkey=X509_get_pubkey(x); 1130 pkey = X509_get_pubkey(x);
1186 1131
1187 /* VRS: allow null cert if auth == KRB5 */ 1132 /* VRS: allow null cert if auth == KRB5 */
1188 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1133 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1189 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1134 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1190 ? 0 : 1; 1135 ? 0 : 1;
1191 1136
1192#ifdef KSSL_DEBUG 1137#ifdef KSSL_DEBUG
1193 printf("pkey,x = %p, %p\n", pkey,x); 1138 printf("pkey, x = %p, %p\n", pkey, x);
1194 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1139 printf("ssl_cert_type(x, pkey) = %d\n", ssl_cert_type(x, pkey));
1195 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1140 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1196 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1141 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1197#endif /* KSSL_DEBUG */ 1142#endif /* KSSL_DEBUG */
1198 1143
1199 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1144 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) {
1200 { 1145 x = NULL;
1201 x=NULL; 1146 al = SSL3_AL_FATAL;
1202 al=SSL3_AL_FATAL;
1203 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1147 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1204 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1148 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1205 goto f_err; 1149 goto f_err;
1206 } 1150 }
1207 1151
1208 i=ssl_cert_type(x,pkey); 1152 i = ssl_cert_type(x, pkey);
1209 if (need_cert && i < 0) 1153 if (need_cert && i < 0) {
1210 { 1154 x = NULL;
1211 x=NULL; 1155 al = SSL3_AL_FATAL;
1212 al=SSL3_AL_FATAL;
1213 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1156 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1214 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1157 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1215 goto f_err; 1158 goto f_err;
1216 } 1159 }
1217 1160
1218 if (need_cert) 1161 if (need_cert) {
1219 { 1162 sc->peer_cert_type = i;
1220 sc->peer_cert_type=i; 1163 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1221 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1222 /* Why would the following ever happen? 1164 /* Why would the following ever happen?
1223 * We just created sc a couple of lines ago. */ 1165 * We just created sc a couple of lines ago. */
1224 if (sc->peer_pkeys[i].x509 != NULL) 1166 if (sc->peer_pkeys[i].x509 != NULL)
1225 X509_free(sc->peer_pkeys[i].x509); 1167 X509_free(sc->peer_pkeys[i].x509);
1226 sc->peer_pkeys[i].x509=x; 1168 sc->peer_pkeys[i].x509 = x;
1227 sc->peer_key= &(sc->peer_pkeys[i]); 1169 sc->peer_key = &(sc->peer_pkeys[i]);
1228 1170
1229 if (s->session->peer != NULL) 1171 if (s->session->peer != NULL)
1230 X509_free(s->session->peer); 1172 X509_free(s->session->peer);
1231 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1173 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1232 s->session->peer=x; 1174 s->session->peer = x;
1233 } 1175 } else {
1234 else 1176 sc->peer_cert_type = i;
1235 { 1177 sc->peer_key = NULL;
1236 sc->peer_cert_type=i;
1237 sc->peer_key= NULL;
1238 1178
1239 if (s->session->peer != NULL) 1179 if (s->session->peer != NULL)
1240 X509_free(s->session->peer); 1180 X509_free(s->session->peer);
1241 s->session->peer=NULL; 1181 s->session->peer = NULL;
1242 } 1182 }
1243 s->session->verify_result = s->verify_result; 1183 s->session->verify_result = s->verify_result;
1244 1184
1245 x=NULL; 1185 x = NULL;
1246 ret=1; 1186 ret = 1;
1247 1187
1248 if (0) 1188 if (0) {
1249 {
1250f_err: 1189f_err:
1251 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1190 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1252 } 1191 }
1253err: 1192err:
1254 EVP_PKEY_free(pkey); 1193 EVP_PKEY_free(pkey);
1255 X509_free(x); 1194 X509_free(x);
1256 sk_X509_pop_free(sk,X509_free); 1195 sk_X509_pop_free(sk, X509_free);
1257 return(ret); 1196 return (ret);
1258 } 1197}
1259 1198
1260int ssl3_get_key_exchange(SSL *s) 1199int
1261 { 1200ssl3_get_key_exchange(SSL *s)
1201{
1262#ifndef OPENSSL_NO_RSA 1202#ifndef OPENSSL_NO_RSA
1263 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1203 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1264#endif 1204#endif
1265 EVP_MD_CTX md_ctx; 1205 EVP_MD_CTX md_ctx;
1266 unsigned char *param,*p; 1206 unsigned char *param, *p;
1267 int al,i,j,param_len,ok; 1207 int al, i, j, param_len, ok;
1268 long n,alg_k,alg_a; 1208 long n, alg_k, alg_a;
1269 EVP_PKEY *pkey=NULL; 1209 EVP_PKEY *pkey = NULL;
1270 const EVP_MD *md = NULL; 1210 const EVP_MD *md = NULL;
1271#ifndef OPENSSL_NO_RSA 1211#ifndef OPENSSL_NO_RSA
1272 RSA *rsa=NULL; 1212 RSA *rsa = NULL;
1273#endif 1213#endif
1274#ifndef OPENSSL_NO_DH 1214#ifndef OPENSSL_NO_DH
1275 DH *dh=NULL; 1215 DH *dh = NULL;
1276#endif 1216#endif
1277#ifndef OPENSSL_NO_ECDH 1217#ifndef OPENSSL_NO_ECDH
1278 EC_KEY *ecdh = NULL; 1218 EC_KEY *ecdh = NULL;
@@ -1284,336 +1224,291 @@ int ssl3_get_key_exchange(SSL *s)
1284 1224
1285 /* use same message size as in ssl3_get_certificate_request() 1225 /* use same message size as in ssl3_get_certificate_request()
1286 * as ServerKeyExchange message may be skipped */ 1226 * as ServerKeyExchange message may be skipped */
1287 n=s->method->ssl_get_message(s, 1227 n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1288 SSL3_ST_CR_KEY_EXCH_A, 1228 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok);
1289 SSL3_ST_CR_KEY_EXCH_B, 1229 if (!ok)
1290 -1, 1230 return ((int)n);
1291 s->max_cert_list, 1231
1292 &ok); 1232 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1293 if (!ok) return((int)n);
1294
1295 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1296 {
1297#ifndef OPENSSL_NO_PSK 1233#ifndef OPENSSL_NO_PSK
1298 /* In plain PSK ciphersuite, ServerKeyExchange can be 1234 /* In plain PSK ciphersuite, ServerKeyExchange can be
1299 omitted if no identity hint is sent. Set 1235 omitted if no identity hint is sent. Set
1300 session->sess_cert anyway to avoid problems 1236 session->sess_cert anyway to avoid problems
1301 later.*/ 1237 later.*/
1302 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1238 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
1303 { 1239 s->session->sess_cert = ssl_sess_cert_new();
1304 s->session->sess_cert=ssl_sess_cert_new();
1305 if (s->ctx->psk_identity_hint) 1240 if (s->ctx->psk_identity_hint)
1306 OPENSSL_free(s->ctx->psk_identity_hint); 1241 OPENSSL_free(s->ctx->psk_identity_hint);
1307 s->ctx->psk_identity_hint = NULL; 1242 s->ctx->psk_identity_hint = NULL;
1308 }
1309#endif
1310 s->s3->tmp.reuse_message=1;
1311 return(1);
1312 } 1243 }
1244#endif
1245 s->s3->tmp.reuse_message = 1;
1246 return (1);
1247 }
1313 1248
1314 param=p=(unsigned char *)s->init_msg; 1249 param = p = (unsigned char *)s->init_msg;
1315 if (s->session->sess_cert != NULL) 1250 if (s->session->sess_cert != NULL) {
1316 {
1317#ifndef OPENSSL_NO_RSA 1251#ifndef OPENSSL_NO_RSA
1318 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1252 if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1319 {
1320 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1253 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1321 s->session->sess_cert->peer_rsa_tmp=NULL; 1254 s->session->sess_cert->peer_rsa_tmp = NULL;
1322 } 1255 }
1323#endif 1256#endif
1324#ifndef OPENSSL_NO_DH 1257#ifndef OPENSSL_NO_DH
1325 if (s->session->sess_cert->peer_dh_tmp) 1258 if (s->session->sess_cert->peer_dh_tmp) {
1326 {
1327 DH_free(s->session->sess_cert->peer_dh_tmp); 1259 DH_free(s->session->sess_cert->peer_dh_tmp);
1328 s->session->sess_cert->peer_dh_tmp=NULL; 1260 s->session->sess_cert->peer_dh_tmp = NULL;
1329 } 1261 }
1330#endif 1262#endif
1331#ifndef OPENSSL_NO_ECDH 1263#ifndef OPENSSL_NO_ECDH
1332 if (s->session->sess_cert->peer_ecdh_tmp) 1264 if (s->session->sess_cert->peer_ecdh_tmp) {
1333 {
1334 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1265 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1335 s->session->sess_cert->peer_ecdh_tmp=NULL; 1266 s->session->sess_cert->peer_ecdh_tmp = NULL;
1336 }
1337#endif
1338 }
1339 else
1340 {
1341 s->session->sess_cert=ssl_sess_cert_new();
1342 } 1267 }
1268#endif
1269 } else {
1270 s->session->sess_cert = ssl_sess_cert_new();
1271 }
1343 1272
1344 param_len=0; 1273 param_len = 0;
1345 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1274 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1346 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1275 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1347 EVP_MD_CTX_init(&md_ctx); 1276 EVP_MD_CTX_init(&md_ctx);
1348 1277
1349#ifndef OPENSSL_NO_PSK 1278#ifndef OPENSSL_NO_PSK
1350 if (alg_k & SSL_kPSK) 1279 if (alg_k & SSL_kPSK) {
1351 { 1280 char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1];
1352 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1353 1281
1354 al=SSL_AD_HANDSHAKE_FAILURE; 1282 al = SSL_AD_HANDSHAKE_FAILURE;
1355 n2s(p,i); 1283 n2s(p, i);
1356 param_len=i+2; 1284 param_len = i + 2;
1357 /* Store PSK identity hint for later use, hint is used 1285 /* Store PSK identity hint for later use, hint is used
1358 * in ssl3_send_client_key_exchange. Assume that the 1286 * in ssl3_send_client_key_exchange. Assume that the
1359 * maximum length of a PSK identity hint can be as 1287 * maximum length of a PSK identity hint can be as
1360 * long as the maximum length of a PSK identity. */ 1288 * long as the maximum length of a PSK identity. */
1361 if (i > PSK_MAX_IDENTITY_LEN) 1289 if (i > PSK_MAX_IDENTITY_LEN) {
1362 {
1363 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1290 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1364 SSL_R_DATA_LENGTH_TOO_LONG); 1291 SSL_R_DATA_LENGTH_TOO_LONG);
1365 goto f_err; 1292 goto f_err;
1366 } 1293 }
1367 if (param_len > n) 1294 if (param_len > n) {
1368 { 1295 al = SSL_AD_DECODE_ERROR;
1369 al=SSL_AD_DECODE_ERROR;
1370 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1296 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1371 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1297 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1372 goto f_err; 1298 goto f_err;
1373 } 1299 }
1374 /* If received PSK identity hint contains NULL 1300 /* If received PSK identity hint contains NULL
1375 * characters, the hint is truncated from the first 1301 * characters, the hint is truncated from the first
1376 * NULL. p may not be ending with NULL, so create a 1302 * NULL. p may not be ending with NULL, so create a
1377 * NULL-terminated string. */ 1303 * NULL-terminated string. */
1378 memcpy(tmp_id_hint, p, i); 1304 memcpy(tmp_id_hint, p, i);
1379 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1305 memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
1380 if (s->ctx->psk_identity_hint != NULL) 1306 if (s->ctx->psk_identity_hint != NULL)
1381 OPENSSL_free(s->ctx->psk_identity_hint); 1307 OPENSSL_free(s->ctx->psk_identity_hint);
1382 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1308 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1383 if (s->ctx->psk_identity_hint == NULL) 1309 if (s->ctx->psk_identity_hint == NULL) {
1384 {
1385 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1310 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1386 goto f_err; 1311 goto f_err;
1387 }
1388
1389 p+=i;
1390 n-=param_len;
1391 } 1312 }
1392 else 1313
1314 p += i;
1315 n -= param_len;
1316 } else
1393#endif /* !OPENSSL_NO_PSK */ 1317#endif /* !OPENSSL_NO_PSK */
1394#ifndef OPENSSL_NO_SRP 1318#ifndef OPENSSL_NO_SRP
1395 if (alg_k & SSL_kSRP) 1319 if (alg_k & SSL_kSRP) {
1396 { 1320 n2s(p, i);
1397 n2s(p,i); 1321 param_len = i + 2;
1398 param_len=i+2; 1322 if (param_len > n) {
1399 if (param_len > n) 1323 al = SSL_AD_DECODE_ERROR;
1400 { 1324 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
1401 al=SSL_AD_DECODE_ERROR;
1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
1403 goto f_err; 1325 goto f_err;
1404 } 1326 }
1405 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1327 if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
1406 { 1328 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1407 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1408 goto err; 1329 goto err;
1409 } 1330 }
1410 p+=i; 1331 p += i;
1411 1332
1412 n2s(p,i); 1333 n2s(p, i);
1413 param_len+=i+2; 1334 param_len += i + 2;
1414 if (param_len > n) 1335 if (param_len > n) {
1415 { 1336 al = SSL_AD_DECODE_ERROR;
1416 al=SSL_AD_DECODE_ERROR; 1337 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
1417 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
1418 goto f_err; 1338 goto f_err;
1419 } 1339 }
1420 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1340 if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
1421 { 1341 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1422 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1423 goto err; 1342 goto err;
1424 } 1343 }
1425 p+=i; 1344 p += i;
1426 1345
1427 i = (unsigned int)(p[0]); 1346 i = (unsigned int)(p[0]);
1428 p++; 1347 p++;
1429 param_len+=i+1; 1348 param_len += i + 1;
1430 if (param_len > n) 1349 if (param_len > n) {
1431 { 1350 al = SSL_AD_DECODE_ERROR;
1432 al=SSL_AD_DECODE_ERROR; 1351 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
1433 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
1434 goto f_err; 1352 goto f_err;
1435 } 1353 }
1436 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1354 if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
1437 { 1355 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1439 goto err; 1356 goto err;
1440 } 1357 }
1441 p+=i; 1358 p += i;
1442 1359
1443 n2s(p,i); 1360 n2s(p, i);
1444 param_len+=i+2; 1361 param_len += i + 2;
1445 if (param_len > n) 1362 if (param_len > n) {
1446 { 1363 al = SSL_AD_DECODE_ERROR;
1447 al=SSL_AD_DECODE_ERROR; 1364 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
1448 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
1449 goto f_err; 1365 goto f_err;
1450 } 1366 }
1451 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1367 if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
1452 { 1368 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1453 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1454 goto err; 1369 goto err;
1455 } 1370 }
1456 p+=i; 1371 p += i;
1457 n-=param_len; 1372 n -= param_len;
1458 1373
1459/* We must check if there is a certificate */ 1374/* We must check if there is a certificate */
1460#ifndef OPENSSL_NO_RSA 1375#ifndef OPENSSL_NO_RSA
1461 if (alg_a & SSL_aRSA) 1376 if (alg_a & SSL_aRSA)
1462 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1377 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1463#else 1378#else
1464 if (0) 1379 if (0)
1465 ; 1380;
1466#endif 1381#endif
1467#ifndef OPENSSL_NO_DSA 1382#ifndef OPENSSL_NO_DSA
1468 else if (alg_a & SSL_aDSS) 1383 else if (alg_a & SSL_aDSS)
1469 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1384 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1470#endif 1385#endif
1471 } 1386 } else
1472 else
1473#endif /* !OPENSSL_NO_SRP */ 1387#endif /* !OPENSSL_NO_SRP */
1474#ifndef OPENSSL_NO_RSA 1388#ifndef OPENSSL_NO_RSA
1475 if (alg_k & SSL_kRSA) 1389 if (alg_k & SSL_kRSA) {
1476 { 1390 if ((rsa = RSA_new()) == NULL) {
1477 if ((rsa=RSA_new()) == NULL) 1391 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1478 {
1479 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1480 goto err; 1392 goto err;
1481 } 1393 }
1482 n2s(p,i); 1394 n2s(p, i);
1483 param_len=i+2; 1395 param_len = i + 2;
1484 if (param_len > n) 1396 if (param_len > n) {
1485 { 1397 al = SSL_AD_DECODE_ERROR;
1486 al=SSL_AD_DECODE_ERROR; 1398 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_MODULUS_LENGTH);
1487 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1488 goto f_err; 1399 goto f_err;
1489 } 1400 }
1490 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1401 if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) {
1491 { 1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1492 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1493 goto err; 1403 goto err;
1494 } 1404 }
1495 p+=i; 1405 p += i;
1496 1406
1497 n2s(p,i); 1407 n2s(p, i);
1498 param_len+=i+2; 1408 param_len += i + 2;
1499 if (param_len > n) 1409 if (param_len > n) {
1500 { 1410 al = SSL_AD_DECODE_ERROR;
1501 al=SSL_AD_DECODE_ERROR; 1411 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_E_LENGTH);
1502 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1503 goto f_err; 1412 goto f_err;
1504 } 1413 }
1505 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1414 if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) {
1506 { 1415 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1507 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1508 goto err; 1416 goto err;
1509 } 1417 }
1510 p+=i; 1418 p += i;
1511 n-=param_len; 1419 n -= param_len;
1512 1420
1513 /* this should be because we are using an export cipher */ 1421 /* this should be because we are using an export cipher */
1514 if (alg_a & SSL_aRSA) 1422 if (alg_a & SSL_aRSA)
1515 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1423 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1516 else 1424 else {
1517 { 1425 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1518 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1519 goto err; 1426 goto err;
1520 }
1521 s->session->sess_cert->peer_rsa_tmp=rsa;
1522 rsa=NULL;
1523 } 1427 }
1428 s->session->sess_cert->peer_rsa_tmp = rsa;
1429 rsa = NULL;
1430 }
1524#else /* OPENSSL_NO_RSA */ 1431#else /* OPENSSL_NO_RSA */
1525 if (0) 1432 if (0)
1526 ; 1433;
1527#endif 1434#endif
1528#ifndef OPENSSL_NO_DH 1435#ifndef OPENSSL_NO_DH
1529 else if (alg_k & SSL_kEDH) 1436 else if (alg_k & SSL_kEDH) {
1530 { 1437 if ((dh = DH_new()) == NULL) {
1531 if ((dh=DH_new()) == NULL) 1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
1532 {
1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1534 goto err; 1439 goto err;
1535 } 1440 }
1536 n2s(p,i); 1441 n2s(p, i);
1537 param_len=i+2; 1442 param_len = i + 2;
1538 if (param_len > n) 1443 if (param_len > n) {
1539 { 1444 al = SSL_AD_DECODE_ERROR;
1540 al=SSL_AD_DECODE_ERROR; 1445 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
1541 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1542 goto f_err; 1446 goto f_err;
1543 } 1447 }
1544 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1448 if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1545 { 1449 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1546 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1547 goto err; 1450 goto err;
1548 } 1451 }
1549 p+=i; 1452 p += i;
1550 1453
1551 n2s(p,i); 1454 n2s(p, i);
1552 param_len+=i+2; 1455 param_len += i + 2;
1553 if (param_len > n) 1456 if (param_len > n) {
1554 { 1457 al = SSL_AD_DECODE_ERROR;
1555 al=SSL_AD_DECODE_ERROR; 1458 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1557 goto f_err; 1459 goto f_err;
1558 } 1460 }
1559 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1461 if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1560 { 1462 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1561 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1562 goto err; 1463 goto err;
1563 } 1464 }
1564 p+=i; 1465 p += i;
1565 1466
1566 n2s(p,i); 1467 n2s(p, i);
1567 param_len+=i+2; 1468 param_len += i + 2;
1568 if (param_len > n) 1469 if (param_len > n) {
1569 { 1470 al = SSL_AD_DECODE_ERROR;
1570 al=SSL_AD_DECODE_ERROR; 1471 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1571 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1572 goto f_err; 1472 goto f_err;
1573 } 1473 }
1574 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1474 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1575 { 1475 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1576 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1577 goto err; 1476 goto err;
1578 } 1477 }
1579 p+=i; 1478 p += i;
1580 n-=param_len; 1479 n -= param_len;
1581 1480
1582#ifndef OPENSSL_NO_RSA 1481#ifndef OPENSSL_NO_RSA
1583 if (alg_a & SSL_aRSA) 1482 if (alg_a & SSL_aRSA)
1584 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1483 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1585#else 1484#else
1586 if (0) 1485 if (0)
1587 ; 1486;
1588#endif 1487#endif
1589#ifndef OPENSSL_NO_DSA 1488#ifndef OPENSSL_NO_DSA
1590 else if (alg_a & SSL_aDSS) 1489 else if (alg_a & SSL_aDSS)
1591 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1490 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1592#endif 1491#endif
1593 /* else anonymous DH, so no certificate or pkey. */ 1492 /* else anonymous DH, so no certificate or pkey. */
1594 1493
1595 s->session->sess_cert->peer_dh_tmp=dh; 1494 s->session->sess_cert->peer_dh_tmp = dh;
1596 dh=NULL; 1495 dh = NULL;
1597 } 1496 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1598 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1497 al = SSL_AD_ILLEGAL_PARAMETER;
1599 { 1498 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1600 al=SSL_AD_ILLEGAL_PARAMETER;
1601 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1602 goto f_err; 1499 goto f_err;
1603 } 1500 }
1604#endif /* !OPENSSL_NO_DH */ 1501#endif /* !OPENSSL_NO_DH */
1605 1502
1606#ifndef OPENSSL_NO_ECDH 1503#ifndef OPENSSL_NO_ECDH
1607 else if (alg_k & SSL_kEECDH) 1504 else if (alg_k & SSL_kEECDH) {
1608 {
1609 EC_GROUP *ngroup; 1505 EC_GROUP *ngroup;
1610 const EC_GROUP *group; 1506 const EC_GROUP *group;
1611 1507
1612 if ((ecdh=EC_KEY_new()) == NULL) 1508 if ((ecdh = EC_KEY_new()) == NULL) {
1613 { 1509 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1614 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1615 goto err; 1510 goto err;
1616 } 1511 }
1617 1512
1618 /* Extract elliptic curve parameters and the 1513 /* Extract elliptic curve parameters and the
1619 * server's ephemeral ECDH public key. 1514 * server's ephemeral ECDH public key.
@@ -1624,217 +1519,194 @@ int ssl3_get_key_exchange(SSL *s)
1624 /* XXX: For now we only support named (not generic) curves 1519 /* XXX: For now we only support named (not generic) curves
1625 * and the ECParameters in this case is just three bytes. 1520 * and the ECParameters in this case is just three bytes.
1626 */ 1521 */
1627 param_len=3; 1522 param_len = 3;
1628 if ((param_len > n) || 1523 if ((param_len > n) ||
1629 (*p != NAMED_CURVE_TYPE) || 1524 (*p != NAMED_CURVE_TYPE) ||
1630 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1525 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) {
1631 { 1526 al = SSL_AD_INTERNAL_ERROR;
1632 al=SSL_AD_INTERNAL_ERROR; 1527 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1633 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1634 goto f_err; 1528 goto f_err;
1635 } 1529 }
1636 1530
1637 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1531 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1638 if (ngroup == NULL) 1532 if (ngroup == NULL) {
1639 { 1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1640 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1641 goto err; 1534 goto err;
1642 } 1535 }
1643 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1536 if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1644 { 1537 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1645 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1646 goto err; 1538 goto err;
1647 } 1539 }
1648 EC_GROUP_free(ngroup); 1540 EC_GROUP_free(ngroup);
1649 1541
1650 group = EC_KEY_get0_group(ecdh); 1542 group = EC_KEY_get0_group(ecdh);
1651 1543
1652 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1544 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1653 (EC_GROUP_get_degree(group) > 163)) 1545 (EC_GROUP_get_degree(group) > 163)) {
1654 { 1546 al = SSL_AD_EXPORT_RESTRICTION;
1655 al=SSL_AD_EXPORT_RESTRICTION; 1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1656 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1657 goto f_err; 1548 goto f_err;
1658 } 1549 }
1659 1550
1660 p+=3; 1551 p += 3;
1661 1552
1662 /* Next, get the encoded ECPoint */ 1553 /* Next, get the encoded ECPoint */
1663 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1554 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1664 ((bn_ctx = BN_CTX_new()) == NULL)) 1555 ((bn_ctx = BN_CTX_new()) == NULL)) {
1665 { 1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1666 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1667 goto err; 1557 goto err;
1668 } 1558 }
1669 1559
1670 encoded_pt_len = *p; /* length of encoded point */ 1560 encoded_pt_len = *p;
1671 p+=1; 1561 /* length of encoded point */
1562 p += 1;
1672 param_len += (1 + encoded_pt_len); 1563 param_len += (1 + encoded_pt_len);
1673 if ((param_len > n) || 1564 if ((param_len > n) ||
1674 (EC_POINT_oct2point(group, srvr_ecpoint, 1565 (EC_POINT_oct2point(group, srvr_ecpoint,
1675 p, encoded_pt_len, bn_ctx) == 0)) 1566 p, encoded_pt_len, bn_ctx) == 0)) {
1676 { 1567 al = SSL_AD_DECODE_ERROR;
1677 al=SSL_AD_DECODE_ERROR; 1568 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
1678 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1679 goto f_err; 1569 goto f_err;
1680 } 1570 }
1681 1571
1682 n-=param_len; 1572 n -= param_len;
1683 p+=encoded_pt_len; 1573 p += encoded_pt_len;
1684 1574
1685 /* The ECC/TLS specification does not mention 1575 /* The ECC/TLS specification does not mention
1686 * the use of DSA to sign ECParameters in the server 1576 * the use of DSA to sign ECParameters in the server
1687 * key exchange message. We do support RSA and ECDSA. 1577 * key exchange message. We do support RSA and ECDSA.
1688 */ 1578 */
1689 if (0) ; 1579 if (0);
1690#ifndef OPENSSL_NO_RSA 1580#ifndef OPENSSL_NO_RSA
1691 else if (alg_a & SSL_aRSA) 1581 else if (alg_a & SSL_aRSA)
1692 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1582 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1693#endif 1583#endif
1694#ifndef OPENSSL_NO_ECDSA 1584#ifndef OPENSSL_NO_ECDSA
1695 else if (alg_a & SSL_aECDSA) 1585 else if (alg_a & SSL_aECDSA)
1696 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1586 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1697#endif 1587#endif
1698 /* else anonymous ECDH, so no certificate or pkey. */ 1588 /* else anonymous ECDH, so no certificate or pkey. */
1699 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1589 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1700 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1590 s->session->sess_cert->peer_ecdh_tmp = ecdh;
1701 ecdh=NULL; 1591 ecdh = NULL;
1702 BN_CTX_free(bn_ctx); 1592 BN_CTX_free(bn_ctx);
1703 bn_ctx = NULL; 1593 bn_ctx = NULL;
1704 EC_POINT_free(srvr_ecpoint); 1594 EC_POINT_free(srvr_ecpoint);
1705 srvr_ecpoint = NULL; 1595 srvr_ecpoint = NULL;
1706 } 1596 } else if (alg_k) {
1707 else if (alg_k) 1597 al = SSL_AD_UNEXPECTED_MESSAGE;
1708 { 1598 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1709 al=SSL_AD_UNEXPECTED_MESSAGE;
1710 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1711 goto f_err; 1599 goto f_err;
1712 } 1600 }
1713#endif /* !OPENSSL_NO_ECDH */ 1601#endif /* !OPENSSL_NO_ECDH */
1714 1602
1715 1603
1716 /* p points to the next byte, there are 'n' bytes left */ 1604 /* p points to the next byte, there are 'n' bytes left */
1717 1605
1718 /* if it was signed, check the signature */ 1606 /* if it was signed, check the signature */
1719 if (pkey != NULL) 1607 if (pkey != NULL) {
1720 { 1608 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1721 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1722 {
1723 int sigalg = tls12_get_sigid(pkey); 1609 int sigalg = tls12_get_sigid(pkey);
1724 /* Should never happen */ 1610 /* Should never happen */
1725 if (sigalg == -1) 1611 if (sigalg == -1) {
1726 { 1612 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1727 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1728 goto err; 1613 goto err;
1729 } 1614 }
1730 /* Check key type is consistent with signature */ 1615 /* Check key type is consistent with signature */
1731 if (sigalg != (int)p[1]) 1616 if (sigalg != (int)p[1]) {
1732 { 1617 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_TYPE);
1733 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1618 al = SSL_AD_DECODE_ERROR;
1734 al=SSL_AD_DECODE_ERROR;
1735 goto f_err; 1619 goto f_err;
1736 } 1620 }
1737 md = tls12_get_hash(p[0]); 1621 md = tls12_get_hash(p[0]);
1738 if (md == NULL) 1622 if (md == NULL) {
1739 { 1623 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNKNOWN_DIGEST);
1740 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1624 al = SSL_AD_DECODE_ERROR;
1741 al=SSL_AD_DECODE_ERROR;
1742 goto f_err; 1625 goto f_err;
1743 } 1626 }
1744#ifdef SSL_DEBUG 1627#ifdef SSL_DEBUG
1745fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1628 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1746#endif 1629#endif
1747 p += 2; 1630 p += 2;
1748 n -= 2; 1631 n -= 2;
1749 } 1632 } else
1750 else
1751 md = EVP_sha1(); 1633 md = EVP_sha1();
1752
1753 n2s(p,i);
1754 n-=2;
1755 j=EVP_PKEY_size(pkey);
1756 1634
1757 if ((i != n) || (n > j) || (n <= 0)) 1635 n2s(p, i);
1758 { 1636 n -= 2;
1637 j = EVP_PKEY_size(pkey);
1638
1639 if ((i != n) || (n > j) || (n <= 0)) {
1759 /* wrong packet length */ 1640 /* wrong packet length */
1760 al=SSL_AD_DECODE_ERROR; 1641 al = SSL_AD_DECODE_ERROR;
1761 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1642 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
1762 goto f_err; 1643 goto f_err;
1763 } 1644 }
1764 1645
1765#ifndef OPENSSL_NO_RSA 1646#ifndef OPENSSL_NO_RSA
1766 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 1647 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) {
1767 {
1768 int num; 1648 int num;
1769 1649
1770 j=0; 1650 j = 0;
1771 q=md_buf; 1651 q = md_buf;
1772 for (num=2; num > 0; num--) 1652 for (num = 2; num > 0; num--) {
1773 {
1774 EVP_MD_CTX_set_flags(&md_ctx, 1653 EVP_MD_CTX_set_flags(&md_ctx,
1775 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1654 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1776 EVP_DigestInit_ex(&md_ctx,(num == 2) 1655 EVP_DigestInit_ex(&md_ctx,(num == 2)
1777 ?s->ctx->md5:s->ctx->sha1, NULL); 1656 ?s->ctx->md5 : s->ctx->sha1, NULL);
1778 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1657 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1779 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1658 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1780 EVP_DigestUpdate(&md_ctx,param,param_len); 1659 EVP_DigestUpdate(&md_ctx, param, param_len);
1781 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1660 EVP_DigestFinal_ex(&md_ctx, q,(unsigned int *)&i);
1782 q+=i; 1661 q += i;
1783 j+=i; 1662 j += i;
1784 } 1663 }
1785 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1664 i = RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1786 pkey->pkey.rsa); 1665 pkey->pkey.rsa);
1787 if (i < 0) 1666 if (i < 0) {
1788 { 1667 al = SSL_AD_DECRYPT_ERROR;
1789 al=SSL_AD_DECRYPT_ERROR; 1668 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT);
1790 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1791 goto f_err; 1669 goto f_err;
1792 } 1670 }
1793 if (i == 0) 1671 if (i == 0) {
1794 {
1795 /* bad signature */ 1672 /* bad signature */
1796 al=SSL_AD_DECRYPT_ERROR; 1673 al = SSL_AD_DECRYPT_ERROR;
1797 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1674 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1798 goto f_err; 1675 goto f_err;
1799 }
1800 } 1676 }
1801 else 1677 } else
1802#endif 1678#endif
1803 { 1679 {
1804 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1680 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1805 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1681 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1806 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1682 EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1807 EVP_VerifyUpdate(&md_ctx,param,param_len); 1683 EVP_VerifyUpdate(&md_ctx, param, param_len);
1808 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1684 if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {
1809 {
1810 /* bad signature */ 1685 /* bad signature */
1811 al=SSL_AD_DECRYPT_ERROR; 1686 al = SSL_AD_DECRYPT_ERROR;
1812 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1687 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1813 goto f_err; 1688 goto f_err;
1814 }
1815 } 1689 }
1816 } 1690 }
1817 else 1691 } else {
1818 {
1819 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1692 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
1820 /* aNULL or kPSK do not need public keys */ 1693 /* aNULL or kPSK do not need public keys */
1821 { 1694 {
1822 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1695 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1823 goto err; 1696 goto err;
1824 } 1697 }
1825 /* still data left over */ 1698 /* still data left over */
1826 if (n != 0) 1699 if (n != 0) {
1827 { 1700 al = SSL_AD_DECODE_ERROR;
1828 al=SSL_AD_DECODE_ERROR; 1701 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
1829 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1830 goto f_err; 1702 goto f_err;
1831 }
1832 } 1703 }
1704 }
1833 EVP_PKEY_free(pkey); 1705 EVP_PKEY_free(pkey);
1834 EVP_MD_CTX_cleanup(&md_ctx); 1706 EVP_MD_CTX_cleanup(&md_ctx);
1835 return(1); 1707 return (1);
1836f_err: 1708f_err:
1837 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1709 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1838err: 1710err:
1839 EVP_PKEY_free(pkey); 1711 EVP_PKEY_free(pkey);
1840#ifndef OPENSSL_NO_RSA 1712#ifndef OPENSSL_NO_RSA
@@ -1852,241 +1724,219 @@ err:
1852 EC_KEY_free(ecdh); 1724 EC_KEY_free(ecdh);
1853#endif 1725#endif
1854 EVP_MD_CTX_cleanup(&md_ctx); 1726 EVP_MD_CTX_cleanup(&md_ctx);
1855 return(-1); 1727 return (-1);
1856 } 1728}
1857 1729
1858int ssl3_get_certificate_request(SSL *s) 1730int
1859 { 1731ssl3_get_certificate_request(SSL *s)
1860 int ok,ret=0; 1732{
1861 unsigned long n,nc,l; 1733 int ok, ret = 0;
1862 unsigned int llen, ctype_num,i; 1734 unsigned long n, nc, l;
1863 X509_NAME *xn=NULL; 1735 unsigned int llen, ctype_num, i;
1864 const unsigned char *p,*q; 1736 X509_NAME *xn = NULL;
1737 const unsigned char *p, *q;
1865 unsigned char *d; 1738 unsigned char *d;
1866 STACK_OF(X509_NAME) *ca_sk=NULL; 1739 STACK_OF(X509_NAME) *ca_sk = NULL;
1867 1740
1868 n=s->method->ssl_get_message(s, 1741 n = s->method->ssl_get_message(s,
1869 SSL3_ST_CR_CERT_REQ_A, 1742 SSL3_ST_CR_CERT_REQ_A,
1870 SSL3_ST_CR_CERT_REQ_B, 1743 SSL3_ST_CR_CERT_REQ_B,
1871 -1, 1744 -1,
1872 s->max_cert_list, 1745 s->max_cert_list,
1873 &ok); 1746 &ok);
1874 1747
1875 if (!ok) return((int)n); 1748 if (!ok)
1749 return ((int)n);
1876 1750
1877 s->s3->tmp.cert_req=0; 1751 s->s3->tmp.cert_req = 0;
1878 1752
1879 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1753 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
1880 { 1754 s->s3->tmp.reuse_message = 1;
1881 s->s3->tmp.reuse_message=1;
1882 /* If we get here we don't need any cached handshake records 1755 /* If we get here we don't need any cached handshake records
1883 * as we wont be doing client auth. 1756 * as we wont be doing client auth.
1884 */ 1757 */
1885 if (s->s3->handshake_buffer) 1758 if (s->s3->handshake_buffer) {
1886 {
1887 if (!ssl3_digest_cached_records(s)) 1759 if (!ssl3_digest_cached_records(s))
1888 goto err; 1760 goto err;
1889 }
1890 return(1);
1891 } 1761 }
1762 return (1);
1763 }
1892 1764
1893 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1765 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1894 { 1766 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1895 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1767 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_WRONG_MESSAGE_TYPE);
1896 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1897 goto err; 1768 goto err;
1898 } 1769 }
1899 1770
1900 /* TLS does not like anon-DH with client cert */ 1771 /* TLS does not like anon-DH with client cert */
1901 if (s->version > SSL3_VERSION) 1772 if (s->version > SSL3_VERSION) {
1902 { 1773 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
1903 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1774 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1904 { 1775 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1905 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1906 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1907 goto err; 1776 goto err;
1908 }
1909 } 1777 }
1778 }
1910 1779
1911 p=d=(unsigned char *)s->init_msg; 1780 p = d=(unsigned char *)s->init_msg;
1912 1781
1913 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1782 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1914 { 1783 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1915 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1916 goto err; 1784 goto err;
1917 } 1785 }
1918 1786
1919 /* get the certificate types */ 1787 /* get the certificate types */
1920 ctype_num= *(p++); 1788 ctype_num= *(p++);
1921 if (ctype_num > SSL3_CT_NUMBER) 1789 if (ctype_num > SSL3_CT_NUMBER)
1922 ctype_num=SSL3_CT_NUMBER; 1790 ctype_num = SSL3_CT_NUMBER;
1923 for (i=0; i<ctype_num; i++) 1791 for (i = 0; i < ctype_num; i++)
1924 s->s3->tmp.ctype[i]= p[i]; 1792 s->s3->tmp.ctype[i] = p[i];
1925 p+=ctype_num; 1793 p += ctype_num;
1926 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1794 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1927 {
1928 n2s(p, llen); 1795 n2s(p, llen);
1929 /* Check we have enough room for signature algorithms and 1796 /* Check we have enough room for signature algorithms and
1930 * following length value. 1797 * following length value.
1931 */ 1798 */
1932 if ((unsigned long)(p - d + llen + 2) > n) 1799 if ((unsigned long)(p - d + llen + 2) > n) {
1933 { 1800 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1934 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1801 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_DATA_LENGTH_TOO_LONG);
1935 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
1936 goto err; 1802 goto err;
1937 } 1803 }
1938 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 1804 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) {
1939 { 1805 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1940 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1806 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1941 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1942 goto err; 1807 goto err;
1943 }
1944 p += llen;
1945 } 1808 }
1809 p += llen;
1810 }
1946 1811
1947 /* get the CA RDNs */ 1812 /* get the CA RDNs */
1948 n2s(p,llen); 1813 n2s(p, llen);
1949#if 0 1814#if 0
1950{ 1815 {
1951FILE *out; 1816 FILE *out;
1952out=fopen("/tmp/vsign.der","w"); 1817 out = fopen("/tmp/vsign.der", "w");
1953fwrite(p,1,llen,out); 1818 fwrite(p, 1, llen, out);
1954fclose(out); 1819 fclose(out);
1955} 1820 }
1956#endif 1821#endif
1957 1822
1958 if ((unsigned long)(p - d + llen) != n) 1823 if ((unsigned long)(p - d + llen) != n) {
1959 { 1824 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1960 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1825 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
1961 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1962 goto err; 1826 goto err;
1963 } 1827 }
1964 1828
1965 for (nc=0; nc<llen; ) 1829 for (nc = 0; nc < llen; ) {
1966 { 1830 n2s(p, l);
1967 n2s(p,l); 1831 if ((l + nc + 2) > llen) {
1968 if ((l+nc+2) > llen)
1969 {
1970 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1832 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1971 goto cont; /* netscape bugs */ 1833 goto cont; /* netscape bugs */
1972 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1834 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1973 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1835 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
1974 goto err; 1836 goto err;
1975 } 1837 }
1976 1838
1977 q=p; 1839 q = p;
1978 1840
1979 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1841 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
1980 {
1981 /* If netscape tolerance is on, ignore errors */ 1842 /* If netscape tolerance is on, ignore errors */
1982 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1843 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1983 goto cont; 1844 goto cont;
1984 else 1845 else {
1985 { 1846 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1986 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1847 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
1987 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1988 goto err; 1848 goto err;
1989 }
1990 } 1849 }
1850 }
1991 1851
1992 if (q != (p+l)) 1852 if (q != (p + l)) {
1993 { 1853 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1994 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1854 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_LENGTH_MISMATCH);
1995 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1996 goto err; 1855 goto err;
1997 } 1856 }
1998 if (!sk_X509_NAME_push(ca_sk,xn)) 1857 if (!sk_X509_NAME_push(ca_sk, xn)) {
1999 { 1858 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
2000 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
2001 goto err; 1859 goto err;
2002 }
2003
2004 p+=l;
2005 nc+=l+2;
2006 } 1860 }
2007 1861
2008 if (0) 1862 p += l;
2009 { 1863 nc += l + 2;
1864 }
1865
1866 if (0) {
2010cont: 1867cont:
2011 ERR_clear_error(); 1868 ERR_clear_error();
2012 } 1869 }
2013 1870
2014 /* we should setup a certificate to return.... */ 1871 /* we should setup a certificate to return.... */
2015 s->s3->tmp.cert_req=1; 1872 s->s3->tmp.cert_req = 1;
2016 s->s3->tmp.ctype_num=ctype_num; 1873 s->s3->tmp.ctype_num = ctype_num;
2017 if (s->s3->tmp.ca_names != NULL) 1874 if (s->s3->tmp.ca_names != NULL)
2018 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1875 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
2019 s->s3->tmp.ca_names=ca_sk; 1876 s->s3->tmp.ca_names = ca_sk;
2020 ca_sk=NULL; 1877 ca_sk = NULL;
2021 1878
2022 ret=1; 1879 ret = 1;
2023err: 1880err:
2024 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1881 if (ca_sk != NULL)
2025 return(ret); 1882 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2026 } 1883 return (ret);
1884}
1885
1886static int
1887ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1888{
1889 return (X509_NAME_cmp(*a, *b));
1890}
2027 1891
2028static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
2029 {
2030 return(X509_NAME_cmp(*a,*b));
2031 }
2032#ifndef OPENSSL_NO_TLSEXT 1892#ifndef OPENSSL_NO_TLSEXT
2033int ssl3_get_new_session_ticket(SSL *s) 1893int
2034 { 1894ssl3_get_new_session_ticket(SSL *s)
2035 int ok,al,ret=0, ticklen; 1895{
1896 int ok, al, ret = 0, ticklen;
2036 long n; 1897 long n;
2037 const unsigned char *p; 1898 const unsigned char *p;
2038 unsigned char *d; 1899 unsigned char *d;
2039 1900
2040 n=s->method->ssl_get_message(s, 1901 n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
2041 SSL3_ST_CR_SESSION_TICKET_A, 1902 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok);
2042 SSL3_ST_CR_SESSION_TICKET_B,
2043 -1,
2044 16384,
2045 &ok);
2046
2047 if (!ok) 1903 if (!ok)
2048 return((int)n); 1904 return ((int)n);
2049 1905
2050 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 1906 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) {
2051 { 1907 s->s3->tmp.reuse_message = 1;
2052 s->s3->tmp.reuse_message=1; 1908 return (1);
2053 return(1); 1909 }
2054 } 1910 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
2055 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 1911 al = SSL_AD_UNEXPECTED_MESSAGE;
2056 { 1912 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_BAD_MESSAGE_TYPE);
2057 al=SSL_AD_UNEXPECTED_MESSAGE;
2058 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
2059 goto f_err; 1913 goto f_err;
2060 } 1914 }
2061 if (n < 6) 1915 if (n < 6) {
2062 {
2063 /* need at least ticket_lifetime_hint + ticket length */ 1916 /* need at least ticket_lifetime_hint + ticket length */
2064 al = SSL_AD_DECODE_ERROR; 1917 al = SSL_AD_DECODE_ERROR;
2065 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1918 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2066 goto f_err; 1919 goto f_err;
2067 } 1920 }
2068 1921
2069 p=d=(unsigned char *)s->init_msg; 1922 p = d = (unsigned char *)s->init_msg;
2070 n2l(p, s->session->tlsext_tick_lifetime_hint); 1923 n2l(p, s->session->tlsext_tick_lifetime_hint);
2071 n2s(p, ticklen); 1924 n2s(p, ticklen);
2072 /* ticket_lifetime_hint + ticket_length + ticket */ 1925 /* ticket_lifetime_hint + ticket_length + ticket */
2073 if (ticklen + 6 != n) 1926 if (ticklen + 6 != n) {
2074 {
2075 al = SSL_AD_DECODE_ERROR; 1927 al = SSL_AD_DECODE_ERROR;
2076 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1928 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2077 goto f_err; 1929 goto f_err;
2078 } 1930 }
2079 if (s->session->tlsext_tick) 1931 if (s->session->tlsext_tick) {
2080 {
2081 OPENSSL_free(s->session->tlsext_tick); 1932 OPENSSL_free(s->session->tlsext_tick);
2082 s->session->tlsext_ticklen = 0; 1933 s->session->tlsext_ticklen = 0;
2083 } 1934 }
2084 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1935 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2085 if (!s->session->tlsext_tick) 1936 if (!s->session->tlsext_tick) {
2086 { 1937 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
2087 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
2088 goto err; 1938 goto err;
2089 } 1939 }
2090 memcpy(s->session->tlsext_tick, p, ticklen); 1940 memcpy(s->session->tlsext_tick, p, ticklen);
2091 s->session->tlsext_ticklen = ticklen; 1941 s->session->tlsext_ticklen = ticklen;
2092 /* There are two ways to detect a resumed ticket sesion. 1942 /* There are two ways to detect a resumed ticket sesion.
@@ -2105,122 +1955,116 @@ int ssl3_get_new_session_ticket(SSL *s)
2105 * ticket. 1955 * ticket.
2106 */ 1956 */
2107 EVP_Digest(p, ticklen, 1957 EVP_Digest(p, ticklen,
2108 s->session->session_id, &s->session->session_id_length, 1958 s->session->session_id, &s->session->session_id_length,
2109#ifndef OPENSSL_NO_SHA256 1959#ifndef OPENSSL_NO_SHA256
2110 EVP_sha256(), NULL); 1960 EVP_sha256(), NULL);
2111#else 1961#else
2112 EVP_sha1(), NULL); 1962 EVP_sha1(), NULL);
2113#endif 1963#endif
2114 ret=1; 1964 ret = 1;
2115 return(ret); 1965 return (ret);
2116f_err: 1966f_err:
2117 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1967 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2118err: 1968err:
2119 return(-1); 1969 return (-1);
2120 } 1970}
2121 1971
2122int ssl3_get_cert_status(SSL *s) 1972int
2123 { 1973ssl3_get_cert_status(SSL *s)
1974{
2124 int ok, al; 1975 int ok, al;
2125 unsigned long resplen,n; 1976 unsigned long resplen, n;
2126 const unsigned char *p; 1977 const unsigned char *p;
2127 1978
2128 n=s->method->ssl_get_message(s, 1979 n = s->method->ssl_get_message(s,
2129 SSL3_ST_CR_CERT_STATUS_A, 1980 SSL3_ST_CR_CERT_STATUS_A,
2130 SSL3_ST_CR_CERT_STATUS_B, 1981 SSL3_ST_CR_CERT_STATUS_B,
2131 SSL3_MT_CERTIFICATE_STATUS, 1982 SSL3_MT_CERTIFICATE_STATUS,
2132 16384, 1983 16384,
2133 &ok); 1984 &ok);
2134 1985
2135 if (!ok) return((int)n); 1986 if (!ok)
2136 if (n < 4) 1987 return ((int)n);
2137 { 1988 if (n < 4) {
2138 /* need at least status type + length */ 1989 /* need at least status type + length */
2139 al = SSL_AD_DECODE_ERROR; 1990 al = SSL_AD_DECODE_ERROR;
2140 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1991 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2141 goto f_err; 1992 goto f_err;
2142 } 1993 }
2143 p = (unsigned char *)s->init_msg; 1994 p = (unsigned char *)s->init_msg;
2144 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 1995 if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
2145 {
2146 al = SSL_AD_DECODE_ERROR; 1996 al = SSL_AD_DECODE_ERROR;
2147 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 1997 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
2148 goto f_err; 1998 goto f_err;
2149 } 1999 }
2150 n2l3(p, resplen); 2000 n2l3(p, resplen);
2151 if (resplen + 4 != n) 2001 if (resplen + 4 != n) {
2152 {
2153 al = SSL_AD_DECODE_ERROR; 2002 al = SSL_AD_DECODE_ERROR;
2154 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2003 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2155 goto f_err; 2004 goto f_err;
2156 } 2005 }
2157 if (s->tlsext_ocsp_resp) 2006 if (s->tlsext_ocsp_resp)
2158 OPENSSL_free(s->tlsext_ocsp_resp); 2007 OPENSSL_free(s->tlsext_ocsp_resp);
2159 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2008 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
2160 if (!s->tlsext_ocsp_resp) 2009 if (!s->tlsext_ocsp_resp) {
2161 {
2162 al = SSL_AD_INTERNAL_ERROR; 2010 al = SSL_AD_INTERNAL_ERROR;
2163 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2011 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2164 goto f_err; 2012 goto f_err;
2165 } 2013 }
2166 s->tlsext_ocsp_resplen = resplen; 2014 s->tlsext_ocsp_resplen = resplen;
2167 if (s->ctx->tlsext_status_cb) 2015 if (s->ctx->tlsext_status_cb) {
2168 {
2169 int ret; 2016 int ret;
2170 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2017 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2171 if (ret == 0) 2018 if (ret == 0) {
2172 {
2173 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2019 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2174 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2020 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_INVALID_STATUS_RESPONSE);
2175 goto f_err; 2021 goto f_err;
2176 } 2022 }
2177 if (ret < 0) 2023 if (ret < 0) {
2178 {
2179 al = SSL_AD_INTERNAL_ERROR; 2024 al = SSL_AD_INTERNAL_ERROR;
2180 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2025 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2181 goto f_err; 2026 goto f_err;
2182 }
2183 } 2027 }
2028 }
2184 return 1; 2029 return 1;
2185f_err: 2030f_err:
2186 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2031 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2187 return(-1); 2032 return (-1);
2188 } 2033}
2189#endif 2034#endif
2190 2035
2191int ssl3_get_server_done(SSL *s) 2036int
2192 { 2037ssl3_get_server_done(SSL *s)
2193 int ok,ret=0; 2038{
2039 int ok, ret = 0;
2194 long n; 2040 long n;
2195 2041
2196 n=s->method->ssl_get_message(s, 2042 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
2197 SSL3_ST_CR_SRVR_DONE_A, 2043 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
2198 SSL3_ST_CR_SRVR_DONE_B, 2044 30, /* should be very small, like 0 :-) */ &ok);
2199 SSL3_MT_SERVER_DONE,
2200 30, /* should be very small, like 0 :-) */
2201 &ok);
2202 2045
2203 if (!ok) return((int)n); 2046 if (!ok)
2204 if (n > 0) 2047 return ((int)n);
2205 { 2048 if (n > 0) {
2206 /* should contain no data */ 2049 /* should contain no data */
2207 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2050 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2208 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2051 SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
2209 return -1; 2052 return -1;
2210 }
2211 ret=1;
2212 return(ret);
2213 } 2053 }
2054 ret = 1;
2055 return (ret);
2056}
2214 2057
2215 2058
2216int ssl3_send_client_key_exchange(SSL *s) 2059int
2217 { 2060ssl3_send_client_key_exchange(SSL *s)
2218 unsigned char *p,*d; 2061{
2062 unsigned char *p, *d;
2219 int n; 2063 int n;
2220 unsigned long alg_k; 2064 unsigned long alg_k;
2221#ifndef OPENSSL_NO_RSA 2065#ifndef OPENSSL_NO_RSA
2222 unsigned char *q; 2066 unsigned char *q;
2223 EVP_PKEY *pkey=NULL; 2067 EVP_PKEY *pkey = NULL;
2224#endif 2068#endif
2225#ifndef OPENSSL_NO_KRB5 2069#ifndef OPENSSL_NO_KRB5
2226 KSSL_ERR kssl_err; 2070 KSSL_ERR kssl_err;
@@ -2234,77 +2078,73 @@ int ssl3_send_client_key_exchange(SSL *s)
2234 BN_CTX * bn_ctx = NULL; 2078 BN_CTX * bn_ctx = NULL;
2235#endif 2079#endif
2236 2080
2237 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 2081 if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
2238 { 2082 d = (unsigned char *)s->init_buf->data;
2239 d=(unsigned char *)s->init_buf->data; 2083 p = &(d[4]);
2240 p= &(d[4]);
2241 2084
2242 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2085 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2243 2086
2244 /* Fool emacs indentation */ 2087 /* Fool emacs indentation */
2245 if (0) {} 2088 if (0) {
2089 }
2246#ifndef OPENSSL_NO_RSA 2090#ifndef OPENSSL_NO_RSA
2247 else if (alg_k & SSL_kRSA) 2091 else if (alg_k & SSL_kRSA) {
2248 {
2249 RSA *rsa; 2092 RSA *rsa;
2250 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2093 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2251 2094
2252 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2095 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2253 rsa=s->session->sess_cert->peer_rsa_tmp; 2096 rsa = s->session->sess_cert->peer_rsa_tmp;
2254 else 2097 else {
2255 { 2098 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2256 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2257 if ((pkey == NULL) || 2099 if ((pkey == NULL) ||
2258 (pkey->type != EVP_PKEY_RSA) || 2100 (pkey->type != EVP_PKEY_RSA) ||
2259 (pkey->pkey.rsa == NULL)) 2101 (pkey->pkey.rsa == NULL)) {
2260 { 2102 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2261 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2262 goto err; 2103 goto err;
2263 }
2264 rsa=pkey->pkey.rsa;
2265 EVP_PKEY_free(pkey);
2266 } 2104 }
2267 2105 rsa = pkey->pkey.rsa;
2268 tmp_buf[0]=s->client_version>>8; 2106 EVP_PKEY_free(pkey);
2269 tmp_buf[1]=s->client_version&0xff; 2107 }
2270 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2108
2271 goto err; 2109 tmp_buf[0] = s->client_version >> 8;
2110 tmp_buf[1] = s->client_version & 0xff;
2111 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2112 goto err;
2272 2113
2273 s->session->master_key_length=sizeof tmp_buf; 2114 s->session->master_key_length = sizeof tmp_buf;
2274 2115
2275 q=p; 2116 q = p;
2276 /* Fix buf for TLS and beyond */ 2117 /* Fix buf for TLS and beyond */
2277 if (s->version > SSL3_VERSION) 2118 if (s->version > SSL3_VERSION)
2278 p+=2; 2119 p += 2;
2279 n=RSA_public_encrypt(sizeof tmp_buf, 2120 n = RSA_public_encrypt(sizeof tmp_buf,
2280 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2121 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2281#ifdef PKCS1_CHECK 2122#ifdef PKCS1_CHECK
2282 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2123 if (s->options & SSL_OP_PKCS1_CHECK_1)
2283 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2124 p[1]++;
2125 if (s->options & SSL_OP_PKCS1_CHECK_2)
2126 tmp_buf[0] = 0x70;
2284#endif 2127#endif
2285 if (n <= 0) 2128 if (n <= 0) {
2286 { 2129 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
2287 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
2288 goto err; 2130 goto err;
2289 } 2131 }
2290 2132
2291 /* Fix buf for TLS and beyond */ 2133 /* Fix buf for TLS and beyond */
2292 if (s->version > SSL3_VERSION) 2134 if (s->version > SSL3_VERSION) {
2293 { 2135 s2n(n, q);
2294 s2n(n,q); 2136 n += 2;
2295 n+=2;
2296 }
2297
2298 s->session->master_key_length=
2299 s->method->ssl3_enc->generate_master_secret(s,
2300 s->session->master_key,
2301 tmp_buf,sizeof tmp_buf);
2302 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2303 } 2137 }
2138
2139 s->session->master_key_length =
2140 s->method->ssl3_enc->generate_master_secret(
2141 s, s->session->master_key, tmp_buf,
2142 sizeof tmp_buf);
2143 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2144 }
2304#endif 2145#endif
2305#ifndef OPENSSL_NO_KRB5 2146#ifndef OPENSSL_NO_KRB5
2306 else if (alg_k & SSL_kKRB5) 2147 else if (alg_k & SSL_kKRB5) {
2307 {
2308 krb5_error_code krb5rc; 2148 krb5_error_code krb5rc;
2309 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2149 KSSL_CTX *kssl_ctx = s->kssl_ctx;
2310 /* krb5_data krb5_ap_req; */ 2150 /* krb5_data krb5_ap_req; */
@@ -2314,43 +2154,43 @@ int ssl3_send_client_key_exchange(SSL *s)
2314 const EVP_CIPHER *enc = NULL; 2154 const EVP_CIPHER *enc = NULL;
2315 unsigned char iv[EVP_MAX_IV_LENGTH]; 2155 unsigned char iv[EVP_MAX_IV_LENGTH];
2316 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2156 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2317 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2157 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2318 + EVP_MAX_IV_LENGTH]; 2158 + EVP_MAX_IV_LENGTH];
2319 int padl, outl = sizeof(epms); 2159 int padl, outl = sizeof(epms);
2320 2160
2321 EVP_CIPHER_CTX_init(&ciph_ctx); 2161 EVP_CIPHER_CTX_init(&ciph_ctx);
2322 2162
2323#ifdef KSSL_DEBUG 2163#ifdef KSSL_DEBUG
2324 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2164 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2325 alg_k, SSL_kKRB5); 2165 alg_k, SSL_kKRB5);
2326#endif /* KSSL_DEBUG */ 2166#endif /* KSSL_DEBUG */
2327 2167
2328 authp = NULL; 2168 authp = NULL;
2329#ifdef KRB5SENDAUTH 2169#ifdef KRB5SENDAUTH
2330 if (KRB5SENDAUTH) authp = &authenticator; 2170 if (KRB5SENDAUTH)
2171 authp = &authenticator;
2331#endif /* KRB5SENDAUTH */ 2172#endif /* KRB5SENDAUTH */
2332 2173
2333 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2174 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
2334 &kssl_err); 2175 authp, &kssl_err);
2335 enc = kssl_map_enc(kssl_ctx->enctype); 2176 enc = kssl_map_enc(kssl_ctx->enctype);
2336 if (enc == NULL) 2177 if (enc == NULL)
2337 goto err; 2178 goto err;
2338#ifdef KSSL_DEBUG 2179#ifdef KSSL_DEBUG
2339 { 2180 {
2340 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2181 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2341 if (krb5rc && kssl_err.text) 2182 if (krb5rc && kssl_err.text)
2342 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2183 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2343 } 2184 }
2344#endif /* KSSL_DEBUG */ 2185#endif /* KSSL_DEBUG */
2345 2186
2346 if (krb5rc) 2187 if (krb5rc) {
2347 { 2188 ssl3_send_alert(s, SSL3_AL_FATAL,
2348 ssl3_send_alert(s,SSL3_AL_FATAL, 2189 SSL_AD_HANDSHAKE_FAILURE);
2349 SSL_AD_HANDSHAKE_FAILURE);
2350 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2190 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2351 kssl_err.reason); 2191 kssl_err.reason);
2352 goto err; 2192 goto err;
2353 } 2193 }
2354 2194
2355 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2195 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2356 ** in place of RFC 2712 KerberosWrapper, as in: 2196 ** in place of RFC 2712 KerberosWrapper, as in:
@@ -2372,32 +2212,29 @@ int ssl3_send_client_key_exchange(SSL *s)
2372 */ 2212 */
2373 2213
2374 /* KerberosWrapper.Ticket */ 2214 /* KerberosWrapper.Ticket */
2375 s2n(enc_ticket->length,p); 2215 s2n(enc_ticket->length, p);
2376 memcpy(p, enc_ticket->data, enc_ticket->length); 2216 memcpy(p, enc_ticket->data, enc_ticket->length);
2377 p+= enc_ticket->length; 2217 p += enc_ticket->length;
2378 n = enc_ticket->length + 2; 2218 n = enc_ticket->length + 2;
2379 2219
2380 /* KerberosWrapper.Authenticator */ 2220 /* KerberosWrapper.Authenticator */
2381 if (authp && authp->length) 2221 if (authp && authp->length) {
2382 { 2222 s2n(authp->length, p);
2383 s2n(authp->length,p);
2384 memcpy(p, authp->data, authp->length); 2223 memcpy(p, authp->data, authp->length);
2385 p+= authp->length; 2224 p += authp->length;
2386 n+= authp->length + 2; 2225 n += authp->length + 2;
2387 2226
2388 free(authp->data); 2227 free(authp->data);
2389 authp->data = NULL; 2228 authp->data = NULL;
2390 authp->length = 0; 2229 authp->length = 0;
2391 } 2230 } else {
2392 else
2393 {
2394 s2n(0,p);/* null authenticator length */ 2231 s2n(0,p);/* null authenticator length */
2395 n+=2; 2232 n += 2;
2396 } 2233 }
2397 2234
2398 tmp_buf[0]=s->client_version>>8; 2235 tmp_buf[0] = s->client_version >> 8;
2399 tmp_buf[1]=s->client_version&0xff; 2236 tmp_buf[1] = s->client_version&0xff;
2400 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2237 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2401 goto err; 2238 goto err;
2402 2239
2403 /* 20010420 VRS. Tried it this way; failed. 2240 /* 20010420 VRS. Tried it this way; failed.
@@ -2407,104 +2244,97 @@ int ssl3_send_client_key_exchange(SSL *s)
2407 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2244 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2408 */ 2245 */
2409 2246
2410 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2247 memset(iv, 0, sizeof iv);
2411 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2248 /* per RFC 1510 */
2412 kssl_ctx->key,iv); 2249 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
2413 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2250 kssl_ctx->key, iv);
2414 sizeof tmp_buf); 2251 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
2415 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2252 sizeof tmp_buf);
2253 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
2416 outl += padl; 2254 outl += padl;
2417 if (outl > (int)sizeof epms) 2255 if (outl > (int)sizeof epms) {
2418 {
2419 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2256 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2420 goto err; 2257 goto err;
2421 } 2258 }
2422 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2259 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2423 2260
2424 /* KerberosWrapper.EncryptedPreMasterSecret */ 2261 /* KerberosWrapper.EncryptedPreMasterSecret */
2425 s2n(outl,p); 2262 s2n(outl, p);
2426 memcpy(p, epms, outl); 2263 memcpy(p, epms, outl);
2427 p+=outl; 2264 p += outl;
2428 n+=outl + 2; 2265 n += outl + 2;
2429 2266
2430 s->session->master_key_length= 2267 s->session->master_key_length =
2431 s->method->ssl3_enc->generate_master_secret(s, 2268 s->method->ssl3_enc->generate_master_secret(s,
2432 s->session->master_key, 2269 s->session->master_key,
2433 tmp_buf, sizeof tmp_buf); 2270 tmp_buf, sizeof tmp_buf);
2434 2271
2435 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2272 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2436 OPENSSL_cleanse(epms, outl); 2273 OPENSSL_cleanse(epms, outl);
2437 } 2274 }
2438#endif 2275#endif
2439#ifndef OPENSSL_NO_DH 2276#ifndef OPENSSL_NO_DH
2440 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2277 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2441 { 2278 DH *dh_srvr, *dh_clnt;
2442 DH *dh_srvr,*dh_clnt;
2443 2279
2444 if (s->session->sess_cert == NULL) 2280 if (s->session->sess_cert == NULL) {
2445 { 2281 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2446 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2282 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
2447 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2448 goto err; 2283 goto err;
2449 } 2284 }
2450 2285
2451 if (s->session->sess_cert->peer_dh_tmp != NULL) 2286 if (s->session->sess_cert->peer_dh_tmp != NULL)
2452 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2287 dh_srvr = s->session->sess_cert->peer_dh_tmp;
2453 else 2288 else {
2454 {
2455 /* we get them from the cert */ 2289 /* we get them from the cert */
2456 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2290 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2457 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2291 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2458 goto err; 2292 goto err;
2459 } 2293 }
2460 2294
2461 /* generate a new random key */ 2295 /* generate a new random key */
2462 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2296 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
2463 { 2297 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2464 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2465 goto err; 2298 goto err;
2466 } 2299 }
2467 if (!DH_generate_key(dh_clnt)) 2300 if (!DH_generate_key(dh_clnt)) {
2468 { 2301 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2469 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2470 DH_free(dh_clnt); 2302 DH_free(dh_clnt);
2471 goto err; 2303 goto err;
2472 } 2304 }
2473 2305
2474 /* use the 'p' output buffer for the DH key, but 2306 /* use the 'p' output buffer for the DH key, but
2475 * make sure to clear it out afterwards */ 2307 * make sure to clear it out afterwards */
2476 2308
2477 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2309 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
2478 2310
2479 if (n <= 0) 2311 if (n <= 0) {
2480 { 2312 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2481 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2482 DH_free(dh_clnt); 2313 DH_free(dh_clnt);
2483 goto err; 2314 goto err;
2484 } 2315 }
2485 2316
2486 /* generate master key from the result */ 2317 /* generate master key from the result */
2487 s->session->master_key_length= 2318 s->session->master_key_length =
2488 s->method->ssl3_enc->generate_master_secret(s, 2319 s->method->ssl3_enc->generate_master_secret(s,
2489 s->session->master_key,p,n); 2320 s->session->master_key, p, n);
2490 /* clean up */ 2321 /* clean up */
2491 memset(p,0,n); 2322 memset(p, 0, n);
2492 2323
2493 /* send off the data */ 2324 /* send off the data */
2494 n=BN_num_bytes(dh_clnt->pub_key); 2325 n = BN_num_bytes(dh_clnt->pub_key);
2495 s2n(n,p); 2326 s2n(n, p);
2496 BN_bn2bin(dh_clnt->pub_key,p); 2327 BN_bn2bin(dh_clnt->pub_key, p);
2497 n+=2; 2328 n += 2;
2498 2329
2499 DH_free(dh_clnt); 2330 DH_free(dh_clnt);
2500 2331
2501 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2332 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2502 } 2333 }
2503#endif 2334#endif
2504 2335
2505#ifndef OPENSSL_NO_ECDH 2336#ifndef OPENSSL_NO_ECDH
2506 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2337 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2507 {
2508 const EC_GROUP *srvr_group = NULL; 2338 const EC_GROUP *srvr_group = NULL;
2509 EC_KEY *tkey; 2339 EC_KEY *tkey;
2510 int ecdh_clnt_cert = 0; 2340 int ecdh_clnt_cert = 0;
@@ -2515,8 +2345,7 @@ int ssl3_send_client_key_exchange(SSL *s)
2515 * computation as part of client certificate? 2345 * computation as part of client certificate?
2516 * If so, set ecdh_clnt_cert to 1. 2346 * If so, set ecdh_clnt_cert to 1.
2517 */ 2347 */
2518 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2348 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) {
2519 {
2520 /* XXX: For now, we do not support client 2349 /* XXX: For now, we do not support client
2521 * authentication using ECDH certificates. 2350 * authentication using ECDH certificates.
2522 * To add such support, one needs to add 2351 * To add such support, one needs to add
@@ -2536,52 +2365,44 @@ int ssl3_send_client_key_exchange(SSL *s)
2536 * EVP_PKEY_EC) && ...) 2365 * EVP_PKEY_EC) && ...)
2537 * ecdh_clnt_cert = 1; 2366 * ecdh_clnt_cert = 1;
2538 */ 2367 */
2539 } 2368 }
2540 2369
2541 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2370 if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
2542 {
2543 tkey = s->session->sess_cert->peer_ecdh_tmp; 2371 tkey = s->session->sess_cert->peer_ecdh_tmp;
2544 } 2372 } else {
2545 else
2546 {
2547 /* Get the Server Public Key from Cert */ 2373 /* Get the Server Public Key from Cert */
2548 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2374 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2549 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2375 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2550 if ((srvr_pub_pkey == NULL) || 2376 if ((srvr_pub_pkey == NULL) ||
2551 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2377 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2552 (srvr_pub_pkey->pkey.ec == NULL)) 2378 (srvr_pub_pkey->pkey.ec == NULL)) {
2553 {
2554 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2379 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2555 ERR_R_INTERNAL_ERROR); 2380 ERR_R_INTERNAL_ERROR);
2556 goto err; 2381 goto err;
2557 } 2382 }
2558 2383
2559 tkey = srvr_pub_pkey->pkey.ec; 2384 tkey = srvr_pub_pkey->pkey.ec;
2560 } 2385 }
2561 2386
2562 srvr_group = EC_KEY_get0_group(tkey); 2387 srvr_group = EC_KEY_get0_group(tkey);
2563 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2388 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2564 2389
2565 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2390 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
2566 {
2567 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2391 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2568 ERR_R_INTERNAL_ERROR); 2392 ERR_R_INTERNAL_ERROR);
2569 goto err; 2393 goto err;
2570 } 2394 }
2571 2395
2572 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2396 if ((clnt_ecdh = EC_KEY_new()) == NULL) {
2573 { 2397 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2574 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2575 goto err; 2398 goto err;
2576 } 2399 }
2577 2400
2578 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2401 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
2579 { 2402 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2580 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2581 goto err; 2403 goto err;
2582 } 2404 }
2583 if (ecdh_clnt_cert) 2405 if (ecdh_clnt_cert) {
2584 {
2585 /* Reuse key info from our certificate 2406 /* Reuse key info from our certificate
2586 * We only need our private key to perform 2407 * We only need our private key to perform
2587 * the ECDH computation. 2408 * the ECDH computation.
@@ -2589,581 +2410,529 @@ int ssl3_send_client_key_exchange(SSL *s)
2589 const BIGNUM *priv_key; 2410 const BIGNUM *priv_key;
2590 tkey = s->cert->key->privatekey->pkey.ec; 2411 tkey = s->cert->key->privatekey->pkey.ec;
2591 priv_key = EC_KEY_get0_private_key(tkey); 2412 priv_key = EC_KEY_get0_private_key(tkey);
2592 if (priv_key == NULL) 2413 if (priv_key == NULL) {
2593 { 2414 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2594 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2595 goto err; 2415 goto err;
2596 } 2416 }
2597 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2417 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) {
2598 { 2418 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2600 goto err; 2419 goto err;
2601 }
2602 } 2420 }
2603 else 2421 } else {
2604 {
2605 /* Generate a new ECDH key pair */ 2422 /* Generate a new ECDH key pair */
2606 if (!(EC_KEY_generate_key(clnt_ecdh))) 2423 if (!(EC_KEY_generate_key(clnt_ecdh))) {
2607 {
2608 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2424 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2609 goto err; 2425 goto err;
2610 }
2611 } 2426 }
2427 }
2612 2428
2613 /* use the 'p' output buffer for the ECDH key, but 2429 /* use the 'p' output buffer for the ECDH key, but
2614 * make sure to clear it out afterwards 2430 * make sure to clear it out afterwards
2615 */ 2431 */
2616 2432
2617 field_size = EC_GROUP_get_degree(srvr_group); 2433 field_size = EC_GROUP_get_degree(srvr_group);
2618 if (field_size <= 0) 2434 if (field_size <= 0) {
2619 { 2435 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2620 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2436 ERR_R_ECDH_LIB);
2621 ERR_R_ECDH_LIB);
2622 goto err; 2437 goto err;
2623 } 2438 }
2624 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2439 n = ECDH_compute_key(p, (field_size + 7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2625 if (n <= 0) 2440 if (n <= 0) {
2626 { 2441 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2442 ERR_R_ECDH_LIB);
2628 ERR_R_ECDH_LIB);
2629 goto err; 2443 goto err;
2630 } 2444 }
2631 2445
2632 /* generate master key from the result */ 2446 /* generate master key from the result */
2633 s->session->master_key_length = s->method->ssl3_enc \ 2447 s->session->master_key_length = s->method->ssl3_enc \
2634 -> generate_master_secret(s, 2448 -> generate_master_secret(s,
2635 s->session->master_key, 2449 s->session->master_key,
2636 p, n); 2450 p, n);
2637 2451
2638 memset(p, 0, n); /* clean up */ 2452 memset(p, 0, n); /* clean up */
2639 2453
2640 if (ecdh_clnt_cert) 2454 if (ecdh_clnt_cert) {
2641 {
2642 /* Send empty client key exch message */ 2455 /* Send empty client key exch message */
2643 n = 0; 2456 n = 0;
2644 } 2457 } else {
2645 else
2646 {
2647 /* First check the size of encoding and 2458 /* First check the size of encoding and
2648 * allocate memory accordingly. 2459 * allocate memory accordingly.
2649 */ 2460 */
2650 encoded_pt_len = 2461 encoded_pt_len =
2651 EC_POINT_point2oct(srvr_group, 2462 EC_POINT_point2oct(srvr_group,
2652 EC_KEY_get0_public_key(clnt_ecdh), 2463 EC_KEY_get0_public_key(clnt_ecdh),
2653 POINT_CONVERSION_UNCOMPRESSED, 2464 POINT_CONVERSION_UNCOMPRESSED,
2654 NULL, 0, NULL); 2465 NULL, 0, NULL);
2655 2466
2656 encodedPoint = (unsigned char *) 2467 encodedPoint =
2657 OPENSSL_malloc(encoded_pt_len * 2468 (unsigned char *)OPENSSL_malloc(
2658 sizeof(unsigned char)); 2469 encoded_pt_len * sizeof(unsigned char));
2470
2659 bn_ctx = BN_CTX_new(); 2471 bn_ctx = BN_CTX_new();
2660 if ((encodedPoint == NULL) || 2472 if ((encodedPoint == NULL) ||
2661 (bn_ctx == NULL)) 2473 (bn_ctx == NULL)) {
2662 { 2474 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2663 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2664 goto err; 2475 goto err;
2665 } 2476 }
2666 2477
2667 /* Encode the public key */ 2478 /* Encode the public key */
2668 n = EC_POINT_point2oct(srvr_group, 2479 n = EC_POINT_point2oct(srvr_group,
2669 EC_KEY_get0_public_key(clnt_ecdh), 2480 EC_KEY_get0_public_key(clnt_ecdh),
2670 POINT_CONVERSION_UNCOMPRESSED, 2481 POINT_CONVERSION_UNCOMPRESSED,
2671 encodedPoint, encoded_pt_len, bn_ctx); 2482 encodedPoint, encoded_pt_len, bn_ctx);
2672 2483
2673 *p = n; /* length of encoded point */ 2484 *p = n; /* length of encoded point */
2674 /* Encoded point will be copied here */ 2485 /* Encoded point will be copied here */
2675 p += 1; 2486 p += 1;
2487
2676 /* copy the point */ 2488 /* copy the point */
2677 memcpy((unsigned char *)p, encodedPoint, n); 2489 memcpy((unsigned char *)p, encodedPoint, n);
2678 /* increment n to account for length field */ 2490 /* increment n to account for length field */
2679 n += 1; 2491 n += 1;
2680 } 2492
2493 }
2681 2494
2682 /* Free allocated memory */ 2495 /* Free allocated memory */
2683 BN_CTX_free(bn_ctx); 2496 BN_CTX_free(bn_ctx);
2684 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2497 if (encodedPoint != NULL)
2685 if (clnt_ecdh != NULL) 2498 OPENSSL_free(encodedPoint);
2686 EC_KEY_free(clnt_ecdh); 2499 if (clnt_ecdh != NULL)
2500 EC_KEY_free(clnt_ecdh);
2687 EVP_PKEY_free(srvr_pub_pkey); 2501 EVP_PKEY_free(srvr_pub_pkey);
2688 } 2502 }
2689#endif /* !OPENSSL_NO_ECDH */ 2503#endif /* !OPENSSL_NO_ECDH */
2690 else if (alg_k & SSL_kGOST) 2504 else if (alg_k & SSL_kGOST) {
2691 {
2692 /* GOST key exchange message creation */ 2505 /* GOST key exchange message creation */
2693 EVP_PKEY_CTX *pkey_ctx; 2506 EVP_PKEY_CTX *pkey_ctx;
2694 X509 *peer_cert; 2507 X509 *peer_cert;
2508
2695 size_t msglen; 2509 size_t msglen;
2696 unsigned int md_len; 2510 unsigned int md_len;
2697 int keytype; 2511 int keytype;
2698 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2512 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
2699 EVP_MD_CTX *ukm_hash; 2513 EVP_MD_CTX *ukm_hash;
2700 EVP_PKEY *pub_key; 2514 EVP_PKEY *pub_key;
2701 2515
2702 /* Get server sertificate PKEY and create ctx from it */ 2516 /* Get server sertificate PKEY and create ctx from it */
2703 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2517 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST01)].x509;
2704 if (!peer_cert) 2518 if (!peer_cert)
2705 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2519 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST94)].x509;
2706 if (!peer_cert) { 2520 if (!peer_cert) {
2707 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2521 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2708 goto err; 2522 goto err;
2709 } 2523 }
2710 2524
2711 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2525 pkey_ctx = EVP_PKEY_CTX_new(pub_key = X509_get_pubkey(peer_cert), NULL);
2712 /* If we have send a certificate, and certificate key 2526 /* If we have send a certificate, and certificate key
2713 2527
2714 * parameters match those of server certificate, use 2528 * parameters match those of server certificate, use
2715 * certificate key for key exchange 2529 * certificate key for key exchange
2716 */ 2530 */
2717 2531
2718 /* Otherwise, generate ephemeral key pair */ 2532 /* Otherwise, generate ephemeral key pair */
2719 2533
2720 EVP_PKEY_encrypt_init(pkey_ctx); 2534 EVP_PKEY_encrypt_init(pkey_ctx);
2721 /* Generate session key */ 2535 /* Generate session key */
2722 RAND_bytes(premaster_secret,32); 2536 RAND_bytes(premaster_secret, 32);
2723 /* If we have client certificate, use its secret as peer key */ 2537 /* If we have client certificate, use its secret as peer key */
2724 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2538 if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2725 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2539 if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <=0) {
2726 /* If there was an error - just ignore it. Ephemeral key 2540 /* If there was an error - just ignore it. Ephemeral key
2727 * would be used 2541 * would be used
2728 */ 2542 */
2729 ERR_clear_error(); 2543 ERR_clear_error();
2730 } 2544 }
2731 } 2545 }
2732 /* Compute shared IV and store it in algorithm-specific 2546 /* Compute shared IV and store it in algorithm-specific
2733 * context data */ 2547 * context data */
2734 ukm_hash = EVP_MD_CTX_create(); 2548 ukm_hash = EVP_MD_CTX_create();
2735 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2549 EVP_DigestInit(ukm_hash, EVP_get_digestbynid(NID_id_GostR3411_94));
2736 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2550 EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE);
2737 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2551 EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE);
2738 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2552 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2739 EVP_MD_CTX_destroy(ukm_hash); 2553 EVP_MD_CTX_destroy(ukm_hash);
2740 if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2554 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV,
2741 8,shared_ukm)<0) { 2555 8, shared_ukm) < 0) {
2742 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2556 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2743 SSL_R_LIBRARY_BUG); 2557 SSL_R_LIBRARY_BUG);
2744 goto err; 2558 goto err;
2745 } 2559 }
2746 /* Make GOST keytransport blob message */ 2560 /* Make GOST keytransport blob message */
2747 /*Encapsulate it into sequence */ 2561 /*Encapsulate it into sequence */
2748 *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2562 *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2749 msglen=255; 2563 msglen = 255;
2750 if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2564 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32) < 0) {
2751 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2565 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2752 SSL_R_LIBRARY_BUG); 2566 SSL_R_LIBRARY_BUG);
2753 goto err; 2567 goto err;
2754 } 2568 }
2755 if (msglen >= 0x80) 2569 if (msglen >= 0x80) {
2756 { 2570 *(p++) = 0x81;
2757 *(p++)=0x81; 2571 *(p++) = msglen & 0xff;
2758 *(p++)= msglen & 0xff; 2572 n = msglen + 3;
2759 n=msglen+3; 2573 } else {
2760 } 2574 *(p++) = msglen & 0xff;
2761 else 2575 n = msglen + 2;
2762 { 2576 }
2763 *(p++)= msglen & 0xff;
2764 n=msglen+2;
2765 }
2766 memcpy(p, tmp, msglen); 2577 memcpy(p, tmp, msglen);
2767 /* Check if pubkey from client certificate was used */ 2578 /* Check if pubkey from client certificate was used */
2768 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2579 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) {
2769 {
2770 /* Set flag "skip certificate verify" */ 2580 /* Set flag "skip certificate verify" */
2771 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2581 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2772 } 2582 }
2773 EVP_PKEY_CTX_free(pkey_ctx); 2583 EVP_PKEY_CTX_free(pkey_ctx);
2774 s->session->master_key_length= 2584 s->session->master_key_length =
2775 s->method->ssl3_enc->generate_master_secret(s, 2585 s->method->ssl3_enc->generate_master_secret(s,
2776 s->session->master_key,premaster_secret,32); 2586 s->session->master_key, premaster_secret, 32);
2777 EVP_PKEY_free(pub_key); 2587 EVP_PKEY_free(pub_key);
2778 2588
2779 } 2589 }
2780#ifndef OPENSSL_NO_SRP 2590#ifndef OPENSSL_NO_SRP
2781 else if (alg_k & SSL_kSRP) 2591 else if (alg_k & SSL_kSRP) {
2782 { 2592 if (s->srp_ctx.A != NULL) {
2783 if (s->srp_ctx.A != NULL)
2784 {
2785 /* send off the data */ 2593 /* send off the data */
2786 n=BN_num_bytes(s->srp_ctx.A); 2594 n = BN_num_bytes(s->srp_ctx.A);
2787 s2n(n,p); 2595 s2n(n, p);
2788 BN_bn2bin(s->srp_ctx.A,p); 2596 BN_bn2bin(s->srp_ctx.A, p);
2789 n+=2; 2597 n += 2;
2790 } 2598 } else {
2791 else 2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2792 {
2793 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2794 goto err; 2600 goto err;
2795 } 2601 }
2796 if (s->session->srp_username != NULL) 2602 if (s->session->srp_username != NULL)
2797 OPENSSL_free(s->session->srp_username); 2603 OPENSSL_free(s->session->srp_username);
2798 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2604 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2799 if (s->session->srp_username == NULL) 2605 if (s->session->srp_username == NULL) {
2800 {
2801 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2606 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2802 ERR_R_MALLOC_FAILURE); 2607 ERR_R_MALLOC_FAILURE);
2803 goto err; 2608 goto err;
2804 } 2609 }
2805 2610
2806 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 2611 if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
2807 { 2612 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2808 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2809 goto err; 2613 goto err;
2810 }
2811 } 2614 }
2615 }
2812#endif 2616#endif
2813#ifndef OPENSSL_NO_PSK 2617#ifndef OPENSSL_NO_PSK
2814 else if (alg_k & SSL_kPSK) 2618 else if (alg_k & SSL_kPSK) {
2815 {
2816 char identity[PSK_MAX_IDENTITY_LEN]; 2619 char identity[PSK_MAX_IDENTITY_LEN];
2817 unsigned char *t = NULL; 2620 unsigned char *t = NULL;
2818 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2621 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2819 unsigned int pre_ms_len = 0, psk_len = 0; 2622 unsigned int pre_ms_len = 0, psk_len = 0;
2820 int psk_err = 1; 2623 int psk_err = 1;
2821 2624
2822 n = 0; 2625 n = 0;
2823 if (s->psk_client_callback == NULL) 2626 if (s->psk_client_callback == NULL) {
2824 {
2825 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2826 SSL_R_PSK_NO_CLIENT_CB); 2628 SSL_R_PSK_NO_CLIENT_CB);
2827 goto err; 2629 goto err;
2828 } 2630 }
2829 2631
2830 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2632 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
2831 identity, PSK_MAX_IDENTITY_LEN, 2633 identity, PSK_MAX_IDENTITY_LEN,
2832 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2634 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2833 if (psk_len > PSK_MAX_PSK_LEN) 2635 if (psk_len > PSK_MAX_PSK_LEN) {
2834 {
2835 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2636 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2836 ERR_R_INTERNAL_ERROR); 2637 ERR_R_INTERNAL_ERROR);
2837 goto psk_err; 2638 goto psk_err;
2838 } 2639 } else if (psk_len == 0) {
2839 else if (psk_len == 0)
2840 {
2841 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2640 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2842 SSL_R_PSK_IDENTITY_NOT_FOUND); 2641 SSL_R_PSK_IDENTITY_NOT_FOUND);
2843 goto psk_err; 2642 goto psk_err;
2844 } 2643 }
2845 2644
2846 /* create PSK pre_master_secret */ 2645 /* create PSK pre_master_secret */
2847 pre_ms_len = 2+psk_len+2+psk_len; 2646 pre_ms_len = 2 + psk_len + 2 + psk_len;
2848 t = psk_or_pre_ms; 2647 t = psk_or_pre_ms;
2849 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2648 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2850 s2n(psk_len, t); 2649 s2n(psk_len, t);
2851 memset(t, 0, psk_len); 2650 memset(t, 0, psk_len);
2852 t+=psk_len; 2651 t += psk_len;
2853 s2n(psk_len, t); 2652 s2n(psk_len, t);
2854 2653
2855 if (s->session->psk_identity_hint != NULL) 2654 if (s->session->psk_identity_hint != NULL)
2856 OPENSSL_free(s->session->psk_identity_hint); 2655 OPENSSL_free(s->session->psk_identity_hint);
2857 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2656 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2858 if (s->ctx->psk_identity_hint != NULL && 2657 if (s->ctx->psk_identity_hint != NULL &&
2859 s->session->psk_identity_hint == NULL) 2658 s->session->psk_identity_hint == NULL) {
2860 {
2861 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2659 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2862 ERR_R_MALLOC_FAILURE); 2660 ERR_R_MALLOC_FAILURE);
2863 goto psk_err; 2661 goto psk_err;
2864 } 2662 }
2865 2663
2866 if (s->session->psk_identity != NULL) 2664 if (s->session->psk_identity != NULL)
2867 OPENSSL_free(s->session->psk_identity); 2665 OPENSSL_free(s->session->psk_identity);
2868 s->session->psk_identity = BUF_strdup(identity); 2666 s->session->psk_identity = BUF_strdup(identity);
2869 if (s->session->psk_identity == NULL) 2667 if (s->session->psk_identity == NULL) {
2870 {
2871 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2668 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2872 ERR_R_MALLOC_FAILURE); 2669 ERR_R_MALLOC_FAILURE);
2873 goto psk_err; 2670 goto psk_err;
2874 } 2671 }
2875 2672
2876 s->session->master_key_length = 2673 s->session->master_key_length =
2877 s->method->ssl3_enc->generate_master_secret(s, 2674 s->method->ssl3_enc->generate_master_secret(
2878 s->session->master_key, 2675 s, s->session->master_key, psk_or_pre_ms,
2879 psk_or_pre_ms, pre_ms_len); 2676 pre_ms_len);
2677
2880 n = strlen(identity); 2678 n = strlen(identity);
2881 s2n(n, p); 2679 s2n(n, p);
2882 memcpy(p, identity, n); 2680 memcpy(p, identity, n);
2883 n+=2; 2681 n += 2;
2884 psk_err = 0; 2682 psk_err = 0;
2885 psk_err: 2683 psk_err:
2886 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2684 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2887 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2685 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2888 if (psk_err != 0) 2686 if (psk_err != 0) {
2889 {
2890 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2687 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2891 goto err; 2688 goto err;
2892 }
2893 } 2689 }
2690 }
2894#endif 2691#endif
2895 else 2692 else {
2896 {
2897 ssl3_send_alert(s, SSL3_AL_FATAL, 2693 ssl3_send_alert(s, SSL3_AL_FATAL,
2898 SSL_AD_HANDSHAKE_FAILURE); 2694 SSL_AD_HANDSHAKE_FAILURE);
2899 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2695 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2900 ERR_R_INTERNAL_ERROR); 2696 ERR_R_INTERNAL_ERROR);
2901 goto err; 2697 goto err;
2902 } 2698 }
2903
2904 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2905 l2n3(n,d);
2906 2699
2907 s->state=SSL3_ST_CW_KEY_EXCH_B; 2700 *(d++) = SSL3_MT_CLIENT_KEY_EXCHANGE;
2701 l2n3(n, d);
2702
2703 s->state = SSL3_ST_CW_KEY_EXCH_B;
2908 /* number of bytes to write */ 2704 /* number of bytes to write */
2909 s->init_num=n+4; 2705 s->init_num = n + 4;
2910 s->init_off=0; 2706 s->init_off = 0;
2911 } 2707 }
2912 2708
2913 /* SSL3_ST_CW_KEY_EXCH_B */ 2709 /* SSL3_ST_CW_KEY_EXCH_B */
2914 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2710 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2915err: 2711err:
2916#ifndef OPENSSL_NO_ECDH 2712#ifndef OPENSSL_NO_ECDH
2917 BN_CTX_free(bn_ctx); 2713 BN_CTX_free(bn_ctx);
2918 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2714 if (encodedPoint != NULL)
2919 if (clnt_ecdh != NULL) 2715 OPENSSL_free(encodedPoint);
2716 if (clnt_ecdh != NULL)
2920 EC_KEY_free(clnt_ecdh); 2717 EC_KEY_free(clnt_ecdh);
2921 EVP_PKEY_free(srvr_pub_pkey); 2718 EVP_PKEY_free(srvr_pub_pkey);
2922#endif 2719#endif
2923 return(-1); 2720 return (-1);
2924 } 2721}
2925 2722
2926int ssl3_send_client_verify(SSL *s) 2723int
2927 { 2724ssl3_send_client_verify(SSL *s)
2928 unsigned char *p,*d; 2725{
2929 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2726 unsigned char *p, *d;
2727 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2930 EVP_PKEY *pkey; 2728 EVP_PKEY *pkey;
2931 EVP_PKEY_CTX *pctx=NULL; 2729 EVP_PKEY_CTX *pctx = NULL;
2932 EVP_MD_CTX mctx; 2730 EVP_MD_CTX mctx;
2933 unsigned u=0; 2731 unsigned u = 0;
2934 unsigned long n; 2732 unsigned long n;
2935 int j; 2733 int j;
2936 2734
2937 EVP_MD_CTX_init(&mctx); 2735 EVP_MD_CTX_init(&mctx);
2938 2736
2939 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2737 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
2940 { 2738 d = (unsigned char *)s->init_buf->data;
2941 d=(unsigned char *)s->init_buf->data; 2739 p = &(d[4]);
2942 p= &(d[4]); 2740 pkey = s->cert->key->privatekey;
2943 pkey=s->cert->key->privatekey;
2944/* Create context from key and test if sha1 is allowed as digest */ 2741/* Create context from key and test if sha1 is allowed as digest */
2945 pctx = EVP_PKEY_CTX_new(pkey,NULL); 2742 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2946 EVP_PKEY_sign_init(pctx); 2743 EVP_PKEY_sign_init(pctx);
2947 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2744 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
2948 {
2949 if (TLS1_get_version(s) < TLS1_2_VERSION) 2745 if (TLS1_get_version(s) < TLS1_2_VERSION)
2950 s->method->ssl3_enc->cert_verify_mac(s, 2746 s->method->ssl3_enc->cert_verify_mac(s,
2951 NID_sha1, 2747 NID_sha1,
2952 &(data[MD5_DIGEST_LENGTH])); 2748 &(data[MD5_DIGEST_LENGTH]));
2953 } 2749 } else {
2954 else
2955 {
2956 ERR_clear_error(); 2750 ERR_clear_error();
2957 } 2751 }
2958 /* For TLS v1.2 send signature algorithm and signature 2752 /* For TLS v1.2 send signature algorithm and signature
2959 * using agreed digest and cached handshake records. 2753 * using agreed digest and cached handshake records.
2960 */ 2754 */
2961 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2755 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2962 {
2963 long hdatalen = 0; 2756 long hdatalen = 0;
2964 void *hdata; 2757 void *hdata;
2965 const EVP_MD *md = s->cert->key->digest; 2758 const EVP_MD *md = s->cert->key->digest;
2966 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 2759 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2967 &hdata); 2760 &hdata);
2968 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 2761 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
2969 {
2970 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2762 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2971 ERR_R_INTERNAL_ERROR); 2763 ERR_R_INTERNAL_ERROR);
2972 goto err; 2764 goto err;
2973 } 2765 }
2974 p += 2; 2766 p += 2;
2975#ifdef SSL_DEBUG 2767#ifdef SSL_DEBUG
2976 fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 2768 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2977 EVP_MD_name(md)); 2769 EVP_MD_name(md));
2978#endif 2770#endif
2979 if (!EVP_SignInit_ex(&mctx, md, NULL) 2771 if (!EVP_SignInit_ex(&mctx, md, NULL) ||
2980 || !EVP_SignUpdate(&mctx, hdata, hdatalen) 2772 !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
2981 || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 2773 !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
2982 {
2983 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2774 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2984 ERR_R_EVP_LIB); 2775 ERR_R_EVP_LIB);
2985 goto err; 2776 goto err;
2986 } 2777 }
2987 s2n(u,p); 2778 s2n(u, p);
2988 n = u + 4; 2779 n = u + 4;
2989 if (!ssl3_digest_cached_records(s)) 2780 if (!ssl3_digest_cached_records(s))
2990 goto err; 2781 goto err;
2991 } 2782 } else
2992 else
2993#ifndef OPENSSL_NO_RSA 2783#ifndef OPENSSL_NO_RSA
2994 if (pkey->type == EVP_PKEY_RSA) 2784 if (pkey->type == EVP_PKEY_RSA) {
2995 { 2785 s->method->ssl3_enc->cert_verify_mac(
2996 s->method->ssl3_enc->cert_verify_mac(s, 2786 s, NID_md5, &(data[0]));
2997 NID_md5,
2998 &(data[0]));
2999 if (RSA_sign(NID_md5_sha1, data, 2787 if (RSA_sign(NID_md5_sha1, data,
3000 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 2788 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
3001 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 2789 &u, pkey->pkey.rsa) <= 0 ) {
3002 { 2790 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB);
3003 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
3004 goto err; 2791 goto err;
3005 }
3006 s2n(u,p);
3007 n=u+2;
3008 } 2792 }
3009 else 2793 s2n(u, p);
2794 n = u + 2;
2795 } else
3010#endif 2796#endif
3011#ifndef OPENSSL_NO_DSA 2797#ifndef OPENSSL_NO_DSA
3012 if (pkey->type == EVP_PKEY_DSA) 2798 if (pkey->type == EVP_PKEY_DSA) {
3013 {
3014 if (!DSA_sign(pkey->save_type, 2799 if (!DSA_sign(pkey->save_type,
3015 &(data[MD5_DIGEST_LENGTH]), 2800 &(data[MD5_DIGEST_LENGTH]),
3016 SHA_DIGEST_LENGTH,&(p[2]), 2801 SHA_DIGEST_LENGTH, &(p[2]),
3017 (unsigned int *)&j,pkey->pkey.dsa)) 2802 (unsigned int *)&j, pkey->pkey.dsa)) {
3018 { 2803 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB);
3019 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
3020 goto err; 2804 goto err;
3021 }
3022 s2n(j,p);
3023 n=j+2;
3024 } 2805 }
3025 else 2806 s2n(j, p);
2807 n = j + 2;
2808 } else
3026#endif 2809#endif
3027#ifndef OPENSSL_NO_ECDSA 2810#ifndef OPENSSL_NO_ECDSA
3028 if (pkey->type == EVP_PKEY_EC) 2811 if (pkey->type == EVP_PKEY_EC) {
3029 {
3030 if (!ECDSA_sign(pkey->save_type, 2812 if (!ECDSA_sign(pkey->save_type,
3031 &(data[MD5_DIGEST_LENGTH]), 2813 &(data[MD5_DIGEST_LENGTH]),
3032 SHA_DIGEST_LENGTH,&(p[2]), 2814 SHA_DIGEST_LENGTH, &(p[2]),
3033 (unsigned int *)&j,pkey->pkey.ec)) 2815 (unsigned int *)&j, pkey->pkey.ec)) {
3034 {
3035 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2816 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3036 ERR_R_ECDSA_LIB); 2817 ERR_R_ECDSA_LIB);
3037 goto err; 2818 goto err;
3038 }
3039 s2n(j,p);
3040 n=j+2;
3041 } 2819 }
3042 else 2820 s2n(j, p);
2821 n = j + 2;
2822 } else
3043#endif 2823#endif
3044 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2824 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3045 { 2825 unsigned char signbuf[64];
3046 unsigned char signbuf[64]; 2826 int i;
3047 int i; 2827 size_t sigsize = 64;
3048 size_t sigsize=64; 2828 s->method->ssl3_enc->cert_verify_mac(s,
3049 s->method->ssl3_enc->cert_verify_mac(s,
3050 NID_id_GostR3411_94, 2829 NID_id_GostR3411_94,
3051 data); 2830 data);
3052 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 2831 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
3053 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2832 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3054 ERR_R_INTERNAL_ERROR); 2833 ERR_R_INTERNAL_ERROR);
3055 goto err; 2834 goto err;
3056 } 2835 }
3057 for (i=63,j=0; i>=0; j++, i--) { 2836 for (i = 63, j = 0; i >= 0; j++, i--) {
3058 p[2+j]=signbuf[i]; 2837 p[2 + j] = signbuf[i];
3059 } 2838 }
3060 s2n(j,p); 2839 s2n(j, p);
3061 n=j+2; 2840 n = j + 2;
3062 } 2841 } else {
3063 else 2842 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
3064 {
3065 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
3066 goto err; 2843 goto err;
3067 } 2844 }
3068 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 2845 *(d++) = SSL3_MT_CERTIFICATE_VERIFY;
3069 l2n3(n,d); 2846 l2n3(n, d);
3070 2847
3071 s->state=SSL3_ST_CW_CERT_VRFY_B; 2848 s->state = SSL3_ST_CW_CERT_VRFY_B;
3072 s->init_num=(int)n+4; 2849 s->init_num = (int)n + 4;
3073 s->init_off=0; 2850 s->init_off = 0;
3074 } 2851 }
3075 EVP_MD_CTX_cleanup(&mctx); 2852 EVP_MD_CTX_cleanup(&mctx);
3076 EVP_PKEY_CTX_free(pctx); 2853 EVP_PKEY_CTX_free(pctx);
3077 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2854 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3078err: 2855err:
3079 EVP_MD_CTX_cleanup(&mctx); 2856 EVP_MD_CTX_cleanup(&mctx);
3080 EVP_PKEY_CTX_free(pctx); 2857 EVP_PKEY_CTX_free(pctx);
3081 return(-1); 2858 return (-1);
3082 } 2859}
3083 2860
3084int ssl3_send_client_certificate(SSL *s) 2861int
3085 { 2862ssl3_send_client_certificate(SSL *s)
3086 X509 *x509=NULL; 2863{
3087 EVP_PKEY *pkey=NULL; 2864 X509 *x509 = NULL;
2865 EVP_PKEY *pkey = NULL;
3088 int i; 2866 int i;
3089 unsigned long l; 2867 unsigned long l;
3090 2868
3091 if (s->state == SSL3_ST_CW_CERT_A) 2869 if (s->state == SSL3_ST_CW_CERT_A) {
3092 { 2870 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
3093 if ((s->cert == NULL) || 2871 (s->cert->key->privatekey == NULL))
3094 (s->cert->key->x509 == NULL) || 2872 s->state = SSL3_ST_CW_CERT_B;
3095 (s->cert->key->privatekey == NULL))
3096 s->state=SSL3_ST_CW_CERT_B;
3097 else 2873 else
3098 s->state=SSL3_ST_CW_CERT_C; 2874 s->state = SSL3_ST_CW_CERT_C;
3099 } 2875 }
3100 2876
3101 /* We need to get a client cert */ 2877 /* We need to get a client cert */
3102 if (s->state == SSL3_ST_CW_CERT_B) 2878 if (s->state == SSL3_ST_CW_CERT_B) {
3103 {
3104 /* If we get an error, we need to 2879 /* If we get an error, we need to
3105 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 2880 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
3106 * We then get retied later */ 2881 * We then get retied later */
3107 i=0; 2882 i = 0;
3108 i = ssl_do_client_cert_cb(s, &x509, &pkey); 2883 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3109 if (i < 0) 2884 if (i < 0) {
3110 { 2885 s->rwstate = SSL_X509_LOOKUP;
3111 s->rwstate=SSL_X509_LOOKUP; 2886 return (-1);
3112 return(-1); 2887 }
3113 } 2888 s->rwstate = SSL_NOTHING;
3114 s->rwstate=SSL_NOTHING; 2889 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3115 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 2890 s->state = SSL3_ST_CW_CERT_B;
3116 { 2891 if (!SSL_use_certificate(s, x509) ||
3117 s->state=SSL3_ST_CW_CERT_B; 2892 !SSL_use_PrivateKey(s, pkey))
3118 if ( !SSL_use_certificate(s,x509) || 2893 i = 0;
3119 !SSL_use_PrivateKey(s,pkey)) 2894 } else if (i == 1) {
3120 i=0; 2895 i = 0;
3121 } 2896 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3122 else if (i == 1) 2897 }
3123 { 2898
3124 i=0; 2899 if (x509 != NULL)
3125 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 2900 X509_free(x509);
3126 } 2901 if (pkey != NULL)
3127 2902 EVP_PKEY_free(pkey);
3128 if (x509 != NULL) X509_free(x509); 2903 if (i == 0) {
3129 if (pkey != NULL) EVP_PKEY_free(pkey); 2904 if (s->version == SSL3_VERSION) {
3130 if (i == 0) 2905 s->s3->tmp.cert_req = 0;
3131 { 2906 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3132 if (s->version == SSL3_VERSION) 2907 return (1);
3133 { 2908 } else {
3134 s->s3->tmp.cert_req=0; 2909 s->s3->tmp.cert_req = 2;
3135 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
3136 return(1);
3137 }
3138 else
3139 {
3140 s->s3->tmp.cert_req=2;
3141 }
3142 } 2910 }
2911 }
3143 2912
3144 /* Ok, we have a cert */ 2913 /* Ok, we have a cert */
3145 s->state=SSL3_ST_CW_CERT_C; 2914 s->state = SSL3_ST_CW_CERT_C;
3146 } 2915 }
3147 2916
3148 if (s->state == SSL3_ST_CW_CERT_C) 2917 if (s->state == SSL3_ST_CW_CERT_C) {
3149 { 2918 s->state = SSL3_ST_CW_CERT_D;
3150 s->state=SSL3_ST_CW_CERT_D; 2919 l = ssl3_output_cert_chain(s,
3151 l=ssl3_output_cert_chain(s, 2920 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
3152 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 2921 s->init_num = (int)l;
3153 s->init_num=(int)l; 2922 s->init_off = 0;
3154 s->init_off=0;
3155 }
3156 /* SSL3_ST_CW_CERT_D */
3157 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3158 } 2923 }
2924 /* SSL3_ST_CW_CERT_D */
2925 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2926}
3159 2927
3160#define has_bits(i,m) (((i)&(m)) == (m)) 2928#define has_bits(i,m) (((i)&(m)) == (m))
3161 2929
3162int ssl3_check_cert_and_algorithm(SSL *s) 2930int
3163 { 2931ssl3_check_cert_and_algorithm(SSL *s)
3164 int i,idx; 2932{
3165 long alg_k,alg_a; 2933 int i, idx;
3166 EVP_PKEY *pkey=NULL; 2934 long alg_k, alg_a;
2935 EVP_PKEY *pkey = NULL;
3167 SESS_CERT *sc; 2936 SESS_CERT *sc;
3168#ifndef OPENSSL_NO_RSA 2937#ifndef OPENSSL_NO_RSA
3169 RSA *rsa; 2938 RSA *rsa;
@@ -3172,138 +2941,120 @@ int ssl3_check_cert_and_algorithm(SSL *s)
3172 DH *dh; 2941 DH *dh;
3173#endif 2942#endif
3174 2943
3175 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2944 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3176 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 2945 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3177 2946
3178 /* we don't have a certificate */ 2947 /* we don't have a certificate */
3179 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 2948 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
3180 return(1); 2949 return (1);
3181 2950
3182 sc=s->session->sess_cert; 2951 sc = s->session->sess_cert;
3183 if (sc == NULL) 2952 if (sc == NULL) {
3184 { 2953 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
3185 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
3186 goto err; 2954 goto err;
3187 } 2955 }
3188 2956
3189#ifndef OPENSSL_NO_RSA 2957#ifndef OPENSSL_NO_RSA
3190 rsa=s->session->sess_cert->peer_rsa_tmp; 2958 rsa = s->session->sess_cert->peer_rsa_tmp;
3191#endif 2959#endif
3192#ifndef OPENSSL_NO_DH 2960#ifndef OPENSSL_NO_DH
3193 dh=s->session->sess_cert->peer_dh_tmp; 2961 dh = s->session->sess_cert->peer_dh_tmp;
3194#endif 2962#endif
3195 2963
3196 /* This is the passed certificate */ 2964 /* This is the passed certificate */
3197 2965
3198 idx=sc->peer_cert_type; 2966 idx = sc->peer_cert_type;
3199#ifndef OPENSSL_NO_ECDH 2967#ifndef OPENSSL_NO_ECDH
3200 if (idx == SSL_PKEY_ECC) 2968 if (idx == SSL_PKEY_ECC) {
3201 {
3202 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2969 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
3203 s) == 0) 2970 s) == 0)
3204 { /* check failed */ 2971 { /* check failed */
3205 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 2972 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3206 goto f_err; 2973 goto f_err;
3207 } 2974 } else {
3208 else
3209 {
3210 return 1; 2975 return 1;
3211 }
3212 } 2976 }
2977 }
3213#endif 2978#endif
3214 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 2979 pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
3215 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 2980 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
3216 EVP_PKEY_free(pkey); 2981 EVP_PKEY_free(pkey);
3217 2982
3218 2983
3219 /* Check that we have a certificate if we require one */ 2984 /* Check that we have a certificate if we require one */
3220 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 2985 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
3221 { 2986 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT);
3222 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
3223 goto f_err; 2987 goto f_err;
3224 } 2988 }
3225#ifndef OPENSSL_NO_DSA 2989#ifndef OPENSSL_NO_DSA
3226 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 2990 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
3227 { 2991 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT);
3228 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
3229 goto f_err; 2992 goto f_err;
3230 } 2993 }
3231#endif 2994#endif
3232#ifndef OPENSSL_NO_RSA 2995#ifndef OPENSSL_NO_RSA
3233 if ((alg_k & SSL_kRSA) && 2996 if ((alg_k & SSL_kRSA) &&
3234 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 2997 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
3235 { 2998 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3236 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3237 goto f_err; 2999 goto f_err;
3238 } 3000 }
3239#endif 3001#endif
3240#ifndef OPENSSL_NO_DH 3002#ifndef OPENSSL_NO_DH
3241 if ((alg_k & SSL_kEDH) && 3003 if ((alg_k & SSL_kEDH) &&
3242 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 3004 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
3243 { 3005 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY);
3244 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
3245 goto f_err; 3006 goto f_err;
3246 } 3007 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
3247 else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 3008 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT);
3248 {
3249 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
3250 goto f_err; 3009 goto f_err;
3251 } 3010 }
3252#ifndef OPENSSL_NO_DSA 3011#ifndef OPENSSL_NO_DSA
3253 else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 3012 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
3254 { 3013 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT);
3255 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
3256 goto f_err; 3014 goto f_err;
3257 } 3015 }
3258#endif 3016#endif
3259#endif 3017#endif
3260 3018
3261 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 3019 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
3262 {
3263#ifndef OPENSSL_NO_RSA 3020#ifndef OPENSSL_NO_RSA
3264 if (alg_k & SSL_kRSA) 3021 if (alg_k & SSL_kRSA) {
3265 { 3022 if (rsa == NULL ||
3266 if (rsa == NULL 3023 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3267 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3024 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3268 {
3269 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3270 goto f_err; 3025 goto f_err;
3271 }
3272 } 3026 }
3273 else 3027 } else
3274#endif 3028#endif
3275#ifndef OPENSSL_NO_DH 3029#ifndef OPENSSL_NO_DH
3276 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 3030 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
3277 { 3031 if (dh == NULL ||
3278 if (dh == NULL 3032 DH_size(dh) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3279 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3033 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3280 {
3281 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3282 goto f_err; 3034 goto f_err;
3283 }
3284 } 3035 }
3285 else 3036 } else
3286#endif 3037#endif
3287 { 3038 {
3288 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 3039 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3289 goto f_err; 3040 goto f_err;
3290 }
3291 } 3041 }
3292 return(1); 3042 }
3043 return (1);
3293f_err: 3044f_err:
3294 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 3045 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3295err: 3046err:
3296 return(0); 3047 return (0);
3297 } 3048}
3298 3049
3299#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 3050#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3300int ssl3_send_next_proto(SSL *s) 3051int
3301 { 3052ssl3_send_next_proto(SSL *s)
3053{
3302 unsigned int len, padding_len; 3054 unsigned int len, padding_len;
3303 unsigned char *d; 3055 unsigned char *d;
3304 3056
3305 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3057 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
3306 {
3307 len = s->next_proto_negotiated_len; 3058 len = s->next_proto_negotiated_len;
3308 padding_len = 32 - ((len + 2) % 32); 3059 padding_len = 32 - ((len + 2) % 32);
3309 d = (unsigned char *)s->init_buf->data; 3060 d = (unsigned char *)s->init_buf->data;
@@ -3311,12 +3062,12 @@ int ssl3_send_next_proto(SSL *s)
3311 memcpy(d + 5, s->next_proto_negotiated, len); 3062 memcpy(d + 5, s->next_proto_negotiated, len);
3312 d[5 + len] = padding_len; 3063 d[5 + len] = padding_len;
3313 memset(d + 6 + len, 0, padding_len); 3064 memset(d + 6 + len, 0, padding_len);
3314 *(d++)=SSL3_MT_NEXT_PROTO; 3065 *(d++) = SSL3_MT_NEXT_PROTO;
3315 l2n3(2 + len + padding_len, d); 3066 l2n3(2 + len + padding_len, d);
3316 s->state = SSL3_ST_CW_NEXT_PROTO_B; 3067 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3317 s->init_num = 4 + 2 + len + padding_len; 3068 s->init_num = 4 + 2 + len + padding_len;
3318 s->init_off = 0; 3069 s->init_off = 0;
3319 } 3070 }
3320 3071
3321 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3072 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3322} 3073}
@@ -3328,8 +3079,9 @@ int ssl3_send_next_proto(SSL *s)
3328 */ 3079 */
3329 3080
3330#ifndef OPENSSL_NO_TLSEXT 3081#ifndef OPENSSL_NO_TLSEXT
3331int ssl3_check_finished(SSL *s) 3082int
3332 { 3083ssl3_check_finished(SSL *s)
3084{
3333 int ok; 3085 int ok;
3334 long n; 3086 long n;
3335 /* If we have no ticket it cannot be a resumed session. */ 3087 /* If we have no ticket it cannot be a resumed session. */
@@ -3337,36 +3089,33 @@ int ssl3_check_finished(SSL *s)
3337 return 1; 3089 return 1;
3338 /* this function is called when we really expect a Certificate 3090 /* this function is called when we really expect a Certificate
3339 * message, so permit appropriate message length */ 3091 * message, so permit appropriate message length */
3340 n=s->method->ssl_get_message(s, 3092 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
3341 SSL3_ST_CR_CERT_A, 3093 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
3342 SSL3_ST_CR_CERT_B, 3094 if (!ok)
3343 -1, 3095 return ((int)n);
3344 s->max_cert_list,
3345 &ok);
3346 if (!ok) return((int)n);
3347 s->s3->tmp.reuse_message = 1; 3096 s->s3->tmp.reuse_message = 1;
3348 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3097 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) ||
3349 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3098 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3350 return 2; 3099 return 2;
3351 3100
3352 return 1; 3101 return 1;
3353 } 3102}
3354#endif 3103#endif
3355 3104
3356int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3105int
3357 { 3106ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3107{
3358 int i = 0; 3108 int i = 0;
3359#ifndef OPENSSL_NO_ENGINE 3109#ifndef OPENSSL_NO_ENGINE
3360 if (s->ctx->client_cert_engine) 3110 if (s->ctx->client_cert_engine) {
3361 {
3362 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3111 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3363 SSL_get_client_CA_list(s), 3112 SSL_get_client_CA_list(s),
3364 px509, ppkey, NULL, NULL, NULL); 3113 px509, ppkey, NULL, NULL, NULL);
3365 if (i != 0) 3114 if (i != 0)
3366 return i; 3115 return i;
3367 } 3116 }
3368#endif 3117#endif
3369 if (s->ctx->client_cert_cb) 3118 if (s->ctx->client_cert_cb)
3370 i = s->ctx->client_cert_cb(s,px509,ppkey); 3119 i = s->ctx->client_cert_cb(s, px509, ppkey);
3371 return i; 3120 return i;
3372 } 3121}
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 518dfcd5e2..eeadb160d1 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -171,92 +171,86 @@
171 171
172static const SSL_METHOD *ssl3_get_server_method(int ver); 172static const SSL_METHOD *ssl3_get_server_method(int ver);
173 173
174static const SSL_METHOD *ssl3_get_server_method(int ver) 174static const SSL_METHOD
175 { 175*ssl3_get_server_method(int ver)
176{
176 if (ver == SSL3_VERSION) 177 if (ver == SSL3_VERSION)
177 return(SSLv3_server_method()); 178 return (SSLv3_server_method());
178 else 179 else
179 return(NULL); 180 return (NULL);
180 } 181}
181 182
182#ifndef OPENSSL_NO_SRP 183#ifndef OPENSSL_NO_SRP
183static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) 184static int
184 { 185ssl_check_srp_ext_ClientHello(SSL *s, int *al)
186{
185 int ret = SSL_ERROR_NONE; 187 int ret = SSL_ERROR_NONE;
186 188
187 *al = SSL_AD_UNRECOGNIZED_NAME; 189 *al = SSL_AD_UNRECOGNIZED_NAME;
188 190
189 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 191 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
190 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) 192 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
191 { 193 if (s->srp_ctx.login == NULL) {
192 if(s->srp_ctx.login == NULL)
193 {
194 /* RFC 5054 says SHOULD reject, 194 /* RFC 5054 says SHOULD reject,
195 we do so if There is no srp login name */ 195 we do so if There is no srp login name */
196 ret = SSL3_AL_FATAL; 196 ret = SSL3_AL_FATAL;
197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
198 } 198 } else {
199 else 199 ret = SSL_srp_server_param_with_username(s, al);
200 {
201 ret = SSL_srp_server_param_with_username(s,al);
202 }
203 } 200 }
204 return ret;
205 } 201 }
202 return ret;
203}
206#endif 204#endif
207 205
208IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 206IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
209 ssl3_accept, 207 ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
210 ssl_undefined_function,
211 ssl3_get_server_method)
212 208
213int ssl3_accept(SSL *s) 209int
214 { 210ssl3_accept(SSL *s)
211{
215 BUF_MEM *buf; 212 BUF_MEM *buf;
216 unsigned long alg_k,Time=(unsigned long)time(NULL); 213 unsigned long alg_k, Time = (unsigned long)time(NULL);
217 void (*cb)(const SSL *ssl,int type,int val)=NULL; 214 void (*cb)(const SSL *ssl, int type, int val) = NULL;
218 int ret= -1; 215 int ret = -1;
219 int new_state,state,skip=0; 216 int new_state, state, skip = 0;
220 217
221 RAND_add(&Time,sizeof(Time),0); 218 RAND_add(&Time, sizeof(Time), 0);
222 ERR_clear_error(); 219 ERR_clear_error();
223 errno = 0; 220 errno = 0;
224 221
225 if (s->info_callback != NULL) 222 if (s->info_callback != NULL)
226 cb=s->info_callback; 223 cb = s->info_callback;
227 else if (s->ctx->info_callback != NULL) 224 else if (s->ctx->info_callback != NULL)
228 cb=s->ctx->info_callback; 225 cb = s->ctx->info_callback;
229 226
230 /* init things to blank */ 227 /* init things to blank */
231 s->in_handshake++; 228 s->in_handshake++;
232 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 229 if (!SSL_in_init(s) || SSL_in_before(s))
230 SSL_clear(s);
233 231
234 if (s->cert == NULL) 232 if (s->cert == NULL) {
235 { 233 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
236 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 234 return (-1);
237 return(-1); 235 }
238 }
239 236
240#ifndef OPENSSL_NO_HEARTBEATS 237#ifndef OPENSSL_NO_HEARTBEATS
241 /* If we're awaiting a HeartbeatResponse, pretend we 238 /* If we're awaiting a HeartbeatResponse, pretend we
242 * already got and don't await it anymore, because 239 * already got and don't await it anymore, because
243 * Heartbeats don't make sense during handshakes anyway. 240 * Heartbeats don't make sense during handshakes anyway.
244 */ 241 */
245 if (s->tlsext_hb_pending) 242 if (s->tlsext_hb_pending) {
246 {
247 s->tlsext_hb_pending = 0; 243 s->tlsext_hb_pending = 0;
248 s->tlsext_hb_seq++; 244 s->tlsext_hb_seq++;
249 } 245 }
250#endif 246#endif
251 247
252 for (;;) 248 for (;;) {
253 { 249 state = s->state;
254 state=s->state;
255 250
256 switch (s->state) 251 switch (s->state) {
257 {
258 case SSL_ST_RENEGOTIATE: 252 case SSL_ST_RENEGOTIATE:
259 s->renegotiate=1; 253 s->renegotiate = 1;
260 /* s->state=SSL_ST_ACCEPT; */ 254 /* s->state=SSL_ST_ACCEPT; */
261 255
262 case SSL_ST_BEFORE: 256 case SSL_ST_BEFORE:
@@ -264,146 +258,143 @@ int ssl3_accept(SSL *s)
264 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 258 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
265 case SSL_ST_OK|SSL_ST_ACCEPT: 259 case SSL_ST_OK|SSL_ST_ACCEPT:
266 260
267 s->server=1; 261 s->server = 1;
268 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 262 if (cb != NULL)
263 cb(s, SSL_CB_HANDSHAKE_START, 1);
269 264
270 if ((s->version>>8) != 3) 265 if ((s->version >> 8) != 3) {
271 {
272 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 266 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
273 return -1; 267 return -1;
274 } 268 }
275 s->type=SSL_ST_ACCEPT; 269 s->type = SSL_ST_ACCEPT;
276 270
277 if (s->init_buf == NULL) 271 if (s->init_buf == NULL) {
278 { 272 if ((buf = BUF_MEM_new()) == NULL) {
279 if ((buf=BUF_MEM_new()) == NULL) 273 ret = -1;
280 {
281 ret= -1;
282 goto end; 274 goto end;
283 } 275 }
284 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 276 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
285 { 277 ret = -1;
286 ret= -1;
287 goto end; 278 goto end;
288 }
289 s->init_buf=buf;
290 } 279 }
280 s->init_buf = buf;
281 }
291 282
292 if (!ssl3_setup_buffers(s)) 283 if (!ssl3_setup_buffers(s)) {
293 { 284 ret = -1;
294 ret= -1;
295 goto end; 285 goto end;
296 } 286 }
297 287
298 s->init_num=0; 288 s->init_num = 0;
299 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 289 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
300 290
301 if (s->state != SSL_ST_RENEGOTIATE) 291 if (s->state != SSL_ST_RENEGOTIATE) {
302 {
303 /* Ok, we now need to push on a buffering BIO so that 292 /* Ok, we now need to push on a buffering BIO so that
304 * the output is sent in a way that TCP likes :-) 293 * the output is sent in a way that TCP likes :-)
305 */ 294 */
306 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 295 if (!ssl_init_wbio_buffer(s, 1)) {
307 296 ret = -1;
297 goto end;
298 }
299
308 ssl3_init_finished_mac(s); 300 ssl3_init_finished_mac(s);
309 s->state=SSL3_ST_SR_CLNT_HELLO_A; 301 s->state = SSL3_ST_SR_CLNT_HELLO_A;
310 s->ctx->stats.sess_accept++; 302 s->ctx->stats.sess_accept++;
311 } 303 } else if (!s->s3->send_connection_binding &&
312 else if (!s->s3->send_connection_binding && 304 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
313 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
314 {
315 /* Server attempting to renegotiate with 305 /* Server attempting to renegotiate with
316 * client that doesn't support secure 306 * client that doesn't support secure
317 * renegotiation. 307 * renegotiation.
318 */ 308 */
319 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 309 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
320 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 310 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
321 ret = -1; 311 ret = -1;
322 goto end; 312 goto end;
323 } 313 } else {
324 else
325 {
326 /* s->state == SSL_ST_RENEGOTIATE, 314 /* s->state == SSL_ST_RENEGOTIATE,
327 * we will just send a HelloRequest */ 315 * we will just send a HelloRequest */
328 s->ctx->stats.sess_accept_renegotiate++; 316 s->ctx->stats.sess_accept_renegotiate++;
329 s->state=SSL3_ST_SW_HELLO_REQ_A; 317 s->state = SSL3_ST_SW_HELLO_REQ_A;
330 } 318 }
331 break; 319 break;
332 320
333 case SSL3_ST_SW_HELLO_REQ_A: 321 case SSL3_ST_SW_HELLO_REQ_A:
334 case SSL3_ST_SW_HELLO_REQ_B: 322 case SSL3_ST_SW_HELLO_REQ_B:
335 323
336 s->shutdown=0; 324 s->shutdown = 0;
337 ret=ssl3_send_hello_request(s); 325 ret = ssl3_send_hello_request(s);
338 if (ret <= 0) goto end; 326 if (ret <= 0)
339 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 327 goto end;
340 s->state=SSL3_ST_SW_FLUSH; 328 s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
341 s->init_num=0; 329 s->state = SSL3_ST_SW_FLUSH;
330 s->init_num = 0;
342 331
343 ssl3_init_finished_mac(s); 332 ssl3_init_finished_mac(s);
344 break; 333 break;
345 334
346 case SSL3_ST_SW_HELLO_REQ_C: 335 case SSL3_ST_SW_HELLO_REQ_C:
347 s->state=SSL_ST_OK; 336 s->state = SSL_ST_OK;
348 break; 337 break;
349 338
350 case SSL3_ST_SR_CLNT_HELLO_A: 339 case SSL3_ST_SR_CLNT_HELLO_A:
351 case SSL3_ST_SR_CLNT_HELLO_B: 340 case SSL3_ST_SR_CLNT_HELLO_B:
352 case SSL3_ST_SR_CLNT_HELLO_C: 341 case SSL3_ST_SR_CLNT_HELLO_C:
353 342
354 s->shutdown=0; 343 s->shutdown = 0;
355 if (s->rwstate != SSL_X509_LOOKUP) 344 if (s->rwstate != SSL_X509_LOOKUP) {
356 { 345 ret = ssl3_get_client_hello(s);
357 ret=ssl3_get_client_hello(s); 346 if (ret <= 0)
358 if (ret <= 0) goto end; 347 goto end;
359 } 348 }
360#ifndef OPENSSL_NO_SRP 349#ifndef OPENSSL_NO_SRP
361 { 350 {
362 int al; 351 int al;
363 if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0) 352 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
364 {
365 /* callback indicates firther work to be done */ 353 /* callback indicates firther work to be done */
366 s->rwstate=SSL_X509_LOOKUP; 354 s->rwstate = SSL_X509_LOOKUP;
367 goto end; 355 goto end;
368 } 356 }
369 if (ret != SSL_ERROR_NONE) 357 if (ret != SSL_ERROR_NONE) {
370 { 358 ssl3_send_alert(s, SSL3_AL_FATAL, al);
371 ssl3_send_alert(s,SSL3_AL_FATAL,al); 359
372 /* This is not really an error but the only means to 360 /* This is not really an error but the only means to
373 for a client to detect whether srp is supported. */ 361 for a client to detect whether srp is supported. */
374 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 362 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
375 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); 363 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
376 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 364
377 ret= -1; 365 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
378 goto end; 366
367 ret = -1;
368 goto end;
369
379 } 370 }
380 } 371 }
381#endif 372#endif
382 373
383 s->renegotiate = 2; 374 s->renegotiate = 2;
384 s->state=SSL3_ST_SW_SRVR_HELLO_A; 375 s->state = SSL3_ST_SW_SRVR_HELLO_A;
385 s->init_num=0; 376 s->init_num = 0;
386 break; 377 break;
387 378
388 case SSL3_ST_SW_SRVR_HELLO_A: 379 case SSL3_ST_SW_SRVR_HELLO_A:
389 case SSL3_ST_SW_SRVR_HELLO_B: 380 case SSL3_ST_SW_SRVR_HELLO_B:
390 ret=ssl3_send_server_hello(s); 381 ret = ssl3_send_server_hello(s);
391 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
392#ifndef OPENSSL_NO_TLSEXT 384#ifndef OPENSSL_NO_TLSEXT
393 if (s->hit) 385 if (s->hit) {
394 {
395 if (s->tlsext_ticket_expected) 386 if (s->tlsext_ticket_expected)
396 s->state=SSL3_ST_SW_SESSION_TICKET_A; 387 s->state = SSL3_ST_SW_SESSION_TICKET_A;
397 else 388 else
398 s->state=SSL3_ST_SW_CHANGE_A; 389 s->state = SSL3_ST_SW_CHANGE_A;
399 } 390 }
400#else 391#else
401 if (s->hit) 392 if (s->hit)
402 s->state=SSL3_ST_SW_CHANGE_A; 393 s->state = SSL3_ST_SW_CHANGE_A;
403#endif 394#endif
404 else 395 else
405 s->state=SSL3_ST_SW_CERT_A; 396 s->state = SSL3_ST_SW_CERT_A;
406 s->init_num=0; 397 s->init_num = 0;
407 break; 398 break;
408 399
409 case SSL3_ST_SW_CERT_A: 400 case SSL3_ST_SW_CERT_A:
@@ -412,29 +403,26 @@ int ssl3_accept(SSL *s)
412 /* normal PSK or KRB5 or SRP */ 403 /* normal PSK or KRB5 or SRP */
413 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 404 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
414 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 405 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
415 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 406 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) {
416 { 407 ret = ssl3_send_server_certificate(s);
417 ret=ssl3_send_server_certificate(s); 408 if (ret <= 0)
418 if (ret <= 0) goto end; 409 goto end;
419#ifndef OPENSSL_NO_TLSEXT 410#ifndef OPENSSL_NO_TLSEXT
420 if (s->tlsext_status_expected) 411 if (s->tlsext_status_expected)
421 s->state=SSL3_ST_SW_CERT_STATUS_A; 412 s->state = SSL3_ST_SW_CERT_STATUS_A;
422 else 413 else
423 s->state=SSL3_ST_SW_KEY_EXCH_A; 414 s->state = SSL3_ST_SW_KEY_EXCH_A;
424 } 415 } else {
425 else
426 {
427 skip = 1; 416 skip = 1;
428 s->state=SSL3_ST_SW_KEY_EXCH_A; 417 s->state = SSL3_ST_SW_KEY_EXCH_A;
429 } 418 }
430#else 419#else
431 } 420 } else
432 else 421 skip = 1;
433 skip=1;
434 422
435 s->state=SSL3_ST_SW_KEY_EXCH_A; 423 s->state = SSL3_ST_SW_KEY_EXCH_A;
436#endif 424#endif
437 s->init_num=0; 425 s->init_num = 0;
438 break; 426 break;
439 427
440 case SSL3_ST_SW_KEY_EXCH_A: 428 case SSL3_ST_SW_KEY_EXCH_A:
@@ -445,16 +433,16 @@ int ssl3_accept(SSL *s)
445 * send_server_key_exchange */ 433 * send_server_key_exchange */
446 if ((s->options & SSL_OP_EPHEMERAL_RSA) 434 if ((s->options & SSL_OP_EPHEMERAL_RSA)
447#ifndef OPENSSL_NO_KRB5 435#ifndef OPENSSL_NO_KRB5
448 && !(alg_k & SSL_kKRB5) 436 && !(alg_k & SSL_kKRB5)
449#endif /* OPENSSL_NO_KRB5 */ 437#endif /* OPENSSL_NO_KRB5 */
450 ) 438 )
451 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 439 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
452 * even when forbidden by protocol specs 440 * even when forbidden by protocol specs
453 * (handshake may fail as clients are not required to 441 * (handshake may fail as clients are not required to
454 * be able to handle this) */ 442 * be able to handle this) */
455 s->s3->tmp.use_rsa_tmp=1; 443 s->s3->tmp.use_rsa_tmp = 1;
456 else 444 else
457 s->s3->tmp.use_rsa_tmp=0; 445 s->s3->tmp.use_rsa_tmp = 0;
458 446
459 447
460 /* only send if a DH key exchange, fortezza or 448 /* only send if a DH key exchange, fortezza or
@@ -475,83 +463,81 @@ int ssl3_accept(SSL *s)
475 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 463 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
476#endif 464#endif
477#ifndef OPENSSL_NO_SRP 465#ifndef OPENSSL_NO_SRP
478 /* SRP: send ServerKeyExchange */ 466 /* SRP: send ServerKeyExchange */
479 || (alg_k & SSL_kSRP) 467 || (alg_k & SSL_kSRP)
480#endif 468#endif
481 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 469 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
482 || (alg_k & SSL_kEECDH) 470 || (alg_k & SSL_kEECDH)
483 || ((alg_k & SSL_kRSA) 471 || ((alg_k & SSL_kRSA)
484 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 472 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
485 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 473 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
486 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 474 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
487 )
488 )
489 )
490 ) 475 )
491 { 476 )
492 ret=ssl3_send_server_key_exchange(s); 477 )
493 if (ret <= 0) goto end; 478 ) {
494 } 479 ret = ssl3_send_server_key_exchange(s);
495 else 480 if (ret <= 0)
496 skip=1; 481 goto end;
482 } else
483 skip = 1;
497 484
498 s->state=SSL3_ST_SW_CERT_REQ_A; 485 s->state = SSL3_ST_SW_CERT_REQ_A;
499 s->init_num=0; 486 s->init_num = 0;
500 break; 487 break;
501 488
502 case SSL3_ST_SW_CERT_REQ_A: 489 case SSL3_ST_SW_CERT_REQ_A:
503 case SSL3_ST_SW_CERT_REQ_B: 490 case SSL3_ST_SW_CERT_REQ_B:
504 if (/* don't request cert unless asked for it: */ 491 if (/* don't request cert unless asked for it: */
505 !(s->verify_mode & SSL_VERIFY_PEER) || 492 !(s->verify_mode & SSL_VERIFY_PEER) ||
506 /* if SSL_VERIFY_CLIENT_ONCE is set, 493 /* if SSL_VERIFY_CLIENT_ONCE is set,
507 * don't request cert during re-negotiation: */ 494 * don't request cert during re-negotiation: */
508 ((s->session->peer != NULL) && 495 ((s->session->peer != NULL) &&
509 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 496 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
510 /* never request cert in anonymous ciphersuites 497 /* never request cert in anonymous ciphersuites
511 * (see section "Certificate request" in SSL 3 drafts 498 * (see section "Certificate request" in SSL 3 drafts
512 * and in RFC 2246): */ 499 * and in RFC 2246): */
513 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 500 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
514 /* ... except when the application insists on verification 501 /* ... except when the application insists on verification
515 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 502 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
516 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 503 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
517 /* never request cert in Kerberos ciphersuites */ 504 /* never request cert in Kerberos ciphersuites */
518 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 505 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
519 /* With normal PSK Certificates and 506 /* With normal PSK Certificates and
520 * Certificate Requests are omitted */ 507 * Certificate Requests are omitted */
521 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 508 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
522 {
523 /* no cert request */ 509 /* no cert request */
524 skip=1; 510 skip = 1;
525 s->s3->tmp.cert_request=0; 511 s->s3->tmp.cert_request = 0;
526 s->state=SSL3_ST_SW_SRVR_DONE_A; 512 s->state = SSL3_ST_SW_SRVR_DONE_A;
527 if (s->s3->handshake_buffer) 513 if (s->s3->handshake_buffer)
528 if (!ssl3_digest_cached_records(s)) 514 if (!ssl3_digest_cached_records(s))
529 return -1; 515 return -1;
530 } 516 } else {
531 else 517 s->s3->tmp.cert_request = 1;
532 { 518 ret = ssl3_send_certificate_request(s);
533 s->s3->tmp.cert_request=1; 519 if (ret <= 0)
534 ret=ssl3_send_certificate_request(s); 520 goto end;
535 if (ret <= 0) goto end;
536#ifndef NETSCAPE_HANG_BUG 521#ifndef NETSCAPE_HANG_BUG
537 s->state=SSL3_ST_SW_SRVR_DONE_A; 522 s->state = SSL3_ST_SW_SRVR_DONE_A;
538#else 523#else
539 s->state=SSL3_ST_SW_FLUSH; 524 s->state = SSL3_ST_SW_FLUSH;
540 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 525 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
541#endif 526#endif
542 s->init_num=0; 527 s->init_num = 0;
543 } 528 }
544 break; 529 break;
545 530
546 case SSL3_ST_SW_SRVR_DONE_A: 531 case SSL3_ST_SW_SRVR_DONE_A:
547 case SSL3_ST_SW_SRVR_DONE_B: 532 case SSL3_ST_SW_SRVR_DONE_B:
548 ret=ssl3_send_server_done(s); 533 ret = ssl3_send_server_done(s);
549 if (ret <= 0) goto end; 534 if (ret <= 0)
550 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 535 goto end;
551 s->state=SSL3_ST_SW_FLUSH; 536 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
552 s->init_num=0; 537 s->state = SSL3_ST_SW_FLUSH;
538 s->init_num = 0;
553 break; 539 break;
554 540
555 case SSL3_ST_SW_FLUSH: 541 case SSL3_ST_SW_FLUSH:
556 542
557 /* This code originally checked to see if 543 /* This code originally checked to see if
@@ -564,15 +550,14 @@ int ssl3_accept(SSL *s)
564 * unconditionally. 550 * unconditionally.
565 */ 551 */
566 552
567 s->rwstate=SSL_WRITING; 553 s->rwstate = SSL_WRITING;
568 if (BIO_flush(s->wbio) <= 0) 554 if (BIO_flush(s->wbio) <= 0) {
569 { 555 ret = -1;
570 ret= -1;
571 goto end; 556 goto end;
572 } 557 }
573 s->rwstate=SSL_NOTHING; 558 s->rwstate = SSL_NOTHING;
574 559
575 s->state=s->s3->tmp.next_state; 560 s->state = s->s3->tmp.next_state;
576 break; 561 break;
577 562
578 case SSL3_ST_SR_CERT_A: 563 case SSL3_ST_SR_CERT_A:
@@ -584,23 +569,22 @@ int ssl3_accept(SSL *s)
584 if (ret == 2) 569 if (ret == 2)
585 s->state = SSL3_ST_SR_CLNT_HELLO_C; 570 s->state = SSL3_ST_SR_CLNT_HELLO_C;
586 else { 571 else {
587 if (s->s3->tmp.cert_request) 572 if (s->s3->tmp.cert_request) {
588 { 573 ret = ssl3_get_client_certificate(s);
589 ret=ssl3_get_client_certificate(s); 574 if (ret <= 0)
590 if (ret <= 0) goto end; 575 goto end;
591 } 576 }
592 s->init_num=0; 577 s->init_num = 0;
593 s->state=SSL3_ST_SR_KEY_EXCH_A; 578 s->state = SSL3_ST_SR_KEY_EXCH_A;
594 } 579 }
595 break; 580 break;
596 581
597 case SSL3_ST_SR_KEY_EXCH_A: 582 case SSL3_ST_SR_KEY_EXCH_A:
598 case SSL3_ST_SR_KEY_EXCH_B: 583 case SSL3_ST_SR_KEY_EXCH_B:
599 ret=ssl3_get_client_key_exchange(s); 584 ret = ssl3_get_client_key_exchange(s);
600 if (ret <= 0) 585 if (ret <= 0)
601 goto end; 586 goto end;
602 if (ret == 2) 587 if (ret == 2) {
603 {
604 /* For the ECDH ciphersuites when 588 /* For the ECDH ciphersuites when
605 * the client sends its ECDH pub key in 589 * the client sends its ECDH pub key in
606 * a certificate, the CertificateVerify 590 * a certificate, the CertificateVerify
@@ -610,40 +594,35 @@ int ssl3_accept(SSL *s)
610 * for key exchange. 594 * for key exchange.
611 */ 595 */
612#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 596#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
613 s->state=SSL3_ST_SR_FINISHED_A; 597 s->state = SSL3_ST_SR_FINISHED_A;
614#else 598#else
615 if (s->s3->next_proto_neg_seen) 599 if (s->s3->next_proto_neg_seen)
616 s->state=SSL3_ST_SR_NEXT_PROTO_A; 600 s->state = SSL3_ST_SR_NEXT_PROTO_A;
617 else 601 else
618 s->state=SSL3_ST_SR_FINISHED_A; 602 s->state = SSL3_ST_SR_FINISHED_A;
619#endif 603#endif
620 s->init_num = 0; 604 s->init_num = 0;
621 } 605 } else if (TLS1_get_version(s) >= TLS1_2_VERSION) {
622 else if (TLS1_get_version(s) >= TLS1_2_VERSION) 606 s->state = SSL3_ST_SR_CERT_VRFY_A;
623 { 607 s->init_num = 0;
624 s->state=SSL3_ST_SR_CERT_VRFY_A;
625 s->init_num=0;
626 if (!s->session->peer) 608 if (!s->session->peer)
627 break; 609 break;
628 /* For TLS v1.2 freeze the handshake buffer 610 /* For TLS v1.2 freeze the handshake buffer
629 * at this point and digest cached records. 611 * at this point and digest cached records.
630 */ 612 */
631 if (!s->s3->handshake_buffer) 613 if (!s->s3->handshake_buffer) {
632 { 614 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
633 SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
634 return -1; 615 return -1;
635 } 616 }
636 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 617 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
637 if (!ssl3_digest_cached_records(s)) 618 if (!ssl3_digest_cached_records(s))
638 return -1; 619 return -1;
639 } 620 } else {
640 else 621 int offset = 0;
641 {
642 int offset=0;
643 int dgst_num; 622 int dgst_num;
644 623
645 s->state=SSL3_ST_SR_CERT_VRFY_A; 624 s->state = SSL3_ST_SR_CERT_VRFY_A;
646 s->init_num=0; 625 s->init_num = 0;
647 626
648 /* We need to get hashes here so if there is 627 /* We need to get hashes here so if there is
649 * a client cert, it can be verified 628 * a client cert, it can be verified
@@ -653,82 +632,85 @@ int ssl3_accept(SSL *s)
653 if (s->s3->handshake_buffer) 632 if (s->s3->handshake_buffer)
654 if (!ssl3_digest_cached_records(s)) 633 if (!ssl3_digest_cached_records(s))
655 return -1; 634 return -1;
656 for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++) 635 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
657 if (s->s3->handshake_dgst[dgst_num]) 636 if (s->s3->handshake_dgst[dgst_num]) {
658 { 637 int dgst_size;
659 int dgst_size; 638
660 639 s->method->ssl3_enc->cert_verify_mac(s, EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]), &(s->s3->tmp.cert_verify_md[offset]));
661 s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset])); 640 dgst_size = EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
662 dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 641 if (dgst_size < 0) {
663 if (dgst_size < 0) 642 ret = -1;
664 { 643 goto end;
665 ret = -1; 644 }
666 goto end; 645 offset += dgst_size;
667 }
668 offset+=dgst_size;
669 }
670 } 646 }
647 }
671 break; 648 break;
672 649
673 case SSL3_ST_SR_CERT_VRFY_A: 650 case SSL3_ST_SR_CERT_VRFY_A:
674 case SSL3_ST_SR_CERT_VRFY_B: 651 case SSL3_ST_SR_CERT_VRFY_B:
675 652
676 /* we should decide if we expected this one */ 653 /* we should decide if we expected this one */
677 ret=ssl3_get_cert_verify(s); 654 ret = ssl3_get_cert_verify(s);
678 if (ret <= 0) goto end; 655 if (ret <= 0)
656 goto end;
679 657
680#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 658#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
681 s->state=SSL3_ST_SR_FINISHED_A; 659 s->state = SSL3_ST_SR_FINISHED_A;
682#else 660#else
683 if (s->s3->next_proto_neg_seen) 661 if (s->s3->next_proto_neg_seen)
684 s->state=SSL3_ST_SR_NEXT_PROTO_A; 662 s->state = SSL3_ST_SR_NEXT_PROTO_A;
685 else 663 else
686 s->state=SSL3_ST_SR_FINISHED_A; 664 s->state = SSL3_ST_SR_FINISHED_A;
687#endif 665#endif
688 s->init_num=0; 666 s->init_num = 0;
689 break; 667 break;
690 668
691#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 669#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
692 case SSL3_ST_SR_NEXT_PROTO_A: 670 case SSL3_ST_SR_NEXT_PROTO_A:
693 case SSL3_ST_SR_NEXT_PROTO_B: 671 case SSL3_ST_SR_NEXT_PROTO_B:
694 ret=ssl3_get_next_proto(s); 672 ret = ssl3_get_next_proto(s);
695 if (ret <= 0) goto end; 673 if (ret <= 0)
674 goto end;
696 s->init_num = 0; 675 s->init_num = 0;
697 s->state=SSL3_ST_SR_FINISHED_A; 676 s->state = SSL3_ST_SR_FINISHED_A;
698 break; 677 break;
699#endif 678#endif
700 679
701 case SSL3_ST_SR_FINISHED_A: 680 case SSL3_ST_SR_FINISHED_A:
702 case SSL3_ST_SR_FINISHED_B: 681 case SSL3_ST_SR_FINISHED_B:
703 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 682 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
704 SSL3_ST_SR_FINISHED_B); 683 SSL3_ST_SR_FINISHED_B);
705 if (ret <= 0) goto end; 684 if (ret <= 0)
685 goto end;
706 if (s->hit) 686 if (s->hit)
707 s->state=SSL_ST_OK; 687 s->state = SSL_ST_OK;
708#ifndef OPENSSL_NO_TLSEXT 688#ifndef OPENSSL_NO_TLSEXT
709 else if (s->tlsext_ticket_expected) 689 else if (s->tlsext_ticket_expected)
710 s->state=SSL3_ST_SW_SESSION_TICKET_A; 690 s->state = SSL3_ST_SW_SESSION_TICKET_A;
711#endif 691#endif
712 else 692 else
713 s->state=SSL3_ST_SW_CHANGE_A; 693 s->state = SSL3_ST_SW_CHANGE_A;
714 s->init_num=0; 694 s->init_num = 0;
715 break; 695 break;
716 696
717#ifndef OPENSSL_NO_TLSEXT 697#ifndef OPENSSL_NO_TLSEXT
718 case SSL3_ST_SW_SESSION_TICKET_A: 698 case SSL3_ST_SW_SESSION_TICKET_A:
719 case SSL3_ST_SW_SESSION_TICKET_B: 699 case SSL3_ST_SW_SESSION_TICKET_B:
720 ret=ssl3_send_newsession_ticket(s); 700 ret = ssl3_send_newsession_ticket(s);
721 if (ret <= 0) goto end; 701 if (ret <= 0)
722 s->state=SSL3_ST_SW_CHANGE_A; 702 goto end;
723 s->init_num=0; 703 s->state = SSL3_ST_SW_CHANGE_A;
704 s->init_num = 0;
724 break; 705 break;
725 706
726 case SSL3_ST_SW_CERT_STATUS_A: 707 case SSL3_ST_SW_CERT_STATUS_A:
727 case SSL3_ST_SW_CERT_STATUS_B: 708 case SSL3_ST_SW_CERT_STATUS_B:
728 ret=ssl3_send_cert_status(s); 709 ret = ssl3_send_cert_status(s);
729 if (ret <= 0) goto end; 710 if (ret <= 0)
730 s->state=SSL3_ST_SW_KEY_EXCH_A; 711 goto end;
731 s->init_num=0; 712 s->state = SSL3_ST_SW_KEY_EXCH_A;
713 s->init_num = 0;
732 break; 714 break;
733 715
734#endif 716#endif
@@ -736,48 +718,49 @@ int ssl3_accept(SSL *s)
736 case SSL3_ST_SW_CHANGE_A: 718 case SSL3_ST_SW_CHANGE_A:
737 case SSL3_ST_SW_CHANGE_B: 719 case SSL3_ST_SW_CHANGE_B:
738 720
739 s->session->cipher=s->s3->tmp.new_cipher; 721 s->session->cipher = s->s3->tmp.new_cipher;
740 if (!s->method->ssl3_enc->setup_key_block(s)) 722 if (!s->method->ssl3_enc->setup_key_block(s)) {
741 { ret= -1; goto end; } 723 ret = -1;
724 goto end;
725 }
742 726
743 ret=ssl3_send_change_cipher_spec(s, 727 ret = ssl3_send_change_cipher_spec(s,
744 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 728 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
745 729
746 if (ret <= 0) goto end; 730 if (ret <= 0)
747 s->state=SSL3_ST_SW_FINISHED_A; 731 goto end;
748 s->init_num=0; 732 s->state = SSL3_ST_SW_FINISHED_A;
733 s->init_num = 0;
749 734
750 if (!s->method->ssl3_enc->change_cipher_state(s, 735 if (!s->method->ssl3_enc->change_cipher_state(
751 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 736 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
752 { 737 ret = -1;
753 ret= -1;
754 goto end; 738 goto end;
755 } 739 }
756 740
757 break; 741 break;
758 742
759 case SSL3_ST_SW_FINISHED_A: 743 case SSL3_ST_SW_FINISHED_A:
760 case SSL3_ST_SW_FINISHED_B: 744 case SSL3_ST_SW_FINISHED_B:
761 ret=ssl3_send_finished(s, 745 ret = ssl3_send_finished(s,
762 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 746 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
763 s->method->ssl3_enc->server_finished_label, 747 s->method->ssl3_enc->server_finished_label,
764 s->method->ssl3_enc->server_finished_label_len); 748 s->method->ssl3_enc->server_finished_label_len);
765 if (ret <= 0) goto end; 749 if (ret <= 0)
766 s->state=SSL3_ST_SW_FLUSH; 750 goto end;
767 if (s->hit) 751 s->state = SSL3_ST_SW_FLUSH;
768 { 752 if (s->hit) {
769#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 753#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
770 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 754 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
771#else 755#else
772 if (s->s3->next_proto_neg_seen) 756 if (s->s3->next_proto_neg_seen)
773 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; 757 s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A;
774 else 758 else
775 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 759 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
776#endif 760#endif
777 } 761 } else
778 else 762 s->s3->tmp.next_state = SSL_ST_OK;
779 s->s3->tmp.next_state=SSL_ST_OK; 763 s->init_num = 0;
780 s->init_num=0;
781 break; 764 break;
782 765
783 case SSL_ST_OK: 766 case SSL_ST_OK:
@@ -785,146 +768,143 @@ int ssl3_accept(SSL *s)
785 ssl3_cleanup_key_block(s); 768 ssl3_cleanup_key_block(s);
786 769
787 BUF_MEM_free(s->init_buf); 770 BUF_MEM_free(s->init_buf);
788 s->init_buf=NULL; 771 s->init_buf = NULL;
789 772
790 /* remove buffering on output */ 773 /* remove buffering on output */
791 ssl_free_wbio_buffer(s); 774 ssl_free_wbio_buffer(s);
792 775
793 s->init_num=0; 776 s->init_num = 0;
794 777
795 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 778 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
796 { 779 {
797 s->renegotiate=0; 780 s->renegotiate = 0;
798 s->new_session=0; 781 s->new_session = 0;
799 782
800 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 783 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
801 784
802 s->ctx->stats.sess_accept_good++; 785 s->ctx->stats.sess_accept_good++;
803 /* s->server=1; */ 786 /* s->server=1; */
804 s->handshake_func=ssl3_accept; 787 s->handshake_func = ssl3_accept;
788
789 if (cb != NULL)
790 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
791 }
805 792
806 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
807 }
808
809 ret = 1; 793 ret = 1;
810 goto end; 794 goto end;
811 /* break; */ 795 /* break; */
812 796
813 default: 797 default:
814 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 798 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
815 ret= -1; 799 ret = -1;
816 goto end; 800 goto end;
817 /* break; */ 801 /* break; */
818 } 802 }
819 803
820 if (!s->s3->tmp.reuse_message && !skip) 804 if (!s->s3->tmp.reuse_message && !skip) {
821 { 805 if (s->debug) {
822 if (s->debug) 806 if ((ret = BIO_flush(s->wbio)) <= 0)
823 {
824 if ((ret=BIO_flush(s->wbio)) <= 0)
825 goto end; 807 goto end;
826 } 808 }
827 809
828 810
829 if ((cb != NULL) && (s->state != state)) 811 if ((cb != NULL) && (s->state != state)) {
830 { 812 new_state = s->state;
831 new_state=s->state; 813 s->state = state;
832 s->state=state; 814 cb(s, SSL_CB_ACCEPT_LOOP, 1);
833 cb(s,SSL_CB_ACCEPT_LOOP,1); 815 s->state = new_state;
834 s->state=new_state;
835 }
836 } 816 }
837 skip=0;
838 } 817 }
818 skip = 0;
819 }
839end: 820end:
840 /* BIO_flush(s->wbio); */ 821 /* BIO_flush(s->wbio); */
841 822
842 s->in_handshake--; 823 s->in_handshake--;
843 if (cb != NULL) 824 if (cb != NULL)
844 cb(s,SSL_CB_ACCEPT_EXIT,ret); 825 cb(s, SSL_CB_ACCEPT_EXIT, ret);
845 return(ret); 826 return (ret);
846 } 827}
847 828
848int ssl3_send_hello_request(SSL *s) 829int
849 { 830ssl3_send_hello_request(SSL *s)
831{
850 unsigned char *p; 832 unsigned char *p;
851 833
852 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 834 if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
853 { 835 p = (unsigned char *)s->init_buf->data;
854 p=(unsigned char *)s->init_buf->data; 836 *(p++) = SSL3_MT_HELLO_REQUEST;
855 *(p++)=SSL3_MT_HELLO_REQUEST; 837 *(p++) = 0;
856 *(p++)=0; 838 *(p++) = 0;
857 *(p++)=0; 839 *(p++) = 0;
858 *(p++)=0;
859 840
860 s->state=SSL3_ST_SW_HELLO_REQ_B; 841 s->state = SSL3_ST_SW_HELLO_REQ_B;
861 /* number of bytes to write */ 842 /* number of bytes to write */
862 s->init_num=4; 843 s->init_num = 4;
863 s->init_off=0; 844 s->init_off = 0;
864 } 845 }
865 846
866 /* SSL3_ST_SW_HELLO_REQ_B */ 847 /* SSL3_ST_SW_HELLO_REQ_B */
867 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 848 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
868 } 849}
869 850
870int ssl3_check_client_hello(SSL *s) 851int
871 { 852ssl3_check_client_hello(SSL *s)
853{
872 int ok; 854 int ok;
873 long n; 855 long n;
874 856
875 /* this function is called when we really expect a Certificate message, 857 /* this function is called when we really expect a Certificate message,
876 * so permit appropriate message length */ 858 * so permit appropriate message length */
877 n=s->method->ssl_get_message(s, 859 n = s->method->ssl_get_message(s,
878 SSL3_ST_SR_CERT_A, 860 SSL3_ST_SR_CERT_A,
879 SSL3_ST_SR_CERT_B, 861 SSL3_ST_SR_CERT_B,
880 -1, 862 -1,
881 s->max_cert_list, 863 s->max_cert_list,
882 &ok); 864 &ok);
883 if (!ok) return((int)n); 865 if (!ok)
866 return ((int)n);
884 s->s3->tmp.reuse_message = 1; 867 s->s3->tmp.reuse_message = 1;
885 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 868 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
886 {
887 /* We only allow the client to restart the handshake once per 869 /* We only allow the client to restart the handshake once per
888 * negotiation. */ 870 * negotiation. */
889 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) 871 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
890 {
891 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 872 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
892 return -1; 873 return -1;
893 } 874 }
894 /* Throw away what we have done so far in the current handshake, 875 /* Throw away what we have done so far in the current handshake,
895 * which will now be aborted. (A full SSL_clear would be too much.) */ 876 * which will now be aborted. (A full SSL_clear would be too much.) */
896#ifndef OPENSSL_NO_DH 877#ifndef OPENSSL_NO_DH
897 if (s->s3->tmp.dh != NULL) 878 if (s->s3->tmp.dh != NULL) {
898 {
899 DH_free(s->s3->tmp.dh); 879 DH_free(s->s3->tmp.dh);
900 s->s3->tmp.dh = NULL; 880 s->s3->tmp.dh = NULL;
901 } 881 }
902#endif 882#endif
903#ifndef OPENSSL_NO_ECDH 883#ifndef OPENSSL_NO_ECDH
904 if (s->s3->tmp.ecdh != NULL) 884 if (s->s3->tmp.ecdh != NULL) {
905 {
906 EC_KEY_free(s->s3->tmp.ecdh); 885 EC_KEY_free(s->s3->tmp.ecdh);
907 s->s3->tmp.ecdh = NULL; 886 s->s3->tmp.ecdh = NULL;
908 } 887 }
909#endif 888#endif
910 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 889 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
911 return 2; 890 return 2;
912 } 891 }
913 return 1; 892 return 1;
914} 893}
915 894
916int ssl3_get_client_hello(SSL *s) 895int
917 { 896ssl3_get_client_hello(SSL *s)
918 int i,j,ok,al,ret= -1; 897{
898 int i, j, ok, al, ret = -1;
919 unsigned int cookie_len; 899 unsigned int cookie_len;
920 long n; 900 long n;
921 unsigned long id; 901 unsigned long id;
922 unsigned char *p,*d,*q; 902 unsigned char *p, *d, *q;
923 SSL_CIPHER *c; 903 SSL_CIPHER *c;
924#ifndef OPENSSL_NO_COMP 904#ifndef OPENSSL_NO_COMP
925 SSL_COMP *comp=NULL; 905 SSL_COMP *comp = NULL;
926#endif 906#endif
927 STACK_OF(SSL_CIPHER) *ciphers=NULL; 907 STACK_OF(SSL_CIPHER) *ciphers = NULL;
928 908
929 /* We do this so that we will respond with our native type. 909 /* We do this so that we will respond with our native type.
930 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 910 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ -932,65 +912,61 @@ int ssl3_get_client_hello(SSL *s)
932 * If we are SSLv3, we will respond with SSLv3, even if prompted with 912 * If we are SSLv3, we will respond with SSLv3, even if prompted with
933 * TLSv1. 913 * TLSv1.
934 */ 914 */
935 if (s->state == SSL3_ST_SR_CLNT_HELLO_A 915 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
936 ) 916 s->state = SSL3_ST_SR_CLNT_HELLO_B;
937 { 917 }
938 s->state=SSL3_ST_SR_CLNT_HELLO_B; 918 s->first_packet = 1;
939 } 919 n = s->method->ssl_get_message(s,
940 s->first_packet=1; 920 SSL3_ST_SR_CLNT_HELLO_B,
941 n=s->method->ssl_get_message(s, 921 SSL3_ST_SR_CLNT_HELLO_C,
942 SSL3_ST_SR_CLNT_HELLO_B, 922 SSL3_MT_CLIENT_HELLO,
943 SSL3_ST_SR_CLNT_HELLO_C, 923 SSL3_RT_MAX_PLAIN_LENGTH,
944 SSL3_MT_CLIENT_HELLO, 924 &ok);
945 SSL3_RT_MAX_PLAIN_LENGTH,
946 &ok);
947 925
948 if (!ok) return((int)n); 926 if (!ok)
949 s->first_packet=0; 927 return ((int)n);
950 d=p=(unsigned char *)s->init_msg; 928 s->first_packet = 0;
929 d = p=(unsigned char *)s->init_msg;
951 930
952 /* use version from inside client hello, not from record header 931 /* use version from inside client hello, not from record header
953 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 932 * (may differ: see RFC 2246, Appendix E, second paragraph) */
954 s->client_version=(((int)p[0])<<8)|(int)p[1]; 933 s->client_version = (((int)p[0]) << 8)|(int)p[1];
955 p+=2; 934 p += 2;
956 935
957 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 936 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
958 (s->version != DTLS1_VERSION && s->client_version < s->version)) 937 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
959 {
960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 938 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 939 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
962 !s->enc_write_ctx && !s->write_hash) 940 !s->enc_write_ctx && !s->write_hash) {
963 {
964 /* similar to ssl3_get_record, send alert using remote version number */ 941 /* similar to ssl3_get_record, send alert using remote version number */
965 s->version = s->client_version; 942 s->version = s->client_version;
966 } 943 }
967 al = SSL_AD_PROTOCOL_VERSION; 944 al = SSL_AD_PROTOCOL_VERSION;
968 goto f_err; 945 goto f_err;
969 } 946 }
970 947
971 /* If we require cookies and this ClientHello doesn't 948 /* If we require cookies and this ClientHello doesn't
972 * contain one, just return since we do not want to 949 * contain one, just return since we do not want to
973 * allocate any memory yet. So check cookie length... 950 * allocate any memory yet. So check cookie length...
974 */ 951 */
975 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 952 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
976 {
977 unsigned int session_length, cookie_length; 953 unsigned int session_length, cookie_length;
978 954
979 session_length = *(p + SSL3_RANDOM_SIZE); 955 session_length = *(p + SSL3_RANDOM_SIZE);
980 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 956 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
981 957
982 if (cookie_length == 0) 958 if (cookie_length == 0)
983 return 1; 959 return 1;
984 } 960 }
985 961
986 /* load the client random */ 962 /* load the client random */
987 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 963 memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
988 p+=SSL3_RANDOM_SIZE; 964 p += SSL3_RANDOM_SIZE;
989 965
990 /* get the session-id */ 966 /* get the session-id */
991 j= *(p++); 967 j= *(p++);
992 968
993 s->hit=0; 969 s->hit = 0;
994 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 970 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
995 * 0.9.7 and later allow this by default, but optionally ignore resumption requests 971 * 0.9.7 and later allow this by default, but optionally ignore resumption requests
996 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 972 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
@@ -1002,31 +978,26 @@ int ssl3_get_client_hello(SSL *s)
1002 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 978 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1003 * setting will be ignored. 979 * setting will be ignored.
1004 */ 980 */
1005 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 981 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1006 { 982 if (!ssl_get_new_session(s, 1))
1007 if (!ssl_get_new_session(s,1))
1008 goto err; 983 goto err;
1009 } 984 } else {
1010 else 985 i = ssl_get_prev_session(s, p, j, d + n);
1011 {
1012 i=ssl_get_prev_session(s, p, j, d + n);
1013 if (i == 1) 986 if (i == 1)
1014 { /* previous session */ 987 { /* previous session */
1015 s->hit=1; 988 s->hit = 1;
1016 } 989 } else if (i == -1)
1017 else if (i == -1)
1018 goto err; 990 goto err;
1019 else /* i == 0 */ 991 else /* i == 0 */
1020 { 992 {
1021 if (!ssl_get_new_session(s,1)) 993 if (!ssl_get_new_session(s, 1))
1022 goto err; 994 goto err;
1023 }
1024 } 995 }
996 }
1025 997
1026 p+=j; 998 p += j;
1027 999
1028 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1000 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
1029 {
1030 /* cookie stuff */ 1001 /* cookie stuff */
1031 cookie_len = *(p++); 1002 cookie_len = *(p++);
1032 1003
@@ -1035,159 +1006,141 @@ int ssl3_get_client_hello(SSL *s)
1035 * HelloVerify message has not been sent--make sure that it 1006 * HelloVerify message has not been sent--make sure that it
1036 * does not cause an overflow. 1007 * does not cause an overflow.
1037 */ 1008 */
1038 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 1009 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
1039 {
1040 /* too much data */ 1010 /* too much data */
1041 al = SSL_AD_DECODE_ERROR; 1011 al = SSL_AD_DECODE_ERROR;
1042 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1012 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1043 goto f_err; 1013 goto f_err;
1044 } 1014 }
1045 1015
1046 /* verify the cookie if appropriate option is set. */ 1016 /* verify the cookie if appropriate option is set. */
1047 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 1017 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
1048 cookie_len > 0) 1018 cookie_len > 0) {
1049 {
1050 memcpy(s->d1->rcvd_cookie, p, cookie_len); 1019 memcpy(s->d1->rcvd_cookie, p, cookie_len);
1051 1020
1052 if ( s->ctx->app_verify_cookie_cb != NULL) 1021 if (s->ctx->app_verify_cookie_cb != NULL) {
1053 { 1022 if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
1054 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1023 cookie_len) == 0) {
1055 cookie_len) == 0) 1024 al = SSL_AD_HANDSHAKE_FAILURE;
1056 { 1025 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1057 al=SSL_AD_HANDSHAKE_FAILURE; 1026 SSL_R_COOKIE_MISMATCH);
1058 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1059 SSL_R_COOKIE_MISMATCH);
1060 goto f_err;
1061 }
1062 /* else cookie verification succeeded */
1063 }
1064 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1065 s->d1->cookie_len) != 0) /* default verification */
1066 {
1067 al=SSL_AD_HANDSHAKE_FAILURE;
1068 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1069 SSL_R_COOKIE_MISMATCH);
1070 goto f_err; 1027 goto f_err;
1071 } 1028 }
1029 /* else cookie verification succeeded */
1030 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1031 s->d1->cookie_len) != 0) /* default verification */
1032 {
1033 al = SSL_AD_HANDSHAKE_FAILURE;
1034 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1035 SSL_R_COOKIE_MISMATCH);
1036 goto f_err;
1037 }
1072 1038
1073 ret = 2; 1039 ret = 2;
1074 } 1040 }
1075 1041
1076 p += cookie_len; 1042 p += cookie_len;
1077 } 1043 }
1078 1044
1079 n2s(p,i); 1045 n2s(p, i);
1080 if ((i == 0) && (j != 0)) 1046 if ((i == 0) && (j != 0)) {
1081 {
1082 /* we need a cipher if we are not resuming a session */ 1047 /* we need a cipher if we are not resuming a session */
1083 al=SSL_AD_ILLEGAL_PARAMETER; 1048 al = SSL_AD_ILLEGAL_PARAMETER;
1084 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 1049 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
1085 goto f_err; 1050 goto f_err;
1086 } 1051 }
1087 if ((p+i) >= (d+n)) 1052 if ((p + i) >= (d + n)) {
1088 {
1089 /* not enough data */ 1053 /* not enough data */
1090 al=SSL_AD_DECODE_ERROR; 1054 al = SSL_AD_DECODE_ERROR;
1091 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1055 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1092 goto f_err; 1056 goto f_err;
1093 } 1057 }
1094 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 1058 if ((i > 0) &&
1095 == NULL)) 1059 (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL)) {
1096 {
1097 goto err; 1060 goto err;
1098 } 1061 }
1099 p+=i; 1062 p += i;
1100 1063
1101 /* If it is a hit, check that the cipher is in the list */ 1064 /* If it is a hit, check that the cipher is in the list */
1102 if ((s->hit) && (i > 0)) 1065 if ((s->hit) && (i > 0)) {
1103 { 1066 j = 0;
1104 j=0; 1067 id = s->session->cipher->id;
1105 id=s->session->cipher->id;
1106 1068
1107#ifdef CIPHER_DEBUG 1069#ifdef CIPHER_DEBUG
1108 printf("client sent %d ciphers\n",sk_num(ciphers)); 1070 printf("client sent %d ciphers\n", sk_num(ciphers));
1109#endif 1071#endif
1110 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 1072 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1111 { 1073 c = sk_SSL_CIPHER_value(ciphers, i);
1112 c=sk_SSL_CIPHER_value(ciphers,i);
1113#ifdef CIPHER_DEBUG 1074#ifdef CIPHER_DEBUG
1114 printf("client [%2d of %2d]:%s\n", 1075 printf("client [%2d of %2d]:%s\n",
1115 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 1076 i, sk_num(ciphers), SSL_CIPHER_get_name(c));
1116#endif 1077#endif
1117 if (c->id == id) 1078 if (c->id == id) {
1118 { 1079 j = 1;
1119 j=1;
1120 break; 1080 break;
1121 }
1122 } 1081 }
1082 }
1123/* Disabled because it can be used in a ciphersuite downgrade 1083/* Disabled because it can be used in a ciphersuite downgrade
1124 * attack: CVE-2010-4180. 1084 * attack: CVE-2010-4180.
1125 */ 1085 */
1126#if 0 1086#if 0
1127 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 1087 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
1128 {
1129 /* Special case as client bug workaround: the previously used cipher may 1088 /* Special case as client bug workaround: the previously used cipher may
1130 * not be in the current list, the client instead might be trying to 1089 * not be in the current list, the client instead might be trying to
1131 * continue using a cipher that before wasn't chosen due to server 1090 * continue using a cipher that before wasn't chosen due to server
1132 * preferences. We'll have to reject the connection if the cipher is not 1091 * preferences. We'll have to reject the connection if the cipher is not
1133 * enabled, though. */ 1092 * enabled, though. */
1134 c = sk_SSL_CIPHER_value(ciphers, 0); 1093 c = sk_SSL_CIPHER_value(ciphers, 0);
1135 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 1094 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
1136 {
1137 s->session->cipher = c; 1095 s->session->cipher = c;
1138 j = 1; 1096 j = 1;
1139 }
1140 } 1097 }
1098 }
1141#endif 1099#endif
1142 if (j == 0) 1100 if (j == 0) {
1143 {
1144 /* we need to have the cipher in the cipher 1101 /* we need to have the cipher in the cipher
1145 * list if we are asked to reuse it */ 1102 * list if we are asked to reuse it */
1146 al=SSL_AD_ILLEGAL_PARAMETER; 1103 al = SSL_AD_ILLEGAL_PARAMETER;
1147 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 1104 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING);
1148 goto f_err; 1105 goto f_err;
1149 }
1150 } 1106 }
1107 }
1151 1108
1152 /* compression */ 1109 /* compression */
1153 i= *(p++); 1110 i= *(p++);
1154 if ((p+i) > (d+n)) 1111 if ((p + i) > (d + n)) {
1155 {
1156 /* not enough data */ 1112 /* not enough data */
1157 al=SSL_AD_DECODE_ERROR; 1113 al = SSL_AD_DECODE_ERROR;
1158 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1114 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1159 goto f_err; 1115 goto f_err;
1160 } 1116 }
1161 q=p; 1117 q = p;
1162 for (j=0; j<i; j++) 1118 for (j = 0; j < i; j++) {
1163 { 1119 if (p[j] == 0)
1164 if (p[j] == 0) break; 1120 break;
1165 } 1121 }
1166 1122
1167 p+=i; 1123 p += i;
1168 if (j >= i) 1124 if (j >= i) {
1169 {
1170 /* no compress */ 1125 /* no compress */
1171 al=SSL_AD_DECODE_ERROR; 1126 al = SSL_AD_DECODE_ERROR;
1172 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 1127 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1173 goto f_err; 1128 goto f_err;
1174 } 1129 }
1175 1130
1176#ifndef OPENSSL_NO_TLSEXT 1131#ifndef OPENSSL_NO_TLSEXT
1177 /* TLS extensions*/ 1132 /* TLS extensions*/
1178 if (s->version >= SSL3_VERSION) 1133 if (s->version >= SSL3_VERSION) {
1179 { 1134 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
1180 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
1181 {
1182 /* 'al' set by ssl_parse_clienthello_tlsext */ 1135 /* 'al' set by ssl_parse_clienthello_tlsext */
1183 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 1136 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1184 goto f_err; 1137 goto f_err;
1185 }
1186 }
1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1189 goto err;
1190 } 1138 }
1139 }
1140 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1141 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1142 goto err;
1143 }
1191 1144
1192 /* Check if we want to use external pre-shared secret for this 1145 /* Check if we want to use external pre-shared secret for this
1193 * handshake for not reused session only. We need to generate 1146 * handshake for not reused session only. We need to generate
@@ -1195,38 +1148,34 @@ int ssl3_get_client_hello(SSL *s)
1195 * SessionTicket processing to use it in key derivation. */ 1148 * SessionTicket processing to use it in key derivation. */
1196 { 1149 {
1197 unsigned char *pos; 1150 unsigned char *pos;
1198 pos=s->s3->server_random; 1151 pos = s->s3->server_random;
1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) 1152 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
1200 { 1153 al = SSL_AD_INTERNAL_ERROR;
1201 al=SSL_AD_INTERNAL_ERROR;
1202 goto f_err; 1154 goto f_err;
1203 } 1155 }
1204 } 1156 }
1205 1157
1206 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) 1158 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1207 { 1159 SSL_CIPHER *pref_cipher = NULL;
1208 SSL_CIPHER *pref_cipher=NULL;
1209 1160
1210 s->session->master_key_length=sizeof(s->session->master_key); 1161 s->session->master_key_length = sizeof(s->session->master_key);
1211 if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1162 if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
1212 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) 1163 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) {
1213 { 1164 s->hit = 1;
1214 s->hit=1; 1165 s->session->ciphers = ciphers;
1215 s->session->ciphers=ciphers; 1166 s->session->verify_result = X509_V_OK;
1216 s->session->verify_result=X509_V_OK;
1217 1167
1218 ciphers=NULL; 1168 ciphers = NULL;
1219 1169
1220 /* check if some cipher was preferred by call back */ 1170 /* check if some cipher was preferred by call back */
1221 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1171 pref_cipher = pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1222 if (pref_cipher == NULL) 1172 if (pref_cipher == NULL) {
1223 { 1173 al = SSL_AD_HANDSHAKE_FAILURE;
1224 al=SSL_AD_HANDSHAKE_FAILURE; 1174 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1225 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1226 goto f_err; 1175 goto f_err;
1227 } 1176 }
1228 1177
1229 s->session->cipher=pref_cipher; 1178 s->session->cipher = pref_cipher;
1230 1179
1231 if (s->cipher_list) 1180 if (s->cipher_list)
1232 sk_SSL_CIPHER_free(s->cipher_list); 1181 sk_SSL_CIPHER_free(s->cipher_list);
@@ -1236,165 +1185,144 @@ int ssl3_get_client_hello(SSL *s)
1236 1185
1237 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1186 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1238 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1187 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1239 }
1240 } 1188 }
1189 }
1241#endif 1190#endif
1242 1191
1243 /* Worst case, we will use the NULL compression, but if we have other 1192 /* Worst case, we will use the NULL compression, but if we have other
1244 * options, we will now look for them. We have i-1 compression 1193 * options, we will now look for them. We have i-1 compression
1245 * algorithms from the client, starting at q. */ 1194 * algorithms from the client, starting at q. */
1246 s->s3->tmp.new_compression=NULL; 1195 s->s3->tmp.new_compression = NULL;
1247#ifndef OPENSSL_NO_COMP 1196#ifndef OPENSSL_NO_COMP
1248 /* This only happens if we have a cache hit */ 1197 /* This only happens if we have a cache hit */
1249 if (s->session->compress_meth != 0) 1198 if (s->session->compress_meth != 0) {
1250 {
1251 int m, comp_id = s->session->compress_meth; 1199 int m, comp_id = s->session->compress_meth;
1252 /* Perform sanity checks on resumed compression algorithm */ 1200 /* Perform sanity checks on resumed compression algorithm */
1253 /* Can't disable compression */ 1201 /* Can't disable compression */
1254 if (s->options & SSL_OP_NO_COMPRESSION) 1202 if (s->options & SSL_OP_NO_COMPRESSION) {
1255 { 1203 al = SSL_AD_INTERNAL_ERROR;
1256 al=SSL_AD_INTERNAL_ERROR; 1204 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1257 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1258 goto f_err; 1205 goto f_err;
1259 } 1206 }
1260 /* Look for resumed compression method */ 1207 /* Look for resumed compression method */
1261 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) 1208 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1262 { 1209 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1263 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1210 if (comp_id == comp->id) {
1264 if (comp_id == comp->id) 1211 s->s3->tmp.new_compression = comp;
1265 {
1266 s->s3->tmp.new_compression=comp;
1267 break; 1212 break;
1268 }
1269 } 1213 }
1270 if (s->s3->tmp.new_compression == NULL) 1214 }
1271 { 1215 if (s->s3->tmp.new_compression == NULL) {
1272 al=SSL_AD_INTERNAL_ERROR; 1216 al = SSL_AD_INTERNAL_ERROR;
1273 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); 1217 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INVALID_COMPRESSION_ALGORITHM);
1274 goto f_err; 1218 goto f_err;
1275 } 1219 }
1276 /* Look for resumed method in compression list */ 1220 /* Look for resumed method in compression list */
1277 for (m = 0; m < i; m++) 1221 for (m = 0; m < i; m++) {
1278 {
1279 if (q[m] == comp_id) 1222 if (q[m] == comp_id)
1280 break; 1223 break;
1281 } 1224 }
1282 if (m >= i) 1225 if (m >= i) {
1283 { 1226 al = SSL_AD_ILLEGAL_PARAMETER;
1284 al=SSL_AD_ILLEGAL_PARAMETER; 1227 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1285 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1286 goto f_err; 1228 goto f_err;
1287 }
1288 } 1229 }
1289 else if (s->hit) 1230 } else if (s->hit)
1290 comp = NULL; 1231 comp = NULL;
1291 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) 1232 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
1292 { /* See if we have a match */ 1233 { /* See if we have a match */
1293 int m,nn,o,v,done=0; 1234 int m, nn, o, v, done = 0;
1294 1235
1295 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1236 nn = sk_SSL_COMP_num(s->ctx->comp_methods);
1296 for (m=0; m<nn; m++) 1237 for (m = 0; m < nn; m++) {
1297 { 1238 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1298 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1239 v = comp->id;
1299 v=comp->id; 1240 for (o = 0; o < i; o++) {
1300 for (o=0; o<i; o++) 1241 if (v == q[o]) {
1301 { 1242 done = 1;
1302 if (v == q[o])
1303 {
1304 done=1;
1305 break; 1243 break;
1306 }
1307 } 1244 }
1308 if (done) break;
1309 } 1245 }
1246 if (done)
1247 break;
1248 }
1310 if (done) 1249 if (done)
1311 s->s3->tmp.new_compression=comp; 1250 s->s3->tmp.new_compression = comp;
1312 else 1251 else
1313 comp=NULL; 1252 comp = NULL;
1314 } 1253 }
1315#else 1254#else
1316 /* If compression is disabled we'd better not try to resume a session 1255 /* If compression is disabled we'd better not try to resume a session
1317 * using compression. 1256 * using compression.
1318 */ 1257 */
1319 if (s->session->compress_meth != 0) 1258 if (s->session->compress_meth != 0) {
1320 { 1259 al = SSL_AD_INTERNAL_ERROR;
1321 al=SSL_AD_INTERNAL_ERROR; 1260 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1322 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1323 goto f_err; 1261 goto f_err;
1324 } 1262 }
1325#endif 1263#endif
1326 1264
1327 /* Given s->session->ciphers and SSL_get_ciphers, we must 1265 /* Given s->session->ciphers and SSL_get_ciphers, we must
1328 * pick a cipher */ 1266 * pick a cipher */
1329 1267
1330 if (!s->hit) 1268 if (!s->hit) {
1331 {
1332#ifdef OPENSSL_NO_COMP 1269#ifdef OPENSSL_NO_COMP
1333 s->session->compress_meth=0; 1270 s->session->compress_meth = 0;
1334#else 1271#else
1335 s->session->compress_meth=(comp == NULL)?0:comp->id; 1272 s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1336#endif 1273#endif
1337 if (s->session->ciphers != NULL) 1274 if (s->session->ciphers != NULL)
1338 sk_SSL_CIPHER_free(s->session->ciphers); 1275 sk_SSL_CIPHER_free(s->session->ciphers);
1339 s->session->ciphers=ciphers; 1276 s->session->ciphers = ciphers;
1340 if (ciphers == NULL) 1277 if (ciphers == NULL) {
1341 { 1278 al = SSL_AD_ILLEGAL_PARAMETER;
1342 al=SSL_AD_ILLEGAL_PARAMETER; 1279 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
1343 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
1344 goto f_err; 1280 goto f_err;
1345 } 1281 }
1346 ciphers=NULL; 1282 ciphers = NULL;
1347 c=ssl3_choose_cipher(s,s->session->ciphers, 1283 c = ssl3_choose_cipher(s, s->session->ciphers,
1348 SSL_get_ciphers(s)); 1284 SSL_get_ciphers(s));
1349 1285
1350 if (c == NULL) 1286 if (c == NULL) {
1351 { 1287 al = SSL_AD_HANDSHAKE_FAILURE;
1352 al=SSL_AD_HANDSHAKE_FAILURE; 1288 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1353 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1354 goto f_err; 1289 goto f_err;
1355 }
1356 s->s3->tmp.new_cipher=c;
1357 } 1290 }
1358 else 1291 s->s3->tmp.new_cipher = c;
1359 { 1292 } else {
1360 /* Session-id reuse */ 1293 /* Session-id reuse */
1361#ifdef REUSE_CIPHER_BUG 1294#ifdef REUSE_CIPHER_BUG
1362 STACK_OF(SSL_CIPHER) *sk; 1295 STACK_OF(SSL_CIPHER) *sk;
1363 SSL_CIPHER *nc=NULL; 1296 SSL_CIPHER *nc = NULL;
1364 SSL_CIPHER *ec=NULL; 1297 SSL_CIPHER *ec = NULL;
1365 1298
1366 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1299 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
1367 { 1300 sk = s->session->ciphers;
1368 sk=s->session->ciphers; 1301 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
1369 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1302 c = sk_SSL_CIPHER_value(sk, i);
1370 {
1371 c=sk_SSL_CIPHER_value(sk,i);
1372 if (c->algorithm_enc & SSL_eNULL) 1303 if (c->algorithm_enc & SSL_eNULL)
1373 nc=c; 1304 nc = c;
1374 if (SSL_C_IS_EXPORT(c)) 1305 if (SSL_C_IS_EXPORT(c))
1375 ec=c; 1306 ec = c;
1376 } 1307 }
1377 if (nc != NULL) 1308 if (nc != NULL)
1378 s->s3->tmp.new_cipher=nc; 1309 s->s3->tmp.new_cipher = nc;
1379 else if (ec != NULL) 1310 else if (ec != NULL)
1380 s->s3->tmp.new_cipher=ec; 1311 s->s3->tmp.new_cipher = ec;
1381 else 1312 else
1382 s->s3->tmp.new_cipher=s->session->cipher; 1313 s->s3->tmp.new_cipher = s->session->cipher;
1383 } 1314 } else
1384 else
1385#endif 1315#endif
1386 s->s3->tmp.new_cipher=s->session->cipher; 1316 s->s3->tmp.new_cipher = s->session->cipher;
1387 } 1317 }
1388 1318
1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1319 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) {
1390 { 1320 if (!ssl3_digest_cached_records(s)) {
1391 if (!ssl3_digest_cached_records(s))
1392 {
1393 al = SSL_AD_INTERNAL_ERROR; 1321 al = SSL_AD_INTERNAL_ERROR;
1394 goto f_err; 1322 goto f_err;
1395 }
1396 } 1323 }
1397 1324 }
1325
1398 /* we now have the following setup. 1326 /* we now have the following setup.
1399 * client_random 1327 * client_random
1400 * cipher_list - our prefered list of ciphers 1328 * cipher_list - our prefered list of ciphers
@@ -1407,50 +1335,49 @@ int ssl3_get_client_hello(SSL *s)
1407 */ 1335 */
1408 1336
1409 /* Handles TLS extensions that we couldn't check earlier */ 1337 /* Handles TLS extensions that we couldn't check earlier */
1410 if (s->version >= SSL3_VERSION) 1338 if (s->version >= SSL3_VERSION) {
1411 { 1339 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1412 if (ssl_check_clienthello_tlsext_late(s) <= 0)
1413 {
1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1340 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1415 goto err; 1341 goto err;
1416 }
1417 } 1342 }
1343 }
1418 1344
1419 if (ret < 0) ret=1; 1345 if (ret < 0)
1420 if (0) 1346 ret = 1;
1421 { 1347 if (0) {
1422f_err: 1348f_err:
1423 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1349 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1424 }
1425err:
1426 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
1427 return(ret);
1428 } 1350 }
1351err:
1352 if (ciphers != NULL)
1353 sk_SSL_CIPHER_free(ciphers);
1354 return (ret);
1355}
1429 1356
1430int ssl3_send_server_hello(SSL *s) 1357int
1431 { 1358ssl3_send_server_hello(SSL *s)
1359{
1432 unsigned char *buf; 1360 unsigned char *buf;
1433 unsigned char *p,*d; 1361 unsigned char *p, *d;
1434 int i,sl; 1362 int i, sl;
1435 unsigned long l; 1363 unsigned long l;
1436 1364
1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1365 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1438 { 1366 buf = (unsigned char *)s->init_buf->data;
1439 buf=(unsigned char *)s->init_buf->data;
1440#ifdef OPENSSL_NO_TLSEXT 1367#ifdef OPENSSL_NO_TLSEXT
1441 p=s->s3->server_random; 1368 p = s->s3->server_random;
1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1369 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1443 return -1; 1370 return -1;
1444#endif 1371#endif
1445 /* Do the message type and length last */ 1372 /* Do the message type and length last */
1446 d=p= &(buf[4]); 1373 d = p= &(buf[4]);
1447 1374
1448 *(p++)=s->version>>8; 1375 *(p++) = s->version >> 8;
1449 *(p++)=s->version&0xff; 1376 *(p++) = s->version&0xff;
1450 1377
1451 /* Random stuff */ 1378 /* Random stuff */
1452 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1379 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1453 p+=SSL3_RANDOM_SIZE; 1380 p += SSL3_RANDOM_SIZE;
1454 1381
1455 /* There are several cases for the session ID to send 1382 /* There are several cases for the session ID to send
1456 * back in the server hello: 1383 * back in the server hello:
@@ -1469,317 +1396,287 @@ int ssl3_send_server_hello(SSL *s)
1469 */ 1396 */
1470 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1397 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1471 && !s->hit) 1398 && !s->hit)
1472 s->session->session_id_length=0; 1399 s->session->session_id_length = 0;
1473 1400
1474 sl=s->session->session_id_length; 1401 sl = s->session->session_id_length;
1475 if (sl > (int)sizeof(s->session->session_id)) 1402 if (sl > (int)sizeof(s->session->session_id)) {
1476 {
1477 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1403 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1478 return -1; 1404 return -1;
1479 } 1405 }
1480 *(p++)=sl; 1406 *(p++) = sl;
1481 memcpy(p,s->session->session_id,sl); 1407 memcpy(p, s->session->session_id, sl);
1482 p+=sl; 1408 p += sl;
1483 1409
1484 /* put the cipher */ 1410 /* put the cipher */
1485 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1411 i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
1486 p+=i; 1412 p += i;
1487 1413
1488 /* put the compression method */ 1414 /* put the compression method */
1489#ifdef OPENSSL_NO_COMP 1415#ifdef OPENSSL_NO_COMP
1490 *(p++)=0; 1416 *(p++) = 0;
1491#else 1417#else
1492 if (s->s3->tmp.new_compression == NULL) 1418 if (s->s3->tmp.new_compression == NULL)
1493 *(p++)=0; 1419 *(p++) = 0;
1494 else 1420 else
1495 *(p++)=s->s3->tmp.new_compression->id; 1421 *(p++) = s->s3->tmp.new_compression->id;
1496#endif 1422#endif
1497#ifndef OPENSSL_NO_TLSEXT 1423#ifndef OPENSSL_NO_TLSEXT
1498 if (ssl_prepare_serverhello_tlsext(s) <= 0) 1424 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1499 { 1425 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1500 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1501 return -1; 1426 return -1;
1502 } 1427 }
1503 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1428 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1504 { 1429 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1505 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
1506 return -1; 1430 return -1;
1507 } 1431 }
1508#endif 1432#endif
1509 /* do the header */ 1433 /* do the header */
1510 l=(p-d); 1434 l = (p - d);
1511 d=buf; 1435 d = buf;
1512 *(d++)=SSL3_MT_SERVER_HELLO; 1436 *(d++) = SSL3_MT_SERVER_HELLO;
1513 l2n3(l,d); 1437 l2n3(l, d);
1514 1438
1515 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1439 s->state = SSL3_ST_SW_SRVR_HELLO_B;
1516 /* number of bytes to write */ 1440 /* number of bytes to write */
1517 s->init_num=p-buf; 1441 s->init_num = p - buf;
1518 s->init_off=0; 1442 s->init_off = 0;
1519 } 1443 }
1520 1444
1521 /* SSL3_ST_SW_SRVR_HELLO_B */ 1445 /* SSL3_ST_SW_SRVR_HELLO_B */
1522 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1446 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1523 } 1447}
1524 1448
1525int ssl3_send_server_done(SSL *s) 1449int
1526 { 1450ssl3_send_server_done(SSL *s)
1451{
1527 unsigned char *p; 1452 unsigned char *p;
1528 1453
1529 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1454 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1530 { 1455 p = (unsigned char *)s->init_buf->data;
1531 p=(unsigned char *)s->init_buf->data;
1532 1456
1533 /* do the header */ 1457 /* do the header */
1534 *(p++)=SSL3_MT_SERVER_DONE; 1458 *(p++) = SSL3_MT_SERVER_DONE;
1535 *(p++)=0; 1459 *(p++) = 0;
1536 *(p++)=0; 1460 *(p++) = 0;
1537 *(p++)=0; 1461 *(p++) = 0;
1538 1462
1539 s->state=SSL3_ST_SW_SRVR_DONE_B; 1463 s->state = SSL3_ST_SW_SRVR_DONE_B;
1540 /* number of bytes to write */ 1464 /* number of bytes to write */
1541 s->init_num=4; 1465 s->init_num = 4;
1542 s->init_off=0; 1466 s->init_off = 0;
1543 } 1467 }
1544 1468
1545 /* SSL3_ST_SW_SRVR_DONE_B */ 1469 /* SSL3_ST_SW_SRVR_DONE_B */
1546 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1470 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1547 } 1471}
1548 1472
1549int ssl3_send_server_key_exchange(SSL *s) 1473int
1550 { 1474ssl3_send_server_key_exchange(SSL *s)
1475{
1551#ifndef OPENSSL_NO_RSA 1476#ifndef OPENSSL_NO_RSA
1552 unsigned char *q; 1477 unsigned char *q;
1553 int j,num; 1478 int j, num;
1554 RSA *rsa; 1479 RSA *rsa;
1555 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1480 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1556 unsigned int u; 1481 unsigned int u;
1557#endif 1482#endif
1558#ifndef OPENSSL_NO_DH 1483#ifndef OPENSSL_NO_DH
1559 DH *dh=NULL,*dhp; 1484 DH *dh = NULL, *dhp;
1560#endif 1485#endif
1561#ifndef OPENSSL_NO_ECDH 1486#ifndef OPENSSL_NO_ECDH
1562 EC_KEY *ecdh=NULL, *ecdhp; 1487 EC_KEY *ecdh = NULL, *ecdhp;
1563 unsigned char *encodedPoint = NULL; 1488 unsigned char *encodedPoint = NULL;
1564 int encodedlen = 0; 1489 int encodedlen = 0;
1565 int curve_id = 0; 1490 int curve_id = 0;
1566 BN_CTX *bn_ctx = NULL; 1491 BN_CTX *bn_ctx = NULL;
1492
1567#endif 1493#endif
1568 EVP_PKEY *pkey; 1494 EVP_PKEY *pkey;
1569 const EVP_MD *md = NULL; 1495 const EVP_MD *md = NULL;
1570 unsigned char *p,*d; 1496 unsigned char *p, *d;
1571 int al,i; 1497 int al, i;
1572 unsigned long type; 1498 unsigned long type;
1573 int n; 1499 int n;
1574 CERT *cert; 1500 CERT *cert;
1575 BIGNUM *r[4]; 1501 BIGNUM *r[4];
1576 int nr[4],kn; 1502 int nr[4], kn;
1577 BUF_MEM *buf; 1503 BUF_MEM *buf;
1578 EVP_MD_CTX md_ctx; 1504 EVP_MD_CTX md_ctx;
1579 1505
1580 EVP_MD_CTX_init(&md_ctx); 1506 EVP_MD_CTX_init(&md_ctx);
1581 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1507 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1582 { 1508 type = s->s3->tmp.new_cipher->algorithm_mkey;
1583 type=s->s3->tmp.new_cipher->algorithm_mkey; 1509 cert = s->cert;
1584 cert=s->cert;
1585 1510
1586 buf=s->init_buf; 1511 buf = s->init_buf;
1587 1512
1588 r[0]=r[1]=r[2]=r[3]=NULL; 1513 r[0] = r[1] = r[2] = r[3] = NULL;
1589 n=0; 1514 n = 0;
1590#ifndef OPENSSL_NO_RSA 1515#ifndef OPENSSL_NO_RSA
1591 if (type & SSL_kRSA) 1516 if (type & SSL_kRSA) {
1592 { 1517 rsa = cert->rsa_tmp;
1593 rsa=cert->rsa_tmp; 1518 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
1594 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1519 rsa = s->cert->rsa_tmp_cb(s,
1595 { 1520 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1596 rsa=s->cert->rsa_tmp_cb(s, 1521 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1597 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1522 if (rsa == NULL) {
1598 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1523 al = SSL_AD_HANDSHAKE_FAILURE;
1599 if(rsa == NULL) 1524 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1600 {
1601 al=SSL_AD_HANDSHAKE_FAILURE;
1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1603 goto f_err; 1525 goto f_err;
1604 } 1526 }
1605 RSA_up_ref(rsa); 1527 RSA_up_ref(rsa);
1606 cert->rsa_tmp=rsa; 1528 cert->rsa_tmp = rsa;
1607 } 1529 }
1608 if (rsa == NULL) 1530 if (rsa == NULL) {
1609 { 1531 al = SSL_AD_HANDSHAKE_FAILURE;
1610 al=SSL_AD_HANDSHAKE_FAILURE; 1532 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY);
1611 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
1612 goto f_err; 1533 goto f_err;
1613 }
1614 r[0]=rsa->n;
1615 r[1]=rsa->e;
1616 s->s3->tmp.use_rsa_tmp=1;
1617 } 1534 }
1618 else 1535 r[0] = rsa->n;
1536 r[1] = rsa->e;
1537 s->s3->tmp.use_rsa_tmp = 1;
1538 } else
1619#endif 1539#endif
1620#ifndef OPENSSL_NO_DH 1540#ifndef OPENSSL_NO_DH
1621 if (type & SSL_kEDH) 1541 if (type & SSL_kEDH) {
1622 { 1542 dhp = cert->dh_tmp;
1623 dhp=cert->dh_tmp;
1624 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1543 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1625 dhp=s->cert->dh_tmp_cb(s, 1544 dhp = s->cert->dh_tmp_cb(s,
1626 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1545 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1627 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1546 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1628 if (dhp == NULL) 1547 if (dhp == NULL) {
1629 { 1548 al = SSL_AD_HANDSHAKE_FAILURE;
1630 al=SSL_AD_HANDSHAKE_FAILURE; 1549 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
1631 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1632 goto f_err; 1550 goto f_err;
1633 } 1551 }
1634 1552
1635 if (s->s3->tmp.dh != NULL) 1553 if (s->s3->tmp.dh != NULL) {
1636 {
1637 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1554 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1638 goto err; 1555 goto err;
1639 } 1556 }
1640 1557
1641 if ((dh=DHparams_dup(dhp)) == NULL) 1558 if ((dh = DHparams_dup(dhp)) == NULL) {
1642 { 1559 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1643 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1644 goto err; 1560 goto err;
1645 } 1561 }
1646 1562
1647 s->s3->tmp.dh=dh; 1563 s->s3->tmp.dh = dh;
1648 if ((dhp->pub_key == NULL || 1564 if ((dhp->pub_key == NULL || dhp->priv_key == NULL ||
1649 dhp->priv_key == NULL || 1565 (s->options & SSL_OP_SINGLE_DH_USE))) {
1650 (s->options & SSL_OP_SINGLE_DH_USE))) 1566 if (!DH_generate_key(dh)) {
1651 { 1567 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1652 if(!DH_generate_key(dh)) 1568 ERR_R_DH_LIB);
1653 { 1569 goto err;
1654 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1655 ERR_R_DH_LIB);
1656 goto err;
1657 }
1658 } 1570 }
1659 else 1571 } else {
1660 { 1572 dh->pub_key = BN_dup(dhp->pub_key);
1661 dh->pub_key=BN_dup(dhp->pub_key); 1573 dh->priv_key = BN_dup(dhp->priv_key);
1662 dh->priv_key=BN_dup(dhp->priv_key);
1663 if ((dh->pub_key == NULL) || 1574 if ((dh->pub_key == NULL) ||
1664 (dh->priv_key == NULL)) 1575 (dh->priv_key == NULL)) {
1665 { 1576 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1666 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1667 goto err; 1577 goto err;
1668 }
1669 } 1578 }
1670 r[0]=dh->p;
1671 r[1]=dh->g;
1672 r[2]=dh->pub_key;
1673 } 1579 }
1674 else 1580 r[0] = dh->p;
1581 r[1] = dh->g;
1582 r[2] = dh->pub_key;
1583 } else
1675#endif 1584#endif
1676#ifndef OPENSSL_NO_ECDH 1585#ifndef OPENSSL_NO_ECDH
1677 if (type & SSL_kEECDH) 1586 if (type & SSL_kEECDH) {
1678 {
1679 const EC_GROUP *group; 1587 const EC_GROUP *group;
1680 1588
1681 ecdhp=cert->ecdh_tmp; 1589 ecdhp = cert->ecdh_tmp;
1682 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1590 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
1683 { 1591 ecdhp = s->cert->ecdh_tmp_cb(
1684 ecdhp=s->cert->ecdh_tmp_cb(s, 1592 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1685 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1593 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1686 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1594 }
1687 } 1595 if (ecdhp == NULL) {
1688 if (ecdhp == NULL) 1596 al = SSL_AD_HANDSHAKE_FAILURE;
1689 { 1597 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
1690 al=SSL_AD_HANDSHAKE_FAILURE;
1691 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
1692 goto f_err; 1598 goto f_err;
1693 } 1599 }
1694 1600
1695 if (s->s3->tmp.ecdh != NULL) 1601 if (s->s3->tmp.ecdh != NULL) {
1696 {
1697 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1698 goto err; 1603 goto err;
1699 } 1604 }
1700 1605
1701 /* Duplicate the ECDH structure. */ 1606 /* Duplicate the ECDH structure. */
1702 if (ecdhp == NULL) 1607 if (ecdhp == NULL) {
1703 { 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1704 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1705 goto err; 1609 goto err;
1706 } 1610 }
1707 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1611 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1708 { 1612 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1709 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1710 goto err; 1613 goto err;
1711 } 1614 }
1712 1615
1713 s->s3->tmp.ecdh=ecdh; 1616 s->s3->tmp.ecdh = ecdh;
1714 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1617 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1715 (EC_KEY_get0_private_key(ecdh) == NULL) || 1618 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1716 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1619 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1717 { 1620 if (!EC_KEY_generate_key(ecdh)) {
1718 if(!EC_KEY_generate_key(ecdh)) 1621 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1719 { 1622 goto err;
1720 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1721 goto err;
1722 }
1723 } 1623 }
1624 }
1724 1625
1725 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1626 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1726 (EC_KEY_get0_public_key(ecdh) == NULL) || 1627 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1727 (EC_KEY_get0_private_key(ecdh) == NULL)) 1628 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1728 { 1629 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1730 goto err; 1630 goto err;
1731 } 1631 }
1732 1632
1733 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1633 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1734 (EC_GROUP_get_degree(group) > 163)) 1634 (EC_GROUP_get_degree(group) > 163)) {
1735 { 1635 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1736 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1737 goto err; 1636 goto err;
1738 } 1637 }
1739 1638
1740 /* XXX: For now, we only support ephemeral ECDH 1639 /* XXX: For now, we only support ephemeral ECDH
1741 * keys over named (not generic) curves. For 1640 * keys over named (not generic) curves. For
1742 * supported named curves, curve_id is non-zero. 1641 * supported named curves, curve_id is non-zero.
1743 */ 1642 */
1744 if ((curve_id = 1643 if ((curve_id = tls1_ec_nid2curve_id(
1745 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1644 EC_GROUP_get_curve_name(group))) == 0) {
1746 == 0) 1645 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1747 {
1748 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1749 goto err; 1646 goto err;
1750 } 1647 }
1751 1648
1752 /* Encode the public key. 1649 /* Encode the public key.
1753 * First check the size of encoding and 1650 * First check the size of encoding and
1754 * allocate memory accordingly. 1651 * allocate memory accordingly.
1755 */ 1652 */
1756 encodedlen = EC_POINT_point2oct(group, 1653 encodedlen = EC_POINT_point2oct(group,
1757 EC_KEY_get0_public_key(ecdh), 1654 EC_KEY_get0_public_key(ecdh),
1758 POINT_CONVERSION_UNCOMPRESSED, 1655 POINT_CONVERSION_UNCOMPRESSED,
1759 NULL, 0, NULL); 1656 NULL, 0, NULL);
1657
1658 encodedPoint = (unsigned char *)
1659 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1760 1660
1761 encodedPoint = (unsigned char *)
1762 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1763 bn_ctx = BN_CTX_new(); 1661 bn_ctx = BN_CTX_new();
1764 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1662 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1765 { 1663 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1766 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1767 goto err; 1664 goto err;
1768 } 1665 }
1769 1666
1770 1667
1771 encodedlen = EC_POINT_point2oct(group, 1668 encodedlen = EC_POINT_point2oct(group,
1772 EC_KEY_get0_public_key(ecdh), 1669 EC_KEY_get0_public_key(ecdh),
1773 POINT_CONVERSION_UNCOMPRESSED, 1670 POINT_CONVERSION_UNCOMPRESSED,
1774 encodedPoint, encodedlen, bn_ctx); 1671 encodedPoint, encodedlen, bn_ctx);
1775 1672
1776 if (encodedlen == 0) 1673 if (encodedlen == 0) {
1777 { 1674 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1778 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1779 goto err; 1675 goto err;
1780 } 1676 }
1781 1677
1782 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1678 BN_CTX_free(bn_ctx);
1679 bn_ctx = NULL;
1783 1680
1784 /* XXX: For now, we only support named (not 1681 /* XXX: For now, we only support named (not
1785 * generic) curves in ECDH ephemeral key exchanges. 1682 * generic) curves in ECDH ephemeral key exchanges.
@@ -1792,98 +1689,80 @@ int ssl3_send_server_key_exchange(SSL *s)
1792 /* We'll generate the serverKeyExchange message 1689 /* We'll generate the serverKeyExchange message
1793 * explicitly so we can set these to NULLs 1690 * explicitly so we can set these to NULLs
1794 */ 1691 */
1795 r[0]=NULL; 1692 r[0] = NULL;
1796 r[1]=NULL; 1693 r[1] = NULL;
1797 r[2]=NULL; 1694 r[2] = NULL;
1798 r[3]=NULL; 1695 r[3] = NULL;
1799 } 1696 } else
1800 else
1801#endif /* !OPENSSL_NO_ECDH */ 1697#endif /* !OPENSSL_NO_ECDH */
1802#ifndef OPENSSL_NO_PSK 1698#ifndef OPENSSL_NO_PSK
1803 if (type & SSL_kPSK) 1699 if (type & SSL_kPSK) {
1804 { 1700 /* reserve size for record length and PSK identity hint*/
1805 /* reserve size for record length and PSK identity hint*/ 1701 n += 2 + strlen(s->ctx->psk_identity_hint);
1806 n+=2+strlen(s->ctx->psk_identity_hint); 1702 } else
1807 }
1808 else
1809#endif /* !OPENSSL_NO_PSK */ 1703#endif /* !OPENSSL_NO_PSK */
1810#ifndef OPENSSL_NO_SRP 1704#ifndef OPENSSL_NO_SRP
1811 if (type & SSL_kSRP) 1705 if (type & SSL_kSRP) {
1812 { 1706 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
1813 if ((s->srp_ctx.N == NULL) || 1707 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
1814 (s->srp_ctx.g == NULL) || 1708 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
1815 (s->srp_ctx.s == NULL) ||
1816 (s->srp_ctx.B == NULL))
1817 {
1818 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM);
1819 goto err; 1709 goto err;
1820 }
1821 r[0]=s->srp_ctx.N;
1822 r[1]=s->srp_ctx.g;
1823 r[2]=s->srp_ctx.s;
1824 r[3]=s->srp_ctx.B;
1825 } 1710 }
1826 else 1711 r[0] = s->srp_ctx.N;
1712 r[1] = s->srp_ctx.g;
1713 r[2] = s->srp_ctx.s;
1714 r[3] = s->srp_ctx.B;
1715 } else
1827#endif 1716#endif
1828 { 1717 {
1829 al=SSL_AD_HANDSHAKE_FAILURE; 1718 al = SSL_AD_HANDSHAKE_FAILURE;
1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1719 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1831 goto f_err; 1720 goto f_err;
1832 } 1721 }
1833 for (i=0; i < 4 && r[i] != NULL; i++) 1722 for (i = 0; i < 4 && r[i] != NULL; i++) {
1834 { 1723 nr[i] = BN_num_bytes(r[i]);
1835 nr[i]=BN_num_bytes(r[i]);
1836#ifndef OPENSSL_NO_SRP 1724#ifndef OPENSSL_NO_SRP
1837 if ((i == 2) && (type & SSL_kSRP)) 1725 if ((i == 2) && (type & SSL_kSRP))
1838 n+=1+nr[i]; 1726 n += 1 + nr[i];
1839 else 1727 else
1840#endif 1728#endif
1841 n+=2+nr[i]; 1729 n += 2 + nr[i];
1842 } 1730 }
1843 1731
1844 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1732 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
1845 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1733 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1846 { 1734 if ((pkey = ssl_get_sign_pkey(
1847 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) 1735 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1848 == NULL) 1736 al = SSL_AD_DECODE_ERROR;
1849 {
1850 al=SSL_AD_DECODE_ERROR;
1851 goto f_err; 1737 goto f_err;
1852 }
1853 kn=EVP_PKEY_size(pkey);
1854 }
1855 else
1856 {
1857 pkey=NULL;
1858 kn=0;
1859 } 1738 }
1739 kn = EVP_PKEY_size(pkey);
1740 } else {
1741 pkey = NULL;
1742 kn = 0;
1743 }
1860 1744
1861 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1745 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) {
1862 { 1746 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
1863 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1864 goto err; 1747 goto err;
1865 } 1748 }
1866 d=(unsigned char *)s->init_buf->data; 1749 d = (unsigned char *)s->init_buf->data;
1867 p= &(d[4]); 1750 p = &(d[4]);
1868 1751
1869 for (i=0; i < 4 && r[i] != NULL; i++) 1752 for (i = 0; i < 4 && r[i] != NULL; i++) {
1870 {
1871#ifndef OPENSSL_NO_SRP 1753#ifndef OPENSSL_NO_SRP
1872 if ((i == 2) && (type & SSL_kSRP)) 1754 if ((i == 2) && (type & SSL_kSRP)) {
1873 {
1874 *p = nr[i]; 1755 *p = nr[i];
1875 p++; 1756 p++;
1876 } 1757 } else
1877 else
1878#endif 1758#endif
1879 s2n(nr[i],p); 1759 s2n(nr[i], p);
1880 BN_bn2bin(r[i],p); 1760 BN_bn2bin(r[i], p);
1881 p+=nr[i]; 1761 p += nr[i];
1882 } 1762 }
1883 1763
1884#ifndef OPENSSL_NO_ECDH 1764#ifndef OPENSSL_NO_ECDH
1885 if (type & SSL_kEECDH) 1765 if (type & SSL_kEECDH) {
1886 {
1887 /* XXX: For now, we only support named (not generic) curves. 1766 /* XXX: For now, we only support named (not generic) curves.
1888 * In this situation, the serverKeyExchange message has: 1767 * In this situation, the serverKeyExchange message has:
1889 * [1 byte CurveType], [2 byte CurveName] 1768 * [1 byte CurveType], [2 byte CurveName]
@@ -1898,236 +1777,220 @@ int ssl3_send_server_key_exchange(SSL *s)
1898 p += 1; 1777 p += 1;
1899 *p = encodedlen; 1778 *p = encodedlen;
1900 p += 1; 1779 p += 1;
1901 memcpy((unsigned char*)p, 1780 memcpy((unsigned char*)p,
1902 (unsigned char *)encodedPoint, 1781 (unsigned char *)encodedPoint, encodedlen);
1903 encodedlen);
1904 OPENSSL_free(encodedPoint); 1782 OPENSSL_free(encodedPoint);
1905 encodedPoint = NULL; 1783 encodedPoint = NULL;
1906 p += encodedlen; 1784 p += encodedlen;
1907 } 1785 }
1908#endif 1786#endif
1909 1787
1910#ifndef OPENSSL_NO_PSK 1788#ifndef OPENSSL_NO_PSK
1911 if (type & SSL_kPSK) 1789 if (type & SSL_kPSK) {
1912 {
1913 /* copy PSK identity hint */ 1790 /* copy PSK identity hint */
1914 s2n(strlen(s->ctx->psk_identity_hint), p); 1791 s2n(strlen(s->ctx->psk_identity_hint), p);
1792
1915 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 1793 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
1916 p+=strlen(s->ctx->psk_identity_hint); 1794 p += strlen(s->ctx->psk_identity_hint);
1917 } 1795 }
1918#endif 1796#endif
1919 1797
1920 /* not anonymous */ 1798 /* not anonymous */
1921 if (pkey != NULL) 1799 if (pkey != NULL) {
1922 {
1923 /* n is the length of the params, they start at &(d[4]) 1800 /* n is the length of the params, they start at &(d[4])
1924 * and p points to the space at the end. */ 1801 * and p points to the space at the end. */
1925#ifndef OPENSSL_NO_RSA 1802#ifndef OPENSSL_NO_RSA
1926 if (pkey->type == EVP_PKEY_RSA 1803 if (pkey->type == EVP_PKEY_RSA
1927 && TLS1_get_version(s) < TLS1_2_VERSION) 1804 && TLS1_get_version(s) < TLS1_2_VERSION) {
1928 { 1805 q = md_buf;
1929 q=md_buf; 1806 j = 0;
1930 j=0; 1807 for (num = 2; num > 0; num--) {
1931 for (num=2; num > 0; num--)
1932 {
1933 EVP_MD_CTX_set_flags(&md_ctx, 1808 EVP_MD_CTX_set_flags(&md_ctx,
1934 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1809 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1935 EVP_DigestInit_ex(&md_ctx,(num == 2) 1810 EVP_DigestInit_ex(&md_ctx,
1936 ?s->ctx->md5:s->ctx->sha1, NULL); 1811 (num == 2) ? s->ctx->md5 : s->ctx->sha1, NULL);
1937 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1812 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1938 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1813 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1939 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1814 EVP_DigestUpdate(&md_ctx, &(d[4]), n);
1940 EVP_DigestFinal_ex(&md_ctx,q, 1815 EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
1941 (unsigned int *)&i); 1816 q += i;
1942 q+=i; 1817 j += i;
1943 j+=i; 1818 }
1944 }
1945 if (RSA_sign(NID_md5_sha1, md_buf, j, 1819 if (RSA_sign(NID_md5_sha1, md_buf, j,
1946 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1820 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1947 { 1821 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
1948 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1949 goto err; 1822 goto err;
1950 }
1951 s2n(u,p);
1952 n+=u+2;
1953 } 1823 }
1954 else 1824 s2n(u, p);
1825 n += u + 2;
1826 } else
1955#endif 1827#endif
1956 if (md) 1828 if (md) {
1957 {
1958 /* For TLS1.2 and later send signature 1829 /* For TLS1.2 and later send signature
1959 * algorithm */ 1830 * algorithm */
1960 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1831 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1961 { 1832 if (!tls12_get_sigandhash(p, pkey, md)) {
1962 if (!tls12_get_sigandhash(p, pkey, md))
1963 {
1964 /* Should never happen */ 1833 /* Should never happen */
1965 al=SSL_AD_INTERNAL_ERROR; 1834 al = SSL_AD_INTERNAL_ERROR;
1966 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1835 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1967 goto f_err; 1836 goto f_err;
1968 }
1969 p+=2;
1970 } 1837 }
1838 p += 2;
1839 }
1971#ifdef SSL_DEBUG 1840#ifdef SSL_DEBUG
1972 fprintf(stderr, "Using hash %s\n", 1841 fprintf(stderr, "Using hash %s\n",
1973 EVP_MD_name(md)); 1842 EVP_MD_name(md));
1974#endif 1843#endif
1975 EVP_SignInit_ex(&md_ctx, md, NULL); 1844 EVP_SignInit_ex(&md_ctx, md, NULL);
1976 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1845 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1977 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1846 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1978 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1847 EVP_SignUpdate(&md_ctx, &(d[4]), n);
1979 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1848 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1980 (unsigned int *)&i,pkey)) 1849 (unsigned int *)&i, pkey)) {
1981 { 1850 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
1982 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP);
1983 goto err; 1851 goto err;
1984 }
1985 s2n(i,p);
1986 n+=i+2;
1987 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1988 n+= 2;
1989 } 1852 }
1990 else 1853 s2n(i, p);
1991 { 1854 n += i + 2;
1855 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1856 n += 2;
1857 } else {
1992 /* Is this error check actually needed? */ 1858 /* Is this error check actually needed? */
1993 al=SSL_AD_HANDSHAKE_FAILURE; 1859 al = SSL_AD_HANDSHAKE_FAILURE;
1994 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1860 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_PKEY_TYPE);
1995 goto f_err; 1861 goto f_err;
1996 }
1997 } 1862 }
1863 }
1998 1864
1999 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1865 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
2000 l2n3(n,d); 1866 l2n3(n, d);
2001 1867
2002 /* we should now have things packed up, so lets send 1868 /* we should now have things packed up, so lets send
2003 * it off */ 1869 * it off */
2004 s->init_num=n+4; 1870 s->init_num = n + 4;
2005 s->init_off=0; 1871 s->init_off = 0;
2006 } 1872 }
2007 1873
2008 s->state = SSL3_ST_SW_KEY_EXCH_B; 1874 s->state = SSL3_ST_SW_KEY_EXCH_B;
2009 EVP_MD_CTX_cleanup(&md_ctx); 1875 EVP_MD_CTX_cleanup(&md_ctx);
2010 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1876 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2011f_err: 1877f_err:
2012 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1878 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2013err: 1879err:
2014#ifndef OPENSSL_NO_ECDH 1880#ifndef OPENSSL_NO_ECDH
2015 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1881 if (encodedPoint != NULL)
1882 OPENSSL_free(encodedPoint);
2016 BN_CTX_free(bn_ctx); 1883 BN_CTX_free(bn_ctx);
2017#endif 1884#endif
2018 EVP_MD_CTX_cleanup(&md_ctx); 1885 EVP_MD_CTX_cleanup(&md_ctx);
2019 return(-1); 1886 return (-1);
2020 } 1887}
2021 1888
2022int ssl3_send_certificate_request(SSL *s) 1889int
2023 { 1890ssl3_send_certificate_request(SSL *s)
2024 unsigned char *p,*d; 1891{
2025 int i,j,nl,off,n; 1892 unsigned char *p, *d;
2026 STACK_OF(X509_NAME) *sk=NULL; 1893 int i, j, nl, off, n;
1894 STACK_OF(X509_NAME) *sk = NULL;
2027 X509_NAME *name; 1895 X509_NAME *name;
2028 BUF_MEM *buf; 1896 BUF_MEM *buf;
2029 1897
2030 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1898 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
2031 { 1899 buf = s->init_buf;
2032 buf=s->init_buf;
2033 1900
2034 d=p=(unsigned char *)&(buf->data[4]); 1901 d = p = (unsigned char *)&(buf->data[4]);
2035 1902
2036 /* get the list of acceptable cert types */ 1903 /* get the list of acceptable cert types */
2037 p++; 1904 p++;
2038 n=ssl3_get_req_cert_type(s,p); 1905 n = ssl3_get_req_cert_type(s, p);
2039 d[0]=n; 1906 d[0] = n;
2040 p+=n; 1907 p += n;
2041 n++; 1908 n++;
2042 1909
2043 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1910 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2044 {
2045 nl = tls12_get_req_sig_algs(s, p + 2); 1911 nl = tls12_get_req_sig_algs(s, p + 2);
2046 s2n(nl, p); 1912 s2n(nl, p);
2047 p += nl + 2; 1913 p += nl + 2;
2048 n += nl + 2; 1914 n += nl + 2;
2049 } 1915 }
2050
2051 off=n;
2052 p+=2;
2053 n+=2;
2054 1916
2055 sk=SSL_get_client_CA_list(s); 1917 off = n;
2056 nl=0; 1918 p += 2;
2057 if (sk != NULL) 1919 n += 2;
2058 { 1920
2059 for (i=0; i<sk_X509_NAME_num(sk); i++) 1921 sk = SSL_get_client_CA_list(s);
2060 { 1922 nl = 0;
2061 name=sk_X509_NAME_value(sk,i); 1923 if (sk != NULL) {
2062 j=i2d_X509_NAME(name,NULL); 1924 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2063 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1925 name = sk_X509_NAME_value(sk, i);
2064 { 1926 j = i2d_X509_NAME(name, NULL);
2065 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1927 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) {
1928 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB);
2066 goto err; 1929 goto err;
2067 } 1930 }
2068 p=(unsigned char *)&(buf->data[4+n]); 1931 p = (unsigned char *)&(buf->data[4 + n]);
2069 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1932 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
2070 { 1933 s2n(j, p);
2071 s2n(j,p); 1934 i2d_X509_NAME(name, &p);
2072 i2d_X509_NAME(name,&p); 1935 n += 2 + j;
2073 n+=2+j; 1936 nl += 2 + j;
2074 nl+=2+j; 1937 } else {
2075 } 1938 d = p;
2076 else 1939 i2d_X509_NAME(name, &p);
2077 { 1940 j -= 2;
2078 d=p; 1941 s2n(j, d);
2079 i2d_X509_NAME(name,&p); 1942 j += 2;
2080 j-=2; s2n(j,d); j+=2; 1943 n += j;
2081 n+=j; 1944 nl += j;
2082 nl+=j;
2083 }
2084 } 1945 }
2085 } 1946 }
1947 }
2086 /* else no CA names */ 1948 /* else no CA names */
2087 p=(unsigned char *)&(buf->data[4+off]); 1949 p = (unsigned char *)&(buf->data[4 + off]);
2088 s2n(nl,p); 1950 s2n(nl, p);
2089 1951
2090 d=(unsigned char *)buf->data; 1952 d = (unsigned char *)buf->data;
2091 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1953 *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
2092 l2n3(n,d); 1954 l2n3(n, d);
2093 1955
2094 /* we should now have things packed up, so lets send 1956 /* we should now have things packed up, so lets send
2095 * it off */ 1957 * it off */
2096 1958
2097 s->init_num=n+4; 1959 s->init_num = n + 4;
2098 s->init_off=0; 1960 s->init_off = 0;
2099#ifdef NETSCAPE_HANG_BUG 1961#ifdef NETSCAPE_HANG_BUG
2100 p=(unsigned char *)s->init_buf->data + s->init_num; 1962 p = (unsigned char *)s->init_buf->data + s->init_num;
2101 1963
2102 /* do the header */ 1964 /* do the header */
2103 *(p++)=SSL3_MT_SERVER_DONE; 1965 *(p++) = SSL3_MT_SERVER_DONE;
2104 *(p++)=0; 1966 *(p++) = 0;
2105 *(p++)=0; 1967 *(p++) = 0;
2106 *(p++)=0; 1968 *(p++) = 0;
2107 s->init_num += 4; 1969 s->init_num += 4;
2108#endif 1970#endif
2109 1971
2110 s->state = SSL3_ST_SW_CERT_REQ_B; 1972 s->state = SSL3_ST_SW_CERT_REQ_B;
2111 } 1973 }
2112 1974
2113 /* SSL3_ST_SW_CERT_REQ_B */ 1975 /* SSL3_ST_SW_CERT_REQ_B */
2114 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1976 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2115err: 1977err:
2116 return(-1); 1978 return (-1);
2117 } 1979}
2118 1980
2119int ssl3_get_client_key_exchange(SSL *s) 1981int
2120 { 1982ssl3_get_client_key_exchange(SSL *s)
2121 int i,al,ok; 1983{
1984 int i, al, ok;
2122 long n; 1985 long n;
2123 unsigned long alg_k; 1986 unsigned long alg_k;
2124 unsigned char *p; 1987 unsigned char *p;
2125#ifndef OPENSSL_NO_RSA 1988#ifndef OPENSSL_NO_RSA
2126 RSA *rsa=NULL; 1989 RSA *rsa = NULL;
2127 EVP_PKEY *pkey=NULL; 1990 EVP_PKEY *pkey = NULL;
2128#endif 1991#endif
2129#ifndef OPENSSL_NO_DH 1992#ifndef OPENSSL_NO_DH
2130 BIGNUM *pub=NULL; 1993 BIGNUM *pub = NULL;
2131 DH *dh_srvr; 1994 DH *dh_srvr;
2132#endif 1995#endif
2133#ifndef OPENSSL_NO_KRB5 1996#ifndef OPENSSL_NO_KRB5
@@ -2138,83 +2001,67 @@ int ssl3_get_client_key_exchange(SSL *s)
2138 EC_KEY *srvr_ecdh = NULL; 2001 EC_KEY *srvr_ecdh = NULL;
2139 EVP_PKEY *clnt_pub_pkey = NULL; 2002 EVP_PKEY *clnt_pub_pkey = NULL;
2140 EC_POINT *clnt_ecpoint = NULL; 2003 EC_POINT *clnt_ecpoint = NULL;
2141 BN_CTX *bn_ctx = NULL; 2004 BN_CTX *bn_ctx = NULL;
2142#endif
2143 2005
2144 n=s->method->ssl_get_message(s, 2006#endif
2145 SSL3_ST_SR_KEY_EXCH_A,
2146 SSL3_ST_SR_KEY_EXCH_B,
2147 SSL3_MT_CLIENT_KEY_EXCHANGE,
2148 2048, /* ??? */
2149 &ok);
2150 2007
2151 if (!ok) return((int)n); 2008 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
2152 p=(unsigned char *)s->init_msg; 2009 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
2010 2048, /* ??? */ &ok);
2011 if (!ok)
2012 return ((int)n);
2013 p = (unsigned char *)s->init_msg;
2153 2014
2154 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2015 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2155 2016
2156#ifndef OPENSSL_NO_RSA 2017#ifndef OPENSSL_NO_RSA
2157 if (alg_k & SSL_kRSA) 2018 if (alg_k & SSL_kRSA) {
2158 {
2159 /* FIX THIS UP EAY EAY EAY EAY */ 2019 /* FIX THIS UP EAY EAY EAY EAY */
2160 if (s->s3->tmp.use_rsa_tmp) 2020 if (s->s3->tmp.use_rsa_tmp) {
2161 {
2162 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2021 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
2163 rsa=s->cert->rsa_tmp; 2022 rsa = s->cert->rsa_tmp;
2164 /* Don't do a callback because rsa_tmp should 2023 /* Don't do a callback because rsa_tmp should
2165 * be sent already */ 2024 * be sent already */
2166 if (rsa == NULL) 2025 if (rsa == NULL) {
2167 { 2026 al = SSL_AD_HANDSHAKE_FAILURE;
2168 al=SSL_AD_HANDSHAKE_FAILURE; 2027 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_PKEY);
2169 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
2170 goto f_err; 2028 goto f_err;
2171 2029
2172 }
2173 } 2030 }
2174 else 2031 } else {
2175 { 2032 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
2176 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 2033 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
2177 if ( (pkey == NULL) || 2034 (pkey->pkey.rsa == NULL)) {
2178 (pkey->type != EVP_PKEY_RSA) || 2035 al = SSL_AD_HANDSHAKE_FAILURE;
2179 (pkey->pkey.rsa == NULL)) 2036 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_RSA_CERTIFICATE);
2180 {
2181 al=SSL_AD_HANDSHAKE_FAILURE;
2182 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
2183 goto f_err; 2037 goto f_err;
2184 }
2185 rsa=pkey->pkey.rsa;
2186 } 2038 }
2039 rsa = pkey->pkey.rsa;
2040 }
2187 2041
2188 /* TLS and [incidentally] DTLS{0xFEFF} */ 2042 /* TLS and [incidentally] DTLS{0xFEFF} */
2189 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) 2043 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
2190 { 2044 n2s(p, i);
2191 n2s(p,i); 2045 if (n != i + 2) {
2192 if (n != i+2) 2046 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
2193 { 2047 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2194 if (!(s->options & SSL_OP_TLS_D5_BUG))
2195 {
2196 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2197 goto err; 2048 goto err;
2198 } 2049 } else
2199 else 2050 p -= 2;
2200 p-=2; 2051 } else
2201 } 2052 n = i;
2202 else 2053 }
2203 n=i;
2204 }
2205 2054
2206 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 2055 i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
2207 2056
2208 al = -1; 2057 al = -1;
2209 2058
2210 if (i != SSL_MAX_MASTER_KEY_LENGTH) 2059 if (i != SSL_MAX_MASTER_KEY_LENGTH) {
2211 { 2060 al = SSL_AD_DECODE_ERROR;
2212 al=SSL_AD_DECODE_ERROR;
2213 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 2061 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
2214 } 2062 }
2215 2063
2216 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 2064 if ((al == -1) && !((p[0] == (s->client_version >> 8)) && (p[1] == (s->client_version & 0xff)))) {
2217 {
2218 /* The premaster secret must contain the same version number as the 2065 /* The premaster secret must contain the same version number as the
2219 * ClientHello to detect version rollback attacks (strangely, the 2066 * ClientHello to detect version rollback attacks (strangely, the
2220 * protocol does not offer such protection for DH ciphersuites). 2067 * protocol does not offer such protection for DH ciphersuites).
@@ -2223,9 +2070,8 @@ int ssl3_get_client_key_exchange(SSL *s)
2223 * protocol version. 2070 * protocol version.
2224 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 2071 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
2225 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 2072 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
2226 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 2073 (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) {
2227 { 2074 al = SSL_AD_DECODE_ERROR;
2228 al=SSL_AD_DECODE_ERROR;
2229 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2075 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2230 2076
2231 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2077 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
@@ -2235,11 +2081,10 @@ int ssl3_get_client_key_exchange(SSL *s)
2235 * made up by the adversary is properly formatted except 2081 * made up by the adversary is properly formatted except
2236 * that the version number is wrong. To avoid such attacks, 2082 * that the version number is wrong. To avoid such attacks,
2237 * we should treat this just like any other decryption error. */ 2083 * we should treat this just like any other decryption error. */
2238 }
2239 } 2084 }
2085 }
2240 2086
2241 if (al != -1) 2087 if (al != -1) {
2242 {
2243 /* Some decryption failure -- use random value instead as countermeasure 2088 /* Some decryption failure -- use random value instead as countermeasure
2244 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 2089 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
2245 * (see RFC 2246, section 7.4.7.1). */ 2090 * (see RFC 2246, section 7.4.7.1). */
@@ -2249,83 +2094,69 @@ int ssl3_get_client_key_exchange(SSL *s)
2249 p[1] = s->client_version & 0xff; 2094 p[1] = s->client_version & 0xff;
2250 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 2095 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
2251 goto err; 2096 goto err;
2252 }
2253
2254 s->session->master_key_length=
2255 s->method->ssl3_enc->generate_master_secret(s,
2256 s->session->master_key,
2257 p,i);
2258 OPENSSL_cleanse(p,i);
2259 } 2097 }
2260 else 2098
2099 s->session->master_key_length =
2100 s->method->ssl3_enc->generate_master_secret(s,
2101 s->session->master_key,
2102 p, i);
2103 OPENSSL_cleanse(p, i);
2104 } else
2261#endif 2105#endif
2262#ifndef OPENSSL_NO_DH 2106#ifndef OPENSSL_NO_DH
2263 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2107 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2264 { 2108 n2s(p, i);
2265 n2s(p,i); 2109 if (n != i + 2) {
2266 if (n != i+2) 2110 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
2267 { 2111 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2268 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
2269 {
2270 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2271 goto err; 2112 goto err;
2272 } 2113 } else {
2273 else 2114 p -= 2;
2274 { 2115 i = (int)n;
2275 p-=2;
2276 i=(int)n;
2277 }
2278 } 2116 }
2117 }
2279 2118
2280 if (n == 0L) /* the parameters are in the cert */ 2119 if (n == 0L) /* the parameters are in the cert */
2281 { 2120 {
2282 al=SSL_AD_HANDSHAKE_FAILURE; 2121 al = SSL_AD_HANDSHAKE_FAILURE;
2283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2122 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_DECODE_DH_CERTS);
2284 goto f_err; 2123 goto f_err;
2285 } 2124 } else {
2286 else 2125 if (s->s3->tmp.dh == NULL) {
2287 { 2126 al = SSL_AD_HANDSHAKE_FAILURE;
2288 if (s->s3->tmp.dh == NULL) 2127 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
2289 {
2290 al=SSL_AD_HANDSHAKE_FAILURE;
2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
2292 goto f_err; 2128 goto f_err;
2293 } 2129 } else
2294 else 2130 dh_srvr = s->s3->tmp.dh;
2295 dh_srvr=s->s3->tmp.dh; 2131 }
2296 }
2297 2132
2298 pub=BN_bin2bn(p,i,NULL); 2133 pub = BN_bin2bn(p, i, NULL);
2299 if (pub == NULL) 2134 if (pub == NULL) {
2300 { 2135 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
2302 goto err; 2136 goto err;
2303 } 2137 }
2304 2138
2305 i=DH_compute_key(p,pub,dh_srvr); 2139 i = DH_compute_key(p, pub, dh_srvr);
2306 2140
2307 if (i <= 0) 2141 if (i <= 0) {
2308 { 2142 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2309 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2310 BN_clear_free(pub); 2143 BN_clear_free(pub);
2311 goto err; 2144 goto err;
2312 } 2145 }
2313 2146
2314 DH_free(s->s3->tmp.dh); 2147 DH_free(s->s3->tmp.dh);
2315 s->s3->tmp.dh=NULL; 2148 s->s3->tmp.dh = NULL;
2316 2149
2317 BN_clear_free(pub); 2150 BN_clear_free(pub);
2318 pub=NULL; 2151 pub = NULL;
2319 s->session->master_key_length= 2152 s->session->master_key_length =
2320 s->method->ssl3_enc->generate_master_secret(s, 2153 s->method->ssl3_enc->generate_master_secret(
2321 s->session->master_key,p,i); 2154 s, s->session->master_key, p, i);
2322 OPENSSL_cleanse(p,i); 2155 OPENSSL_cleanse(p, i);
2323 } 2156 } else
2324 else
2325#endif 2157#endif
2326#ifndef OPENSSL_NO_KRB5 2158#ifndef OPENSSL_NO_KRB5
2327 if (alg_k & SSL_kKRB5) 2159 if (alg_k & SSL_kKRB5) {
2328 {
2329 krb5_error_code krb5rc; 2160 krb5_error_code krb5rc;
2330 krb5_data enc_ticket; 2161 krb5_data enc_ticket;
2331 krb5_data authenticator; 2162 krb5_data authenticator;
@@ -2335,100 +2166,94 @@ int ssl3_get_client_key_exchange(SSL *s)
2335 const EVP_CIPHER *enc = NULL; 2166 const EVP_CIPHER *enc = NULL;
2336 unsigned char iv[EVP_MAX_IV_LENGTH]; 2167 unsigned char iv[EVP_MAX_IV_LENGTH];
2337 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2168 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
2338 + EVP_MAX_BLOCK_LENGTH]; 2169 + EVP_MAX_BLOCK_LENGTH];
2339 int padl, outl; 2170 int padl, outl;
2340 krb5_timestamp authtime = 0; 2171 krb5_timestamp authtime = 0;
2341 krb5_ticket_times ttimes; 2172 krb5_ticket_times ttimes;
2342 2173
2343 EVP_CIPHER_CTX_init(&ciph_ctx); 2174 EVP_CIPHER_CTX_init(&ciph_ctx);
2344 2175
2345 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2176 if (!kssl_ctx)
2177 kssl_ctx = kssl_ctx_new();
2346 2178
2347 n2s(p,i); 2179 n2s(p, i);
2348 enc_ticket.length = i; 2180 enc_ticket.length = i;
2349 2181
2350 if (n < (long)(enc_ticket.length + 6)) 2182 if (n < (long)(enc_ticket.length + 6)) {
2351 {
2352 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2183 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2353 SSL_R_DATA_LENGTH_TOO_LONG); 2184 SSL_R_DATA_LENGTH_TOO_LONG);
2354 goto err; 2185 goto err;
2355 } 2186 }
2356 2187
2357 enc_ticket.data = (char *)p; 2188 enc_ticket.data = (char *)p;
2358 p+=enc_ticket.length; 2189 p += enc_ticket.length;
2359 2190
2360 n2s(p,i); 2191 n2s(p, i);
2361 authenticator.length = i; 2192 authenticator.length = i;
2362 2193
2363 if (n < (long)(enc_ticket.length + authenticator.length + 6)) 2194 if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
2364 {
2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2195 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2366 SSL_R_DATA_LENGTH_TOO_LONG); 2196 SSL_R_DATA_LENGTH_TOO_LONG);
2367 goto err; 2197 goto err;
2368 } 2198 }
2369 2199
2370 authenticator.data = (char *)p; 2200 authenticator.data = (char *)p;
2371 p+=authenticator.length; 2201 p += authenticator.length;
2372 2202
2373 n2s(p,i); 2203 n2s(p, i);
2374 enc_pms.length = i; 2204 enc_pms.length = i;
2375 enc_pms.data = (char *)p; 2205 enc_pms.data = (char *)p;
2376 p+=enc_pms.length; 2206 p += enc_pms.length;
2377 2207
2378 /* Note that the length is checked again below, 2208 /* Note that the length is checked again below,
2379 ** after decryption 2209 ** after decryption
2380 */ 2210 */
2381 if(enc_pms.length > sizeof pms) 2211 if (enc_pms.length > sizeof pms) {
2382 {
2383 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2212 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2384 SSL_R_DATA_LENGTH_TOO_LONG); 2213 SSL_R_DATA_LENGTH_TOO_LONG);
2385 goto err; 2214 goto err;
2386 } 2215 }
2387 2216
2388 if (n != (long)(enc_ticket.length + authenticator.length + 2217 if (n != (long)(enc_ticket.length + authenticator.length +
2389 enc_pms.length + 6)) 2218 enc_pms.length + 6)) {
2390 {
2391 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2392 SSL_R_DATA_LENGTH_TOO_LONG); 2220 SSL_R_DATA_LENGTH_TOO_LONG);
2393 goto err; 2221 goto err;
2394 } 2222 }
2395 2223
2396 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2224 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2397 &kssl_err)) != 0) 2225 &kssl_err)) != 0) {
2398 {
2399#ifdef KSSL_DEBUG 2226#ifdef KSSL_DEBUG
2400 printf("kssl_sget_tkt rtn %d [%d]\n", 2227 printf("kssl_sget_tkt rtn %d [%d]\n",
2401 krb5rc, kssl_err.reason); 2228 krb5rc, kssl_err.reason);
2402 if (kssl_err.text) 2229 if (kssl_err.text)
2403 printf("kssl_err text= %s\n", kssl_err.text); 2230 printf("kssl_err text= %s\n", kssl_err.text);
2404#endif /* KSSL_DEBUG */ 2231#endif /* KSSL_DEBUG */
2405 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2232 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2406 kssl_err.reason); 2233 kssl_err.reason);
2407 goto err; 2234 goto err;
2408 } 2235 }
2409 2236
2410 /* Note: no authenticator is not considered an error, 2237 /* Note: no authenticator is not considered an error,
2411 ** but will return authtime == 0. 2238 ** but will return authtime == 0.
2412 */ 2239 */
2413 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2240 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
2414 &authtime, &kssl_err)) != 0) 2241 &authtime, &kssl_err)) != 0) {
2415 {
2416#ifdef KSSL_DEBUG 2242#ifdef KSSL_DEBUG
2417 printf("kssl_check_authent rtn %d [%d]\n", 2243 printf("kssl_check_authent rtn %d [%d]\n",
2418 krb5rc, kssl_err.reason); 2244 krb5rc, kssl_err.reason);
2419 if (kssl_err.text) 2245 if (kssl_err.text)
2420 printf("kssl_err text= %s\n", kssl_err.text); 2246 printf("kssl_err text= %s\n", kssl_err.text);
2421#endif /* KSSL_DEBUG */ 2247#endif /* KSSL_DEBUG */
2422 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2248 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2423 kssl_err.reason); 2249 kssl_err.reason);
2424 goto err; 2250 goto err;
2425 } 2251 }
2426 2252
2427 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2253 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
2428 {
2429 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2254 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2430 goto err; 2255 goto err;
2431 } 2256 }
2432 2257
2433#ifdef KSSL_DEBUG 2258#ifdef KSSL_DEBUG
2434 kssl_ctx_show(kssl_ctx); 2259 kssl_ctx_show(kssl_ctx);
@@ -2436,44 +2261,38 @@ int ssl3_get_client_key_exchange(SSL *s)
2436 2261
2437 enc = kssl_map_enc(kssl_ctx->enctype); 2262 enc = kssl_map_enc(kssl_ctx->enctype);
2438 if (enc == NULL) 2263 if (enc == NULL)
2439 goto err; 2264 goto err;
2440 2265
2441 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2266 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2442 2267
2443 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2268 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) {
2444 {
2445 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2446 SSL_R_DECRYPTION_FAILED); 2270 SSL_R_DECRYPTION_FAILED);
2447 goto err; 2271 goto err;
2448 } 2272 }
2449 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2273 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
2450 (unsigned char *)enc_pms.data, enc_pms.length)) 2274 (unsigned char *)enc_pms.data, enc_pms.length)) {
2451 {
2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2275 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2453 SSL_R_DECRYPTION_FAILED); 2276 SSL_R_DECRYPTION_FAILED);
2454 goto err; 2277 goto err;
2455 } 2278 }
2456 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2279 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2457 {
2458 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2280 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2459 SSL_R_DATA_LENGTH_TOO_LONG); 2281 SSL_R_DATA_LENGTH_TOO_LONG);
2460 goto err; 2282 goto err;
2461 } 2283 }
2462 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2284 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
2463 {
2464 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2285 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2465 SSL_R_DECRYPTION_FAILED); 2286 SSL_R_DECRYPTION_FAILED);
2466 goto err; 2287 goto err;
2467 } 2288 }
2468 outl += padl; 2289 outl += padl;
2469 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2290 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2470 {
2471 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2472 SSL_R_DATA_LENGTH_TOO_LONG); 2292 SSL_R_DATA_LENGTH_TOO_LONG);
2473 goto err; 2293 goto err;
2474 } 2294 }
2475 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2295 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
2476 {
2477 /* The premaster secret must contain the same version number as the 2296 /* The premaster secret must contain the same version number as the
2478 * ClientHello to detect version rollback attacks (strangely, the 2297 * ClientHello to detect version rollback attacks (strangely, the
2479 * protocol does not offer such protection for DH ciphersuites). 2298 * protocol does not offer such protection for DH ciphersuites).
@@ -2482,29 +2301,26 @@ int ssl3_get_client_key_exchange(SSL *s)
2482 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2301 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2483 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2302 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2484 */ 2303 */
2485 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2304 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
2486 { 2305 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2487 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2306 SSL_AD_DECODE_ERROR);
2488 SSL_AD_DECODE_ERROR); 2307 goto err;
2489 goto err;
2490 } 2308 }
2491 } 2309 }
2492 2310
2493 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2311 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2494 2312
2495 s->session->master_key_length= 2313 s->session->master_key_length =
2496 s->method->ssl3_enc->generate_master_secret(s, 2314 s->method->ssl3_enc->generate_master_secret(s,
2497 s->session->master_key, pms, outl); 2315 s->session->master_key, pms, outl);
2498 2316
2499 if (kssl_ctx->client_princ) 2317 if (kssl_ctx->client_princ) {
2500 {
2501 size_t len = strlen(kssl_ctx->client_princ); 2318 size_t len = strlen(kssl_ctx->client_princ);
2502 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2319 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
2503 {
2504 s->session->krb5_client_princ_len = len; 2320 s->session->krb5_client_princ_len = len;
2505 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2321 memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ, len);
2506 }
2507 } 2322 }
2323 }
2508 2324
2509 2325
2510 /* Was doing kssl_ctx_free() here, 2326 /* Was doing kssl_ctx_free() here,
@@ -2512,13 +2328,11 @@ int ssl3_get_client_key_exchange(SSL *s)
2512 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2328 ** kssl_ctx = kssl_ctx_free(kssl_ctx);
2513 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2329 ** if (s->kssl_ctx) s->kssl_ctx = NULL;
2514 */ 2330 */
2515 } 2331 } else
2516 else
2517#endif /* OPENSSL_NO_KRB5 */ 2332#endif /* OPENSSL_NO_KRB5 */
2518 2333
2519#ifndef OPENSSL_NO_ECDH 2334#ifndef OPENSSL_NO_ECDH
2520 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2335 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2521 {
2522 int ret = 1; 2336 int ret = 1;
2523 int field_size = 0; 2337 int field_size = 0;
2524 const EC_KEY *tkey; 2338 const EC_KEY *tkey;
@@ -2526,60 +2340,51 @@ int ssl3_get_client_key_exchange(SSL *s)
2526 const BIGNUM *priv_key; 2340 const BIGNUM *priv_key;
2527 2341
2528 /* initialize structures for server's ECDH key pair */ 2342 /* initialize structures for server's ECDH key pair */
2529 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2343 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
2530 {
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2344 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 ERR_R_MALLOC_FAILURE); 2345 ERR_R_MALLOC_FAILURE);
2533 goto err; 2346 goto err;
2534 } 2347 }
2535 2348
2536 /* Let's get server private key and group information */ 2349 /* Let's get server private key and group information */
2537 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) 2350 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
2538 {
2539 /* use the certificate */ 2351 /* use the certificate */
2540 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2352 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2541 } 2353 } else {
2542 else
2543 {
2544 /* use the ephermeral values we saved when 2354 /* use the ephermeral values we saved when
2545 * generating the ServerKeyExchange msg. 2355 * generating the ServerKeyExchange msg.
2546 */ 2356 */
2547 tkey = s->s3->tmp.ecdh; 2357 tkey = s->s3->tmp.ecdh;
2548 } 2358 }
2549 2359
2550 group = EC_KEY_get0_group(tkey); 2360 group = EC_KEY_get0_group(tkey);
2551 priv_key = EC_KEY_get0_private_key(tkey); 2361 priv_key = EC_KEY_get0_private_key(tkey);
2552 2362
2553 if (!EC_KEY_set_group(srvr_ecdh, group) || 2363 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2554 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2364 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
2555 {
2556 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2557 ERR_R_EC_LIB); 2366 ERR_R_EC_LIB);
2558 goto err; 2367 goto err;
2559 } 2368 }
2560 2369
2561 /* Let's get client's public key */ 2370 /* Let's get client's public key */
2562 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2371 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
2563 {
2564 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2372 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2565 ERR_R_MALLOC_FAILURE); 2373 ERR_R_MALLOC_FAILURE);
2566 goto err; 2374 goto err;
2567 } 2375 }
2568 2376
2569 if (n == 0L) 2377 if (n == 0L) {
2570 {
2571 /* Client Publickey was in Client Certificate */ 2378 /* Client Publickey was in Client Certificate */
2572 2379
2573 if (alg_k & SSL_kEECDH) 2380 if (alg_k & SSL_kEECDH) {
2574 { 2381 al = SSL_AD_HANDSHAKE_FAILURE;
2575 al=SSL_AD_HANDSHAKE_FAILURE; 2382 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
2576 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2383 goto f_err;
2577 goto f_err; 2384 }
2578 } 2385 if (((clnt_pub_pkey = X509_get_pubkey(
2579 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2386 s->session->peer)) == NULL) ||
2580 == NULL) || 2387 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2581 (clnt_pub_pkey->type != EVP_PKEY_EC))
2582 {
2583 /* XXX: For now, we do not support client 2388 /* XXX: For now, we do not support client
2584 * authentication using ECDH certificates 2389 * authentication using ECDH certificates
2585 * so this branch (n == 0L) of the code is 2390 * so this branch (n == 0L) of the code is
@@ -2591,771 +2396,680 @@ int ssl3_get_client_key_exchange(SSL *s)
2591 * the two ECDH shares are for the same 2396 * the two ECDH shares are for the same
2592 * group. 2397 * group.
2593 */ 2398 */
2594 al=SSL_AD_HANDSHAKE_FAILURE; 2399 al = SSL_AD_HANDSHAKE_FAILURE;
2595 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2400 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2596 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2401 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2597 goto f_err; 2402 goto f_err;
2598 } 2403 }
2599 2404
2600 if (EC_POINT_copy(clnt_ecpoint, 2405 if (EC_POINT_copy(clnt_ecpoint,
2601 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2406 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) {
2602 {
2603 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2407 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2604 ERR_R_EC_LIB); 2408 ERR_R_EC_LIB);
2605 goto err; 2409 goto err;
2606 }
2607 ret = 2; /* Skip certificate verify processing */
2608 } 2410 }
2609 else 2411 ret = 2; /* Skip certificate verify processing */
2610 { 2412 } else {
2611 /* Get client's public key from encoded point 2413 /* Get client's public key from encoded point
2612 * in the ClientKeyExchange message. 2414 * in the ClientKeyExchange message.
2613 */ 2415 */
2614 if ((bn_ctx = BN_CTX_new()) == NULL) 2416 if ((bn_ctx = BN_CTX_new()) == NULL) {
2615 {
2616 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2417 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2617 ERR_R_MALLOC_FAILURE); 2418 ERR_R_MALLOC_FAILURE);
2618 goto err; 2419 goto err;
2619 } 2420 }
2620 2421
2621 /* Get encoded point length */ 2422 /* Get encoded point length */
2622 i = *p; 2423 i = *p;
2424
2623 p += 1; 2425 p += 1;
2624 if (n != 1 + i) 2426 if (n != 1 + i) {
2625 {
2626 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2427 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2627 ERR_R_EC_LIB); 2428 ERR_R_EC_LIB);
2628 goto err; 2429 goto err;
2629 } 2430 }
2630 if (EC_POINT_oct2point(group, 2431 if (EC_POINT_oct2point(group,
2631 clnt_ecpoint, p, i, bn_ctx) == 0) 2432 clnt_ecpoint, p, i, bn_ctx) == 0) {
2632 {
2633 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2433 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2634 ERR_R_EC_LIB); 2434 ERR_R_EC_LIB);
2635 goto err; 2435 goto err;
2636 } 2436 }
2637 /* p is pointing to somewhere in the buffer 2437 /* p is pointing to somewhere in the buffer
2638 * currently, so set it to the start 2438 * currently, so set it to the start
2639 */ 2439 */
2640 p=(unsigned char *)s->init_buf->data; 2440 p = (unsigned char *)s->init_buf->data;
2641 } 2441 }
2642 2442
2643 /* Compute the shared pre-master secret */ 2443 /* Compute the shared pre-master secret */
2644 field_size = EC_GROUP_get_degree(group); 2444 field_size = EC_GROUP_get_degree(group);
2645 if (field_size <= 0) 2445 if (field_size <= 0) {
2646 { 2446 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2647 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2447 ERR_R_ECDH_LIB);
2648 ERR_R_ECDH_LIB);
2649 goto err; 2448 goto err;
2650 } 2449 }
2651 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2450 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2652 if (i <= 0) 2451 if (i <= 0) {
2653 {
2654 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2655 ERR_R_ECDH_LIB); 2453 ERR_R_ECDH_LIB);
2656 goto err; 2454 goto err;
2657 } 2455 }
2658 2456
2659 EVP_PKEY_free(clnt_pub_pkey); 2457 EVP_PKEY_free(clnt_pub_pkey);
2660 EC_POINT_free(clnt_ecpoint); 2458 EC_POINT_free(clnt_ecpoint);
2661 EC_KEY_free(srvr_ecdh); 2459 EC_KEY_free(srvr_ecdh);
2662 BN_CTX_free(bn_ctx); 2460 BN_CTX_free(bn_ctx);
2663 EC_KEY_free(s->s3->tmp.ecdh); 2461 EC_KEY_free(s->s3->tmp.ecdh);
2664 s->s3->tmp.ecdh = NULL; 2462 s->s3->tmp.ecdh = NULL;
2463
2665 2464
2666 /* Compute the master secret */ 2465 /* Compute the master secret */
2667 s->session->master_key_length = s->method->ssl3_enc-> \ 2466 s->session->master_key_length = s->method->ssl3_enc-> \
2668 generate_master_secret(s, s->session->master_key, p, i); 2467 generate_master_secret(s, s->session->master_key, p, i);
2669 2468
2670 OPENSSL_cleanse(p, i); 2469 OPENSSL_cleanse(p, i);
2671 return (ret); 2470 return (ret);
2672 } 2471 } else
2673 else
2674#endif 2472#endif
2675#ifndef OPENSSL_NO_PSK 2473#ifndef OPENSSL_NO_PSK
2676 if (alg_k & SSL_kPSK) 2474 if (alg_k & SSL_kPSK) {
2677 { 2475 unsigned char *t = NULL;
2678 unsigned char *t = NULL; 2476 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2679 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2477 unsigned int pre_ms_len = 0, psk_len = 0;
2680 unsigned int pre_ms_len = 0, psk_len = 0; 2478 int psk_err = 1;
2681 int psk_err = 1; 2479 char tmp_id[PSK_MAX_IDENTITY_LEN + 1];
2682 char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2683 2480
2684 al=SSL_AD_HANDSHAKE_FAILURE; 2481 al = SSL_AD_HANDSHAKE_FAILURE;
2685
2686 n2s(p,i);
2687 if (n != i+2)
2688 {
2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2690 SSL_R_LENGTH_MISMATCH);
2691 goto psk_err;
2692 }
2693 if (i > PSK_MAX_IDENTITY_LEN)
2694 {
2695 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2696 SSL_R_DATA_LENGTH_TOO_LONG);
2697 goto psk_err;
2698 }
2699 if (s->psk_server_callback == NULL)
2700 {
2701 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2702 SSL_R_PSK_NO_SERVER_CB);
2703 goto psk_err;
2704 }
2705 2482
2706 /* Create guaranteed NULL-terminated identity 2483 n2s(p, i);
2707 * string for the callback */ 2484 if (n != i + 2) {
2708 memcpy(tmp_id, p, i); 2485 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2709 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 2486 SSL_R_LENGTH_MISMATCH);
2710 psk_len = s->psk_server_callback(s, tmp_id, 2487 goto psk_err;
2711 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2488 }
2712 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 2489 if (i > PSK_MAX_IDENTITY_LEN) {
2490 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2491 SSL_R_DATA_LENGTH_TOO_LONG);
2492 goto psk_err;
2493 }
2494 if (s->psk_server_callback == NULL) {
2495 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2496 SSL_R_PSK_NO_SERVER_CB);
2497 goto psk_err;
2498 }
2713 2499
2714 if (psk_len > PSK_MAX_PSK_LEN) 2500 /* Create guaranteed NULL-terminated identity
2715 { 2501 * string for the callback */
2716 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2502 memcpy(tmp_id, p, i);
2717 ERR_R_INTERNAL_ERROR); 2503 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
2718 goto psk_err; 2504 psk_len = s->psk_server_callback(s, tmp_id,
2719 } 2505 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2720 else if (psk_len == 0) 2506 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
2721 {
2722 /* PSK related to the given identity not found */
2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2724 SSL_R_PSK_IDENTITY_NOT_FOUND);
2725 al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2726 goto psk_err;
2727 }
2728 2507
2729 /* create PSK pre_master_secret */ 2508 if (psk_len > PSK_MAX_PSK_LEN) {
2730 pre_ms_len=2+psk_len+2+psk_len; 2509 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2731 t = psk_or_pre_ms; 2510 ERR_R_INTERNAL_ERROR);
2732 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2511 goto psk_err;
2733 s2n(psk_len, t); 2512 } else if (psk_len == 0) {
2734 memset(t, 0, psk_len); 2513 /* PSK related to the given identity not found */
2735 t+=psk_len; 2514 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2736 s2n(psk_len, t); 2515 SSL_R_PSK_IDENTITY_NOT_FOUND);
2737 2516 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2738 if (s->session->psk_identity != NULL) 2517 goto psk_err;
2739 OPENSSL_free(s->session->psk_identity); 2518 }
2740 s->session->psk_identity = BUF_strdup((char *)p); 2519
2741 if (s->session->psk_identity == NULL) 2520 /* create PSK pre_master_secret */
2742 { 2521 pre_ms_len = 2 + psk_len + 2 + psk_len;
2743 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2522 t = psk_or_pre_ms;
2744 ERR_R_MALLOC_FAILURE); 2523 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2745 goto psk_err; 2524 s2n(psk_len, t);
2746 } 2525 memset(t, 0, psk_len);
2526 t += psk_len;
2527 s2n(psk_len, t);
2528
2529 if (s->session->psk_identity != NULL)
2530 OPENSSL_free(s->session->psk_identity);
2531 s->session->psk_identity = BUF_strdup((char *)p);
2532 if (s->session->psk_identity == NULL) {
2533 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2534 ERR_R_MALLOC_FAILURE);
2535 goto psk_err;
2536 }
2747 2537
2748 if (s->session->psk_identity_hint != NULL) 2538 if (s->session->psk_identity_hint != NULL)
2749 OPENSSL_free(s->session->psk_identity_hint); 2539 OPENSSL_free(s->session->psk_identity_hint);
2750 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2540 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2751 if (s->ctx->psk_identity_hint != NULL && 2541 if (s->ctx->psk_identity_hint != NULL &&
2752 s->session->psk_identity_hint == NULL) 2542 s->session->psk_identity_hint == NULL) {
2753 { 2543 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2754 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2544 ERR_R_MALLOC_FAILURE);
2755 ERR_R_MALLOC_FAILURE); 2545 goto psk_err;
2756 goto psk_err; 2546 }
2757 }
2758 2547
2759 s->session->master_key_length= 2548 s->session->master_key_length =
2760 s->method->ssl3_enc->generate_master_secret(s, 2549 s->method->ssl3_enc->generate_master_secret(
2761 s->session->master_key, psk_or_pre_ms, pre_ms_len); 2550 s, s->session->master_key, psk_or_pre_ms, pre_ms_len);
2762 psk_err = 0; 2551 psk_err = 0;
2763 psk_err: 2552 psk_err:
2764 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2553 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2765 if (psk_err != 0) 2554 if (psk_err != 0)
2766 goto f_err; 2555 goto f_err;
2767 } 2556 } else
2768 else
2769#endif 2557#endif
2770#ifndef OPENSSL_NO_SRP 2558#ifndef OPENSSL_NO_SRP
2771 if (alg_k & SSL_kSRP) 2559 if (alg_k & SSL_kSRP) {
2772 { 2560 int param_len;
2773 int param_len;
2774
2775 n2s(p,i);
2776 param_len=i+2;
2777 if (param_len > n)
2778 {
2779 al=SSL_AD_DECODE_ERROR;
2780 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH);
2781 goto f_err;
2782 }
2783 if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL)))
2784 {
2785 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
2786 goto err;
2787 }
2788 if (s->session->srp_username != NULL)
2789 OPENSSL_free(s->session->srp_username);
2790 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2791 if (s->session->srp_username == NULL)
2792 {
2793 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2794 ERR_R_MALLOC_FAILURE);
2795 goto err;
2796 }
2797 2561
2798 if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 2562 n2s(p, i);
2799 { 2563 param_len = i + 2;
2800 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2564 if (param_len > n) {
2801 goto err; 2565 al = SSL_AD_DECODE_ERROR;
2802 } 2566 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2567 goto f_err;
2568 }
2569 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
2570 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2571 goto err;
2572 }
2573 if (s->session->srp_username != NULL)
2574 OPENSSL_free(s->session->srp_username);
2575 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2576 if (s->session->srp_username == NULL) {
2577 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2578 ERR_R_MALLOC_FAILURE);
2579 goto err;
2580 }
2803 2581
2804 p+=i; 2582 if ((s->session->master_key_length = SRP_generate_server_master_secret(s, s->session->master_key)) < 0) {
2805 } 2583 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2806 else 2584 goto err;
2585 }
2586
2587 p += i;
2588 } else
2807#endif /* OPENSSL_NO_SRP */ 2589#endif /* OPENSSL_NO_SRP */
2808 if (alg_k & SSL_kGOST) 2590 if (alg_k & SSL_kGOST) {
2809 { 2591 int ret = 0;
2810 int ret = 0; 2592 EVP_PKEY_CTX *pkey_ctx;
2811 EVP_PKEY_CTX *pkey_ctx; 2593 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2812 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 2594 unsigned char premaster_secret[32], *start;
2813 unsigned char premaster_secret[32], *start; 2595 size_t outlen = 32, inlen;
2814 size_t outlen=32, inlen; 2596 unsigned long alg_a;
2815 unsigned long alg_a; 2597
2816 2598 /* Get our certificate private key*/
2817 /* Get our certificate private key*/ 2599 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2818 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2600 if (alg_a & SSL_aGOST94)
2819 if (alg_a & SSL_aGOST94) 2601 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
2820 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 2602 else if (alg_a & SSL_aGOST01)
2821 else if (alg_a & SSL_aGOST01) 2603 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2822 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 2604
2823 2605 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2824 pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 2606 EVP_PKEY_decrypt_init(pkey_ctx);
2825 EVP_PKEY_decrypt_init(pkey_ctx);
2826 /* If client certificate is present and is of the same type, maybe 2607 /* If client certificate is present and is of the same type, maybe
2827 * use it for key exchange. Don't mind errors from 2608 * use it for key exchange. Don't mind errors from
2828 * EVP_PKEY_derive_set_peer, because it is completely valid to use 2609 * EVP_PKEY_derive_set_peer, because it is completely valid to use
2829 * a client certificate for authorization only. */ 2610 * a client certificate for authorization only. */
2830 client_pub_pkey = X509_get_pubkey(s->session->peer); 2611 client_pub_pkey = X509_get_pubkey(s->session->peer);
2831 if (client_pub_pkey) 2612 if (client_pub_pkey) {
2832 { 2613 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2833 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2614 ERR_clear_error();
2834 ERR_clear_error(); 2615 }
2835 } 2616 /* Decrypt session key */
2836 /* Decrypt session key */ 2617 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) {
2837 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) 2618 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2838 { 2619 goto gerr;
2839 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2620 }
2840 goto gerr; 2621 if (p[1] == 0x81) {
2841 } 2622 start = p + 3;
2842 if (p[1] == 0x81) 2623 inlen = p[2];
2843 { 2624 } else if (p[1] < 0x80) {
2844 start = p+3; 2625 start = p + 2;
2845 inlen = p[2]; 2626 inlen = p[1];
2846 } 2627 } else {
2847 else if (p[1] < 0x80) 2628 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2848 { 2629 goto gerr;
2849 start = p+2; 2630 }
2850 inlen = p[1]; 2631 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <=0)
2851 } 2632
2852 else 2633 {
2853 { 2634 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2854 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2635 goto gerr;
2855 goto gerr; 2636 }
2856 } 2637 /* Generate master secret */
2857 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 2638 s->session->master_key_length =
2858 2639 s->method->ssl3_enc->generate_master_secret(
2859 { 2640 s, s->session->master_key, premaster_secret, 32);
2860 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2641 /* Check if pubkey from client certificate was used */
2861 goto gerr; 2642 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2862 } 2643 ret = 2;
2863 /* Generate master secret */ 2644 else
2864 s->session->master_key_length= 2645 ret = 1;
2865 s->method->ssl3_enc->generate_master_secret(s,
2866 s->session->master_key,premaster_secret,32);
2867 /* Check if pubkey from client certificate was used */
2868 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2869 ret = 2;
2870 else
2871 ret = 1;
2872 gerr: 2646 gerr:
2873 EVP_PKEY_free(client_pub_pkey); 2647 EVP_PKEY_free(client_pub_pkey);
2874 EVP_PKEY_CTX_free(pkey_ctx); 2648 EVP_PKEY_CTX_free(pkey_ctx);
2875 if (ret) 2649 if (ret)
2876 return ret; 2650 return ret;
2877 else
2878 goto err;
2879 }
2880 else 2651 else
2881 { 2652 goto err;
2882 al=SSL_AD_HANDSHAKE_FAILURE; 2653 } else {
2654 al = SSL_AD_HANDSHAKE_FAILURE;
2883 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2655 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2884 SSL_R_UNKNOWN_CIPHER_TYPE); 2656 SSL_R_UNKNOWN_CIPHER_TYPE);
2885 goto f_err; 2657 goto f_err;
2886 } 2658 }
2887 2659
2888 return(1); 2660 return (1);
2889f_err: 2661f_err:
2890 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2662 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2891#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP) 2663#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2892err: 2664err:
2893#endif 2665#endif
2894#ifndef OPENSSL_NO_ECDH 2666#ifndef OPENSSL_NO_ECDH
2895 EVP_PKEY_free(clnt_pub_pkey); 2667 EVP_PKEY_free(clnt_pub_pkey);
2896 EC_POINT_free(clnt_ecpoint); 2668 EC_POINT_free(clnt_ecpoint);
2897 if (srvr_ecdh != NULL) 2669 if (srvr_ecdh != NULL)
2898 EC_KEY_free(srvr_ecdh); 2670 EC_KEY_free(srvr_ecdh);
2899 BN_CTX_free(bn_ctx); 2671 BN_CTX_free(bn_ctx);
2900#endif 2672#endif
2901 return(-1); 2673 return (-1);
2902 } 2674}
2903 2675
2904int ssl3_get_cert_verify(SSL *s) 2676int
2905 { 2677ssl3_get_cert_verify(SSL *s)
2906 EVP_PKEY *pkey=NULL; 2678{
2679 EVP_PKEY *pkey = NULL;
2907 unsigned char *p; 2680 unsigned char *p;
2908 int al,ok,ret=0; 2681 int al, ok, ret = 0;
2909 long n; 2682 long n;
2910 int type=0,i,j; 2683 int type = 0, i, j;
2911 X509 *peer; 2684 X509 *peer;
2912 const EVP_MD *md = NULL; 2685 const EVP_MD *md = NULL;
2913 EVP_MD_CTX mctx; 2686 EVP_MD_CTX mctx;
2914 EVP_MD_CTX_init(&mctx); 2687 EVP_MD_CTX_init(&mctx);
2915 2688
2916 n=s->method->ssl_get_message(s, 2689 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2917 SSL3_ST_SR_CERT_VRFY_A, 2690 SSL3_ST_SR_CERT_VRFY_B, -1,
2918 SSL3_ST_SR_CERT_VRFY_B, 2691 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
2919 -1, 2692 if (!ok)
2920 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ 2693 return ((int)n);
2921 &ok); 2694
2922 2695 if (s->session->peer != NULL) {
2923 if (!ok) return((int)n); 2696 peer = s->session->peer;
2924 2697 pkey = X509_get_pubkey(peer);
2925 if (s->session->peer != NULL) 2698 type = X509_certificate_type(peer, pkey);
2926 { 2699 } else {
2927 peer=s->session->peer; 2700 peer = NULL;
2928 pkey=X509_get_pubkey(peer); 2701 pkey = NULL;
2929 type=X509_certificate_type(peer,pkey); 2702 }
2930 }
2931 else
2932 {
2933 peer=NULL;
2934 pkey=NULL;
2935 }
2936 2703
2937 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2704 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2938 { 2705 s->s3->tmp.reuse_message = 1;
2939 s->s3->tmp.reuse_message=1; 2706 if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
2940 if ((peer != NULL) && (type & EVP_PKT_SIGN)) 2707 al = SSL_AD_UNEXPECTED_MESSAGE;
2941 { 2708 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE);
2942 al=SSL_AD_UNEXPECTED_MESSAGE;
2943 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
2944 goto f_err; 2709 goto f_err;
2945 }
2946 ret=1;
2947 goto end;
2948 } 2710 }
2711 ret = 1;
2712 goto end;
2713 }
2949 2714
2950 if (peer == NULL) 2715 if (peer == NULL) {
2951 { 2716 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED);
2952 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2717 al = SSL_AD_UNEXPECTED_MESSAGE;
2953 al=SSL_AD_UNEXPECTED_MESSAGE;
2954 goto f_err; 2718 goto f_err;
2955 } 2719 }
2956 2720
2957 if (!(type & EVP_PKT_SIGN)) 2721 if (!(type & EVP_PKT_SIGN)) {
2958 { 2722 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2959 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2723 al = SSL_AD_ILLEGAL_PARAMETER;
2960 al=SSL_AD_ILLEGAL_PARAMETER;
2961 goto f_err; 2724 goto f_err;
2962 } 2725 }
2963 2726
2964 if (s->s3->change_cipher_spec) 2727 if (s->s3->change_cipher_spec) {
2965 { 2728 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY);
2966 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2729 al = SSL_AD_UNEXPECTED_MESSAGE;
2967 al=SSL_AD_UNEXPECTED_MESSAGE;
2968 goto f_err; 2730 goto f_err;
2969 } 2731 }
2970 2732
2971 /* we now have a signature that we need to verify */ 2733 /* we now have a signature that we need to verify */
2972 p=(unsigned char *)s->init_msg; 2734 p = (unsigned char *)s->init_msg;
2973 /* Check for broken implementations of GOST ciphersuites */ 2735 /* Check for broken implementations of GOST ciphersuites */
2974 /* If key is GOST and n is exactly 64, it is bare 2736 /* If key is GOST and n is exactly 64, it is bare
2975 * signature without length field */ 2737 * signature without length field */
2976 if (n==64 && (pkey->type==NID_id_GostR3410_94 || 2738 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2977 pkey->type == NID_id_GostR3410_2001) ) 2739 pkey->type == NID_id_GostR3410_2001) ) {
2978 { 2740 i = 64;
2979 i=64; 2741 } else {
2980 } 2742 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2981 else
2982 {
2983 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2984 {
2985 int sigalg = tls12_get_sigid(pkey); 2743 int sigalg = tls12_get_sigid(pkey);
2986 /* Should never happen */ 2744 /* Should never happen */
2987 if (sigalg == -1) 2745 if (sigalg == -1) {
2988 { 2746 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
2989 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2747 al = SSL_AD_INTERNAL_ERROR;
2990 al=SSL_AD_INTERNAL_ERROR;
2991 goto f_err; 2748 goto f_err;
2992 } 2749 }
2993 /* Check key type is consistent with signature */ 2750 /* Check key type is consistent with signature */
2994 if (sigalg != (int)p[1]) 2751 if (sigalg != (int)p[1]) {
2995 { 2752 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_TYPE);
2996 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE); 2753 al = SSL_AD_DECODE_ERROR;
2997 al=SSL_AD_DECODE_ERROR;
2998 goto f_err; 2754 goto f_err;
2999 } 2755 }
3000 md = tls12_get_hash(p[0]); 2756 md = tls12_get_hash(p[0]);
3001 if (md == NULL) 2757 if (md == NULL) {
3002 { 2758 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_UNKNOWN_DIGEST);
3003 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST); 2759 al = SSL_AD_DECODE_ERROR;
3004 al=SSL_AD_DECODE_ERROR;
3005 goto f_err; 2760 goto f_err;
3006 } 2761 }
3007#ifdef SSL_DEBUG 2762#ifdef SSL_DEBUG
3008fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 2763 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
3009#endif 2764#endif
3010 p += 2; 2765 p += 2;
3011 n -= 2; 2766 n -= 2;
3012 } 2767 }
3013 n2s(p,i); 2768 n2s(p, i);
3014 n-=2; 2769 n -= 2;
3015 if (i > n) 2770 if (i > n) {
3016 { 2771 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
3017 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2772 al = SSL_AD_DECODE_ERROR;
3018 al=SSL_AD_DECODE_ERROR;
3019 goto f_err; 2773 goto f_err;
3020 }
3021 }
3022 j=EVP_PKEY_size(pkey);
3023 if ((i > j) || (n > j) || (n <= 0))
3024 {
3025 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
3026 al=SSL_AD_DECODE_ERROR;
3027 goto f_err;
3028 } 2774 }
2775 }
2776 j = EVP_PKEY_size(pkey);
2777 if ((i > j) || (n > j) || (n <= 0)) {
2778 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2779 al = SSL_AD_DECODE_ERROR;
2780 goto f_err;
2781 }
3029 2782
3030 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2783 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
3031 {
3032 long hdatalen = 0; 2784 long hdatalen = 0;
3033 void *hdata; 2785 void *hdata;
3034 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 2786 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
3035 if (hdatalen <= 0) 2787 if (hdatalen <= 0) {
3036 {
3037 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2788 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3038 al=SSL_AD_INTERNAL_ERROR; 2789 al = SSL_AD_INTERNAL_ERROR;
3039 goto f_err; 2790 goto f_err;
3040 } 2791 }
3041#ifdef SSL_DEBUG 2792#ifdef SSL_DEBUG
3042 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 2793 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
3043 EVP_MD_name(md)); 2794 EVP_MD_name(md));
3044#endif 2795#endif
3045 if (!EVP_VerifyInit_ex(&mctx, md, NULL) 2796 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
3046 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) 2797 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
3047 {
3048 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 2798 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
3049 al=SSL_AD_INTERNAL_ERROR; 2799 al = SSL_AD_INTERNAL_ERROR;
3050 goto f_err; 2800 goto f_err;
3051 } 2801 }
3052 2802
3053 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) 2803 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) {
3054 { 2804 al = SSL_AD_DECRYPT_ERROR;
3055 al=SSL_AD_DECRYPT_ERROR; 2805 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
3056 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE);
3057 goto f_err; 2806 goto f_err;
3058 }
3059 } 2807 }
3060 else 2808 } else
3061#ifndef OPENSSL_NO_RSA 2809#ifndef OPENSSL_NO_RSA
3062 if (pkey->type == EVP_PKEY_RSA) 2810 if (pkey->type == EVP_PKEY_RSA) {
3063 { 2811 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
3064 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2812 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
3065 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2813 pkey->pkey.rsa);
3066 pkey->pkey.rsa); 2814 if (i < 0) {
3067 if (i < 0) 2815 al = SSL_AD_DECRYPT_ERROR;
3068 { 2816 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
3069 al=SSL_AD_DECRYPT_ERROR;
3070 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
3071 goto f_err; 2817 goto f_err;
3072 } 2818 }
3073 if (i == 0) 2819 if (i == 0) {
3074 { 2820 al = SSL_AD_DECRYPT_ERROR;
3075 al=SSL_AD_DECRYPT_ERROR; 2821 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
3076 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
3077 goto f_err; 2822 goto f_err;
3078 }
3079 } 2823 }
3080 else 2824 } else
3081#endif 2825#endif
3082#ifndef OPENSSL_NO_DSA 2826#ifndef OPENSSL_NO_DSA
3083 if (pkey->type == EVP_PKEY_DSA) 2827 if (pkey->type == EVP_PKEY_DSA) {
3084 { 2828 j = DSA_verify(pkey->save_type,
3085 j=DSA_verify(pkey->save_type, 2829 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3086 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2830 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
3087 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2831 if (j <= 0) {
3088 if (j <= 0)
3089 {
3090 /* bad signature */ 2832 /* bad signature */
3091 al=SSL_AD_DECRYPT_ERROR; 2833 al = SSL_AD_DECRYPT_ERROR;
3092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2834 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
3093 goto f_err; 2835 goto f_err;
3094 }
3095 } 2836 }
3096 else 2837 } else
3097#endif 2838#endif
3098#ifndef OPENSSL_NO_ECDSA 2839#ifndef OPENSSL_NO_ECDSA
3099 if (pkey->type == EVP_PKEY_EC) 2840 if (pkey->type == EVP_PKEY_EC) {
3100 { 2841 j = ECDSA_verify(pkey->save_type,
3101 j=ECDSA_verify(pkey->save_type, 2842 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3102 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2843 SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
3103 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2844 if (j <= 0) {
3104 if (j <= 0)
3105 {
3106 /* bad signature */ 2845 /* bad signature */
3107 al=SSL_AD_DECRYPT_ERROR; 2846 al = SSL_AD_DECRYPT_ERROR;
3108 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2847 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3109 SSL_R_BAD_ECDSA_SIGNATURE); 2848 SSL_R_BAD_ECDSA_SIGNATURE);
3110 goto f_err; 2849 goto f_err;
3111 }
3112 } 2850 }
3113 else 2851 } else
3114#endif 2852#endif
3115 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2853 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3116 { unsigned char signature[64]; 2854 unsigned char signature[64];
3117 int idx; 2855 int idx;
3118 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL); 2856 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
3119 EVP_PKEY_verify_init(pctx); 2857 EVP_PKEY_verify_init(pctx);
3120 if (i!=64) { 2858 if (i != 64) {
3121 fprintf(stderr,"GOST signature length is %d",i); 2859 fprintf(stderr, "GOST signature length is %d", i);
3122 } 2860 }
3123 for (idx=0;idx<64;idx++) { 2861 for (idx = 0; idx < 64; idx++) {
3124 signature[63-idx]=p[idx]; 2862 signature[63 - idx] = p[idx];
3125 } 2863 }
3126 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32); 2864 j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md, 32);
3127 EVP_PKEY_CTX_free(pctx); 2865 EVP_PKEY_CTX_free(pctx);
3128 if (j<=0) 2866 if (j <= 0) {
3129 { 2867 al = SSL_AD_DECRYPT_ERROR;
3130 al=SSL_AD_DECRYPT_ERROR; 2868 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3131 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2869 SSL_R_BAD_ECDSA_SIGNATURE);
3132 SSL_R_BAD_ECDSA_SIGNATURE); 2870 goto f_err;
3133 goto f_err;
3134 }
3135 } 2871 }
3136 else 2872 } else {
3137 { 2873 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3138 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2874 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
3139 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
3140 goto f_err; 2875 goto f_err;
3141 } 2876 }
3142 2877
3143 2878
3144 ret=1; 2879 ret = 1;
3145 if (0) 2880 if (0) {
3146 {
3147f_err: 2881f_err:
3148 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2882 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3149 } 2883 }
3150end: 2884end:
3151 if (s->s3->handshake_buffer) 2885 if (s->s3->handshake_buffer) {
3152 {
3153 BIO_free(s->s3->handshake_buffer); 2886 BIO_free(s->s3->handshake_buffer);
3154 s->s3->handshake_buffer = NULL; 2887 s->s3->handshake_buffer = NULL;
3155 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; 2888 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
3156 } 2889 }
3157 EVP_MD_CTX_cleanup(&mctx); 2890 EVP_MD_CTX_cleanup(&mctx);
3158 EVP_PKEY_free(pkey); 2891 EVP_PKEY_free(pkey);
3159 return(ret); 2892 return (ret);
3160 } 2893}
3161 2894
3162int ssl3_get_client_certificate(SSL *s) 2895int
3163 { 2896ssl3_get_client_certificate(SSL *s)
3164 int i,ok,al,ret= -1; 2897{
3165 X509 *x=NULL; 2898 int i, ok, al, ret = -1;
3166 unsigned long l,nc,llen,n; 2899 X509 *x = NULL;
3167 const unsigned char *p,*q; 2900 unsigned long l, nc, llen, n;
2901 const unsigned char *p, *q;
3168 unsigned char *d; 2902 unsigned char *d;
3169 STACK_OF(X509) *sk=NULL; 2903 STACK_OF(X509) *sk = NULL;
3170 2904
3171 n=s->method->ssl_get_message(s, 2905 n = s->method->ssl_get_message(s,
3172 SSL3_ST_SR_CERT_A, 2906 SSL3_ST_SR_CERT_A,
3173 SSL3_ST_SR_CERT_B, 2907 SSL3_ST_SR_CERT_B,
3174 -1, 2908 -1,
3175 s->max_cert_list, 2909 s->max_cert_list,
3176 &ok); 2910 &ok);
3177 2911
3178 if (!ok) return((int)n); 2912 if (!ok)
2913 return ((int)n);
3179 2914
3180 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2915 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
3181 { 2916 if ((s->verify_mode & SSL_VERIFY_PEER) &&
3182 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2917 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3183 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2918 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3184 { 2919 al = SSL_AD_HANDSHAKE_FAILURE;
3185 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3186 al=SSL_AD_HANDSHAKE_FAILURE;
3187 goto f_err; 2920 goto f_err;
3188 } 2921 }
3189 /* If tls asked for a client cert, the client must return a 0 list */ 2922 /* If tls asked for a client cert, the client must return a 0 list */
3190 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2923 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
3191 { 2924 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
3192 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2925 al = SSL_AD_UNEXPECTED_MESSAGE;
3193 al=SSL_AD_UNEXPECTED_MESSAGE;
3194 goto f_err; 2926 goto f_err;
3195 }
3196 s->s3->tmp.reuse_message=1;
3197 return(1);
3198 } 2927 }
2928 s->s3->tmp.reuse_message = 1;
2929 return (1);
2930 }
3199 2931
3200 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2932 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
3201 { 2933 al = SSL_AD_UNEXPECTED_MESSAGE;
3202 al=SSL_AD_UNEXPECTED_MESSAGE; 2934 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
3203 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
3204 goto f_err; 2935 goto f_err;
3205 } 2936 }
3206 p=d=(unsigned char *)s->init_msg; 2937 p = d = (unsigned char *)s->init_msg;
3207 2938
3208 if ((sk=sk_X509_new_null()) == NULL) 2939 if ((sk = sk_X509_new_null()) == NULL) {
3209 { 2940 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3210 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3211 goto err; 2941 goto err;
3212 } 2942 }
3213 2943
3214 n2l3(p,llen); 2944 n2l3(p, llen);
3215 if (llen+3 != n) 2945 if (llen + 3 != n) {
3216 { 2946 al = SSL_AD_DECODE_ERROR;
3217 al=SSL_AD_DECODE_ERROR; 2947 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3218 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
3219 goto f_err; 2948 goto f_err;
3220 } 2949 }
3221 for (nc=0; nc<llen; ) 2950 for (nc = 0; nc < llen;) {
3222 { 2951 n2l3(p, l);
3223 n2l3(p,l); 2952 if ((l + nc + 3) > llen) {
3224 if ((l+nc+3) > llen) 2953 al = SSL_AD_DECODE_ERROR;
3225 { 2954 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3226 al=SSL_AD_DECODE_ERROR;
3227 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3228 goto f_err; 2955 goto f_err;
3229 } 2956 }
3230 2957
3231 q=p; 2958 q = p;
3232 x=d2i_X509(NULL,&p,l); 2959 x = d2i_X509(NULL, &p, l);
3233 if (x == NULL) 2960 if (x == NULL) {
3234 { 2961 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
3235 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
3236 goto err; 2962 goto err;
3237 } 2963 }
3238 if (p != (q+l)) 2964 if (p != (q + l)) {
3239 { 2965 al = SSL_AD_DECODE_ERROR;
3240 al=SSL_AD_DECODE_ERROR; 2966 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3241 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3242 goto f_err; 2967 goto f_err;
3243 } 2968 }
3244 if (!sk_X509_push(sk,x)) 2969 if (!sk_X509_push(sk, x)) {
3245 { 2970 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3246 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3247 goto err; 2971 goto err;
3248 }
3249 x=NULL;
3250 nc+=l+3;
3251 } 2972 }
2973 x = NULL;
2974 nc += l + 3;
2975 }
3252 2976
3253 if (sk_X509_num(sk) <= 0) 2977 if (sk_X509_num(sk) <= 0) {
3254 {
3255 /* TLS does not mind 0 certs returned */ 2978 /* TLS does not mind 0 certs returned */
3256 if (s->version == SSL3_VERSION) 2979 if (s->version == SSL3_VERSION) {
3257 { 2980 al = SSL_AD_HANDSHAKE_FAILURE;
3258 al=SSL_AD_HANDSHAKE_FAILURE; 2981 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATES_RETURNED);
3259 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
3260 goto f_err; 2982 goto f_err;
3261 } 2983 }
3262 /* Fail for TLS only if we required a certificate */ 2984 /* Fail for TLS only if we required a certificate */
3263 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2985 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
3264 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2986 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3265 { 2987 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3266 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2988 al = SSL_AD_HANDSHAKE_FAILURE;
3267 al=SSL_AD_HANDSHAKE_FAILURE;
3268 goto f_err; 2989 goto f_err;
3269 } 2990 }
3270 /* No client certificate so digest cached records */ 2991 /* No client certificate so digest cached records */
3271 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) 2992 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
3272 { 2993 al = SSL_AD_INTERNAL_ERROR;
3273 al=SSL_AD_INTERNAL_ERROR;
3274 goto f_err; 2994 goto f_err;
3275 }
3276 } 2995 }
3277 else 2996 } else {
3278 { 2997 i = ssl_verify_cert_chain(s, sk);
3279 i=ssl_verify_cert_chain(s,sk); 2998 if (i <= 0) {
3280 if (i <= 0) 2999 al = ssl_verify_alarm_type(s->verify_result);
3281 { 3000 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATE_RETURNED);
3282 al=ssl_verify_alarm_type(s->verify_result);
3283 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
3284 goto f_err; 3001 goto f_err;
3285 }
3286 } 3002 }
3003 }
3287 3004
3288 if (s->session->peer != NULL) /* This should not be needed */ 3005 if (s->session->peer != NULL) /* This should not be needed */
3289 X509_free(s->session->peer); 3006 X509_free(s->session->peer);
3290 s->session->peer=sk_X509_shift(sk); 3007 s->session->peer = sk_X509_shift(sk);
3291 s->session->verify_result = s->verify_result; 3008 s->session->verify_result = s->verify_result;
3292 3009
3293 /* With the current implementation, sess_cert will always be NULL 3010 /* With the current implementation, sess_cert will always be NULL
3294 * when we arrive here. */ 3011 * when we arrive here. */
3295 if (s->session->sess_cert == NULL) 3012 if (s->session->sess_cert == NULL) {
3296 {
3297 s->session->sess_cert = ssl_sess_cert_new(); 3013 s->session->sess_cert = ssl_sess_cert_new();
3298 if (s->session->sess_cert == NULL) 3014 if (s->session->sess_cert == NULL) {
3299 {
3300 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3015 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3301 goto err; 3016 goto err;
3302 }
3303 } 3017 }
3018 }
3304 if (s->session->sess_cert->cert_chain != NULL) 3019 if (s->session->sess_cert->cert_chain != NULL)
3305 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 3020 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
3306 s->session->sess_cert->cert_chain=sk; 3021 s->session->sess_cert->cert_chain = sk;
3307 /* Inconsistency alert: cert_chain does *not* include the 3022 /* Inconsistency alert: cert_chain does *not* include the
3308 * peer's own certificate, while we do include it in s3_clnt.c */ 3023 * peer's own certificate, while we do include it in s3_clnt.c */
3309 3024
3310 sk=NULL; 3025 sk = NULL;
3311 3026
3312 ret=1; 3027 ret = 1;
3313 if (0) 3028 if (0) {
3314 {
3315f_err: 3029f_err:
3316 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3030 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3317 }
3318err:
3319 if (x != NULL) X509_free(x);
3320 if (sk != NULL) sk_X509_pop_free(sk,X509_free);
3321 return(ret);
3322 } 3031 }
3032err:
3033 if (x != NULL)
3034 X509_free(x);
3035 if (sk != NULL)
3036 sk_X509_pop_free(sk, X509_free);
3037 return (ret);
3038}
3323 3039
3324int ssl3_send_server_certificate(SSL *s) 3040int
3325 { 3041ssl3_send_server_certificate(SSL *s)
3042{
3326 unsigned long l; 3043 unsigned long l;
3327 X509 *x; 3044 X509 *x;
3328 3045
3329 if (s->state == SSL3_ST_SW_CERT_A) 3046 if (s->state == SSL3_ST_SW_CERT_A) {
3330 { 3047 x = ssl_get_server_send_cert(s);
3331 x=ssl_get_server_send_cert(s); 3048 if (x == NULL) {
3332 if (x == NULL)
3333 {
3334 /* VRS: allow null cert if auth == KRB5 */ 3049 /* VRS: allow null cert if auth == KRB5 */
3335 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3050 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
3336 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) 3051 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) {
3337 { 3052 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3338 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 3053 return (0);
3339 return(0);
3340 }
3341 } 3054 }
3342
3343 l=ssl3_output_cert_chain(s,x);
3344 s->state=SSL3_ST_SW_CERT_B;
3345 s->init_num=(int)l;
3346 s->init_off=0;
3347 } 3055 }
3348 3056
3349 /* SSL3_ST_SW_CERT_B */ 3057 l = ssl3_output_cert_chain(s, x);
3350 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3058 s->state = SSL3_ST_SW_CERT_B;
3059 s->init_num = (int)l;
3060 s->init_off = 0;
3351 } 3061 }
3352 3062
3063 /* SSL3_ST_SW_CERT_B */
3064 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3065}
3066
3353#ifndef OPENSSL_NO_TLSEXT 3067#ifndef OPENSSL_NO_TLSEXT
3354/* send a new session ticket (not necessarily for a new session) */ 3068/* send a new session ticket (not necessarily for a new session) */
3355int ssl3_send_newsession_ticket(SSL *s) 3069int
3356 { 3070ssl3_send_newsession_ticket(SSL *s)
3357 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3071{
3358 { 3072 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
3359 unsigned char *p, *senc, *macstart; 3073 unsigned char *p, *senc, *macstart;
3360 const unsigned char *const_p; 3074 const unsigned char *const_p;
3361 int len, slen_full, slen; 3075 int len, slen_full, slen;
@@ -3383,19 +3097,18 @@ int ssl3_send_newsession_ticket(SSL *s)
3383 /* create a fresh copy (not shared with other threads) to clean up */ 3097 /* create a fresh copy (not shared with other threads) to clean up */
3384 const_p = senc; 3098 const_p = senc;
3385 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3099 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3386 if (sess == NULL) 3100 if (sess == NULL) {
3387 {
3388 OPENSSL_free(senc); 3101 OPENSSL_free(senc);
3389 return -1; 3102 return -1;
3390 } 3103 }
3391 sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3104 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3392 3105
3393 slen = i2d_SSL_SESSION(sess, NULL); 3106 slen = i2d_SSL_SESSION(sess, NULL);
3394 if (slen > slen_full) /* shouldn't ever happen */ 3107 if (slen > slen_full) /* shouldn't ever happen */
3395 { 3108 {
3396 OPENSSL_free(senc); 3109 OPENSSL_free(senc);
3397 return -1; 3110 return -1;
3398 } 3111 }
3399 p = senc; 3112 p = senc;
3400 i2d_SSL_SESSION(sess, &p); 3113 i2d_SSL_SESSION(sess, &p);
3401 SSL_SESSION_free(sess); 3114 SSL_SESSION_free(sess);
@@ -3409,12 +3122,12 @@ int ssl3_send_newsession_ticket(SSL *s)
3409 */ 3122 */
3410 if (!BUF_MEM_grow(s->init_buf, 3123 if (!BUF_MEM_grow(s->init_buf,
3411 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3124 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3412 EVP_MAX_MD_SIZE + slen)) 3125 EVP_MAX_MD_SIZE + slen))
3413 return -1; 3126 return -1;
3414 3127
3415 p=(unsigned char *)s->init_buf->data; 3128 p = (unsigned char *)s->init_buf->data;
3416 /* do the header */ 3129 /* do the header */
3417 *(p++)=SSL3_MT_NEWSESSION_TICKET; 3130 *(p++) = SSL3_MT_NEWSESSION_TICKET;
3418 /* Skip message length for now */ 3131 /* Skip message length for now */
3419 p += 3; 3132 p += 3;
3420 EVP_CIPHER_CTX_init(&ctx); 3133 EVP_CIPHER_CTX_init(&ctx);
@@ -3423,24 +3136,20 @@ int ssl3_send_newsession_ticket(SSL *s)
3423 * it does all the work otherwise use generated values 3136 * it does all the work otherwise use generated values
3424 * from parent ctx. 3137 * from parent ctx.
3425 */ 3138 */
3426 if (tctx->tlsext_ticket_key_cb) 3139 if (tctx->tlsext_ticket_key_cb) {
3427 {
3428 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3140 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
3429 &hctx, 1) < 0) 3141 &hctx, 1) < 0) {
3430 {
3431 OPENSSL_free(senc); 3142 OPENSSL_free(senc);
3432 return -1; 3143 return -1;
3433 }
3434 } 3144 }
3435 else 3145 } else {
3436 {
3437 RAND_pseudo_bytes(iv, 16); 3146 RAND_pseudo_bytes(iv, 16);
3438 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3147 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3439 tctx->tlsext_tick_aes_key, iv); 3148 tctx->tlsext_tick_aes_key, iv);
3440 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3149 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3441 tlsext_tick_md(), NULL); 3150 tlsext_tick_md(), NULL);
3442 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3151 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3443 } 3152 }
3444 3153
3445 /* Ticket lifetime hint (advisory only): 3154 /* Ticket lifetime hint (advisory only):
3446 * We leave this unspecified for resumed session (for simplicity), 3155 * We leave this unspecified for resumed session (for simplicity),
@@ -3472,26 +3181,27 @@ int ssl3_send_newsession_ticket(SSL *s)
3472 /* Now write out lengths: p points to end of data written */ 3181 /* Now write out lengths: p points to end of data written */
3473 /* Total length */ 3182 /* Total length */
3474 len = p - (unsigned char *)s->init_buf->data; 3183 len = p - (unsigned char *)s->init_buf->data;
3475 p=(unsigned char *)s->init_buf->data + 1; 3184 p = (unsigned char *)s->init_buf->data + 1;
3476 l2n3(len - 4, p); /* Message length */ 3185 l2n3(len - 4, p); /* Message length */
3477 p += 4; 3186 p += 4;
3478 s2n(len - 10, p); /* Ticket length */ 3187 s2n(len - 10, p);
3188 /* Ticket length */
3479 3189
3480 /* number of bytes to write */ 3190 /* number of bytes to write */
3481 s->init_num= len; 3191 s->init_num = len;
3482 s->state=SSL3_ST_SW_SESSION_TICKET_B; 3192 s->state = SSL3_ST_SW_SESSION_TICKET_B;
3483 s->init_off=0; 3193 s->init_off = 0;
3484 OPENSSL_free(senc); 3194 OPENSSL_free(senc);
3485 } 3195 }
3486 3196
3487 /* SSL3_ST_SW_SESSION_TICKET_B */ 3197 /* SSL3_ST_SW_SESSION_TICKET_B */
3488 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3198 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3489 } 3199}
3490 3200
3491int ssl3_send_cert_status(SSL *s) 3201int
3492 { 3202ssl3_send_cert_status(SSL *s)
3493 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 3203{
3494 { 3204 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
3495 unsigned char *p; 3205 unsigned char *p;
3496 /* Grow buffer if need be: the length calculation is as 3206 /* Grow buffer if need be: the length calculation is as
3497 * follows 1 (message type) + 3 (message length) + 3207 * follows 1 (message type) + 3 (message length) +
@@ -3501,33 +3211,34 @@ int ssl3_send_cert_status(SSL *s)
3501 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 3211 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
3502 return -1; 3212 return -1;
3503 3213
3504 p=(unsigned char *)s->init_buf->data; 3214 p = (unsigned char *)s->init_buf->data;
3505 3215
3506 /* do the header */ 3216 /* do the header */
3507 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 3217 *(p++) = SSL3_MT_CERTIFICATE_STATUS;
3508 /* message length */ 3218 /* message length */
3509 l2n3(s->tlsext_ocsp_resplen + 4, p); 3219 l2n3(s->tlsext_ocsp_resplen + 4, p);
3510 /* status type */ 3220 /* status type */
3511 *(p++)= s->tlsext_status_type; 3221 *(p++) = s->tlsext_status_type;
3512 /* length of OCSP response */ 3222 /* length of OCSP response */
3513 l2n3(s->tlsext_ocsp_resplen, p); 3223 l2n3(s->tlsext_ocsp_resplen, p);
3514 /* actual response */ 3224 /* actual response */
3515 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 3225 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
3516 /* number of bytes to write */ 3226 /* number of bytes to write */
3517 s->init_num = 8 + s->tlsext_ocsp_resplen; 3227 s->init_num = 8 + s->tlsext_ocsp_resplen;
3518 s->state=SSL3_ST_SW_CERT_STATUS_B; 3228 s->state = SSL3_ST_SW_CERT_STATUS_B;
3519 s->init_off = 0; 3229 s->init_off = 0;
3520 } 3230 }
3521 3231
3522 /* SSL3_ST_SW_CERT_STATUS_B */ 3232 /* SSL3_ST_SW_CERT_STATUS_B */
3523 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3233 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3524 } 3234}
3525 3235
3526# ifndef OPENSSL_NO_NEXTPROTONEG 3236# ifndef OPENSSL_NO_NEXTPROTONEG
3527/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 3237/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
3528 * sets the next_proto member in s if found */ 3238 * sets the next_proto member in s if found */
3529int ssl3_get_next_proto(SSL *s) 3239int
3530 { 3240ssl3_get_next_proto(SSL *s)
3241{
3531 int ok; 3242 int ok;
3532 int proto_len, padding_len; 3243 int proto_len, padding_len;
3533 long n; 3244 long n;
@@ -3535,35 +3246,30 @@ int ssl3_get_next_proto(SSL *s)
3535 3246
3536 /* Clients cannot send a NextProtocol message if we didn't see the 3247 /* Clients cannot send a NextProtocol message if we didn't see the
3537 * extension in their ClientHello */ 3248 * extension in their ClientHello */
3538 if (!s->s3->next_proto_neg_seen) 3249 if (!s->s3->next_proto_neg_seen) {
3539 { 3250 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3540 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3541 return -1; 3251 return -1;
3542 } 3252 }
3543
3544 n=s->method->ssl_get_message(s,
3545 SSL3_ST_SR_NEXT_PROTO_A,
3546 SSL3_ST_SR_NEXT_PROTO_B,
3547 SSL3_MT_NEXT_PROTO,
3548 514, /* See the payload format below */
3549 &ok);
3550 3253
3254 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
3255 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
3256 514, /* See the payload format below */ &ok);
3551 if (!ok) 3257 if (!ok)
3552 return((int)n); 3258 return ((int)n);
3553 3259
3554 /* s->state doesn't reflect whether ChangeCipherSpec has been received 3260 /* s->state doesn't reflect whether ChangeCipherSpec has been received
3555 * in this handshake, but s->s3->change_cipher_spec does (will be reset 3261 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3556 * by ssl3_get_finished). */ 3262 * by ssl3_get_finished). */
3557 if (!s->s3->change_cipher_spec) 3263 if (!s->s3->change_cipher_spec) {
3558 { 3264 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3559 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3560 return -1; 3265 return -1;
3561 } 3266 }
3562 3267
3563 if (n < 2) 3268 if (n < 2)
3564 return 0; /* The body must be > 1 bytes long */ 3269 return 0;
3270 /* The body must be > 1 bytes long */
3565 3271
3566 p=(unsigned char *)s->init_msg; 3272 p = (unsigned char *)s->init_msg;
3567 3273
3568 /* The payload looks like: 3274 /* The payload looks like:
3569 * uint8 proto_len; 3275 * uint8 proto_len;
@@ -3579,15 +3285,14 @@ int ssl3_get_next_proto(SSL *s)
3579 return 0; 3285 return 0;
3580 3286
3581 s->next_proto_negotiated = OPENSSL_malloc(proto_len); 3287 s->next_proto_negotiated = OPENSSL_malloc(proto_len);
3582 if (!s->next_proto_negotiated) 3288 if (!s->next_proto_negotiated) {
3583 { 3289 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE);
3584 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
3585 return 0; 3290 return 0;
3586 } 3291 }
3587 memcpy(s->next_proto_negotiated, p + 1, proto_len); 3292 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3588 s->next_proto_negotiated_len = proto_len; 3293 s->next_proto_negotiated_len = proto_len;
3589 3294
3590 return 1; 3295 return 1;
3591 } 3296}
3592# endif 3297# endif
3593#endif 3298#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 16:41:53 +0000