summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_clnt.c
diff options
context:
space:
mode:
authormcbride <>2014-04-24 12:21:26 +0000
committermcbride <>2014-04-24 12:21:26 +0000
commita8d067331dc94d6605ac28365db8ef5acb460b95 (patch)
tree302cdf06d655a8ff432cef500986f2786e9f4709 /src/lib/libssl/s3_clnt.c
parent2e912582a3c02782ff63159bad4ca1c02e8a095e (diff)
downloadopenbsd-a8d067331dc94d6605ac28365db8ef5acb460b95.tar.gz
openbsd-a8d067331dc94d6605ac28365db8ef5acb460b95.tar.bz2
openbsd-a8d067331dc94d6605ac28365db8ef5acb460b95.zip
KNF
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
-rw-r--r--src/lib/libssl/s3_clnt.c1526
1 files changed, 890 insertions, 636 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 0cd40f3a2d..b63f0bf0c9 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -181,10 +181,10 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
181int 181int
182ssl3_connect(SSL *s) 182ssl3_connect(SSL *s)
183{ 183{
184 BUF_MEM *buf = NULL; 184 BUF_MEM *buf = NULL;
185 void (*cb)(const SSL *ssl, int type, int val) = NULL; 185 void (*cb)(const SSL *ssl, int type, int val) = NULL;
186 int ret = -1; 186 int ret = -1;
187 int new_state, state, skip = 0; 187 int new_state, state, skip = 0;
188 188
189 ERR_clear_error(); 189 ERR_clear_error();
190 errno = 0; 190 errno = 0;
@@ -217,7 +217,8 @@ ssl3_connect(SSL *s)
217 cb(s, SSL_CB_HANDSHAKE_START, 1); 217 cb(s, SSL_CB_HANDSHAKE_START, 1);
218 218
219 if ((s->version & 0xff00 ) != 0x0300) { 219 if ((s->version & 0xff00 ) != 0x0300) {
220 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 220 SSLerr(SSL_F_SSL3_CONNECT,
221 ERR_R_INTERNAL_ERROR);
221 ret = -1; 222 ret = -1;
222 goto end; 223 goto end;
223 } 224 }
@@ -230,7 +231,8 @@ ssl3_connect(SSL *s)
230 ret = -1; 231 ret = -1;
231 goto end; 232 goto end;
232 } 233 }
233 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 234 if (!BUF_MEM_grow(buf,
235 SSL3_RT_MAX_PLAIN_LENGTH)) {
234 ret = -1; 236 ret = -1;
235 goto end; 237 goto end;
236 } 238 }
@@ -309,10 +311,11 @@ ssl3_connect(SSL *s)
309 break; 311 break;
310 } 312 }
311#endif 313#endif
312 /* Check if it is anon DH/ECDH */ 314 /* Check if it is anon DH/ECDH or PSK */
313 /* or PSK */ 315 if (!(s->s3->tmp.new_cipher->algorithm_auth &
314 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 316 SSL_aNULL) &&
315 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 317 !(s->s3->tmp.new_cipher->algorithm_mkey &
318 SSL_kPSK)) {
316 ret = ssl3_get_server_certificate(s); 319 ret = ssl3_get_server_certificate(s);
317 if (ret <= 0) 320 if (ret <= 0)
318 goto end; 321 goto end;
@@ -342,8 +345,10 @@ ssl3_connect(SSL *s)
342 s->state = SSL3_ST_CR_CERT_REQ_A; 345 s->state = SSL3_ST_CR_CERT_REQ_A;
343 s->init_num = 0; 346 s->init_num = 0;
344 347
345 /* at this point we check that we have the 348 /*
346 * required stuff from the server */ 349 * At this point we check that we have the
350 * required stuff from the server.
351 */
347 if (!ssl3_check_cert_and_algorithm(s)) { 352 if (!ssl3_check_cert_and_algorithm(s)) {
348 ret = -1; 353 ret = -1;
349 goto end; 354 goto end;
@@ -367,8 +372,10 @@ ssl3_connect(SSL *s)
367#ifndef OPENSSL_NO_SRP 372#ifndef OPENSSL_NO_SRP
368 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { 373 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
369 if ((ret = SRP_Calc_A_param(s)) <= 0) { 374 if ((ret = SRP_Calc_A_param(s)) <= 0) {
370 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC); 375 SSLerr(SSL_F_SSL3_CONNECT,
371 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 376 SSL_R_SRP_A_CALC);
377 ssl3_send_alert(s, SSL3_AL_FATAL,
378 SSL_AD_INTERNAL_ERROR);
372 goto end; 379 goto end;
373 } 380 }
374 } 381 }
@@ -397,11 +404,16 @@ ssl3_connect(SSL *s)
397 ret = ssl3_send_client_key_exchange(s); 404 ret = ssl3_send_client_key_exchange(s);
398 if (ret <= 0) 405 if (ret <= 0)
399 goto end; 406 goto end;
400 /* EAY EAY EAY need to check for DH fix cert 407 /*
401 * sent back */ 408 * EAY EAY EAY need to check for DH fix cert
402 /* For TLS, cert_req is set to 2, so a cert chain 409 * sent back
403 * of nothing is sent, but no verify packet is sent */ 410 */
404 /* XXX: For now, we do not support client 411 /*
412 * For TLS, cert_req is set to 2, so a cert chain
413 * of nothing is sent, but no verify packet is sent
414 */
415 /*
416 * XXX: For now, we do not support client
405 * authentication in ECDH cipher suites with 417 * authentication in ECDH cipher suites with
406 * ECDH (rather than ECDSA) certificates. 418 * ECDH (rather than ECDSA) certificates.
407 * We need to skip the certificate verify 419 * We need to skip the certificate verify
@@ -457,7 +469,7 @@ ssl3_connect(SSL *s)
457 s->session->compress_meth = 0; 469 s->session->compress_meth = 0;
458 else 470 else
459 s->session->compress_meth = 471 s->session->compress_meth =
460 s->s3->tmp.new_compression->id; 472 s->s3->tmp.new_compression->id;
461#endif 473#endif
462 if (!s->method->ssl3_enc->setup_key_block(s)) { 474 if (!s->method->ssl3_enc->setup_key_block(s)) {
463 ret = -1; 475 ret = -1;
@@ -465,7 +477,7 @@ ssl3_connect(SSL *s)
465 } 477 }
466 478
467 if (!s->method->ssl3_enc->change_cipher_state(s, 479 if (!s->method->ssl3_enc->change_cipher_state(s,
468 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { 480 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
469 ret = -1; 481 ret = -1;
470 goto end; 482 goto end;
471 } 483 }
@@ -496,7 +508,8 @@ ssl3_connect(SSL *s)
496 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; 508 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
497 if (s->hit) { 509 if (s->hit) {
498 s->s3->tmp.next_state = SSL_ST_OK; 510 s->s3->tmp.next_state = SSL_ST_OK;
499 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) { 511 if (s->s3->flags &
512 SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
500 s->state = SSL_ST_OK; 513 s->state = SSL_ST_OK;
501 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 514 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
502 s->s3->delay_buf_pop_ret = 0; 515 s->s3->delay_buf_pop_ret = 0;
@@ -505,7 +518,8 @@ ssl3_connect(SSL *s)
505#ifndef OPENSSL_NO_TLSEXT 518#ifndef OPENSSL_NO_TLSEXT
506 /* Allow NewSessionTicket if ticket expected */ 519 /* Allow NewSessionTicket if ticket expected */
507 if (s->tlsext_ticket_expected) 520 if (s->tlsext_ticket_expected)
508 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; 521 s->s3->tmp.next_state =
522 SSL3_ST_CR_SESSION_TICKET_A;
509 else 523 else
510#endif 524#endif
511 525
@@ -568,8 +582,10 @@ ssl3_connect(SSL *s)
568 s->init_buf = NULL; 582 s->init_buf = NULL;
569 } 583 }
570 584
571 /* If we are not 'joining' the last two packets, 585 /*
572 * remove the buffering now */ 586 * If we are not 'joining' the last two packets,
587 * remove the buffering now
588 */
573 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 589 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
574 ssl_free_wbio_buffer(s); 590 ssl_free_wbio_buffer(s);
575 /* else do it later in ssl3_write */ 591 /* else do it later in ssl3_write */
@@ -594,7 +610,8 @@ ssl3_connect(SSL *s)
594 /* break; */ 610 /* break; */
595 611
596 default: 612 default:
597 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE); 613 SSLerr(SSL_F_SSL3_CONNECT,
614 SSL_R_UNKNOWN_STATE);
598 ret = -1; 615 ret = -1;
599 goto end; 616 goto end;
600 /* break; */ 617 /* break; */
@@ -616,7 +633,7 @@ ssl3_connect(SSL *s)
616 } 633 }
617 skip = 0; 634 skip = 0;
618 } 635 }
619end: 636 end:
620 s->in_handshake--; 637 s->in_handshake--;
621 if (buf != NULL) 638 if (buf != NULL)
622 BUF_MEM_free(buf); 639 BUF_MEM_free(buf);
@@ -629,13 +646,13 @@ end:
629int 646int
630ssl3_client_hello(SSL *s) 647ssl3_client_hello(SSL *s)
631{ 648{
632 unsigned char *buf; 649 unsigned char *buf;
633 unsigned char *p, *d; 650 unsigned char *p, *d;
634 int i; 651 int i;
635 unsigned long l; 652 unsigned long l;
636#ifndef OPENSSL_NO_COMP 653#ifndef OPENSSL_NO_COMP
637 int j; 654 int j;
638 SSL_COMP *comp; 655 SSL_COMP *comp;
639#endif 656#endif
640 657
641 buf = (unsigned char *)s->init_buf->data; 658 buf = (unsigned char *)s->init_buf->data;
@@ -660,9 +677,10 @@ ssl3_client_hello(SSL *s)
660 goto err; 677 goto err;
661 678
662 /* Do the message type and length last */ 679 /* Do the message type and length last */
663 d = p= &(buf[4]); 680 d = p = &(buf[4]);
664 681
665 /* version indicates the negotiated version: for example from 682 /*
683 * Version indicates the negotiated version: for example from
666 * an SSLv2/v3 compatible client hello). The client_version 684 * an SSLv2/v3 compatible client hello). The client_version
667 * field is the maximum version we permit and it is also 685 * field is the maximum version we permit and it is also
668 * used in RSA encrypted premaster secrets. Some servers can 686 * used in RSA encrypted premaster secrets. Some servers can
@@ -697,7 +715,7 @@ ssl3_client_hello(SSL *s)
697 s->client_version = s->version; 715 s->client_version = s->version;
698#else 716#else
699 *(p++) = s->client_version >> 8; 717 *(p++) = s->client_version >> 8;
700 *(p++) = s->client_version&0xff; 718 *(p++) = s->client_version & 0xff;
701#endif 719#endif
702 720
703 /* Random stuff */ 721 /* Random stuff */
@@ -712,7 +730,8 @@ ssl3_client_hello(SSL *s)
712 *(p++) = i; 730 *(p++) = i;
713 if (i != 0) { 731 if (i != 0) {
714 if (i > (int)sizeof(s->session->session_id)) { 732 if (i > (int)sizeof(s->session->session_id)) {
715 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 733 SSLerr(SSL_F_SSL3_CLIENT_HELLO,
734 ERR_R_INTERNAL_ERROR);
716 goto err; 735 goto err;
717 } 736 }
718 memcpy(p, s->session->session_id, i); 737 memcpy(p, s->session->session_id, i);
@@ -722,11 +741,13 @@ ssl3_client_hello(SSL *s)
722 /* Ciphers supported */ 741 /* Ciphers supported */
723 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0); 742 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0);
724 if (i == 0) { 743 if (i == 0) {
725 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 744 SSLerr(SSL_F_SSL3_CLIENT_HELLO,
745 SSL_R_NO_CIPHERS_AVAILABLE);
726 goto err; 746 goto err;
727 } 747 }
728#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 748#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
729 /* Some servers hang if client hello > 256 bytes 749 /*
750 * Some servers hang if client hello > 256 bytes
730 * as hack workaround chop number of supported ciphers 751 * as hack workaround chop number of supported ciphers
731 * to keep it well below this if we use TLS v1.2 752 * to keep it well below this if we use TLS v1.2
732 */ 753 */
@@ -758,11 +779,14 @@ ssl3_client_hello(SSL *s)
758#ifndef OPENSSL_NO_TLSEXT 779#ifndef OPENSSL_NO_TLSEXT
759 /* TLS extensions*/ 780 /* TLS extensions*/
760 if (ssl_prepare_clienthello_tlsext(s) <= 0) { 781 if (ssl_prepare_clienthello_tlsext(s) <= 0) {
761 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 782 SSLerr(SSL_F_SSL3_CLIENT_HELLO,
783 SSL_R_CLIENTHELLO_TLSEXT);
762 goto err; 784 goto err;
763 } 785 }
764 if ((p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { 786 if ((p = ssl_add_clienthello_tlsext(s, p,
765 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 787 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
788 SSLerr(SSL_F_SSL3_CLIENT_HELLO,
789 ERR_R_INTERNAL_ERROR);
766 goto err; 790 goto err;
767 } 791 }
768#endif 792#endif
@@ -780,21 +804,21 @@ ssl3_client_hello(SSL *s)
780 804
781 /* SSL3_ST_CW_CLNT_HELLO_B */ 805 /* SSL3_ST_CW_CLNT_HELLO_B */
782 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 806 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
783err: 807 err:
784 return (-1); 808 return (-1);
785} 809}
786 810
787int 811int
788ssl3_get_server_hello(SSL *s) 812ssl3_get_server_hello(SSL *s)
789{ 813{
790 STACK_OF(SSL_CIPHER) *sk; 814 STACK_OF(SSL_CIPHER) *sk;
791 const SSL_CIPHER *c; 815 const SSL_CIPHER *c;
792 unsigned char *p, *d; 816 unsigned char *p, *d;
793 int i, al, ok; 817 int i, al, ok;
794 unsigned int j; 818 unsigned int j;
795 long n; 819 long n;
796#ifndef OPENSSL_NO_COMP 820#ifndef OPENSSL_NO_COMP
797 SSL_COMP *comp; 821 SSL_COMP *comp;
798#endif 822#endif
799 823
800 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, 824 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
@@ -803,7 +827,8 @@ ssl3_get_server_hello(SSL *s)
803 if (!ok) 827 if (!ok)
804 return ((int)n); 828 return ((int)n);
805 829
806 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) { 830 if (SSL_version(s) == DTLS1_VERSION ||
831 SSL_version(s) == DTLS1_BAD_VER) {
807 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { 832 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
808 if (s->d1->send_cookie == 0) { 833 if (s->d1->send_cookie == 0) {
809 s->s3->tmp.reuse_message = 1; 834 s->s3->tmp.reuse_message = 1;
@@ -812,7 +837,8 @@ ssl3_get_server_hello(SSL *s)
812 else /* already sent a cookie */ 837 else /* already sent a cookie */
813 { 838 {
814 al = SSL_AD_UNEXPECTED_MESSAGE; 839 al = SSL_AD_UNEXPECTED_MESSAGE;
815 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE); 840 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
841 SSL_R_BAD_MESSAGE_TYPE);
816 goto f_err; 842 goto f_err;
817 } 843 }
818 } 844 }
@@ -820,14 +846,16 @@ ssl3_get_server_hello(SSL *s)
820 846
821 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) { 847 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
822 al = SSL_AD_UNEXPECTED_MESSAGE; 848 al = SSL_AD_UNEXPECTED_MESSAGE;
823 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE); 849 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
850 SSL_R_BAD_MESSAGE_TYPE);
824 goto f_err; 851 goto f_err;
825 } 852 }
826 853
827 d = p=(unsigned char *)s->init_msg; 854 d = p=(unsigned char *)s->init_msg;
828 855
829 if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) { 856 if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
830 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); 857 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
858 SSL_R_WRONG_SSL_VERSION);
831 s->version = (s->version&0xff00)|p[1]; 859 s->version = (s->version&0xff00)|p[1];
832 al = SSL_AD_PROTOCOL_VERSION; 860 al = SSL_AD_PROTOCOL_VERSION;
833 goto f_err; 861 goto f_err;
@@ -842,14 +870,19 @@ ssl3_get_server_hello(SSL *s)
842 /* get the session-id */ 870 /* get the session-id */
843 j= *(p++); 871 j= *(p++);
844 872
845 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { 873 if ((j > sizeof s->session->session_id) ||
874 (j > SSL3_SESSION_ID_SIZE)) {
846 al = SSL_AD_ILLEGAL_PARAMETER; 875 al = SSL_AD_ILLEGAL_PARAMETER;
847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG); 876 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
877 SSL_R_SSL3_SESSION_ID_TOO_LONG);
848 goto f_err; 878 goto f_err;
849 } 879 }
850 880
851#ifndef OPENSSL_NO_TLSEXT 881#ifndef OPENSSL_NO_TLSEXT
852 /* check if we want to resume the session based on external pre-shared secret */ 882 /*
883 * Check if we want to resume the session based on external
884 * pre-shared secret
885 */
853 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { 886 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
854 SSL_CIPHER *pref_cipher = NULL; 887 SSL_CIPHER *pref_cipher = NULL;
855 s->session->master_key_length = sizeof(s->session->master_key); 888 s->session->master_key_length = sizeof(s->session->master_key);
@@ -865,16 +898,17 @@ ssl3_get_server_hello(SSL *s)
865 if (j != 0 && j == s->session->session_id_length && 898 if (j != 0 && j == s->session->session_id_length &&
866 memcmp(p, s->session->session_id, j) == 0) { 899 memcmp(p, s->session->session_id, j) == 0) {
867 if (s->sid_ctx_length != s->session->sid_ctx_length || 900 if (s->sid_ctx_length != s->session->sid_ctx_length ||
868 memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 901 memcmp(s->session->sid_ctx,
902 s->sid_ctx, s->sid_ctx_length)) {
869 /* actually a client application bug */ 903 /* actually a client application bug */
870 al = SSL_AD_ILLEGAL_PARAMETER; 904 al = SSL_AD_ILLEGAL_PARAMETER;
871 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 905 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
906 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
872 goto f_err; 907 goto f_err;
873 } 908 }
874 s->hit = 1; 909 s->hit = 1;
875 } 910 } else { /* a miss or crap from the other end */
876 else /* a miss or crap from the other end */ 911
877 {
878 /* If we were trying for session-id reuse, make a new 912 /* If we were trying for session-id reuse, make a new
879 * SSL_SESSION so we don't stuff up other people */ 913 * SSL_SESSION so we don't stuff up other people */
880 s->hit = 0; 914 s->hit = 0;
@@ -892,14 +926,16 @@ ssl3_get_server_hello(SSL *s)
892 if (c == NULL) { 926 if (c == NULL) {
893 /* unknown cipher */ 927 /* unknown cipher */
894 al = SSL_AD_ILLEGAL_PARAMETER; 928 al = SSL_AD_ILLEGAL_PARAMETER;
895 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED); 929 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
930 SSL_R_UNKNOWN_CIPHER_RETURNED);
896 goto f_err; 931 goto f_err;
897 } 932 }
898 /* TLS v1.2 only ciphersuites require v1.2 or later */ 933 /* TLS v1.2 only ciphersuites require v1.2 or later */
899 if ((c->algorithm_ssl & SSL_TLSV1_2) && 934 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
900 (TLS1_get_version(s) < TLS1_2_VERSION)) { 935 (TLS1_get_version(s) < TLS1_2_VERSION)) {
901 al = SSL_AD_ILLEGAL_PARAMETER; 936 al = SSL_AD_ILLEGAL_PARAMETER;
902 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED); 937 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
938 SSL_R_WRONG_CIPHER_RETURNED);
903 goto f_err; 939 goto f_err;
904 } 940 }
905 p += ssl_put_cipher_by_char(s, NULL, NULL); 941 p += ssl_put_cipher_by_char(s, NULL, NULL);
@@ -909,25 +945,31 @@ ssl3_get_server_hello(SSL *s)
909 if (i < 0) { 945 if (i < 0) {
910 /* we did not say we would use this cipher */ 946 /* we did not say we would use this cipher */
911 al = SSL_AD_ILLEGAL_PARAMETER; 947 al = SSL_AD_ILLEGAL_PARAMETER;
912 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED); 948 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
949 SSL_R_WRONG_CIPHER_RETURNED);
913 goto f_err; 950 goto f_err;
914 } 951 }
915 952
916 /* Depending on the session caching (internal/external), the cipher 953 /*
917 and/or cipher_id values may not be set. Make sure that 954 * Depending on the session caching (internal/external), the cipher
918 cipher_id is set and use it for comparison. */ 955 * and/or cipher_id values may not be set. Make sure that
956 * cipher_id is set and use it for comparison.
957 */
919 if (s->session->cipher) 958 if (s->session->cipher)
920 s->session->cipher_id = s->session->cipher->id; 959 s->session->cipher_id = s->session->cipher->id;
921 if (s->hit && (s->session->cipher_id != c->id)) { 960 if (s->hit && (s->session->cipher_id != c->id)) {
922 al = SSL_AD_ILLEGAL_PARAMETER; 961 al = SSL_AD_ILLEGAL_PARAMETER;
923 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 962 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
963 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
924 goto f_err; 964 goto f_err;
925 } 965 }
926 s->s3->tmp.new_cipher = c; 966 s->s3->tmp.new_cipher = c;
927 /* Don't digest cached records if TLS v1.2: we may need them for 967 /*
968 * Don't digest cached records if TLS v1.2: we may need them for
928 * client authentication. 969 * client authentication.
929 */ 970 */
930 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) { 971 if (TLS1_get_version(s) < TLS1_2_VERSION &&
972 !ssl3_digest_cached_records(s)) {
931 al = SSL_AD_INTERNAL_ERROR; 973 al = SSL_AD_INTERNAL_ERROR;
932 goto f_err; 974 goto f_err;
933 } 975 }
@@ -936,36 +978,42 @@ ssl3_get_server_hello(SSL *s)
936#ifdef OPENSSL_NO_COMP 978#ifdef OPENSSL_NO_COMP
937 if (*(p++) != 0) { 979 if (*(p++) != 0) {
938 al = SSL_AD_ILLEGAL_PARAMETER; 980 al = SSL_AD_ILLEGAL_PARAMETER;
939 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 981 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
982 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
940 goto f_err; 983 goto f_err;
941 } 984 }
942 /* If compression is disabled we'd better not try to resume a session 985 /*
986 * If compression is disabled we'd better not try to resume a session
943 * using compression. 987 * using compression.
944 */ 988 */
945 if (s->session->compress_meth != 0) { 989 if (s->session->compress_meth != 0) {
946 al = SSL_AD_INTERNAL_ERROR; 990 al = SSL_AD_INTERNAL_ERROR;
947 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION); 991 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
992 SSL_R_INCONSISTENT_COMPRESSION);
948 goto f_err; 993 goto f_err;
949 } 994 }
950#else 995#else
951 j= *(p++); 996 j= *(p++);
952 if (s->hit && j != s->session->compress_meth) { 997 if (s->hit && j != s->session->compress_meth) {
953 al = SSL_AD_ILLEGAL_PARAMETER; 998 al = SSL_AD_ILLEGAL_PARAMETER;
954 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED); 999 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1000 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
955 goto f_err; 1001 goto f_err;
956 } 1002 }
957 if (j == 0) 1003 if (j == 0)
958 comp = NULL; 1004 comp = NULL;
959 else if (s->options & SSL_OP_NO_COMPRESSION) { 1005 else if (s->options & SSL_OP_NO_COMPRESSION) {
960 al = SSL_AD_ILLEGAL_PARAMETER; 1006 al = SSL_AD_ILLEGAL_PARAMETER;
961 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED); 1007 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1008 SSL_R_COMPRESSION_DISABLED);
962 goto f_err; 1009 goto f_err;
963 } else 1010 } else
964 comp = ssl3_comp_find(s->ctx->comp_methods, j); 1011 comp = ssl3_comp_find(s->ctx->comp_methods, j);
965 1012
966 if ((j != 0) && (comp == NULL)) { 1013 if ((j != 0) && (comp == NULL)) {
967 al = SSL_AD_ILLEGAL_PARAMETER; 1014 al = SSL_AD_ILLEGAL_PARAMETER;
968 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 1015 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1016 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
969 goto f_err; 1017 goto f_err;
970 } else { 1018 } else {
971 s->s3->tmp.new_compression = comp; 1019 s->s3->tmp.new_compression = comp;
@@ -977,12 +1025,14 @@ ssl3_get_server_hello(SSL *s)
977 if (s->version >= SSL3_VERSION) { 1025 if (s->version >= SSL3_VERSION) {
978 if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) { 1026 if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
979 /* 'al' set by ssl_parse_serverhello_tlsext */ 1027 /* 'al' set by ssl_parse_serverhello_tlsext */
980 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT); 1028 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1029 SSL_R_PARSE_TLSEXT);
981 goto f_err; 1030 goto f_err;
982 1031
983 } 1032 }
984 if (ssl_check_serverhello_tlsext(s) <= 0) { 1033 if (ssl_check_serverhello_tlsext(s) <= 0) {
985 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); 1034 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1035 SSL_R_SERVERHELLO_TLSEXT);
986 goto err; 1036 goto err;
987 } 1037 }
988 } 1038 }
@@ -991,29 +1041,32 @@ ssl3_get_server_hello(SSL *s)
991 if (p != (d + n)) { 1041 if (p != (d + n)) {
992 /* wrong packet length */ 1042 /* wrong packet length */
993 al = SSL_AD_DECODE_ERROR; 1043 al = SSL_AD_DECODE_ERROR;
994 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH); 1044 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
1045 SSL_R_BAD_PACKET_LENGTH);
995 goto f_err; 1046 goto f_err;
996 } 1047 }
997 1048
998 return (1); 1049 return (1);
999f_err: 1050 f_err:
1000 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1051 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1001err: 1052 err:
1002 return (-1); 1053 return (-1);
1003} 1054}
1004 1055
1005int 1056int
1006ssl3_get_server_certificate(SSL *s) 1057ssl3_get_server_certificate(SSL *s)
1007{ 1058{
1008 int al, i, ok, ret = -1; 1059 int al, i, ok, ret = -1;
1009 unsigned long n, nc, llen, l; 1060 unsigned long n, nc, llen, l;
1010 X509 *x = NULL; 1061 X509 *x = NULL;
1011 const unsigned char *q, *p; 1062 const unsigned char *q, *p;
1012 unsigned char *d; 1063 unsigned char *d;
1013 STACK_OF(X509) *sk = NULL; 1064 STACK_OF(X509) *sk = NULL;
1014 SESS_CERT *sc; 1065 SESS_CERT *sc;
1015 EVP_PKEY *pkey = NULL; 1066 EVP_PKEY *pkey = NULL;
1016 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1067
1068 /* VRS: 0=> will allow null cert if auth == KRB5 */
1069 int need_cert = 1;
1017 1070
1018 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, 1071 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
1019 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); 1072 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
@@ -1030,27 +1083,31 @@ ssl3_get_server_certificate(SSL *s)
1030 1083
1031 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { 1084 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
1032 al = SSL_AD_UNEXPECTED_MESSAGE; 1085 al = SSL_AD_UNEXPECTED_MESSAGE;
1033 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE); 1086 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1087 SSL_R_BAD_MESSAGE_TYPE);
1034 goto f_err; 1088 goto f_err;
1035 } 1089 }
1036 p = d = (unsigned char *)s->init_msg; 1090 p = d = (unsigned char *)s->init_msg;
1037 1091
1038 if ((sk = sk_X509_new_null()) == NULL) { 1092 if ((sk = sk_X509_new_null()) == NULL) {
1039 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); 1093 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1094 ERR_R_MALLOC_FAILURE);
1040 goto err; 1095 goto err;
1041 } 1096 }
1042 1097
1043 n2l3(p, llen); 1098 n2l3(p, llen);
1044 if (llen + 3 != n) { 1099 if (llen + 3 != n) {
1045 al = SSL_AD_DECODE_ERROR; 1100 al = SSL_AD_DECODE_ERROR;
1046 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH); 1101 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1102 SSL_R_LENGTH_MISMATCH);
1047 goto f_err; 1103 goto f_err;
1048 } 1104 }
1049 for (nc = 0; nc < llen; ) { 1105 for (nc = 0; nc < llen; ) {
1050 n2l3(p, l); 1106 n2l3(p, l);
1051 if ((l + nc + 3) > llen) { 1107 if ((l + nc + 3) > llen) {
1052 al = SSL_AD_DECODE_ERROR; 1108 al = SSL_AD_DECODE_ERROR;
1053 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH); 1109 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1110 SSL_R_CERT_LENGTH_MISMATCH);
1054 goto f_err; 1111 goto f_err;
1055 } 1112 }
1056 1113
@@ -1058,16 +1115,19 @@ ssl3_get_server_certificate(SSL *s)
1058 x = d2i_X509(NULL, &q, l); 1115 x = d2i_X509(NULL, &q, l);
1059 if (x == NULL) { 1116 if (x == NULL) {
1060 al = SSL_AD_BAD_CERTIFICATE; 1117 al = SSL_AD_BAD_CERTIFICATE;
1061 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); 1118 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1119 ERR_R_ASN1_LIB);
1062 goto f_err; 1120 goto f_err;
1063 } 1121 }
1064 if (q != (p + l)) { 1122 if (q != (p + l)) {
1065 al = SSL_AD_DECODE_ERROR; 1123 al = SSL_AD_DECODE_ERROR;
1066 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH); 1124 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1125 SSL_R_CERT_LENGTH_MISMATCH);
1067 goto f_err; 1126 goto f_err;
1068 } 1127 }
1069 if (!sk_X509_push(sk, x)) { 1128 if (!sk_X509_push(sk, x)) {
1070 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); 1129 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1130 ERR_R_MALLOC_FAILURE);
1071 goto err; 1131 goto err;
1072 } 1132 }
1073 x = NULL; 1133 x = NULL;
@@ -1083,7 +1143,8 @@ ssl3_get_server_certificate(SSL *s)
1083#endif /* OPENSSL_NO_KRB5 */ 1143#endif /* OPENSSL_NO_KRB5 */
1084 ) { 1144 ) {
1085 al = ssl_verify_alarm_type(s->verify_result); 1145 al = ssl_verify_alarm_type(s->verify_result);
1086 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED); 1146 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1147 SSL_R_CERTIFICATE_VERIFY_FAILED);
1087 goto f_err; 1148 goto f_err;
1088 1149
1089 } 1150 }
@@ -1098,8 +1159,10 @@ ssl3_get_server_certificate(SSL *s)
1098 s->session->sess_cert = sc; 1159 s->session->sess_cert = sc;
1099 1160
1100 sc->cert_chain = sk; 1161 sc->cert_chain = sk;
1101 /* Inconsistency alert: cert_chain does include the peer's 1162 /*
1102 * certificate, which we don't include in s3_srvr.c */ 1163 * Inconsistency alert: cert_chain does include the peer's
1164 * certificate, which we don't include in s3_srvr.c
1165 */
1103 x = sk_X509_value(sk, 0); 1166 x = sk_X509_value(sk, 0);
1104 sk = NULL; 1167 sk = NULL;
1105 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1168 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
@@ -1108,17 +1171,19 @@ ssl3_get_server_certificate(SSL *s)
1108 1171
1109 /* VRS: allow null cert if auth == KRB5 */ 1172 /* VRS: allow null cert if auth == KRB5 */
1110 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1173 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1111 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1174 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1112 ? 0 : 1; 1175 ? 0 : 1;
1113 1176
1114#ifdef KSSL_DEBUG 1177#ifdef KSSL_DEBUG
1115 printf("pkey, x = %p, %p\n", pkey, x); 1178 printf("pkey, x = %p, %p\n", pkey, x);
1116 printf("ssl_cert_type(x, pkey) = %d\n", ssl_cert_type(x, pkey)); 1179 printf("ssl_cert_type(x, pkey) = %d\n", ssl_cert_type(x, pkey));
1117 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1180 printf("cipher, alg, nc = %s, %lx, %lx, %d\n",
1118 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1181 s->s3->tmp.new_cipher->name, s->s3->tmp.new_cipher->algorithm_mkey,
1182 s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1119#endif /* KSSL_DEBUG */ 1183#endif /* KSSL_DEBUG */
1120 1184
1121 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) { 1185 if (need_cert && ((pkey == NULL) ||
1186 EVP_PKEY_missing_parameters(pkey))) {
1122 x = NULL; 1187 x = NULL;
1123 al = SSL3_AL_FATAL; 1188 al = SSL3_AL_FATAL;
1124 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1189 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1138,8 +1203,10 @@ ssl3_get_server_certificate(SSL *s)
1138 if (need_cert) { 1203 if (need_cert) {
1139 sc->peer_cert_type = i; 1204 sc->peer_cert_type = i;
1140 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 1205 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1141 /* Why would the following ever happen? 1206 /*
1142 * We just created sc a couple of lines ago. */ 1207 * Why would the following ever happen?
1208 * We just created sc a couple of lines ago.
1209 */
1143 if (sc->peer_pkeys[i].x509 != NULL) 1210 if (sc->peer_pkeys[i].x509 != NULL)
1144 X509_free(sc->peer_pkeys[i].x509); 1211 X509_free(sc->peer_pkeys[i].x509);
1145 sc->peer_pkeys[i].x509 = x; 1212 sc->peer_pkeys[i].x509 = x;
@@ -1163,10 +1230,10 @@ ssl3_get_server_certificate(SSL *s)
1163 ret = 1; 1230 ret = 1;
1164 1231
1165 if (0) { 1232 if (0) {
1166f_err: 1233 f_err:
1167 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1234 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1168 } 1235 }
1169err: 1236 err:
1170 EVP_PKEY_free(pkey); 1237 EVP_PKEY_free(pkey);
1171 X509_free(x); 1238 X509_free(x);
1172 sk_X509_pop_free(sk, X509_free); 1239 sk_X509_pop_free(sk, X509_free);
@@ -1176,27 +1243,29 @@ err:
1176int 1243int
1177ssl3_get_key_exchange(SSL *s) 1244ssl3_get_key_exchange(SSL *s)
1178{ 1245{
1179 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; 1246 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1180 EVP_MD_CTX md_ctx; 1247 EVP_MD_CTX md_ctx;
1181 unsigned char *param, *p; 1248 unsigned char *param, *p;
1182 int al, i, j, param_len, ok; 1249 int al, i, j, param_len, ok;
1183 long n, alg_k, alg_a; 1250 long n, alg_k, alg_a;
1184 EVP_PKEY *pkey = NULL; 1251 EVP_PKEY *pkey = NULL;
1185 const EVP_MD *md = NULL; 1252 const EVP_MD *md = NULL;
1186 RSA *rsa = NULL; 1253 RSA *rsa = NULL;
1187#ifndef OPENSSL_NO_DH 1254#ifndef OPENSSL_NO_DH
1188 DH *dh = NULL; 1255 DH *dh = NULL;
1189#endif 1256#endif
1190#ifndef OPENSSL_NO_ECDH 1257#ifndef OPENSSL_NO_ECDH
1191 EC_KEY *ecdh = NULL; 1258 EC_KEY *ecdh = NULL;
1192 BN_CTX *bn_ctx = NULL; 1259 BN_CTX *bn_ctx = NULL;
1193 EC_POINT *srvr_ecpoint = NULL; 1260 EC_POINT *srvr_ecpoint = NULL;
1194 int curve_nid = 0; 1261 int curve_nid = 0;
1195 int encoded_pt_len = 0; 1262 int encoded_pt_len = 0;
1196#endif 1263#endif
1197 1264
1198 /* use same message size as in ssl3_get_certificate_request() 1265 /*
1199 * as ServerKeyExchange message may be skipped */ 1266 * Use same message size as in ssl3_get_certificate_request()
1267 * as ServerKeyExchange message may be skipped.
1268 */
1200 n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, 1269 n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1201 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); 1270 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok);
1202 if (!ok) 1271 if (!ok)
@@ -1204,10 +1273,11 @@ ssl3_get_key_exchange(SSL *s)
1204 1273
1205 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { 1274 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1206#ifndef OPENSSL_NO_PSK 1275#ifndef OPENSSL_NO_PSK
1207 /* In plain PSK ciphersuite, ServerKeyExchange can be 1276 /*
1208 omitted if no identity hint is sent. Set 1277 * In plain PSK ciphersuite, ServerKeyExchange can be
1209 session->sess_cert anyway to avoid problems 1278 * omitted if no identity hint is sent. Set session->sess_cert
1210 later.*/ 1279 * anyway to avoid problems later.
1280 */
1211 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) { 1281 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
1212 s->session->sess_cert = ssl_sess_cert_new(); 1282 s->session->sess_cert = ssl_sess_cert_new();
1213 if (s->ctx->psk_identity_hint) 1283 if (s->ctx->psk_identity_hint)
@@ -1253,32 +1323,37 @@ ssl3_get_key_exchange(SSL *s)
1253 al = SSL_AD_HANDSHAKE_FAILURE; 1323 al = SSL_AD_HANDSHAKE_FAILURE;
1254 n2s(p, i); 1324 n2s(p, i);
1255 param_len = i + 2; 1325 param_len = i + 2;
1256 /* Store PSK identity hint for later use, hint is used 1326 /*
1327 * Store PSK identity hint for later use, hint is used
1257 * in ssl3_send_client_key_exchange. Assume that the 1328 * in ssl3_send_client_key_exchange. Assume that the
1258 * maximum length of a PSK identity hint can be as 1329 * maximum length of a PSK identity hint can be as
1259 * long as the maximum length of a PSK identity. */ 1330 * long as the maximum length of a PSK identity.
1331 */
1260 if (i > PSK_MAX_IDENTITY_LEN) { 1332 if (i > PSK_MAX_IDENTITY_LEN) {
1261 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1333 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1262 SSL_R_DATA_LENGTH_TOO_LONG); 1334 SSL_R_DATA_LENGTH_TOO_LONG);
1263 goto f_err; 1335 goto f_err;
1264 } 1336 }
1265 if (param_len > n) { 1337 if (param_len > n) {
1266 al = SSL_AD_DECODE_ERROR; 1338 al = SSL_AD_DECODE_ERROR;
1267 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1339 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1268 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1340 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1269 goto f_err; 1341 goto f_err;
1270 } 1342 }
1271 /* If received PSK identity hint contains NULL 1343 /*
1344 * If received PSK identity hint contains NULL
1272 * characters, the hint is truncated from the first 1345 * characters, the hint is truncated from the first
1273 * NULL. p may not be ending with NULL, so create a 1346 * NULL. p may not be ending with NULL, so create a
1274 * NULL-terminated string. */ 1347 * NULL-terminated string.
1348 */
1275 memcpy(tmp_id_hint, p, i); 1349 memcpy(tmp_id_hint, p, i);
1276 memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); 1350 memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
1277 if (s->ctx->psk_identity_hint != NULL) 1351 if (s->ctx->psk_identity_hint != NULL)
1278 free(s->ctx->psk_identity_hint); 1352 free(s->ctx->psk_identity_hint);
1279 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1353 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1280 if (s->ctx->psk_identity_hint == NULL) { 1354 if (s->ctx->psk_identity_hint == NULL) {
1281 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1355 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1356 ERR_R_MALLOC_FAILURE);
1282 goto f_err; 1357 goto f_err;
1283 } 1358 }
1284 1359
@@ -1292,11 +1367,13 @@ ssl3_get_key_exchange(SSL *s)
1292 param_len = i + 2; 1367 param_len = i + 2;
1293 if (param_len > n) { 1368 if (param_len > n) {
1294 al = SSL_AD_DECODE_ERROR; 1369 al = SSL_AD_DECODE_ERROR;
1295 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH); 1370 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1371 SSL_R_BAD_SRP_N_LENGTH);
1296 goto f_err; 1372 goto f_err;
1297 } 1373 }
1298 if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) { 1374 if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
1299 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1375 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1376 ERR_R_BN_LIB);
1300 goto err; 1377 goto err;
1301 } 1378 }
1302 p += i; 1379 p += i;
@@ -1305,11 +1382,13 @@ ssl3_get_key_exchange(SSL *s)
1305 param_len += i + 2; 1382 param_len += i + 2;
1306 if (param_len > n) { 1383 if (param_len > n) {
1307 al = SSL_AD_DECODE_ERROR; 1384 al = SSL_AD_DECODE_ERROR;
1308 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH); 1385 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1386 SSL_R_BAD_SRP_G_LENGTH);
1309 goto f_err; 1387 goto f_err;
1310 } 1388 }
1311 if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) { 1389 if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
1312 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1390 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1391 ERR_R_BN_LIB);
1313 goto err; 1392 goto err;
1314 } 1393 }
1315 p += i; 1394 p += i;
@@ -1319,11 +1398,13 @@ ssl3_get_key_exchange(SSL *s)
1319 param_len += i + 1; 1398 param_len += i + 1;
1320 if (param_len > n) { 1399 if (param_len > n) {
1321 al = SSL_AD_DECODE_ERROR; 1400 al = SSL_AD_DECODE_ERROR;
1322 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH); 1401 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1402 SSL_R_BAD_SRP_S_LENGTH);
1323 goto f_err; 1403 goto f_err;
1324 } 1404 }
1325 if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) { 1405 if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
1326 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1406 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1407 ERR_R_BN_LIB);
1327 goto err; 1408 goto err;
1328 } 1409 }
1329 p += i; 1410 p += i;
@@ -1332,224 +1413,268 @@ ssl3_get_key_exchange(SSL *s)
1332 param_len += i + 2; 1413 param_len += i + 2;
1333 if (param_len > n) { 1414 if (param_len > n) {
1334 al = SSL_AD_DECODE_ERROR; 1415 al = SSL_AD_DECODE_ERROR;
1335 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH); 1416 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1417 SSL_R_BAD_SRP_B_LENGTH);
1336 goto f_err; 1418 goto f_err;
1337 } 1419 }
1338 if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) { 1420 if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
1339 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1421 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1422 ERR_R_BN_LIB);
1340 goto err; 1423 goto err;
1341 } 1424 }
1342 p += i; 1425 p += i;
1343 n -= param_len; 1426 n -= param_len;
1344 1427
1345/* We must check if there is a certificate */ 1428 /* We must check if there is a certificate */
1346 if (alg_a & SSL_aRSA) 1429 if (alg_a & SSL_aRSA)
1347 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1430 pkey = X509_get_pubkey(
1431 s->session->sess_cert->peer_pkeys[
1432 SSL_PKEY_RSA_ENC].x509);
1348 else if (alg_a & SSL_aDSS) 1433 else if (alg_a & SSL_aDSS)
1349 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1434 pkey = X509_get_pubkey(
1435 s->session->sess_cert->peer_pkeys[
1436 SSL_PKEY_DSA_SIGN].x509);
1350 } else 1437 } else
1351#endif /* !OPENSSL_NO_SRP */ 1438#endif /* !OPENSSL_NO_SRP */
1352 if (alg_k & SSL_kRSA) { 1439 if (alg_k & SSL_kRSA) {
1353 if ((rsa = RSA_new()) == NULL) { 1440 if ((rsa = RSA_new()) == NULL) {
1354 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1441 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1355 goto err; 1442 ERR_R_MALLOC_FAILURE);
1356 } 1443 goto err;
1357 n2s(p, i); 1444 }
1358 param_len = i + 2; 1445 n2s(p, i);
1359 if (param_len > n) { 1446 param_len = i + 2;
1360 al = SSL_AD_DECODE_ERROR; 1447 if (param_len > n) {
1361 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_MODULUS_LENGTH); 1448 al = SSL_AD_DECODE_ERROR;
1362 goto f_err; 1449 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1363 } 1450 SSL_R_BAD_RSA_MODULUS_LENGTH);
1364 if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) { 1451 goto f_err;
1365 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1452 }
1366 goto err; 1453 if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) {
1367 } 1454 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1368 p += i; 1455 ERR_R_BN_LIB);
1456 goto err;
1457 }
1458 p += i;
1369 1459
1370 n2s(p, i); 1460 n2s(p, i);
1371 param_len += i + 2; 1461 param_len += i + 2;
1372 if (param_len > n) { 1462 if (param_len > n) {
1373 al = SSL_AD_DECODE_ERROR; 1463 al = SSL_AD_DECODE_ERROR;
1374 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_E_LENGTH); 1464 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1375 goto f_err; 1465 SSL_R_BAD_RSA_E_LENGTH);
1376 } 1466 goto f_err;
1377 if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) { 1467 }
1378 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1468 if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) {
1379 goto err; 1469 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1380 } 1470 ERR_R_BN_LIB);
1381 p += i; 1471 goto err;
1382 n -= param_len; 1472 }
1473 p += i;
1474 n -= param_len;
1383 1475
1384 /* this should be because we are using an export cipher */ 1476 /*
1385 if (alg_a & SSL_aRSA) 1477 * This should be because we are using an
1386 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1478 * export cipher
1387 else { 1479 */
1388 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1480 if (alg_a & SSL_aRSA)
1389 goto err; 1481 pkey = X509_get_pubkey(
1482 s->session->sess_cert->peer_pkeys[
1483 SSL_PKEY_RSA_ENC].x509);
1484 else {
1485 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1486 ERR_R_INTERNAL_ERROR);
1487 goto err;
1488 }
1489 s->session->sess_cert->peer_rsa_tmp = rsa;
1490 rsa = NULL;
1390 } 1491 }
1391 s->session->sess_cert->peer_rsa_tmp = rsa;
1392 rsa = NULL;
1393 }
1394#ifndef OPENSSL_NO_DH 1492#ifndef OPENSSL_NO_DH
1395 else if (alg_k & SSL_kEDH) { 1493 else if (alg_k & SSL_kEDH) {
1396 if ((dh = DH_new()) == NULL) { 1494 if ((dh = DH_new()) == NULL) {
1397 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB); 1495 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1398 goto err; 1496 ERR_R_DH_LIB);
1399 } 1497 goto err;
1400 n2s(p, i); 1498 }
1401 param_len = i + 2; 1499 n2s(p, i);
1402 if (param_len > n) { 1500 param_len = i + 2;
1403 al = SSL_AD_DECODE_ERROR; 1501 if (param_len > n) {
1404 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH); 1502 al = SSL_AD_DECODE_ERROR;
1405 goto f_err; 1503 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1406 } 1504 SSL_R_BAD_DH_P_LENGTH);
1407 if (!(dh->p = BN_bin2bn(p, i, NULL))) { 1505 goto f_err;
1408 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1506 }
1409 goto err; 1507 if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1410 } 1508 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1411 p += i; 1509 ERR_R_BN_LIB);
1510 goto err;
1511 }
1512 p += i;
1412 1513
1413 n2s(p, i); 1514 n2s(p, i);
1414 param_len += i + 2; 1515 param_len += i + 2;
1415 if (param_len > n) { 1516 if (param_len > n) {
1416 al = SSL_AD_DECODE_ERROR; 1517 al = SSL_AD_DECODE_ERROR;
1417 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH); 1518 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1418 goto f_err; 1519 SSL_R_BAD_DH_G_LENGTH);
1419 } 1520 goto f_err;
1420 if (!(dh->g = BN_bin2bn(p, i, NULL))) { 1521 }
1421 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); 1522 if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1422 goto err; 1523 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1423 } 1524 ERR_R_BN_LIB);
1424 p += i; 1525 goto err;
1526 }
1527 p += i;
1425 1528
1426 n2s(p, i); 1529 n2s(p, i);
1427 param_len += i + 2; 1530 param_len += i + 2;
1428 if (param_len > n) { 1531 if (param_len > n) {
1429 al = SSL_AD_DECODE_ERROR; 1532 al = SSL_AD_DECODE_ERROR;
1430 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_LENGTH); 1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1534 SSL_R_BAD_DH_PUB_KEY_LENGTH);
1535 goto f_err;
1536 }
1537 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1538 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1539 ERR_R_BN_LIB);
1540 goto err;
1541 }
1542 p += i;
1543 n -= param_len;
1544
1545 if (alg_a & SSL_aRSA)
1546 pkey = X509_get_pubkey(
1547 s->session->sess_cert->peer_pkeys[
1548 SSL_PKEY_RSA_ENC].x509);
1549 else if (alg_a & SSL_aDSS)
1550 pkey = X509_get_pubkey(
1551 s->session->sess_cert->peer_pkeys[
1552 SSL_PKEY_DSA_SIGN].x509);
1553 /* else anonymous DH, so no certificate or pkey. */
1554
1555 s->session->sess_cert->peer_dh_tmp = dh;
1556 dh = NULL;
1557 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1558 al = SSL_AD_ILLEGAL_PARAMETER;
1559 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1560 SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1431 goto f_err; 1561 goto f_err;
1432 } 1562 }
1433 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1434 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1435 goto err;
1436 }
1437 p += i;
1438 n -= param_len;
1439
1440 if (alg_a & SSL_aRSA)
1441 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1442 else if (alg_a & SSL_aDSS)
1443 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1444 /* else anonymous DH, so no certificate or pkey. */
1445
1446 s->session->sess_cert->peer_dh_tmp = dh;
1447 dh = NULL;
1448 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1449 al = SSL_AD_ILLEGAL_PARAMETER;
1450 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1451 goto f_err;
1452 }
1453#endif /* !OPENSSL_NO_DH */ 1563#endif /* !OPENSSL_NO_DH */
1454 1564
1455#ifndef OPENSSL_NO_ECDH 1565#ifndef OPENSSL_NO_ECDH
1456 else if (alg_k & SSL_kEECDH) { 1566 else if (alg_k & SSL_kEECDH) {
1457 EC_GROUP *ngroup; 1567 EC_GROUP *ngroup;
1458 const EC_GROUP *group; 1568 const EC_GROUP *group;
1459 1569
1460 if ((ecdh = EC_KEY_new()) == NULL) { 1570 if ((ecdh = EC_KEY_new()) == NULL) {
1461 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1571 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1462 goto err; 1572 ERR_R_MALLOC_FAILURE);
1463 } 1573 goto err;
1574 }
1464 1575
1465 /* Extract elliptic curve parameters and the 1576 /*
1466 * server's ephemeral ECDH public key. 1577 * Extract elliptic curve parameters and the
1467 * Keep accumulating lengths of various components in 1578 * server's ephemeral ECDH public key.
1468 * param_len and make sure it never exceeds n. 1579 * Keep accumulating lengths of various components in
1469 */ 1580 * param_len and make sure it never exceeds n.
1581 */
1470 1582
1471 /* XXX: For now we only support named (not generic) curves 1583 /*
1472 * and the ECParameters in this case is just three bytes. 1584 * XXX: For now we only support named (not generic)
1473 */ 1585 * curves and the ECParameters in this case is just
1474 param_len = 3; 1586 * three bytes.
1475 if ((param_len > n) || 1587 */
1476 (*p != NAMED_CURVE_TYPE) || 1588 param_len = 3;
1477 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) { 1589 if ((param_len > n) || (*p != NAMED_CURVE_TYPE) ||
1478 al = SSL_AD_INTERNAL_ERROR; 1590 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2)))
1479 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1591 == 0)) {
1480 goto f_err; 1592 al = SSL_AD_INTERNAL_ERROR;
1481 } 1593 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1594 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1595 goto f_err;
1596 }
1482 1597
1483 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1598 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1484 if (ngroup == NULL) { 1599 if (ngroup == NULL) {
1485 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB); 1600 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1486 goto err; 1601 ERR_R_EC_LIB);
1487 } 1602 goto err;
1488 if (EC_KEY_set_group(ecdh, ngroup) == 0) { 1603 }
1489 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB); 1604 if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1490 goto err; 1605 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1491 } 1606 ERR_R_EC_LIB);
1492 EC_GROUP_free(ngroup); 1607 goto err;
1608 }
1609 EC_GROUP_free(ngroup);
1493 1610
1494 group = EC_KEY_get0_group(ecdh); 1611 group = EC_KEY_get0_group(ecdh);
1495 1612
1496 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1613 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1497 (EC_GROUP_get_degree(group) > 163)) { 1614 (EC_GROUP_get_degree(group) > 163)) {
1498 al = SSL_AD_EXPORT_RESTRICTION; 1615 al = SSL_AD_EXPORT_RESTRICTION;
1499 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1616 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1500 goto f_err; 1617 SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1501 } 1618 goto f_err;
1619 }
1502 1620
1503 p += 3; 1621 p += 3;
1504 1622
1505 /* Next, get the encoded ECPoint */ 1623 /* Next, get the encoded ECPoint */
1506 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1624 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1507 ((bn_ctx = BN_CTX_new()) == NULL)) { 1625 ((bn_ctx = BN_CTX_new()) == NULL)) {
1508 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1626 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1509 goto err; 1627 ERR_R_MALLOC_FAILURE);
1510 } 1628 goto err;
1629 }
1511 1630
1512 encoded_pt_len = *p; 1631 encoded_pt_len = *p;
1513 /* length of encoded point */ 1632 /* length of encoded point */
1514 p += 1; 1633 p += 1;
1515 param_len += (1 + encoded_pt_len); 1634 param_len += (1 + encoded_pt_len);
1516 if ((param_len > n) || 1635 if ((param_len > n) ||
1517 (EC_POINT_oct2point(group, srvr_ecpoint, 1636 (EC_POINT_oct2point(group, srvr_ecpoint,
1518 p, encoded_pt_len, bn_ctx) == 0)) { 1637 p, encoded_pt_len, bn_ctx) == 0)) {
1519 al = SSL_AD_DECODE_ERROR; 1638 al = SSL_AD_DECODE_ERROR;
1520 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT); 1639 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1521 goto f_err; 1640 SSL_R_BAD_ECPOINT);
1522 } 1641 goto f_err;
1642 }
1523 1643
1524 n -= param_len; 1644 n -= param_len;
1525 p += encoded_pt_len; 1645 p += encoded_pt_len;
1526 1646
1527 /* The ECC/TLS specification does not mention 1647 /*
1528 * the use of DSA to sign ECParameters in the server 1648 * The ECC/TLS specification does not mention the use
1529 * key exchange message. We do support RSA and ECDSA. 1649 * of DSA to sign ECParameters in the server key
1530 */ 1650 * exchange message. We do support RSA and ECDSA.
1531 if (alg_a & SSL_aRSA) 1651 */
1532 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1652 if (alg_a & SSL_aRSA)
1653 pkey = X509_get_pubkey(
1654 s->session->sess_cert->peer_pkeys[
1655 SSL_PKEY_RSA_ENC].x509);
1533#ifndef OPENSSL_NO_ECDSA 1656#ifndef OPENSSL_NO_ECDSA
1534 else if (alg_a & SSL_aECDSA) 1657 else if (alg_a & SSL_aECDSA)
1535 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1658 pkey = X509_get_pubkey(
1659 s->session->sess_cert->peer_pkeys[
1660 SSL_PKEY_ECC].x509);
1536#endif 1661#endif
1537 /* else anonymous ECDH, so no certificate or pkey. */ 1662 /* Else anonymous ECDH, so no certificate or pkey. */
1538 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1663 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1539 s->session->sess_cert->peer_ecdh_tmp = ecdh; 1664 s->session->sess_cert->peer_ecdh_tmp = ecdh;
1540 ecdh = NULL; 1665 ecdh = NULL;
1541 BN_CTX_free(bn_ctx); 1666 BN_CTX_free(bn_ctx);
1542 bn_ctx = NULL; 1667 bn_ctx = NULL;
1543 EC_POINT_free(srvr_ecpoint); 1668 EC_POINT_free(srvr_ecpoint);
1544 srvr_ecpoint = NULL; 1669 srvr_ecpoint = NULL;
1545 } else if (alg_k) { 1670 } else if (alg_k) {
1546 al = SSL_AD_UNEXPECTED_MESSAGE; 1671 al = SSL_AD_UNEXPECTED_MESSAGE;
1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); 1672 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1548 goto f_err; 1673 SSL_R_UNEXPECTED_MESSAGE);
1549 } 1674 goto f_err;
1675 }
1550#endif /* !OPENSSL_NO_ECDH */ 1676#endif /* !OPENSSL_NO_ECDH */
1551 1677
1552
1553 /* p points to the next byte, there are 'n' bytes left */ 1678 /* p points to the next byte, there are 'n' bytes left */
1554 1679
1555 /* if it was signed, check the signature */ 1680 /* if it was signed, check the signature */
@@ -1558,23 +1683,30 @@ ssl3_get_key_exchange(SSL *s)
1558 int sigalg = tls12_get_sigid(pkey); 1683 int sigalg = tls12_get_sigid(pkey);
1559 /* Should never happen */ 1684 /* Should never happen */
1560 if (sigalg == -1) { 1685 if (sigalg == -1) {
1561 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1686 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1687 ERR_R_INTERNAL_ERROR);
1562 goto err; 1688 goto err;
1563 } 1689 }
1564 /* Check key type is consistent with signature */ 1690 /*
1691 * Check key type is consistent
1692 * with signature
1693 */
1565 if (sigalg != (int)p[1]) { 1694 if (sigalg != (int)p[1]) {
1566 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_TYPE); 1695 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1696 SSL_R_WRONG_SIGNATURE_TYPE);
1567 al = SSL_AD_DECODE_ERROR; 1697 al = SSL_AD_DECODE_ERROR;
1568 goto f_err; 1698 goto f_err;
1569 } 1699 }
1570 md = tls12_get_hash(p[0]); 1700 md = tls12_get_hash(p[0]);
1571 if (md == NULL) { 1701 if (md == NULL) {
1572 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNKNOWN_DIGEST); 1702 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1703 SSL_R_UNKNOWN_DIGEST);
1573 al = SSL_AD_DECODE_ERROR; 1704 al = SSL_AD_DECODE_ERROR;
1574 goto f_err; 1705 goto f_err;
1575 } 1706 }
1576#ifdef SSL_DEBUG 1707#ifdef SSL_DEBUG
1577 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1708 fprintf(stderr, "USING TLSv1.2 HASH %s\n",
1709 EVP_MD_name(md));
1578#endif 1710#endif
1579 p += 2; 1711 p += 2;
1580 n -= 2; 1712 n -= 2;
@@ -1588,11 +1720,13 @@ ssl3_get_key_exchange(SSL *s)
1588 if ((i != n) || (n > j) || (n <= 0)) { 1720 if ((i != n) || (n > j) || (n <= 0)) {
1589 /* wrong packet length */ 1721 /* wrong packet length */
1590 al = SSL_AD_DECODE_ERROR; 1722 al = SSL_AD_DECODE_ERROR;
1591 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH); 1723 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1724 SSL_R_WRONG_SIGNATURE_LENGTH);
1592 goto f_err; 1725 goto f_err;
1593 } 1726 }
1594 1727
1595 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) { 1728 if (pkey->type == EVP_PKEY_RSA &&
1729 TLS1_get_version(s) < TLS1_2_VERSION) {
1596 int num; 1730 int num;
1597 1731
1598 j = 0; 1732 j = 0;
@@ -1600,61 +1734,72 @@ ssl3_get_key_exchange(SSL *s)
1600 for (num = 2; num > 0; num--) { 1734 for (num = 2; num > 0; num--) {
1601 EVP_MD_CTX_set_flags(&md_ctx, 1735 EVP_MD_CTX_set_flags(&md_ctx,
1602 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1736 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1603 EVP_DigestInit_ex(&md_ctx,(num == 2) 1737 EVP_DigestInit_ex(&md_ctx,
1604 ?s->ctx->md5 : s->ctx->sha1, NULL); 1738 (num == 2) ? s->ctx->md5 : s->ctx->sha1,
1605 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1739 NULL);
1606 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 1740 EVP_DigestUpdate(&md_ctx,
1741 &(s->s3->client_random[0]),
1742 SSL3_RANDOM_SIZE);
1743 EVP_DigestUpdate(&md_ctx,
1744 &(s->s3->server_random[0]),
1745 SSL3_RANDOM_SIZE);
1607 EVP_DigestUpdate(&md_ctx, param, param_len); 1746 EVP_DigestUpdate(&md_ctx, param, param_len);
1608 EVP_DigestFinal_ex(&md_ctx, q,(unsigned int *)&i); 1747 EVP_DigestFinal_ex(&md_ctx, q,
1748 (unsigned int *)&i);
1609 q += i; 1749 q += i;
1610 j += i; 1750 j += i;
1611 } 1751 }
1612 i = RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1752 i = RSA_verify(NID_md5_sha1, md_buf, j,
1613 pkey->pkey.rsa); 1753 p, n, pkey->pkey.rsa);
1614 if (i < 0) { 1754 if (i < 0) {
1615 al = SSL_AD_DECRYPT_ERROR; 1755 al = SSL_AD_DECRYPT_ERROR;
1616 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT); 1756 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1757 SSL_R_BAD_RSA_DECRYPT);
1617 goto f_err; 1758 goto f_err;
1618 } 1759 }
1619 if (i == 0) { 1760 if (i == 0) {
1620 /* bad signature */ 1761 /* bad signature */
1621 al = SSL_AD_DECRYPT_ERROR; 1762 al = SSL_AD_DECRYPT_ERROR;
1622 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE); 1763 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1764 SSL_R_BAD_SIGNATURE);
1623 goto f_err; 1765 goto f_err;
1624 } 1766 }
1625 } else 1767 } else {
1626 {
1627 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1768 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1628 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1769 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
1629 EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 1770 SSL3_RANDOM_SIZE);
1771 EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
1772 SSL3_RANDOM_SIZE);
1630 EVP_VerifyUpdate(&md_ctx, param, param_len); 1773 EVP_VerifyUpdate(&md_ctx, param, param_len);
1631 if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) { 1774 if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {
1632 /* bad signature */ 1775 /* bad signature */
1633 al = SSL_AD_DECRYPT_ERROR; 1776 al = SSL_AD_DECRYPT_ERROR;
1634 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE); 1777 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1778 SSL_R_BAD_SIGNATURE);
1635 goto f_err; 1779 goto f_err;
1636 } 1780 }
1637 } 1781 }
1638 } else { 1782 } else {
1639 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1783 /* aNULL or kPSK do not need public keys */
1640 /* aNULL or kPSK do not need public keys */ 1784 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) {
1641 { 1785 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1642 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1786 ERR_R_INTERNAL_ERROR);
1643 goto err; 1787 goto err;
1644 } 1788 }
1645 /* still data left over */ 1789 /* still data left over */
1646 if (n != 0) { 1790 if (n != 0) {
1647 al = SSL_AD_DECODE_ERROR; 1791 al = SSL_AD_DECODE_ERROR;
1648 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE); 1792 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1793 SSL_R_EXTRA_DATA_IN_MESSAGE);
1649 goto f_err; 1794 goto f_err;
1650 } 1795 }
1651 } 1796 }
1652 EVP_PKEY_free(pkey); 1797 EVP_PKEY_free(pkey);
1653 EVP_MD_CTX_cleanup(&md_ctx); 1798 EVP_MD_CTX_cleanup(&md_ctx);
1654 return (1); 1799 return (1);
1655f_err: 1800 f_err:
1656 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1801 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1657err: 1802 err:
1658 EVP_PKEY_free(pkey); 1803 EVP_PKEY_free(pkey);
1659 if (rsa != NULL) 1804 if (rsa != NULL)
1660 RSA_free(rsa); 1805 RSA_free(rsa);
@@ -1675,20 +1820,16 @@ err:
1675int 1820int
1676ssl3_get_certificate_request(SSL *s) 1821ssl3_get_certificate_request(SSL *s)
1677{ 1822{
1678 int ok, ret = 0; 1823 int ok, ret = 0;
1679 unsigned long n, nc, l; 1824 unsigned long n, nc, l;
1680 unsigned int llen, ctype_num, i; 1825 unsigned int llen, ctype_num, i;
1681 X509_NAME *xn = NULL; 1826 X509_NAME *xn = NULL;
1682 const unsigned char *p, *q; 1827 const unsigned char *p, *q;
1683 unsigned char *d; 1828 unsigned char *d;
1684 STACK_OF(X509_NAME) *ca_sk = NULL; 1829 STACK_OF(X509_NAME) *ca_sk = NULL;
1685 1830
1686 n = s->method->ssl_get_message(s, 1831 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A,
1687 SSL3_ST_CR_CERT_REQ_A, 1832 SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list, &ok);
1688 SSL3_ST_CR_CERT_REQ_B,
1689 -1,
1690 s->max_cert_list,
1691 &ok);
1692 1833
1693 if (!ok) 1834 if (!ok)
1694 return ((int)n); 1835 return ((int)n);
@@ -1697,7 +1838,8 @@ ssl3_get_certificate_request(SSL *s)
1697 1838
1698 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) { 1839 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
1699 s->s3->tmp.reuse_message = 1; 1840 s->s3->tmp.reuse_message = 1;
1700 /* If we get here we don't need any cached handshake records 1841 /*
1842 * If we get here we don't need any cached handshake records
1701 * as we wont be doing client auth. 1843 * as we wont be doing client auth.
1702 */ 1844 */
1703 if (s->s3->handshake_buffer) { 1845 if (s->s3->handshake_buffer) {
@@ -1709,15 +1851,18 @@ ssl3_get_certificate_request(SSL *s)
1709 1851
1710 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { 1852 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1711 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1853 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1712 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_WRONG_MESSAGE_TYPE); 1854 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1855 SSL_R_WRONG_MESSAGE_TYPE);
1713 goto err; 1856 goto err;
1714 } 1857 }
1715 1858
1716 /* TLS does not like anon-DH with client cert */ 1859 /* TLS does not like anon-DH with client cert */
1717 if (s->version > SSL3_VERSION) { 1860 if (s->version > SSL3_VERSION) {
1718 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) { 1861 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
1719 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1862 ssl3_send_alert(s, SSL3_AL_FATAL,
1720 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1863 SSL_AD_UNEXPECTED_MESSAGE);
1864 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1865 SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1721 goto err; 1866 goto err;
1722 } 1867 }
1723 } 1868 }
@@ -1725,7 +1870,8 @@ ssl3_get_certificate_request(SSL *s)
1725 p = d=(unsigned char *)s->init_msg; 1870 p = d=(unsigned char *)s->init_msg;
1726 1871
1727 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { 1872 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1728 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); 1873 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1874 ERR_R_MALLOC_FAILURE);
1729 goto err; 1875 goto err;
1730 } 1876 }
1731 1877
@@ -1743,12 +1889,14 @@ ssl3_get_certificate_request(SSL *s)
1743 */ 1889 */
1744 if ((unsigned long)(p - d + llen + 2) > n) { 1890 if ((unsigned long)(p - d + llen + 2) > n) {
1745 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1891 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1746 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_DATA_LENGTH_TOO_LONG); 1892 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1893 SSL_R_DATA_LENGTH_TOO_LONG);
1747 goto err; 1894 goto err;
1748 } 1895 }
1749 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) { 1896 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) {
1750 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1897 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1751 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_SIGNATURE_ALGORITHMS_ERROR); 1898 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1899 SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1752 goto err; 1900 goto err;
1753 } 1901 }
1754 p += llen; 1902 p += llen;
@@ -1759,7 +1907,8 @@ ssl3_get_certificate_request(SSL *s)
1759 1907
1760 if ((unsigned long)(p - d + llen) != n) { 1908 if ((unsigned long)(p - d + llen) != n) {
1761 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1909 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1762 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH); 1910 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1911 SSL_R_LENGTH_MISMATCH);
1763 goto err; 1912 goto err;
1764 } 1913 }
1765 1914
@@ -1769,7 +1918,8 @@ ssl3_get_certificate_request(SSL *s)
1769 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1918 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1770 goto cont; /* netscape bugs */ 1919 goto cont; /* netscape bugs */
1771 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1920 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1772 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG); 1921 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1922 SSL_R_CA_DN_TOO_LONG);
1773 goto err; 1923 goto err;
1774 } 1924 }
1775 1925
@@ -1780,19 +1930,23 @@ ssl3_get_certificate_request(SSL *s)
1780 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1930 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1781 goto cont; 1931 goto cont;
1782 else { 1932 else {
1783 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1933 ssl3_send_alert(s, SSL3_AL_FATAL,
1784 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB); 1934 SSL_AD_DECODE_ERROR);
1935 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1936 ERR_R_ASN1_LIB);
1785 goto err; 1937 goto err;
1786 } 1938 }
1787 } 1939 }
1788 1940
1789 if (q != (p + l)) { 1941 if (q != (p + l)) {
1790 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1942 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1791 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_LENGTH_MISMATCH); 1943 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1944 SSL_R_CA_DN_LENGTH_MISMATCH);
1792 goto err; 1945 goto err;
1793 } 1946 }
1794 if (!sk_X509_NAME_push(ca_sk, xn)) { 1947 if (!sk_X509_NAME_push(ca_sk, xn)) {
1795 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); 1948 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
1949 ERR_R_MALLOC_FAILURE);
1796 goto err; 1950 goto err;
1797 } 1951 }
1798 1952
@@ -1801,7 +1955,7 @@ ssl3_get_certificate_request(SSL *s)
1801 } 1955 }
1802 1956
1803 if (0) { 1957 if (0) {
1804cont: 1958 cont:
1805 ERR_clear_error(); 1959 ERR_clear_error();
1806 } 1960 }
1807 1961
@@ -1814,7 +1968,7 @@ cont:
1814 ca_sk = NULL; 1968 ca_sk = NULL;
1815 1969
1816 ret = 1; 1970 ret = 1;
1817err: 1971 err:
1818 if (ca_sk != NULL) 1972 if (ca_sk != NULL)
1819 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); 1973 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
1820 return (ret); 1974 return (ret);
@@ -1830,10 +1984,10 @@ ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1830int 1984int
1831ssl3_get_new_session_ticket(SSL *s) 1985ssl3_get_new_session_ticket(SSL *s)
1832{ 1986{
1833 int ok, al, ret = 0, ticklen; 1987 int ok, al, ret = 0, ticklen;
1834 long n; 1988 long n;
1835 const unsigned char *p; 1989 const unsigned char *p;
1836 unsigned char *d; 1990 unsigned char *d;
1837 1991
1838 n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, 1992 n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
1839 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok); 1993 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok);
@@ -1846,13 +2000,15 @@ ssl3_get_new_session_ticket(SSL *s)
1846 } 2000 }
1847 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) { 2001 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
1848 al = SSL_AD_UNEXPECTED_MESSAGE; 2002 al = SSL_AD_UNEXPECTED_MESSAGE;
1849 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_BAD_MESSAGE_TYPE); 2003 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
2004 SSL_R_BAD_MESSAGE_TYPE);
1850 goto f_err; 2005 goto f_err;
1851 } 2006 }
1852 if (n < 6) { 2007 if (n < 6) {
1853 /* need at least ticket_lifetime_hint + ticket length */ 2008 /* need at least ticket_lifetime_hint + ticket length */
1854 al = SSL_AD_DECODE_ERROR; 2009 al = SSL_AD_DECODE_ERROR;
1855 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH); 2010 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
2011 SSL_R_LENGTH_MISMATCH);
1856 goto f_err; 2012 goto f_err;
1857 } 2013 }
1858 2014
@@ -1862,7 +2018,8 @@ ssl3_get_new_session_ticket(SSL *s)
1862 /* ticket_lifetime_hint + ticket_length + ticket */ 2018 /* ticket_lifetime_hint + ticket_length + ticket */
1863 if (ticklen + 6 != n) { 2019 if (ticklen + 6 != n) {
1864 al = SSL_AD_DECODE_ERROR; 2020 al = SSL_AD_DECODE_ERROR;
1865 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH); 2021 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
2022 SSL_R_LENGTH_MISMATCH);
1866 goto f_err; 2023 goto f_err;
1867 } 2024 }
1868 if (s->session->tlsext_tick) { 2025 if (s->session->tlsext_tick) {
@@ -1871,12 +2028,14 @@ ssl3_get_new_session_ticket(SSL *s)
1871 } 2028 }
1872 s->session->tlsext_tick = malloc(ticklen); 2029 s->session->tlsext_tick = malloc(ticklen);
1873 if (!s->session->tlsext_tick) { 2030 if (!s->session->tlsext_tick) {
1874 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); 2031 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
2032 ERR_R_MALLOC_FAILURE);
1875 goto err; 2033 goto err;
1876 } 2034 }
1877 memcpy(s->session->tlsext_tick, p, ticklen); 2035 memcpy(s->session->tlsext_tick, p, ticklen);
1878 s->session->tlsext_ticklen = ticklen; 2036 s->session->tlsext_ticklen = ticklen;
1879 /* There are two ways to detect a resumed ticket sesion. 2037 /*
2038 * There are two ways to detect a resumed ticket sesion.
1880 * One is to set an appropriate session ID and then the server 2039 * One is to set an appropriate session ID and then the server
1881 * must return a match in ServerHello. This allows the normal 2040 * must return a match in ServerHello. This allows the normal
1882 * client session ID matching to work and we know much 2041 * client session ID matching to work and we know much
@@ -1891,23 +2050,22 @@ ssl3_get_new_session_ticket(SSL *s)
1891 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 2050 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
1892 * ticket. 2051 * ticket.
1893 */ 2052 */
1894 EVP_Digest(p, ticklen, 2053 EVP_Digest(p, ticklen, s->session->session_id,
1895 s->session->session_id, &s->session->session_id_length, 2054 &s->session->session_id_length, EVP_sha256(), NULL);
1896 EVP_sha256(), NULL);
1897 ret = 1; 2055 ret = 1;
1898 return (ret); 2056 return (ret);
1899f_err: 2057 f_err:
1900 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2058 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1901err: 2059 err:
1902 return (-1); 2060 return (-1);
1903} 2061}
1904 2062
1905int 2063int
1906ssl3_get_cert_status(SSL *s) 2064ssl3_get_cert_status(SSL *s)
1907{ 2065{
1908 int ok, al; 2066 int ok, al;
1909 unsigned long resplen, n; 2067 unsigned long resplen, n;
1910 const unsigned char *p; 2068 const unsigned char *p;
1911 2069
1912 n = s->method->ssl_get_message(s, 2070 n = s->method->ssl_get_message(s,
1913 SSL3_ST_CR_CERT_STATUS_A, 2071 SSL3_ST_CR_CERT_STATUS_A,
@@ -1921,19 +2079,22 @@ ssl3_get_cert_status(SSL *s)
1921 if (n < 4) { 2079 if (n < 4) {
1922 /* need at least status type + length */ 2080 /* need at least status type + length */
1923 al = SSL_AD_DECODE_ERROR; 2081 al = SSL_AD_DECODE_ERROR;
1924 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); 2082 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
2083 SSL_R_LENGTH_MISMATCH);
1925 goto f_err; 2084 goto f_err;
1926 } 2085 }
1927 p = (unsigned char *)s->init_msg; 2086 p = (unsigned char *)s->init_msg;
1928 if (*p++ != TLSEXT_STATUSTYPE_ocsp) { 2087 if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
1929 al = SSL_AD_DECODE_ERROR; 2088 al = SSL_AD_DECODE_ERROR;
1930 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE); 2089 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
2090 SSL_R_UNSUPPORTED_STATUS_TYPE);
1931 goto f_err; 2091 goto f_err;
1932 } 2092 }
1933 n2l3(p, resplen); 2093 n2l3(p, resplen);
1934 if (resplen + 4 != n) { 2094 if (resplen + 4 != n) {
1935 al = SSL_AD_DECODE_ERROR; 2095 al = SSL_AD_DECODE_ERROR;
1936 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); 2096 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
2097 SSL_R_LENGTH_MISMATCH);
1937 goto f_err; 2098 goto f_err;
1938 } 2099 }
1939 if (s->tlsext_ocsp_resp) 2100 if (s->tlsext_ocsp_resp)
@@ -1941,7 +2102,8 @@ ssl3_get_cert_status(SSL *s)
1941 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2102 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
1942 if (!s->tlsext_ocsp_resp) { 2103 if (!s->tlsext_ocsp_resp) {
1943 al = SSL_AD_INTERNAL_ERROR; 2104 al = SSL_AD_INTERNAL_ERROR;
1944 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE); 2105 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
2106 ERR_R_MALLOC_FAILURE);
1945 goto f_err; 2107 goto f_err;
1946 } 2108 }
1947 s->tlsext_ocsp_resplen = resplen; 2109 s->tlsext_ocsp_resplen = resplen;
@@ -1950,17 +2112,19 @@ ssl3_get_cert_status(SSL *s)
1950 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2112 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1951 if (ret == 0) { 2113 if (ret == 0) {
1952 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2114 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1953 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_INVALID_STATUS_RESPONSE); 2115 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
2116 SSL_R_INVALID_STATUS_RESPONSE);
1954 goto f_err; 2117 goto f_err;
1955 } 2118 }
1956 if (ret < 0) { 2119 if (ret < 0) {
1957 al = SSL_AD_INTERNAL_ERROR; 2120 al = SSL_AD_INTERNAL_ERROR;
1958 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE); 2121 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
2122 ERR_R_MALLOC_FAILURE);
1959 goto f_err; 2123 goto f_err;
1960 } 2124 }
1961 } 2125 }
1962 return 1; 2126 return 1;
1963f_err: 2127 f_err:
1964 ssl3_send_alert(s, SSL3_AL_FATAL, al); 2128 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1965 return (-1); 2129 return (-1);
1966} 2130}
@@ -1969,8 +2133,8 @@ f_err:
1969int 2133int
1970ssl3_get_server_done(SSL *s) 2134ssl3_get_server_done(SSL *s)
1971{ 2135{
1972 int ok, ret = 0; 2136 int ok, ret = 0;
1973 long n; 2137 long n;
1974 2138
1975 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A, 2139 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
1976 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, 2140 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
@@ -1981,7 +2145,8 @@ ssl3_get_server_done(SSL *s)
1981 if (n > 0) { 2145 if (n > 0) {
1982 /* should contain no data */ 2146 /* should contain no data */
1983 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 2147 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1984 SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH); 2148 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,
2149 SSL_R_LENGTH_MISMATCH);
1985 return -1; 2150 return -1;
1986 } 2151 }
1987 ret = 1; 2152 ret = 1;
@@ -1992,21 +2157,21 @@ ssl3_get_server_done(SSL *s)
1992int 2157int
1993ssl3_send_client_key_exchange(SSL *s) 2158ssl3_send_client_key_exchange(SSL *s)
1994{ 2159{
1995 unsigned char *p, *d; 2160 unsigned char *p, *d;
1996 int n; 2161 int n;
1997 unsigned long alg_k; 2162 unsigned long alg_k;
1998 unsigned char *q; 2163 unsigned char *q;
1999 EVP_PKEY *pkey = NULL; 2164 EVP_PKEY *pkey = NULL;
2000#ifndef OPENSSL_NO_KRB5 2165#ifndef OPENSSL_NO_KRB5
2001 KSSL_ERR kssl_err; 2166 KSSL_ERR kssl_err;
2002#endif /* OPENSSL_NO_KRB5 */ 2167#endif /* OPENSSL_NO_KRB5 */
2003#ifndef OPENSSL_NO_ECDH 2168#ifndef OPENSSL_NO_ECDH
2004 EC_KEY *clnt_ecdh = NULL; 2169 EC_KEY *clnt_ecdh = NULL;
2005 const EC_POINT *srvr_ecpoint = NULL; 2170 const EC_POINT *srvr_ecpoint = NULL;
2006 EVP_PKEY *srvr_pub_pkey = NULL; 2171 EVP_PKEY *srvr_pub_pkey = NULL;
2007 unsigned char *encodedPoint = NULL; 2172 unsigned char *encodedPoint = NULL;
2008 int encoded_pt_len = 0; 2173 int encoded_pt_len = 0;
2009 BN_CTX * bn_ctx = NULL; 2174 BN_CTX *bn_ctx = NULL;
2010#endif 2175#endif
2011 2176
2012 if (s->state == SSL3_ST_CW_KEY_EXCH_A) { 2177 if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
@@ -2022,11 +2187,15 @@ ssl3_send_client_key_exchange(SSL *s)
2022 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2187 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2023 rsa = s->session->sess_cert->peer_rsa_tmp; 2188 rsa = s->session->sess_cert->peer_rsa_tmp;
2024 else { 2189 else {
2025 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 2190 pkey = X509_get_pubkey(
2191 s->session->sess_cert->peer_pkeys[
2192 SSL_PKEY_RSA_ENC].x509);
2026 if ((pkey == NULL) || 2193 if ((pkey == NULL) ||
2027 (pkey->type != EVP_PKEY_RSA) || 2194 (pkey->type != EVP_PKEY_RSA) ||
2028 (pkey->pkey.rsa == NULL)) { 2195 (pkey->pkey.rsa == NULL)) {
2029 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2196 SSLerr(
2197 SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2198 ERR_R_INTERNAL_ERROR);
2030 goto err; 2199 goto err;
2031 } 2200 }
2032 rsa = pkey->pkey.rsa; 2201 rsa = pkey->pkey.rsa;
@@ -2047,7 +2216,8 @@ ssl3_send_client_key_exchange(SSL *s)
2047 n = RSA_public_encrypt(sizeof tmp_buf, 2216 n = RSA_public_encrypt(sizeof tmp_buf,
2048 tmp_buf, p, rsa, RSA_PKCS1_PADDING); 2217 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2049 if (n <= 0) { 2218 if (n <= 0) {
2050 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT); 2219 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2220 SSL_R_BAD_RSA_ENCRYPT);
2051 goto err; 2221 goto err;
2052 } 2222 }
2053 2223
@@ -2075,14 +2245,14 @@ ssl3_send_client_key_exchange(SSL *s)
2075 unsigned char iv[EVP_MAX_IV_LENGTH]; 2245 unsigned char iv[EVP_MAX_IV_LENGTH];
2076 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2246 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2077 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2247 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2078 + EVP_MAX_IV_LENGTH]; 2248 + EVP_MAX_IV_LENGTH];
2079 int padl, outl = sizeof(epms); 2249 int padl, outl = sizeof(epms);
2080 2250
2081 EVP_CIPHER_CTX_init(&ciph_ctx); 2251 EVP_CIPHER_CTX_init(&ciph_ctx);
2082 2252
2083#ifdef KSSL_DEBUG 2253#ifdef KSSL_DEBUG
2084 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2254 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2085 alg_k, SSL_kKRB5); 2255 alg_k, SSL_kKRB5);
2086#endif /* KSSL_DEBUG */ 2256#endif /* KSSL_DEBUG */
2087 2257
2088 authp = NULL; 2258 authp = NULL;
@@ -2100,44 +2270,46 @@ ssl3_send_client_key_exchange(SSL *s)
2100 { 2270 {
2101 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2271 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2102 if (krb5rc && kssl_err.text) 2272 if (krb5rc && kssl_err.text)
2103 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2273 printf("kssl_cget_tkt kssl_err=%s\n",
2274 kssl_err.text);
2104 } 2275 }
2105#endif /* KSSL_DEBUG */ 2276#endif /* KSSL_DEBUG */
2106 2277
2107 if (krb5rc) { 2278 if (krb5rc) {
2108 ssl3_send_alert(s, SSL3_AL_FATAL, 2279 ssl3_send_alert(s, SSL3_AL_FATAL,
2109 SSL_AD_HANDSHAKE_FAILURE); 2280 SSL_AD_HANDSHAKE_FAILURE);
2110 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2281 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2111 kssl_err.reason); 2282 kssl_err.reason);
2112 goto err; 2283 goto err;
2113 } 2284 }
2114 2285
2115 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2286 /*
2116 ** in place of RFC 2712 KerberosWrapper, as in: 2287 * 20010406 VRS - Earlier versions used KRB5 AP_REQ
2117 ** 2288 * in place of RFC 2712 KerberosWrapper, as in:
2118 ** Send ticket (copy to *p, set n = length) 2289 *
2119 ** n = krb5_ap_req.length; 2290 * Send ticket (copy to *p, set n = length)
2120 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2291 * n = krb5_ap_req.length;
2121 ** if (krb5_ap_req.data) 2292 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2122 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2293 * if (krb5_ap_req.data)
2123 ** 2294 * kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2124 ** Now using real RFC 2712 KerberosWrapper 2295 *
2125 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 2296 * Now using real RFC 2712 KerberosWrapper
2126 ** Note: 2712 "opaque" types are here replaced 2297 * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
2127 ** with a 2-byte length followed by the value. 2298 * Note: 2712 "opaque" types are here replaced
2128 ** Example: 2299 * with a 2-byte length followed by the value.
2129 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2300 * Example:
2130 ** Where "xx xx" = length bytes. Shown here with 2301 * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
2131 ** optional authenticator omitted. 2302 * Where "xx xx" = length bytes. Shown here with
2132 */ 2303 * optional authenticator omitted.
2133 2304 */
2134 /* KerberosWrapper.Ticket */ 2305
2306 /* KerberosWrapper.Ticket */
2135 s2n(enc_ticket->length, p); 2307 s2n(enc_ticket->length, p);
2136 memcpy(p, enc_ticket->data, enc_ticket->length); 2308 memcpy(p, enc_ticket->data, enc_ticket->length);
2137 p += enc_ticket->length; 2309 p += enc_ticket->length;
2138 n = enc_ticket->length + 2; 2310 n = enc_ticket->length + 2;
2139 2311
2140 /* KerberosWrapper.Authenticator */ 2312 /* KerberosWrapper.Authenticator */
2141 if (authp && authp->length) { 2313 if (authp && authp->length) {
2142 s2n(authp->length, p); 2314 s2n(authp->length, p);
2143 memcpy(p, authp->data, authp->length); 2315 memcpy(p, authp->data, authp->length);
@@ -2153,32 +2325,34 @@ ssl3_send_client_key_exchange(SSL *s)
2153 } 2325 }
2154 2326
2155 tmp_buf[0] = s->client_version >> 8; 2327 tmp_buf[0] = s->client_version >> 8;
2156 tmp_buf[1] = s->client_version&0xff; 2328 tmp_buf[1] = s->client_version & 0xff;
2157 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0) 2329 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2158 goto err; 2330 goto err;
2159 2331
2160 /* 20010420 VRS. Tried it this way; failed. 2332 /*
2161 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2333 * 20010420 VRS. Tried it this way; failed.
2162 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2334 * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2163 ** kssl_ctx->length); 2335 * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2164 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2336 * kssl_ctx->length);
2165 */ 2337 * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2338 */
2166 2339
2167 memset(iv, 0, sizeof iv); 2340 memset(iv, 0, sizeof iv);
2168 /* per RFC 1510 */ 2341 /* per RFC 1510 */
2169 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, 2342 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
2170 kssl_ctx->key, iv); 2343 kssl_ctx->key, iv);
2171 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf, 2344 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
2172 sizeof tmp_buf); 2345 sizeof tmp_buf);
2173 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl); 2346 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
2174 outl += padl; 2347 outl += padl;
2175 if (outl > (int)sizeof epms) { 2348 if (outl > (int)sizeof epms) {
2176 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2349 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2350 ERR_R_INTERNAL_ERROR);
2177 goto err; 2351 goto err;
2178 } 2352 }
2179 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2353 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2180 2354
2181 /* KerberosWrapper.EncryptedPreMasterSecret */ 2355 /* KerberosWrapper.EncryptedPreMasterSecret */
2182 s2n(outl, p); 2356 s2n(outl, p);
2183 memcpy(p, epms, outl); 2357 memcpy(p, epms, outl);
2184 p += outl; 2358 p += outl;
@@ -2198,50 +2372,58 @@ ssl3_send_client_key_exchange(SSL *s)
2198 DH *dh_srvr, *dh_clnt; 2372 DH *dh_srvr, *dh_clnt;
2199 2373
2200 if (s->session->sess_cert == NULL) { 2374 if (s->session->sess_cert == NULL) {
2201 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 2375 ssl3_send_alert(s, SSL3_AL_FATAL,
2202 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); 2376 SSL_AD_UNEXPECTED_MESSAGE);
2377 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2378 SSL_R_UNEXPECTED_MESSAGE);
2203 goto err; 2379 goto err;
2204 } 2380 }
2205 2381
2206 if (s->session->sess_cert->peer_dh_tmp != NULL) 2382 if (s->session->sess_cert->peer_dh_tmp != NULL)
2207 dh_srvr = s->session->sess_cert->peer_dh_tmp; 2383 dh_srvr = s->session->sess_cert->peer_dh_tmp;
2208 else { 2384 else {
2209 /* we get them from the cert */ 2385 /* We get them from the cert. */
2210 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2386 ssl3_send_alert(s, SSL3_AL_FATAL,
2211 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2387 SSL_AD_HANDSHAKE_FAILURE);
2388 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2389 SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2212 goto err; 2390 goto err;
2213 } 2391 }
2214 2392
2215 /* generate a new random key */ 2393 /* Generate a new random key. */
2216 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { 2394 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
2217 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 2395 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2396 ERR_R_DH_LIB);
2218 goto err; 2397 goto err;
2219 } 2398 }
2220 if (!DH_generate_key(dh_clnt)) { 2399 if (!DH_generate_key(dh_clnt)) {
2221 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 2400 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2401 ERR_R_DH_LIB);
2222 DH_free(dh_clnt); 2402 DH_free(dh_clnt);
2223 goto err; 2403 goto err;
2224 } 2404 }
2225 2405
2226 /* use the 'p' output buffer for the DH key, but 2406 /*
2227 * make sure to clear it out afterwards */ 2407 * Use the 'p' output buffer for the DH key, but
2228 2408 * make sure to clear it out afterwards.
2409 */
2229 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt); 2410 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
2230 2411
2231 if (n <= 0) { 2412 if (n <= 0) {
2232 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 2413 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2414 ERR_R_DH_LIB);
2233 DH_free(dh_clnt); 2415 DH_free(dh_clnt);
2234 goto err; 2416 goto err;
2235 } 2417 }
2236 2418
2237 /* generate master key from the result */ 2419 /* Generate master key from the result. */
2238 s->session->master_key_length = 2420 s->session->master_key_length =
2239 s->method->ssl3_enc->generate_master_secret(s, 2421 s->method->ssl3_enc->generate_master_secret(s,
2240 s->session->master_key, p, n); 2422 s->session->master_key, p, n);
2241 /* clean up */ 2423 /* Clean up. */
2242 memset(p, 0, n); 2424 memset(p, 0, n);
2243 2425
2244 /* send off the data */ 2426 /* Send off the data. */
2245 n = BN_num_bytes(dh_clnt->pub_key); 2427 n = BN_num_bytes(dh_clnt->pub_key);
2246 s2n(n, p); 2428 s2n(n, p);
2247 BN_bn2bin(dh_clnt->pub_key, p); 2429 BN_bn2bin(dh_clnt->pub_key, p);
@@ -2260,13 +2442,15 @@ ssl3_send_client_key_exchange(SSL *s)
2260 int ecdh_clnt_cert = 0; 2442 int ecdh_clnt_cert = 0;
2261 int field_size = 0; 2443 int field_size = 0;
2262 2444
2263 /* Did we send out the client's 2445 /*
2264 * ECDH share for use in premaster 2446 * Did we send out the client's ECDH share for use
2265 * computation as part of client certificate? 2447 * in premaster computation as part of client
2266 * If so, set ecdh_clnt_cert to 1. 2448 * certificate? If so, set ecdh_clnt_cert to 1.
2267 */ 2449 */
2268 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) { 2450 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) &&
2269 /* XXX: For now, we do not support client 2451 (s->cert != NULL)) {
2452 /*
2453 * XXX: For now, we do not support client
2270 * authentication using ECDH certificates. 2454 * authentication using ECDH certificates.
2271 * To add such support, one needs to add 2455 * To add such support, one needs to add
2272 * code that checks for appropriate 2456 * code that checks for appropriate
@@ -2294,10 +2478,11 @@ ssl3_send_client_key_exchange(SSL *s)
2294 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2478 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2295 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2479 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2296 if ((srvr_pub_pkey == NULL) || 2480 if ((srvr_pub_pkey == NULL) ||
2297 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2481 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2298 (srvr_pub_pkey->pkey.ec == NULL)) { 2482 (srvr_pub_pkey->pkey.ec == NULL)) {
2299 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2483 SSLerr(
2300 ERR_R_INTERNAL_ERROR); 2484 SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2485 ERR_R_INTERNAL_ERROR);
2301 goto err; 2486 goto err;
2302 } 2487 }
2303 2488
@@ -2309,21 +2494,24 @@ ssl3_send_client_key_exchange(SSL *s)
2309 2494
2310 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) { 2495 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
2311 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2496 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2312 ERR_R_INTERNAL_ERROR); 2497 ERR_R_INTERNAL_ERROR);
2313 goto err; 2498 goto err;
2314 } 2499 }
2315 2500
2316 if ((clnt_ecdh = EC_KEY_new()) == NULL) { 2501 if ((clnt_ecdh = EC_KEY_new()) == NULL) {
2317 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2502 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2503 ERR_R_MALLOC_FAILURE);
2318 goto err; 2504 goto err;
2319 } 2505 }
2320 2506
2321 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) { 2507 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
2322 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); 2508 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2509 ERR_R_EC_LIB);
2323 goto err; 2510 goto err;
2324 } 2511 }
2325 if (ecdh_clnt_cert) { 2512 if (ecdh_clnt_cert) {
2326 /* Reuse key info from our certificate 2513 /*
2514 * Reuse key info from our certificate
2327 * We only need our private key to perform 2515 * We only need our private key to perform
2328 * the ECDH computation. 2516 * the ECDH computation.
2329 */ 2517 */
@@ -2331,73 +2519,83 @@ ssl3_send_client_key_exchange(SSL *s)
2331 tkey = s->cert->key->privatekey->pkey.ec; 2519 tkey = s->cert->key->privatekey->pkey.ec;
2332 priv_key = EC_KEY_get0_private_key(tkey); 2520 priv_key = EC_KEY_get0_private_key(tkey);
2333 if (priv_key == NULL) { 2521 if (priv_key == NULL) {
2334 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2522 SSLerr(
2523 SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2524 ERR_R_MALLOC_FAILURE);
2335 goto err; 2525 goto err;
2336 } 2526 }
2337 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) { 2527 if (!EC_KEY_set_private_key(clnt_ecdh,
2338 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); 2528 priv_key)) {
2529 SSLerr(
2530 SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2531 ERR_R_EC_LIB);
2339 goto err; 2532 goto err;
2340 } 2533 }
2341 } else { 2534 } else {
2342 /* Generate a new ECDH key pair */ 2535 /* Generate a new ECDH key pair */
2343 if (!(EC_KEY_generate_key(clnt_ecdh))) { 2536 if (!(EC_KEY_generate_key(clnt_ecdh))) {
2344 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2537 SSLerr(
2538 SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2539 ERR_R_ECDH_LIB);
2345 goto err; 2540 goto err;
2346 } 2541 }
2347 } 2542 }
2348 2543
2349 /* use the 'p' output buffer for the ECDH key, but 2544 /*
2350 * make sure to clear it out afterwards 2545 * Use the 'p' output buffer for the ECDH key, but
2546 * make sure to clear it out afterwards.
2351 */ 2547 */
2352
2353 field_size = EC_GROUP_get_degree(srvr_group); 2548 field_size = EC_GROUP_get_degree(srvr_group);
2354 if (field_size <= 0) { 2549 if (field_size <= 0) {
2355 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2550 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2356 ERR_R_ECDH_LIB); 2551 ERR_R_ECDH_LIB);
2357 goto err; 2552 goto err;
2358 } 2553 }
2359 n = ECDH_compute_key(p, (field_size + 7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2554 n = ECDH_compute_key(p, (field_size + 7)/8,
2555 srvr_ecpoint, clnt_ecdh, NULL);
2360 if (n <= 0) { 2556 if (n <= 0) {
2361 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2557 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2362 ERR_R_ECDH_LIB); 2558 ERR_R_ECDH_LIB);
2363 goto err; 2559 goto err;
2364 } 2560 }
2365 2561
2366 /* generate master key from the result */ 2562 /* generate master key from the result */
2367 s->session->master_key_length = s->method->ssl3_enc \ 2563 s->session->master_key_length = s->method->ssl3_enc \
2368 -> generate_master_secret(s, 2564 -> generate_master_secret(s,
2369 s->session->master_key, 2565 s->session->master_key, p, n);
2370 p, n);
2371 2566
2372 memset(p, 0, n); /* clean up */ 2567 memset(p, 0, n); /* clean up */
2373 2568
2374 if (ecdh_clnt_cert) { 2569 if (ecdh_clnt_cert) {
2375 /* Send empty client key exch message */ 2570 /* Send empty client key exch message. */
2376 n = 0; 2571 n = 0;
2377 } else { 2572 } else {
2378 /* First check the size of encoding and 2573 /*
2574 * First check the size of encoding and
2379 * allocate memory accordingly. 2575 * allocate memory accordingly.
2380 */ 2576 */
2381 encoded_pt_len = 2577 encoded_pt_len = EC_POINT_point2oct(
2382 EC_POINT_point2oct(srvr_group, 2578 srvr_group,
2383 EC_KEY_get0_public_key(clnt_ecdh), 2579 EC_KEY_get0_public_key(clnt_ecdh),
2384 POINT_CONVERSION_UNCOMPRESSED, 2580 POINT_CONVERSION_UNCOMPRESSED,
2385 NULL, 0, NULL); 2581 NULL, 0, NULL);
2386 2582
2387 encodedPoint = malloc(encoded_pt_len); 2583 encodedPoint = malloc(encoded_pt_len);
2388 2584
2389 bn_ctx = BN_CTX_new(); 2585 bn_ctx = BN_CTX_new();
2390 if ((encodedPoint == NULL) || 2586 if ((encodedPoint == NULL) ||
2391 (bn_ctx == NULL)) { 2587 (bn_ctx == NULL)) {
2392 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 2588 SSLerr(
2589 SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2590 ERR_R_MALLOC_FAILURE);
2393 goto err; 2591 goto err;
2394 } 2592 }
2395 2593
2396 /* Encode the public key */ 2594 /* Encode the public key */
2397 n = EC_POINT_point2oct(srvr_group, 2595 n = EC_POINT_point2oct(srvr_group,
2398 EC_KEY_get0_public_key(clnt_ecdh), 2596 EC_KEY_get0_public_key(clnt_ecdh),
2399 POINT_CONVERSION_UNCOMPRESSED, 2597 POINT_CONVERSION_UNCOMPRESSED,
2400 encodedPoint, encoded_pt_len, bn_ctx); 2598 encodedPoint, encoded_pt_len, bn_ctx);
2401 2599
2402 *p = n; /* length of encoded point */ 2600 *p = n; /* length of encoded point */
2403 /* Encoded point will be copied here */ 2601 /* Encoded point will be copied here */
@@ -2427,61 +2625,80 @@ ssl3_send_client_key_exchange(SSL *s)
2427 size_t msglen; 2625 size_t msglen;
2428 unsigned int md_len; 2626 unsigned int md_len;
2429 int keytype; 2627 int keytype;
2430 unsigned char premaster_secret[32], shared_ukm[32], tmp[256]; 2628 unsigned char premaster_secret[32], shared_ukm[32],
2629 tmp[256];
2431 EVP_MD_CTX *ukm_hash; 2630 EVP_MD_CTX *ukm_hash;
2432 EVP_PKEY *pub_key; 2631 EVP_PKEY *pub_key;
2433 2632
2434 /* Get server sertificate PKEY and create ctx from it */ 2633 /* Get server sertificate PKEY and create ctx from it */
2435 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST01)].x509; 2634 peer_cert = s->session->sess_cert->peer_pkeys[(
2635 keytype = SSL_PKEY_GOST01)].x509;
2436 if (!peer_cert) 2636 if (!peer_cert)
2437 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST94)].x509; 2637 peer_cert = s->session->sess_cert->peer_pkeys[
2638 (keytype = SSL_PKEY_GOST94)].x509;
2438 if (!peer_cert) { 2639 if (!peer_cert) {
2439 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2640 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2641 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2440 goto err; 2642 goto err;
2441 } 2643 }
2442 2644
2443 pkey_ctx = EVP_PKEY_CTX_new(pub_key = X509_get_pubkey(peer_cert), NULL); 2645 pkey_ctx = EVP_PKEY_CTX_new(
2444 /* If we have send a certificate, and certificate key 2646 pub_key = X509_get_pubkey(peer_cert),
2445 2647 NULL);
2648 /*
2649 * If we have send a certificate, and certificate key
2446 * parameters match those of server certificate, use 2650 * parameters match those of server certificate, use
2447 * certificate key for key exchange 2651 * certificate key for key exchange.
2652 * Otherwise, generate ephemeral key pair.
2448 */ 2653 */
2449 2654
2450 /* Otherwise, generate ephemeral key pair */
2451
2452 EVP_PKEY_encrypt_init(pkey_ctx); 2655 EVP_PKEY_encrypt_init(pkey_ctx);
2453 /* Generate session key */ 2656 /* Generate session key. */
2454 RAND_bytes(premaster_secret, 32); 2657 RAND_bytes(premaster_secret, 32);
2455 /* If we have client certificate, use its secret as peer key */ 2658 /*
2659 * If we have client certificate, use its secret
2660 * as peer key.
2661 */
2456 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2662 if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2457 if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <=0) { 2663 if (EVP_PKEY_derive_set_peer(pkey_ctx,
2458 /* If there was an error - just ignore it. Ephemeral key 2664 s->cert->key->privatekey) <=0) {
2459 * would be used 2665 /*
2460 */ 2666 * If there was an error -
2667 * just ignore it. Ephemeral key
2668 * would be used
2669 */
2461 ERR_clear_error(); 2670 ERR_clear_error();
2462 } 2671 }
2463 } 2672 }
2464 /* Compute shared IV and store it in algorithm-specific 2673 /*
2465 * context data */ 2674 * Compute shared IV and store it in algorithm-specific
2675 * context data
2676 */
2466 ukm_hash = EVP_MD_CTX_create(); 2677 ukm_hash = EVP_MD_CTX_create();
2467 EVP_DigestInit(ukm_hash, EVP_get_digestbynid(NID_id_GostR3411_94)); 2678 EVP_DigestInit(ukm_hash,
2468 EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE); 2679 EVP_get_digestbynid(NID_id_GostR3411_94));
2469 EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE); 2680 EVP_DigestUpdate(ukm_hash,
2681 s->s3->client_random, SSL3_RANDOM_SIZE);
2682 EVP_DigestUpdate(ukm_hash,
2683 s->s3->server_random, SSL3_RANDOM_SIZE);
2470 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2684 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2471 EVP_MD_CTX_destroy(ukm_hash); 2685 EVP_MD_CTX_destroy(ukm_hash);
2472 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 2686 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
2473 8, shared_ukm) < 0) { 2687 EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
2474 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2688 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2475 SSL_R_LIBRARY_BUG); 2689 SSL_R_LIBRARY_BUG);
2476 goto err; 2690 goto err;
2477 } 2691 }
2478 /* Make GOST keytransport blob message */ 2692 /*
2479 /*Encapsulate it into sequence */ 2693 * Make GOST keytransport blob message,
2694 * encapsulate it into sequence.
2695 */
2480 *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2696 *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2481 msglen = 255; 2697 msglen = 255;
2482 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32) < 0) { 2698 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen,
2699 premaster_secret, 32) < 0) {
2483 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2700 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2484 SSL_R_LIBRARY_BUG); 2701 SSL_R_LIBRARY_BUG);
2485 goto err; 2702 goto err;
2486 } 2703 }
2487 if (msglen >= 0x80) { 2704 if (msglen >= 0x80) {
@@ -2493,16 +2710,17 @@ ssl3_send_client_key_exchange(SSL *s)
2493 n = msglen + 2; 2710 n = msglen + 2;
2494 } 2711 }
2495 memcpy(p, tmp, msglen); 2712 memcpy(p, tmp, msglen);
2496 /* Check if pubkey from client certificate was used */ 2713 /* Check if pubkey from client certificate was used. */
2497 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) { 2714 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
2498 /* Set flag "skip certificate verify" */ 2715 EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) {
2716 /* Set flag "skip certificate verify". */
2499 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2717 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2500 } 2718 }
2501 EVP_PKEY_CTX_free(pkey_ctx); 2719 EVP_PKEY_CTX_free(pkey_ctx);
2502 s->session->master_key_length = 2720 s->session->master_key_length =
2503 s->method->ssl3_enc->generate_master_secret(s, 2721 s->method->ssl3_enc->generate_master_secret(s,
2504 s->session->master_key, premaster_secret, 32); 2722 s->session->master_key, premaster_secret, 32);
2505 EVP_PKEY_free(pub_key); 2723 EVP_PKEY_free(pub_key);
2506 2724
2507 } 2725 }
2508#ifndef OPENSSL_NO_SRP 2726#ifndef OPENSSL_NO_SRP
@@ -2514,7 +2732,8 @@ ssl3_send_client_key_exchange(SSL *s)
2514 BN_bn2bin(s->srp_ctx.A, p); 2732 BN_bn2bin(s->srp_ctx.A, p);
2515 n += 2; 2733 n += 2;
2516 } else { 2734 } else {
2517 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2735 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2736 ERR_R_INTERNAL_ERROR);
2518 goto err; 2737 goto err;
2519 } 2738 }
2520 if (s->session->srp_username != NULL) 2739 if (s->session->srp_username != NULL)
@@ -2522,12 +2741,15 @@ ssl3_send_client_key_exchange(SSL *s)
2522 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2741 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2523 if (s->session->srp_username == NULL) { 2742 if (s->session->srp_username == NULL) {
2524 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2743 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2525 ERR_R_MALLOC_FAILURE); 2744 ERR_R_MALLOC_FAILURE);
2526 goto err; 2745 goto err;
2527 } 2746 }
2528 2747
2529 if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) { 2748 if ((s->session->master_key_length =
2530 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2749 SRP_generate_client_master_secret(s,
2750 s->session->master_key)) < 0) {
2751 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2752 ERR_R_INTERNAL_ERROR);
2531 goto err; 2753 goto err;
2532 } 2754 }
2533 } 2755 }
@@ -2543,27 +2765,29 @@ ssl3_send_client_key_exchange(SSL *s)
2543 n = 0; 2765 n = 0;
2544 if (s->psk_client_callback == NULL) { 2766 if (s->psk_client_callback == NULL) {
2545 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2767 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2546 SSL_R_PSK_NO_CLIENT_CB); 2768 SSL_R_PSK_NO_CLIENT_CB);
2547 goto err; 2769 goto err;
2548 } 2770 }
2549 2771
2550 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2772 psk_len = s->psk_client_callback(s,
2551 identity, PSK_MAX_IDENTITY_LEN, 2773 s->ctx->psk_identity_hint, identity,
2552 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2774 PSK_MAX_IDENTITY_LEN, psk_or_pre_ms,
2775 sizeof(psk_or_pre_ms));
2553 if (psk_len > PSK_MAX_PSK_LEN) { 2776 if (psk_len > PSK_MAX_PSK_LEN) {
2554 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2777 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2555 ERR_R_INTERNAL_ERROR); 2778 ERR_R_INTERNAL_ERROR);
2556 goto psk_err; 2779 goto psk_err;
2557 } else if (psk_len == 0) { 2780 } else if (psk_len == 0) {
2558 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2781 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2559 SSL_R_PSK_IDENTITY_NOT_FOUND); 2782 SSL_R_PSK_IDENTITY_NOT_FOUND);
2560 goto psk_err; 2783 goto psk_err;
2561 } 2784 }
2562 2785
2563 /* create PSK pre_master_secret */ 2786 /* create PSK pre_master_secret */
2564 pre_ms_len = 2 + psk_len + 2 + psk_len; 2787 pre_ms_len = 2 + psk_len + 2 + psk_len;
2565 t = psk_or_pre_ms; 2788 t = psk_or_pre_ms;
2566 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len); 2789 memmove(psk_or_pre_ms + psk_len + 4,
2790 psk_or_pre_ms, psk_len);
2567 s2n(psk_len, t); 2791 s2n(psk_len, t);
2568 memset(t, 0, psk_len); 2792 memset(t, 0, psk_len);
2569 t += psk_len; 2793 t += psk_len;
@@ -2571,11 +2795,12 @@ ssl3_send_client_key_exchange(SSL *s)
2571 2795
2572 if (s->session->psk_identity_hint != NULL) 2796 if (s->session->psk_identity_hint != NULL)
2573 free(s->session->psk_identity_hint); 2797 free(s->session->psk_identity_hint);
2574 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2798 s->session->psk_identity_hint =
2799 BUF_strdup(s->ctx->psk_identity_hint);
2575 if (s->ctx->psk_identity_hint != NULL && 2800 if (s->ctx->psk_identity_hint != NULL &&
2576 s->session->psk_identity_hint == NULL) { 2801 s->session->psk_identity_hint == NULL) {
2577 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2802 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2578 ERR_R_MALLOC_FAILURE); 2803 ERR_R_MALLOC_FAILURE);
2579 goto psk_err; 2804 goto psk_err;
2580 } 2805 }
2581 2806
@@ -2584,25 +2809,26 @@ ssl3_send_client_key_exchange(SSL *s)
2584 s->session->psk_identity = BUF_strdup(identity); 2809 s->session->psk_identity = BUF_strdup(identity);
2585 if (s->session->psk_identity == NULL) { 2810 if (s->session->psk_identity == NULL) {
2586 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2811 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2587 ERR_R_MALLOC_FAILURE); 2812 ERR_R_MALLOC_FAILURE);
2588 goto psk_err; 2813 goto psk_err;
2589 } 2814 }
2590 2815
2591 s->session->master_key_length = 2816 s->session->master_key_length =
2592 s->method->ssl3_enc->generate_master_secret( 2817 s->method->ssl3_enc->generate_master_secret(
2593 s, s->session->master_key, psk_or_pre_ms, 2818 s, s->session->master_key, psk_or_pre_ms,
2594 pre_ms_len); 2819 pre_ms_len);
2595 2820
2596 n = strlen(identity); 2821 n = strlen(identity);
2597 s2n(n, p); 2822 s2n(n, p);
2598 memcpy(p, identity, n); 2823 memcpy(p, identity, n);
2599 n += 2; 2824 n += 2;
2600 psk_err = 0; 2825 psk_err = 0;
2601 psk_err: 2826 psk_err:
2602 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2827 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2603 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2828 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2604 if (psk_err != 0) { 2829 if (psk_err != 0) {
2605 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2830 ssl3_send_alert(s, SSL3_AL_FATAL,
2831 SSL_AD_HANDSHAKE_FAILURE);
2606 goto err; 2832 goto err;
2607 } 2833 }
2608 } 2834 }
@@ -2626,7 +2852,7 @@ ssl3_send_client_key_exchange(SSL *s)
2626 2852
2627 /* SSL3_ST_CW_KEY_EXCH_B */ 2853 /* SSL3_ST_CW_KEY_EXCH_B */
2628 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 2854 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2629err: 2855 err:
2630#ifndef OPENSSL_NO_ECDH 2856#ifndef OPENSSL_NO_ECDH
2631 BN_CTX_free(bn_ctx); 2857 BN_CTX_free(bn_ctx);
2632 if (encodedPoint != NULL) 2858 if (encodedPoint != NULL)
@@ -2641,14 +2867,14 @@ err:
2641int 2867int
2642ssl3_send_client_verify(SSL *s) 2868ssl3_send_client_verify(SSL *s)
2643{ 2869{
2644 unsigned char *p, *d; 2870 unsigned char *p, *d;
2645 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 2871 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2646 EVP_PKEY *pkey; 2872 EVP_PKEY *pkey;
2647 EVP_PKEY_CTX *pctx = NULL; 2873 EVP_PKEY_CTX *pctx = NULL;
2648 EVP_MD_CTX mctx; 2874 EVP_MD_CTX mctx;
2649 unsigned u = 0; 2875 unsigned u = 0;
2650 unsigned long n; 2876 unsigned long n;
2651 int j; 2877 int j;
2652 2878
2653 EVP_MD_CTX_init(&mctx); 2879 EVP_MD_CTX_init(&mctx);
2654 2880
@@ -2656,18 +2882,21 @@ ssl3_send_client_verify(SSL *s)
2656 d = (unsigned char *)s->init_buf->data; 2882 d = (unsigned char *)s->init_buf->data;
2657 p = &(d[4]); 2883 p = &(d[4]);
2658 pkey = s->cert->key->privatekey; 2884 pkey = s->cert->key->privatekey;
2659/* Create context from key and test if sha1 is allowed as digest */ 2885 /*
2886 * Create context from key and test if sha1 is allowed as
2887 * digest.
2888 */
2660 pctx = EVP_PKEY_CTX_new(pkey, NULL); 2889 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2661 EVP_PKEY_sign_init(pctx); 2890 EVP_PKEY_sign_init(pctx);
2662 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) { 2891 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
2663 if (TLS1_get_version(s) < TLS1_2_VERSION) 2892 if (TLS1_get_version(s) < TLS1_2_VERSION)
2664 s->method->ssl3_enc->cert_verify_mac(s, 2893 s->method->ssl3_enc->cert_verify_mac(s,
2665 NID_sha1, 2894 NID_sha1, &(data[MD5_DIGEST_LENGTH]));
2666 &(data[MD5_DIGEST_LENGTH]));
2667 } else { 2895 } else {
2668 ERR_clear_error(); 2896 ERR_clear_error();
2669 } 2897 }
2670 /* For TLS v1.2 send signature algorithm and signature 2898 /*
2899 * For TLS v1.2 send signature algorithm and signature
2671 * using agreed digest and cached handshake records. 2900 * using agreed digest and cached handshake records.
2672 */ 2901 */
2673 if (TLS1_get_version(s) >= TLS1_2_VERSION) { 2902 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
@@ -2675,10 +2904,11 @@ ssl3_send_client_verify(SSL *s)
2675 void *hdata; 2904 void *hdata;
2676 const EVP_MD *md = s->cert->key->digest; 2905 const EVP_MD *md = s->cert->key->digest;
2677 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 2906 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2678 &hdata); 2907 &hdata);
2679 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) { 2908 if (hdatalen <= 0 ||
2909 !tls12_get_sigandhash(p, pkey, md)) {
2680 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2910 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2681 ERR_R_INTERNAL_ERROR); 2911 ERR_R_INTERNAL_ERROR);
2682 goto err; 2912 goto err;
2683 } 2913 }
2684 p += 2; 2914 p += 2;
@@ -2690,7 +2920,7 @@ ssl3_send_client_verify(SSL *s)
2690 !EVP_SignUpdate(&mctx, hdata, hdatalen) || 2920 !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
2691 !EVP_SignFinal(&mctx, p + 2, &u, pkey)) { 2921 !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
2692 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2922 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2693 ERR_R_EVP_LIB); 2923 ERR_R_EVP_LIB);
2694 goto err; 2924 goto err;
2695 } 2925 }
2696 s2n(u, p); 2926 s2n(u, p);
@@ -2704,7 +2934,8 @@ ssl3_send_client_verify(SSL *s)
2704 if (RSA_sign(NID_md5_sha1, data, 2934 if (RSA_sign(NID_md5_sha1, data,
2705 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]), 2935 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
2706 &u, pkey->pkey.rsa) <= 0 ) { 2936 &u, pkey->pkey.rsa) <= 0 ) {
2707 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB); 2937 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2938 ERR_R_RSA_LIB);
2708 goto err; 2939 goto err;
2709 } 2940 }
2710 s2n(u, p); 2941 s2n(u, p);
@@ -2715,7 +2946,8 @@ ssl3_send_client_verify(SSL *s)
2715 &(data[MD5_DIGEST_LENGTH]), 2946 &(data[MD5_DIGEST_LENGTH]),
2716 SHA_DIGEST_LENGTH, &(p[2]), 2947 SHA_DIGEST_LENGTH, &(p[2]),
2717 (unsigned int *)&j, pkey->pkey.dsa)) { 2948 (unsigned int *)&j, pkey->pkey.dsa)) {
2718 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB); 2949 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2950 ERR_R_DSA_LIB);
2719 goto err; 2951 goto err;
2720 } 2952 }
2721 s2n(j, p); 2953 s2n(j, p);
@@ -2728,23 +2960,24 @@ ssl3_send_client_verify(SSL *s)
2728 SHA_DIGEST_LENGTH, &(p[2]), 2960 SHA_DIGEST_LENGTH, &(p[2]),
2729 (unsigned int *)&j, pkey->pkey.ec)) { 2961 (unsigned int *)&j, pkey->pkey.ec)) {
2730 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2962 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2731 ERR_R_ECDSA_LIB); 2963 ERR_R_ECDSA_LIB);
2732 goto err; 2964 goto err;
2733 } 2965 }
2734 s2n(j, p); 2966 s2n(j, p);
2735 n = j + 2; 2967 n = j + 2;
2736 } else 2968 } else
2737#endif 2969#endif
2738 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) { 2970 if (pkey->type == NID_id_GostR3410_94 ||
2971 pkey->type == NID_id_GostR3410_2001) {
2739 unsigned char signbuf[64]; 2972 unsigned char signbuf[64];
2740 int i; 2973 int i;
2741 size_t sigsize = 64; 2974 size_t sigsize = 64;
2742 s->method->ssl3_enc->cert_verify_mac(s, 2975 s->method->ssl3_enc->cert_verify_mac(s,
2743 NID_id_GostR3411_94, 2976 NID_id_GostR3411_94, data);
2744 data); 2977 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32)
2745 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 2978 <= 0) {
2746 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2979 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2747 ERR_R_INTERNAL_ERROR); 2980 ERR_R_INTERNAL_ERROR);
2748 goto err; 2981 goto err;
2749 } 2982 }
2750 for (i = 63, j = 0; i >= 0; j++, i--) { 2983 for (i = 63, j = 0; i >= 0; j++, i--) {
@@ -2753,7 +2986,8 @@ ssl3_send_client_verify(SSL *s)
2753 s2n(j, p); 2986 s2n(j, p);
2754 n = j + 2; 2987 n = j + 2;
2755 } else { 2988 } else {
2756 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); 2989 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2990 ERR_R_INTERNAL_ERROR);
2757 goto err; 2991 goto err;
2758 } 2992 }
2759 *(d++) = SSL3_MT_CERTIFICATE_VERIFY; 2993 *(d++) = SSL3_MT_CERTIFICATE_VERIFY;
@@ -2766,7 +3000,7 @@ ssl3_send_client_verify(SSL *s)
2766 EVP_MD_CTX_cleanup(&mctx); 3000 EVP_MD_CTX_cleanup(&mctx);
2767 EVP_PKEY_CTX_free(pctx); 3001 EVP_PKEY_CTX_free(pctx);
2768 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); 3002 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2769err: 3003 err:
2770 EVP_MD_CTX_cleanup(&mctx); 3004 EVP_MD_CTX_cleanup(&mctx);
2771 EVP_PKEY_CTX_free(pctx); 3005 EVP_PKEY_CTX_free(pctx);
2772 return (-1); 3006 return (-1);
@@ -2775,10 +3009,10 @@ err:
2775int 3009int
2776ssl3_send_client_certificate(SSL *s) 3010ssl3_send_client_certificate(SSL *s)
2777{ 3011{
2778 X509 *x509 = NULL; 3012 X509 *x509 = NULL;
2779 EVP_PKEY *pkey = NULL; 3013 EVP_PKEY *pkey = NULL;
2780 int i; 3014 int i;
2781 unsigned long l; 3015 unsigned long l;
2782 3016
2783 if (s->state == SSL3_ST_CW_CERT_A) { 3017 if (s->state == SSL3_ST_CW_CERT_A) {
2784 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || 3018 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
@@ -2792,7 +3026,8 @@ ssl3_send_client_certificate(SSL *s)
2792 if (s->state == SSL3_ST_CW_CERT_B) { 3026 if (s->state == SSL3_ST_CW_CERT_B) {
2793 /* If we get an error, we need to 3027 /* If we get an error, we need to
2794 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 3028 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
2795 * We then get retied later */ 3029 * We then get retied later
3030 */
2796 i = ssl_do_client_cert_cb(s, &x509, &pkey); 3031 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2797 if (i < 0) { 3032 if (i < 0) {
2798 s->rwstate = SSL_X509_LOOKUP; 3033 s->rwstate = SSL_X509_LOOKUP;
@@ -2806,7 +3041,8 @@ ssl3_send_client_certificate(SSL *s)
2806 i = 0; 3041 i = 0;
2807 } else if (i == 1) { 3042 } else if (i == 1) {
2808 i = 0; 3043 i = 0;
2809 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 3044 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,
3045 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2810 } 3046 }
2811 3047
2812 if (x509 != NULL) 3048 if (x509 != NULL)
@@ -2816,7 +3052,8 @@ ssl3_send_client_certificate(SSL *s)
2816 if (i == 0) { 3052 if (i == 0) {
2817 if (s->version == SSL3_VERSION) { 3053 if (s->version == SSL3_VERSION) {
2818 s->s3->tmp.cert_req = 0; 3054 s->s3->tmp.cert_req = 0;
2819 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 3055 ssl3_send_alert(s, SSL3_AL_WARNING,
3056 SSL_AD_NO_CERTIFICATE);
2820 return (1); 3057 return (1);
2821 } else { 3058 } else {
2822 s->s3->tmp.cert_req = 2; 3059 s->s3->tmp.cert_req = 2;
@@ -2830,7 +3067,7 @@ ssl3_send_client_certificate(SSL *s)
2830 if (s->state == SSL3_ST_CW_CERT_C) { 3067 if (s->state == SSL3_ST_CW_CERT_C) {
2831 s->state = SSL3_ST_CW_CERT_D; 3068 s->state = SSL3_ST_CW_CERT_D;
2832 l = ssl3_output_cert_chain(s, 3069 l = ssl3_output_cert_chain(s,
2833 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509); 3070 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
2834 s->init_num = (int)l; 3071 s->init_num = (int)l;
2835 s->init_off = 0; 3072 s->init_off = 0;
2836 } 3073 }
@@ -2843,25 +3080,26 @@ ssl3_send_client_certificate(SSL *s)
2843int 3080int
2844ssl3_check_cert_and_algorithm(SSL *s) 3081ssl3_check_cert_and_algorithm(SSL *s)
2845{ 3082{
2846 int i, idx; 3083 int i, idx;
2847 long alg_k, alg_a; 3084 long alg_k, alg_a;
2848 EVP_PKEY *pkey = NULL; 3085 EVP_PKEY *pkey = NULL;
2849 SESS_CERT *sc; 3086 SESS_CERT *sc;
2850 RSA *rsa; 3087 RSA *rsa;
2851#ifndef OPENSSL_NO_DH 3088#ifndef OPENSSL_NO_DH
2852 DH *dh; 3089 DH *dh;
2853#endif 3090#endif
2854 3091
2855 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 3092 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2856 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 3093 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2857 3094
2858 /* we don't have a certificate */ 3095 /* We don't have a certificate. */
2859 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 3096 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
2860 return (1); 3097 return (1);
2861 3098
2862 sc = s->session->sess_cert; 3099 sc = s->session->sess_cert;
2863 if (sc == NULL) { 3100 if (sc == NULL) {
2864 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); 3101 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3102 ERR_R_INTERNAL_ERROR);
2865 goto err; 3103 goto err;
2866 } 3104 }
2867 3105
@@ -2870,15 +3108,16 @@ ssl3_check_cert_and_algorithm(SSL *s)
2870 dh = s->session->sess_cert->peer_dh_tmp; 3108 dh = s->session->sess_cert->peer_dh_tmp;
2871#endif 3109#endif
2872 3110
2873 /* This is the passed certificate */ 3111 /* This is the passed certificate. */
2874 3112
2875 idx = sc->peer_cert_type; 3113 idx = sc->peer_cert_type;
2876#ifndef OPENSSL_NO_ECDH 3114#ifndef OPENSSL_NO_ECDH
2877 if (idx == SSL_PKEY_ECC) { 3115 if (idx == SSL_PKEY_ECC) {
2878 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 3116 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2879 s) == 0) 3117 s) == 0)
2880 { /* check failed */ 3118 { /* check failed */
2881 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT); 3119 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3120 SSL_R_BAD_ECC_CERT);
2882 goto f_err; 3121 goto f_err;
2883 } else { 3122 } else {
2884 return 1; 3123 return 1;
@@ -2892,59 +3131,71 @@ ssl3_check_cert_and_algorithm(SSL *s)
2892 3131
2893 /* Check that we have a certificate if we require one */ 3132 /* Check that we have a certificate if we require one */
2894 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) { 3133 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
2895 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT); 3134 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3135 SSL_R_MISSING_RSA_SIGNING_CERT);
2896 goto f_err; 3136 goto f_err;
2897 } 3137 }
2898 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) { 3138 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
2899 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT); 3139 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3140 SSL_R_MISSING_DSA_SIGNING_CERT);
2900 goto f_err; 3141 goto f_err;
2901 } 3142 }
2902 if ((alg_k & SSL_kRSA) && 3143 if ((alg_k & SSL_kRSA) &&
2903 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { 3144 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
2904 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT); 3145 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3146 SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2905 goto f_err; 3147 goto f_err;
2906 } 3148 }
2907#ifndef OPENSSL_NO_DH 3149#ifndef OPENSSL_NO_DH
2908 if ((alg_k & SSL_kEDH) && 3150 if ((alg_k & SSL_kEDH) &&
2909 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { 3151 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
2910 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY); 3152 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3153 SSL_R_MISSING_DH_KEY);
2911 goto f_err; 3154 goto f_err;
2912 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) { 3155 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
2913 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT); 3156 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3157 SSL_R_MISSING_DH_RSA_CERT);
2914 goto f_err; 3158 goto f_err;
2915 } 3159 }
2916 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) { 3160 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
2917 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT); 3161 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3162 SSL_R_MISSING_DH_DSA_CERT);
2918 goto f_err; 3163 goto f_err;
2919 } 3164 }
2920#endif 3165#endif
2921 3166
2922 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { 3167 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
3168 !has_bits(i, EVP_PKT_EXP)) {
2923 if (alg_k & SSL_kRSA) { 3169 if (alg_k & SSL_kRSA) {
2924 if (rsa == NULL || 3170 if (rsa == NULL || RSA_size(rsa) * 8 >
2925 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { 3171 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
2926 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_RSA_KEY); 3172 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3173 SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
2927 goto f_err; 3174 goto f_err;
2928 } 3175 }
2929 } else 3176 } else
2930#ifndef OPENSSL_NO_DH 3177#ifndef OPENSSL_NO_DH
2931 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { 3178 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2932 if (dh == NULL || 3179 if (dh == NULL || DH_size(dh) * 8 >
2933 DH_size(dh) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { 3180 SSL_C_EXPORT_PKEYLENGTH(
2934 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_DH_KEY); 3181 s->s3->tmp.new_cipher)) {
3182 SSLerr(
3183 SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3184 SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3185 goto f_err;
3186 }
3187 } else
3188#endif
3189 {
3190 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3191 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2935 goto f_err; 3192 goto f_err;
2936 } 3193 }
2937 } else
2938#endif
2939 {
2940 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
2941 goto f_err;
2942 }
2943 } 3194 }
2944 return (1); 3195 return (1);
2945f_err: 3196 f_err:
2946 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 3197 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2947err: 3198 err:
2948 return (0); 3199 return (0);
2949} 3200}
2950 3201
@@ -2952,8 +3203,8 @@ err:
2952int 3203int
2953ssl3_send_next_proto(SSL *s) 3204ssl3_send_next_proto(SSL *s)
2954{ 3205{
2955 unsigned int len, padding_len; 3206 unsigned int len, padding_len;
2956 unsigned char *d; 3207 unsigned char *d;
2957 3208
2958 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) { 3209 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
2959 len = s->next_proto_negotiated_len; 3210 len = s->next_proto_negotiated_len;
@@ -2974,7 +3225,8 @@ ssl3_send_next_proto(SSL *s)
2974} 3225}
2975#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 3226#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
2976 3227
2977/* Check to see if handshake is full or resumed. Usually this is just a 3228/*
3229 * Check to see if handshake is full or resumed. Usually this is just a
2978 * case of checking to see if a cache hit has occurred. In the case of 3230 * case of checking to see if a cache hit has occurred. In the case of
2979 * session tickets we have to check the next message to be sure. 3231 * session tickets we have to check the next message to be sure.
2980 */ 3232 */
@@ -2983,8 +3235,9 @@ ssl3_send_next_proto(SSL *s)
2983int 3235int
2984ssl3_check_finished(SSL *s) 3236ssl3_check_finished(SSL *s)
2985{ 3237{
2986 int ok; 3238 int ok;
2987 long n; 3239 long n;
3240
2988 /* If we have no ticket it cannot be a resumed session. */ 3241 /* If we have no ticket it cannot be a resumed session. */
2989 if (!s->session->tlsext_tick) 3242 if (!s->session->tlsext_tick)
2990 return 1; 3243 return 1;
@@ -3006,7 +3259,8 @@ ssl3_check_finished(SSL *s)
3006int 3259int
3007ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3260ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3008{ 3261{
3009 int i = 0; 3262 int i = 0;
3263
3010#ifndef OPENSSL_NO_ENGINE 3264#ifndef OPENSSL_NO_ENGINE
3011 if (s->ctx->client_cert_engine) { 3265 if (s->ctx->client_cert_engine) {
3012 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3266 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 08:20:25 +0000