summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjsing <>2014-04-14 16:43:25 +0000
committerjsing <>2014-04-14 16:43:25 +0000
commit9ed612cec343ccff3513e7cf2e37938164df6b5b (patch)
tree5a919c79a7dcee39aad6ec4645d9dcecba40cfb0 /src
parent3779c39bff8e2ae1adcc6f1324eb388d0bd49a15 (diff)
downloadopenbsd-9ed612cec343ccff3513e7cf2e37938164df6b5b.tar.gz
openbsd-9ed612cec343ccff3513e7cf2e37938164df6b5b.tar.bz2
openbsd-9ed612cec343ccff3513e7cf2e37938164df6b5b.zip
First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using tr and md5.
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_clnt.c3329
-rw-r--r--src/lib/libssl/s3_srvr.c3489
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c3329
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c3489
4 files changed, 6272 insertions, 7364 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 64e7be8d67..b9ca6b6f9b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -168,62 +168,60 @@
168#endif 168#endif
169 169
170static const SSL_METHOD *ssl3_get_client_method(int ver); 170static const SSL_METHOD *ssl3_get_client_method(int ver);
171static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 171static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
172 172
173static const SSL_METHOD *ssl3_get_client_method(int ver) 173static const SSL_METHOD
174 { 174*ssl3_get_client_method(int ver)
175{
175 if (ver == SSL3_VERSION) 176 if (ver == SSL3_VERSION)
176 return(SSLv3_client_method()); 177 return (SSLv3_client_method());
177 else 178 else
178 return(NULL); 179 return (NULL);
179 } 180}
180 181
181IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
182 ssl_undefined_function, 183 ssl_undefined_function, ssl3_connect, ssl3_get_client_method)
183 ssl3_connect,
184 ssl3_get_client_method)
185 184
186int ssl3_connect(SSL *s) 185int
187 { 186ssl3_connect(SSL *s)
188 BUF_MEM *buf=NULL; 187{
189 unsigned long Time=(unsigned long)time(NULL); 188 BUF_MEM *buf = NULL;
190 void (*cb)(const SSL *ssl,int type,int val)=NULL; 189 unsigned long Time = (unsigned long)time(NULL);
191 int ret= -1; 190 void (*cb)(const SSL *ssl, int type, int val) = NULL;
192 int new_state,state,skip=0; 191 int ret = -1;
192 int new_state, state, skip = 0;
193 193
194 RAND_add(&Time,sizeof(Time),0); 194 RAND_add(&Time, sizeof(Time), 0);
195 ERR_clear_error(); 195 ERR_clear_error();
196 errno = 0; 196 errno = 0;
197 197
198 if (s->info_callback != NULL) 198 if (s->info_callback != NULL)
199 cb=s->info_callback; 199 cb = s->info_callback;
200 else if (s->ctx->info_callback != NULL) 200 else if (s->ctx->info_callback != NULL)
201 cb=s->ctx->info_callback; 201 cb = s->ctx->info_callback;
202 202
203 s->in_handshake++; 203 s->in_handshake++;
204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 204 if (!SSL_in_init(s) || SSL_in_before(s))
205 SSL_clear(s);
205 206
206#ifndef OPENSSL_NO_HEARTBEATS 207#ifndef OPENSSL_NO_HEARTBEATS
207 /* If we're awaiting a HeartbeatResponse, pretend we 208 /* If we're awaiting a HeartbeatResponse, pretend we
208 * already got and don't await it anymore, because 209 * already got and don't await it anymore, because
209 * Heartbeats don't make sense during handshakes anyway. 210 * Heartbeats don't make sense during handshakes anyway.
210 */ 211 */
211 if (s->tlsext_hb_pending) 212 if (s->tlsext_hb_pending) {
212 {
213 s->tlsext_hb_pending = 0; 213 s->tlsext_hb_pending = 0;
214 s->tlsext_hb_seq++; 214 s->tlsext_hb_seq++;
215 } 215 }
216#endif 216#endif
217 217
218 for (;;) 218 for (;;) {
219 { 219 state = s->state;
220 state=s->state;
221 220
222 switch(s->state) 221 switch (s->state) {
223 {
224 case SSL_ST_RENEGOTIATE: 222 case SSL_ST_RENEGOTIATE:
225 s->renegotiate=1; 223 s->renegotiate = 1;
226 s->state=SSL_ST_CONNECT; 224 s->state = SSL_ST_CONNECT;
227 s->ctx->stats.sess_connect_renegotiate++; 225 s->ctx->stats.sess_connect_renegotiate++;
228 /* break */ 226 /* break */
229 case SSL_ST_BEFORE: 227 case SSL_ST_BEFORE:
@@ -231,173 +229,172 @@ int ssl3_connect(SSL *s)
231 case SSL_ST_BEFORE|SSL_ST_CONNECT: 229 case SSL_ST_BEFORE|SSL_ST_CONNECT:
232 case SSL_ST_OK|SSL_ST_CONNECT: 230 case SSL_ST_OK|SSL_ST_CONNECT:
233 231
234 s->server=0; 232 s->server = 0;
235 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 233 if (cb != NULL)
234 cb(s, SSL_CB_HANDSHAKE_START, 1);
236 235
237 if ((s->version & 0xff00 ) != 0x0300) 236 if ((s->version & 0xff00 ) != 0x0300) {
238 {
239 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 237 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
240 ret = -1; 238 ret = -1;
241 goto end; 239 goto end;
242 } 240 }
243 241
244 /* s->version=SSL3_VERSION; */ 242 /* s->version=SSL3_VERSION; */
245 s->type=SSL_ST_CONNECT; 243 s->type = SSL_ST_CONNECT;
246 244
247 if (s->init_buf == NULL) 245 if (s->init_buf == NULL) {
248 { 246 if ((buf = BUF_MEM_new()) == NULL) {
249 if ((buf=BUF_MEM_new()) == NULL) 247 ret = -1;
250 {
251 ret= -1;
252 goto end; 248 goto end;
253 } 249 }
254 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 250 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
255 { 251 ret = -1;
256 ret= -1;
257 goto end; 252 goto end;
258 }
259 s->init_buf=buf;
260 buf=NULL;
261 } 253 }
254 s->init_buf = buf;
255 buf = NULL;
256 }
262 257
263 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 258 if (!ssl3_setup_buffers(s)) {
259 ret = -1;
260 goto end;
261 }
264 262
265 /* setup buffing BIO */ 263 /* setup buffing BIO */
266 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 264 if (!ssl_init_wbio_buffer(s, 0)) {
265 ret = -1;
266 goto end;
267 }
267 268
268 /* don't push the buffering BIO quite yet */ 269 /* don't push the buffering BIO quite yet */
269 270
270 ssl3_init_finished_mac(s); 271 ssl3_init_finished_mac(s);
271 272
272 s->state=SSL3_ST_CW_CLNT_HELLO_A; 273 s->state = SSL3_ST_CW_CLNT_HELLO_A;
273 s->ctx->stats.sess_connect++; 274 s->ctx->stats.sess_connect++;
274 s->init_num=0; 275 s->init_num = 0;
275 break; 276 break;
276 277
277 case SSL3_ST_CW_CLNT_HELLO_A: 278 case SSL3_ST_CW_CLNT_HELLO_A:
278 case SSL3_ST_CW_CLNT_HELLO_B: 279 case SSL3_ST_CW_CLNT_HELLO_B:
279 280
280 s->shutdown=0; 281 s->shutdown = 0;
281 ret=ssl3_client_hello(s); 282 ret = ssl3_client_hello(s);
282 if (ret <= 0) goto end; 283 if (ret <= 0)
283 s->state=SSL3_ST_CR_SRVR_HELLO_A; 284 goto end;
284 s->init_num=0; 285 s->state = SSL3_ST_CR_SRVR_HELLO_A;
286 s->init_num = 0;
285 287
286 /* turn on buffering for the next lot of output */ 288 /* turn on buffering for the next lot of output */
287 if (s->bbio != s->wbio) 289 if (s->bbio != s->wbio)
288 s->wbio=BIO_push(s->bbio,s->wbio); 290 s->wbio = BIO_push(s->bbio, s->wbio);
289 291
290 break; 292 break;
291 293
292 case SSL3_ST_CR_SRVR_HELLO_A: 294 case SSL3_ST_CR_SRVR_HELLO_A:
293 case SSL3_ST_CR_SRVR_HELLO_B: 295 case SSL3_ST_CR_SRVR_HELLO_B:
294 ret=ssl3_get_server_hello(s); 296 ret = ssl3_get_server_hello(s);
295 if (ret <= 0) goto end; 297 if (ret <= 0)
298 goto end;
296 299
297 if (s->hit) 300 if (s->hit) {
298 { 301 s->state = SSL3_ST_CR_FINISHED_A;
299 s->state=SSL3_ST_CR_FINISHED_A;
300#ifndef OPENSSL_NO_TLSEXT 302#ifndef OPENSSL_NO_TLSEXT
301 if (s->tlsext_ticket_expected) 303 if (s->tlsext_ticket_expected) {
302 {
303 /* receive renewed session ticket */ 304 /* receive renewed session ticket */
304 s->state=SSL3_ST_CR_SESSION_TICKET_A; 305 s->state = SSL3_ST_CR_SESSION_TICKET_A;
305 }
306#endif
307 } 306 }
308 else 307#endif
309 s->state=SSL3_ST_CR_CERT_A; 308 } else
310 s->init_num=0; 309 s->state = SSL3_ST_CR_CERT_A;
310 s->init_num = 0;
311 break; 311 break;
312 312
313 case SSL3_ST_CR_CERT_A: 313 case SSL3_ST_CR_CERT_A:
314 case SSL3_ST_CR_CERT_B: 314 case SSL3_ST_CR_CERT_B:
315#ifndef OPENSSL_NO_TLSEXT 315#ifndef OPENSSL_NO_TLSEXT
316 ret=ssl3_check_finished(s); 316 ret = ssl3_check_finished(s);
317 if (ret <= 0) goto end; 317 if (ret <= 0)
318 if (ret == 2) 318 goto end;
319 { 319 if (ret == 2) {
320 s->hit = 1; 320 s->hit = 1;
321 if (s->tlsext_ticket_expected) 321 if (s->tlsext_ticket_expected)
322 s->state=SSL3_ST_CR_SESSION_TICKET_A; 322 s->state = SSL3_ST_CR_SESSION_TICKET_A;
323 else 323 else
324 s->state=SSL3_ST_CR_FINISHED_A; 324 s->state = SSL3_ST_CR_FINISHED_A;
325 s->init_num=0; 325 s->init_num = 0;
326 break; 326 break;
327 } 327 }
328#endif 328#endif
329 /* Check if it is anon DH/ECDH */ 329 /* Check if it is anon DH/ECDH */
330 /* or PSK */ 330 /* or PSK */
331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
333 { 333 ret = ssl3_get_server_certificate(s);
334 ret=ssl3_get_server_certificate(s); 334 if (ret <= 0)
335 if (ret <= 0) goto end; 335 goto end;
336#ifndef OPENSSL_NO_TLSEXT 336#ifndef OPENSSL_NO_TLSEXT
337 if (s->tlsext_status_expected) 337 if (s->tlsext_status_expected)
338 s->state=SSL3_ST_CR_CERT_STATUS_A; 338 s->state = SSL3_ST_CR_CERT_STATUS_A;
339 else 339 else
340 s->state=SSL3_ST_CR_KEY_EXCH_A; 340 s->state = SSL3_ST_CR_KEY_EXCH_A;
341 } 341 } else {
342 else
343 {
344 skip = 1; 342 skip = 1;
345 s->state=SSL3_ST_CR_KEY_EXCH_A; 343 s->state = SSL3_ST_CR_KEY_EXCH_A;
346 } 344 }
347#else 345#else
348 } 346 } else
349 else 347 skip = 1;
350 skip=1;
351 348
352 s->state=SSL3_ST_CR_KEY_EXCH_A; 349 s->state = SSL3_ST_CR_KEY_EXCH_A;
353#endif 350#endif
354 s->init_num=0; 351 s->init_num = 0;
355 break; 352 break;
356 353
357 case SSL3_ST_CR_KEY_EXCH_A: 354 case SSL3_ST_CR_KEY_EXCH_A:
358 case SSL3_ST_CR_KEY_EXCH_B: 355 case SSL3_ST_CR_KEY_EXCH_B:
359 ret=ssl3_get_key_exchange(s); 356 ret = ssl3_get_key_exchange(s);
360 if (ret <= 0) goto end; 357 if (ret <= 0)
361 s->state=SSL3_ST_CR_CERT_REQ_A; 358 goto end;
362 s->init_num=0; 359 s->state = SSL3_ST_CR_CERT_REQ_A;
360 s->init_num = 0;
363 361
364 /* at this point we check that we have the 362 /* at this point we check that we have the
365 * required stuff from the server */ 363 * required stuff from the server */
366 if (!ssl3_check_cert_and_algorithm(s)) 364 if (!ssl3_check_cert_and_algorithm(s)) {
367 { 365 ret = -1;
368 ret= -1;
369 goto end; 366 goto end;
370 } 367 }
371 break; 368 break;
372 369
373 case SSL3_ST_CR_CERT_REQ_A: 370 case SSL3_ST_CR_CERT_REQ_A:
374 case SSL3_ST_CR_CERT_REQ_B: 371 case SSL3_ST_CR_CERT_REQ_B:
375 ret=ssl3_get_certificate_request(s); 372 ret = ssl3_get_certificate_request(s);
376 if (ret <= 0) goto end; 373 if (ret <= 0)
377 s->state=SSL3_ST_CR_SRVR_DONE_A; 374 goto end;
378 s->init_num=0; 375 s->state = SSL3_ST_CR_SRVR_DONE_A;
376 s->init_num = 0;
379 break; 377 break;
380 378
381 case SSL3_ST_CR_SRVR_DONE_A: 379 case SSL3_ST_CR_SRVR_DONE_A:
382 case SSL3_ST_CR_SRVR_DONE_B: 380 case SSL3_ST_CR_SRVR_DONE_B:
383 ret=ssl3_get_server_done(s); 381 ret = ssl3_get_server_done(s);
384 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
385#ifndef OPENSSL_NO_SRP 384#ifndef OPENSSL_NO_SRP
386 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 385 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
387 { 386 if ((ret = SRP_Calc_A_param(s)) <= 0) {
388 if ((ret = SRP_Calc_A_param(s))<=0) 387 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
389 { 388 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
390 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
391 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
392 goto end; 389 goto end;
393 }
394 } 390 }
391 }
395#endif 392#endif
396 if (s->s3->tmp.cert_req) 393 if (s->s3->tmp.cert_req)
397 s->state=SSL3_ST_CW_CERT_A; 394 s->state = SSL3_ST_CW_CERT_A;
398 else 395 else
399 s->state=SSL3_ST_CW_KEY_EXCH_A; 396 s->state = SSL3_ST_CW_KEY_EXCH_A;
400 s->init_num=0; 397 s->init_num = 0;
401 398
402 break; 399 break;
403 400
@@ -405,16 +402,18 @@ int ssl3_connect(SSL *s)
405 case SSL3_ST_CW_CERT_B: 402 case SSL3_ST_CW_CERT_B:
406 case SSL3_ST_CW_CERT_C: 403 case SSL3_ST_CW_CERT_C:
407 case SSL3_ST_CW_CERT_D: 404 case SSL3_ST_CW_CERT_D:
408 ret=ssl3_send_client_certificate(s); 405 ret = ssl3_send_client_certificate(s);
409 if (ret <= 0) goto end; 406 if (ret <= 0)
410 s->state=SSL3_ST_CW_KEY_EXCH_A; 407 goto end;
411 s->init_num=0; 408 s->state = SSL3_ST_CW_KEY_EXCH_A;
409 s->init_num = 0;
412 break; 410 break;
413 411
414 case SSL3_ST_CW_KEY_EXCH_A: 412 case SSL3_ST_CW_KEY_EXCH_A:
415 case SSL3_ST_CW_KEY_EXCH_B: 413 case SSL3_ST_CW_KEY_EXCH_B:
416 ret=ssl3_send_client_key_exchange(s); 414 ret = ssl3_send_client_key_exchange(s);
417 if (ret <= 0) goto end; 415 if (ret <= 0)
416 goto end;
418 /* EAY EAY EAY need to check for DH fix cert 417 /* EAY EAY EAY need to check for DH fix cert
419 * sent back */ 418 * sent back */
420 /* For TLS, cert_req is set to 2, so a cert chain 419 /* For TLS, cert_req is set to 2, so a cert chain
@@ -426,170 +425,165 @@ int ssl3_connect(SSL *s)
426 * message when client's ECDH public key is sent 425 * message when client's ECDH public key is sent
427 * inside the client certificate. 426 * inside the client certificate.
428 */ 427 */
429 if (s->s3->tmp.cert_req == 1) 428 if (s->s3->tmp.cert_req == 1) {
430 { 429 s->state = SSL3_ST_CW_CERT_VRFY_A;
431 s->state=SSL3_ST_CW_CERT_VRFY_A; 430 } else {
432 } 431 s->state = SSL3_ST_CW_CHANGE_A;
433 else 432 s->s3->change_cipher_spec = 0;
434 { 433 }
435 s->state=SSL3_ST_CW_CHANGE_A; 434 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
436 s->s3->change_cipher_spec=0; 435 s->state = SSL3_ST_CW_CHANGE_A;
437 } 436 s->s3->change_cipher_spec = 0;
438 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 437 }
439 {
440 s->state=SSL3_ST_CW_CHANGE_A;
441 s->s3->change_cipher_spec=0;
442 }
443 438
444 s->init_num=0; 439 s->init_num = 0;
445 break; 440 break;
446 441
447 case SSL3_ST_CW_CERT_VRFY_A: 442 case SSL3_ST_CW_CERT_VRFY_A:
448 case SSL3_ST_CW_CERT_VRFY_B: 443 case SSL3_ST_CW_CERT_VRFY_B:
449 ret=ssl3_send_client_verify(s); 444 ret = ssl3_send_client_verify(s);
450 if (ret <= 0) goto end; 445 if (ret <= 0)
451 s->state=SSL3_ST_CW_CHANGE_A; 446 goto end;
452 s->init_num=0; 447 s->state = SSL3_ST_CW_CHANGE_A;
453 s->s3->change_cipher_spec=0; 448 s->init_num = 0;
449 s->s3->change_cipher_spec = 0;
454 break; 450 break;
455 451
456 case SSL3_ST_CW_CHANGE_A: 452 case SSL3_ST_CW_CHANGE_A:
457 case SSL3_ST_CW_CHANGE_B: 453 case SSL3_ST_CW_CHANGE_B:
458 ret=ssl3_send_change_cipher_spec(s, 454 ret = ssl3_send_change_cipher_spec(s,
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 455 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end; 456 if (ret <= 0)
457 goto end;
461 458
462#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 459#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
463 s->state=SSL3_ST_CW_FINISHED_A; 460 s->state = SSL3_ST_CW_FINISHED_A;
464#else 461#else
465 if (s->s3->next_proto_neg_seen) 462 if (s->s3->next_proto_neg_seen)
466 s->state=SSL3_ST_CW_NEXT_PROTO_A; 463 s->state = SSL3_ST_CW_NEXT_PROTO_A;
467 else 464 else
468 s->state=SSL3_ST_CW_FINISHED_A; 465 s->state = SSL3_ST_CW_FINISHED_A;
469#endif 466#endif
470 s->init_num=0; 467 s->init_num = 0;
471 468
472 s->session->cipher=s->s3->tmp.new_cipher; 469 s->session->cipher = s->s3->tmp.new_cipher;
473#ifdef OPENSSL_NO_COMP 470#ifdef OPENSSL_NO_COMP
474 s->session->compress_meth=0; 471 s->session->compress_meth = 0;
475#else 472#else
476 if (s->s3->tmp.new_compression == NULL) 473 if (s->s3->tmp.new_compression == NULL)
477 s->session->compress_meth=0; 474 s->session->compress_meth = 0;
478 else 475 else
479 s->session->compress_meth= 476 s->session->compress_meth =
480 s->s3->tmp.new_compression->id; 477 s->s3->tmp.new_compression->id;
481#endif 478#endif
482 if (!s->method->ssl3_enc->setup_key_block(s)) 479 if (!s->method->ssl3_enc->setup_key_block(s)) {
483 { 480 ret = -1;
484 ret= -1;
485 goto end; 481 goto end;
486 } 482 }
487 483
488 if (!s->method->ssl3_enc->change_cipher_state(s, 484 if (!s->method->ssl3_enc->change_cipher_state(s,
489 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 485 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
490 { 486 ret = -1;
491 ret= -1;
492 goto end; 487 goto end;
493 } 488 }
494 489
495 break; 490 break;
496 491
497#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 492#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
498 case SSL3_ST_CW_NEXT_PROTO_A: 493 case SSL3_ST_CW_NEXT_PROTO_A:
499 case SSL3_ST_CW_NEXT_PROTO_B: 494 case SSL3_ST_CW_NEXT_PROTO_B:
500 ret=ssl3_send_next_proto(s); 495 ret = ssl3_send_next_proto(s);
501 if (ret <= 0) goto end; 496 if (ret <= 0)
502 s->state=SSL3_ST_CW_FINISHED_A; 497 goto end;
498 s->state = SSL3_ST_CW_FINISHED_A;
503 break; 499 break;
504#endif 500#endif
505 501
506 case SSL3_ST_CW_FINISHED_A: 502 case SSL3_ST_CW_FINISHED_A:
507 case SSL3_ST_CW_FINISHED_B: 503 case SSL3_ST_CW_FINISHED_B:
508 ret=ssl3_send_finished(s, 504 ret = ssl3_send_finished(s,
509 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 505 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
510 s->method->ssl3_enc->client_finished_label, 506 s->method->ssl3_enc->client_finished_label,
511 s->method->ssl3_enc->client_finished_label_len); 507 s->method->ssl3_enc->client_finished_label_len);
512 if (ret <= 0) goto end; 508 if (ret <= 0)
513 s->state=SSL3_ST_CW_FLUSH; 509 goto end;
510 s->state = SSL3_ST_CW_FLUSH;
514 511
515 /* clear flags */ 512 /* clear flags */
516 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 513 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
517 if (s->hit) 514 if (s->hit) {
518 { 515 s->s3->tmp.next_state = SSL_ST_OK;
519 s->s3->tmp.next_state=SSL_ST_OK; 516 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
520 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 517 s->state = SSL_ST_OK;
521 {
522 s->state=SSL_ST_OK;
523 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 518 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
524 s->s3->delay_buf_pop_ret=0; 519 s->s3->delay_buf_pop_ret = 0;
525 }
526 } 520 }
527 else 521 } else {
528 {
529#ifndef OPENSSL_NO_TLSEXT 522#ifndef OPENSSL_NO_TLSEXT
530 /* Allow NewSessionTicket if ticket expected */ 523 /* Allow NewSessionTicket if ticket expected */
531 if (s->tlsext_ticket_expected) 524 if (s->tlsext_ticket_expected)
532 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 525 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
533 else 526 else
534#endif 527#endif
535 528
536 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 529 s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
537 } 530 }
538 s->init_num=0; 531 s->init_num = 0;
539 break; 532 break;
540 533
541#ifndef OPENSSL_NO_TLSEXT 534#ifndef OPENSSL_NO_TLSEXT
542 case SSL3_ST_CR_SESSION_TICKET_A: 535 case SSL3_ST_CR_SESSION_TICKET_A:
543 case SSL3_ST_CR_SESSION_TICKET_B: 536 case SSL3_ST_CR_SESSION_TICKET_B:
544 ret=ssl3_get_new_session_ticket(s); 537 ret = ssl3_get_new_session_ticket(s);
545 if (ret <= 0) goto end; 538 if (ret <= 0)
546 s->state=SSL3_ST_CR_FINISHED_A; 539 goto end;
547 s->init_num=0; 540 s->state = SSL3_ST_CR_FINISHED_A;
548 break; 541 s->init_num = 0;
542 break;
549 543
550 case SSL3_ST_CR_CERT_STATUS_A: 544 case SSL3_ST_CR_CERT_STATUS_A:
551 case SSL3_ST_CR_CERT_STATUS_B: 545 case SSL3_ST_CR_CERT_STATUS_B:
552 ret=ssl3_get_cert_status(s); 546 ret = ssl3_get_cert_status(s);
553 if (ret <= 0) goto end; 547 if (ret <= 0)
554 s->state=SSL3_ST_CR_KEY_EXCH_A; 548 goto end;
555 s->init_num=0; 549 s->state = SSL3_ST_CR_KEY_EXCH_A;
556 break; 550 s->init_num = 0;
551 break;
557#endif 552#endif
558 553
559 case SSL3_ST_CR_FINISHED_A: 554 case SSL3_ST_CR_FINISHED_A:
560 case SSL3_ST_CR_FINISHED_B: 555 case SSL3_ST_CR_FINISHED_B:
561 556
562 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 557 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
563 SSL3_ST_CR_FINISHED_B); 558 SSL3_ST_CR_FINISHED_B);
564 if (ret <= 0) goto end; 559 if (ret <= 0)
560 goto end;
565 561
566 if (s->hit) 562 if (s->hit)
567 s->state=SSL3_ST_CW_CHANGE_A; 563 s->state = SSL3_ST_CW_CHANGE_A;
568 else 564 else
569 s->state=SSL_ST_OK; 565 s->state = SSL_ST_OK;
570 s->init_num=0; 566 s->init_num = 0;
571 break; 567 break;
572 568
573 case SSL3_ST_CW_FLUSH: 569 case SSL3_ST_CW_FLUSH:
574 s->rwstate=SSL_WRITING; 570 s->rwstate = SSL_WRITING;
575 if (BIO_flush(s->wbio) <= 0) 571 if (BIO_flush(s->wbio) <= 0) {
576 { 572 ret = -1;
577 ret= -1;
578 goto end; 573 goto end;
579 } 574 }
580 s->rwstate=SSL_NOTHING; 575 s->rwstate = SSL_NOTHING;
581 s->state=s->s3->tmp.next_state; 576 s->state = s->s3->tmp.next_state;
582 break; 577 break;
583 578
584 case SSL_ST_OK: 579 case SSL_ST_OK:
585 /* clean a few things up */ 580 /* clean a few things up */
586 ssl3_cleanup_key_block(s); 581 ssl3_cleanup_key_block(s);
587 582
588 if (s->init_buf != NULL) 583 if (s->init_buf != NULL) {
589 {
590 BUF_MEM_free(s->init_buf); 584 BUF_MEM_free(s->init_buf);
591 s->init_buf=NULL; 585 s->init_buf = NULL;
592 } 586 }
593 587
594 /* If we are not 'joining' the last two packets, 588 /* If we are not 'joining' the last two packets,
595 * remove the buffering now */ 589 * remove the buffering now */
@@ -597,63 +591,63 @@ int ssl3_connect(SSL *s)
597 ssl_free_wbio_buffer(s); 591 ssl_free_wbio_buffer(s);
598 /* else do it later in ssl3_write */ 592 /* else do it later in ssl3_write */
599 593
600 s->init_num=0; 594 s->init_num = 0;
601 s->renegotiate=0; 595 s->renegotiate = 0;
602 s->new_session=0; 596 s->new_session = 0;
603 597
604 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 598 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
605 if (s->hit) s->ctx->stats.sess_hit++; 599 if (s->hit)
600 s->ctx->stats.sess_hit++;
606 601
607 ret=1; 602 ret = 1;
608 /* s->server=0; */ 603 /* s->server=0; */
609 s->handshake_func=ssl3_connect; 604 s->handshake_func = ssl3_connect;
610 s->ctx->stats.sess_connect_good++; 605 s->ctx->stats.sess_connect_good++;
611 606
612 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 607 if (cb != NULL)
608 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
613 609
614 goto end; 610 goto end;
615 /* break; */ 611 /* break; */
616 612
617 default: 613 default:
618 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 614 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE);
619 ret= -1; 615 ret = -1;
620 goto end; 616 goto end;
621 /* break; */ 617 /* break; */
622 } 618 }
623 619
624 /* did we do anything */ 620 /* did we do anything */
625 if (!s->s3->tmp.reuse_message && !skip) 621 if (!s->s3->tmp.reuse_message && !skip) {
626 { 622 if (s->debug) {
627 if (s->debug) 623 if ((ret = BIO_flush(s->wbio)) <= 0)
628 {
629 if ((ret=BIO_flush(s->wbio)) <= 0)
630 goto end; 624 goto end;
631 } 625 }
632 626
633 if ((cb != NULL) && (s->state != state)) 627 if ((cb != NULL) && (s->state != state)) {
634 { 628 new_state = s->state;
635 new_state=s->state; 629 s->state = state;
636 s->state=state; 630 cb(s, SSL_CB_CONNECT_LOOP, 1);
637 cb(s,SSL_CB_CONNECT_LOOP,1); 631 s->state = new_state;
638 s->state=new_state;
639 }
640 } 632 }
641 skip=0;
642 } 633 }
634 skip = 0;
635 }
643end: 636end:
644 s->in_handshake--; 637 s->in_handshake--;
645 if (buf != NULL) 638 if (buf != NULL)
646 BUF_MEM_free(buf); 639 BUF_MEM_free(buf);
647 if (cb != NULL) 640 if (cb != NULL)
648 cb(s,SSL_CB_CONNECT_EXIT,ret); 641 cb(s, SSL_CB_CONNECT_EXIT, ret);
649 return(ret); 642 return (ret);
650 } 643}
651 644
652 645
653int ssl3_client_hello(SSL *s) 646int
654 { 647ssl3_client_hello(SSL *s)
648{
655 unsigned char *buf; 649 unsigned char *buf;
656 unsigned char *p,*d; 650 unsigned char *p, *d;
657 int i; 651 int i;
658 unsigned long l; 652 unsigned long l;
659#ifndef OPENSSL_NO_COMP 653#ifndef OPENSSL_NO_COMP
@@ -661,31 +655,29 @@ int ssl3_client_hello(SSL *s)
661 SSL_COMP *comp; 655 SSL_COMP *comp;
662#endif 656#endif
663 657
664 buf=(unsigned char *)s->init_buf->data; 658 buf = (unsigned char *)s->init_buf->data;
665 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 659 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
666 {
667 SSL_SESSION *sess = s->session; 660 SSL_SESSION *sess = s->session;
668 if ((sess == NULL) || 661 if ((sess == NULL) ||
669 (sess->ssl_version != s->version) || 662 (sess->ssl_version != s->version) ||
670#ifdef OPENSSL_NO_TLSEXT 663#ifdef OPENSSL_NO_TLSEXT
671 !sess->session_id_length || 664 !sess->session_id_length ||
672#else 665#else
673 (!sess->session_id_length && !sess->tlsext_tick) || 666 (!sess->session_id_length && !sess->tlsext_tick) ||
674#endif 667#endif
675 (sess->not_resumable)) 668 (sess->not_resumable)) {
676 { 669 if (!ssl_get_new_session(s, 0))
677 if (!ssl_get_new_session(s,0))
678 goto err; 670 goto err;
679 } 671 }
680 /* else use the pre-loaded session */ 672 /* else use the pre-loaded session */
681 673
682 p=s->s3->client_random; 674 p = s->s3->client_random;
683 675
684 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 676 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
685 goto err; 677 goto err;
686 678
687 /* Do the message type and length last */ 679 /* Do the message type and length last */
688 d=p= &(buf[4]); 680 d = p= &(buf[4]);
689 681
690 /* version indicates the negotiated version: for example from 682 /* version indicates the negotiated version: for example from
691 * an SSLv2/v3 compatible client hello). The client_version 683 * an SSLv2/v3 compatible client hello). The client_version
@@ -717,562 +709,510 @@ int ssl3_client_hello(SSL *s)
717 * the negotiated version. 709 * the negotiated version.
718 */ 710 */
719#if 0 711#if 0
720 *(p++)=s->version>>8; 712 *(p++) = s->version >> 8;
721 *(p++)=s->version&0xff; 713 *(p++) = s->version&0xff;
722 s->client_version=s->version; 714 s->client_version = s->version;
723#else 715#else
724 *(p++)=s->client_version>>8; 716 *(p++) = s->client_version >> 8;
725 *(p++)=s->client_version&0xff; 717 *(p++) = s->client_version&0xff;
726#endif 718#endif
727 719
728 /* Random stuff */ 720 /* Random stuff */
729 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 721 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
730 p+=SSL3_RANDOM_SIZE; 722 p += SSL3_RANDOM_SIZE;
731 723
732 /* Session ID */ 724 /* Session ID */
733 if (s->new_session) 725 if (s->new_session)
734 i=0; 726 i = 0;
735 else 727 else
736 i=s->session->session_id_length; 728 i = s->session->session_id_length;
737 *(p++)=i; 729 *(p++) = i;
738 if (i != 0) 730 if (i != 0) {
739 { 731 if (i > (int)sizeof(s->session->session_id)) {
740 if (i > (int)sizeof(s->session->session_id))
741 {
742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 732 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
743 goto err; 733 goto err;
744 }
745 memcpy(p,s->session->session_id,i);
746 p+=i;
747 } 734 }
748 735 memcpy(p, s->session->session_id, i);
736 p += i;
737 }
738
749 /* Ciphers supported */ 739 /* Ciphers supported */
750 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 740 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0);
751 if (i == 0) 741 if (i == 0) {
752 { 742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
753 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
754 goto err; 743 goto err;
755 } 744 }
756#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 745#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
757 /* Some servers hang if client hello > 256 bytes 746 /* Some servers hang if client hello > 256 bytes
758 * as hack workaround chop number of supported ciphers 747 * as hack workaround chop number of supported ciphers
759 * to keep it well below this if we use TLS v1.2 748 * to keep it well below this if we use TLS v1.2
760 */ 749 */
761 if (TLS1_get_version(s) >= TLS1_2_VERSION 750 if (TLS1_get_version(s) >= TLS1_2_VERSION &&
762 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 751 i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
763 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 752 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
764#endif 753#endif
765 s2n(i,p); 754 s2n(i, p);
766 p+=i; 755 p += i;
767 756
768 /* COMPRESSION */ 757 /* COMPRESSION */
769#ifdef OPENSSL_NO_COMP 758#ifdef OPENSSL_NO_COMP
770 *(p++)=1; 759 *(p++) = 1;
771#else 760#else
772 761
773 if ((s->options & SSL_OP_NO_COMPRESSION) 762 if ((s->options & SSL_OP_NO_COMPRESSION) ||
774 || !s->ctx->comp_methods) 763 !s->ctx->comp_methods)
775 j=0; 764 j = 0;
776 else 765 else
777 j=sk_SSL_COMP_num(s->ctx->comp_methods); 766 j = sk_SSL_COMP_num(s->ctx->comp_methods);
778 *(p++)=1+j; 767 *(p++) = 1 + j;
779 for (i=0; i<j; i++) 768 for (i = 0; i < j; i++) {
780 { 769 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
781 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 770 *(p++) = comp->id;
782 *(p++)=comp->id; 771 }
783 }
784#endif 772#endif
785 *(p++)=0; /* Add the NULL method */ 773 *(p++) = 0; /* Add the NULL method */
786 774
787#ifndef OPENSSL_NO_TLSEXT 775#ifndef OPENSSL_NO_TLSEXT
788 /* TLS extensions*/ 776 /* TLS extensions*/
789 if (ssl_prepare_clienthello_tlsext(s) <= 0) 777 if (ssl_prepare_clienthello_tlsext(s) <= 0) {
790 { 778 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
791 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
792 goto err; 779 goto err;
793 } 780 }
794 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 781 if ((p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
795 { 782 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
796 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
797 goto err; 783 goto err;
798 } 784 }
799#endif 785#endif
800
801 l=(p-d);
802 d=buf;
803 *(d++)=SSL3_MT_CLIENT_HELLO;
804 l2n3(l,d);
805 786
806 s->state=SSL3_ST_CW_CLNT_HELLO_B; 787 l = (p - d);
788 d = buf;
789 *(d++) = SSL3_MT_CLIENT_HELLO;
790 l2n3(l, d);
791
792 s->state = SSL3_ST_CW_CLNT_HELLO_B;
807 /* number of bytes to write */ 793 /* number of bytes to write */
808 s->init_num=p-buf; 794 s->init_num = p - buf;
809 s->init_off=0; 795 s->init_off = 0;
810 } 796 }
811 797
812 /* SSL3_ST_CW_CLNT_HELLO_B */ 798 /* SSL3_ST_CW_CLNT_HELLO_B */
813 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 799 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
814err: 800err:
815 return(-1); 801 return (-1);
816 } 802}
817 803
818int ssl3_get_server_hello(SSL *s) 804int
819 { 805ssl3_get_server_hello(SSL *s)
806{
820 STACK_OF(SSL_CIPHER) *sk; 807 STACK_OF(SSL_CIPHER) *sk;
821 const SSL_CIPHER *c; 808 const SSL_CIPHER *c;
822 unsigned char *p,*d; 809 unsigned char *p, *d;
823 int i,al,ok; 810 int i, al, ok;
824 unsigned int j; 811 unsigned int j;
825 long n; 812 long n;
826#ifndef OPENSSL_NO_COMP 813#ifndef OPENSSL_NO_COMP
827 SSL_COMP *comp; 814 SSL_COMP *comp;
828#endif 815#endif
829 816
830 n=s->method->ssl_get_message(s, 817 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
831 SSL3_ST_CR_SRVR_HELLO_A, 818 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
832 SSL3_ST_CR_SRVR_HELLO_B,
833 -1,
834 20000, /* ?? */
835 &ok);
836 819
837 if (!ok) return((int)n); 820 if (!ok)
821 return ((int)n);
838 822
839 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 823 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) {
840 { 824 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
841 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 825 if (s->d1->send_cookie == 0) {
842 {
843 if ( s->d1->send_cookie == 0)
844 {
845 s->s3->tmp.reuse_message = 1; 826 s->s3->tmp.reuse_message = 1;
846 return 1; 827 return 1;
847 } 828 }
848 else /* already sent a cookie */ 829 else /* already sent a cookie */
849 { 830 {
850 al=SSL_AD_UNEXPECTED_MESSAGE; 831 al = SSL_AD_UNEXPECTED_MESSAGE;
851 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 832 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
852 goto f_err; 833 goto f_err;
853 }
854 } 834 }
855 } 835 }
856 836 }
857 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 837
858 { 838 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
859 al=SSL_AD_UNEXPECTED_MESSAGE; 839 al = SSL_AD_UNEXPECTED_MESSAGE;
860 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 840 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
861 goto f_err; 841 goto f_err;
862 } 842 }
863 843
864 d=p=(unsigned char *)s->init_msg; 844 d = p=(unsigned char *)s->init_msg;
865 845
866 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 846 if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
867 { 847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
868 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 848 s->version = (s->version&0xff00)|p[1];
869 s->version=(s->version&0xff00)|p[1]; 849 al = SSL_AD_PROTOCOL_VERSION;
870 al=SSL_AD_PROTOCOL_VERSION;
871 goto f_err; 850 goto f_err;
872 } 851 }
873 p+=2; 852 p += 2;
874 853
875 /* load the server hello data */ 854 /* load the server hello data */
876 /* load the server random */ 855 /* load the server random */
877 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 856 memcpy(s->s3->server_random, p, SSL3_RANDOM_SIZE);
878 p+=SSL3_RANDOM_SIZE; 857 p += SSL3_RANDOM_SIZE;
879 858
880 /* get the session-id */ 859 /* get the session-id */
881 j= *(p++); 860 j= *(p++);
882 861
883 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 862 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) {
884 { 863 al = SSL_AD_ILLEGAL_PARAMETER;
885 al=SSL_AD_ILLEGAL_PARAMETER; 864 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
886 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
887 goto f_err; 865 goto f_err;
888 } 866 }
889 867
890#ifndef OPENSSL_NO_TLSEXT 868#ifndef OPENSSL_NO_TLSEXT
891 /* check if we want to resume the session based on external pre-shared secret */ 869 /* check if we want to resume the session based on external pre-shared secret */
892 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 870 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
893 { 871 SSL_CIPHER *pref_cipher = NULL;
894 SSL_CIPHER *pref_cipher=NULL; 872 s->session->master_key_length = sizeof(s->session->master_key);
895 s->session->master_key_length=sizeof(s->session->master_key);
896 if (s->tls_session_secret_cb(s, s->session->master_key, 873 if (s->tls_session_secret_cb(s, s->session->master_key,
897 &s->session->master_key_length, 874 &s->session->master_key_length, NULL, &pref_cipher,
898 NULL, &pref_cipher, 875 s->tls_session_secret_cb_arg)) {
899 s->tls_session_secret_cb_arg))
900 {
901 s->session->cipher = pref_cipher ? 876 s->session->cipher = pref_cipher ?
902 pref_cipher : ssl_get_cipher_by_char(s, p+j); 877 pref_cipher : ssl_get_cipher_by_char(s, p + j);
903 }
904 } 878 }
879 }
905#endif /* OPENSSL_NO_TLSEXT */ 880#endif /* OPENSSL_NO_TLSEXT */
906 881
907 if (j != 0 && j == s->session->session_id_length 882 if (j != 0 && j == s->session->session_id_length &&
908 && memcmp(p,s->session->session_id,j) == 0) 883 memcmp(p, s->session->session_id, j) == 0) {
909 { 884 if (s->sid_ctx_length != s->session->sid_ctx_length ||
910 if(s->sid_ctx_length != s->session->sid_ctx_length 885 memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
911 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 886 /* actually a client application bug */
912 { 887 al = SSL_AD_ILLEGAL_PARAMETER;
913 /* actually a client application bug */ 888 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
914 al=SSL_AD_ILLEGAL_PARAMETER; 889 goto f_err;
915 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
916 goto f_err;
917 } 890 }
918 s->hit=1; 891 s->hit = 1;
919 } 892 }
920 else /* a miss or crap from the other end */ 893 else /* a miss or crap from the other end */
921 { 894 {
922 /* If we were trying for session-id reuse, make a new 895 /* If we were trying for session-id reuse, make a new
923 * SSL_SESSION so we don't stuff up other people */ 896 * SSL_SESSION so we don't stuff up other people */
924 s->hit=0; 897 s->hit = 0;
925 if (s->session->session_id_length > 0) 898 if (s->session->session_id_length > 0) {
926 { 899 if (!ssl_get_new_session(s, 0)) {
927 if (!ssl_get_new_session(s,0)) 900 al = SSL_AD_INTERNAL_ERROR;
928 {
929 al=SSL_AD_INTERNAL_ERROR;
930 goto f_err; 901 goto f_err;
931 }
932 } 902 }
933 s->session->session_id_length=j;
934 memcpy(s->session->session_id,p,j); /* j could be 0 */
935 } 903 }
936 p+=j; 904 s->session->session_id_length = j;
937 c=ssl_get_cipher_by_char(s,p); 905 memcpy(s->session->session_id,p,j); /* j could be 0 */
938 if (c == NULL) 906 }
939 { 907 p += j;
908 c = ssl_get_cipher_by_char(s, p);
909 if (c == NULL) {
940 /* unknown cipher */ 910 /* unknown cipher */
941 al=SSL_AD_ILLEGAL_PARAMETER; 911 al = SSL_AD_ILLEGAL_PARAMETER;
942 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 912 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
943 goto f_err; 913 goto f_err;
944 } 914 }
945 /* TLS v1.2 only ciphersuites require v1.2 or later */ 915 /* TLS v1.2 only ciphersuites require v1.2 or later */
946 if ((c->algorithm_ssl & SSL_TLSV1_2) && 916 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
947 (TLS1_get_version(s) < TLS1_2_VERSION)) 917 (TLS1_get_version(s) < TLS1_2_VERSION)) {
948 { 918 al = SSL_AD_ILLEGAL_PARAMETER;
949 al=SSL_AD_ILLEGAL_PARAMETER; 919 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
950 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
951 goto f_err; 920 goto f_err;
952 } 921 }
953 p+=ssl_put_cipher_by_char(s,NULL,NULL); 922 p += ssl_put_cipher_by_char(s, NULL, NULL);
954 923
955 sk=ssl_get_ciphers_by_id(s); 924 sk = ssl_get_ciphers_by_id(s);
956 i=sk_SSL_CIPHER_find(sk,c); 925 i = sk_SSL_CIPHER_find(sk, c);
957 if (i < 0) 926 if (i < 0) {
958 {
959 /* we did not say we would use this cipher */ 927 /* we did not say we would use this cipher */
960 al=SSL_AD_ILLEGAL_PARAMETER; 928 al = SSL_AD_ILLEGAL_PARAMETER;
961 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 929 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
962 goto f_err; 930 goto f_err;
963 } 931 }
964 932
965 /* Depending on the session caching (internal/external), the cipher 933 /* Depending on the session caching (internal/external), the cipher
966 and/or cipher_id values may not be set. Make sure that 934 and/or cipher_id values may not be set. Make sure that
967 cipher_id is set and use it for comparison. */ 935 cipher_id is set and use it for comparison. */
968 if (s->session->cipher) 936 if (s->session->cipher)
969 s->session->cipher_id = s->session->cipher->id; 937 s->session->cipher_id = s->session->cipher->id;
970 if (s->hit && (s->session->cipher_id != c->id)) 938 if (s->hit && (s->session->cipher_id != c->id)) {
971 {
972/* Workaround is now obsolete */ 939/* Workaround is now obsolete */
973#if 0 940#if 0
974 if (!(s->options & 941 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
975 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
976#endif 942#endif
977 { 943 {
978 al=SSL_AD_ILLEGAL_PARAMETER; 944 al = SSL_AD_ILLEGAL_PARAMETER;
979 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 945 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
980 goto f_err; 946 goto f_err;
981 }
982 } 947 }
983 s->s3->tmp.new_cipher=c; 948 }
949 s->s3->tmp.new_cipher = c;
984 /* Don't digest cached records if TLS v1.2: we may need them for 950 /* Don't digest cached records if TLS v1.2: we may need them for
985 * client authentication. 951 * client authentication.
986 */ 952 */
987 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 953 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) {
988 {
989 al = SSL_AD_INTERNAL_ERROR; 954 al = SSL_AD_INTERNAL_ERROR;
990 goto f_err; 955 goto f_err;
991 } 956 }
992 /* lets get the compression algorithm */ 957 /* lets get the compression algorithm */
993 /* COMPRESSION */ 958 /* COMPRESSION */
994#ifdef OPENSSL_NO_COMP 959#ifdef OPENSSL_NO_COMP
995 if (*(p++) != 0) 960 if (*(p++) != 0) {
996 { 961 al = SSL_AD_ILLEGAL_PARAMETER;
997 al=SSL_AD_ILLEGAL_PARAMETER; 962 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
998 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
999 goto f_err; 963 goto f_err;
1000 } 964 }
1001 /* If compression is disabled we'd better not try to resume a session 965 /* If compression is disabled we'd better not try to resume a session
1002 * using compression. 966 * using compression.
1003 */ 967 */
1004 if (s->session->compress_meth != 0) 968 if (s->session->compress_meth != 0) {
1005 { 969 al = SSL_AD_INTERNAL_ERROR;
1006 al=SSL_AD_INTERNAL_ERROR; 970 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1007 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1008 goto f_err; 971 goto f_err;
1009 } 972 }
1010#else 973#else
1011 j= *(p++); 974 j= *(p++);
1012 if (s->hit && j != s->session->compress_meth) 975 if (s->hit && j != s->session->compress_meth) {
1013 { 976 al = SSL_AD_ILLEGAL_PARAMETER;
1014 al=SSL_AD_ILLEGAL_PARAMETER; 977 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1015 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1016 goto f_err; 978 goto f_err;
1017 } 979 }
1018 if (j == 0) 980 if (j == 0)
1019 comp=NULL; 981 comp = NULL;
1020 else if (s->options & SSL_OP_NO_COMPRESSION) 982 else if (s->options & SSL_OP_NO_COMPRESSION) {
1021 { 983 al = SSL_AD_ILLEGAL_PARAMETER;
1022 al=SSL_AD_ILLEGAL_PARAMETER; 984 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
1023 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
1024 goto f_err; 985 goto f_err;
1025 } 986 } else
1026 else 987 comp = ssl3_comp_find(s->ctx->comp_methods, j);
1027 comp=ssl3_comp_find(s->ctx->comp_methods,j); 988
1028 989 if ((j != 0) && (comp == NULL)) {
1029 if ((j != 0) && (comp == NULL)) 990 al = SSL_AD_ILLEGAL_PARAMETER;
1030 { 991 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1031 al=SSL_AD_ILLEGAL_PARAMETER;
1032 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1033 goto f_err; 992 goto f_err;
1034 } 993 } else {
1035 else 994 s->s3->tmp.new_compression = comp;
1036 { 995 }
1037 s->s3->tmp.new_compression=comp;
1038 }
1039#endif 996#endif
1040 997
1041#ifndef OPENSSL_NO_TLSEXT 998#ifndef OPENSSL_NO_TLSEXT
1042 /* TLS extensions*/ 999 /* TLS extensions*/
1043 if (s->version >= SSL3_VERSION) 1000 if (s->version >= SSL3_VERSION) {
1044 { 1001 if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
1045 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
1046 {
1047 /* 'al' set by ssl_parse_serverhello_tlsext */ 1002 /* 'al' set by ssl_parse_serverhello_tlsext */
1048 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1003 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
1049 goto f_err; 1004 goto f_err;
1050 } 1005
1051 if (ssl_check_serverhello_tlsext(s) <= 0)
1052 {
1053 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1054 goto err;
1055 }
1056 } 1006 }
1007 if (ssl_check_serverhello_tlsext(s) <= 0) {
1008 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1009 goto err;
1010 }
1011 }
1057#endif 1012#endif
1058 1013
1059 if (p != (d+n)) 1014 if (p != (d + n)) {
1060 {
1061 /* wrong packet length */ 1015 /* wrong packet length */
1062 al=SSL_AD_DECODE_ERROR; 1016 al = SSL_AD_DECODE_ERROR;
1063 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1017 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
1064 goto f_err; 1018 goto f_err;
1065 } 1019 }
1066 1020
1067 return(1); 1021 return (1);
1068f_err: 1022f_err:
1069 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1023 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1070err: 1024err:
1071 return(-1); 1025 return (-1);
1072 } 1026}
1073 1027
1074int ssl3_get_server_certificate(SSL *s) 1028int
1075 { 1029ssl3_get_server_certificate(SSL *s)
1076 int al,i,ok,ret= -1; 1030{
1077 unsigned long n,nc,llen,l; 1031 int al, i, ok, ret = -1;
1078 X509 *x=NULL; 1032 unsigned long n, nc, llen, l;
1079 const unsigned char *q,*p; 1033 X509 *x = NULL;
1034 const unsigned char *q, *p;
1080 unsigned char *d; 1035 unsigned char *d;
1081 STACK_OF(X509) *sk=NULL; 1036 STACK_OF(X509) *sk = NULL;
1082 SESS_CERT *sc; 1037 SESS_CERT *sc;
1083 EVP_PKEY *pkey=NULL; 1038 EVP_PKEY *pkey = NULL;
1084 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1039 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
1085 1040
1086 n=s->method->ssl_get_message(s, 1041 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
1087 SSL3_ST_CR_CERT_A, 1042 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
1088 SSL3_ST_CR_CERT_B,
1089 -1,
1090 s->max_cert_list,
1091 &ok);
1092 1043
1093 if (!ok) return((int)n); 1044 if (!ok)
1045 return ((int)n);
1094 1046
1095 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1047 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1096 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1048 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1097 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 1049 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
1098 { 1050 s->s3->tmp.reuse_message = 1;
1099 s->s3->tmp.reuse_message=1; 1051 return (1);
1100 return(1); 1052 }
1101 }
1102 1053
1103 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 1054 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
1104 { 1055 al = SSL_AD_UNEXPECTED_MESSAGE;
1105 al=SSL_AD_UNEXPECTED_MESSAGE; 1056 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE);
1106 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
1107 goto f_err; 1057 goto f_err;
1108 } 1058 }
1109 p=d=(unsigned char *)s->init_msg; 1059 p = d = (unsigned char *)s->init_msg;
1110 1060
1111 if ((sk=sk_X509_new_null()) == NULL) 1061 if ((sk = sk_X509_new_null()) == NULL) {
1112 { 1062 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1113 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1114 goto err; 1063 goto err;
1115 } 1064 }
1116 1065
1117 n2l3(p,llen); 1066 n2l3(p, llen);
1118 if (llen+3 != n) 1067 if (llen + 3 != n) {
1119 { 1068 al = SSL_AD_DECODE_ERROR;
1120 al=SSL_AD_DECODE_ERROR; 1069 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
1121 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1122 goto f_err; 1070 goto f_err;
1123 } 1071 }
1124 for (nc=0; nc<llen; ) 1072 for (nc = 0; nc < llen; ) {
1125 { 1073 n2l3(p, l);
1126 n2l3(p,l); 1074 if ((l + nc + 3) > llen) {
1127 if ((l+nc+3) > llen) 1075 al = SSL_AD_DECODE_ERROR;
1128 { 1076 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1129 al=SSL_AD_DECODE_ERROR;
1130 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1131 goto f_err; 1077 goto f_err;
1132 } 1078 }
1133 1079
1134 q=p; 1080 q = p;
1135 x=d2i_X509(NULL,&q,l); 1081 x = d2i_X509(NULL, &q, l);
1136 if (x == NULL) 1082 if (x == NULL) {
1137 { 1083 al = SSL_AD_BAD_CERTIFICATE;
1138 al=SSL_AD_BAD_CERTIFICATE; 1084 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1139 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
1140 goto f_err; 1085 goto f_err;
1141 } 1086 }
1142 if (q != (p+l)) 1087 if (q != (p + l)) {
1143 { 1088 al = SSL_AD_DECODE_ERROR;
1144 al=SSL_AD_DECODE_ERROR; 1089 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1145 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1146 goto f_err; 1090 goto f_err;
1147 } 1091 }
1148 if (!sk_X509_push(sk,x)) 1092 if (!sk_X509_push(sk, x)) {
1149 { 1093 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1150 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1151 goto err; 1094 goto err;
1152 }
1153 x=NULL;
1154 nc+=l+3;
1155 p=q;
1156 } 1095 }
1096 x = NULL;
1097 nc += l + 3;
1098 p = q;
1099 }
1157 1100
1158 i=ssl_verify_cert_chain(s,sk); 1101 i = ssl_verify_cert_chain(s, sk);
1159 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1102 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1160#ifndef OPENSSL_NO_KRB5 1103#ifndef OPENSSL_NO_KRB5
1161 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1104 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1162 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1105 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1163#endif /* OPENSSL_NO_KRB5 */ 1106#endif /* OPENSSL_NO_KRB5 */
1164 ) 1107 ) {
1165 { 1108 al = ssl_verify_alarm_type(s->verify_result);
1166 al=ssl_verify_alarm_type(s->verify_result); 1109 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED);
1167 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1110 goto f_err;
1168 goto f_err; 1111
1169 } 1112 }
1170 ERR_clear_error(); /* but we keep s->verify_result */ 1113 ERR_clear_error(); /* but we keep s->verify_result */
1171 1114
1172 sc=ssl_sess_cert_new(); 1115 sc = ssl_sess_cert_new();
1173 if (sc == NULL) goto err; 1116 if (sc == NULL)
1117 goto err;
1174 1118
1175 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1119 if (s->session->sess_cert)
1176 s->session->sess_cert=sc; 1120 ssl_sess_cert_free(s->session->sess_cert);
1121 s->session->sess_cert = sc;
1177 1122
1178 sc->cert_chain=sk; 1123 sc->cert_chain = sk;
1179 /* Inconsistency alert: cert_chain does include the peer's 1124 /* Inconsistency alert: cert_chain does include the peer's
1180 * certificate, which we don't include in s3_srvr.c */ 1125 * certificate, which we don't include in s3_srvr.c */
1181 x=sk_X509_value(sk,0); 1126 x = sk_X509_value(sk, 0);
1182 sk=NULL; 1127 sk = NULL;
1183 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1128 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1184 1129
1185 pkey=X509_get_pubkey(x); 1130 pkey = X509_get_pubkey(x);
1186 1131
1187 /* VRS: allow null cert if auth == KRB5 */ 1132 /* VRS: allow null cert if auth == KRB5 */
1188 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1133 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1189 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1134 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1190 ? 0 : 1; 1135 ? 0 : 1;
1191 1136
1192#ifdef KSSL_DEBUG 1137#ifdef KSSL_DEBUG
1193 printf("pkey,x = %p, %p\n", pkey,x); 1138 printf("pkey, x = %p, %p\n", pkey, x);
1194 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1139 printf("ssl_cert_type(x, pkey) = %d\n", ssl_cert_type(x, pkey));
1195 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1140 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1196 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1141 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1197#endif /* KSSL_DEBUG */ 1142#endif /* KSSL_DEBUG */
1198 1143
1199 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1144 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) {
1200 { 1145 x = NULL;
1201 x=NULL; 1146 al = SSL3_AL_FATAL;
1202 al=SSL3_AL_FATAL;
1203 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1147 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1204 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1148 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1205 goto f_err; 1149 goto f_err;
1206 } 1150 }
1207 1151
1208 i=ssl_cert_type(x,pkey); 1152 i = ssl_cert_type(x, pkey);
1209 if (need_cert && i < 0) 1153 if (need_cert && i < 0) {
1210 { 1154 x = NULL;
1211 x=NULL; 1155 al = SSL3_AL_FATAL;
1212 al=SSL3_AL_FATAL;
1213 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1156 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1214 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1157 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1215 goto f_err; 1158 goto f_err;
1216 } 1159 }
1217 1160
1218 if (need_cert) 1161 if (need_cert) {
1219 { 1162 sc->peer_cert_type = i;
1220 sc->peer_cert_type=i; 1163 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1221 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1222 /* Why would the following ever happen? 1164 /* Why would the following ever happen?
1223 * We just created sc a couple of lines ago. */ 1165 * We just created sc a couple of lines ago. */
1224 if (sc->peer_pkeys[i].x509 != NULL) 1166 if (sc->peer_pkeys[i].x509 != NULL)
1225 X509_free(sc->peer_pkeys[i].x509); 1167 X509_free(sc->peer_pkeys[i].x509);
1226 sc->peer_pkeys[i].x509=x; 1168 sc->peer_pkeys[i].x509 = x;
1227 sc->peer_key= &(sc->peer_pkeys[i]); 1169 sc->peer_key = &(sc->peer_pkeys[i]);
1228 1170
1229 if (s->session->peer != NULL) 1171 if (s->session->peer != NULL)
1230 X509_free(s->session->peer); 1172 X509_free(s->session->peer);
1231 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1173 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1232 s->session->peer=x; 1174 s->session->peer = x;
1233 } 1175 } else {
1234 else 1176 sc->peer_cert_type = i;
1235 { 1177 sc->peer_key = NULL;
1236 sc->peer_cert_type=i;
1237 sc->peer_key= NULL;
1238 1178
1239 if (s->session->peer != NULL) 1179 if (s->session->peer != NULL)
1240 X509_free(s->session->peer); 1180 X509_free(s->session->peer);
1241 s->session->peer=NULL; 1181 s->session->peer = NULL;
1242 } 1182 }
1243 s->session->verify_result = s->verify_result; 1183 s->session->verify_result = s->verify_result;
1244 1184
1245 x=NULL; 1185 x = NULL;
1246 ret=1; 1186 ret = 1;
1247 1187
1248 if (0) 1188 if (0) {
1249 {
1250f_err: 1189f_err:
1251 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1190 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1252 } 1191 }
1253err: 1192err:
1254 EVP_PKEY_free(pkey); 1193 EVP_PKEY_free(pkey);
1255 X509_free(x); 1194 X509_free(x);
1256 sk_X509_pop_free(sk,X509_free); 1195 sk_X509_pop_free(sk, X509_free);
1257 return(ret); 1196 return (ret);
1258 } 1197}
1259 1198
1260int ssl3_get_key_exchange(SSL *s) 1199int
1261 { 1200ssl3_get_key_exchange(SSL *s)
1201{
1262#ifndef OPENSSL_NO_RSA 1202#ifndef OPENSSL_NO_RSA
1263 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1203 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1264#endif 1204#endif
1265 EVP_MD_CTX md_ctx; 1205 EVP_MD_CTX md_ctx;
1266 unsigned char *param,*p; 1206 unsigned char *param, *p;
1267 int al,i,j,param_len,ok; 1207 int al, i, j, param_len, ok;
1268 long n,alg_k,alg_a; 1208 long n, alg_k, alg_a;
1269 EVP_PKEY *pkey=NULL; 1209 EVP_PKEY *pkey = NULL;
1270 const EVP_MD *md = NULL; 1210 const EVP_MD *md = NULL;
1271#ifndef OPENSSL_NO_RSA 1211#ifndef OPENSSL_NO_RSA
1272 RSA *rsa=NULL; 1212 RSA *rsa = NULL;
1273#endif 1213#endif
1274#ifndef OPENSSL_NO_DH 1214#ifndef OPENSSL_NO_DH
1275 DH *dh=NULL; 1215 DH *dh = NULL;
1276#endif 1216#endif
1277#ifndef OPENSSL_NO_ECDH 1217#ifndef OPENSSL_NO_ECDH
1278 EC_KEY *ecdh = NULL; 1218 EC_KEY *ecdh = NULL;
@@ -1284,336 +1224,291 @@ int ssl3_get_key_exchange(SSL *s)
1284 1224
1285 /* use same message size as in ssl3_get_certificate_request() 1225 /* use same message size as in ssl3_get_certificate_request()
1286 * as ServerKeyExchange message may be skipped */ 1226 * as ServerKeyExchange message may be skipped */
1287 n=s->method->ssl_get_message(s, 1227 n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1288 SSL3_ST_CR_KEY_EXCH_A, 1228 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok);
1289 SSL3_ST_CR_KEY_EXCH_B, 1229 if (!ok)
1290 -1, 1230 return ((int)n);
1291 s->max_cert_list, 1231
1292 &ok); 1232 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1293 if (!ok) return((int)n);
1294
1295 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1296 {
1297#ifndef OPENSSL_NO_PSK 1233#ifndef OPENSSL_NO_PSK
1298 /* In plain PSK ciphersuite, ServerKeyExchange can be 1234 /* In plain PSK ciphersuite, ServerKeyExchange can be
1299 omitted if no identity hint is sent. Set 1235 omitted if no identity hint is sent. Set
1300 session->sess_cert anyway to avoid problems 1236 session->sess_cert anyway to avoid problems
1301 later.*/ 1237 later.*/
1302 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1238 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
1303 { 1239 s->session->sess_cert = ssl_sess_cert_new();
1304 s->session->sess_cert=ssl_sess_cert_new();
1305 if (s->ctx->psk_identity_hint) 1240 if (s->ctx->psk_identity_hint)
1306 OPENSSL_free(s->ctx->psk_identity_hint); 1241 OPENSSL_free(s->ctx->psk_identity_hint);
1307 s->ctx->psk_identity_hint = NULL; 1242 s->ctx->psk_identity_hint = NULL;
1308 }
1309#endif
1310 s->s3->tmp.reuse_message=1;
1311 return(1);
1312 } 1243 }
1244#endif
1245 s->s3->tmp.reuse_message = 1;
1246 return (1);
1247 }
1313 1248
1314 param=p=(unsigned char *)s->init_msg; 1249 param = p = (unsigned char *)s->init_msg;
1315 if (s->session->sess_cert != NULL) 1250 if (s->session->sess_cert != NULL) {
1316 {
1317#ifndef OPENSSL_NO_RSA 1251#ifndef OPENSSL_NO_RSA
1318 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1252 if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1319 {
1320 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1253 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1321 s->session->sess_cert->peer_rsa_tmp=NULL; 1254 s->session->sess_cert->peer_rsa_tmp = NULL;
1322 } 1255 }
1323#endif 1256#endif
1324#ifndef OPENSSL_NO_DH 1257#ifndef OPENSSL_NO_DH
1325 if (s->session->sess_cert->peer_dh_tmp) 1258 if (s->session->sess_cert->peer_dh_tmp) {
1326 {
1327 DH_free(s->session->sess_cert->peer_dh_tmp); 1259 DH_free(s->session->sess_cert->peer_dh_tmp);
1328 s->session->sess_cert->peer_dh_tmp=NULL; 1260 s->session->sess_cert->peer_dh_tmp = NULL;
1329 } 1261 }
1330#endif 1262#endif
1331#ifndef OPENSSL_NO_ECDH 1263#ifndef OPENSSL_NO_ECDH
1332 if (s->session->sess_cert->peer_ecdh_tmp) 1264 if (s->session->sess_cert->peer_ecdh_tmp) {
1333 {
1334 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1265 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1335 s->session->sess_cert->peer_ecdh_tmp=NULL; 1266 s->session->sess_cert->peer_ecdh_tmp = NULL;
1336 }
1337#endif
1338 }
1339 else
1340 {
1341 s->session->sess_cert=ssl_sess_cert_new();
1342 } 1267 }
1268#endif
1269 } else {
1270 s->session->sess_cert = ssl_sess_cert_new();
1271 }
1343 1272
1344 param_len=0; 1273 param_len = 0;
1345 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1274 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1346 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1275 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1347 EVP_MD_CTX_init(&md_ctx); 1276 EVP_MD_CTX_init(&md_ctx);
1348 1277
1349#ifndef OPENSSL_NO_PSK 1278#ifndef OPENSSL_NO_PSK
1350 if (alg_k & SSL_kPSK) 1279 if (alg_k & SSL_kPSK) {
1351 { 1280 char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1];
1352 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1353 1281
1354 al=SSL_AD_HANDSHAKE_FAILURE; 1282 al = SSL_AD_HANDSHAKE_FAILURE;
1355 n2s(p,i); 1283 n2s(p, i);
1356 param_len=i+2; 1284 param_len = i + 2;
1357 /* Store PSK identity hint for later use, hint is used 1285 /* Store PSK identity hint for later use, hint is used
1358 * in ssl3_send_client_key_exchange. Assume that the 1286 * in ssl3_send_client_key_exchange. Assume that the
1359 * maximum length of a PSK identity hint can be as 1287 * maximum length of a PSK identity hint can be as
1360 * long as the maximum length of a PSK identity. */ 1288 * long as the maximum length of a PSK identity. */
1361 if (i > PSK_MAX_IDENTITY_LEN) 1289 if (i > PSK_MAX_IDENTITY_LEN) {
1362 {
1363 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1290 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1364 SSL_R_DATA_LENGTH_TOO_LONG); 1291 SSL_R_DATA_LENGTH_TOO_LONG);
1365 goto f_err; 1292 goto f_err;
1366 } 1293 }
1367 if (param_len > n) 1294 if (param_len > n) {
1368 { 1295 al = SSL_AD_DECODE_ERROR;
1369 al=SSL_AD_DECODE_ERROR;
1370 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1296 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1371 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1297 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1372 goto f_err; 1298 goto f_err;
1373 } 1299 }
1374 /* If received PSK identity hint contains NULL 1300 /* If received PSK identity hint contains NULL
1375 * characters, the hint is truncated from the first 1301 * characters, the hint is truncated from the first
1376 * NULL. p may not be ending with NULL, so create a 1302 * NULL. p may not be ending with NULL, so create a
1377 * NULL-terminated string. */ 1303 * NULL-terminated string. */
1378 memcpy(tmp_id_hint, p, i); 1304 memcpy(tmp_id_hint, p, i);
1379 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1305 memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
1380 if (s->ctx->psk_identity_hint != NULL) 1306 if (s->ctx->psk_identity_hint != NULL)
1381 OPENSSL_free(s->ctx->psk_identity_hint); 1307 OPENSSL_free(s->ctx->psk_identity_hint);
1382 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1308 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1383 if (s->ctx->psk_identity_hint == NULL) 1309 if (s->ctx->psk_identity_hint == NULL) {
1384 {
1385 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1310 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1386 goto f_err; 1311 goto f_err;
1387 }
1388
1389 p+=i;
1390 n-=param_len;
1391 } 1312 }
1392 else 1313
1314 p += i;
1315 n -= param_len;
1316 } else
1393#endif /* !OPENSSL_NO_PSK */ 1317#endif /* !OPENSSL_NO_PSK */
1394#ifndef OPENSSL_NO_SRP 1318#ifndef OPENSSL_NO_SRP
1395 if (alg_k & SSL_kSRP) 1319 if (alg_k & SSL_kSRP) {
1396 { 1320 n2s(p, i);
1397 n2s(p,i); 1321 param_len = i + 2;
1398 param_len=i+2; 1322 if (param_len > n) {
1399 if (param_len > n) 1323 al = SSL_AD_DECODE_ERROR;
1400 { 1324 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
1401 al=SSL_AD_DECODE_ERROR;
1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
1403 goto f_err; 1325 goto f_err;
1404 } 1326 }
1405 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1327 if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
1406 { 1328 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1407 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1408 goto err; 1329 goto err;
1409 } 1330 }
1410 p+=i; 1331 p += i;
1411 1332
1412 n2s(p,i); 1333 n2s(p, i);
1413 param_len+=i+2; 1334 param_len += i + 2;
1414 if (param_len > n) 1335 if (param_len > n) {
1415 { 1336 al = SSL_AD_DECODE_ERROR;
1416 al=SSL_AD_DECODE_ERROR; 1337 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
1417 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
1418 goto f_err; 1338 goto f_err;
1419 } 1339 }
1420 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1340 if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
1421 { 1341 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1422 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1423 goto err; 1342 goto err;
1424 } 1343 }
1425 p+=i; 1344 p += i;
1426 1345
1427 i = (unsigned int)(p[0]); 1346 i = (unsigned int)(p[0]);
1428 p++; 1347 p++;
1429 param_len+=i+1; 1348 param_len += i + 1;
1430 if (param_len > n) 1349 if (param_len > n) {
1431 { 1350 al = SSL_AD_DECODE_ERROR;
1432 al=SSL_AD_DECODE_ERROR; 1351 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
1433 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
1434 goto f_err; 1352 goto f_err;
1435 } 1353 }
1436 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1354 if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
1437 { 1355 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1439 goto err; 1356 goto err;
1440 } 1357 }
1441 p+=i; 1358 p += i;
1442 1359
1443 n2s(p,i); 1360 n2s(p, i);
1444 param_len+=i+2; 1361 param_len += i + 2;
1445 if (param_len > n) 1362 if (param_len > n) {
1446 { 1363 al = SSL_AD_DECODE_ERROR;
1447 al=SSL_AD_DECODE_ERROR; 1364 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
1448 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
1449 goto f_err; 1365 goto f_err;
1450 } 1366 }
1451 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1367 if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
1452 { 1368 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1453 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1454 goto err; 1369 goto err;
1455 } 1370 }
1456 p+=i; 1371 p += i;
1457 n-=param_len; 1372 n -= param_len;
1458 1373
1459/* We must check if there is a certificate */ 1374/* We must check if there is a certificate */
1460#ifndef OPENSSL_NO_RSA 1375#ifndef OPENSSL_NO_RSA
1461 if (alg_a & SSL_aRSA) 1376 if (alg_a & SSL_aRSA)
1462 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1377 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1463#else 1378#else
1464 if (0) 1379 if (0)
1465 ; 1380;
1466#endif 1381#endif
1467#ifndef OPENSSL_NO_DSA 1382#ifndef OPENSSL_NO_DSA
1468 else if (alg_a & SSL_aDSS) 1383 else if (alg_a & SSL_aDSS)
1469 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1384 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1470#endif 1385#endif
1471 } 1386 } else
1472 else
1473#endif /* !OPENSSL_NO_SRP */ 1387#endif /* !OPENSSL_NO_SRP */
1474#ifndef OPENSSL_NO_RSA 1388#ifndef OPENSSL_NO_RSA
1475 if (alg_k & SSL_kRSA) 1389 if (alg_k & SSL_kRSA) {
1476 { 1390 if ((rsa = RSA_new()) == NULL) {
1477 if ((rsa=RSA_new()) == NULL) 1391 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1478 {
1479 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1480 goto err; 1392 goto err;
1481 } 1393 }
1482 n2s(p,i); 1394 n2s(p, i);
1483 param_len=i+2; 1395 param_len = i + 2;
1484 if (param_len > n) 1396 if (param_len > n) {
1485 { 1397 al = SSL_AD_DECODE_ERROR;
1486 al=SSL_AD_DECODE_ERROR; 1398 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_MODULUS_LENGTH);
1487 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1488 goto f_err; 1399 goto f_err;
1489 } 1400 }
1490 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1401 if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) {
1491 { 1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1492 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1493 goto err; 1403 goto err;
1494 } 1404 }
1495 p+=i; 1405 p += i;
1496 1406
1497 n2s(p,i); 1407 n2s(p, i);
1498 param_len+=i+2; 1408 param_len += i + 2;
1499 if (param_len > n) 1409 if (param_len > n) {
1500 { 1410 al = SSL_AD_DECODE_ERROR;
1501 al=SSL_AD_DECODE_ERROR; 1411 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_E_LENGTH);
1502 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1503 goto f_err; 1412 goto f_err;
1504 } 1413 }
1505 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1414 if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) {
1506 { 1415 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1507 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1508 goto err; 1416 goto err;
1509 } 1417 }
1510 p+=i; 1418 p += i;
1511 n-=param_len; 1419 n -= param_len;
1512 1420
1513 /* this should be because we are using an export cipher */ 1421 /* this should be because we are using an export cipher */
1514 if (alg_a & SSL_aRSA) 1422 if (alg_a & SSL_aRSA)
1515 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1423 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1516 else 1424 else {
1517 { 1425 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1518 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1519 goto err; 1426 goto err;
1520 }
1521 s->session->sess_cert->peer_rsa_tmp=rsa;
1522 rsa=NULL;
1523 } 1427 }
1428 s->session->sess_cert->peer_rsa_tmp = rsa;
1429 rsa = NULL;
1430 }
1524#else /* OPENSSL_NO_RSA */ 1431#else /* OPENSSL_NO_RSA */
1525 if (0) 1432 if (0)
1526 ; 1433;
1527#endif 1434#endif
1528#ifndef OPENSSL_NO_DH 1435#ifndef OPENSSL_NO_DH
1529 else if (alg_k & SSL_kEDH) 1436 else if (alg_k & SSL_kEDH) {
1530 { 1437 if ((dh = DH_new()) == NULL) {
1531 if ((dh=DH_new()) == NULL) 1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
1532 {
1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1534 goto err; 1439 goto err;
1535 } 1440 }
1536 n2s(p,i); 1441 n2s(p, i);
1537 param_len=i+2; 1442 param_len = i + 2;
1538 if (param_len > n) 1443 if (param_len > n) {
1539 { 1444 al = SSL_AD_DECODE_ERROR;
1540 al=SSL_AD_DECODE_ERROR; 1445 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
1541 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1542 goto f_err; 1446 goto f_err;
1543 } 1447 }
1544 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1448 if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1545 { 1449 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1546 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1547 goto err; 1450 goto err;
1548 } 1451 }
1549 p+=i; 1452 p += i;
1550 1453
1551 n2s(p,i); 1454 n2s(p, i);
1552 param_len+=i+2; 1455 param_len += i + 2;
1553 if (param_len > n) 1456 if (param_len > n) {
1554 { 1457 al = SSL_AD_DECODE_ERROR;
1555 al=SSL_AD_DECODE_ERROR; 1458 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1557 goto f_err; 1459 goto f_err;
1558 } 1460 }
1559 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1461 if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1560 { 1462 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1561 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1562 goto err; 1463 goto err;
1563 } 1464 }
1564 p+=i; 1465 p += i;
1565 1466
1566 n2s(p,i); 1467 n2s(p, i);
1567 param_len+=i+2; 1468 param_len += i + 2;
1568 if (param_len > n) 1469 if (param_len > n) {
1569 { 1470 al = SSL_AD_DECODE_ERROR;
1570 al=SSL_AD_DECODE_ERROR; 1471 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1571 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1572 goto f_err; 1472 goto f_err;
1573 } 1473 }
1574 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1474 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1575 { 1475 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1576 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1577 goto err; 1476 goto err;
1578 } 1477 }
1579 p+=i; 1478 p += i;
1580 n-=param_len; 1479 n -= param_len;
1581 1480
1582#ifndef OPENSSL_NO_RSA 1481#ifndef OPENSSL_NO_RSA
1583 if (alg_a & SSL_aRSA) 1482 if (alg_a & SSL_aRSA)
1584 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1483 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1585#else 1484#else
1586 if (0) 1485 if (0)
1587 ; 1486;
1588#endif 1487#endif
1589#ifndef OPENSSL_NO_DSA 1488#ifndef OPENSSL_NO_DSA
1590 else if (alg_a & SSL_aDSS) 1489 else if (alg_a & SSL_aDSS)
1591 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1490 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1592#endif 1491#endif
1593 /* else anonymous DH, so no certificate or pkey. */ 1492 /* else anonymous DH, so no certificate or pkey. */
1594 1493
1595 s->session->sess_cert->peer_dh_tmp=dh; 1494 s->session->sess_cert->peer_dh_tmp = dh;
1596 dh=NULL; 1495 dh = NULL;
1597 } 1496 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1598 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1497 al = SSL_AD_ILLEGAL_PARAMETER;
1599 { 1498 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1600 al=SSL_AD_ILLEGAL_PARAMETER;
1601 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1602 goto f_err; 1499 goto f_err;
1603 } 1500 }
1604#endif /* !OPENSSL_NO_DH */ 1501#endif /* !OPENSSL_NO_DH */
1605 1502
1606#ifndef OPENSSL_NO_ECDH 1503#ifndef OPENSSL_NO_ECDH
1607 else if (alg_k & SSL_kEECDH) 1504 else if (alg_k & SSL_kEECDH) {
1608 {
1609 EC_GROUP *ngroup; 1505 EC_GROUP *ngroup;
1610 const EC_GROUP *group; 1506 const EC_GROUP *group;
1611 1507
1612 if ((ecdh=EC_KEY_new()) == NULL) 1508 if ((ecdh = EC_KEY_new()) == NULL) {
1613 { 1509 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1614 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1615 goto err; 1510 goto err;
1616 } 1511 }
1617 1512
1618 /* Extract elliptic curve parameters and the 1513 /* Extract elliptic curve parameters and the
1619 * server's ephemeral ECDH public key. 1514 * server's ephemeral ECDH public key.
@@ -1624,217 +1519,194 @@ int ssl3_get_key_exchange(SSL *s)
1624 /* XXX: For now we only support named (not generic) curves 1519 /* XXX: For now we only support named (not generic) curves
1625 * and the ECParameters in this case is just three bytes. 1520 * and the ECParameters in this case is just three bytes.
1626 */ 1521 */
1627 param_len=3; 1522 param_len = 3;
1628 if ((param_len > n) || 1523 if ((param_len > n) ||
1629 (*p != NAMED_CURVE_TYPE) || 1524 (*p != NAMED_CURVE_TYPE) ||
1630 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1525 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) {
1631 { 1526 al = SSL_AD_INTERNAL_ERROR;
1632 al=SSL_AD_INTERNAL_ERROR; 1527 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1633 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1634 goto f_err; 1528 goto f_err;
1635 } 1529 }
1636 1530
1637 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1531 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1638 if (ngroup == NULL) 1532 if (ngroup == NULL) {
1639 { 1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1640 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1641 goto err; 1534 goto err;
1642 } 1535 }
1643 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1536 if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1644 { 1537 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1645 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1646 goto err; 1538 goto err;
1647 } 1539 }
1648 EC_GROUP_free(ngroup); 1540 EC_GROUP_free(ngroup);
1649 1541
1650 group = EC_KEY_get0_group(ecdh); 1542 group = EC_KEY_get0_group(ecdh);
1651 1543
1652 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1544 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1653 (EC_GROUP_get_degree(group) > 163)) 1545 (EC_GROUP_get_degree(group) > 163)) {
1654 { 1546 al = SSL_AD_EXPORT_RESTRICTION;
1655 al=SSL_AD_EXPORT_RESTRICTION; 1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1656 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1657 goto f_err; 1548 goto f_err;
1658 } 1549 }
1659 1550
1660 p+=3; 1551 p += 3;
1661 1552
1662 /* Next, get the encoded ECPoint */ 1553 /* Next, get the encoded ECPoint */
1663 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1554 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1664 ((bn_ctx = BN_CTX_new()) == NULL)) 1555 ((bn_ctx = BN_CTX_new()) == NULL)) {
1665 { 1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1666 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1667 goto err; 1557 goto err;
1668 } 1558 }
1669 1559
1670 encoded_pt_len = *p; /* length of encoded point */ 1560 encoded_pt_len = *p;
1671 p+=1; 1561 /* length of encoded point */
1562 p += 1;
1672 param_len += (1 + encoded_pt_len); 1563 param_len += (1 + encoded_pt_len);
1673 if ((param_len > n) || 1564 if ((param_len > n) ||
1674 (EC_POINT_oct2point(group, srvr_ecpoint, 1565 (EC_POINT_oct2point(group, srvr_ecpoint,
1675 p, encoded_pt_len, bn_ctx) == 0)) 1566 p, encoded_pt_len, bn_ctx) == 0)) {
1676 { 1567 al = SSL_AD_DECODE_ERROR;
1677 al=SSL_AD_DECODE_ERROR; 1568 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
1678 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1679 goto f_err; 1569 goto f_err;
1680 } 1570 }
1681 1571
1682 n-=param_len; 1572 n -= param_len;
1683 p+=encoded_pt_len; 1573 p += encoded_pt_len;
1684 1574
1685 /* The ECC/TLS specification does not mention 1575 /* The ECC/TLS specification does not mention
1686 * the use of DSA to sign ECParameters in the server 1576 * the use of DSA to sign ECParameters in the server
1687 * key exchange message. We do support RSA and ECDSA. 1577 * key exchange message. We do support RSA and ECDSA.
1688 */ 1578 */
1689 if (0) ; 1579 if (0);
1690#ifndef OPENSSL_NO_RSA 1580#ifndef OPENSSL_NO_RSA
1691 else if (alg_a & SSL_aRSA) 1581 else if (alg_a & SSL_aRSA)
1692 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1582 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1693#endif 1583#endif
1694#ifndef OPENSSL_NO_ECDSA 1584#ifndef OPENSSL_NO_ECDSA
1695 else if (alg_a & SSL_aECDSA) 1585 else if (alg_a & SSL_aECDSA)
1696 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1586 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1697#endif 1587#endif
1698 /* else anonymous ECDH, so no certificate or pkey. */ 1588 /* else anonymous ECDH, so no certificate or pkey. */
1699 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1589 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1700 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1590 s->session->sess_cert->peer_ecdh_tmp = ecdh;
1701 ecdh=NULL; 1591 ecdh = NULL;
1702 BN_CTX_free(bn_ctx); 1592 BN_CTX_free(bn_ctx);
1703 bn_ctx = NULL; 1593 bn_ctx = NULL;
1704 EC_POINT_free(srvr_ecpoint); 1594 EC_POINT_free(srvr_ecpoint);
1705 srvr_ecpoint = NULL; 1595 srvr_ecpoint = NULL;
1706 } 1596 } else if (alg_k) {
1707 else if (alg_k) 1597 al = SSL_AD_UNEXPECTED_MESSAGE;
1708 { 1598 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1709 al=SSL_AD_UNEXPECTED_MESSAGE;
1710 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1711 goto f_err; 1599 goto f_err;
1712 } 1600 }
1713#endif /* !OPENSSL_NO_ECDH */ 1601#endif /* !OPENSSL_NO_ECDH */
1714 1602
1715 1603
1716 /* p points to the next byte, there are 'n' bytes left */ 1604 /* p points to the next byte, there are 'n' bytes left */
1717 1605
1718 /* if it was signed, check the signature */ 1606 /* if it was signed, check the signature */
1719 if (pkey != NULL) 1607 if (pkey != NULL) {
1720 { 1608 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1721 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1722 {
1723 int sigalg = tls12_get_sigid(pkey); 1609 int sigalg = tls12_get_sigid(pkey);
1724 /* Should never happen */ 1610 /* Should never happen */
1725 if (sigalg == -1) 1611 if (sigalg == -1) {
1726 { 1612 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1727 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1728 goto err; 1613 goto err;
1729 } 1614 }
1730 /* Check key type is consistent with signature */ 1615 /* Check key type is consistent with signature */
1731 if (sigalg != (int)p[1]) 1616 if (sigalg != (int)p[1]) {
1732 { 1617 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_TYPE);
1733 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1618 al = SSL_AD_DECODE_ERROR;
1734 al=SSL_AD_DECODE_ERROR;
1735 goto f_err; 1619 goto f_err;
1736 } 1620 }
1737 md = tls12_get_hash(p[0]); 1621 md = tls12_get_hash(p[0]);
1738 if (md == NULL) 1622 if (md == NULL) {
1739 { 1623 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNKNOWN_DIGEST);
1740 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1624 al = SSL_AD_DECODE_ERROR;
1741 al=SSL_AD_DECODE_ERROR;
1742 goto f_err; 1625 goto f_err;
1743 } 1626 }
1744#ifdef SSL_DEBUG 1627#ifdef SSL_DEBUG
1745fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1628 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1746#endif 1629#endif
1747 p += 2; 1630 p += 2;
1748 n -= 2; 1631 n -= 2;
1749 } 1632 } else
1750 else
1751 md = EVP_sha1(); 1633 md = EVP_sha1();
1752
1753 n2s(p,i);
1754 n-=2;
1755 j=EVP_PKEY_size(pkey);
1756 1634
1757 if ((i != n) || (n > j) || (n <= 0)) 1635 n2s(p, i);
1758 { 1636 n -= 2;
1637 j = EVP_PKEY_size(pkey);
1638
1639 if ((i != n) || (n > j) || (n <= 0)) {
1759 /* wrong packet length */ 1640 /* wrong packet length */
1760 al=SSL_AD_DECODE_ERROR; 1641 al = SSL_AD_DECODE_ERROR;
1761 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1642 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
1762 goto f_err; 1643 goto f_err;
1763 } 1644 }
1764 1645
1765#ifndef OPENSSL_NO_RSA 1646#ifndef OPENSSL_NO_RSA
1766 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 1647 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) {
1767 {
1768 int num; 1648 int num;
1769 1649
1770 j=0; 1650 j = 0;
1771 q=md_buf; 1651 q = md_buf;
1772 for (num=2; num > 0; num--) 1652 for (num = 2; num > 0; num--) {
1773 {
1774 EVP_MD_CTX_set_flags(&md_ctx, 1653 EVP_MD_CTX_set_flags(&md_ctx,
1775 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1654 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1776 EVP_DigestInit_ex(&md_ctx,(num == 2) 1655 EVP_DigestInit_ex(&md_ctx,(num == 2)
1777 ?s->ctx->md5:s->ctx->sha1, NULL); 1656 ?s->ctx->md5 : s->ctx->sha1, NULL);
1778 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1657 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1779 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1658 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1780 EVP_DigestUpdate(&md_ctx,param,param_len); 1659 EVP_DigestUpdate(&md_ctx, param, param_len);
1781 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1660 EVP_DigestFinal_ex(&md_ctx, q,(unsigned int *)&i);
1782 q+=i; 1661 q += i;
1783 j+=i; 1662 j += i;
1784 } 1663 }
1785 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1664 i = RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1786 pkey->pkey.rsa); 1665 pkey->pkey.rsa);
1787 if (i < 0) 1666 if (i < 0) {
1788 { 1667 al = SSL_AD_DECRYPT_ERROR;
1789 al=SSL_AD_DECRYPT_ERROR; 1668 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT);
1790 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1791 goto f_err; 1669 goto f_err;
1792 } 1670 }
1793 if (i == 0) 1671 if (i == 0) {
1794 {
1795 /* bad signature */ 1672 /* bad signature */
1796 al=SSL_AD_DECRYPT_ERROR; 1673 al = SSL_AD_DECRYPT_ERROR;
1797 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1674 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1798 goto f_err; 1675 goto f_err;
1799 }
1800 } 1676 }
1801 else 1677 } else
1802#endif 1678#endif
1803 { 1679 {
1804 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1680 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1805 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1681 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1806 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1682 EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1807 EVP_VerifyUpdate(&md_ctx,param,param_len); 1683 EVP_VerifyUpdate(&md_ctx, param, param_len);
1808 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1684 if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {
1809 {
1810 /* bad signature */ 1685 /* bad signature */
1811 al=SSL_AD_DECRYPT_ERROR; 1686 al = SSL_AD_DECRYPT_ERROR;
1812 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1687 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1813 goto f_err; 1688 goto f_err;
1814 }
1815 } 1689 }
1816 } 1690 }
1817 else 1691 } else {
1818 {
1819 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1692 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
1820 /* aNULL or kPSK do not need public keys */ 1693 /* aNULL or kPSK do not need public keys */
1821 { 1694 {
1822 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1695 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1823 goto err; 1696 goto err;
1824 } 1697 }
1825 /* still data left over */ 1698 /* still data left over */
1826 if (n != 0) 1699 if (n != 0) {
1827 { 1700 al = SSL_AD_DECODE_ERROR;
1828 al=SSL_AD_DECODE_ERROR; 1701 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
1829 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1830 goto f_err; 1702 goto f_err;
1831 }
1832 } 1703 }
1704 }
1833 EVP_PKEY_free(pkey); 1705 EVP_PKEY_free(pkey);
1834 EVP_MD_CTX_cleanup(&md_ctx); 1706 EVP_MD_CTX_cleanup(&md_ctx);
1835 return(1); 1707 return (1);
1836f_err: 1708f_err:
1837 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1709 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1838err: 1710err:
1839 EVP_PKEY_free(pkey); 1711 EVP_PKEY_free(pkey);
1840#ifndef OPENSSL_NO_RSA 1712#ifndef OPENSSL_NO_RSA
@@ -1852,241 +1724,219 @@ err:
1852 EC_KEY_free(ecdh); 1724 EC_KEY_free(ecdh);
1853#endif 1725#endif
1854 EVP_MD_CTX_cleanup(&md_ctx); 1726 EVP_MD_CTX_cleanup(&md_ctx);
1855 return(-1); 1727 return (-1);
1856 } 1728}
1857 1729
1858int ssl3_get_certificate_request(SSL *s) 1730int
1859 { 1731ssl3_get_certificate_request(SSL *s)
1860 int ok,ret=0; 1732{
1861 unsigned long n,nc,l; 1733 int ok, ret = 0;
1862 unsigned int llen, ctype_num,i; 1734 unsigned long n, nc, l;
1863 X509_NAME *xn=NULL; 1735 unsigned int llen, ctype_num, i;
1864 const unsigned char *p,*q; 1736 X509_NAME *xn = NULL;
1737 const unsigned char *p, *q;
1865 unsigned char *d; 1738 unsigned char *d;
1866 STACK_OF(X509_NAME) *ca_sk=NULL; 1739 STACK_OF(X509_NAME) *ca_sk = NULL;
1867 1740
1868 n=s->method->ssl_get_message(s, 1741 n = s->method->ssl_get_message(s,
1869 SSL3_ST_CR_CERT_REQ_A, 1742 SSL3_ST_CR_CERT_REQ_A,
1870 SSL3_ST_CR_CERT_REQ_B, 1743 SSL3_ST_CR_CERT_REQ_B,
1871 -1, 1744 -1,
1872 s->max_cert_list, 1745 s->max_cert_list,
1873 &ok); 1746 &ok);
1874 1747
1875 if (!ok) return((int)n); 1748 if (!ok)
1749 return ((int)n);
1876 1750
1877 s->s3->tmp.cert_req=0; 1751 s->s3->tmp.cert_req = 0;
1878 1752
1879 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1753 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
1880 { 1754 s->s3->tmp.reuse_message = 1;
1881 s->s3->tmp.reuse_message=1;
1882 /* If we get here we don't need any cached handshake records 1755 /* If we get here we don't need any cached handshake records
1883 * as we wont be doing client auth. 1756 * as we wont be doing client auth.
1884 */ 1757 */
1885 if (s->s3->handshake_buffer) 1758 if (s->s3->handshake_buffer) {
1886 {
1887 if (!ssl3_digest_cached_records(s)) 1759 if (!ssl3_digest_cached_records(s))
1888 goto err; 1760 goto err;
1889 }
1890 return(1);
1891 } 1761 }
1762 return (1);
1763 }
1892 1764
1893 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1765 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1894 { 1766 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1895 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1767 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_WRONG_MESSAGE_TYPE);
1896 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1897 goto err; 1768 goto err;
1898 } 1769 }
1899 1770
1900 /* TLS does not like anon-DH with client cert */ 1771 /* TLS does not like anon-DH with client cert */
1901 if (s->version > SSL3_VERSION) 1772 if (s->version > SSL3_VERSION) {
1902 { 1773 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
1903 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1774 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1904 { 1775 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1905 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1906 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1907 goto err; 1776 goto err;
1908 }
1909 } 1777 }
1778 }
1910 1779
1911 p=d=(unsigned char *)s->init_msg; 1780 p = d=(unsigned char *)s->init_msg;
1912 1781
1913 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1782 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1914 { 1783 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1915 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1916 goto err; 1784 goto err;
1917 } 1785 }
1918 1786
1919 /* get the certificate types */ 1787 /* get the certificate types */
1920 ctype_num= *(p++); 1788 ctype_num= *(p++);
1921 if (ctype_num > SSL3_CT_NUMBER) 1789 if (ctype_num > SSL3_CT_NUMBER)
1922 ctype_num=SSL3_CT_NUMBER; 1790 ctype_num = SSL3_CT_NUMBER;
1923 for (i=0; i<ctype_num; i++) 1791 for (i = 0; i < ctype_num; i++)
1924 s->s3->tmp.ctype[i]= p[i]; 1792 s->s3->tmp.ctype[i] = p[i];
1925 p+=ctype_num; 1793 p += ctype_num;
1926 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1794 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1927 {
1928 n2s(p, llen); 1795 n2s(p, llen);
1929 /* Check we have enough room for signature algorithms and 1796 /* Check we have enough room for signature algorithms and
1930 * following length value. 1797 * following length value.
1931 */ 1798 */
1932 if ((unsigned long)(p - d + llen + 2) > n) 1799 if ((unsigned long)(p - d + llen + 2) > n) {
1933 { 1800 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1934 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1801 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_DATA_LENGTH_TOO_LONG);
1935 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
1936 goto err; 1802 goto err;
1937 } 1803 }
1938 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 1804 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) {
1939 { 1805 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1940 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1806 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1941 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1942 goto err; 1807 goto err;
1943 }
1944 p += llen;
1945 } 1808 }
1809 p += llen;
1810 }
1946 1811
1947 /* get the CA RDNs */ 1812 /* get the CA RDNs */
1948 n2s(p,llen); 1813 n2s(p, llen);
1949#if 0 1814#if 0
1950{ 1815 {
1951FILE *out; 1816 FILE *out;
1952out=fopen("/tmp/vsign.der","w"); 1817 out = fopen("/tmp/vsign.der", "w");
1953fwrite(p,1,llen,out); 1818 fwrite(p, 1, llen, out);
1954fclose(out); 1819 fclose(out);
1955} 1820 }
1956#endif 1821#endif
1957 1822
1958 if ((unsigned long)(p - d + llen) != n) 1823 if ((unsigned long)(p - d + llen) != n) {
1959 { 1824 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1960 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1825 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
1961 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1962 goto err; 1826 goto err;
1963 } 1827 }
1964 1828
1965 for (nc=0; nc<llen; ) 1829 for (nc = 0; nc < llen; ) {
1966 { 1830 n2s(p, l);
1967 n2s(p,l); 1831 if ((l + nc + 2) > llen) {
1968 if ((l+nc+2) > llen)
1969 {
1970 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1832 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1971 goto cont; /* netscape bugs */ 1833 goto cont; /* netscape bugs */
1972 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1834 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1973 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1835 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
1974 goto err; 1836 goto err;
1975 } 1837 }
1976 1838
1977 q=p; 1839 q = p;
1978 1840
1979 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1841 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
1980 {
1981 /* If netscape tolerance is on, ignore errors */ 1842 /* If netscape tolerance is on, ignore errors */
1982 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1843 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1983 goto cont; 1844 goto cont;
1984 else 1845 else {
1985 { 1846 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1986 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1847 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
1987 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1988 goto err; 1848 goto err;
1989 }
1990 } 1849 }
1850 }
1991 1851
1992 if (q != (p+l)) 1852 if (q != (p + l)) {
1993 { 1853 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1994 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1854 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_LENGTH_MISMATCH);
1995 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1996 goto err; 1855 goto err;
1997 } 1856 }
1998 if (!sk_X509_NAME_push(ca_sk,xn)) 1857 if (!sk_X509_NAME_push(ca_sk, xn)) {
1999 { 1858 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
2000 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
2001 goto err; 1859 goto err;
2002 }
2003
2004 p+=l;
2005 nc+=l+2;
2006 } 1860 }
2007 1861
2008 if (0) 1862 p += l;
2009 { 1863 nc += l + 2;
1864 }
1865
1866 if (0) {
2010cont: 1867cont:
2011 ERR_clear_error(); 1868 ERR_clear_error();
2012 } 1869 }
2013 1870
2014 /* we should setup a certificate to return.... */ 1871 /* we should setup a certificate to return.... */
2015 s->s3->tmp.cert_req=1; 1872 s->s3->tmp.cert_req = 1;
2016 s->s3->tmp.ctype_num=ctype_num; 1873 s->s3->tmp.ctype_num = ctype_num;
2017 if (s->s3->tmp.ca_names != NULL) 1874 if (s->s3->tmp.ca_names != NULL)
2018 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1875 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
2019 s->s3->tmp.ca_names=ca_sk; 1876 s->s3->tmp.ca_names = ca_sk;
2020 ca_sk=NULL; 1877 ca_sk = NULL;
2021 1878
2022 ret=1; 1879 ret = 1;
2023err: 1880err:
2024 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1881 if (ca_sk != NULL)
2025 return(ret); 1882 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2026 } 1883 return (ret);
1884}
1885
1886static int
1887ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1888{
1889 return (X509_NAME_cmp(*a, *b));
1890}
2027 1891
2028static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
2029 {
2030 return(X509_NAME_cmp(*a,*b));
2031 }
2032#ifndef OPENSSL_NO_TLSEXT 1892#ifndef OPENSSL_NO_TLSEXT
2033int ssl3_get_new_session_ticket(SSL *s) 1893int
2034 { 1894ssl3_get_new_session_ticket(SSL *s)
2035 int ok,al,ret=0, ticklen; 1895{
1896 int ok, al, ret = 0, ticklen;
2036 long n; 1897 long n;
2037 const unsigned char *p; 1898 const unsigned char *p;
2038 unsigned char *d; 1899 unsigned char *d;
2039 1900
2040 n=s->method->ssl_get_message(s, 1901 n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
2041 SSL3_ST_CR_SESSION_TICKET_A, 1902 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok);
2042 SSL3_ST_CR_SESSION_TICKET_B,
2043 -1,
2044 16384,
2045 &ok);
2046
2047 if (!ok) 1903 if (!ok)
2048 return((int)n); 1904 return ((int)n);
2049 1905
2050 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 1906 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) {
2051 { 1907 s->s3->tmp.reuse_message = 1;
2052 s->s3->tmp.reuse_message=1; 1908 return (1);
2053 return(1); 1909 }
2054 } 1910 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
2055 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 1911 al = SSL_AD_UNEXPECTED_MESSAGE;
2056 { 1912 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_BAD_MESSAGE_TYPE);
2057 al=SSL_AD_UNEXPECTED_MESSAGE;
2058 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
2059 goto f_err; 1913 goto f_err;
2060 } 1914 }
2061 if (n < 6) 1915 if (n < 6) {
2062 {
2063 /* need at least ticket_lifetime_hint + ticket length */ 1916 /* need at least ticket_lifetime_hint + ticket length */
2064 al = SSL_AD_DECODE_ERROR; 1917 al = SSL_AD_DECODE_ERROR;
2065 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1918 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2066 goto f_err; 1919 goto f_err;
2067 } 1920 }
2068 1921
2069 p=d=(unsigned char *)s->init_msg; 1922 p = d = (unsigned char *)s->init_msg;
2070 n2l(p, s->session->tlsext_tick_lifetime_hint); 1923 n2l(p, s->session->tlsext_tick_lifetime_hint);
2071 n2s(p, ticklen); 1924 n2s(p, ticklen);
2072 /* ticket_lifetime_hint + ticket_length + ticket */ 1925 /* ticket_lifetime_hint + ticket_length + ticket */
2073 if (ticklen + 6 != n) 1926 if (ticklen + 6 != n) {
2074 {
2075 al = SSL_AD_DECODE_ERROR; 1927 al = SSL_AD_DECODE_ERROR;
2076 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1928 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2077 goto f_err; 1929 goto f_err;
2078 } 1930 }
2079 if (s->session->tlsext_tick) 1931 if (s->session->tlsext_tick) {
2080 {
2081 OPENSSL_free(s->session->tlsext_tick); 1932 OPENSSL_free(s->session->tlsext_tick);
2082 s->session->tlsext_ticklen = 0; 1933 s->session->tlsext_ticklen = 0;
2083 } 1934 }
2084 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1935 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2085 if (!s->session->tlsext_tick) 1936 if (!s->session->tlsext_tick) {
2086 { 1937 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
2087 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
2088 goto err; 1938 goto err;
2089 } 1939 }
2090 memcpy(s->session->tlsext_tick, p, ticklen); 1940 memcpy(s->session->tlsext_tick, p, ticklen);
2091 s->session->tlsext_ticklen = ticklen; 1941 s->session->tlsext_ticklen = ticklen;
2092 /* There are two ways to detect a resumed ticket sesion. 1942 /* There are two ways to detect a resumed ticket sesion.
@@ -2105,122 +1955,116 @@ int ssl3_get_new_session_ticket(SSL *s)
2105 * ticket. 1955 * ticket.
2106 */ 1956 */
2107 EVP_Digest(p, ticklen, 1957 EVP_Digest(p, ticklen,
2108 s->session->session_id, &s->session->session_id_length, 1958 s->session->session_id, &s->session->session_id_length,
2109#ifndef OPENSSL_NO_SHA256 1959#ifndef OPENSSL_NO_SHA256
2110 EVP_sha256(), NULL); 1960 EVP_sha256(), NULL);
2111#else 1961#else
2112 EVP_sha1(), NULL); 1962 EVP_sha1(), NULL);
2113#endif 1963#endif
2114 ret=1; 1964 ret = 1;
2115 return(ret); 1965 return (ret);
2116f_err: 1966f_err:
2117 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1967 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2118err: 1968err:
2119 return(-1); 1969 return (-1);
2120 } 1970}
2121 1971
2122int ssl3_get_cert_status(SSL *s) 1972int
2123 { 1973ssl3_get_cert_status(SSL *s)
1974{
2124 int ok, al; 1975 int ok, al;
2125 unsigned long resplen,n; 1976 unsigned long resplen, n;
2126 const unsigned char *p; 1977 const unsigned char *p;
2127 1978
2128 n=s->method->ssl_get_message(s, 1979 n = s->method->ssl_get_message(s,
2129 SSL3_ST_CR_CERT_STATUS_A, 1980 SSL3_ST_CR_CERT_STATUS_A,
2130 SSL3_ST_CR_CERT_STATUS_B, 1981 SSL3_ST_CR_CERT_STATUS_B,
2131 SSL3_MT_CERTIFICATE_STATUS, 1982 SSL3_MT_CERTIFICATE_STATUS,
2132 16384, 1983 16384,
2133 &ok); 1984 &ok);
2134 1985
2135 if (!ok) return((int)n); 1986 if (!ok)
2136 if (n < 4) 1987 return ((int)n);
2137 { 1988 if (n < 4) {
2138 /* need at least status type + length */ 1989 /* need at least status type + length */
2139 al = SSL_AD_DECODE_ERROR; 1990 al = SSL_AD_DECODE_ERROR;
2140 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1991 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2141 goto f_err; 1992 goto f_err;
2142 } 1993 }
2143 p = (unsigned char *)s->init_msg; 1994 p = (unsigned char *)s->init_msg;
2144 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 1995 if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
2145 {
2146 al = SSL_AD_DECODE_ERROR; 1996 al = SSL_AD_DECODE_ERROR;
2147 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 1997 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
2148 goto f_err; 1998 goto f_err;
2149 } 1999 }
2150 n2l3(p, resplen); 2000 n2l3(p, resplen);
2151 if (resplen + 4 != n) 2001 if (resplen + 4 != n) {
2152 {
2153 al = SSL_AD_DECODE_ERROR; 2002 al = SSL_AD_DECODE_ERROR;
2154 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2003 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2155 goto f_err; 2004 goto f_err;
2156 } 2005 }
2157 if (s->tlsext_ocsp_resp) 2006 if (s->tlsext_ocsp_resp)
2158 OPENSSL_free(s->tlsext_ocsp_resp); 2007 OPENSSL_free(s->tlsext_ocsp_resp);
2159 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2008 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
2160 if (!s->tlsext_ocsp_resp) 2009 if (!s->tlsext_ocsp_resp) {
2161 {
2162 al = SSL_AD_INTERNAL_ERROR; 2010 al = SSL_AD_INTERNAL_ERROR;
2163 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2011 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2164 goto f_err; 2012 goto f_err;
2165 } 2013 }
2166 s->tlsext_ocsp_resplen = resplen; 2014 s->tlsext_ocsp_resplen = resplen;
2167 if (s->ctx->tlsext_status_cb) 2015 if (s->ctx->tlsext_status_cb) {
2168 {
2169 int ret; 2016 int ret;
2170 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2017 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2171 if (ret == 0) 2018 if (ret == 0) {
2172 {
2173 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2019 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2174 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2020 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_INVALID_STATUS_RESPONSE);
2175 goto f_err; 2021 goto f_err;
2176 } 2022 }
2177 if (ret < 0) 2023 if (ret < 0) {
2178 {
2179 al = SSL_AD_INTERNAL_ERROR; 2024 al = SSL_AD_INTERNAL_ERROR;
2180 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2025 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2181 goto f_err; 2026 goto f_err;
2182 }
2183 } 2027 }
2028 }
2184 return 1; 2029 return 1;
2185f_err: 2030f_err:
2186 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2031 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2187 return(-1); 2032 return (-1);
2188 } 2033}
2189#endif 2034#endif
2190 2035
2191int ssl3_get_server_done(SSL *s) 2036int
2192 { 2037ssl3_get_server_done(SSL *s)
2193 int ok,ret=0; 2038{
2039 int ok, ret = 0;
2194 long n; 2040 long n;
2195 2041
2196 n=s->method->ssl_get_message(s, 2042 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
2197 SSL3_ST_CR_SRVR_DONE_A, 2043 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
2198 SSL3_ST_CR_SRVR_DONE_B, 2044 30, /* should be very small, like 0 :-) */ &ok);
2199 SSL3_MT_SERVER_DONE,
2200 30, /* should be very small, like 0 :-) */
2201 &ok);
2202 2045
2203 if (!ok) return((int)n); 2046 if (!ok)
2204 if (n > 0) 2047 return ((int)n);
2205 { 2048 if (n > 0) {
2206 /* should contain no data */ 2049 /* should contain no data */
2207 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2050 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2208 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2051 SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
2209 return -1; 2052 return -1;
2210 }
2211 ret=1;
2212 return(ret);
2213 } 2053 }
2054 ret = 1;
2055 return (ret);
2056}
2214 2057
2215 2058
2216int ssl3_send_client_key_exchange(SSL *s) 2059int
2217 { 2060ssl3_send_client_key_exchange(SSL *s)
2218 unsigned char *p,*d; 2061{
2062 unsigned char *p, *d;
2219 int n; 2063 int n;
2220 unsigned long alg_k; 2064 unsigned long alg_k;
2221#ifndef OPENSSL_NO_RSA 2065#ifndef OPENSSL_NO_RSA
2222 unsigned char *q; 2066 unsigned char *q;
2223 EVP_PKEY *pkey=NULL; 2067 EVP_PKEY *pkey = NULL;
2224#endif 2068#endif
2225#ifndef OPENSSL_NO_KRB5 2069#ifndef OPENSSL_NO_KRB5
2226 KSSL_ERR kssl_err; 2070 KSSL_ERR kssl_err;
@@ -2234,77 +2078,73 @@ int ssl3_send_client_key_exchange(SSL *s)
2234 BN_CTX * bn_ctx = NULL; 2078 BN_CTX * bn_ctx = NULL;
2235#endif 2079#endif
2236 2080
2237 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 2081 if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
2238 { 2082 d = (unsigned char *)s->init_buf->data;
2239 d=(unsigned char *)s->init_buf->data; 2083 p = &(d[4]);
2240 p= &(d[4]);
2241 2084
2242 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2085 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2243 2086
2244 /* Fool emacs indentation */ 2087 /* Fool emacs indentation */
2245 if (0) {} 2088 if (0) {
2089 }
2246#ifndef OPENSSL_NO_RSA 2090#ifndef OPENSSL_NO_RSA
2247 else if (alg_k & SSL_kRSA) 2091 else if (alg_k & SSL_kRSA) {
2248 {
2249 RSA *rsa; 2092 RSA *rsa;
2250 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2093 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2251 2094
2252 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2095 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2253 rsa=s->session->sess_cert->peer_rsa_tmp; 2096 rsa = s->session->sess_cert->peer_rsa_tmp;
2254 else 2097 else {
2255 { 2098 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2256 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2257 if ((pkey == NULL) || 2099 if ((pkey == NULL) ||
2258 (pkey->type != EVP_PKEY_RSA) || 2100 (pkey->type != EVP_PKEY_RSA) ||
2259 (pkey->pkey.rsa == NULL)) 2101 (pkey->pkey.rsa == NULL)) {
2260 { 2102 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2261 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2262 goto err; 2103 goto err;
2263 }
2264 rsa=pkey->pkey.rsa;
2265 EVP_PKEY_free(pkey);
2266 } 2104 }
2267 2105 rsa = pkey->pkey.rsa;
2268 tmp_buf[0]=s->client_version>>8; 2106 EVP_PKEY_free(pkey);
2269 tmp_buf[1]=s->client_version&0xff; 2107 }
2270 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2108
2271 goto err; 2109 tmp_buf[0] = s->client_version >> 8;
2110 tmp_buf[1] = s->client_version & 0xff;
2111 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2112 goto err;
2272 2113
2273 s->session->master_key_length=sizeof tmp_buf; 2114 s->session->master_key_length = sizeof tmp_buf;
2274 2115
2275 q=p; 2116 q = p;
2276 /* Fix buf for TLS and beyond */ 2117 /* Fix buf for TLS and beyond */
2277 if (s->version > SSL3_VERSION) 2118 if (s->version > SSL3_VERSION)
2278 p+=2; 2119 p += 2;
2279 n=RSA_public_encrypt(sizeof tmp_buf, 2120 n = RSA_public_encrypt(sizeof tmp_buf,
2280 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2121 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2281#ifdef PKCS1_CHECK 2122#ifdef PKCS1_CHECK
2282 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2123 if (s->options & SSL_OP_PKCS1_CHECK_1)
2283 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2124 p[1]++;
2125 if (s->options & SSL_OP_PKCS1_CHECK_2)
2126 tmp_buf[0] = 0x70;
2284#endif 2127#endif
2285 if (n <= 0) 2128 if (n <= 0) {
2286 { 2129 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
2287 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
2288 goto err; 2130 goto err;
2289 } 2131 }
2290 2132
2291 /* Fix buf for TLS and beyond */ 2133 /* Fix buf for TLS and beyond */
2292 if (s->version > SSL3_VERSION) 2134 if (s->version > SSL3_VERSION) {
2293 { 2135 s2n(n, q);
2294 s2n(n,q); 2136 n += 2;
2295 n+=2;
2296 }
2297
2298 s->session->master_key_length=
2299 s->method->ssl3_enc->generate_master_secret(s,
2300 s->session->master_key,
2301 tmp_buf,sizeof tmp_buf);
2302 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2303 } 2137 }
2138
2139 s->session->master_key_length =
2140 s->method->ssl3_enc->generate_master_secret(
2141 s, s->session->master_key, tmp_buf,
2142 sizeof tmp_buf);
2143 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2144 }
2304#endif 2145#endif
2305#ifndef OPENSSL_NO_KRB5 2146#ifndef OPENSSL_NO_KRB5
2306 else if (alg_k & SSL_kKRB5) 2147 else if (alg_k & SSL_kKRB5) {
2307 {
2308 krb5_error_code krb5rc; 2148 krb5_error_code krb5rc;
2309 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2149 KSSL_CTX *kssl_ctx = s->kssl_ctx;
2310 /* krb5_data krb5_ap_req; */ 2150 /* krb5_data krb5_ap_req; */
@@ -2314,43 +2154,43 @@ int ssl3_send_client_key_exchange(SSL *s)
2314 const EVP_CIPHER *enc = NULL; 2154 const EVP_CIPHER *enc = NULL;
2315 unsigned char iv[EVP_MAX_IV_LENGTH]; 2155 unsigned char iv[EVP_MAX_IV_LENGTH];
2316 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2156 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2317 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2157 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2318 + EVP_MAX_IV_LENGTH]; 2158 + EVP_MAX_IV_LENGTH];
2319 int padl, outl = sizeof(epms); 2159 int padl, outl = sizeof(epms);
2320 2160
2321 EVP_CIPHER_CTX_init(&ciph_ctx); 2161 EVP_CIPHER_CTX_init(&ciph_ctx);
2322 2162
2323#ifdef KSSL_DEBUG 2163#ifdef KSSL_DEBUG
2324 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2164 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2325 alg_k, SSL_kKRB5); 2165 alg_k, SSL_kKRB5);
2326#endif /* KSSL_DEBUG */ 2166#endif /* KSSL_DEBUG */
2327 2167
2328 authp = NULL; 2168 authp = NULL;
2329#ifdef KRB5SENDAUTH 2169#ifdef KRB5SENDAUTH
2330 if (KRB5SENDAUTH) authp = &authenticator; 2170 if (KRB5SENDAUTH)
2171 authp = &authenticator;
2331#endif /* KRB5SENDAUTH */ 2172#endif /* KRB5SENDAUTH */
2332 2173
2333 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2174 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
2334 &kssl_err); 2175 authp, &kssl_err);
2335 enc = kssl_map_enc(kssl_ctx->enctype); 2176 enc = kssl_map_enc(kssl_ctx->enctype);
2336 if (enc == NULL) 2177 if (enc == NULL)
2337 goto err; 2178 goto err;
2338#ifdef KSSL_DEBUG 2179#ifdef KSSL_DEBUG
2339 { 2180 {
2340 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2181 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2341 if (krb5rc && kssl_err.text) 2182 if (krb5rc && kssl_err.text)
2342 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2183 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2343 } 2184 }
2344#endif /* KSSL_DEBUG */ 2185#endif /* KSSL_DEBUG */
2345 2186
2346 if (krb5rc) 2187 if (krb5rc) {
2347 { 2188 ssl3_send_alert(s, SSL3_AL_FATAL,
2348 ssl3_send_alert(s,SSL3_AL_FATAL, 2189 SSL_AD_HANDSHAKE_FAILURE);
2349 SSL_AD_HANDSHAKE_FAILURE);
2350 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2190 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2351 kssl_err.reason); 2191 kssl_err.reason);
2352 goto err; 2192 goto err;
2353 } 2193 }
2354 2194
2355 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2195 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2356 ** in place of RFC 2712 KerberosWrapper, as in: 2196 ** in place of RFC 2712 KerberosWrapper, as in:
@@ -2372,32 +2212,29 @@ int ssl3_send_client_key_exchange(SSL *s)
2372 */ 2212 */
2373 2213
2374 /* KerberosWrapper.Ticket */ 2214 /* KerberosWrapper.Ticket */
2375 s2n(enc_ticket->length,p); 2215 s2n(enc_ticket->length, p);
2376 memcpy(p, enc_ticket->data, enc_ticket->length); 2216 memcpy(p, enc_ticket->data, enc_ticket->length);
2377 p+= enc_ticket->length; 2217 p += enc_ticket->length;
2378 n = enc_ticket->length + 2; 2218 n = enc_ticket->length + 2;
2379 2219
2380 /* KerberosWrapper.Authenticator */ 2220 /* KerberosWrapper.Authenticator */
2381 if (authp && authp->length) 2221 if (authp && authp->length) {
2382 { 2222 s2n(authp->length, p);
2383 s2n(authp->length,p);
2384 memcpy(p, authp->data, authp->length); 2223 memcpy(p, authp->data, authp->length);
2385 p+= authp->length; 2224 p += authp->length;
2386 n+= authp->length + 2; 2225 n += authp->length + 2;
2387 2226
2388 free(authp->data); 2227 free(authp->data);
2389 authp->data = NULL; 2228 authp->data = NULL;
2390 authp->length = 0; 2229 authp->length = 0;
2391 } 2230 } else {
2392 else
2393 {
2394 s2n(0,p);/* null authenticator length */ 2231 s2n(0,p);/* null authenticator length */
2395 n+=2; 2232 n += 2;
2396 } 2233 }
2397 2234
2398 tmp_buf[0]=s->client_version>>8; 2235 tmp_buf[0] = s->client_version >> 8;
2399 tmp_buf[1]=s->client_version&0xff; 2236 tmp_buf[1] = s->client_version&0xff;
2400 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2237 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2401 goto err; 2238 goto err;
2402 2239
2403 /* 20010420 VRS. Tried it this way; failed. 2240 /* 20010420 VRS. Tried it this way; failed.
@@ -2407,104 +2244,97 @@ int ssl3_send_client_key_exchange(SSL *s)
2407 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2244 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2408 */ 2245 */
2409 2246
2410 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2247 memset(iv, 0, sizeof iv);
2411 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2248 /* per RFC 1510 */
2412 kssl_ctx->key,iv); 2249 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
2413 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2250 kssl_ctx->key, iv);
2414 sizeof tmp_buf); 2251 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
2415 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2252 sizeof tmp_buf);
2253 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
2416 outl += padl; 2254 outl += padl;
2417 if (outl > (int)sizeof epms) 2255 if (outl > (int)sizeof epms) {
2418 {
2419 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2256 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2420 goto err; 2257 goto err;
2421 } 2258 }
2422 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2259 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2423 2260
2424 /* KerberosWrapper.EncryptedPreMasterSecret */ 2261 /* KerberosWrapper.EncryptedPreMasterSecret */
2425 s2n(outl,p); 2262 s2n(outl, p);
2426 memcpy(p, epms, outl); 2263 memcpy(p, epms, outl);
2427 p+=outl; 2264 p += outl;
2428 n+=outl + 2; 2265 n += outl + 2;
2429 2266
2430 s->session->master_key_length= 2267 s->session->master_key_length =
2431 s->method->ssl3_enc->generate_master_secret(s, 2268 s->method->ssl3_enc->generate_master_secret(s,
2432 s->session->master_key, 2269 s->session->master_key,
2433 tmp_buf, sizeof tmp_buf); 2270 tmp_buf, sizeof tmp_buf);
2434 2271
2435 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2272 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2436 OPENSSL_cleanse(epms, outl); 2273 OPENSSL_cleanse(epms, outl);
2437 } 2274 }
2438#endif 2275#endif
2439#ifndef OPENSSL_NO_DH 2276#ifndef OPENSSL_NO_DH
2440 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2277 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2441 { 2278 DH *dh_srvr, *dh_clnt;
2442 DH *dh_srvr,*dh_clnt;
2443 2279
2444 if (s->session->sess_cert == NULL) 2280 if (s->session->sess_cert == NULL) {
2445 { 2281 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2446 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2282 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
2447 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2448 goto err; 2283 goto err;
2449 } 2284 }
2450 2285
2451 if (s->session->sess_cert->peer_dh_tmp != NULL) 2286 if (s->session->sess_cert->peer_dh_tmp != NULL)
2452 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2287 dh_srvr = s->session->sess_cert->peer_dh_tmp;
2453 else 2288 else {
2454 {
2455 /* we get them from the cert */ 2289 /* we get them from the cert */
2456 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2290 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2457 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2291 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2458 goto err; 2292 goto err;
2459 } 2293 }
2460 2294
2461 /* generate a new random key */ 2295 /* generate a new random key */
2462 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2296 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
2463 { 2297 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2464 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2465 goto err; 2298 goto err;
2466 } 2299 }
2467 if (!DH_generate_key(dh_clnt)) 2300 if (!DH_generate_key(dh_clnt)) {
2468 { 2301 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2469 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2470 DH_free(dh_clnt); 2302 DH_free(dh_clnt);
2471 goto err; 2303 goto err;
2472 } 2304 }
2473 2305
2474 /* use the 'p' output buffer for the DH key, but 2306 /* use the 'p' output buffer for the DH key, but
2475 * make sure to clear it out afterwards */ 2307 * make sure to clear it out afterwards */
2476 2308
2477 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2309 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
2478 2310
2479 if (n <= 0) 2311 if (n <= 0) {
2480 { 2312 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2481 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2482 DH_free(dh_clnt); 2313 DH_free(dh_clnt);
2483 goto err; 2314 goto err;
2484 } 2315 }
2485 2316
2486 /* generate master key from the result */ 2317 /* generate master key from the result */
2487 s->session->master_key_length= 2318 s->session->master_key_length =
2488 s->method->ssl3_enc->generate_master_secret(s, 2319 s->method->ssl3_enc->generate_master_secret(s,
2489 s->session->master_key,p,n); 2320 s->session->master_key, p, n);
2490 /* clean up */ 2321 /* clean up */
2491 memset(p,0,n); 2322 memset(p, 0, n);
2492 2323
2493 /* send off the data */ 2324 /* send off the data */
2494 n=BN_num_bytes(dh_clnt->pub_key); 2325 n = BN_num_bytes(dh_clnt->pub_key);
2495 s2n(n,p); 2326 s2n(n, p);
2496 BN_bn2bin(dh_clnt->pub_key,p); 2327 BN_bn2bin(dh_clnt->pub_key, p);
2497 n+=2; 2328 n += 2;
2498 2329
2499 DH_free(dh_clnt); 2330 DH_free(dh_clnt);
2500 2331
2501 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2332 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2502 } 2333 }
2503#endif 2334#endif
2504 2335
2505#ifndef OPENSSL_NO_ECDH 2336#ifndef OPENSSL_NO_ECDH
2506 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2337 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2507 {
2508 const EC_GROUP *srvr_group = NULL; 2338 const EC_GROUP *srvr_group = NULL;
2509 EC_KEY *tkey; 2339 EC_KEY *tkey;
2510 int ecdh_clnt_cert = 0; 2340 int ecdh_clnt_cert = 0;
@@ -2515,8 +2345,7 @@ int ssl3_send_client_key_exchange(SSL *s)
2515 * computation as part of client certificate? 2345 * computation as part of client certificate?
2516 * If so, set ecdh_clnt_cert to 1. 2346 * If so, set ecdh_clnt_cert to 1.
2517 */ 2347 */
2518 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2348 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) {
2519 {
2520 /* XXX: For now, we do not support client 2349 /* XXX: For now, we do not support client
2521 * authentication using ECDH certificates. 2350 * authentication using ECDH certificates.
2522 * To add such support, one needs to add 2351 * To add such support, one needs to add
@@ -2536,52 +2365,44 @@ int ssl3_send_client_key_exchange(SSL *s)
2536 * EVP_PKEY_EC) && ...) 2365 * EVP_PKEY_EC) && ...)
2537 * ecdh_clnt_cert = 1; 2366 * ecdh_clnt_cert = 1;
2538 */ 2367 */
2539 } 2368 }
2540 2369
2541 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2370 if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
2542 {
2543 tkey = s->session->sess_cert->peer_ecdh_tmp; 2371 tkey = s->session->sess_cert->peer_ecdh_tmp;
2544 } 2372 } else {
2545 else
2546 {
2547 /* Get the Server Public Key from Cert */ 2373 /* Get the Server Public Key from Cert */
2548 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2374 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2549 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2375 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2550 if ((srvr_pub_pkey == NULL) || 2376 if ((srvr_pub_pkey == NULL) ||
2551 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2377 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2552 (srvr_pub_pkey->pkey.ec == NULL)) 2378 (srvr_pub_pkey->pkey.ec == NULL)) {
2553 {
2554 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2379 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2555 ERR_R_INTERNAL_ERROR); 2380 ERR_R_INTERNAL_ERROR);
2556 goto err; 2381 goto err;
2557 } 2382 }
2558 2383
2559 tkey = srvr_pub_pkey->pkey.ec; 2384 tkey = srvr_pub_pkey->pkey.ec;
2560 } 2385 }
2561 2386
2562 srvr_group = EC_KEY_get0_group(tkey); 2387 srvr_group = EC_KEY_get0_group(tkey);
2563 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2388 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2564 2389
2565 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2390 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
2566 {
2567 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2391 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2568 ERR_R_INTERNAL_ERROR); 2392 ERR_R_INTERNAL_ERROR);
2569 goto err; 2393 goto err;
2570 } 2394 }
2571 2395
2572 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2396 if ((clnt_ecdh = EC_KEY_new()) == NULL) {
2573 { 2397 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2574 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2575 goto err; 2398 goto err;
2576 } 2399 }
2577 2400
2578 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2401 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
2579 { 2402 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2580 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2581 goto err; 2403 goto err;
2582 } 2404 }
2583 if (ecdh_clnt_cert) 2405 if (ecdh_clnt_cert) {
2584 {
2585 /* Reuse key info from our certificate 2406 /* Reuse key info from our certificate
2586 * We only need our private key to perform 2407 * We only need our private key to perform
2587 * the ECDH computation. 2408 * the ECDH computation.
@@ -2589,581 +2410,529 @@ int ssl3_send_client_key_exchange(SSL *s)
2589 const BIGNUM *priv_key; 2410 const BIGNUM *priv_key;
2590 tkey = s->cert->key->privatekey->pkey.ec; 2411 tkey = s->cert->key->privatekey->pkey.ec;
2591 priv_key = EC_KEY_get0_private_key(tkey); 2412 priv_key = EC_KEY_get0_private_key(tkey);
2592 if (priv_key == NULL) 2413 if (priv_key == NULL) {
2593 { 2414 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2594 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2595 goto err; 2415 goto err;
2596 } 2416 }
2597 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2417 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) {
2598 { 2418 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2600 goto err; 2419 goto err;
2601 }
2602 } 2420 }
2603 else 2421 } else {
2604 {
2605 /* Generate a new ECDH key pair */ 2422 /* Generate a new ECDH key pair */
2606 if (!(EC_KEY_generate_key(clnt_ecdh))) 2423 if (!(EC_KEY_generate_key(clnt_ecdh))) {
2607 {
2608 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2424 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2609 goto err; 2425 goto err;
2610 }
2611 } 2426 }
2427 }
2612 2428
2613 /* use the 'p' output buffer for the ECDH key, but 2429 /* use the 'p' output buffer for the ECDH key, but
2614 * make sure to clear it out afterwards 2430 * make sure to clear it out afterwards
2615 */ 2431 */
2616 2432
2617 field_size = EC_GROUP_get_degree(srvr_group); 2433 field_size = EC_GROUP_get_degree(srvr_group);
2618 if (field_size <= 0) 2434 if (field_size <= 0) {
2619 { 2435 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2620 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2436 ERR_R_ECDH_LIB);
2621 ERR_R_ECDH_LIB);
2622 goto err; 2437 goto err;
2623 } 2438 }
2624 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2439 n = ECDH_compute_key(p, (field_size + 7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2625 if (n <= 0) 2440 if (n <= 0) {
2626 { 2441 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2442 ERR_R_ECDH_LIB);
2628 ERR_R_ECDH_LIB);
2629 goto err; 2443 goto err;
2630 } 2444 }
2631 2445
2632 /* generate master key from the result */ 2446 /* generate master key from the result */
2633 s->session->master_key_length = s->method->ssl3_enc \ 2447 s->session->master_key_length = s->method->ssl3_enc \
2634 -> generate_master_secret(s, 2448 -> generate_master_secret(s,
2635 s->session->master_key, 2449 s->session->master_key,
2636 p, n); 2450 p, n);
2637 2451
2638 memset(p, 0, n); /* clean up */ 2452 memset(p, 0, n); /* clean up */
2639 2453
2640 if (ecdh_clnt_cert) 2454 if (ecdh_clnt_cert) {
2641 {
2642 /* Send empty client key exch message */ 2455 /* Send empty client key exch message */
2643 n = 0; 2456 n = 0;
2644 } 2457 } else {
2645 else
2646 {
2647 /* First check the size of encoding and 2458 /* First check the size of encoding and
2648 * allocate memory accordingly. 2459 * allocate memory accordingly.
2649 */ 2460 */
2650 encoded_pt_len = 2461 encoded_pt_len =
2651 EC_POINT_point2oct(srvr_group, 2462 EC_POINT_point2oct(srvr_group,
2652 EC_KEY_get0_public_key(clnt_ecdh), 2463 EC_KEY_get0_public_key(clnt_ecdh),
2653 POINT_CONVERSION_UNCOMPRESSED, 2464 POINT_CONVERSION_UNCOMPRESSED,
2654 NULL, 0, NULL); 2465 NULL, 0, NULL);
2655 2466
2656 encodedPoint = (unsigned char *) 2467 encodedPoint =
2657 OPENSSL_malloc(encoded_pt_len * 2468 (unsigned char *)OPENSSL_malloc(
2658 sizeof(unsigned char)); 2469 encoded_pt_len * sizeof(unsigned char));
2470
2659 bn_ctx = BN_CTX_new(); 2471 bn_ctx = BN_CTX_new();
2660 if ((encodedPoint == NULL) || 2472 if ((encodedPoint == NULL) ||
2661 (bn_ctx == NULL)) 2473 (bn_ctx == NULL)) {
2662 { 2474 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2663 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2664 goto err; 2475 goto err;
2665 } 2476 }
2666 2477
2667 /* Encode the public key */ 2478 /* Encode the public key */
2668 n = EC_POINT_point2oct(srvr_group, 2479 n = EC_POINT_point2oct(srvr_group,
2669 EC_KEY_get0_public_key(clnt_ecdh), 2480 EC_KEY_get0_public_key(clnt_ecdh),
2670 POINT_CONVERSION_UNCOMPRESSED, 2481 POINT_CONVERSION_UNCOMPRESSED,
2671 encodedPoint, encoded_pt_len, bn_ctx); 2482 encodedPoint, encoded_pt_len, bn_ctx);
2672 2483
2673 *p = n; /* length of encoded point */ 2484 *p = n; /* length of encoded point */
2674 /* Encoded point will be copied here */ 2485 /* Encoded point will be copied here */
2675 p += 1; 2486 p += 1;
2487
2676 /* copy the point */ 2488 /* copy the point */
2677 memcpy((unsigned char *)p, encodedPoint, n); 2489 memcpy((unsigned char *)p, encodedPoint, n);
2678 /* increment n to account for length field */ 2490 /* increment n to account for length field */
2679 n += 1; 2491 n += 1;
2680 } 2492
2493 }
2681 2494
2682 /* Free allocated memory */ 2495 /* Free allocated memory */
2683 BN_CTX_free(bn_ctx); 2496 BN_CTX_free(bn_ctx);
2684 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2497 if (encodedPoint != NULL)
2685 if (clnt_ecdh != NULL) 2498 OPENSSL_free(encodedPoint);
2686 EC_KEY_free(clnt_ecdh); 2499 if (clnt_ecdh != NULL)
2500 EC_KEY_free(clnt_ecdh);
2687 EVP_PKEY_free(srvr_pub_pkey); 2501 EVP_PKEY_free(srvr_pub_pkey);
2688 } 2502 }
2689#endif /* !OPENSSL_NO_ECDH */ 2503#endif /* !OPENSSL_NO_ECDH */
2690 else if (alg_k & SSL_kGOST) 2504 else if (alg_k & SSL_kGOST) {
2691 {
2692 /* GOST key exchange message creation */ 2505 /* GOST key exchange message creation */
2693 EVP_PKEY_CTX *pkey_ctx; 2506 EVP_PKEY_CTX *pkey_ctx;
2694 X509 *peer_cert; 2507 X509 *peer_cert;
2508
2695 size_t msglen; 2509 size_t msglen;
2696 unsigned int md_len; 2510 unsigned int md_len;
2697 int keytype; 2511 int keytype;
2698 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2512 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
2699 EVP_MD_CTX *ukm_hash; 2513 EVP_MD_CTX *ukm_hash;
2700 EVP_PKEY *pub_key; 2514 EVP_PKEY *pub_key;
2701 2515
2702 /* Get server sertificate PKEY and create ctx from it */ 2516 /* Get server sertificate PKEY and create ctx from it */
2703 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2517 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST01)].x509;
2704 if (!peer_cert) 2518 if (!peer_cert)
2705 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2519 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST94)].x509;
2706 if (!peer_cert) { 2520 if (!peer_cert) {
2707 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2521 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2708 goto err; 2522 goto err;
2709 } 2523 }
2710 2524
2711 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2525 pkey_ctx = EVP_PKEY_CTX_new(pub_key = X509_get_pubkey(peer_cert), NULL);
2712 /* If we have send a certificate, and certificate key 2526 /* If we have send a certificate, and certificate key
2713 2527
2714 * parameters match those of server certificate, use 2528 * parameters match those of server certificate, use
2715 * certificate key for key exchange 2529 * certificate key for key exchange
2716 */ 2530 */
2717 2531
2718 /* Otherwise, generate ephemeral key pair */ 2532 /* Otherwise, generate ephemeral key pair */
2719 2533
2720 EVP_PKEY_encrypt_init(pkey_ctx); 2534 EVP_PKEY_encrypt_init(pkey_ctx);
2721 /* Generate session key */ 2535 /* Generate session key */
2722 RAND_bytes(premaster_secret,32); 2536 RAND_bytes(premaster_secret, 32);
2723 /* If we have client certificate, use its secret as peer key */ 2537 /* If we have client certificate, use its secret as peer key */
2724 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2538 if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2725 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2539 if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <=0) {
2726 /* If there was an error - just ignore it. Ephemeral key 2540 /* If there was an error - just ignore it. Ephemeral key
2727 * would be used 2541 * would be used
2728 */ 2542 */
2729 ERR_clear_error(); 2543 ERR_clear_error();
2730 } 2544 }
2731 } 2545 }
2732 /* Compute shared IV and store it in algorithm-specific 2546 /* Compute shared IV and store it in algorithm-specific
2733 * context data */ 2547 * context data */
2734 ukm_hash = EVP_MD_CTX_create(); 2548 ukm_hash = EVP_MD_CTX_create();
2735 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2549 EVP_DigestInit(ukm_hash, EVP_get_digestbynid(NID_id_GostR3411_94));
2736 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2550 EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE);
2737 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2551 EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE);
2738 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2552 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2739 EVP_MD_CTX_destroy(ukm_hash); 2553 EVP_MD_CTX_destroy(ukm_hash);
2740 if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2554 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV,
2741 8,shared_ukm)<0) { 2555 8, shared_ukm) < 0) {
2742 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2556 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2743 SSL_R_LIBRARY_BUG); 2557 SSL_R_LIBRARY_BUG);
2744 goto err; 2558 goto err;
2745 } 2559 }
2746 /* Make GOST keytransport blob message */ 2560 /* Make GOST keytransport blob message */
2747 /*Encapsulate it into sequence */ 2561 /*Encapsulate it into sequence */
2748 *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2562 *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2749 msglen=255; 2563 msglen = 255;
2750 if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2564 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32) < 0) {
2751 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2565 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2752 SSL_R_LIBRARY_BUG); 2566 SSL_R_LIBRARY_BUG);
2753 goto err; 2567 goto err;
2754 } 2568 }
2755 if (msglen >= 0x80) 2569 if (msglen >= 0x80) {
2756 { 2570 *(p++) = 0x81;
2757 *(p++)=0x81; 2571 *(p++) = msglen & 0xff;
2758 *(p++)= msglen & 0xff; 2572 n = msglen + 3;
2759 n=msglen+3; 2573 } else {
2760 } 2574 *(p++) = msglen & 0xff;
2761 else 2575 n = msglen + 2;
2762 { 2576 }
2763 *(p++)= msglen & 0xff;
2764 n=msglen+2;
2765 }
2766 memcpy(p, tmp, msglen); 2577 memcpy(p, tmp, msglen);
2767 /* Check if pubkey from client certificate was used */ 2578 /* Check if pubkey from client certificate was used */
2768 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2579 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) {
2769 {
2770 /* Set flag "skip certificate verify" */ 2580 /* Set flag "skip certificate verify" */
2771 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2581 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2772 } 2582 }
2773 EVP_PKEY_CTX_free(pkey_ctx); 2583 EVP_PKEY_CTX_free(pkey_ctx);
2774 s->session->master_key_length= 2584 s->session->master_key_length =
2775 s->method->ssl3_enc->generate_master_secret(s, 2585 s->method->ssl3_enc->generate_master_secret(s,
2776 s->session->master_key,premaster_secret,32); 2586 s->session->master_key, premaster_secret, 32);
2777 EVP_PKEY_free(pub_key); 2587 EVP_PKEY_free(pub_key);
2778 2588
2779 } 2589 }
2780#ifndef OPENSSL_NO_SRP 2590#ifndef OPENSSL_NO_SRP
2781 else if (alg_k & SSL_kSRP) 2591 else if (alg_k & SSL_kSRP) {
2782 { 2592 if (s->srp_ctx.A != NULL) {
2783 if (s->srp_ctx.A != NULL)
2784 {
2785 /* send off the data */ 2593 /* send off the data */
2786 n=BN_num_bytes(s->srp_ctx.A); 2594 n = BN_num_bytes(s->srp_ctx.A);
2787 s2n(n,p); 2595 s2n(n, p);
2788 BN_bn2bin(s->srp_ctx.A,p); 2596 BN_bn2bin(s->srp_ctx.A, p);
2789 n+=2; 2597 n += 2;
2790 } 2598 } else {
2791 else 2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2792 {
2793 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2794 goto err; 2600 goto err;
2795 } 2601 }
2796 if (s->session->srp_username != NULL) 2602 if (s->session->srp_username != NULL)
2797 OPENSSL_free(s->session->srp_username); 2603 OPENSSL_free(s->session->srp_username);
2798 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2604 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2799 if (s->session->srp_username == NULL) 2605 if (s->session->srp_username == NULL) {
2800 {
2801 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2606 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2802 ERR_R_MALLOC_FAILURE); 2607 ERR_R_MALLOC_FAILURE);
2803 goto err; 2608 goto err;
2804 } 2609 }
2805 2610
2806 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 2611 if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
2807 { 2612 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2808 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2809 goto err; 2613 goto err;
2810 }
2811 } 2614 }
2615 }
2812#endif 2616#endif
2813#ifndef OPENSSL_NO_PSK 2617#ifndef OPENSSL_NO_PSK
2814 else if (alg_k & SSL_kPSK) 2618 else if (alg_k & SSL_kPSK) {
2815 {
2816 char identity[PSK_MAX_IDENTITY_LEN]; 2619 char identity[PSK_MAX_IDENTITY_LEN];
2817 unsigned char *t = NULL; 2620 unsigned char *t = NULL;
2818 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2621 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2819 unsigned int pre_ms_len = 0, psk_len = 0; 2622 unsigned int pre_ms_len = 0, psk_len = 0;
2820 int psk_err = 1; 2623 int psk_err = 1;
2821 2624
2822 n = 0; 2625 n = 0;
2823 if (s->psk_client_callback == NULL) 2626 if (s->psk_client_callback == NULL) {
2824 {
2825 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2826 SSL_R_PSK_NO_CLIENT_CB); 2628 SSL_R_PSK_NO_CLIENT_CB);
2827 goto err; 2629 goto err;
2828 } 2630 }
2829 2631
2830 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2632 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
2831 identity, PSK_MAX_IDENTITY_LEN, 2633 identity, PSK_MAX_IDENTITY_LEN,
2832 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2634 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2833 if (psk_len > PSK_MAX_PSK_LEN) 2635 if (psk_len > PSK_MAX_PSK_LEN) {
2834 {
2835 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2636 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2836 ERR_R_INTERNAL_ERROR); 2637 ERR_R_INTERNAL_ERROR);
2837 goto psk_err; 2638 goto psk_err;
2838 } 2639 } else if (psk_len == 0) {
2839 else if (psk_len == 0)
2840 {
2841 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2640 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2842 SSL_R_PSK_IDENTITY_NOT_FOUND); 2641 SSL_R_PSK_IDENTITY_NOT_FOUND);
2843 goto psk_err; 2642 goto psk_err;
2844 } 2643 }
2845 2644
2846 /* create PSK pre_master_secret */ 2645 /* create PSK pre_master_secret */
2847 pre_ms_len = 2+psk_len+2+psk_len; 2646 pre_ms_len = 2 + psk_len + 2 + psk_len;
2848 t = psk_or_pre_ms; 2647 t = psk_or_pre_ms;
2849 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2648 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2850 s2n(psk_len, t); 2649 s2n(psk_len, t);
2851 memset(t, 0, psk_len); 2650 memset(t, 0, psk_len);
2852 t+=psk_len; 2651 t += psk_len;
2853 s2n(psk_len, t); 2652 s2n(psk_len, t);
2854 2653
2855 if (s->session->psk_identity_hint != NULL) 2654 if (s->session->psk_identity_hint != NULL)
2856 OPENSSL_free(s->session->psk_identity_hint); 2655 OPENSSL_free(s->session->psk_identity_hint);
2857 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2656 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2858 if (s->ctx->psk_identity_hint != NULL && 2657 if (s->ctx->psk_identity_hint != NULL &&
2859 s->session->psk_identity_hint == NULL) 2658 s->session->psk_identity_hint == NULL) {
2860 {
2861 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2659 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2862 ERR_R_MALLOC_FAILURE); 2660 ERR_R_MALLOC_FAILURE);
2863 goto psk_err; 2661 goto psk_err;
2864 } 2662 }
2865 2663
2866 if (s->session->psk_identity != NULL) 2664 if (s->session->psk_identity != NULL)
2867 OPENSSL_free(s->session->psk_identity); 2665 OPENSSL_free(s->session->psk_identity);
2868 s->session->psk_identity = BUF_strdup(identity); 2666 s->session->psk_identity = BUF_strdup(identity);
2869 if (s->session->psk_identity == NULL) 2667 if (s->session->psk_identity == NULL) {
2870 {
2871 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2668 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2872 ERR_R_MALLOC_FAILURE); 2669 ERR_R_MALLOC_FAILURE);
2873 goto psk_err; 2670 goto psk_err;
2874 } 2671 }
2875 2672
2876 s->session->master_key_length = 2673 s->session->master_key_length =
2877 s->method->ssl3_enc->generate_master_secret(s, 2674 s->method->ssl3_enc->generate_master_secret(
2878 s->session->master_key, 2675 s, s->session->master_key, psk_or_pre_ms,
2879 psk_or_pre_ms, pre_ms_len); 2676 pre_ms_len);
2677
2880 n = strlen(identity); 2678 n = strlen(identity);
2881 s2n(n, p); 2679 s2n(n, p);
2882 memcpy(p, identity, n); 2680 memcpy(p, identity, n);
2883 n+=2; 2681 n += 2;
2884 psk_err = 0; 2682 psk_err = 0;
2885 psk_err: 2683 psk_err:
2886 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2684 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2887 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2685 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2888 if (psk_err != 0) 2686 if (psk_err != 0) {
2889 {
2890 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2687 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2891 goto err; 2688 goto err;
2892 }
2893 } 2689 }
2690 }
2894#endif 2691#endif
2895 else 2692 else {
2896 {
2897 ssl3_send_alert(s, SSL3_AL_FATAL, 2693 ssl3_send_alert(s, SSL3_AL_FATAL,
2898 SSL_AD_HANDSHAKE_FAILURE); 2694 SSL_AD_HANDSHAKE_FAILURE);
2899 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2695 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2900 ERR_R_INTERNAL_ERROR); 2696 ERR_R_INTERNAL_ERROR);
2901 goto err; 2697 goto err;
2902 } 2698 }
2903
2904 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2905 l2n3(n,d);
2906 2699
2907 s->state=SSL3_ST_CW_KEY_EXCH_B; 2700 *(d++) = SSL3_MT_CLIENT_KEY_EXCHANGE;
2701 l2n3(n, d);
2702
2703 s->state = SSL3_ST_CW_KEY_EXCH_B;
2908 /* number of bytes to write */ 2704 /* number of bytes to write */
2909 s->init_num=n+4; 2705 s->init_num = n + 4;
2910 s->init_off=0; 2706 s->init_off = 0;
2911 } 2707 }
2912 2708
2913 /* SSL3_ST_CW_KEY_EXCH_B */ 2709 /* SSL3_ST_CW_KEY_EXCH_B */
2914 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2710 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2915err: 2711err:
2916#ifndef OPENSSL_NO_ECDH 2712#ifndef OPENSSL_NO_ECDH
2917 BN_CTX_free(bn_ctx); 2713 BN_CTX_free(bn_ctx);
2918 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2714 if (encodedPoint != NULL)
2919 if (clnt_ecdh != NULL) 2715 OPENSSL_free(encodedPoint);
2716 if (clnt_ecdh != NULL)
2920 EC_KEY_free(clnt_ecdh); 2717 EC_KEY_free(clnt_ecdh);
2921 EVP_PKEY_free(srvr_pub_pkey); 2718 EVP_PKEY_free(srvr_pub_pkey);
2922#endif 2719#endif
2923 return(-1); 2720 return (-1);
2924 } 2721}
2925 2722
2926int ssl3_send_client_verify(SSL *s) 2723int
2927 { 2724ssl3_send_client_verify(SSL *s)
2928 unsigned char *p,*d; 2725{
2929 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2726 unsigned char *p, *d;
2727 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2930 EVP_PKEY *pkey; 2728 EVP_PKEY *pkey;
2931 EVP_PKEY_CTX *pctx=NULL; 2729 EVP_PKEY_CTX *pctx = NULL;
2932 EVP_MD_CTX mctx; 2730 EVP_MD_CTX mctx;
2933 unsigned u=0; 2731 unsigned u = 0;
2934 unsigned long n; 2732 unsigned long n;
2935 int j; 2733 int j;
2936 2734
2937 EVP_MD_CTX_init(&mctx); 2735 EVP_MD_CTX_init(&mctx);
2938 2736
2939 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2737 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
2940 { 2738 d = (unsigned char *)s->init_buf->data;
2941 d=(unsigned char *)s->init_buf->data; 2739 p = &(d[4]);
2942 p= &(d[4]); 2740 pkey = s->cert->key->privatekey;
2943 pkey=s->cert->key->privatekey;
2944/* Create context from key and test if sha1 is allowed as digest */ 2741/* Create context from key and test if sha1 is allowed as digest */
2945 pctx = EVP_PKEY_CTX_new(pkey,NULL); 2742 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2946 EVP_PKEY_sign_init(pctx); 2743 EVP_PKEY_sign_init(pctx);
2947 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2744 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
2948 {
2949 if (TLS1_get_version(s) < TLS1_2_VERSION) 2745 if (TLS1_get_version(s) < TLS1_2_VERSION)
2950 s->method->ssl3_enc->cert_verify_mac(s, 2746 s->method->ssl3_enc->cert_verify_mac(s,
2951 NID_sha1, 2747 NID_sha1,
2952 &(data[MD5_DIGEST_LENGTH])); 2748 &(data[MD5_DIGEST_LENGTH]));
2953 } 2749 } else {
2954 else
2955 {
2956 ERR_clear_error(); 2750 ERR_clear_error();
2957 } 2751 }
2958 /* For TLS v1.2 send signature algorithm and signature 2752 /* For TLS v1.2 send signature algorithm and signature
2959 * using agreed digest and cached handshake records. 2753 * using agreed digest and cached handshake records.
2960 */ 2754 */
2961 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2755 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2962 {
2963 long hdatalen = 0; 2756 long hdatalen = 0;
2964 void *hdata; 2757 void *hdata;
2965 const EVP_MD *md = s->cert->key->digest; 2758 const EVP_MD *md = s->cert->key->digest;
2966 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 2759 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2967 &hdata); 2760 &hdata);
2968 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 2761 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
2969 {
2970 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2762 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2971 ERR_R_INTERNAL_ERROR); 2763 ERR_R_INTERNAL_ERROR);
2972 goto err; 2764 goto err;
2973 } 2765 }
2974 p += 2; 2766 p += 2;
2975#ifdef SSL_DEBUG 2767#ifdef SSL_DEBUG
2976 fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 2768 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2977 EVP_MD_name(md)); 2769 EVP_MD_name(md));
2978#endif 2770#endif
2979 if (!EVP_SignInit_ex(&mctx, md, NULL) 2771 if (!EVP_SignInit_ex(&mctx, md, NULL) ||
2980 || !EVP_SignUpdate(&mctx, hdata, hdatalen) 2772 !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
2981 || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 2773 !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
2982 {
2983 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2774 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2984 ERR_R_EVP_LIB); 2775 ERR_R_EVP_LIB);
2985 goto err; 2776 goto err;
2986 } 2777 }
2987 s2n(u,p); 2778 s2n(u, p);
2988 n = u + 4; 2779 n = u + 4;
2989 if (!ssl3_digest_cached_records(s)) 2780 if (!ssl3_digest_cached_records(s))
2990 goto err; 2781 goto err;
2991 } 2782 } else
2992 else
2993#ifndef OPENSSL_NO_RSA 2783#ifndef OPENSSL_NO_RSA
2994 if (pkey->type == EVP_PKEY_RSA) 2784 if (pkey->type == EVP_PKEY_RSA) {
2995 { 2785 s->method->ssl3_enc->cert_verify_mac(
2996 s->method->ssl3_enc->cert_verify_mac(s, 2786 s, NID_md5, &(data[0]));
2997 NID_md5,
2998 &(data[0]));
2999 if (RSA_sign(NID_md5_sha1, data, 2787 if (RSA_sign(NID_md5_sha1, data,
3000 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 2788 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
3001 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 2789 &u, pkey->pkey.rsa) <= 0 ) {
3002 { 2790 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB);
3003 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
3004 goto err; 2791 goto err;
3005 }
3006 s2n(u,p);
3007 n=u+2;
3008 } 2792 }
3009 else 2793 s2n(u, p);
2794 n = u + 2;
2795 } else
3010#endif 2796#endif
3011#ifndef OPENSSL_NO_DSA 2797#ifndef OPENSSL_NO_DSA
3012 if (pkey->type == EVP_PKEY_DSA) 2798 if (pkey->type == EVP_PKEY_DSA) {
3013 {
3014 if (!DSA_sign(pkey->save_type, 2799 if (!DSA_sign(pkey->save_type,
3015 &(data[MD5_DIGEST_LENGTH]), 2800 &(data[MD5_DIGEST_LENGTH]),
3016 SHA_DIGEST_LENGTH,&(p[2]), 2801 SHA_DIGEST_LENGTH, &(p[2]),
3017 (unsigned int *)&j,pkey->pkey.dsa)) 2802 (unsigned int *)&j, pkey->pkey.dsa)) {
3018 { 2803 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB);
3019 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
3020 goto err; 2804 goto err;
3021 }
3022 s2n(j,p);
3023 n=j+2;
3024 } 2805 }
3025 else 2806 s2n(j, p);
2807 n = j + 2;
2808 } else
3026#endif 2809#endif
3027#ifndef OPENSSL_NO_ECDSA 2810#ifndef OPENSSL_NO_ECDSA
3028 if (pkey->type == EVP_PKEY_EC) 2811 if (pkey->type == EVP_PKEY_EC) {
3029 {
3030 if (!ECDSA_sign(pkey->save_type, 2812 if (!ECDSA_sign(pkey->save_type,
3031 &(data[MD5_DIGEST_LENGTH]), 2813 &(data[MD5_DIGEST_LENGTH]),
3032 SHA_DIGEST_LENGTH,&(p[2]), 2814 SHA_DIGEST_LENGTH, &(p[2]),
3033 (unsigned int *)&j,pkey->pkey.ec)) 2815 (unsigned int *)&j, pkey->pkey.ec)) {
3034 {
3035 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2816 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3036 ERR_R_ECDSA_LIB); 2817 ERR_R_ECDSA_LIB);
3037 goto err; 2818 goto err;
3038 }
3039 s2n(j,p);
3040 n=j+2;
3041 } 2819 }
3042 else 2820 s2n(j, p);
2821 n = j + 2;
2822 } else
3043#endif 2823#endif
3044 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2824 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3045 { 2825 unsigned char signbuf[64];
3046 unsigned char signbuf[64]; 2826 int i;
3047 int i; 2827 size_t sigsize = 64;
3048 size_t sigsize=64; 2828 s->method->ssl3_enc->cert_verify_mac(s,
3049 s->method->ssl3_enc->cert_verify_mac(s,
3050 NID_id_GostR3411_94, 2829 NID_id_GostR3411_94,
3051 data); 2830 data);
3052 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 2831 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
3053 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2832 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3054 ERR_R_INTERNAL_ERROR); 2833 ERR_R_INTERNAL_ERROR);
3055 goto err; 2834 goto err;
3056 } 2835 }
3057 for (i=63,j=0; i>=0; j++, i--) { 2836 for (i = 63, j = 0; i >= 0; j++, i--) {
3058 p[2+j]=signbuf[i]; 2837 p[2 + j] = signbuf[i];
3059 } 2838 }
3060 s2n(j,p); 2839 s2n(j, p);
3061 n=j+2; 2840 n = j + 2;
3062 } 2841 } else {
3063 else 2842 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
3064 {
3065 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
3066 goto err; 2843 goto err;
3067 } 2844 }
3068 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 2845 *(d++) = SSL3_MT_CERTIFICATE_VERIFY;
3069 l2n3(n,d); 2846 l2n3(n, d);
3070 2847
3071 s->state=SSL3_ST_CW_CERT_VRFY_B; 2848 s->state = SSL3_ST_CW_CERT_VRFY_B;
3072 s->init_num=(int)n+4; 2849 s->init_num = (int)n + 4;
3073 s->init_off=0; 2850 s->init_off = 0;
3074 } 2851 }
3075 EVP_MD_CTX_cleanup(&mctx); 2852 EVP_MD_CTX_cleanup(&mctx);
3076 EVP_PKEY_CTX_free(pctx); 2853 EVP_PKEY_CTX_free(pctx);
3077 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2854 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3078err: 2855err:
3079 EVP_MD_CTX_cleanup(&mctx); 2856 EVP_MD_CTX_cleanup(&mctx);
3080 EVP_PKEY_CTX_free(pctx); 2857 EVP_PKEY_CTX_free(pctx);
3081 return(-1); 2858 return (-1);
3082 } 2859}
3083 2860
3084int ssl3_send_client_certificate(SSL *s) 2861int
3085 { 2862ssl3_send_client_certificate(SSL *s)
3086 X509 *x509=NULL; 2863{
3087 EVP_PKEY *pkey=NULL; 2864 X509 *x509 = NULL;
2865 EVP_PKEY *pkey = NULL;
3088 int i; 2866 int i;
3089 unsigned long l; 2867 unsigned long l;
3090 2868
3091 if (s->state == SSL3_ST_CW_CERT_A) 2869 if (s->state == SSL3_ST_CW_CERT_A) {
3092 { 2870 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
3093 if ((s->cert == NULL) || 2871 (s->cert->key->privatekey == NULL))
3094 (s->cert->key->x509 == NULL) || 2872 s->state = SSL3_ST_CW_CERT_B;
3095 (s->cert->key->privatekey == NULL))
3096 s->state=SSL3_ST_CW_CERT_B;
3097 else 2873 else
3098 s->state=SSL3_ST_CW_CERT_C; 2874 s->state = SSL3_ST_CW_CERT_C;
3099 } 2875 }
3100 2876
3101 /* We need to get a client cert */ 2877 /* We need to get a client cert */
3102 if (s->state == SSL3_ST_CW_CERT_B) 2878 if (s->state == SSL3_ST_CW_CERT_B) {
3103 {
3104 /* If we get an error, we need to 2879 /* If we get an error, we need to
3105 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 2880 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
3106 * We then get retied later */ 2881 * We then get retied later */
3107 i=0; 2882 i = 0;
3108 i = ssl_do_client_cert_cb(s, &x509, &pkey); 2883 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3109 if (i < 0) 2884 if (i < 0) {
3110 { 2885 s->rwstate = SSL_X509_LOOKUP;
3111 s->rwstate=SSL_X509_LOOKUP; 2886 return (-1);
3112 return(-1); 2887 }
3113 } 2888 s->rwstate = SSL_NOTHING;
3114 s->rwstate=SSL_NOTHING; 2889 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3115 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 2890 s->state = SSL3_ST_CW_CERT_B;
3116 { 2891 if (!SSL_use_certificate(s, x509) ||
3117 s->state=SSL3_ST_CW_CERT_B; 2892 !SSL_use_PrivateKey(s, pkey))
3118 if ( !SSL_use_certificate(s,x509) || 2893 i = 0;
3119 !SSL_use_PrivateKey(s,pkey)) 2894 } else if (i == 1) {
3120 i=0; 2895 i = 0;
3121 } 2896 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3122 else if (i == 1) 2897 }
3123 { 2898
3124 i=0; 2899 if (x509 != NULL)
3125 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 2900 X509_free(x509);
3126 } 2901 if (pkey != NULL)
3127 2902 EVP_PKEY_free(pkey);
3128 if (x509 != NULL) X509_free(x509); 2903 if (i == 0) {
3129 if (pkey != NULL) EVP_PKEY_free(pkey); 2904 if (s->version == SSL3_VERSION) {
3130 if (i == 0) 2905 s->s3->tmp.cert_req = 0;
3131 { 2906 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3132 if (s->version == SSL3_VERSION) 2907 return (1);
3133 { 2908 } else {
3134 s->s3->tmp.cert_req=0; 2909 s->s3->tmp.cert_req = 2;
3135 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
3136 return(1);
3137 }
3138 else
3139 {
3140 s->s3->tmp.cert_req=2;
3141 }
3142 } 2910 }
2911 }
3143 2912
3144 /* Ok, we have a cert */ 2913 /* Ok, we have a cert */
3145 s->state=SSL3_ST_CW_CERT_C; 2914 s->state = SSL3_ST_CW_CERT_C;
3146 } 2915 }
3147 2916
3148 if (s->state == SSL3_ST_CW_CERT_C) 2917 if (s->state == SSL3_ST_CW_CERT_C) {
3149 { 2918 s->state = SSL3_ST_CW_CERT_D;
3150 s->state=SSL3_ST_CW_CERT_D; 2919 l = ssl3_output_cert_chain(s,
3151 l=ssl3_output_cert_chain(s, 2920 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
3152 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 2921 s->init_num = (int)l;
3153 s->init_num=(int)l; 2922 s->init_off = 0;
3154 s->init_off=0;
3155 }
3156 /* SSL3_ST_CW_CERT_D */
3157 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3158 } 2923 }
2924 /* SSL3_ST_CW_CERT_D */
2925 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2926}
3159 2927
3160#define has_bits(i,m) (((i)&(m)) == (m)) 2928#define has_bits(i,m) (((i)&(m)) == (m))
3161 2929
3162int ssl3_check_cert_and_algorithm(SSL *s) 2930int
3163 { 2931ssl3_check_cert_and_algorithm(SSL *s)
3164 int i,idx; 2932{
3165 long alg_k,alg_a; 2933 int i, idx;
3166 EVP_PKEY *pkey=NULL; 2934 long alg_k, alg_a;
2935 EVP_PKEY *pkey = NULL;
3167 SESS_CERT *sc; 2936 SESS_CERT *sc;
3168#ifndef OPENSSL_NO_RSA 2937#ifndef OPENSSL_NO_RSA
3169 RSA *rsa; 2938 RSA *rsa;
@@ -3172,138 +2941,120 @@ int ssl3_check_cert_and_algorithm(SSL *s)
3172 DH *dh; 2941 DH *dh;
3173#endif 2942#endif
3174 2943
3175 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2944 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3176 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 2945 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3177 2946
3178 /* we don't have a certificate */ 2947 /* we don't have a certificate */
3179 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 2948 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
3180 return(1); 2949 return (1);
3181 2950
3182 sc=s->session->sess_cert; 2951 sc = s->session->sess_cert;
3183 if (sc == NULL) 2952 if (sc == NULL) {
3184 { 2953 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
3185 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
3186 goto err; 2954 goto err;
3187 } 2955 }
3188 2956
3189#ifndef OPENSSL_NO_RSA 2957#ifndef OPENSSL_NO_RSA
3190 rsa=s->session->sess_cert->peer_rsa_tmp; 2958 rsa = s->session->sess_cert->peer_rsa_tmp;
3191#endif 2959#endif
3192#ifndef OPENSSL_NO_DH 2960#ifndef OPENSSL_NO_DH
3193 dh=s->session->sess_cert->peer_dh_tmp; 2961 dh = s->session->sess_cert->peer_dh_tmp;
3194#endif 2962#endif
3195 2963
3196 /* This is the passed certificate */ 2964 /* This is the passed certificate */
3197 2965
3198 idx=sc->peer_cert_type; 2966 idx = sc->peer_cert_type;
3199#ifndef OPENSSL_NO_ECDH 2967#ifndef OPENSSL_NO_ECDH
3200 if (idx == SSL_PKEY_ECC) 2968 if (idx == SSL_PKEY_ECC) {
3201 {
3202 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2969 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
3203 s) == 0) 2970 s) == 0)
3204 { /* check failed */ 2971 { /* check failed */
3205 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 2972 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3206 goto f_err; 2973 goto f_err;
3207 } 2974 } else {
3208 else
3209 {
3210 return 1; 2975 return 1;
3211 }
3212 } 2976 }
2977 }
3213#endif 2978#endif
3214 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 2979 pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
3215 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 2980 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
3216 EVP_PKEY_free(pkey); 2981 EVP_PKEY_free(pkey);
3217 2982
3218 2983
3219 /* Check that we have a certificate if we require one */ 2984 /* Check that we have a certificate if we require one */
3220 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 2985 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
3221 { 2986 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT);
3222 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
3223 goto f_err; 2987 goto f_err;
3224 } 2988 }
3225#ifndef OPENSSL_NO_DSA 2989#ifndef OPENSSL_NO_DSA
3226 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 2990 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
3227 { 2991 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT);
3228 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
3229 goto f_err; 2992 goto f_err;
3230 } 2993 }
3231#endif 2994#endif
3232#ifndef OPENSSL_NO_RSA 2995#ifndef OPENSSL_NO_RSA
3233 if ((alg_k & SSL_kRSA) && 2996 if ((alg_k & SSL_kRSA) &&
3234 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 2997 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
3235 { 2998 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3236 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3237 goto f_err; 2999 goto f_err;
3238 } 3000 }
3239#endif 3001#endif
3240#ifndef OPENSSL_NO_DH 3002#ifndef OPENSSL_NO_DH
3241 if ((alg_k & SSL_kEDH) && 3003 if ((alg_k & SSL_kEDH) &&
3242 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 3004 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
3243 { 3005 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY);
3244 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
3245 goto f_err; 3006 goto f_err;
3246 } 3007 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
3247 else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 3008 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT);
3248 {
3249 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
3250 goto f_err; 3009 goto f_err;
3251 } 3010 }
3252#ifndef OPENSSL_NO_DSA 3011#ifndef OPENSSL_NO_DSA
3253 else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 3012 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
3254 { 3013 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT);
3255 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
3256 goto f_err; 3014 goto f_err;
3257 } 3015 }
3258#endif 3016#endif
3259#endif 3017#endif
3260 3018
3261 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 3019 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
3262 {
3263#ifndef OPENSSL_NO_RSA 3020#ifndef OPENSSL_NO_RSA
3264 if (alg_k & SSL_kRSA) 3021 if (alg_k & SSL_kRSA) {
3265 { 3022 if (rsa == NULL ||
3266 if (rsa == NULL 3023 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3267 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3024 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3268 {
3269 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3270 goto f_err; 3025 goto f_err;
3271 }
3272 } 3026 }
3273 else 3027 } else
3274#endif 3028#endif
3275#ifndef OPENSSL_NO_DH 3029#ifndef OPENSSL_NO_DH
3276 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 3030 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
3277 { 3031 if (dh == NULL ||
3278 if (dh == NULL 3032 DH_size(dh) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3279 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3033 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3280 {
3281 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3282 goto f_err; 3034 goto f_err;
3283 }
3284 } 3035 }
3285 else 3036 } else
3286#endif 3037#endif
3287 { 3038 {
3288 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 3039 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3289 goto f_err; 3040 goto f_err;
3290 }
3291 } 3041 }
3292 return(1); 3042 }
3043 return (1);
3293f_err: 3044f_err:
3294 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 3045 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3295err: 3046err:
3296 return(0); 3047 return (0);
3297 } 3048}
3298 3049
3299#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 3050#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3300int ssl3_send_next_proto(SSL *s) 3051int
3301 { 3052ssl3_send_next_proto(SSL *s)
3053{
3302 unsigned int len, padding_len; 3054 unsigned int len, padding_len;
3303 unsigned char *d; 3055 unsigned char *d;
3304 3056
3305 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3057 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
3306 {
3307 len = s->next_proto_negotiated_len; 3058 len = s->next_proto_negotiated_len;
3308 padding_len = 32 - ((len + 2) % 32); 3059 padding_len = 32 - ((len + 2) % 32);
3309 d = (unsigned char *)s->init_buf->data; 3060 d = (unsigned char *)s->init_buf->data;
@@ -3311,12 +3062,12 @@ int ssl3_send_next_proto(SSL *s)
3311 memcpy(d + 5, s->next_proto_negotiated, len); 3062 memcpy(d + 5, s->next_proto_negotiated, len);
3312 d[5 + len] = padding_len; 3063 d[5 + len] = padding_len;
3313 memset(d + 6 + len, 0, padding_len); 3064 memset(d + 6 + len, 0, padding_len);
3314 *(d++)=SSL3_MT_NEXT_PROTO; 3065 *(d++) = SSL3_MT_NEXT_PROTO;
3315 l2n3(2 + len + padding_len, d); 3066 l2n3(2 + len + padding_len, d);
3316 s->state = SSL3_ST_CW_NEXT_PROTO_B; 3067 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3317 s->init_num = 4 + 2 + len + padding_len; 3068 s->init_num = 4 + 2 + len + padding_len;
3318 s->init_off = 0; 3069 s->init_off = 0;
3319 } 3070 }
3320 3071
3321 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3072 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3322} 3073}
@@ -3328,8 +3079,9 @@ int ssl3_send_next_proto(SSL *s)
3328 */ 3079 */
3329 3080
3330#ifndef OPENSSL_NO_TLSEXT 3081#ifndef OPENSSL_NO_TLSEXT
3331int ssl3_check_finished(SSL *s) 3082int
3332 { 3083ssl3_check_finished(SSL *s)
3084{
3333 int ok; 3085 int ok;
3334 long n; 3086 long n;
3335 /* If we have no ticket it cannot be a resumed session. */ 3087 /* If we have no ticket it cannot be a resumed session. */
@@ -3337,36 +3089,33 @@ int ssl3_check_finished(SSL *s)
3337 return 1; 3089 return 1;
3338 /* this function is called when we really expect a Certificate 3090 /* this function is called when we really expect a Certificate
3339 * message, so permit appropriate message length */ 3091 * message, so permit appropriate message length */
3340 n=s->method->ssl_get_message(s, 3092 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
3341 SSL3_ST_CR_CERT_A, 3093 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
3342 SSL3_ST_CR_CERT_B, 3094 if (!ok)
3343 -1, 3095 return ((int)n);
3344 s->max_cert_list,
3345 &ok);
3346 if (!ok) return((int)n);
3347 s->s3->tmp.reuse_message = 1; 3096 s->s3->tmp.reuse_message = 1;
3348 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3097 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) ||
3349 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3098 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3350 return 2; 3099 return 2;
3351 3100
3352 return 1; 3101 return 1;
3353 } 3102}
3354#endif 3103#endif
3355 3104
3356int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3105int
3357 { 3106ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3107{
3358 int i = 0; 3108 int i = 0;
3359#ifndef OPENSSL_NO_ENGINE 3109#ifndef OPENSSL_NO_ENGINE
3360 if (s->ctx->client_cert_engine) 3110 if (s->ctx->client_cert_engine) {
3361 {
3362 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3111 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3363 SSL_get_client_CA_list(s), 3112 SSL_get_client_CA_list(s),
3364 px509, ppkey, NULL, NULL, NULL); 3113 px509, ppkey, NULL, NULL, NULL);
3365 if (i != 0) 3114 if (i != 0)
3366 return i; 3115 return i;
3367 } 3116 }
3368#endif 3117#endif
3369 if (s->ctx->client_cert_cb) 3118 if (s->ctx->client_cert_cb)
3370 i = s->ctx->client_cert_cb(s,px509,ppkey); 3119 i = s->ctx->client_cert_cb(s, px509, ppkey);
3371 return i; 3120 return i;
3372 } 3121}
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 518dfcd5e2..eeadb160d1 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -171,92 +171,86 @@
171 171
172static const SSL_METHOD *ssl3_get_server_method(int ver); 172static const SSL_METHOD *ssl3_get_server_method(int ver);
173 173
174static const SSL_METHOD *ssl3_get_server_method(int ver) 174static const SSL_METHOD
175 { 175*ssl3_get_server_method(int ver)
176{
176 if (ver == SSL3_VERSION) 177 if (ver == SSL3_VERSION)
177 return(SSLv3_server_method()); 178 return (SSLv3_server_method());
178 else 179 else
179 return(NULL); 180 return (NULL);
180 } 181}
181 182
182#ifndef OPENSSL_NO_SRP 183#ifndef OPENSSL_NO_SRP
183static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) 184static int
184 { 185ssl_check_srp_ext_ClientHello(SSL *s, int *al)
186{
185 int ret = SSL_ERROR_NONE; 187 int ret = SSL_ERROR_NONE;
186 188
187 *al = SSL_AD_UNRECOGNIZED_NAME; 189 *al = SSL_AD_UNRECOGNIZED_NAME;
188 190
189 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 191 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
190 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) 192 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
191 { 193 if (s->srp_ctx.login == NULL) {
192 if(s->srp_ctx.login == NULL)
193 {
194 /* RFC 5054 says SHOULD reject, 194 /* RFC 5054 says SHOULD reject,
195 we do so if There is no srp login name */ 195 we do so if There is no srp login name */
196 ret = SSL3_AL_FATAL; 196 ret = SSL3_AL_FATAL;
197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
198 } 198 } else {
199 else 199 ret = SSL_srp_server_param_with_username(s, al);
200 {
201 ret = SSL_srp_server_param_with_username(s,al);
202 }
203 } 200 }
204 return ret;
205 } 201 }
202 return ret;
203}
206#endif 204#endif
207 205
208IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 206IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
209 ssl3_accept, 207 ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
210 ssl_undefined_function,
211 ssl3_get_server_method)
212 208
213int ssl3_accept(SSL *s) 209int
214 { 210ssl3_accept(SSL *s)
211{
215 BUF_MEM *buf; 212 BUF_MEM *buf;
216 unsigned long alg_k,Time=(unsigned long)time(NULL); 213 unsigned long alg_k, Time = (unsigned long)time(NULL);
217 void (*cb)(const SSL *ssl,int type,int val)=NULL; 214 void (*cb)(const SSL *ssl, int type, int val) = NULL;
218 int ret= -1; 215 int ret = -1;
219 int new_state,state,skip=0; 216 int new_state, state, skip = 0;
220 217
221 RAND_add(&Time,sizeof(Time),0); 218 RAND_add(&Time, sizeof(Time), 0);
222 ERR_clear_error(); 219 ERR_clear_error();
223 errno = 0; 220 errno = 0;
224 221
225 if (s->info_callback != NULL) 222 if (s->info_callback != NULL)
226 cb=s->info_callback; 223 cb = s->info_callback;
227 else if (s->ctx->info_callback != NULL) 224 else if (s->ctx->info_callback != NULL)
228 cb=s->ctx->info_callback; 225 cb = s->ctx->info_callback;
229 226
230 /* init things to blank */ 227 /* init things to blank */
231 s->in_handshake++; 228 s->in_handshake++;
232 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 229 if (!SSL_in_init(s) || SSL_in_before(s))
230 SSL_clear(s);
233 231
234 if (s->cert == NULL) 232 if (s->cert == NULL) {
235 { 233 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
236 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 234 return (-1);
237 return(-1); 235 }
238 }
239 236
240#ifndef OPENSSL_NO_HEARTBEATS 237#ifndef OPENSSL_NO_HEARTBEATS
241 /* If we're awaiting a HeartbeatResponse, pretend we 238 /* If we're awaiting a HeartbeatResponse, pretend we
242 * already got and don't await it anymore, because 239 * already got and don't await it anymore, because
243 * Heartbeats don't make sense during handshakes anyway. 240 * Heartbeats don't make sense during handshakes anyway.
244 */ 241 */
245 if (s->tlsext_hb_pending) 242 if (s->tlsext_hb_pending) {
246 {
247 s->tlsext_hb_pending = 0; 243 s->tlsext_hb_pending = 0;
248 s->tlsext_hb_seq++; 244 s->tlsext_hb_seq++;
249 } 245 }
250#endif 246#endif
251 247
252 for (;;) 248 for (;;) {
253 { 249 state = s->state;
254 state=s->state;
255 250
256 switch (s->state) 251 switch (s->state) {
257 {
258 case SSL_ST_RENEGOTIATE: 252 case SSL_ST_RENEGOTIATE:
259 s->renegotiate=1; 253 s->renegotiate = 1;
260 /* s->state=SSL_ST_ACCEPT; */ 254 /* s->state=SSL_ST_ACCEPT; */
261 255
262 case SSL_ST_BEFORE: 256 case SSL_ST_BEFORE:
@@ -264,146 +258,143 @@ int ssl3_accept(SSL *s)
264 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 258 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
265 case SSL_ST_OK|SSL_ST_ACCEPT: 259 case SSL_ST_OK|SSL_ST_ACCEPT:
266 260
267 s->server=1; 261 s->server = 1;
268 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 262 if (cb != NULL)
263 cb(s, SSL_CB_HANDSHAKE_START, 1);
269 264
270 if ((s->version>>8) != 3) 265 if ((s->version >> 8) != 3) {
271 {
272 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 266 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
273 return -1; 267 return -1;
274 } 268 }
275 s->type=SSL_ST_ACCEPT; 269 s->type = SSL_ST_ACCEPT;
276 270
277 if (s->init_buf == NULL) 271 if (s->init_buf == NULL) {
278 { 272 if ((buf = BUF_MEM_new()) == NULL) {
279 if ((buf=BUF_MEM_new()) == NULL) 273 ret = -1;
280 {
281 ret= -1;
282 goto end; 274 goto end;
283 } 275 }
284 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 276 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
285 { 277 ret = -1;
286 ret= -1;
287 goto end; 278 goto end;
288 }
289 s->init_buf=buf;
290 } 279 }
280 s->init_buf = buf;
281 }
291 282
292 if (!ssl3_setup_buffers(s)) 283 if (!ssl3_setup_buffers(s)) {
293 { 284 ret = -1;
294 ret= -1;
295 goto end; 285 goto end;
296 } 286 }
297 287
298 s->init_num=0; 288 s->init_num = 0;
299 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 289 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
300 290
301 if (s->state != SSL_ST_RENEGOTIATE) 291 if (s->state != SSL_ST_RENEGOTIATE) {
302 {
303 /* Ok, we now need to push on a buffering BIO so that 292 /* Ok, we now need to push on a buffering BIO so that
304 * the output is sent in a way that TCP likes :-) 293 * the output is sent in a way that TCP likes :-)
305 */ 294 */
306 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 295 if (!ssl_init_wbio_buffer(s, 1)) {
307 296 ret = -1;
297 goto end;
298 }
299
308 ssl3_init_finished_mac(s); 300 ssl3_init_finished_mac(s);
309 s->state=SSL3_ST_SR_CLNT_HELLO_A; 301 s->state = SSL3_ST_SR_CLNT_HELLO_A;
310 s->ctx->stats.sess_accept++; 302 s->ctx->stats.sess_accept++;
311 } 303 } else if (!s->s3->send_connection_binding &&
312 else if (!s->s3->send_connection_binding && 304 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
313 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
314 {
315 /* Server attempting to renegotiate with 305 /* Server attempting to renegotiate with
316 * client that doesn't support secure 306 * client that doesn't support secure
317 * renegotiation. 307 * renegotiation.
318 */ 308 */
319 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 309 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
320 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 310 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
321 ret = -1; 311 ret = -1;
322 goto end; 312 goto end;
323 } 313 } else {
324 else
325 {
326 /* s->state == SSL_ST_RENEGOTIATE, 314 /* s->state == SSL_ST_RENEGOTIATE,
327 * we will just send a HelloRequest */ 315 * we will just send a HelloRequest */
328 s->ctx->stats.sess_accept_renegotiate++; 316 s->ctx->stats.sess_accept_renegotiate++;
329 s->state=SSL3_ST_SW_HELLO_REQ_A; 317 s->state = SSL3_ST_SW_HELLO_REQ_A;
330 } 318 }
331 break; 319 break;
332 320
333 case SSL3_ST_SW_HELLO_REQ_A: 321 case SSL3_ST_SW_HELLO_REQ_A:
334 case SSL3_ST_SW_HELLO_REQ_B: 322 case SSL3_ST_SW_HELLO_REQ_B:
335 323
336 s->shutdown=0; 324 s->shutdown = 0;
337 ret=ssl3_send_hello_request(s); 325 ret = ssl3_send_hello_request(s);
338 if (ret <= 0) goto end; 326 if (ret <= 0)
339 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 327 goto end;
340 s->state=SSL3_ST_SW_FLUSH; 328 s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
341 s->init_num=0; 329 s->state = SSL3_ST_SW_FLUSH;
330 s->init_num = 0;
342 331
343 ssl3_init_finished_mac(s); 332 ssl3_init_finished_mac(s);
344 break; 333 break;
345 334
346 case SSL3_ST_SW_HELLO_REQ_C: 335 case SSL3_ST_SW_HELLO_REQ_C:
347 s->state=SSL_ST_OK; 336 s->state = SSL_ST_OK;
348 break; 337 break;
349 338
350 case SSL3_ST_SR_CLNT_HELLO_A: 339 case SSL3_ST_SR_CLNT_HELLO_A:
351 case SSL3_ST_SR_CLNT_HELLO_B: 340 case SSL3_ST_SR_CLNT_HELLO_B:
352 case SSL3_ST_SR_CLNT_HELLO_C: 341 case SSL3_ST_SR_CLNT_HELLO_C:
353 342
354 s->shutdown=0; 343 s->shutdown = 0;
355 if (s->rwstate != SSL_X509_LOOKUP) 344 if (s->rwstate != SSL_X509_LOOKUP) {
356 { 345 ret = ssl3_get_client_hello(s);
357 ret=ssl3_get_client_hello(s); 346 if (ret <= 0)
358 if (ret <= 0) goto end; 347 goto end;
359 } 348 }
360#ifndef OPENSSL_NO_SRP 349#ifndef OPENSSL_NO_SRP
361 { 350 {
362 int al; 351 int al;
363 if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0) 352 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
364 {
365 /* callback indicates firther work to be done */ 353 /* callback indicates firther work to be done */
366 s->rwstate=SSL_X509_LOOKUP; 354 s->rwstate = SSL_X509_LOOKUP;
367 goto end; 355 goto end;
368 } 356 }
369 if (ret != SSL_ERROR_NONE) 357 if (ret != SSL_ERROR_NONE) {
370 { 358 ssl3_send_alert(s, SSL3_AL_FATAL, al);
371 ssl3_send_alert(s,SSL3_AL_FATAL,al); 359
372 /* This is not really an error but the only means to 360 /* This is not really an error but the only means to
373 for a client to detect whether srp is supported. */ 361 for a client to detect whether srp is supported. */
374 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 362 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
375 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); 363 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
376 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 364
377 ret= -1; 365 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
378 goto end; 366
367 ret = -1;
368 goto end;
369
379 } 370 }
380 } 371 }
381#endif 372#endif
382 373
383 s->renegotiate = 2; 374 s->renegotiate = 2;
384 s->state=SSL3_ST_SW_SRVR_HELLO_A; 375 s->state = SSL3_ST_SW_SRVR_HELLO_A;
385 s->init_num=0; 376 s->init_num = 0;
386 break; 377 break;
387 378
388 case SSL3_ST_SW_SRVR_HELLO_A: 379 case SSL3_ST_SW_SRVR_HELLO_A:
389 case SSL3_ST_SW_SRVR_HELLO_B: 380 case SSL3_ST_SW_SRVR_HELLO_B:
390 ret=ssl3_send_server_hello(s); 381 ret = ssl3_send_server_hello(s);
391 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
392#ifndef OPENSSL_NO_TLSEXT 384#ifndef OPENSSL_NO_TLSEXT
393 if (s->hit) 385 if (s->hit) {
394 {
395 if (s->tlsext_ticket_expected) 386 if (s->tlsext_ticket_expected)
396 s->state=SSL3_ST_SW_SESSION_TICKET_A; 387 s->state = SSL3_ST_SW_SESSION_TICKET_A;
397 else 388 else
398 s->state=SSL3_ST_SW_CHANGE_A; 389 s->state = SSL3_ST_SW_CHANGE_A;
399 } 390 }
400#else 391#else
401 if (s->hit) 392 if (s->hit)
402 s->state=SSL3_ST_SW_CHANGE_A; 393 s->state = SSL3_ST_SW_CHANGE_A;
403#endif 394#endif
404 else 395 else
405 s->state=SSL3_ST_SW_CERT_A; 396 s->state = SSL3_ST_SW_CERT_A;
406 s->init_num=0; 397 s->init_num = 0;
407 break; 398 break;
408 399
409 case SSL3_ST_SW_CERT_A: 400 case SSL3_ST_SW_CERT_A:
@@ -412,29 +403,26 @@ int ssl3_accept(SSL *s)
412 /* normal PSK or KRB5 or SRP */ 403 /* normal PSK or KRB5 or SRP */
413 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 404 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
414 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 405 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
415 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 406 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) {
416 { 407 ret = ssl3_send_server_certificate(s);
417 ret=ssl3_send_server_certificate(s); 408 if (ret <= 0)
418 if (ret <= 0) goto end; 409 goto end;
419#ifndef OPENSSL_NO_TLSEXT 410#ifndef OPENSSL_NO_TLSEXT
420 if (s->tlsext_status_expected) 411 if (s->tlsext_status_expected)
421 s->state=SSL3_ST_SW_CERT_STATUS_A; 412 s->state = SSL3_ST_SW_CERT_STATUS_A;
422 else 413 else
423 s->state=SSL3_ST_SW_KEY_EXCH_A; 414 s->state = SSL3_ST_SW_KEY_EXCH_A;
424 } 415 } else {
425 else
426 {
427 skip = 1; 416 skip = 1;
428 s->state=SSL3_ST_SW_KEY_EXCH_A; 417 s->state = SSL3_ST_SW_KEY_EXCH_A;
429 } 418 }
430#else 419#else
431 } 420 } else
432 else 421 skip = 1;
433 skip=1;
434 422
435 s->state=SSL3_ST_SW_KEY_EXCH_A; 423 s->state = SSL3_ST_SW_KEY_EXCH_A;
436#endif 424#endif
437 s->init_num=0; 425 s->init_num = 0;
438 break; 426 break;
439 427
440 case SSL3_ST_SW_KEY_EXCH_A: 428 case SSL3_ST_SW_KEY_EXCH_A:
@@ -445,16 +433,16 @@ int ssl3_accept(SSL *s)
445 * send_server_key_exchange */ 433 * send_server_key_exchange */
446 if ((s->options & SSL_OP_EPHEMERAL_RSA) 434 if ((s->options & SSL_OP_EPHEMERAL_RSA)
447#ifndef OPENSSL_NO_KRB5 435#ifndef OPENSSL_NO_KRB5
448 && !(alg_k & SSL_kKRB5) 436 && !(alg_k & SSL_kKRB5)
449#endif /* OPENSSL_NO_KRB5 */ 437#endif /* OPENSSL_NO_KRB5 */
450 ) 438 )
451 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 439 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
452 * even when forbidden by protocol specs 440 * even when forbidden by protocol specs
453 * (handshake may fail as clients are not required to 441 * (handshake may fail as clients are not required to
454 * be able to handle this) */ 442 * be able to handle this) */
455 s->s3->tmp.use_rsa_tmp=1; 443 s->s3->tmp.use_rsa_tmp = 1;
456 else 444 else
457 s->s3->tmp.use_rsa_tmp=0; 445 s->s3->tmp.use_rsa_tmp = 0;
458 446
459 447
460 /* only send if a DH key exchange, fortezza or 448 /* only send if a DH key exchange, fortezza or
@@ -475,83 +463,81 @@ int ssl3_accept(SSL *s)
475 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 463 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
476#endif 464#endif
477#ifndef OPENSSL_NO_SRP 465#ifndef OPENSSL_NO_SRP
478 /* SRP: send ServerKeyExchange */ 466 /* SRP: send ServerKeyExchange */
479 || (alg_k & SSL_kSRP) 467 || (alg_k & SSL_kSRP)
480#endif 468#endif
481 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 469 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
482 || (alg_k & SSL_kEECDH) 470 || (alg_k & SSL_kEECDH)
483 || ((alg_k & SSL_kRSA) 471 || ((alg_k & SSL_kRSA)
484 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 472 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
485 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 473 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
486 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 474 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
487 )
488 )
489 )
490 ) 475 )
491 { 476 )
492 ret=ssl3_send_server_key_exchange(s); 477 )
493 if (ret <= 0) goto end; 478 ) {
494 } 479 ret = ssl3_send_server_key_exchange(s);
495 else 480 if (ret <= 0)
496 skip=1; 481 goto end;
482 } else
483 skip = 1;
497 484
498 s->state=SSL3_ST_SW_CERT_REQ_A; 485 s->state = SSL3_ST_SW_CERT_REQ_A;
499 s->init_num=0; 486 s->init_num = 0;
500 break; 487 break;
501 488
502 case SSL3_ST_SW_CERT_REQ_A: 489 case SSL3_ST_SW_CERT_REQ_A:
503 case SSL3_ST_SW_CERT_REQ_B: 490 case SSL3_ST_SW_CERT_REQ_B:
504 if (/* don't request cert unless asked for it: */ 491 if (/* don't request cert unless asked for it: */
505 !(s->verify_mode & SSL_VERIFY_PEER) || 492 !(s->verify_mode & SSL_VERIFY_PEER) ||
506 /* if SSL_VERIFY_CLIENT_ONCE is set, 493 /* if SSL_VERIFY_CLIENT_ONCE is set,
507 * don't request cert during re-negotiation: */ 494 * don't request cert during re-negotiation: */
508 ((s->session->peer != NULL) && 495 ((s->session->peer != NULL) &&
509 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 496 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
510 /* never request cert in anonymous ciphersuites 497 /* never request cert in anonymous ciphersuites
511 * (see section "Certificate request" in SSL 3 drafts 498 * (see section "Certificate request" in SSL 3 drafts
512 * and in RFC 2246): */ 499 * and in RFC 2246): */
513 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 500 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
514 /* ... except when the application insists on verification 501 /* ... except when the application insists on verification
515 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 502 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
516 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 503 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
517 /* never request cert in Kerberos ciphersuites */ 504 /* never request cert in Kerberos ciphersuites */
518 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 505 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
519 /* With normal PSK Certificates and 506 /* With normal PSK Certificates and
520 * Certificate Requests are omitted */ 507 * Certificate Requests are omitted */
521 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 508 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
522 {
523 /* no cert request */ 509 /* no cert request */
524 skip=1; 510 skip = 1;
525 s->s3->tmp.cert_request=0; 511 s->s3->tmp.cert_request = 0;
526 s->state=SSL3_ST_SW_SRVR_DONE_A; 512 s->state = SSL3_ST_SW_SRVR_DONE_A;
527 if (s->s3->handshake_buffer) 513 if (s->s3->handshake_buffer)
528 if (!ssl3_digest_cached_records(s)) 514 if (!ssl3_digest_cached_records(s))
529 return -1; 515 return -1;
530 } 516 } else {
531 else 517 s->s3->tmp.cert_request = 1;
532 { 518 ret = ssl3_send_certificate_request(s);
533 s->s3->tmp.cert_request=1; 519 if (ret <= 0)
534 ret=ssl3_send_certificate_request(s); 520 goto end;
535 if (ret <= 0) goto end;
536#ifndef NETSCAPE_HANG_BUG 521#ifndef NETSCAPE_HANG_BUG
537 s->state=SSL3_ST_SW_SRVR_DONE_A; 522 s->state = SSL3_ST_SW_SRVR_DONE_A;
538#else 523#else
539 s->state=SSL3_ST_SW_FLUSH; 524 s->state = SSL3_ST_SW_FLUSH;
540 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 525 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
541#endif 526#endif
542 s->init_num=0; 527 s->init_num = 0;
543 } 528 }
544 break; 529 break;
545 530
546 case SSL3_ST_SW_SRVR_DONE_A: 531 case SSL3_ST_SW_SRVR_DONE_A:
547 case SSL3_ST_SW_SRVR_DONE_B: 532 case SSL3_ST_SW_SRVR_DONE_B:
548 ret=ssl3_send_server_done(s); 533 ret = ssl3_send_server_done(s);
549 if (ret <= 0) goto end; 534 if (ret <= 0)
550 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 535 goto end;
551 s->state=SSL3_ST_SW_FLUSH; 536 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
552 s->init_num=0; 537 s->state = SSL3_ST_SW_FLUSH;
538 s->init_num = 0;
553 break; 539 break;
554 540
555 case SSL3_ST_SW_FLUSH: 541 case SSL3_ST_SW_FLUSH:
556 542
557 /* This code originally checked to see if 543 /* This code originally checked to see if
@@ -564,15 +550,14 @@ int ssl3_accept(SSL *s)
564 * unconditionally. 550 * unconditionally.
565 */ 551 */
566 552
567 s->rwstate=SSL_WRITING; 553 s->rwstate = SSL_WRITING;
568 if (BIO_flush(s->wbio) <= 0) 554 if (BIO_flush(s->wbio) <= 0) {
569 { 555 ret = -1;
570 ret= -1;
571 goto end; 556 goto end;
572 } 557 }
573 s->rwstate=SSL_NOTHING; 558 s->rwstate = SSL_NOTHING;
574 559
575 s->state=s->s3->tmp.next_state; 560 s->state = s->s3->tmp.next_state;
576 break; 561 break;
577 562
578 case SSL3_ST_SR_CERT_A: 563 case SSL3_ST_SR_CERT_A:
@@ -584,23 +569,22 @@ int ssl3_accept(SSL *s)
584 if (ret == 2) 569 if (ret == 2)
585 s->state = SSL3_ST_SR_CLNT_HELLO_C; 570 s->state = SSL3_ST_SR_CLNT_HELLO_C;
586 else { 571 else {
587 if (s->s3->tmp.cert_request) 572 if (s->s3->tmp.cert_request) {
588 { 573 ret = ssl3_get_client_certificate(s);
589 ret=ssl3_get_client_certificate(s); 574 if (ret <= 0)
590 if (ret <= 0) goto end; 575 goto end;
591 } 576 }
592 s->init_num=0; 577 s->init_num = 0;
593 s->state=SSL3_ST_SR_KEY_EXCH_A; 578 s->state = SSL3_ST_SR_KEY_EXCH_A;
594 } 579 }
595 break; 580 break;
596 581
597 case SSL3_ST_SR_KEY_EXCH_A: 582 case SSL3_ST_SR_KEY_EXCH_A:
598 case SSL3_ST_SR_KEY_EXCH_B: 583 case SSL3_ST_SR_KEY_EXCH_B:
599 ret=ssl3_get_client_key_exchange(s); 584 ret = ssl3_get_client_key_exchange(s);
600 if (ret <= 0) 585 if (ret <= 0)
601 goto end; 586 goto end;
602 if (ret == 2) 587 if (ret == 2) {
603 {
604 /* For the ECDH ciphersuites when 588 /* For the ECDH ciphersuites when
605 * the client sends its ECDH pub key in 589 * the client sends its ECDH pub key in
606 * a certificate, the CertificateVerify 590 * a certificate, the CertificateVerify
@@ -610,40 +594,35 @@ int ssl3_accept(SSL *s)
610 * for key exchange. 594 * for key exchange.
611 */ 595 */
612#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 596#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
613 s->state=SSL3_ST_SR_FINISHED_A; 597 s->state = SSL3_ST_SR_FINISHED_A;
614#else 598#else
615 if (s->s3->next_proto_neg_seen) 599 if (s->s3->next_proto_neg_seen)
616 s->state=SSL3_ST_SR_NEXT_PROTO_A; 600 s->state = SSL3_ST_SR_NEXT_PROTO_A;
617 else 601 else
618 s->state=SSL3_ST_SR_FINISHED_A; 602 s->state = SSL3_ST_SR_FINISHED_A;
619#endif 603#endif
620 s->init_num = 0; 604 s->init_num = 0;
621 } 605 } else if (TLS1_get_version(s) >= TLS1_2_VERSION) {
622 else if (TLS1_get_version(s) >= TLS1_2_VERSION) 606 s->state = SSL3_ST_SR_CERT_VRFY_A;
623 { 607 s->init_num = 0;
624 s->state=SSL3_ST_SR_CERT_VRFY_A;
625 s->init_num=0;
626 if (!s->session->peer) 608 if (!s->session->peer)
627 break; 609 break;
628 /* For TLS v1.2 freeze the handshake buffer 610 /* For TLS v1.2 freeze the handshake buffer
629 * at this point and digest cached records. 611 * at this point and digest cached records.
630 */ 612 */
631 if (!s->s3->handshake_buffer) 613 if (!s->s3->handshake_buffer) {
632 { 614 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
633 SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
634 return -1; 615 return -1;
635 } 616 }
636 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 617 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
637 if (!ssl3_digest_cached_records(s)) 618 if (!ssl3_digest_cached_records(s))
638 return -1; 619 return -1;
639 } 620 } else {
640 else 621 int offset = 0;
641 {
642 int offset=0;
643 int dgst_num; 622 int dgst_num;
644 623
645 s->state=SSL3_ST_SR_CERT_VRFY_A; 624 s->state = SSL3_ST_SR_CERT_VRFY_A;
646 s->init_num=0; 625 s->init_num = 0;
647 626
648 /* We need to get hashes here so if there is 627 /* We need to get hashes here so if there is
649 * a client cert, it can be verified 628 * a client cert, it can be verified
@@ -653,82 +632,85 @@ int ssl3_accept(SSL *s)
653 if (s->s3->handshake_buffer) 632 if (s->s3->handshake_buffer)
654 if (!ssl3_digest_cached_records(s)) 633 if (!ssl3_digest_cached_records(s))
655 return -1; 634 return -1;
656 for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++) 635 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
657 if (s->s3->handshake_dgst[dgst_num]) 636 if (s->s3->handshake_dgst[dgst_num]) {
658 { 637 int dgst_size;
659 int dgst_size; 638
660 639 s->method->ssl3_enc->cert_verify_mac(s, EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]), &(s->s3->tmp.cert_verify_md[offset]));
661 s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset])); 640 dgst_size = EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
662 dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 641 if (dgst_size < 0) {
663 if (dgst_size < 0) 642 ret = -1;
664 { 643 goto end;
665 ret = -1; 644 }
666 goto end; 645 offset += dgst_size;
667 }
668 offset+=dgst_size;
669 }
670 } 646 }
647 }
671 break; 648 break;
672 649
673 case SSL3_ST_SR_CERT_VRFY_A: 650 case SSL3_ST_SR_CERT_VRFY_A:
674 case SSL3_ST_SR_CERT_VRFY_B: 651 case SSL3_ST_SR_CERT_VRFY_B:
675 652
676 /* we should decide if we expected this one */ 653 /* we should decide if we expected this one */
677 ret=ssl3_get_cert_verify(s); 654 ret = ssl3_get_cert_verify(s);
678 if (ret <= 0) goto end; 655 if (ret <= 0)
656 goto end;
679 657
680#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 658#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
681 s->state=SSL3_ST_SR_FINISHED_A; 659 s->state = SSL3_ST_SR_FINISHED_A;
682#else 660#else
683 if (s->s3->next_proto_neg_seen) 661 if (s->s3->next_proto_neg_seen)
684 s->state=SSL3_ST_SR_NEXT_PROTO_A; 662 s->state = SSL3_ST_SR_NEXT_PROTO_A;
685 else 663 else
686 s->state=SSL3_ST_SR_FINISHED_A; 664 s->state = SSL3_ST_SR_FINISHED_A;
687#endif 665#endif
688 s->init_num=0; 666 s->init_num = 0;
689 break; 667 break;
690 668
691#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 669#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
692 case SSL3_ST_SR_NEXT_PROTO_A: 670 case SSL3_ST_SR_NEXT_PROTO_A:
693 case SSL3_ST_SR_NEXT_PROTO_B: 671 case SSL3_ST_SR_NEXT_PROTO_B:
694 ret=ssl3_get_next_proto(s); 672 ret = ssl3_get_next_proto(s);
695 if (ret <= 0) goto end; 673 if (ret <= 0)
674 goto end;
696 s->init_num = 0; 675 s->init_num = 0;
697 s->state=SSL3_ST_SR_FINISHED_A; 676 s->state = SSL3_ST_SR_FINISHED_A;
698 break; 677 break;
699#endif 678#endif
700 679
701 case SSL3_ST_SR_FINISHED_A: 680 case SSL3_ST_SR_FINISHED_A:
702 case SSL3_ST_SR_FINISHED_B: 681 case SSL3_ST_SR_FINISHED_B:
703 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 682 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
704 SSL3_ST_SR_FINISHED_B); 683 SSL3_ST_SR_FINISHED_B);
705 if (ret <= 0) goto end; 684 if (ret <= 0)
685 goto end;
706 if (s->hit) 686 if (s->hit)
707 s->state=SSL_ST_OK; 687 s->state = SSL_ST_OK;
708#ifndef OPENSSL_NO_TLSEXT 688#ifndef OPENSSL_NO_TLSEXT
709 else if (s->tlsext_ticket_expected) 689 else if (s->tlsext_ticket_expected)
710 s->state=SSL3_ST_SW_SESSION_TICKET_A; 690 s->state = SSL3_ST_SW_SESSION_TICKET_A;
711#endif 691#endif
712 else 692 else
713 s->state=SSL3_ST_SW_CHANGE_A; 693 s->state = SSL3_ST_SW_CHANGE_A;
714 s->init_num=0; 694 s->init_num = 0;
715 break; 695 break;
716 696
717#ifndef OPENSSL_NO_TLSEXT 697#ifndef OPENSSL_NO_TLSEXT
718 case SSL3_ST_SW_SESSION_TICKET_A: 698 case SSL3_ST_SW_SESSION_TICKET_A:
719 case SSL3_ST_SW_SESSION_TICKET_B: 699 case SSL3_ST_SW_SESSION_TICKET_B:
720 ret=ssl3_send_newsession_ticket(s); 700 ret = ssl3_send_newsession_ticket(s);
721 if (ret <= 0) goto end; 701 if (ret <= 0)
722 s->state=SSL3_ST_SW_CHANGE_A; 702 goto end;
723 s->init_num=0; 703 s->state = SSL3_ST_SW_CHANGE_A;
704 s->init_num = 0;
724 break; 705 break;
725 706
726 case SSL3_ST_SW_CERT_STATUS_A: 707 case SSL3_ST_SW_CERT_STATUS_A:
727 case SSL3_ST_SW_CERT_STATUS_B: 708 case SSL3_ST_SW_CERT_STATUS_B:
728 ret=ssl3_send_cert_status(s); 709 ret = ssl3_send_cert_status(s);
729 if (ret <= 0) goto end; 710 if (ret <= 0)
730 s->state=SSL3_ST_SW_KEY_EXCH_A; 711 goto end;
731 s->init_num=0; 712 s->state = SSL3_ST_SW_KEY_EXCH_A;
713 s->init_num = 0;
732 break; 714 break;
733 715
734#endif 716#endif
@@ -736,48 +718,49 @@ int ssl3_accept(SSL *s)
736 case SSL3_ST_SW_CHANGE_A: 718 case SSL3_ST_SW_CHANGE_A:
737 case SSL3_ST_SW_CHANGE_B: 719 case SSL3_ST_SW_CHANGE_B:
738 720
739 s->session->cipher=s->s3->tmp.new_cipher; 721 s->session->cipher = s->s3->tmp.new_cipher;
740 if (!s->method->ssl3_enc->setup_key_block(s)) 722 if (!s->method->ssl3_enc->setup_key_block(s)) {
741 { ret= -1; goto end; } 723 ret = -1;
724 goto end;
725 }
742 726
743 ret=ssl3_send_change_cipher_spec(s, 727 ret = ssl3_send_change_cipher_spec(s,
744 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 728 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
745 729
746 if (ret <= 0) goto end; 730 if (ret <= 0)
747 s->state=SSL3_ST_SW_FINISHED_A; 731 goto end;
748 s->init_num=0; 732 s->state = SSL3_ST_SW_FINISHED_A;
733 s->init_num = 0;
749 734
750 if (!s->method->ssl3_enc->change_cipher_state(s, 735 if (!s->method->ssl3_enc->change_cipher_state(
751 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 736 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
752 { 737 ret = -1;
753 ret= -1;
754 goto end; 738 goto end;
755 } 739 }
756 740
757 break; 741 break;
758 742
759 case SSL3_ST_SW_FINISHED_A: 743 case SSL3_ST_SW_FINISHED_A:
760 case SSL3_ST_SW_FINISHED_B: 744 case SSL3_ST_SW_FINISHED_B:
761 ret=ssl3_send_finished(s, 745 ret = ssl3_send_finished(s,
762 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 746 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
763 s->method->ssl3_enc->server_finished_label, 747 s->method->ssl3_enc->server_finished_label,
764 s->method->ssl3_enc->server_finished_label_len); 748 s->method->ssl3_enc->server_finished_label_len);
765 if (ret <= 0) goto end; 749 if (ret <= 0)
766 s->state=SSL3_ST_SW_FLUSH; 750 goto end;
767 if (s->hit) 751 s->state = SSL3_ST_SW_FLUSH;
768 { 752 if (s->hit) {
769#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 753#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
770 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 754 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
771#else 755#else
772 if (s->s3->next_proto_neg_seen) 756 if (s->s3->next_proto_neg_seen)
773 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; 757 s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A;
774 else 758 else
775 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 759 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
776#endif 760#endif
777 } 761 } else
778 else 762 s->s3->tmp.next_state = SSL_ST_OK;
779 s->s3->tmp.next_state=SSL_ST_OK; 763 s->init_num = 0;
780 s->init_num=0;
781 break; 764 break;
782 765
783 case SSL_ST_OK: 766 case SSL_ST_OK:
@@ -785,146 +768,143 @@ int ssl3_accept(SSL *s)
785 ssl3_cleanup_key_block(s); 768 ssl3_cleanup_key_block(s);
786 769
787 BUF_MEM_free(s->init_buf); 770 BUF_MEM_free(s->init_buf);
788 s->init_buf=NULL; 771 s->init_buf = NULL;
789 772
790 /* remove buffering on output */ 773 /* remove buffering on output */
791 ssl_free_wbio_buffer(s); 774 ssl_free_wbio_buffer(s);
792 775
793 s->init_num=0; 776 s->init_num = 0;
794 777
795 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 778 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
796 { 779 {
797 s->renegotiate=0; 780 s->renegotiate = 0;
798 s->new_session=0; 781 s->new_session = 0;
799 782
800 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 783 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
801 784
802 s->ctx->stats.sess_accept_good++; 785 s->ctx->stats.sess_accept_good++;
803 /* s->server=1; */ 786 /* s->server=1; */
804 s->handshake_func=ssl3_accept; 787 s->handshake_func = ssl3_accept;
788
789 if (cb != NULL)
790 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
791 }
805 792
806 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
807 }
808
809 ret = 1; 793 ret = 1;
810 goto end; 794 goto end;
811 /* break; */ 795 /* break; */
812 796
813 default: 797 default:
814 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 798 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
815 ret= -1; 799 ret = -1;
816 goto end; 800 goto end;
817 /* break; */ 801 /* break; */
818 } 802 }
819 803
820 if (!s->s3->tmp.reuse_message && !skip) 804 if (!s->s3->tmp.reuse_message && !skip) {
821 { 805 if (s->debug) {
822 if (s->debug) 806 if ((ret = BIO_flush(s->wbio)) <= 0)
823 {
824 if ((ret=BIO_flush(s->wbio)) <= 0)
825 goto end; 807 goto end;
826 } 808 }
827 809
828 810
829 if ((cb != NULL) && (s->state != state)) 811 if ((cb != NULL) && (s->state != state)) {
830 { 812 new_state = s->state;
831 new_state=s->state; 813 s->state = state;
832 s->state=state; 814 cb(s, SSL_CB_ACCEPT_LOOP, 1);
833 cb(s,SSL_CB_ACCEPT_LOOP,1); 815 s->state = new_state;
834 s->state=new_state;
835 }
836 } 816 }
837 skip=0;
838 } 817 }
818 skip = 0;
819 }
839end: 820end:
840 /* BIO_flush(s->wbio); */ 821 /* BIO_flush(s->wbio); */
841 822
842 s->in_handshake--; 823 s->in_handshake--;
843 if (cb != NULL) 824 if (cb != NULL)
844 cb(s,SSL_CB_ACCEPT_EXIT,ret); 825 cb(s, SSL_CB_ACCEPT_EXIT, ret);
845 return(ret); 826 return (ret);
846 } 827}
847 828
848int ssl3_send_hello_request(SSL *s) 829int
849 { 830ssl3_send_hello_request(SSL *s)
831{
850 unsigned char *p; 832 unsigned char *p;
851 833
852 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 834 if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
853 { 835 p = (unsigned char *)s->init_buf->data;
854 p=(unsigned char *)s->init_buf->data; 836 *(p++) = SSL3_MT_HELLO_REQUEST;
855 *(p++)=SSL3_MT_HELLO_REQUEST; 837 *(p++) = 0;
856 *(p++)=0; 838 *(p++) = 0;
857 *(p++)=0; 839 *(p++) = 0;
858 *(p++)=0;
859 840
860 s->state=SSL3_ST_SW_HELLO_REQ_B; 841 s->state = SSL3_ST_SW_HELLO_REQ_B;
861 /* number of bytes to write */ 842 /* number of bytes to write */
862 s->init_num=4; 843 s->init_num = 4;
863 s->init_off=0; 844 s->init_off = 0;
864 } 845 }
865 846
866 /* SSL3_ST_SW_HELLO_REQ_B */ 847 /* SSL3_ST_SW_HELLO_REQ_B */
867 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 848 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
868 } 849}
869 850
870int ssl3_check_client_hello(SSL *s) 851int
871 { 852ssl3_check_client_hello(SSL *s)
853{
872 int ok; 854 int ok;
873 long n; 855 long n;
874 856
875 /* this function is called when we really expect a Certificate message, 857 /* this function is called when we really expect a Certificate message,
876 * so permit appropriate message length */ 858 * so permit appropriate message length */
877 n=s->method->ssl_get_message(s, 859 n = s->method->ssl_get_message(s,
878 SSL3_ST_SR_CERT_A, 860 SSL3_ST_SR_CERT_A,
879 SSL3_ST_SR_CERT_B, 861 SSL3_ST_SR_CERT_B,
880 -1, 862 -1,
881 s->max_cert_list, 863 s->max_cert_list,
882 &ok); 864 &ok);
883 if (!ok) return((int)n); 865 if (!ok)
866 return ((int)n);
884 s->s3->tmp.reuse_message = 1; 867 s->s3->tmp.reuse_message = 1;
885 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 868 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
886 {
887 /* We only allow the client to restart the handshake once per 869 /* We only allow the client to restart the handshake once per
888 * negotiation. */ 870 * negotiation. */
889 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) 871 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
890 {
891 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 872 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
892 return -1; 873 return -1;
893 } 874 }
894 /* Throw away what we have done so far in the current handshake, 875 /* Throw away what we have done so far in the current handshake,
895 * which will now be aborted. (A full SSL_clear would be too much.) */ 876 * which will now be aborted. (A full SSL_clear would be too much.) */
896#ifndef OPENSSL_NO_DH 877#ifndef OPENSSL_NO_DH
897 if (s->s3->tmp.dh != NULL) 878 if (s->s3->tmp.dh != NULL) {
898 {
899 DH_free(s->s3->tmp.dh); 879 DH_free(s->s3->tmp.dh);
900 s->s3->tmp.dh = NULL; 880 s->s3->tmp.dh = NULL;
901 } 881 }
902#endif 882#endif
903#ifndef OPENSSL_NO_ECDH 883#ifndef OPENSSL_NO_ECDH
904 if (s->s3->tmp.ecdh != NULL) 884 if (s->s3->tmp.ecdh != NULL) {
905 {
906 EC_KEY_free(s->s3->tmp.ecdh); 885 EC_KEY_free(s->s3->tmp.ecdh);
907 s->s3->tmp.ecdh = NULL; 886 s->s3->tmp.ecdh = NULL;
908 } 887 }
909#endif 888#endif
910 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 889 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
911 return 2; 890 return 2;
912 } 891 }
913 return 1; 892 return 1;
914} 893}
915 894
916int ssl3_get_client_hello(SSL *s) 895int
917 { 896ssl3_get_client_hello(SSL *s)
918 int i,j,ok,al,ret= -1; 897{
898 int i, j, ok, al, ret = -1;
919 unsigned int cookie_len; 899 unsigned int cookie_len;
920 long n; 900 long n;
921 unsigned long id; 901 unsigned long id;
922 unsigned char *p,*d,*q; 902 unsigned char *p, *d, *q;
923 SSL_CIPHER *c; 903 SSL_CIPHER *c;
924#ifndef OPENSSL_NO_COMP 904#ifndef OPENSSL_NO_COMP
925 SSL_COMP *comp=NULL; 905 SSL_COMP *comp = NULL;
926#endif 906#endif
927 STACK_OF(SSL_CIPHER) *ciphers=NULL; 907 STACK_OF(SSL_CIPHER) *ciphers = NULL;
928 908
929 /* We do this so that we will respond with our native type. 909 /* We do this so that we will respond with our native type.
930 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 910 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ -932,65 +912,61 @@ int ssl3_get_client_hello(SSL *s)
932 * If we are SSLv3, we will respond with SSLv3, even if prompted with 912 * If we are SSLv3, we will respond with SSLv3, even if prompted with
933 * TLSv1. 913 * TLSv1.
934 */ 914 */
935 if (s->state == SSL3_ST_SR_CLNT_HELLO_A 915 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
936 ) 916 s->state = SSL3_ST_SR_CLNT_HELLO_B;
937 { 917 }
938 s->state=SSL3_ST_SR_CLNT_HELLO_B; 918 s->first_packet = 1;
939 } 919 n = s->method->ssl_get_message(s,
940 s->first_packet=1; 920 SSL3_ST_SR_CLNT_HELLO_B,
941 n=s->method->ssl_get_message(s, 921 SSL3_ST_SR_CLNT_HELLO_C,
942 SSL3_ST_SR_CLNT_HELLO_B, 922 SSL3_MT_CLIENT_HELLO,
943 SSL3_ST_SR_CLNT_HELLO_C, 923 SSL3_RT_MAX_PLAIN_LENGTH,
944 SSL3_MT_CLIENT_HELLO, 924 &ok);
945 SSL3_RT_MAX_PLAIN_LENGTH,
946 &ok);
947 925
948 if (!ok) return((int)n); 926 if (!ok)
949 s->first_packet=0; 927 return ((int)n);
950 d=p=(unsigned char *)s->init_msg; 928 s->first_packet = 0;
929 d = p=(unsigned char *)s->init_msg;
951 930
952 /* use version from inside client hello, not from record header 931 /* use version from inside client hello, not from record header
953 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 932 * (may differ: see RFC 2246, Appendix E, second paragraph) */
954 s->client_version=(((int)p[0])<<8)|(int)p[1]; 933 s->client_version = (((int)p[0]) << 8)|(int)p[1];
955 p+=2; 934 p += 2;
956 935
957 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 936 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
958 (s->version != DTLS1_VERSION && s->client_version < s->version)) 937 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
959 {
960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 938 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 939 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
962 !s->enc_write_ctx && !s->write_hash) 940 !s->enc_write_ctx && !s->write_hash) {
963 {
964 /* similar to ssl3_get_record, send alert using remote version number */ 941 /* similar to ssl3_get_record, send alert using remote version number */
965 s->version = s->client_version; 942 s->version = s->client_version;
966 } 943 }
967 al = SSL_AD_PROTOCOL_VERSION; 944 al = SSL_AD_PROTOCOL_VERSION;
968 goto f_err; 945 goto f_err;
969 } 946 }
970 947
971 /* If we require cookies and this ClientHello doesn't 948 /* If we require cookies and this ClientHello doesn't
972 * contain one, just return since we do not want to 949 * contain one, just return since we do not want to
973 * allocate any memory yet. So check cookie length... 950 * allocate any memory yet. So check cookie length...
974 */ 951 */
975 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 952 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
976 {
977 unsigned int session_length, cookie_length; 953 unsigned int session_length, cookie_length;
978 954
979 session_length = *(p + SSL3_RANDOM_SIZE); 955 session_length = *(p + SSL3_RANDOM_SIZE);
980 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 956 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
981 957
982 if (cookie_length == 0) 958 if (cookie_length == 0)
983 return 1; 959 return 1;
984 } 960 }
985 961
986 /* load the client random */ 962 /* load the client random */
987 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 963 memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
988 p+=SSL3_RANDOM_SIZE; 964 p += SSL3_RANDOM_SIZE;
989 965
990 /* get the session-id */ 966 /* get the session-id */
991 j= *(p++); 967 j= *(p++);
992 968
993 s->hit=0; 969 s->hit = 0;
994 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 970 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
995 * 0.9.7 and later allow this by default, but optionally ignore resumption requests 971 * 0.9.7 and later allow this by default, but optionally ignore resumption requests
996 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 972 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
@@ -1002,31 +978,26 @@ int ssl3_get_client_hello(SSL *s)
1002 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 978 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1003 * setting will be ignored. 979 * setting will be ignored.
1004 */ 980 */
1005 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 981 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1006 { 982 if (!ssl_get_new_session(s, 1))
1007 if (!ssl_get_new_session(s,1))
1008 goto err; 983 goto err;
1009 } 984 } else {
1010 else 985 i = ssl_get_prev_session(s, p, j, d + n);
1011 {
1012 i=ssl_get_prev_session(s, p, j, d + n);
1013 if (i == 1) 986 if (i == 1)
1014 { /* previous session */ 987 { /* previous session */
1015 s->hit=1; 988 s->hit = 1;
1016 } 989 } else if (i == -1)
1017 else if (i == -1)
1018 goto err; 990 goto err;
1019 else /* i == 0 */ 991 else /* i == 0 */
1020 { 992 {
1021 if (!ssl_get_new_session(s,1)) 993 if (!ssl_get_new_session(s, 1))
1022 goto err; 994 goto err;
1023 }
1024 } 995 }
996 }
1025 997
1026 p+=j; 998 p += j;
1027 999
1028 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1000 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
1029 {
1030 /* cookie stuff */ 1001 /* cookie stuff */
1031 cookie_len = *(p++); 1002 cookie_len = *(p++);
1032 1003
@@ -1035,159 +1006,141 @@ int ssl3_get_client_hello(SSL *s)
1035 * HelloVerify message has not been sent--make sure that it 1006 * HelloVerify message has not been sent--make sure that it
1036 * does not cause an overflow. 1007 * does not cause an overflow.
1037 */ 1008 */
1038 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 1009 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
1039 {
1040 /* too much data */ 1010 /* too much data */
1041 al = SSL_AD_DECODE_ERROR; 1011 al = SSL_AD_DECODE_ERROR;
1042 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1012 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1043 goto f_err; 1013 goto f_err;
1044 } 1014 }
1045 1015
1046 /* verify the cookie if appropriate option is set. */ 1016 /* verify the cookie if appropriate option is set. */
1047 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 1017 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
1048 cookie_len > 0) 1018 cookie_len > 0) {
1049 {
1050 memcpy(s->d1->rcvd_cookie, p, cookie_len); 1019 memcpy(s->d1->rcvd_cookie, p, cookie_len);
1051 1020
1052 if ( s->ctx->app_verify_cookie_cb != NULL) 1021 if (s->ctx->app_verify_cookie_cb != NULL) {
1053 { 1022 if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
1054 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1023 cookie_len) == 0) {
1055 cookie_len) == 0) 1024 al = SSL_AD_HANDSHAKE_FAILURE;
1056 { 1025 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1057 al=SSL_AD_HANDSHAKE_FAILURE; 1026 SSL_R_COOKIE_MISMATCH);
1058 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1059 SSL_R_COOKIE_MISMATCH);
1060 goto f_err;
1061 }
1062 /* else cookie verification succeeded */
1063 }
1064 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1065 s->d1->cookie_len) != 0) /* default verification */
1066 {
1067 al=SSL_AD_HANDSHAKE_FAILURE;
1068 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1069 SSL_R_COOKIE_MISMATCH);
1070 goto f_err; 1027 goto f_err;
1071 } 1028 }
1029 /* else cookie verification succeeded */
1030 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1031 s->d1->cookie_len) != 0) /* default verification */
1032 {
1033 al = SSL_AD_HANDSHAKE_FAILURE;
1034 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1035 SSL_R_COOKIE_MISMATCH);
1036 goto f_err;
1037 }
1072 1038
1073 ret = 2; 1039 ret = 2;
1074 } 1040 }
1075 1041
1076 p += cookie_len; 1042 p += cookie_len;
1077 } 1043 }
1078 1044
1079 n2s(p,i); 1045 n2s(p, i);
1080 if ((i == 0) && (j != 0)) 1046 if ((i == 0) && (j != 0)) {
1081 {
1082 /* we need a cipher if we are not resuming a session */ 1047 /* we need a cipher if we are not resuming a session */
1083 al=SSL_AD_ILLEGAL_PARAMETER; 1048 al = SSL_AD_ILLEGAL_PARAMETER;
1084 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 1049 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
1085 goto f_err; 1050 goto f_err;
1086 } 1051 }
1087 if ((p+i) >= (d+n)) 1052 if ((p + i) >= (d + n)) {
1088 {
1089 /* not enough data */ 1053 /* not enough data */
1090 al=SSL_AD_DECODE_ERROR; 1054 al = SSL_AD_DECODE_ERROR;
1091 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1055 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1092 goto f_err; 1056 goto f_err;
1093 } 1057 }
1094 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 1058 if ((i > 0) &&
1095 == NULL)) 1059 (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL)) {
1096 {
1097 goto err; 1060 goto err;
1098 } 1061 }
1099 p+=i; 1062 p += i;
1100 1063
1101 /* If it is a hit, check that the cipher is in the list */ 1064 /* If it is a hit, check that the cipher is in the list */
1102 if ((s->hit) && (i > 0)) 1065 if ((s->hit) && (i > 0)) {
1103 { 1066 j = 0;
1104 j=0; 1067 id = s->session->cipher->id;
1105 id=s->session->cipher->id;
1106 1068
1107#ifdef CIPHER_DEBUG 1069#ifdef CIPHER_DEBUG
1108 printf("client sent %d ciphers\n",sk_num(ciphers)); 1070 printf("client sent %d ciphers\n", sk_num(ciphers));
1109#endif 1071#endif
1110 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 1072 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1111 { 1073 c = sk_SSL_CIPHER_value(ciphers, i);
1112 c=sk_SSL_CIPHER_value(ciphers,i);
1113#ifdef CIPHER_DEBUG 1074#ifdef CIPHER_DEBUG
1114 printf("client [%2d of %2d]:%s\n", 1075 printf("client [%2d of %2d]:%s\n",
1115 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 1076 i, sk_num(ciphers), SSL_CIPHER_get_name(c));
1116#endif 1077#endif
1117 if (c->id == id) 1078 if (c->id == id) {
1118 { 1079 j = 1;
1119 j=1;
1120 break; 1080 break;
1121 }
1122 } 1081 }
1082 }
1123/* Disabled because it can be used in a ciphersuite downgrade 1083/* Disabled because it can be used in a ciphersuite downgrade
1124 * attack: CVE-2010-4180. 1084 * attack: CVE-2010-4180.
1125 */ 1085 */
1126#if 0 1086#if 0
1127 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 1087 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
1128 {
1129 /* Special case as client bug workaround: the previously used cipher may 1088 /* Special case as client bug workaround: the previously used cipher may
1130 * not be in the current list, the client instead might be trying to 1089 * not be in the current list, the client instead might be trying to
1131 * continue using a cipher that before wasn't chosen due to server 1090 * continue using a cipher that before wasn't chosen due to server
1132 * preferences. We'll have to reject the connection if the cipher is not 1091 * preferences. We'll have to reject the connection if the cipher is not
1133 * enabled, though. */ 1092 * enabled, though. */
1134 c = sk_SSL_CIPHER_value(ciphers, 0); 1093 c = sk_SSL_CIPHER_value(ciphers, 0);
1135 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 1094 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
1136 {
1137 s->session->cipher = c; 1095 s->session->cipher = c;
1138 j = 1; 1096 j = 1;
1139 }
1140 } 1097 }
1098 }
1141#endif 1099#endif
1142 if (j == 0) 1100 if (j == 0) {
1143 {
1144 /* we need to have the cipher in the cipher 1101 /* we need to have the cipher in the cipher
1145 * list if we are asked to reuse it */ 1102 * list if we are asked to reuse it */
1146 al=SSL_AD_ILLEGAL_PARAMETER; 1103 al = SSL_AD_ILLEGAL_PARAMETER;
1147 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 1104 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING);
1148 goto f_err; 1105 goto f_err;
1149 }
1150 } 1106 }
1107 }
1151 1108
1152 /* compression */ 1109 /* compression */
1153 i= *(p++); 1110 i= *(p++);
1154 if ((p+i) > (d+n)) 1111 if ((p + i) > (d + n)) {
1155 {
1156 /* not enough data */ 1112 /* not enough data */
1157 al=SSL_AD_DECODE_ERROR; 1113 al = SSL_AD_DECODE_ERROR;
1158 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1114 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1159 goto f_err; 1115 goto f_err;
1160 } 1116 }
1161 q=p; 1117 q = p;
1162 for (j=0; j<i; j++) 1118 for (j = 0; j < i; j++) {
1163 { 1119 if (p[j] == 0)
1164 if (p[j] == 0) break; 1120 break;
1165 } 1121 }
1166 1122
1167 p+=i; 1123 p += i;
1168 if (j >= i) 1124 if (j >= i) {
1169 {
1170 /* no compress */ 1125 /* no compress */
1171 al=SSL_AD_DECODE_ERROR; 1126 al = SSL_AD_DECODE_ERROR;
1172 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 1127 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1173 goto f_err; 1128 goto f_err;
1174 } 1129 }
1175 1130
1176#ifndef OPENSSL_NO_TLSEXT 1131#ifndef OPENSSL_NO_TLSEXT
1177 /* TLS extensions*/ 1132 /* TLS extensions*/
1178 if (s->version >= SSL3_VERSION) 1133 if (s->version >= SSL3_VERSION) {
1179 { 1134 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
1180 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
1181 {
1182 /* 'al' set by ssl_parse_clienthello_tlsext */ 1135 /* 'al' set by ssl_parse_clienthello_tlsext */
1183 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 1136 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1184 goto f_err; 1137 goto f_err;
1185 }
1186 }
1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1189 goto err;
1190 } 1138 }
1139 }
1140 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1141 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1142 goto err;
1143 }
1191 1144
1192 /* Check if we want to use external pre-shared secret for this 1145 /* Check if we want to use external pre-shared secret for this
1193 * handshake for not reused session only. We need to generate 1146 * handshake for not reused session only. We need to generate
@@ -1195,38 +1148,34 @@ int ssl3_get_client_hello(SSL *s)
1195 * SessionTicket processing to use it in key derivation. */ 1148 * SessionTicket processing to use it in key derivation. */
1196 { 1149 {
1197 unsigned char *pos; 1150 unsigned char *pos;
1198 pos=s->s3->server_random; 1151 pos = s->s3->server_random;
1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) 1152 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
1200 { 1153 al = SSL_AD_INTERNAL_ERROR;
1201 al=SSL_AD_INTERNAL_ERROR;
1202 goto f_err; 1154 goto f_err;
1203 } 1155 }
1204 } 1156 }
1205 1157
1206 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) 1158 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1207 { 1159 SSL_CIPHER *pref_cipher = NULL;
1208 SSL_CIPHER *pref_cipher=NULL;
1209 1160
1210 s->session->master_key_length=sizeof(s->session->master_key); 1161 s->session->master_key_length = sizeof(s->session->master_key);
1211 if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1162 if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
1212 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) 1163 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) {
1213 { 1164 s->hit = 1;
1214 s->hit=1; 1165 s->session->ciphers = ciphers;
1215 s->session->ciphers=ciphers; 1166 s->session->verify_result = X509_V_OK;
1216 s->session->verify_result=X509_V_OK;
1217 1167
1218 ciphers=NULL; 1168 ciphers = NULL;
1219 1169
1220 /* check if some cipher was preferred by call back */ 1170 /* check if some cipher was preferred by call back */
1221 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1171 pref_cipher = pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1222 if (pref_cipher == NULL) 1172 if (pref_cipher == NULL) {
1223 { 1173 al = SSL_AD_HANDSHAKE_FAILURE;
1224 al=SSL_AD_HANDSHAKE_FAILURE; 1174 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1225 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1226 goto f_err; 1175 goto f_err;
1227 } 1176 }
1228 1177
1229 s->session->cipher=pref_cipher; 1178 s->session->cipher = pref_cipher;
1230 1179
1231 if (s->cipher_list) 1180 if (s->cipher_list)
1232 sk_SSL_CIPHER_free(s->cipher_list); 1181 sk_SSL_CIPHER_free(s->cipher_list);
@@ -1236,165 +1185,144 @@ int ssl3_get_client_hello(SSL *s)
1236 1185
1237 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1186 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1238 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1187 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1239 }
1240 } 1188 }
1189 }
1241#endif 1190#endif
1242 1191
1243 /* Worst case, we will use the NULL compression, but if we have other 1192 /* Worst case, we will use the NULL compression, but if we have other
1244 * options, we will now look for them. We have i-1 compression 1193 * options, we will now look for them. We have i-1 compression
1245 * algorithms from the client, starting at q. */ 1194 * algorithms from the client, starting at q. */
1246 s->s3->tmp.new_compression=NULL; 1195 s->s3->tmp.new_compression = NULL;
1247#ifndef OPENSSL_NO_COMP 1196#ifndef OPENSSL_NO_COMP
1248 /* This only happens if we have a cache hit */ 1197 /* This only happens if we have a cache hit */
1249 if (s->session->compress_meth != 0) 1198 if (s->session->compress_meth != 0) {
1250 {
1251 int m, comp_id = s->session->compress_meth; 1199 int m, comp_id = s->session->compress_meth;
1252 /* Perform sanity checks on resumed compression algorithm */ 1200 /* Perform sanity checks on resumed compression algorithm */
1253 /* Can't disable compression */ 1201 /* Can't disable compression */
1254 if (s->options & SSL_OP_NO_COMPRESSION) 1202 if (s->options & SSL_OP_NO_COMPRESSION) {
1255 { 1203 al = SSL_AD_INTERNAL_ERROR;
1256 al=SSL_AD_INTERNAL_ERROR; 1204 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1257 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1258 goto f_err; 1205 goto f_err;
1259 } 1206 }
1260 /* Look for resumed compression method */ 1207 /* Look for resumed compression method */
1261 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) 1208 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1262 { 1209 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1263 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1210 if (comp_id == comp->id) {
1264 if (comp_id == comp->id) 1211 s->s3->tmp.new_compression = comp;
1265 {
1266 s->s3->tmp.new_compression=comp;
1267 break; 1212 break;
1268 }
1269 } 1213 }
1270 if (s->s3->tmp.new_compression == NULL) 1214 }
1271 { 1215 if (s->s3->tmp.new_compression == NULL) {
1272 al=SSL_AD_INTERNAL_ERROR; 1216 al = SSL_AD_INTERNAL_ERROR;
1273 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); 1217 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INVALID_COMPRESSION_ALGORITHM);
1274 goto f_err; 1218 goto f_err;
1275 } 1219 }
1276 /* Look for resumed method in compression list */ 1220 /* Look for resumed method in compression list */
1277 for (m = 0; m < i; m++) 1221 for (m = 0; m < i; m++) {
1278 {
1279 if (q[m] == comp_id) 1222 if (q[m] == comp_id)
1280 break; 1223 break;
1281 } 1224 }
1282 if (m >= i) 1225 if (m >= i) {
1283 { 1226 al = SSL_AD_ILLEGAL_PARAMETER;
1284 al=SSL_AD_ILLEGAL_PARAMETER; 1227 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1285 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1286 goto f_err; 1228 goto f_err;
1287 }
1288 } 1229 }
1289 else if (s->hit) 1230 } else if (s->hit)
1290 comp = NULL; 1231 comp = NULL;
1291 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) 1232 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
1292 { /* See if we have a match */ 1233 { /* See if we have a match */
1293 int m,nn,o,v,done=0; 1234 int m, nn, o, v, done = 0;
1294 1235
1295 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1236 nn = sk_SSL_COMP_num(s->ctx->comp_methods);
1296 for (m=0; m<nn; m++) 1237 for (m = 0; m < nn; m++) {
1297 { 1238 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1298 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1239 v = comp->id;
1299 v=comp->id; 1240 for (o = 0; o < i; o++) {
1300 for (o=0; o<i; o++) 1241 if (v == q[o]) {
1301 { 1242 done = 1;
1302 if (v == q[o])
1303 {
1304 done=1;
1305 break; 1243 break;
1306 }
1307 } 1244 }
1308 if (done) break;
1309 } 1245 }
1246 if (done)
1247 break;
1248 }
1310 if (done) 1249 if (done)
1311 s->s3->tmp.new_compression=comp; 1250 s->s3->tmp.new_compression = comp;
1312 else 1251 else
1313 comp=NULL; 1252 comp = NULL;
1314 } 1253 }
1315#else 1254#else
1316 /* If compression is disabled we'd better not try to resume a session 1255 /* If compression is disabled we'd better not try to resume a session
1317 * using compression. 1256 * using compression.
1318 */ 1257 */
1319 if (s->session->compress_meth != 0) 1258 if (s->session->compress_meth != 0) {
1320 { 1259 al = SSL_AD_INTERNAL_ERROR;
1321 al=SSL_AD_INTERNAL_ERROR; 1260 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1322 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1323 goto f_err; 1261 goto f_err;
1324 } 1262 }
1325#endif 1263#endif
1326 1264
1327 /* Given s->session->ciphers and SSL_get_ciphers, we must 1265 /* Given s->session->ciphers and SSL_get_ciphers, we must
1328 * pick a cipher */ 1266 * pick a cipher */
1329 1267
1330 if (!s->hit) 1268 if (!s->hit) {
1331 {
1332#ifdef OPENSSL_NO_COMP 1269#ifdef OPENSSL_NO_COMP
1333 s->session->compress_meth=0; 1270 s->session->compress_meth = 0;
1334#else 1271#else
1335 s->session->compress_meth=(comp == NULL)?0:comp->id; 1272 s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1336#endif 1273#endif
1337 if (s->session->ciphers != NULL) 1274 if (s->session->ciphers != NULL)
1338 sk_SSL_CIPHER_free(s->session->ciphers); 1275 sk_SSL_CIPHER_free(s->session->ciphers);
1339 s->session->ciphers=ciphers; 1276 s->session->ciphers = ciphers;
1340 if (ciphers == NULL) 1277 if (ciphers == NULL) {
1341 { 1278 al = SSL_AD_ILLEGAL_PARAMETER;
1342 al=SSL_AD_ILLEGAL_PARAMETER; 1279 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
1343 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
1344 goto f_err; 1280 goto f_err;
1345 } 1281 }
1346 ciphers=NULL; 1282 ciphers = NULL;
1347 c=ssl3_choose_cipher(s,s->session->ciphers, 1283 c = ssl3_choose_cipher(s, s->session->ciphers,
1348 SSL_get_ciphers(s)); 1284 SSL_get_ciphers(s));
1349 1285
1350 if (c == NULL) 1286 if (c == NULL) {
1351 { 1287 al = SSL_AD_HANDSHAKE_FAILURE;
1352 al=SSL_AD_HANDSHAKE_FAILURE; 1288 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1353 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1354 goto f_err; 1289 goto f_err;
1355 }
1356 s->s3->tmp.new_cipher=c;
1357 } 1290 }
1358 else 1291 s->s3->tmp.new_cipher = c;
1359 { 1292 } else {
1360 /* Session-id reuse */ 1293 /* Session-id reuse */
1361#ifdef REUSE_CIPHER_BUG 1294#ifdef REUSE_CIPHER_BUG
1362 STACK_OF(SSL_CIPHER) *sk; 1295 STACK_OF(SSL_CIPHER) *sk;
1363 SSL_CIPHER *nc=NULL; 1296 SSL_CIPHER *nc = NULL;
1364 SSL_CIPHER *ec=NULL; 1297 SSL_CIPHER *ec = NULL;
1365 1298
1366 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1299 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
1367 { 1300 sk = s->session->ciphers;
1368 sk=s->session->ciphers; 1301 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
1369 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1302 c = sk_SSL_CIPHER_value(sk, i);
1370 {
1371 c=sk_SSL_CIPHER_value(sk,i);
1372 if (c->algorithm_enc & SSL_eNULL) 1303 if (c->algorithm_enc & SSL_eNULL)
1373 nc=c; 1304 nc = c;
1374 if (SSL_C_IS_EXPORT(c)) 1305 if (SSL_C_IS_EXPORT(c))
1375 ec=c; 1306 ec = c;
1376 } 1307 }
1377 if (nc != NULL) 1308 if (nc != NULL)
1378 s->s3->tmp.new_cipher=nc; 1309 s->s3->tmp.new_cipher = nc;
1379 else if (ec != NULL) 1310 else if (ec != NULL)
1380 s->s3->tmp.new_cipher=ec; 1311 s->s3->tmp.new_cipher = ec;
1381 else 1312 else
1382 s->s3->tmp.new_cipher=s->session->cipher; 1313 s->s3->tmp.new_cipher = s->session->cipher;
1383 } 1314 } else
1384 else
1385#endif 1315#endif
1386 s->s3->tmp.new_cipher=s->session->cipher; 1316 s->s3->tmp.new_cipher = s->session->cipher;
1387 } 1317 }
1388 1318
1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1319 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) {
1390 { 1320 if (!ssl3_digest_cached_records(s)) {
1391 if (!ssl3_digest_cached_records(s))
1392 {
1393 al = SSL_AD_INTERNAL_ERROR; 1321 al = SSL_AD_INTERNAL_ERROR;
1394 goto f_err; 1322 goto f_err;
1395 }
1396 } 1323 }
1397 1324 }
1325
1398 /* we now have the following setup. 1326 /* we now have the following setup.
1399 * client_random 1327 * client_random
1400 * cipher_list - our prefered list of ciphers 1328 * cipher_list - our prefered list of ciphers
@@ -1407,50 +1335,49 @@ int ssl3_get_client_hello(SSL *s)
1407 */ 1335 */
1408 1336
1409 /* Handles TLS extensions that we couldn't check earlier */ 1337 /* Handles TLS extensions that we couldn't check earlier */
1410 if (s->version >= SSL3_VERSION) 1338 if (s->version >= SSL3_VERSION) {
1411 { 1339 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1412 if (ssl_check_clienthello_tlsext_late(s) <= 0)
1413 {
1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1340 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1415 goto err; 1341 goto err;
1416 }
1417 } 1342 }
1343 }
1418 1344
1419 if (ret < 0) ret=1; 1345 if (ret < 0)
1420 if (0) 1346 ret = 1;
1421 { 1347 if (0) {
1422f_err: 1348f_err:
1423 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1349 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1424 }
1425err:
1426 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
1427 return(ret);
1428 } 1350 }
1351err:
1352 if (ciphers != NULL)
1353 sk_SSL_CIPHER_free(ciphers);
1354 return (ret);
1355}
1429 1356
1430int ssl3_send_server_hello(SSL *s) 1357int
1431 { 1358ssl3_send_server_hello(SSL *s)
1359{
1432 unsigned char *buf; 1360 unsigned char *buf;
1433 unsigned char *p,*d; 1361 unsigned char *p, *d;
1434 int i,sl; 1362 int i, sl;
1435 unsigned long l; 1363 unsigned long l;
1436 1364
1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1365 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1438 { 1366 buf = (unsigned char *)s->init_buf->data;
1439 buf=(unsigned char *)s->init_buf->data;
1440#ifdef OPENSSL_NO_TLSEXT 1367#ifdef OPENSSL_NO_TLSEXT
1441 p=s->s3->server_random; 1368 p = s->s3->server_random;
1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1369 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1443 return -1; 1370 return -1;
1444#endif 1371#endif
1445 /* Do the message type and length last */ 1372 /* Do the message type and length last */
1446 d=p= &(buf[4]); 1373 d = p= &(buf[4]);
1447 1374
1448 *(p++)=s->version>>8; 1375 *(p++) = s->version >> 8;
1449 *(p++)=s->version&0xff; 1376 *(p++) = s->version&0xff;
1450 1377
1451 /* Random stuff */ 1378 /* Random stuff */
1452 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1379 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1453 p+=SSL3_RANDOM_SIZE; 1380 p += SSL3_RANDOM_SIZE;
1454 1381
1455 /* There are several cases for the session ID to send 1382 /* There are several cases for the session ID to send
1456 * back in the server hello: 1383 * back in the server hello:
@@ -1469,317 +1396,287 @@ int ssl3_send_server_hello(SSL *s)
1469 */ 1396 */
1470 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1397 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1471 && !s->hit) 1398 && !s->hit)
1472 s->session->session_id_length=0; 1399 s->session->session_id_length = 0;
1473 1400
1474 sl=s->session->session_id_length; 1401 sl = s->session->session_id_length;
1475 if (sl > (int)sizeof(s->session->session_id)) 1402 if (sl > (int)sizeof(s->session->session_id)) {
1476 {
1477 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1403 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1478 return -1; 1404 return -1;
1479 } 1405 }
1480 *(p++)=sl; 1406 *(p++) = sl;
1481 memcpy(p,s->session->session_id,sl); 1407 memcpy(p, s->session->session_id, sl);
1482 p+=sl; 1408 p += sl;
1483 1409
1484 /* put the cipher */ 1410 /* put the cipher */
1485 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1411 i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
1486 p+=i; 1412 p += i;
1487 1413
1488 /* put the compression method */ 1414 /* put the compression method */
1489#ifdef OPENSSL_NO_COMP 1415#ifdef OPENSSL_NO_COMP
1490 *(p++)=0; 1416 *(p++) = 0;
1491#else 1417#else
1492 if (s->s3->tmp.new_compression == NULL) 1418 if (s->s3->tmp.new_compression == NULL)
1493 *(p++)=0; 1419 *(p++) = 0;
1494 else 1420 else
1495 *(p++)=s->s3->tmp.new_compression->id; 1421 *(p++) = s->s3->tmp.new_compression->id;
1496#endif 1422#endif
1497#ifndef OPENSSL_NO_TLSEXT 1423#ifndef OPENSSL_NO_TLSEXT
1498 if (ssl_prepare_serverhello_tlsext(s) <= 0) 1424 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1499 { 1425 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1500 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1501 return -1; 1426 return -1;
1502 } 1427 }
1503 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1428 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1504 { 1429 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1505 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
1506 return -1; 1430 return -1;
1507 } 1431 }
1508#endif 1432#endif
1509 /* do the header */ 1433 /* do the header */
1510 l=(p-d); 1434 l = (p - d);
1511 d=buf; 1435 d = buf;
1512 *(d++)=SSL3_MT_SERVER_HELLO; 1436 *(d++) = SSL3_MT_SERVER_HELLO;
1513 l2n3(l,d); 1437 l2n3(l, d);
1514 1438
1515 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1439 s->state = SSL3_ST_SW_SRVR_HELLO_B;
1516 /* number of bytes to write */ 1440 /* number of bytes to write */
1517 s->init_num=p-buf; 1441 s->init_num = p - buf;
1518 s->init_off=0; 1442 s->init_off = 0;
1519 } 1443 }
1520 1444
1521 /* SSL3_ST_SW_SRVR_HELLO_B */ 1445 /* SSL3_ST_SW_SRVR_HELLO_B */
1522 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1446 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1523 } 1447}
1524 1448
1525int ssl3_send_server_done(SSL *s) 1449int
1526 { 1450ssl3_send_server_done(SSL *s)
1451{
1527 unsigned char *p; 1452 unsigned char *p;
1528 1453
1529 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1454 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1530 { 1455 p = (unsigned char *)s->init_buf->data;
1531 p=(unsigned char *)s->init_buf->data;
1532 1456
1533 /* do the header */ 1457 /* do the header */
1534 *(p++)=SSL3_MT_SERVER_DONE; 1458 *(p++) = SSL3_MT_SERVER_DONE;
1535 *(p++)=0; 1459 *(p++) = 0;
1536 *(p++)=0; 1460 *(p++) = 0;
1537 *(p++)=0; 1461 *(p++) = 0;
1538 1462
1539 s->state=SSL3_ST_SW_SRVR_DONE_B; 1463 s->state = SSL3_ST_SW_SRVR_DONE_B;
1540 /* number of bytes to write */ 1464 /* number of bytes to write */
1541 s->init_num=4; 1465 s->init_num = 4;
1542 s->init_off=0; 1466 s->init_off = 0;
1543 } 1467 }
1544 1468
1545 /* SSL3_ST_SW_SRVR_DONE_B */ 1469 /* SSL3_ST_SW_SRVR_DONE_B */
1546 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1470 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1547 } 1471}
1548 1472
1549int ssl3_send_server_key_exchange(SSL *s) 1473int
1550 { 1474ssl3_send_server_key_exchange(SSL *s)
1475{
1551#ifndef OPENSSL_NO_RSA 1476#ifndef OPENSSL_NO_RSA
1552 unsigned char *q; 1477 unsigned char *q;
1553 int j,num; 1478 int j, num;
1554 RSA *rsa; 1479 RSA *rsa;
1555 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1480 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1556 unsigned int u; 1481 unsigned int u;
1557#endif 1482#endif
1558#ifndef OPENSSL_NO_DH 1483#ifndef OPENSSL_NO_DH
1559 DH *dh=NULL,*dhp; 1484 DH *dh = NULL, *dhp;
1560#endif 1485#endif
1561#ifndef OPENSSL_NO_ECDH 1486#ifndef OPENSSL_NO_ECDH
1562 EC_KEY *ecdh=NULL, *ecdhp; 1487 EC_KEY *ecdh = NULL, *ecdhp;
1563 unsigned char *encodedPoint = NULL; 1488 unsigned char *encodedPoint = NULL;
1564 int encodedlen = 0; 1489 int encodedlen = 0;
1565 int curve_id = 0; 1490 int curve_id = 0;
1566 BN_CTX *bn_ctx = NULL; 1491 BN_CTX *bn_ctx = NULL;
1492
1567#endif 1493#endif
1568 EVP_PKEY *pkey; 1494 EVP_PKEY *pkey;
1569 const EVP_MD *md = NULL; 1495 const EVP_MD *md = NULL;
1570 unsigned char *p,*d; 1496 unsigned char *p, *d;
1571 int al,i; 1497 int al, i;
1572 unsigned long type; 1498 unsigned long type;
1573 int n; 1499 int n;
1574 CERT *cert; 1500 CERT *cert;
1575 BIGNUM *r[4]; 1501 BIGNUM *r[4];
1576 int nr[4],kn; 1502 int nr[4], kn;
1577 BUF_MEM *buf; 1503 BUF_MEM *buf;
1578 EVP_MD_CTX md_ctx; 1504 EVP_MD_CTX md_ctx;
1579 1505
1580 EVP_MD_CTX_init(&md_ctx); 1506 EVP_MD_CTX_init(&md_ctx);
1581 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1507 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1582 { 1508 type = s->s3->tmp.new_cipher->algorithm_mkey;
1583 type=s->s3->tmp.new_cipher->algorithm_mkey; 1509 cert = s->cert;
1584 cert=s->cert;
1585 1510
1586 buf=s->init_buf; 1511 buf = s->init_buf;
1587 1512
1588 r[0]=r[1]=r[2]=r[3]=NULL; 1513 r[0] = r[1] = r[2] = r[3] = NULL;
1589 n=0; 1514 n = 0;
1590#ifndef OPENSSL_NO_RSA 1515#ifndef OPENSSL_NO_RSA
1591 if (type & SSL_kRSA) 1516 if (type & SSL_kRSA) {
1592 { 1517 rsa = cert->rsa_tmp;
1593 rsa=cert->rsa_tmp; 1518 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
1594 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1519 rsa = s->cert->rsa_tmp_cb(s,
1595 { 1520 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1596 rsa=s->cert->rsa_tmp_cb(s, 1521 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1597 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1522 if (rsa == NULL) {
1598 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1523 al = SSL_AD_HANDSHAKE_FAILURE;
1599 if(rsa == NULL) 1524 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1600 {
1601 al=SSL_AD_HANDSHAKE_FAILURE;
1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1603 goto f_err; 1525 goto f_err;
1604 } 1526 }
1605 RSA_up_ref(rsa); 1527 RSA_up_ref(rsa);
1606 cert->rsa_tmp=rsa; 1528 cert->rsa_tmp = rsa;
1607 } 1529 }
1608 if (rsa == NULL) 1530 if (rsa == NULL) {
1609 { 1531 al = SSL_AD_HANDSHAKE_FAILURE;
1610 al=SSL_AD_HANDSHAKE_FAILURE; 1532 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY);
1611 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
1612 goto f_err; 1533 goto f_err;
1613 }
1614 r[0]=rsa->n;
1615 r[1]=rsa->e;
1616 s->s3->tmp.use_rsa_tmp=1;
1617 } 1534 }
1618 else 1535 r[0] = rsa->n;
1536 r[1] = rsa->e;
1537 s->s3->tmp.use_rsa_tmp = 1;
1538 } else
1619#endif 1539#endif
1620#ifndef OPENSSL_NO_DH 1540#ifndef OPENSSL_NO_DH
1621 if (type & SSL_kEDH) 1541 if (type & SSL_kEDH) {
1622 { 1542 dhp = cert->dh_tmp;
1623 dhp=cert->dh_tmp;
1624 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1543 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1625 dhp=s->cert->dh_tmp_cb(s, 1544 dhp = s->cert->dh_tmp_cb(s,
1626 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1545 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1627 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1546 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1628 if (dhp == NULL) 1547 if (dhp == NULL) {
1629 { 1548 al = SSL_AD_HANDSHAKE_FAILURE;
1630 al=SSL_AD_HANDSHAKE_FAILURE; 1549 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
1631 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1632 goto f_err; 1550 goto f_err;
1633 } 1551 }
1634 1552
1635 if (s->s3->tmp.dh != NULL) 1553 if (s->s3->tmp.dh != NULL) {
1636 {
1637 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1554 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1638 goto err; 1555 goto err;
1639 } 1556 }
1640 1557
1641 if ((dh=DHparams_dup(dhp)) == NULL) 1558 if ((dh = DHparams_dup(dhp)) == NULL) {
1642 { 1559 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1643 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1644 goto err; 1560 goto err;
1645 } 1561 }
1646 1562
1647 s->s3->tmp.dh=dh; 1563 s->s3->tmp.dh = dh;
1648 if ((dhp->pub_key == NULL || 1564 if ((dhp->pub_key == NULL || dhp->priv_key == NULL ||
1649 dhp->priv_key == NULL || 1565 (s->options & SSL_OP_SINGLE_DH_USE))) {
1650 (s->options & SSL_OP_SINGLE_DH_USE))) 1566 if (!DH_generate_key(dh)) {
1651 { 1567 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1652 if(!DH_generate_key(dh)) 1568 ERR_R_DH_LIB);
1653 { 1569 goto err;
1654 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1655 ERR_R_DH_LIB);
1656 goto err;
1657 }
1658 } 1570 }
1659 else 1571 } else {
1660 { 1572 dh->pub_key = BN_dup(dhp->pub_key);
1661 dh->pub_key=BN_dup(dhp->pub_key); 1573 dh->priv_key = BN_dup(dhp->priv_key);
1662 dh->priv_key=BN_dup(dhp->priv_key);
1663 if ((dh->pub_key == NULL) || 1574 if ((dh->pub_key == NULL) ||
1664 (dh->priv_key == NULL)) 1575 (dh->priv_key == NULL)) {
1665 { 1576 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1666 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1667 goto err; 1577 goto err;
1668 }
1669 } 1578 }
1670 r[0]=dh->p;
1671 r[1]=dh->g;
1672 r[2]=dh->pub_key;
1673 } 1579 }
1674 else 1580 r[0] = dh->p;
1581 r[1] = dh->g;
1582 r[2] = dh->pub_key;
1583 } else
1675#endif 1584#endif
1676#ifndef OPENSSL_NO_ECDH 1585#ifndef OPENSSL_NO_ECDH
1677 if (type & SSL_kEECDH) 1586 if (type & SSL_kEECDH) {
1678 {
1679 const EC_GROUP *group; 1587 const EC_GROUP *group;
1680 1588
1681 ecdhp=cert->ecdh_tmp; 1589 ecdhp = cert->ecdh_tmp;
1682 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1590 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
1683 { 1591 ecdhp = s->cert->ecdh_tmp_cb(
1684 ecdhp=s->cert->ecdh_tmp_cb(s, 1592 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1685 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1593 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1686 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1594 }
1687 } 1595 if (ecdhp == NULL) {
1688 if (ecdhp == NULL) 1596 al = SSL_AD_HANDSHAKE_FAILURE;
1689 { 1597 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
1690 al=SSL_AD_HANDSHAKE_FAILURE;
1691 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
1692 goto f_err; 1598 goto f_err;
1693 } 1599 }
1694 1600
1695 if (s->s3->tmp.ecdh != NULL) 1601 if (s->s3->tmp.ecdh != NULL) {
1696 {
1697 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1698 goto err; 1603 goto err;
1699 } 1604 }
1700 1605
1701 /* Duplicate the ECDH structure. */ 1606 /* Duplicate the ECDH structure. */
1702 if (ecdhp == NULL) 1607 if (ecdhp == NULL) {
1703 { 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1704 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1705 goto err; 1609 goto err;
1706 } 1610 }
1707 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1611 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1708 { 1612 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1709 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1710 goto err; 1613 goto err;
1711 } 1614 }
1712 1615
1713 s->s3->tmp.ecdh=ecdh; 1616 s->s3->tmp.ecdh = ecdh;
1714 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1617 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1715 (EC_KEY_get0_private_key(ecdh) == NULL) || 1618 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1716 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1619 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1717 { 1620 if (!EC_KEY_generate_key(ecdh)) {
1718 if(!EC_KEY_generate_key(ecdh)) 1621 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1719 { 1622 goto err;
1720 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1721 goto err;
1722 }
1723 } 1623 }
1624 }
1724 1625
1725 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1626 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1726 (EC_KEY_get0_public_key(ecdh) == NULL) || 1627 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1727 (EC_KEY_get0_private_key(ecdh) == NULL)) 1628 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1728 { 1629 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1730 goto err; 1630 goto err;
1731 } 1631 }
1732 1632
1733 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1633 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1734 (EC_GROUP_get_degree(group) > 163)) 1634 (EC_GROUP_get_degree(group) > 163)) {
1735 { 1635 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1736 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1737 goto err; 1636 goto err;
1738 } 1637 }
1739 1638
1740 /* XXX: For now, we only support ephemeral ECDH 1639 /* XXX: For now, we only support ephemeral ECDH
1741 * keys over named (not generic) curves. For 1640 * keys over named (not generic) curves. For
1742 * supported named curves, curve_id is non-zero. 1641 * supported named curves, curve_id is non-zero.
1743 */ 1642 */
1744 if ((curve_id = 1643 if ((curve_id = tls1_ec_nid2curve_id(
1745 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1644 EC_GROUP_get_curve_name(group))) == 0) {
1746 == 0) 1645 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1747 {
1748 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1749 goto err; 1646 goto err;
1750 } 1647 }
1751 1648
1752 /* Encode the public key. 1649 /* Encode the public key.
1753 * First check the size of encoding and 1650 * First check the size of encoding and
1754 * allocate memory accordingly. 1651 * allocate memory accordingly.
1755 */ 1652 */
1756 encodedlen = EC_POINT_point2oct(group, 1653 encodedlen = EC_POINT_point2oct(group,
1757 EC_KEY_get0_public_key(ecdh), 1654 EC_KEY_get0_public_key(ecdh),
1758 POINT_CONVERSION_UNCOMPRESSED, 1655 POINT_CONVERSION_UNCOMPRESSED,
1759 NULL, 0, NULL); 1656 NULL, 0, NULL);
1657
1658 encodedPoint = (unsigned char *)
1659 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1760 1660
1761 encodedPoint = (unsigned char *)
1762 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1763 bn_ctx = BN_CTX_new(); 1661 bn_ctx = BN_CTX_new();
1764 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1662 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1765 { 1663 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1766 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1767 goto err; 1664 goto err;
1768 } 1665 }
1769 1666
1770 1667
1771 encodedlen = EC_POINT_point2oct(group, 1668 encodedlen = EC_POINT_point2oct(group,
1772 EC_KEY_get0_public_key(ecdh), 1669 EC_KEY_get0_public_key(ecdh),
1773 POINT_CONVERSION_UNCOMPRESSED, 1670 POINT_CONVERSION_UNCOMPRESSED,
1774 encodedPoint, encodedlen, bn_ctx); 1671 encodedPoint, encodedlen, bn_ctx);
1775 1672
1776 if (encodedlen == 0) 1673 if (encodedlen == 0) {
1777 { 1674 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1778 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1779 goto err; 1675 goto err;
1780 } 1676 }
1781 1677
1782 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1678 BN_CTX_free(bn_ctx);
1679 bn_ctx = NULL;
1783 1680
1784 /* XXX: For now, we only support named (not 1681 /* XXX: For now, we only support named (not
1785 * generic) curves in ECDH ephemeral key exchanges. 1682 * generic) curves in ECDH ephemeral key exchanges.
@@ -1792,98 +1689,80 @@ int ssl3_send_server_key_exchange(SSL *s)
1792 /* We'll generate the serverKeyExchange message 1689 /* We'll generate the serverKeyExchange message
1793 * explicitly so we can set these to NULLs 1690 * explicitly so we can set these to NULLs
1794 */ 1691 */
1795 r[0]=NULL; 1692 r[0] = NULL;
1796 r[1]=NULL; 1693 r[1] = NULL;
1797 r[2]=NULL; 1694 r[2] = NULL;
1798 r[3]=NULL; 1695 r[3] = NULL;
1799 } 1696 } else
1800 else
1801#endif /* !OPENSSL_NO_ECDH */ 1697#endif /* !OPENSSL_NO_ECDH */
1802#ifndef OPENSSL_NO_PSK 1698#ifndef OPENSSL_NO_PSK
1803 if (type & SSL_kPSK) 1699 if (type & SSL_kPSK) {
1804 { 1700 /* reserve size for record length and PSK identity hint*/
1805 /* reserve size for record length and PSK identity hint*/ 1701 n += 2 + strlen(s->ctx->psk_identity_hint);
1806 n+=2+strlen(s->ctx->psk_identity_hint); 1702 } else
1807 }
1808 else
1809#endif /* !OPENSSL_NO_PSK */ 1703#endif /* !OPENSSL_NO_PSK */
1810#ifndef OPENSSL_NO_SRP 1704#ifndef OPENSSL_NO_SRP
1811 if (type & SSL_kSRP) 1705 if (type & SSL_kSRP) {
1812 { 1706 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
1813 if ((s->srp_ctx.N == NULL) || 1707 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
1814 (s->srp_ctx.g == NULL) || 1708 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
1815 (s->srp_ctx.s == NULL) ||
1816 (s->srp_ctx.B == NULL))
1817 {
1818 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM);
1819 goto err; 1709 goto err;
1820 }
1821 r[0]=s->srp_ctx.N;
1822 r[1]=s->srp_ctx.g;
1823 r[2]=s->srp_ctx.s;
1824 r[3]=s->srp_ctx.B;
1825 } 1710 }
1826 else 1711 r[0] = s->srp_ctx.N;
1712 r[1] = s->srp_ctx.g;
1713 r[2] = s->srp_ctx.s;
1714 r[3] = s->srp_ctx.B;
1715 } else
1827#endif 1716#endif
1828 { 1717 {
1829 al=SSL_AD_HANDSHAKE_FAILURE; 1718 al = SSL_AD_HANDSHAKE_FAILURE;
1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1719 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1831 goto f_err; 1720 goto f_err;
1832 } 1721 }
1833 for (i=0; i < 4 && r[i] != NULL; i++) 1722 for (i = 0; i < 4 && r[i] != NULL; i++) {
1834 { 1723 nr[i] = BN_num_bytes(r[i]);
1835 nr[i]=BN_num_bytes(r[i]);
1836#ifndef OPENSSL_NO_SRP 1724#ifndef OPENSSL_NO_SRP
1837 if ((i == 2) && (type & SSL_kSRP)) 1725 if ((i == 2) && (type & SSL_kSRP))
1838 n+=1+nr[i]; 1726 n += 1 + nr[i];
1839 else 1727 else
1840#endif 1728#endif
1841 n+=2+nr[i]; 1729 n += 2 + nr[i];
1842 } 1730 }
1843 1731
1844 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1732 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
1845 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1733 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1846 { 1734 if ((pkey = ssl_get_sign_pkey(
1847 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) 1735 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1848 == NULL) 1736 al = SSL_AD_DECODE_ERROR;
1849 {
1850 al=SSL_AD_DECODE_ERROR;
1851 goto f_err; 1737 goto f_err;
1852 }
1853 kn=EVP_PKEY_size(pkey);
1854 }
1855 else
1856 {
1857 pkey=NULL;
1858 kn=0;
1859 } 1738 }
1739 kn = EVP_PKEY_size(pkey);
1740 } else {
1741 pkey = NULL;
1742 kn = 0;
1743 }
1860 1744
1861 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1745 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) {
1862 { 1746 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
1863 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1864 goto err; 1747 goto err;
1865 } 1748 }
1866 d=(unsigned char *)s->init_buf->data; 1749 d = (unsigned char *)s->init_buf->data;
1867 p= &(d[4]); 1750 p = &(d[4]);
1868 1751
1869 for (i=0; i < 4 && r[i] != NULL; i++) 1752 for (i = 0; i < 4 && r[i] != NULL; i++) {
1870 {
1871#ifndef OPENSSL_NO_SRP 1753#ifndef OPENSSL_NO_SRP
1872 if ((i == 2) && (type & SSL_kSRP)) 1754 if ((i == 2) && (type & SSL_kSRP)) {
1873 {
1874 *p = nr[i]; 1755 *p = nr[i];
1875 p++; 1756 p++;
1876 } 1757 } else
1877 else
1878#endif 1758#endif
1879 s2n(nr[i],p); 1759 s2n(nr[i], p);
1880 BN_bn2bin(r[i],p); 1760 BN_bn2bin(r[i], p);
1881 p+=nr[i]; 1761 p += nr[i];
1882 } 1762 }
1883 1763
1884#ifndef OPENSSL_NO_ECDH 1764#ifndef OPENSSL_NO_ECDH
1885 if (type & SSL_kEECDH) 1765 if (type & SSL_kEECDH) {
1886 {
1887 /* XXX: For now, we only support named (not generic) curves. 1766 /* XXX: For now, we only support named (not generic) curves.
1888 * In this situation, the serverKeyExchange message has: 1767 * In this situation, the serverKeyExchange message has:
1889 * [1 byte CurveType], [2 byte CurveName] 1768 * [1 byte CurveType], [2 byte CurveName]
@@ -1898,236 +1777,220 @@ int ssl3_send_server_key_exchange(SSL *s)
1898 p += 1; 1777 p += 1;
1899 *p = encodedlen; 1778 *p = encodedlen;
1900 p += 1; 1779 p += 1;
1901 memcpy((unsigned char*)p, 1780 memcpy((unsigned char*)p,
1902 (unsigned char *)encodedPoint, 1781 (unsigned char *)encodedPoint, encodedlen);
1903 encodedlen);
1904 OPENSSL_free(encodedPoint); 1782 OPENSSL_free(encodedPoint);
1905 encodedPoint = NULL; 1783 encodedPoint = NULL;
1906 p += encodedlen; 1784 p += encodedlen;
1907 } 1785 }
1908#endif 1786#endif
1909 1787
1910#ifndef OPENSSL_NO_PSK 1788#ifndef OPENSSL_NO_PSK
1911 if (type & SSL_kPSK) 1789 if (type & SSL_kPSK) {
1912 {
1913 /* copy PSK identity hint */ 1790 /* copy PSK identity hint */
1914 s2n(strlen(s->ctx->psk_identity_hint), p); 1791 s2n(strlen(s->ctx->psk_identity_hint), p);
1792
1915 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 1793 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
1916 p+=strlen(s->ctx->psk_identity_hint); 1794 p += strlen(s->ctx->psk_identity_hint);
1917 } 1795 }
1918#endif 1796#endif
1919 1797
1920 /* not anonymous */ 1798 /* not anonymous */
1921 if (pkey != NULL) 1799 if (pkey != NULL) {
1922 {
1923 /* n is the length of the params, they start at &(d[4]) 1800 /* n is the length of the params, they start at &(d[4])
1924 * and p points to the space at the end. */ 1801 * and p points to the space at the end. */
1925#ifndef OPENSSL_NO_RSA 1802#ifndef OPENSSL_NO_RSA
1926 if (pkey->type == EVP_PKEY_RSA 1803 if (pkey->type == EVP_PKEY_RSA
1927 && TLS1_get_version(s) < TLS1_2_VERSION) 1804 && TLS1_get_version(s) < TLS1_2_VERSION) {
1928 { 1805 q = md_buf;
1929 q=md_buf; 1806 j = 0;
1930 j=0; 1807 for (num = 2; num > 0; num--) {
1931 for (num=2; num > 0; num--)
1932 {
1933 EVP_MD_CTX_set_flags(&md_ctx, 1808 EVP_MD_CTX_set_flags(&md_ctx,
1934 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1809 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1935 EVP_DigestInit_ex(&md_ctx,(num == 2) 1810 EVP_DigestInit_ex(&md_ctx,
1936 ?s->ctx->md5:s->ctx->sha1, NULL); 1811 (num == 2) ? s->ctx->md5 : s->ctx->sha1, NULL);
1937 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1812 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1938 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1813 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1939 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1814 EVP_DigestUpdate(&md_ctx, &(d[4]), n);
1940 EVP_DigestFinal_ex(&md_ctx,q, 1815 EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
1941 (unsigned int *)&i); 1816 q += i;
1942 q+=i; 1817 j += i;
1943 j+=i; 1818 }
1944 }
1945 if (RSA_sign(NID_md5_sha1, md_buf, j, 1819 if (RSA_sign(NID_md5_sha1, md_buf, j,
1946 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1820 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1947 { 1821 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
1948 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1949 goto err; 1822 goto err;
1950 }
1951 s2n(u,p);
1952 n+=u+2;
1953 } 1823 }
1954 else 1824 s2n(u, p);
1825 n += u + 2;
1826 } else
1955#endif 1827#endif
1956 if (md) 1828 if (md) {
1957 {
1958 /* For TLS1.2 and later send signature 1829 /* For TLS1.2 and later send signature
1959 * algorithm */ 1830 * algorithm */
1960 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1831 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1961 { 1832 if (!tls12_get_sigandhash(p, pkey, md)) {
1962 if (!tls12_get_sigandhash(p, pkey, md))
1963 {
1964 /* Should never happen */ 1833 /* Should never happen */
1965 al=SSL_AD_INTERNAL_ERROR; 1834 al = SSL_AD_INTERNAL_ERROR;
1966 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1835 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1967 goto f_err; 1836 goto f_err;
1968 }
1969 p+=2;
1970 } 1837 }
1838 p += 2;
1839 }
1971#ifdef SSL_DEBUG 1840#ifdef SSL_DEBUG
1972 fprintf(stderr, "Using hash %s\n", 1841 fprintf(stderr, "Using hash %s\n",
1973 EVP_MD_name(md)); 1842 EVP_MD_name(md));
1974#endif 1843#endif
1975 EVP_SignInit_ex(&md_ctx, md, NULL); 1844 EVP_SignInit_ex(&md_ctx, md, NULL);
1976 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1845 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1977 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1846 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1978 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1847 EVP_SignUpdate(&md_ctx, &(d[4]), n);
1979 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1848 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1980 (unsigned int *)&i,pkey)) 1849 (unsigned int *)&i, pkey)) {
1981 { 1850 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
1982 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP);
1983 goto err; 1851 goto err;
1984 }
1985 s2n(i,p);
1986 n+=i+2;
1987 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1988 n+= 2;
1989 } 1852 }
1990 else 1853 s2n(i, p);
1991 { 1854 n += i + 2;
1855 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1856 n += 2;
1857 } else {
1992 /* Is this error check actually needed? */ 1858 /* Is this error check actually needed? */
1993 al=SSL_AD_HANDSHAKE_FAILURE; 1859 al = SSL_AD_HANDSHAKE_FAILURE;
1994 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1860 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_PKEY_TYPE);
1995 goto f_err; 1861 goto f_err;
1996 }
1997 } 1862 }
1863 }
1998 1864
1999 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1865 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
2000 l2n3(n,d); 1866 l2n3(n, d);
2001 1867
2002 /* we should now have things packed up, so lets send 1868 /* we should now have things packed up, so lets send
2003 * it off */ 1869 * it off */
2004 s->init_num=n+4; 1870 s->init_num = n + 4;
2005 s->init_off=0; 1871 s->init_off = 0;
2006 } 1872 }
2007 1873
2008 s->state = SSL3_ST_SW_KEY_EXCH_B; 1874 s->state = SSL3_ST_SW_KEY_EXCH_B;
2009 EVP_MD_CTX_cleanup(&md_ctx); 1875 EVP_MD_CTX_cleanup(&md_ctx);
2010 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1876 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2011f_err: 1877f_err:
2012 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1878 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2013err: 1879err:
2014#ifndef OPENSSL_NO_ECDH 1880#ifndef OPENSSL_NO_ECDH
2015 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1881 if (encodedPoint != NULL)
1882 OPENSSL_free(encodedPoint);
2016 BN_CTX_free(bn_ctx); 1883 BN_CTX_free(bn_ctx);
2017#endif 1884#endif
2018 EVP_MD_CTX_cleanup(&md_ctx); 1885 EVP_MD_CTX_cleanup(&md_ctx);
2019 return(-1); 1886 return (-1);
2020 } 1887}
2021 1888
2022int ssl3_send_certificate_request(SSL *s) 1889int
2023 { 1890ssl3_send_certificate_request(SSL *s)
2024 unsigned char *p,*d; 1891{
2025 int i,j,nl,off,n; 1892 unsigned char *p, *d;
2026 STACK_OF(X509_NAME) *sk=NULL; 1893 int i, j, nl, off, n;
1894 STACK_OF(X509_NAME) *sk = NULL;
2027 X509_NAME *name; 1895 X509_NAME *name;
2028 BUF_MEM *buf; 1896 BUF_MEM *buf;
2029 1897
2030 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1898 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
2031 { 1899 buf = s->init_buf;
2032 buf=s->init_buf;
2033 1900
2034 d=p=(unsigned char *)&(buf->data[4]); 1901 d = p = (unsigned char *)&(buf->data[4]);
2035 1902
2036 /* get the list of acceptable cert types */ 1903 /* get the list of acceptable cert types */
2037 p++; 1904 p++;
2038 n=ssl3_get_req_cert_type(s,p); 1905 n = ssl3_get_req_cert_type(s, p);
2039 d[0]=n; 1906 d[0] = n;
2040 p+=n; 1907 p += n;
2041 n++; 1908 n++;
2042 1909
2043 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1910 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2044 {
2045 nl = tls12_get_req_sig_algs(s, p + 2); 1911 nl = tls12_get_req_sig_algs(s, p + 2);
2046 s2n(nl, p); 1912 s2n(nl, p);
2047 p += nl + 2; 1913 p += nl + 2;
2048 n += nl + 2; 1914 n += nl + 2;
2049 } 1915 }
2050
2051 off=n;
2052 p+=2;
2053 n+=2;
2054 1916
2055 sk=SSL_get_client_CA_list(s); 1917 off = n;
2056 nl=0; 1918 p += 2;
2057 if (sk != NULL) 1919 n += 2;
2058 { 1920
2059 for (i=0; i<sk_X509_NAME_num(sk); i++) 1921 sk = SSL_get_client_CA_list(s);
2060 { 1922 nl = 0;
2061 name=sk_X509_NAME_value(sk,i); 1923 if (sk != NULL) {
2062 j=i2d_X509_NAME(name,NULL); 1924 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2063 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1925 name = sk_X509_NAME_value(sk, i);
2064 { 1926 j = i2d_X509_NAME(name, NULL);
2065 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1927 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) {
1928 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB);
2066 goto err; 1929 goto err;
2067 } 1930 }
2068 p=(unsigned char *)&(buf->data[4+n]); 1931 p = (unsigned char *)&(buf->data[4 + n]);
2069 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1932 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
2070 { 1933 s2n(j, p);
2071 s2n(j,p); 1934 i2d_X509_NAME(name, &p);
2072 i2d_X509_NAME(name,&p); 1935 n += 2 + j;
2073 n+=2+j; 1936 nl += 2 + j;
2074 nl+=2+j; 1937 } else {
2075 } 1938 d = p;
2076 else 1939 i2d_X509_NAME(name, &p);
2077 { 1940 j -= 2;
2078 d=p; 1941 s2n(j, d);
2079 i2d_X509_NAME(name,&p); 1942 j += 2;
2080 j-=2; s2n(j,d); j+=2; 1943 n += j;
2081 n+=j; 1944 nl += j;
2082 nl+=j;
2083 }
2084 } 1945 }
2085 } 1946 }
1947 }
2086 /* else no CA names */ 1948 /* else no CA names */
2087 p=(unsigned char *)&(buf->data[4+off]); 1949 p = (unsigned char *)&(buf->data[4 + off]);
2088 s2n(nl,p); 1950 s2n(nl, p);
2089 1951
2090 d=(unsigned char *)buf->data; 1952 d = (unsigned char *)buf->data;
2091 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1953 *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
2092 l2n3(n,d); 1954 l2n3(n, d);
2093 1955
2094 /* we should now have things packed up, so lets send 1956 /* we should now have things packed up, so lets send
2095 * it off */ 1957 * it off */
2096 1958
2097 s->init_num=n+4; 1959 s->init_num = n + 4;
2098 s->init_off=0; 1960 s->init_off = 0;
2099#ifdef NETSCAPE_HANG_BUG 1961#ifdef NETSCAPE_HANG_BUG
2100 p=(unsigned char *)s->init_buf->data + s->init_num; 1962 p = (unsigned char *)s->init_buf->data + s->init_num;
2101 1963
2102 /* do the header */ 1964 /* do the header */
2103 *(p++)=SSL3_MT_SERVER_DONE; 1965 *(p++) = SSL3_MT_SERVER_DONE;
2104 *(p++)=0; 1966 *(p++) = 0;
2105 *(p++)=0; 1967 *(p++) = 0;
2106 *(p++)=0; 1968 *(p++) = 0;
2107 s->init_num += 4; 1969 s->init_num += 4;
2108#endif 1970#endif
2109 1971
2110 s->state = SSL3_ST_SW_CERT_REQ_B; 1972 s->state = SSL3_ST_SW_CERT_REQ_B;
2111 } 1973 }
2112 1974
2113 /* SSL3_ST_SW_CERT_REQ_B */ 1975 /* SSL3_ST_SW_CERT_REQ_B */
2114 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1976 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2115err: 1977err:
2116 return(-1); 1978 return (-1);
2117 } 1979}
2118 1980
2119int ssl3_get_client_key_exchange(SSL *s) 1981int
2120 { 1982ssl3_get_client_key_exchange(SSL *s)
2121 int i,al,ok; 1983{
1984 int i, al, ok;
2122 long n; 1985 long n;
2123 unsigned long alg_k; 1986 unsigned long alg_k;
2124 unsigned char *p; 1987 unsigned char *p;
2125#ifndef OPENSSL_NO_RSA 1988#ifndef OPENSSL_NO_RSA
2126 RSA *rsa=NULL; 1989 RSA *rsa = NULL;
2127 EVP_PKEY *pkey=NULL; 1990 EVP_PKEY *pkey = NULL;
2128#endif 1991#endif
2129#ifndef OPENSSL_NO_DH 1992#ifndef OPENSSL_NO_DH
2130 BIGNUM *pub=NULL; 1993 BIGNUM *pub = NULL;
2131 DH *dh_srvr; 1994 DH *dh_srvr;
2132#endif 1995#endif
2133#ifndef OPENSSL_NO_KRB5 1996#ifndef OPENSSL_NO_KRB5
@@ -2138,83 +2001,67 @@ int ssl3_get_client_key_exchange(SSL *s)
2138 EC_KEY *srvr_ecdh = NULL; 2001 EC_KEY *srvr_ecdh = NULL;
2139 EVP_PKEY *clnt_pub_pkey = NULL; 2002 EVP_PKEY *clnt_pub_pkey = NULL;
2140 EC_POINT *clnt_ecpoint = NULL; 2003 EC_POINT *clnt_ecpoint = NULL;
2141 BN_CTX *bn_ctx = NULL; 2004 BN_CTX *bn_ctx = NULL;
2142#endif
2143 2005
2144 n=s->method->ssl_get_message(s, 2006#endif
2145 SSL3_ST_SR_KEY_EXCH_A,
2146 SSL3_ST_SR_KEY_EXCH_B,
2147 SSL3_MT_CLIENT_KEY_EXCHANGE,
2148 2048, /* ??? */
2149 &ok);
2150 2007
2151 if (!ok) return((int)n); 2008 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
2152 p=(unsigned char *)s->init_msg; 2009 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
2010 2048, /* ??? */ &ok);
2011 if (!ok)
2012 return ((int)n);
2013 p = (unsigned char *)s->init_msg;
2153 2014
2154 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2015 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2155 2016
2156#ifndef OPENSSL_NO_RSA 2017#ifndef OPENSSL_NO_RSA
2157 if (alg_k & SSL_kRSA) 2018 if (alg_k & SSL_kRSA) {
2158 {
2159 /* FIX THIS UP EAY EAY EAY EAY */ 2019 /* FIX THIS UP EAY EAY EAY EAY */
2160 if (s->s3->tmp.use_rsa_tmp) 2020 if (s->s3->tmp.use_rsa_tmp) {
2161 {
2162 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2021 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
2163 rsa=s->cert->rsa_tmp; 2022 rsa = s->cert->rsa_tmp;
2164 /* Don't do a callback because rsa_tmp should 2023 /* Don't do a callback because rsa_tmp should
2165 * be sent already */ 2024 * be sent already */
2166 if (rsa == NULL) 2025 if (rsa == NULL) {
2167 { 2026 al = SSL_AD_HANDSHAKE_FAILURE;
2168 al=SSL_AD_HANDSHAKE_FAILURE; 2027 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_PKEY);
2169 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
2170 goto f_err; 2028 goto f_err;
2171 2029
2172 }
2173 } 2030 }
2174 else 2031 } else {
2175 { 2032 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
2176 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 2033 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
2177 if ( (pkey == NULL) || 2034 (pkey->pkey.rsa == NULL)) {
2178 (pkey->type != EVP_PKEY_RSA) || 2035 al = SSL_AD_HANDSHAKE_FAILURE;
2179 (pkey->pkey.rsa == NULL)) 2036 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_RSA_CERTIFICATE);
2180 {
2181 al=SSL_AD_HANDSHAKE_FAILURE;
2182 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
2183 goto f_err; 2037 goto f_err;
2184 }
2185 rsa=pkey->pkey.rsa;
2186 } 2038 }
2039 rsa = pkey->pkey.rsa;
2040 }
2187 2041
2188 /* TLS and [incidentally] DTLS{0xFEFF} */ 2042 /* TLS and [incidentally] DTLS{0xFEFF} */
2189 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) 2043 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
2190 { 2044 n2s(p, i);
2191 n2s(p,i); 2045 if (n != i + 2) {
2192 if (n != i+2) 2046 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
2193 { 2047 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2194 if (!(s->options & SSL_OP_TLS_D5_BUG))
2195 {
2196 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2197 goto err; 2048 goto err;
2198 } 2049 } else
2199 else 2050 p -= 2;
2200 p-=2; 2051 } else
2201 } 2052 n = i;
2202 else 2053 }
2203 n=i;
2204 }
2205 2054
2206 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 2055 i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
2207 2056
2208 al = -1; 2057 al = -1;
2209 2058
2210 if (i != SSL_MAX_MASTER_KEY_LENGTH) 2059 if (i != SSL_MAX_MASTER_KEY_LENGTH) {
2211 { 2060 al = SSL_AD_DECODE_ERROR;
2212 al=SSL_AD_DECODE_ERROR;
2213 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 2061 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
2214 } 2062 }
2215 2063
2216 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 2064 if ((al == -1) && !((p[0] == (s->client_version >> 8)) && (p[1] == (s->client_version & 0xff)))) {
2217 {
2218 /* The premaster secret must contain the same version number as the 2065 /* The premaster secret must contain the same version number as the
2219 * ClientHello to detect version rollback attacks (strangely, the 2066 * ClientHello to detect version rollback attacks (strangely, the
2220 * protocol does not offer such protection for DH ciphersuites). 2067 * protocol does not offer such protection for DH ciphersuites).
@@ -2223,9 +2070,8 @@ int ssl3_get_client_key_exchange(SSL *s)
2223 * protocol version. 2070 * protocol version.
2224 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 2071 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
2225 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 2072 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
2226 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 2073 (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) {
2227 { 2074 al = SSL_AD_DECODE_ERROR;
2228 al=SSL_AD_DECODE_ERROR;
2229 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2075 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2230 2076
2231 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2077 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
@@ -2235,11 +2081,10 @@ int ssl3_get_client_key_exchange(SSL *s)
2235 * made up by the adversary is properly formatted except 2081 * made up by the adversary is properly formatted except
2236 * that the version number is wrong. To avoid such attacks, 2082 * that the version number is wrong. To avoid such attacks,
2237 * we should treat this just like any other decryption error. */ 2083 * we should treat this just like any other decryption error. */
2238 }
2239 } 2084 }
2085 }
2240 2086
2241 if (al != -1) 2087 if (al != -1) {
2242 {
2243 /* Some decryption failure -- use random value instead as countermeasure 2088 /* Some decryption failure -- use random value instead as countermeasure
2244 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 2089 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
2245 * (see RFC 2246, section 7.4.7.1). */ 2090 * (see RFC 2246, section 7.4.7.1). */
@@ -2249,83 +2094,69 @@ int ssl3_get_client_key_exchange(SSL *s)
2249 p[1] = s->client_version & 0xff; 2094 p[1] = s->client_version & 0xff;
2250 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 2095 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
2251 goto err; 2096 goto err;
2252 }
2253
2254 s->session->master_key_length=
2255 s->method->ssl3_enc->generate_master_secret(s,
2256 s->session->master_key,
2257 p,i);
2258 OPENSSL_cleanse(p,i);
2259 } 2097 }
2260 else 2098
2099 s->session->master_key_length =
2100 s->method->ssl3_enc->generate_master_secret(s,
2101 s->session->master_key,
2102 p, i);
2103 OPENSSL_cleanse(p, i);
2104 } else
2261#endif 2105#endif
2262#ifndef OPENSSL_NO_DH 2106#ifndef OPENSSL_NO_DH
2263 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2107 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2264 { 2108 n2s(p, i);
2265 n2s(p,i); 2109 if (n != i + 2) {
2266 if (n != i+2) 2110 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
2267 { 2111 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2268 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
2269 {
2270 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2271 goto err; 2112 goto err;
2272 } 2113 } else {
2273 else 2114 p -= 2;
2274 { 2115 i = (int)n;
2275 p-=2;
2276 i=(int)n;
2277 }
2278 } 2116 }
2117 }
2279 2118
2280 if (n == 0L) /* the parameters are in the cert */ 2119 if (n == 0L) /* the parameters are in the cert */
2281 { 2120 {
2282 al=SSL_AD_HANDSHAKE_FAILURE; 2121 al = SSL_AD_HANDSHAKE_FAILURE;
2283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2122 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_DECODE_DH_CERTS);
2284 goto f_err; 2123 goto f_err;
2285 } 2124 } else {
2286 else 2125 if (s->s3->tmp.dh == NULL) {
2287 { 2126 al = SSL_AD_HANDSHAKE_FAILURE;
2288 if (s->s3->tmp.dh == NULL) 2127 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
2289 {
2290 al=SSL_AD_HANDSHAKE_FAILURE;
2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
2292 goto f_err; 2128 goto f_err;
2293 } 2129 } else
2294 else 2130 dh_srvr = s->s3->tmp.dh;
2295 dh_srvr=s->s3->tmp.dh; 2131 }
2296 }
2297 2132
2298 pub=BN_bin2bn(p,i,NULL); 2133 pub = BN_bin2bn(p, i, NULL);
2299 if (pub == NULL) 2134 if (pub == NULL) {
2300 { 2135 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
2302 goto err; 2136 goto err;
2303 } 2137 }
2304 2138
2305 i=DH_compute_key(p,pub,dh_srvr); 2139 i = DH_compute_key(p, pub, dh_srvr);
2306 2140
2307 if (i <= 0) 2141 if (i <= 0) {
2308 { 2142 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2309 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2310 BN_clear_free(pub); 2143 BN_clear_free(pub);
2311 goto err; 2144 goto err;
2312 } 2145 }
2313 2146
2314 DH_free(s->s3->tmp.dh); 2147 DH_free(s->s3->tmp.dh);
2315 s->s3->tmp.dh=NULL; 2148 s->s3->tmp.dh = NULL;
2316 2149
2317 BN_clear_free(pub); 2150 BN_clear_free(pub);
2318 pub=NULL; 2151 pub = NULL;
2319 s->session->master_key_length= 2152 s->session->master_key_length =
2320 s->method->ssl3_enc->generate_master_secret(s, 2153 s->method->ssl3_enc->generate_master_secret(
2321 s->session->master_key,p,i); 2154 s, s->session->master_key, p, i);
2322 OPENSSL_cleanse(p,i); 2155 OPENSSL_cleanse(p, i);
2323 } 2156 } else
2324 else
2325#endif 2157#endif
2326#ifndef OPENSSL_NO_KRB5 2158#ifndef OPENSSL_NO_KRB5
2327 if (alg_k & SSL_kKRB5) 2159 if (alg_k & SSL_kKRB5) {
2328 {
2329 krb5_error_code krb5rc; 2160 krb5_error_code krb5rc;
2330 krb5_data enc_ticket; 2161 krb5_data enc_ticket;
2331 krb5_data authenticator; 2162 krb5_data authenticator;
@@ -2335,100 +2166,94 @@ int ssl3_get_client_key_exchange(SSL *s)
2335 const EVP_CIPHER *enc = NULL; 2166 const EVP_CIPHER *enc = NULL;
2336 unsigned char iv[EVP_MAX_IV_LENGTH]; 2167 unsigned char iv[EVP_MAX_IV_LENGTH];
2337 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2168 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
2338 + EVP_MAX_BLOCK_LENGTH]; 2169 + EVP_MAX_BLOCK_LENGTH];
2339 int padl, outl; 2170 int padl, outl;
2340 krb5_timestamp authtime = 0; 2171 krb5_timestamp authtime = 0;
2341 krb5_ticket_times ttimes; 2172 krb5_ticket_times ttimes;
2342 2173
2343 EVP_CIPHER_CTX_init(&ciph_ctx); 2174 EVP_CIPHER_CTX_init(&ciph_ctx);
2344 2175
2345 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2176 if (!kssl_ctx)
2177 kssl_ctx = kssl_ctx_new();
2346 2178
2347 n2s(p,i); 2179 n2s(p, i);
2348 enc_ticket.length = i; 2180 enc_ticket.length = i;
2349 2181
2350 if (n < (long)(enc_ticket.length + 6)) 2182 if (n < (long)(enc_ticket.length + 6)) {
2351 {
2352 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2183 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2353 SSL_R_DATA_LENGTH_TOO_LONG); 2184 SSL_R_DATA_LENGTH_TOO_LONG);
2354 goto err; 2185 goto err;
2355 } 2186 }
2356 2187
2357 enc_ticket.data = (char *)p; 2188 enc_ticket.data = (char *)p;
2358 p+=enc_ticket.length; 2189 p += enc_ticket.length;
2359 2190
2360 n2s(p,i); 2191 n2s(p, i);
2361 authenticator.length = i; 2192 authenticator.length = i;
2362 2193
2363 if (n < (long)(enc_ticket.length + authenticator.length + 6)) 2194 if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
2364 {
2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2195 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2366 SSL_R_DATA_LENGTH_TOO_LONG); 2196 SSL_R_DATA_LENGTH_TOO_LONG);
2367 goto err; 2197 goto err;
2368 } 2198 }
2369 2199
2370 authenticator.data = (char *)p; 2200 authenticator.data = (char *)p;
2371 p+=authenticator.length; 2201 p += authenticator.length;
2372 2202
2373 n2s(p,i); 2203 n2s(p, i);
2374 enc_pms.length = i; 2204 enc_pms.length = i;
2375 enc_pms.data = (char *)p; 2205 enc_pms.data = (char *)p;
2376 p+=enc_pms.length; 2206 p += enc_pms.length;
2377 2207
2378 /* Note that the length is checked again below, 2208 /* Note that the length is checked again below,
2379 ** after decryption 2209 ** after decryption
2380 */ 2210 */
2381 if(enc_pms.length > sizeof pms) 2211 if (enc_pms.length > sizeof pms) {
2382 {
2383 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2212 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2384 SSL_R_DATA_LENGTH_TOO_LONG); 2213 SSL_R_DATA_LENGTH_TOO_LONG);
2385 goto err; 2214 goto err;
2386 } 2215 }
2387 2216
2388 if (n != (long)(enc_ticket.length + authenticator.length + 2217 if (n != (long)(enc_ticket.length + authenticator.length +
2389 enc_pms.length + 6)) 2218 enc_pms.length + 6)) {
2390 {
2391 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2392 SSL_R_DATA_LENGTH_TOO_LONG); 2220 SSL_R_DATA_LENGTH_TOO_LONG);
2393 goto err; 2221 goto err;
2394 } 2222 }
2395 2223
2396 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2224 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2397 &kssl_err)) != 0) 2225 &kssl_err)) != 0) {
2398 {
2399#ifdef KSSL_DEBUG 2226#ifdef KSSL_DEBUG
2400 printf("kssl_sget_tkt rtn %d [%d]\n", 2227 printf("kssl_sget_tkt rtn %d [%d]\n",
2401 krb5rc, kssl_err.reason); 2228 krb5rc, kssl_err.reason);
2402 if (kssl_err.text) 2229 if (kssl_err.text)
2403 printf("kssl_err text= %s\n", kssl_err.text); 2230 printf("kssl_err text= %s\n", kssl_err.text);
2404#endif /* KSSL_DEBUG */ 2231#endif /* KSSL_DEBUG */
2405 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2232 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2406 kssl_err.reason); 2233 kssl_err.reason);
2407 goto err; 2234 goto err;
2408 } 2235 }
2409 2236
2410 /* Note: no authenticator is not considered an error, 2237 /* Note: no authenticator is not considered an error,
2411 ** but will return authtime == 0. 2238 ** but will return authtime == 0.
2412 */ 2239 */
2413 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2240 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
2414 &authtime, &kssl_err)) != 0) 2241 &authtime, &kssl_err)) != 0) {
2415 {
2416#ifdef KSSL_DEBUG 2242#ifdef KSSL_DEBUG
2417 printf("kssl_check_authent rtn %d [%d]\n", 2243 printf("kssl_check_authent rtn %d [%d]\n",
2418 krb5rc, kssl_err.reason); 2244 krb5rc, kssl_err.reason);
2419 if (kssl_err.text) 2245 if (kssl_err.text)
2420 printf("kssl_err text= %s\n", kssl_err.text); 2246 printf("kssl_err text= %s\n", kssl_err.text);
2421#endif /* KSSL_DEBUG */ 2247#endif /* KSSL_DEBUG */
2422 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2248 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2423 kssl_err.reason); 2249 kssl_err.reason);
2424 goto err; 2250 goto err;
2425 } 2251 }
2426 2252
2427 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2253 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
2428 {
2429 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2254 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2430 goto err; 2255 goto err;
2431 } 2256 }
2432 2257
2433#ifdef KSSL_DEBUG 2258#ifdef KSSL_DEBUG
2434 kssl_ctx_show(kssl_ctx); 2259 kssl_ctx_show(kssl_ctx);
@@ -2436,44 +2261,38 @@ int ssl3_get_client_key_exchange(SSL *s)
2436 2261
2437 enc = kssl_map_enc(kssl_ctx->enctype); 2262 enc = kssl_map_enc(kssl_ctx->enctype);
2438 if (enc == NULL) 2263 if (enc == NULL)
2439 goto err; 2264 goto err;
2440 2265
2441 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2266 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2442 2267
2443 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2268 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) {
2444 {
2445 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2446 SSL_R_DECRYPTION_FAILED); 2270 SSL_R_DECRYPTION_FAILED);
2447 goto err; 2271 goto err;
2448 } 2272 }
2449 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2273 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
2450 (unsigned char *)enc_pms.data, enc_pms.length)) 2274 (unsigned char *)enc_pms.data, enc_pms.length)) {
2451 {
2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2275 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2453 SSL_R_DECRYPTION_FAILED); 2276 SSL_R_DECRYPTION_FAILED);
2454 goto err; 2277 goto err;
2455 } 2278 }
2456 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2279 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2457 {
2458 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2280 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2459 SSL_R_DATA_LENGTH_TOO_LONG); 2281 SSL_R_DATA_LENGTH_TOO_LONG);
2460 goto err; 2282 goto err;
2461 } 2283 }
2462 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2284 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
2463 {
2464 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2285 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2465 SSL_R_DECRYPTION_FAILED); 2286 SSL_R_DECRYPTION_FAILED);
2466 goto err; 2287 goto err;
2467 } 2288 }
2468 outl += padl; 2289 outl += padl;
2469 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2290 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2470 {
2471 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2472 SSL_R_DATA_LENGTH_TOO_LONG); 2292 SSL_R_DATA_LENGTH_TOO_LONG);
2473 goto err; 2293 goto err;
2474 } 2294 }
2475 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2295 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
2476 {
2477 /* The premaster secret must contain the same version number as the 2296 /* The premaster secret must contain the same version number as the
2478 * ClientHello to detect version rollback attacks (strangely, the 2297 * ClientHello to detect version rollback attacks (strangely, the
2479 * protocol does not offer such protection for DH ciphersuites). 2298 * protocol does not offer such protection for DH ciphersuites).
@@ -2482,29 +2301,26 @@ int ssl3_get_client_key_exchange(SSL *s)
2482 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2301 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2483 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2302 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2484 */ 2303 */
2485 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2304 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
2486 { 2305 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2487 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2306 SSL_AD_DECODE_ERROR);
2488 SSL_AD_DECODE_ERROR); 2307 goto err;
2489 goto err;
2490 } 2308 }
2491 } 2309 }
2492 2310
2493 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2311 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2494 2312
2495 s->session->master_key_length= 2313 s->session->master_key_length =
2496 s->method->ssl3_enc->generate_master_secret(s, 2314 s->method->ssl3_enc->generate_master_secret(s,
2497 s->session->master_key, pms, outl); 2315 s->session->master_key, pms, outl);
2498 2316
2499 if (kssl_ctx->client_princ) 2317 if (kssl_ctx->client_princ) {
2500 {
2501 size_t len = strlen(kssl_ctx->client_princ); 2318 size_t len = strlen(kssl_ctx->client_princ);
2502 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2319 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
2503 {
2504 s->session->krb5_client_princ_len = len; 2320 s->session->krb5_client_princ_len = len;
2505 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2321 memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ, len);
2506 }
2507 } 2322 }
2323 }
2508 2324
2509 2325
2510 /* Was doing kssl_ctx_free() here, 2326 /* Was doing kssl_ctx_free() here,
@@ -2512,13 +2328,11 @@ int ssl3_get_client_key_exchange(SSL *s)
2512 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2328 ** kssl_ctx = kssl_ctx_free(kssl_ctx);
2513 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2329 ** if (s->kssl_ctx) s->kssl_ctx = NULL;
2514 */ 2330 */
2515 } 2331 } else
2516 else
2517#endif /* OPENSSL_NO_KRB5 */ 2332#endif /* OPENSSL_NO_KRB5 */
2518 2333
2519#ifndef OPENSSL_NO_ECDH 2334#ifndef OPENSSL_NO_ECDH
2520 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2335 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2521 {
2522 int ret = 1; 2336 int ret = 1;
2523 int field_size = 0; 2337 int field_size = 0;
2524 const EC_KEY *tkey; 2338 const EC_KEY *tkey;
@@ -2526,60 +2340,51 @@ int ssl3_get_client_key_exchange(SSL *s)
2526 const BIGNUM *priv_key; 2340 const BIGNUM *priv_key;
2527 2341
2528 /* initialize structures for server's ECDH key pair */ 2342 /* initialize structures for server's ECDH key pair */
2529 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2343 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
2530 {
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2344 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 ERR_R_MALLOC_FAILURE); 2345 ERR_R_MALLOC_FAILURE);
2533 goto err; 2346 goto err;
2534 } 2347 }
2535 2348
2536 /* Let's get server private key and group information */ 2349 /* Let's get server private key and group information */
2537 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) 2350 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
2538 {
2539 /* use the certificate */ 2351 /* use the certificate */
2540 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2352 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2541 } 2353 } else {
2542 else
2543 {
2544 /* use the ephermeral values we saved when 2354 /* use the ephermeral values we saved when
2545 * generating the ServerKeyExchange msg. 2355 * generating the ServerKeyExchange msg.
2546 */ 2356 */
2547 tkey = s->s3->tmp.ecdh; 2357 tkey = s->s3->tmp.ecdh;
2548 } 2358 }
2549 2359
2550 group = EC_KEY_get0_group(tkey); 2360 group = EC_KEY_get0_group(tkey);
2551 priv_key = EC_KEY_get0_private_key(tkey); 2361 priv_key = EC_KEY_get0_private_key(tkey);
2552 2362
2553 if (!EC_KEY_set_group(srvr_ecdh, group) || 2363 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2554 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2364 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
2555 {
2556 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2557 ERR_R_EC_LIB); 2366 ERR_R_EC_LIB);
2558 goto err; 2367 goto err;
2559 } 2368 }
2560 2369
2561 /* Let's get client's public key */ 2370 /* Let's get client's public key */
2562 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2371 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
2563 {
2564 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2372 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2565 ERR_R_MALLOC_FAILURE); 2373 ERR_R_MALLOC_FAILURE);
2566 goto err; 2374 goto err;
2567 } 2375 }
2568 2376
2569 if (n == 0L) 2377 if (n == 0L) {
2570 {
2571 /* Client Publickey was in Client Certificate */ 2378 /* Client Publickey was in Client Certificate */
2572 2379
2573 if (alg_k & SSL_kEECDH) 2380 if (alg_k & SSL_kEECDH) {
2574 { 2381 al = SSL_AD_HANDSHAKE_FAILURE;
2575 al=SSL_AD_HANDSHAKE_FAILURE; 2382 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
2576 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2383 goto f_err;
2577 goto f_err; 2384 }
2578 } 2385 if (((clnt_pub_pkey = X509_get_pubkey(
2579 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2386 s->session->peer)) == NULL) ||
2580 == NULL) || 2387 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2581 (clnt_pub_pkey->type != EVP_PKEY_EC))
2582 {
2583 /* XXX: For now, we do not support client 2388 /* XXX: For now, we do not support client
2584 * authentication using ECDH certificates 2389 * authentication using ECDH certificates
2585 * so this branch (n == 0L) of the code is 2390 * so this branch (n == 0L) of the code is
@@ -2591,771 +2396,680 @@ int ssl3_get_client_key_exchange(SSL *s)
2591 * the two ECDH shares are for the same 2396 * the two ECDH shares are for the same
2592 * group. 2397 * group.
2593 */ 2398 */
2594 al=SSL_AD_HANDSHAKE_FAILURE; 2399 al = SSL_AD_HANDSHAKE_FAILURE;
2595 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2400 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2596 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2401 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2597 goto f_err; 2402 goto f_err;
2598 } 2403 }
2599 2404
2600 if (EC_POINT_copy(clnt_ecpoint, 2405 if (EC_POINT_copy(clnt_ecpoint,
2601 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2406 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) {
2602 {
2603 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2407 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2604 ERR_R_EC_LIB); 2408 ERR_R_EC_LIB);
2605 goto err; 2409 goto err;
2606 }
2607 ret = 2; /* Skip certificate verify processing */
2608 } 2410 }
2609 else 2411 ret = 2; /* Skip certificate verify processing */
2610 { 2412 } else {
2611 /* Get client's public key from encoded point 2413 /* Get client's public key from encoded point
2612 * in the ClientKeyExchange message. 2414 * in the ClientKeyExchange message.
2613 */ 2415 */
2614 if ((bn_ctx = BN_CTX_new()) == NULL) 2416 if ((bn_ctx = BN_CTX_new()) == NULL) {
2615 {
2616 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2417 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2617 ERR_R_MALLOC_FAILURE); 2418 ERR_R_MALLOC_FAILURE);
2618 goto err; 2419 goto err;
2619 } 2420 }
2620 2421
2621 /* Get encoded point length */ 2422 /* Get encoded point length */
2622 i = *p; 2423 i = *p;
2424
2623 p += 1; 2425 p += 1;
2624 if (n != 1 + i) 2426 if (n != 1 + i) {
2625 {
2626 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2427 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2627 ERR_R_EC_LIB); 2428 ERR_R_EC_LIB);
2628 goto err; 2429 goto err;
2629 } 2430 }
2630 if (EC_POINT_oct2point(group, 2431 if (EC_POINT_oct2point(group,
2631 clnt_ecpoint, p, i, bn_ctx) == 0) 2432 clnt_ecpoint, p, i, bn_ctx) == 0) {
2632 {
2633 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2433 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2634 ERR_R_EC_LIB); 2434 ERR_R_EC_LIB);
2635 goto err; 2435 goto err;
2636 } 2436 }
2637 /* p is pointing to somewhere in the buffer 2437 /* p is pointing to somewhere in the buffer
2638 * currently, so set it to the start 2438 * currently, so set it to the start
2639 */ 2439 */
2640 p=(unsigned char *)s->init_buf->data; 2440 p = (unsigned char *)s->init_buf->data;
2641 } 2441 }
2642 2442
2643 /* Compute the shared pre-master secret */ 2443 /* Compute the shared pre-master secret */
2644 field_size = EC_GROUP_get_degree(group); 2444 field_size = EC_GROUP_get_degree(group);
2645 if (field_size <= 0) 2445 if (field_size <= 0) {
2646 { 2446 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2647 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2447 ERR_R_ECDH_LIB);
2648 ERR_R_ECDH_LIB);
2649 goto err; 2448 goto err;
2650 } 2449 }
2651 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2450 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2652 if (i <= 0) 2451 if (i <= 0) {
2653 {
2654 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2655 ERR_R_ECDH_LIB); 2453 ERR_R_ECDH_LIB);
2656 goto err; 2454 goto err;
2657 } 2455 }
2658 2456
2659 EVP_PKEY_free(clnt_pub_pkey); 2457 EVP_PKEY_free(clnt_pub_pkey);
2660 EC_POINT_free(clnt_ecpoint); 2458 EC_POINT_free(clnt_ecpoint);
2661 EC_KEY_free(srvr_ecdh); 2459 EC_KEY_free(srvr_ecdh);
2662 BN_CTX_free(bn_ctx); 2460 BN_CTX_free(bn_ctx);
2663 EC_KEY_free(s->s3->tmp.ecdh); 2461 EC_KEY_free(s->s3->tmp.ecdh);
2664 s->s3->tmp.ecdh = NULL; 2462 s->s3->tmp.ecdh = NULL;
2463
2665 2464
2666 /* Compute the master secret */ 2465 /* Compute the master secret */
2667 s->session->master_key_length = s->method->ssl3_enc-> \ 2466 s->session->master_key_length = s->method->ssl3_enc-> \
2668 generate_master_secret(s, s->session->master_key, p, i); 2467 generate_master_secret(s, s->session->master_key, p, i);
2669 2468
2670 OPENSSL_cleanse(p, i); 2469 OPENSSL_cleanse(p, i);
2671 return (ret); 2470 return (ret);
2672 } 2471 } else
2673 else
2674#endif 2472#endif
2675#ifndef OPENSSL_NO_PSK 2473#ifndef OPENSSL_NO_PSK
2676 if (alg_k & SSL_kPSK) 2474 if (alg_k & SSL_kPSK) {
2677 { 2475 unsigned char *t = NULL;
2678 unsigned char *t = NULL; 2476 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2679 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2477 unsigned int pre_ms_len = 0, psk_len = 0;
2680 unsigned int pre_ms_len = 0, psk_len = 0; 2478 int psk_err = 1;
2681 int psk_err = 1; 2479 char tmp_id[PSK_MAX_IDENTITY_LEN + 1];
2682 char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2683 2480
2684 al=SSL_AD_HANDSHAKE_FAILURE; 2481 al = SSL_AD_HANDSHAKE_FAILURE;
2685
2686 n2s(p,i);
2687 if (n != i+2)
2688 {
2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2690 SSL_R_LENGTH_MISMATCH);
2691 goto psk_err;
2692 }
2693 if (i > PSK_MAX_IDENTITY_LEN)
2694 {
2695 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2696 SSL_R_DATA_LENGTH_TOO_LONG);
2697 goto psk_err;
2698 }
2699 if (s->psk_server_callback == NULL)
2700 {
2701 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2702 SSL_R_PSK_NO_SERVER_CB);
2703 goto psk_err;
2704 }
2705 2482
2706 /* Create guaranteed NULL-terminated identity 2483 n2s(p, i);
2707 * string for the callback */ 2484 if (n != i + 2) {
2708 memcpy(tmp_id, p, i); 2485 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2709 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 2486 SSL_R_LENGTH_MISMATCH);
2710 psk_len = s->psk_server_callback(s, tmp_id, 2487 goto psk_err;
2711 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2488 }
2712 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 2489 if (i > PSK_MAX_IDENTITY_LEN) {
2490 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2491 SSL_R_DATA_LENGTH_TOO_LONG);
2492 goto psk_err;
2493 }
2494 if (s->psk_server_callback == NULL) {
2495 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2496 SSL_R_PSK_NO_SERVER_CB);
2497 goto psk_err;
2498 }
2713 2499
2714 if (psk_len > PSK_MAX_PSK_LEN) 2500 /* Create guaranteed NULL-terminated identity
2715 { 2501 * string for the callback */
2716 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2502 memcpy(tmp_id, p, i);
2717 ERR_R_INTERNAL_ERROR); 2503 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
2718 goto psk_err; 2504 psk_len = s->psk_server_callback(s, tmp_id,
2719 } 2505 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2720 else if (psk_len == 0) 2506 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
2721 {
2722 /* PSK related to the given identity not found */
2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2724 SSL_R_PSK_IDENTITY_NOT_FOUND);
2725 al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2726 goto psk_err;
2727 }
2728 2507
2729 /* create PSK pre_master_secret */ 2508 if (psk_len > PSK_MAX_PSK_LEN) {
2730 pre_ms_len=2+psk_len+2+psk_len; 2509 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2731 t = psk_or_pre_ms; 2510 ERR_R_INTERNAL_ERROR);
2732 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2511 goto psk_err;
2733 s2n(psk_len, t); 2512 } else if (psk_len == 0) {
2734 memset(t, 0, psk_len); 2513 /* PSK related to the given identity not found */
2735 t+=psk_len; 2514 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2736 s2n(psk_len, t); 2515 SSL_R_PSK_IDENTITY_NOT_FOUND);
2737 2516 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2738 if (s->session->psk_identity != NULL) 2517 goto psk_err;
2739 OPENSSL_free(s->session->psk_identity); 2518 }
2740 s->session->psk_identity = BUF_strdup((char *)p); 2519
2741 if (s->session->psk_identity == NULL) 2520 /* create PSK pre_master_secret */
2742 { 2521 pre_ms_len = 2 + psk_len + 2 + psk_len;
2743 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2522 t = psk_or_pre_ms;
2744 ERR_R_MALLOC_FAILURE); 2523 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2745 goto psk_err; 2524 s2n(psk_len, t);
2746 } 2525 memset(t, 0, psk_len);
2526 t += psk_len;
2527 s2n(psk_len, t);
2528
2529 if (s->session->psk_identity != NULL)
2530 OPENSSL_free(s->session->psk_identity);
2531 s->session->psk_identity = BUF_strdup((char *)p);
2532 if (s->session->psk_identity == NULL) {
2533 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2534 ERR_R_MALLOC_FAILURE);
2535 goto psk_err;
2536 }
2747 2537
2748 if (s->session->psk_identity_hint != NULL) 2538 if (s->session->psk_identity_hint != NULL)
2749 OPENSSL_free(s->session->psk_identity_hint); 2539 OPENSSL_free(s->session->psk_identity_hint);
2750 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2540 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2751 if (s->ctx->psk_identity_hint != NULL && 2541 if (s->ctx->psk_identity_hint != NULL &&
2752 s->session->psk_identity_hint == NULL) 2542 s->session->psk_identity_hint == NULL) {
2753 { 2543 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2754 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2544 ERR_R_MALLOC_FAILURE);
2755 ERR_R_MALLOC_FAILURE); 2545 goto psk_err;
2756 goto psk_err; 2546 }
2757 }
2758 2547
2759 s->session->master_key_length= 2548 s->session->master_key_length =
2760 s->method->ssl3_enc->generate_master_secret(s, 2549 s->method->ssl3_enc->generate_master_secret(
2761 s->session->master_key, psk_or_pre_ms, pre_ms_len); 2550 s, s->session->master_key, psk_or_pre_ms, pre_ms_len);
2762 psk_err = 0; 2551 psk_err = 0;
2763 psk_err: 2552 psk_err:
2764 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2553 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2765 if (psk_err != 0) 2554 if (psk_err != 0)
2766 goto f_err; 2555 goto f_err;
2767 } 2556 } else
2768 else
2769#endif 2557#endif
2770#ifndef OPENSSL_NO_SRP 2558#ifndef OPENSSL_NO_SRP
2771 if (alg_k & SSL_kSRP) 2559 if (alg_k & SSL_kSRP) {
2772 { 2560 int param_len;
2773 int param_len;
2774
2775 n2s(p,i);
2776 param_len=i+2;
2777 if (param_len > n)
2778 {
2779 al=SSL_AD_DECODE_ERROR;
2780 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH);
2781 goto f_err;
2782 }
2783 if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL)))
2784 {
2785 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
2786 goto err;
2787 }
2788 if (s->session->srp_username != NULL)
2789 OPENSSL_free(s->session->srp_username);
2790 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2791 if (s->session->srp_username == NULL)
2792 {
2793 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2794 ERR_R_MALLOC_FAILURE);
2795 goto err;
2796 }
2797 2561
2798 if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 2562 n2s(p, i);
2799 { 2563 param_len = i + 2;
2800 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2564 if (param_len > n) {
2801 goto err; 2565 al = SSL_AD_DECODE_ERROR;
2802 } 2566 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2567 goto f_err;
2568 }
2569 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
2570 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2571 goto err;
2572 }
2573 if (s->session->srp_username != NULL)
2574 OPENSSL_free(s->session->srp_username);
2575 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2576 if (s->session->srp_username == NULL) {
2577 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2578 ERR_R_MALLOC_FAILURE);
2579 goto err;
2580 }
2803 2581
2804 p+=i; 2582 if ((s->session->master_key_length = SRP_generate_server_master_secret(s, s->session->master_key)) < 0) {
2805 } 2583 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2806 else 2584 goto err;
2585 }
2586
2587 p += i;
2588 } else
2807#endif /* OPENSSL_NO_SRP */ 2589#endif /* OPENSSL_NO_SRP */
2808 if (alg_k & SSL_kGOST) 2590 if (alg_k & SSL_kGOST) {
2809 { 2591 int ret = 0;
2810 int ret = 0; 2592 EVP_PKEY_CTX *pkey_ctx;
2811 EVP_PKEY_CTX *pkey_ctx; 2593 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2812 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 2594 unsigned char premaster_secret[32], *start;
2813 unsigned char premaster_secret[32], *start; 2595 size_t outlen = 32, inlen;
2814 size_t outlen=32, inlen; 2596 unsigned long alg_a;
2815 unsigned long alg_a; 2597
2816 2598 /* Get our certificate private key*/
2817 /* Get our certificate private key*/ 2599 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2818 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2600 if (alg_a & SSL_aGOST94)
2819 if (alg_a & SSL_aGOST94) 2601 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
2820 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 2602 else if (alg_a & SSL_aGOST01)
2821 else if (alg_a & SSL_aGOST01) 2603 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2822 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 2604
2823 2605 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2824 pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 2606 EVP_PKEY_decrypt_init(pkey_ctx);
2825 EVP_PKEY_decrypt_init(pkey_ctx);
2826 /* If client certificate is present and is of the same type, maybe 2607 /* If client certificate is present and is of the same type, maybe
2827 * use it for key exchange. Don't mind errors from 2608 * use it for key exchange. Don't mind errors from
2828 * EVP_PKEY_derive_set_peer, because it is completely valid to use 2609 * EVP_PKEY_derive_set_peer, because it is completely valid to use
2829 * a client certificate for authorization only. */ 2610 * a client certificate for authorization only. */
2830 client_pub_pkey = X509_get_pubkey(s->session->peer); 2611 client_pub_pkey = X509_get_pubkey(s->session->peer);
2831 if (client_pub_pkey) 2612 if (client_pub_pkey) {
2832 { 2613 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2833 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2614 ERR_clear_error();
2834 ERR_clear_error(); 2615 }
2835 } 2616 /* Decrypt session key */
2836 /* Decrypt session key */ 2617 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) {
2837 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) 2618 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2838 { 2619 goto gerr;
2839 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2620 }
2840 goto gerr; 2621 if (p[1] == 0x81) {
2841 } 2622 start = p + 3;
2842 if (p[1] == 0x81) 2623 inlen = p[2];
2843 { 2624 } else if (p[1] < 0x80) {
2844 start = p+3; 2625 start = p + 2;
2845 inlen = p[2]; 2626 inlen = p[1];
2846 } 2627 } else {
2847 else if (p[1] < 0x80) 2628 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2848 { 2629 goto gerr;
2849 start = p+2; 2630 }
2850 inlen = p[1]; 2631 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <=0)
2851 } 2632
2852 else 2633 {
2853 { 2634 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2854 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2635 goto gerr;
2855 goto gerr; 2636 }
2856 } 2637 /* Generate master secret */
2857 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 2638 s->session->master_key_length =
2858 2639 s->method->ssl3_enc->generate_master_secret(
2859 { 2640 s, s->session->master_key, premaster_secret, 32);
2860 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2641 /* Check if pubkey from client certificate was used */
2861 goto gerr; 2642 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2862 } 2643 ret = 2;
2863 /* Generate master secret */ 2644 else
2864 s->session->master_key_length= 2645 ret = 1;
2865 s->method->ssl3_enc->generate_master_secret(s,
2866 s->session->master_key,premaster_secret,32);
2867 /* Check if pubkey from client certificate was used */
2868 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2869 ret = 2;
2870 else
2871 ret = 1;
2872 gerr: 2646 gerr:
2873 EVP_PKEY_free(client_pub_pkey); 2647 EVP_PKEY_free(client_pub_pkey);
2874 EVP_PKEY_CTX_free(pkey_ctx); 2648 EVP_PKEY_CTX_free(pkey_ctx);
2875 if (ret) 2649 if (ret)
2876 return ret; 2650 return ret;
2877 else
2878 goto err;
2879 }
2880 else 2651 else
2881 { 2652 goto err;
2882 al=SSL_AD_HANDSHAKE_FAILURE; 2653 } else {
2654 al = SSL_AD_HANDSHAKE_FAILURE;
2883 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2655 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2884 SSL_R_UNKNOWN_CIPHER_TYPE); 2656 SSL_R_UNKNOWN_CIPHER_TYPE);
2885 goto f_err; 2657 goto f_err;
2886 } 2658 }
2887 2659
2888 return(1); 2660 return (1);
2889f_err: 2661f_err:
2890 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2662 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2891#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP) 2663#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2892err: 2664err:
2893#endif 2665#endif
2894#ifndef OPENSSL_NO_ECDH 2666#ifndef OPENSSL_NO_ECDH
2895 EVP_PKEY_free(clnt_pub_pkey); 2667 EVP_PKEY_free(clnt_pub_pkey);
2896 EC_POINT_free(clnt_ecpoint); 2668 EC_POINT_free(clnt_ecpoint);
2897 if (srvr_ecdh != NULL) 2669 if (srvr_ecdh != NULL)
2898 EC_KEY_free(srvr_ecdh); 2670 EC_KEY_free(srvr_ecdh);
2899 BN_CTX_free(bn_ctx); 2671 BN_CTX_free(bn_ctx);
2900#endif 2672#endif
2901 return(-1); 2673 return (-1);
2902 } 2674}
2903 2675
2904int ssl3_get_cert_verify(SSL *s) 2676int
2905 { 2677ssl3_get_cert_verify(SSL *s)
2906 EVP_PKEY *pkey=NULL; 2678{
2679 EVP_PKEY *pkey = NULL;
2907 unsigned char *p; 2680 unsigned char *p;
2908 int al,ok,ret=0; 2681 int al, ok, ret = 0;
2909 long n; 2682 long n;
2910 int type=0,i,j; 2683 int type = 0, i, j;
2911 X509 *peer; 2684 X509 *peer;
2912 const EVP_MD *md = NULL; 2685 const EVP_MD *md = NULL;
2913 EVP_MD_CTX mctx; 2686 EVP_MD_CTX mctx;
2914 EVP_MD_CTX_init(&mctx); 2687 EVP_MD_CTX_init(&mctx);
2915 2688
2916 n=s->method->ssl_get_message(s, 2689 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2917 SSL3_ST_SR_CERT_VRFY_A, 2690 SSL3_ST_SR_CERT_VRFY_B, -1,
2918 SSL3_ST_SR_CERT_VRFY_B, 2691 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
2919 -1, 2692 if (!ok)
2920 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ 2693 return ((int)n);
2921 &ok); 2694
2922 2695 if (s->session->peer != NULL) {
2923 if (!ok) return((int)n); 2696 peer = s->session->peer;
2924 2697 pkey = X509_get_pubkey(peer);
2925 if (s->session->peer != NULL) 2698 type = X509_certificate_type(peer, pkey);
2926 { 2699 } else {
2927 peer=s->session->peer; 2700 peer = NULL;
2928 pkey=X509_get_pubkey(peer); 2701 pkey = NULL;
2929 type=X509_certificate_type(peer,pkey); 2702 }
2930 }
2931 else
2932 {
2933 peer=NULL;
2934 pkey=NULL;
2935 }
2936 2703
2937 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2704 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2938 { 2705 s->s3->tmp.reuse_message = 1;
2939 s->s3->tmp.reuse_message=1; 2706 if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
2940 if ((peer != NULL) && (type & EVP_PKT_SIGN)) 2707 al = SSL_AD_UNEXPECTED_MESSAGE;
2941 { 2708 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE);
2942 al=SSL_AD_UNEXPECTED_MESSAGE;
2943 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
2944 goto f_err; 2709 goto f_err;
2945 }
2946 ret=1;
2947 goto end;
2948 } 2710 }
2711 ret = 1;
2712 goto end;
2713 }
2949 2714
2950 if (peer == NULL) 2715 if (peer == NULL) {
2951 { 2716 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED);
2952 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2717 al = SSL_AD_UNEXPECTED_MESSAGE;
2953 al=SSL_AD_UNEXPECTED_MESSAGE;
2954 goto f_err; 2718 goto f_err;
2955 } 2719 }
2956 2720
2957 if (!(type & EVP_PKT_SIGN)) 2721 if (!(type & EVP_PKT_SIGN)) {
2958 { 2722 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2959 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2723 al = SSL_AD_ILLEGAL_PARAMETER;
2960 al=SSL_AD_ILLEGAL_PARAMETER;
2961 goto f_err; 2724 goto f_err;
2962 } 2725 }
2963 2726
2964 if (s->s3->change_cipher_spec) 2727 if (s->s3->change_cipher_spec) {
2965 { 2728 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY);
2966 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2729 al = SSL_AD_UNEXPECTED_MESSAGE;
2967 al=SSL_AD_UNEXPECTED_MESSAGE;
2968 goto f_err; 2730 goto f_err;
2969 } 2731 }
2970 2732
2971 /* we now have a signature that we need to verify */ 2733 /* we now have a signature that we need to verify */
2972 p=(unsigned char *)s->init_msg; 2734 p = (unsigned char *)s->init_msg;
2973 /* Check for broken implementations of GOST ciphersuites */ 2735 /* Check for broken implementations of GOST ciphersuites */
2974 /* If key is GOST and n is exactly 64, it is bare 2736 /* If key is GOST and n is exactly 64, it is bare
2975 * signature without length field */ 2737 * signature without length field */
2976 if (n==64 && (pkey->type==NID_id_GostR3410_94 || 2738 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2977 pkey->type == NID_id_GostR3410_2001) ) 2739 pkey->type == NID_id_GostR3410_2001) ) {
2978 { 2740 i = 64;
2979 i=64; 2741 } else {
2980 } 2742 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2981 else
2982 {
2983 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2984 {
2985 int sigalg = tls12_get_sigid(pkey); 2743 int sigalg = tls12_get_sigid(pkey);
2986 /* Should never happen */ 2744 /* Should never happen */
2987 if (sigalg == -1) 2745 if (sigalg == -1) {
2988 { 2746 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
2989 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2747 al = SSL_AD_INTERNAL_ERROR;
2990 al=SSL_AD_INTERNAL_ERROR;
2991 goto f_err; 2748 goto f_err;
2992 } 2749 }
2993 /* Check key type is consistent with signature */ 2750 /* Check key type is consistent with signature */
2994 if (sigalg != (int)p[1]) 2751 if (sigalg != (int)p[1]) {
2995 { 2752 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_TYPE);
2996 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE); 2753 al = SSL_AD_DECODE_ERROR;
2997 al=SSL_AD_DECODE_ERROR;
2998 goto f_err; 2754 goto f_err;
2999 } 2755 }
3000 md = tls12_get_hash(p[0]); 2756 md = tls12_get_hash(p[0]);
3001 if (md == NULL) 2757 if (md == NULL) {
3002 { 2758 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_UNKNOWN_DIGEST);
3003 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST); 2759 al = SSL_AD_DECODE_ERROR;
3004 al=SSL_AD_DECODE_ERROR;
3005 goto f_err; 2760 goto f_err;
3006 } 2761 }
3007#ifdef SSL_DEBUG 2762#ifdef SSL_DEBUG
3008fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 2763 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
3009#endif 2764#endif
3010 p += 2; 2765 p += 2;
3011 n -= 2; 2766 n -= 2;
3012 } 2767 }
3013 n2s(p,i); 2768 n2s(p, i);
3014 n-=2; 2769 n -= 2;
3015 if (i > n) 2770 if (i > n) {
3016 { 2771 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
3017 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2772 al = SSL_AD_DECODE_ERROR;
3018 al=SSL_AD_DECODE_ERROR;
3019 goto f_err; 2773 goto f_err;
3020 }
3021 }
3022 j=EVP_PKEY_size(pkey);
3023 if ((i > j) || (n > j) || (n <= 0))
3024 {
3025 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
3026 al=SSL_AD_DECODE_ERROR;
3027 goto f_err;
3028 } 2774 }
2775 }
2776 j = EVP_PKEY_size(pkey);
2777 if ((i > j) || (n > j) || (n <= 0)) {
2778 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2779 al = SSL_AD_DECODE_ERROR;
2780 goto f_err;
2781 }
3029 2782
3030 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2783 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
3031 {
3032 long hdatalen = 0; 2784 long hdatalen = 0;
3033 void *hdata; 2785 void *hdata;
3034 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 2786 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
3035 if (hdatalen <= 0) 2787 if (hdatalen <= 0) {
3036 {
3037 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2788 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3038 al=SSL_AD_INTERNAL_ERROR; 2789 al = SSL_AD_INTERNAL_ERROR;
3039 goto f_err; 2790 goto f_err;
3040 } 2791 }
3041#ifdef SSL_DEBUG 2792#ifdef SSL_DEBUG
3042 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 2793 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
3043 EVP_MD_name(md)); 2794 EVP_MD_name(md));
3044#endif 2795#endif
3045 if (!EVP_VerifyInit_ex(&mctx, md, NULL) 2796 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
3046 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) 2797 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
3047 {
3048 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 2798 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
3049 al=SSL_AD_INTERNAL_ERROR; 2799 al = SSL_AD_INTERNAL_ERROR;
3050 goto f_err; 2800 goto f_err;
3051 } 2801 }
3052 2802
3053 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) 2803 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) {
3054 { 2804 al = SSL_AD_DECRYPT_ERROR;
3055 al=SSL_AD_DECRYPT_ERROR; 2805 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
3056 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE);
3057 goto f_err; 2806 goto f_err;
3058 }
3059 } 2807 }
3060 else 2808 } else
3061#ifndef OPENSSL_NO_RSA 2809#ifndef OPENSSL_NO_RSA
3062 if (pkey->type == EVP_PKEY_RSA) 2810 if (pkey->type == EVP_PKEY_RSA) {
3063 { 2811 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
3064 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2812 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
3065 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2813 pkey->pkey.rsa);
3066 pkey->pkey.rsa); 2814 if (i < 0) {
3067 if (i < 0) 2815 al = SSL_AD_DECRYPT_ERROR;
3068 { 2816 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
3069 al=SSL_AD_DECRYPT_ERROR;
3070 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
3071 goto f_err; 2817 goto f_err;
3072 } 2818 }
3073 if (i == 0) 2819 if (i == 0) {
3074 { 2820 al = SSL_AD_DECRYPT_ERROR;
3075 al=SSL_AD_DECRYPT_ERROR; 2821 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
3076 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
3077 goto f_err; 2822 goto f_err;
3078 }
3079 } 2823 }
3080 else 2824 } else
3081#endif 2825#endif
3082#ifndef OPENSSL_NO_DSA 2826#ifndef OPENSSL_NO_DSA
3083 if (pkey->type == EVP_PKEY_DSA) 2827 if (pkey->type == EVP_PKEY_DSA) {
3084 { 2828 j = DSA_verify(pkey->save_type,
3085 j=DSA_verify(pkey->save_type, 2829 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3086 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2830 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
3087 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2831 if (j <= 0) {
3088 if (j <= 0)
3089 {
3090 /* bad signature */ 2832 /* bad signature */
3091 al=SSL_AD_DECRYPT_ERROR; 2833 al = SSL_AD_DECRYPT_ERROR;
3092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2834 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
3093 goto f_err; 2835 goto f_err;
3094 }
3095 } 2836 }
3096 else 2837 } else
3097#endif 2838#endif
3098#ifndef OPENSSL_NO_ECDSA 2839#ifndef OPENSSL_NO_ECDSA
3099 if (pkey->type == EVP_PKEY_EC) 2840 if (pkey->type == EVP_PKEY_EC) {
3100 { 2841 j = ECDSA_verify(pkey->save_type,
3101 j=ECDSA_verify(pkey->save_type, 2842 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3102 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2843 SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
3103 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2844 if (j <= 0) {
3104 if (j <= 0)
3105 {
3106 /* bad signature */ 2845 /* bad signature */
3107 al=SSL_AD_DECRYPT_ERROR; 2846 al = SSL_AD_DECRYPT_ERROR;
3108 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2847 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3109 SSL_R_BAD_ECDSA_SIGNATURE); 2848 SSL_R_BAD_ECDSA_SIGNATURE);
3110 goto f_err; 2849 goto f_err;
3111 }
3112 } 2850 }
3113 else 2851 } else
3114#endif 2852#endif
3115 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2853 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3116 { unsigned char signature[64]; 2854 unsigned char signature[64];
3117 int idx; 2855 int idx;
3118 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL); 2856 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
3119 EVP_PKEY_verify_init(pctx); 2857 EVP_PKEY_verify_init(pctx);
3120 if (i!=64) { 2858 if (i != 64) {
3121 fprintf(stderr,"GOST signature length is %d",i); 2859 fprintf(stderr, "GOST signature length is %d", i);
3122 } 2860 }
3123 for (idx=0;idx<64;idx++) { 2861 for (idx = 0; idx < 64; idx++) {
3124 signature[63-idx]=p[idx]; 2862 signature[63 - idx] = p[idx];
3125 } 2863 }
3126 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32); 2864 j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md, 32);
3127 EVP_PKEY_CTX_free(pctx); 2865 EVP_PKEY_CTX_free(pctx);
3128 if (j<=0) 2866 if (j <= 0) {
3129 { 2867 al = SSL_AD_DECRYPT_ERROR;
3130 al=SSL_AD_DECRYPT_ERROR; 2868 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3131 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2869 SSL_R_BAD_ECDSA_SIGNATURE);
3132 SSL_R_BAD_ECDSA_SIGNATURE); 2870 goto f_err;
3133 goto f_err;
3134 }
3135 } 2871 }
3136 else 2872 } else {
3137 { 2873 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3138 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2874 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
3139 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
3140 goto f_err; 2875 goto f_err;
3141 } 2876 }
3142 2877
3143 2878
3144 ret=1; 2879 ret = 1;
3145 if (0) 2880 if (0) {
3146 {
3147f_err: 2881f_err:
3148 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2882 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3149 } 2883 }
3150end: 2884end:
3151 if (s->s3->handshake_buffer) 2885 if (s->s3->handshake_buffer) {
3152 {
3153 BIO_free(s->s3->handshake_buffer); 2886 BIO_free(s->s3->handshake_buffer);
3154 s->s3->handshake_buffer = NULL; 2887 s->s3->handshake_buffer = NULL;
3155 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; 2888 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
3156 } 2889 }
3157 EVP_MD_CTX_cleanup(&mctx); 2890 EVP_MD_CTX_cleanup(&mctx);
3158 EVP_PKEY_free(pkey); 2891 EVP_PKEY_free(pkey);
3159 return(ret); 2892 return (ret);
3160 } 2893}
3161 2894
3162int ssl3_get_client_certificate(SSL *s) 2895int
3163 { 2896ssl3_get_client_certificate(SSL *s)
3164 int i,ok,al,ret= -1; 2897{
3165 X509 *x=NULL; 2898 int i, ok, al, ret = -1;
3166 unsigned long l,nc,llen,n; 2899 X509 *x = NULL;
3167 const unsigned char *p,*q; 2900 unsigned long l, nc, llen, n;
2901 const unsigned char *p, *q;
3168 unsigned char *d; 2902 unsigned char *d;
3169 STACK_OF(X509) *sk=NULL; 2903 STACK_OF(X509) *sk = NULL;
3170 2904
3171 n=s->method->ssl_get_message(s, 2905 n = s->method->ssl_get_message(s,
3172 SSL3_ST_SR_CERT_A, 2906 SSL3_ST_SR_CERT_A,
3173 SSL3_ST_SR_CERT_B, 2907 SSL3_ST_SR_CERT_B,
3174 -1, 2908 -1,
3175 s->max_cert_list, 2909 s->max_cert_list,
3176 &ok); 2910 &ok);
3177 2911
3178 if (!ok) return((int)n); 2912 if (!ok)
2913 return ((int)n);
3179 2914
3180 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2915 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
3181 { 2916 if ((s->verify_mode & SSL_VERIFY_PEER) &&
3182 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2917 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3183 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2918 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3184 { 2919 al = SSL_AD_HANDSHAKE_FAILURE;
3185 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3186 al=SSL_AD_HANDSHAKE_FAILURE;
3187 goto f_err; 2920 goto f_err;
3188 } 2921 }
3189 /* If tls asked for a client cert, the client must return a 0 list */ 2922 /* If tls asked for a client cert, the client must return a 0 list */
3190 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2923 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
3191 { 2924 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
3192 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2925 al = SSL_AD_UNEXPECTED_MESSAGE;
3193 al=SSL_AD_UNEXPECTED_MESSAGE;
3194 goto f_err; 2926 goto f_err;
3195 }
3196 s->s3->tmp.reuse_message=1;
3197 return(1);
3198 } 2927 }
2928 s->s3->tmp.reuse_message = 1;
2929 return (1);
2930 }
3199 2931
3200 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2932 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
3201 { 2933 al = SSL_AD_UNEXPECTED_MESSAGE;
3202 al=SSL_AD_UNEXPECTED_MESSAGE; 2934 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
3203 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
3204 goto f_err; 2935 goto f_err;
3205 } 2936 }
3206 p=d=(unsigned char *)s->init_msg; 2937 p = d = (unsigned char *)s->init_msg;
3207 2938
3208 if ((sk=sk_X509_new_null()) == NULL) 2939 if ((sk = sk_X509_new_null()) == NULL) {
3209 { 2940 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3210 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3211 goto err; 2941 goto err;
3212 } 2942 }
3213 2943
3214 n2l3(p,llen); 2944 n2l3(p, llen);
3215 if (llen+3 != n) 2945 if (llen + 3 != n) {
3216 { 2946 al = SSL_AD_DECODE_ERROR;
3217 al=SSL_AD_DECODE_ERROR; 2947 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3218 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
3219 goto f_err; 2948 goto f_err;
3220 } 2949 }
3221 for (nc=0; nc<llen; ) 2950 for (nc = 0; nc < llen;) {
3222 { 2951 n2l3(p, l);
3223 n2l3(p,l); 2952 if ((l + nc + 3) > llen) {
3224 if ((l+nc+3) > llen) 2953 al = SSL_AD_DECODE_ERROR;
3225 { 2954 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3226 al=SSL_AD_DECODE_ERROR;
3227 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3228 goto f_err; 2955 goto f_err;
3229 } 2956 }
3230 2957
3231 q=p; 2958 q = p;
3232 x=d2i_X509(NULL,&p,l); 2959 x = d2i_X509(NULL, &p, l);
3233 if (x == NULL) 2960 if (x == NULL) {
3234 { 2961 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
3235 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
3236 goto err; 2962 goto err;
3237 } 2963 }
3238 if (p != (q+l)) 2964 if (p != (q + l)) {
3239 { 2965 al = SSL_AD_DECODE_ERROR;
3240 al=SSL_AD_DECODE_ERROR; 2966 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3241 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3242 goto f_err; 2967 goto f_err;
3243 } 2968 }
3244 if (!sk_X509_push(sk,x)) 2969 if (!sk_X509_push(sk, x)) {
3245 { 2970 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3246 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3247 goto err; 2971 goto err;
3248 }
3249 x=NULL;
3250 nc+=l+3;
3251 } 2972 }
2973 x = NULL;
2974 nc += l + 3;
2975 }
3252 2976
3253 if (sk_X509_num(sk) <= 0) 2977 if (sk_X509_num(sk) <= 0) {
3254 {
3255 /* TLS does not mind 0 certs returned */ 2978 /* TLS does not mind 0 certs returned */
3256 if (s->version == SSL3_VERSION) 2979 if (s->version == SSL3_VERSION) {
3257 { 2980 al = SSL_AD_HANDSHAKE_FAILURE;
3258 al=SSL_AD_HANDSHAKE_FAILURE; 2981 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATES_RETURNED);
3259 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
3260 goto f_err; 2982 goto f_err;
3261 } 2983 }
3262 /* Fail for TLS only if we required a certificate */ 2984 /* Fail for TLS only if we required a certificate */
3263 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2985 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
3264 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2986 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3265 { 2987 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3266 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2988 al = SSL_AD_HANDSHAKE_FAILURE;
3267 al=SSL_AD_HANDSHAKE_FAILURE;
3268 goto f_err; 2989 goto f_err;
3269 } 2990 }
3270 /* No client certificate so digest cached records */ 2991 /* No client certificate so digest cached records */
3271 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) 2992 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
3272 { 2993 al = SSL_AD_INTERNAL_ERROR;
3273 al=SSL_AD_INTERNAL_ERROR;
3274 goto f_err; 2994 goto f_err;
3275 }
3276 } 2995 }
3277 else 2996 } else {
3278 { 2997 i = ssl_verify_cert_chain(s, sk);
3279 i=ssl_verify_cert_chain(s,sk); 2998 if (i <= 0) {
3280 if (i <= 0) 2999 al = ssl_verify_alarm_type(s->verify_result);
3281 { 3000 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATE_RETURNED);
3282 al=ssl_verify_alarm_type(s->verify_result);
3283 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
3284 goto f_err; 3001 goto f_err;
3285 }
3286 } 3002 }
3003 }
3287 3004
3288 if (s->session->peer != NULL) /* This should not be needed */ 3005 if (s->session->peer != NULL) /* This should not be needed */
3289 X509_free(s->session->peer); 3006 X509_free(s->session->peer);
3290 s->session->peer=sk_X509_shift(sk); 3007 s->session->peer = sk_X509_shift(sk);
3291 s->session->verify_result = s->verify_result; 3008 s->session->verify_result = s->verify_result;
3292 3009
3293 /* With the current implementation, sess_cert will always be NULL 3010 /* With the current implementation, sess_cert will always be NULL
3294 * when we arrive here. */ 3011 * when we arrive here. */
3295 if (s->session->sess_cert == NULL) 3012 if (s->session->sess_cert == NULL) {
3296 {
3297 s->session->sess_cert = ssl_sess_cert_new(); 3013 s->session->sess_cert = ssl_sess_cert_new();
3298 if (s->session->sess_cert == NULL) 3014 if (s->session->sess_cert == NULL) {
3299 {
3300 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3015 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3301 goto err; 3016 goto err;
3302 }
3303 } 3017 }
3018 }
3304 if (s->session->sess_cert->cert_chain != NULL) 3019 if (s->session->sess_cert->cert_chain != NULL)
3305 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 3020 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
3306 s->session->sess_cert->cert_chain=sk; 3021 s->session->sess_cert->cert_chain = sk;
3307 /* Inconsistency alert: cert_chain does *not* include the 3022 /* Inconsistency alert: cert_chain does *not* include the
3308 * peer's own certificate, while we do include it in s3_clnt.c */ 3023 * peer's own certificate, while we do include it in s3_clnt.c */
3309 3024
3310 sk=NULL; 3025 sk = NULL;
3311 3026
3312 ret=1; 3027 ret = 1;
3313 if (0) 3028 if (0) {
3314 {
3315f_err: 3029f_err:
3316 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3030 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3317 }
3318err:
3319 if (x != NULL) X509_free(x);
3320 if (sk != NULL) sk_X509_pop_free(sk,X509_free);
3321 return(ret);
3322 } 3031 }
3032err:
3033 if (x != NULL)
3034 X509_free(x);
3035 if (sk != NULL)
3036 sk_X509_pop_free(sk, X509_free);
3037 return (ret);
3038}
3323 3039
3324int ssl3_send_server_certificate(SSL *s) 3040int
3325 { 3041ssl3_send_server_certificate(SSL *s)
3042{
3326 unsigned long l; 3043 unsigned long l;
3327 X509 *x; 3044 X509 *x;
3328 3045
3329 if (s->state == SSL3_ST_SW_CERT_A) 3046 if (s->state == SSL3_ST_SW_CERT_A) {
3330 { 3047 x = ssl_get_server_send_cert(s);
3331 x=ssl_get_server_send_cert(s); 3048 if (x == NULL) {
3332 if (x == NULL)
3333 {
3334 /* VRS: allow null cert if auth == KRB5 */ 3049 /* VRS: allow null cert if auth == KRB5 */
3335 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3050 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
3336 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) 3051 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) {
3337 { 3052 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3338 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 3053 return (0);
3339 return(0);
3340 }
3341 } 3054 }
3342
3343 l=ssl3_output_cert_chain(s,x);
3344 s->state=SSL3_ST_SW_CERT_B;
3345 s->init_num=(int)l;
3346 s->init_off=0;
3347 } 3055 }
3348 3056
3349 /* SSL3_ST_SW_CERT_B */ 3057 l = ssl3_output_cert_chain(s, x);
3350 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3058 s->state = SSL3_ST_SW_CERT_B;
3059 s->init_num = (int)l;
3060 s->init_off = 0;
3351 } 3061 }
3352 3062
3063 /* SSL3_ST_SW_CERT_B */
3064 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3065}
3066
3353#ifndef OPENSSL_NO_TLSEXT 3067#ifndef OPENSSL_NO_TLSEXT
3354/* send a new session ticket (not necessarily for a new session) */ 3068/* send a new session ticket (not necessarily for a new session) */
3355int ssl3_send_newsession_ticket(SSL *s) 3069int
3356 { 3070ssl3_send_newsession_ticket(SSL *s)
3357 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3071{
3358 { 3072 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
3359 unsigned char *p, *senc, *macstart; 3073 unsigned char *p, *senc, *macstart;
3360 const unsigned char *const_p; 3074 const unsigned char *const_p;
3361 int len, slen_full, slen; 3075 int len, slen_full, slen;
@@ -3383,19 +3097,18 @@ int ssl3_send_newsession_ticket(SSL *s)
3383 /* create a fresh copy (not shared with other threads) to clean up */ 3097 /* create a fresh copy (not shared with other threads) to clean up */
3384 const_p = senc; 3098 const_p = senc;
3385 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3099 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3386 if (sess == NULL) 3100 if (sess == NULL) {
3387 {
3388 OPENSSL_free(senc); 3101 OPENSSL_free(senc);
3389 return -1; 3102 return -1;
3390 } 3103 }
3391 sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3104 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3392 3105
3393 slen = i2d_SSL_SESSION(sess, NULL); 3106 slen = i2d_SSL_SESSION(sess, NULL);
3394 if (slen > slen_full) /* shouldn't ever happen */ 3107 if (slen > slen_full) /* shouldn't ever happen */
3395 { 3108 {
3396 OPENSSL_free(senc); 3109 OPENSSL_free(senc);
3397 return -1; 3110 return -1;
3398 } 3111 }
3399 p = senc; 3112 p = senc;
3400 i2d_SSL_SESSION(sess, &p); 3113 i2d_SSL_SESSION(sess, &p);
3401 SSL_SESSION_free(sess); 3114 SSL_SESSION_free(sess);
@@ -3409,12 +3122,12 @@ int ssl3_send_newsession_ticket(SSL *s)
3409 */ 3122 */
3410 if (!BUF_MEM_grow(s->init_buf, 3123 if (!BUF_MEM_grow(s->init_buf,
3411 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3124 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3412 EVP_MAX_MD_SIZE + slen)) 3125 EVP_MAX_MD_SIZE + slen))
3413 return -1; 3126 return -1;
3414 3127
3415 p=(unsigned char *)s->init_buf->data; 3128 p = (unsigned char *)s->init_buf->data;
3416 /* do the header */ 3129 /* do the header */
3417 *(p++)=SSL3_MT_NEWSESSION_TICKET; 3130 *(p++) = SSL3_MT_NEWSESSION_TICKET;
3418 /* Skip message length for now */ 3131 /* Skip message length for now */
3419 p += 3; 3132 p += 3;
3420 EVP_CIPHER_CTX_init(&ctx); 3133 EVP_CIPHER_CTX_init(&ctx);
@@ -3423,24 +3136,20 @@ int ssl3_send_newsession_ticket(SSL *s)
3423 * it does all the work otherwise use generated values 3136 * it does all the work otherwise use generated values
3424 * from parent ctx. 3137 * from parent ctx.
3425 */ 3138 */
3426 if (tctx->tlsext_ticket_key_cb) 3139 if (tctx->tlsext_ticket_key_cb) {
3427 {
3428 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3140 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
3429 &hctx, 1) < 0) 3141 &hctx, 1) < 0) {
3430 {
3431 OPENSSL_free(senc); 3142 OPENSSL_free(senc);
3432 return -1; 3143 return -1;
3433 }
3434 } 3144 }
3435 else 3145 } else {
3436 {
3437 RAND_pseudo_bytes(iv, 16); 3146 RAND_pseudo_bytes(iv, 16);
3438 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3147 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3439 tctx->tlsext_tick_aes_key, iv); 3148 tctx->tlsext_tick_aes_key, iv);
3440 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3149 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3441 tlsext_tick_md(), NULL); 3150 tlsext_tick_md(), NULL);
3442 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3151 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3443 } 3152 }
3444 3153
3445 /* Ticket lifetime hint (advisory only): 3154 /* Ticket lifetime hint (advisory only):
3446 * We leave this unspecified for resumed session (for simplicity), 3155 * We leave this unspecified for resumed session (for simplicity),
@@ -3472,26 +3181,27 @@ int ssl3_send_newsession_ticket(SSL *s)
3472 /* Now write out lengths: p points to end of data written */ 3181 /* Now write out lengths: p points to end of data written */
3473 /* Total length */ 3182 /* Total length */
3474 len = p - (unsigned char *)s->init_buf->data; 3183 len = p - (unsigned char *)s->init_buf->data;
3475 p=(unsigned char *)s->init_buf->data + 1; 3184 p = (unsigned char *)s->init_buf->data + 1;
3476 l2n3(len - 4, p); /* Message length */ 3185 l2n3(len - 4, p); /* Message length */
3477 p += 4; 3186 p += 4;
3478 s2n(len - 10, p); /* Ticket length */ 3187 s2n(len - 10, p);
3188 /* Ticket length */
3479 3189
3480 /* number of bytes to write */ 3190 /* number of bytes to write */
3481 s->init_num= len; 3191 s->init_num = len;
3482 s->state=SSL3_ST_SW_SESSION_TICKET_B; 3192 s->state = SSL3_ST_SW_SESSION_TICKET_B;
3483 s->init_off=0; 3193 s->init_off = 0;
3484 OPENSSL_free(senc); 3194 OPENSSL_free(senc);
3485 } 3195 }
3486 3196
3487 /* SSL3_ST_SW_SESSION_TICKET_B */ 3197 /* SSL3_ST_SW_SESSION_TICKET_B */
3488 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3198 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3489 } 3199}
3490 3200
3491int ssl3_send_cert_status(SSL *s) 3201int
3492 { 3202ssl3_send_cert_status(SSL *s)
3493 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 3203{
3494 { 3204 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
3495 unsigned char *p; 3205 unsigned char *p;
3496 /* Grow buffer if need be: the length calculation is as 3206 /* Grow buffer if need be: the length calculation is as
3497 * follows 1 (message type) + 3 (message length) + 3207 * follows 1 (message type) + 3 (message length) +
@@ -3501,33 +3211,34 @@ int ssl3_send_cert_status(SSL *s)
3501 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 3211 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
3502 return -1; 3212 return -1;
3503 3213
3504 p=(unsigned char *)s->init_buf->data; 3214 p = (unsigned char *)s->init_buf->data;
3505 3215
3506 /* do the header */ 3216 /* do the header */
3507 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 3217 *(p++) = SSL3_MT_CERTIFICATE_STATUS;
3508 /* message length */ 3218 /* message length */
3509 l2n3(s->tlsext_ocsp_resplen + 4, p); 3219 l2n3(s->tlsext_ocsp_resplen + 4, p);
3510 /* status type */ 3220 /* status type */
3511 *(p++)= s->tlsext_status_type; 3221 *(p++) = s->tlsext_status_type;
3512 /* length of OCSP response */ 3222 /* length of OCSP response */
3513 l2n3(s->tlsext_ocsp_resplen, p); 3223 l2n3(s->tlsext_ocsp_resplen, p);
3514 /* actual response */ 3224 /* actual response */
3515 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 3225 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
3516 /* number of bytes to write */ 3226 /* number of bytes to write */
3517 s->init_num = 8 + s->tlsext_ocsp_resplen; 3227 s->init_num = 8 + s->tlsext_ocsp_resplen;
3518 s->state=SSL3_ST_SW_CERT_STATUS_B; 3228 s->state = SSL3_ST_SW_CERT_STATUS_B;
3519 s->init_off = 0; 3229 s->init_off = 0;
3520 } 3230 }
3521 3231
3522 /* SSL3_ST_SW_CERT_STATUS_B */ 3232 /* SSL3_ST_SW_CERT_STATUS_B */
3523 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3233 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3524 } 3234}
3525 3235
3526# ifndef OPENSSL_NO_NEXTPROTONEG 3236# ifndef OPENSSL_NO_NEXTPROTONEG
3527/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 3237/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
3528 * sets the next_proto member in s if found */ 3238 * sets the next_proto member in s if found */
3529int ssl3_get_next_proto(SSL *s) 3239int
3530 { 3240ssl3_get_next_proto(SSL *s)
3241{
3531 int ok; 3242 int ok;
3532 int proto_len, padding_len; 3243 int proto_len, padding_len;
3533 long n; 3244 long n;
@@ -3535,35 +3246,30 @@ int ssl3_get_next_proto(SSL *s)
3535 3246
3536 /* Clients cannot send a NextProtocol message if we didn't see the 3247 /* Clients cannot send a NextProtocol message if we didn't see the
3537 * extension in their ClientHello */ 3248 * extension in their ClientHello */
3538 if (!s->s3->next_proto_neg_seen) 3249 if (!s->s3->next_proto_neg_seen) {
3539 { 3250 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3540 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3541 return -1; 3251 return -1;
3542 } 3252 }
3543
3544 n=s->method->ssl_get_message(s,
3545 SSL3_ST_SR_NEXT_PROTO_A,
3546 SSL3_ST_SR_NEXT_PROTO_B,
3547 SSL3_MT_NEXT_PROTO,
3548 514, /* See the payload format below */
3549 &ok);
3550 3253
3254 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
3255 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
3256 514, /* See the payload format below */ &ok);
3551 if (!ok) 3257 if (!ok)
3552 return((int)n); 3258 return ((int)n);
3553 3259
3554 /* s->state doesn't reflect whether ChangeCipherSpec has been received 3260 /* s->state doesn't reflect whether ChangeCipherSpec has been received
3555 * in this handshake, but s->s3->change_cipher_spec does (will be reset 3261 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3556 * by ssl3_get_finished). */ 3262 * by ssl3_get_finished). */
3557 if (!s->s3->change_cipher_spec) 3263 if (!s->s3->change_cipher_spec) {
3558 { 3264 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3559 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3560 return -1; 3265 return -1;
3561 } 3266 }
3562 3267
3563 if (n < 2) 3268 if (n < 2)
3564 return 0; /* The body must be > 1 bytes long */ 3269 return 0;
3270 /* The body must be > 1 bytes long */
3565 3271
3566 p=(unsigned char *)s->init_msg; 3272 p = (unsigned char *)s->init_msg;
3567 3273
3568 /* The payload looks like: 3274 /* The payload looks like:
3569 * uint8 proto_len; 3275 * uint8 proto_len;
@@ -3579,15 +3285,14 @@ int ssl3_get_next_proto(SSL *s)
3579 return 0; 3285 return 0;
3580 3286
3581 s->next_proto_negotiated = OPENSSL_malloc(proto_len); 3287 s->next_proto_negotiated = OPENSSL_malloc(proto_len);
3582 if (!s->next_proto_negotiated) 3288 if (!s->next_proto_negotiated) {
3583 { 3289 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE);
3584 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
3585 return 0; 3290 return 0;
3586 } 3291 }
3587 memcpy(s->next_proto_negotiated, p + 1, proto_len); 3292 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3588 s->next_proto_negotiated_len = proto_len; 3293 s->next_proto_negotiated_len = proto_len;
3589 3294
3590 return 1; 3295 return 1;
3591 } 3296}
3592# endif 3297# endif
3593#endif 3298#endif
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 64e7be8d67..b9ca6b6f9b 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -168,62 +168,60 @@
168#endif 168#endif
169 169
170static const SSL_METHOD *ssl3_get_client_method(int ver); 170static const SSL_METHOD *ssl3_get_client_method(int ver);
171static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); 171static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
172 172
173static const SSL_METHOD *ssl3_get_client_method(int ver) 173static const SSL_METHOD
174 { 174*ssl3_get_client_method(int ver)
175{
175 if (ver == SSL3_VERSION) 176 if (ver == SSL3_VERSION)
176 return(SSLv3_client_method()); 177 return (SSLv3_client_method());
177 else 178 else
178 return(NULL); 179 return (NULL);
179 } 180}
180 181
181IMPLEMENT_ssl3_meth_func(SSLv3_client_method, 182IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
182 ssl_undefined_function, 183 ssl_undefined_function, ssl3_connect, ssl3_get_client_method)
183 ssl3_connect,
184 ssl3_get_client_method)
185 184
186int ssl3_connect(SSL *s) 185int
187 { 186ssl3_connect(SSL *s)
188 BUF_MEM *buf=NULL; 187{
189 unsigned long Time=(unsigned long)time(NULL); 188 BUF_MEM *buf = NULL;
190 void (*cb)(const SSL *ssl,int type,int val)=NULL; 189 unsigned long Time = (unsigned long)time(NULL);
191 int ret= -1; 190 void (*cb)(const SSL *ssl, int type, int val) = NULL;
192 int new_state,state,skip=0; 191 int ret = -1;
192 int new_state, state, skip = 0;
193 193
194 RAND_add(&Time,sizeof(Time),0); 194 RAND_add(&Time, sizeof(Time), 0);
195 ERR_clear_error(); 195 ERR_clear_error();
196 errno = 0; 196 errno = 0;
197 197
198 if (s->info_callback != NULL) 198 if (s->info_callback != NULL)
199 cb=s->info_callback; 199 cb = s->info_callback;
200 else if (s->ctx->info_callback != NULL) 200 else if (s->ctx->info_callback != NULL)
201 cb=s->ctx->info_callback; 201 cb = s->ctx->info_callback;
202 202
203 s->in_handshake++; 203 s->in_handshake++;
204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 204 if (!SSL_in_init(s) || SSL_in_before(s))
205 SSL_clear(s);
205 206
206#ifndef OPENSSL_NO_HEARTBEATS 207#ifndef OPENSSL_NO_HEARTBEATS
207 /* If we're awaiting a HeartbeatResponse, pretend we 208 /* If we're awaiting a HeartbeatResponse, pretend we
208 * already got and don't await it anymore, because 209 * already got and don't await it anymore, because
209 * Heartbeats don't make sense during handshakes anyway. 210 * Heartbeats don't make sense during handshakes anyway.
210 */ 211 */
211 if (s->tlsext_hb_pending) 212 if (s->tlsext_hb_pending) {
212 {
213 s->tlsext_hb_pending = 0; 213 s->tlsext_hb_pending = 0;
214 s->tlsext_hb_seq++; 214 s->tlsext_hb_seq++;
215 } 215 }
216#endif 216#endif
217 217
218 for (;;) 218 for (;;) {
219 { 219 state = s->state;
220 state=s->state;
221 220
222 switch(s->state) 221 switch (s->state) {
223 {
224 case SSL_ST_RENEGOTIATE: 222 case SSL_ST_RENEGOTIATE:
225 s->renegotiate=1; 223 s->renegotiate = 1;
226 s->state=SSL_ST_CONNECT; 224 s->state = SSL_ST_CONNECT;
227 s->ctx->stats.sess_connect_renegotiate++; 225 s->ctx->stats.sess_connect_renegotiate++;
228 /* break */ 226 /* break */
229 case SSL_ST_BEFORE: 227 case SSL_ST_BEFORE:
@@ -231,173 +229,172 @@ int ssl3_connect(SSL *s)
231 case SSL_ST_BEFORE|SSL_ST_CONNECT: 229 case SSL_ST_BEFORE|SSL_ST_CONNECT:
232 case SSL_ST_OK|SSL_ST_CONNECT: 230 case SSL_ST_OK|SSL_ST_CONNECT:
233 231
234 s->server=0; 232 s->server = 0;
235 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 233 if (cb != NULL)
234 cb(s, SSL_CB_HANDSHAKE_START, 1);
236 235
237 if ((s->version & 0xff00 ) != 0x0300) 236 if ((s->version & 0xff00 ) != 0x0300) {
238 {
239 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); 237 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
240 ret = -1; 238 ret = -1;
241 goto end; 239 goto end;
242 } 240 }
243 241
244 /* s->version=SSL3_VERSION; */ 242 /* s->version=SSL3_VERSION; */
245 s->type=SSL_ST_CONNECT; 243 s->type = SSL_ST_CONNECT;
246 244
247 if (s->init_buf == NULL) 245 if (s->init_buf == NULL) {
248 { 246 if ((buf = BUF_MEM_new()) == NULL) {
249 if ((buf=BUF_MEM_new()) == NULL) 247 ret = -1;
250 {
251 ret= -1;
252 goto end; 248 goto end;
253 } 249 }
254 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 250 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
255 { 251 ret = -1;
256 ret= -1;
257 goto end; 252 goto end;
258 }
259 s->init_buf=buf;
260 buf=NULL;
261 } 253 }
254 s->init_buf = buf;
255 buf = NULL;
256 }
262 257
263 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 258 if (!ssl3_setup_buffers(s)) {
259 ret = -1;
260 goto end;
261 }
264 262
265 /* setup buffing BIO */ 263 /* setup buffing BIO */
266 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 264 if (!ssl_init_wbio_buffer(s, 0)) {
265 ret = -1;
266 goto end;
267 }
267 268
268 /* don't push the buffering BIO quite yet */ 269 /* don't push the buffering BIO quite yet */
269 270
270 ssl3_init_finished_mac(s); 271 ssl3_init_finished_mac(s);
271 272
272 s->state=SSL3_ST_CW_CLNT_HELLO_A; 273 s->state = SSL3_ST_CW_CLNT_HELLO_A;
273 s->ctx->stats.sess_connect++; 274 s->ctx->stats.sess_connect++;
274 s->init_num=0; 275 s->init_num = 0;
275 break; 276 break;
276 277
277 case SSL3_ST_CW_CLNT_HELLO_A: 278 case SSL3_ST_CW_CLNT_HELLO_A:
278 case SSL3_ST_CW_CLNT_HELLO_B: 279 case SSL3_ST_CW_CLNT_HELLO_B:
279 280
280 s->shutdown=0; 281 s->shutdown = 0;
281 ret=ssl3_client_hello(s); 282 ret = ssl3_client_hello(s);
282 if (ret <= 0) goto end; 283 if (ret <= 0)
283 s->state=SSL3_ST_CR_SRVR_HELLO_A; 284 goto end;
284 s->init_num=0; 285 s->state = SSL3_ST_CR_SRVR_HELLO_A;
286 s->init_num = 0;
285 287
286 /* turn on buffering for the next lot of output */ 288 /* turn on buffering for the next lot of output */
287 if (s->bbio != s->wbio) 289 if (s->bbio != s->wbio)
288 s->wbio=BIO_push(s->bbio,s->wbio); 290 s->wbio = BIO_push(s->bbio, s->wbio);
289 291
290 break; 292 break;
291 293
292 case SSL3_ST_CR_SRVR_HELLO_A: 294 case SSL3_ST_CR_SRVR_HELLO_A:
293 case SSL3_ST_CR_SRVR_HELLO_B: 295 case SSL3_ST_CR_SRVR_HELLO_B:
294 ret=ssl3_get_server_hello(s); 296 ret = ssl3_get_server_hello(s);
295 if (ret <= 0) goto end; 297 if (ret <= 0)
298 goto end;
296 299
297 if (s->hit) 300 if (s->hit) {
298 { 301 s->state = SSL3_ST_CR_FINISHED_A;
299 s->state=SSL3_ST_CR_FINISHED_A;
300#ifndef OPENSSL_NO_TLSEXT 302#ifndef OPENSSL_NO_TLSEXT
301 if (s->tlsext_ticket_expected) 303 if (s->tlsext_ticket_expected) {
302 {
303 /* receive renewed session ticket */ 304 /* receive renewed session ticket */
304 s->state=SSL3_ST_CR_SESSION_TICKET_A; 305 s->state = SSL3_ST_CR_SESSION_TICKET_A;
305 }
306#endif
307 } 306 }
308 else 307#endif
309 s->state=SSL3_ST_CR_CERT_A; 308 } else
310 s->init_num=0; 309 s->state = SSL3_ST_CR_CERT_A;
310 s->init_num = 0;
311 break; 311 break;
312 312
313 case SSL3_ST_CR_CERT_A: 313 case SSL3_ST_CR_CERT_A:
314 case SSL3_ST_CR_CERT_B: 314 case SSL3_ST_CR_CERT_B:
315#ifndef OPENSSL_NO_TLSEXT 315#ifndef OPENSSL_NO_TLSEXT
316 ret=ssl3_check_finished(s); 316 ret = ssl3_check_finished(s);
317 if (ret <= 0) goto end; 317 if (ret <= 0)
318 if (ret == 2) 318 goto end;
319 { 319 if (ret == 2) {
320 s->hit = 1; 320 s->hit = 1;
321 if (s->tlsext_ticket_expected) 321 if (s->tlsext_ticket_expected)
322 s->state=SSL3_ST_CR_SESSION_TICKET_A; 322 s->state = SSL3_ST_CR_SESSION_TICKET_A;
323 else 323 else
324 s->state=SSL3_ST_CR_FINISHED_A; 324 s->state = SSL3_ST_CR_FINISHED_A;
325 s->init_num=0; 325 s->init_num = 0;
326 break; 326 break;
327 } 327 }
328#endif 328#endif
329 /* Check if it is anon DH/ECDH */ 329 /* Check if it is anon DH/ECDH */
330 /* or PSK */ 330 /* or PSK */
331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 331 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 332 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
333 { 333 ret = ssl3_get_server_certificate(s);
334 ret=ssl3_get_server_certificate(s); 334 if (ret <= 0)
335 if (ret <= 0) goto end; 335 goto end;
336#ifndef OPENSSL_NO_TLSEXT 336#ifndef OPENSSL_NO_TLSEXT
337 if (s->tlsext_status_expected) 337 if (s->tlsext_status_expected)
338 s->state=SSL3_ST_CR_CERT_STATUS_A; 338 s->state = SSL3_ST_CR_CERT_STATUS_A;
339 else 339 else
340 s->state=SSL3_ST_CR_KEY_EXCH_A; 340 s->state = SSL3_ST_CR_KEY_EXCH_A;
341 } 341 } else {
342 else
343 {
344 skip = 1; 342 skip = 1;
345 s->state=SSL3_ST_CR_KEY_EXCH_A; 343 s->state = SSL3_ST_CR_KEY_EXCH_A;
346 } 344 }
347#else 345#else
348 } 346 } else
349 else 347 skip = 1;
350 skip=1;
351 348
352 s->state=SSL3_ST_CR_KEY_EXCH_A; 349 s->state = SSL3_ST_CR_KEY_EXCH_A;
353#endif 350#endif
354 s->init_num=0; 351 s->init_num = 0;
355 break; 352 break;
356 353
357 case SSL3_ST_CR_KEY_EXCH_A: 354 case SSL3_ST_CR_KEY_EXCH_A:
358 case SSL3_ST_CR_KEY_EXCH_B: 355 case SSL3_ST_CR_KEY_EXCH_B:
359 ret=ssl3_get_key_exchange(s); 356 ret = ssl3_get_key_exchange(s);
360 if (ret <= 0) goto end; 357 if (ret <= 0)
361 s->state=SSL3_ST_CR_CERT_REQ_A; 358 goto end;
362 s->init_num=0; 359 s->state = SSL3_ST_CR_CERT_REQ_A;
360 s->init_num = 0;
363 361
364 /* at this point we check that we have the 362 /* at this point we check that we have the
365 * required stuff from the server */ 363 * required stuff from the server */
366 if (!ssl3_check_cert_and_algorithm(s)) 364 if (!ssl3_check_cert_and_algorithm(s)) {
367 { 365 ret = -1;
368 ret= -1;
369 goto end; 366 goto end;
370 } 367 }
371 break; 368 break;
372 369
373 case SSL3_ST_CR_CERT_REQ_A: 370 case SSL3_ST_CR_CERT_REQ_A:
374 case SSL3_ST_CR_CERT_REQ_B: 371 case SSL3_ST_CR_CERT_REQ_B:
375 ret=ssl3_get_certificate_request(s); 372 ret = ssl3_get_certificate_request(s);
376 if (ret <= 0) goto end; 373 if (ret <= 0)
377 s->state=SSL3_ST_CR_SRVR_DONE_A; 374 goto end;
378 s->init_num=0; 375 s->state = SSL3_ST_CR_SRVR_DONE_A;
376 s->init_num = 0;
379 break; 377 break;
380 378
381 case SSL3_ST_CR_SRVR_DONE_A: 379 case SSL3_ST_CR_SRVR_DONE_A:
382 case SSL3_ST_CR_SRVR_DONE_B: 380 case SSL3_ST_CR_SRVR_DONE_B:
383 ret=ssl3_get_server_done(s); 381 ret = ssl3_get_server_done(s);
384 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
385#ifndef OPENSSL_NO_SRP 384#ifndef OPENSSL_NO_SRP
386 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) 385 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
387 { 386 if ((ret = SRP_Calc_A_param(s)) <= 0) {
388 if ((ret = SRP_Calc_A_param(s))<=0) 387 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
389 { 388 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
390 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
391 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
392 goto end; 389 goto end;
393 }
394 } 390 }
391 }
395#endif 392#endif
396 if (s->s3->tmp.cert_req) 393 if (s->s3->tmp.cert_req)
397 s->state=SSL3_ST_CW_CERT_A; 394 s->state = SSL3_ST_CW_CERT_A;
398 else 395 else
399 s->state=SSL3_ST_CW_KEY_EXCH_A; 396 s->state = SSL3_ST_CW_KEY_EXCH_A;
400 s->init_num=0; 397 s->init_num = 0;
401 398
402 break; 399 break;
403 400
@@ -405,16 +402,18 @@ int ssl3_connect(SSL *s)
405 case SSL3_ST_CW_CERT_B: 402 case SSL3_ST_CW_CERT_B:
406 case SSL3_ST_CW_CERT_C: 403 case SSL3_ST_CW_CERT_C:
407 case SSL3_ST_CW_CERT_D: 404 case SSL3_ST_CW_CERT_D:
408 ret=ssl3_send_client_certificate(s); 405 ret = ssl3_send_client_certificate(s);
409 if (ret <= 0) goto end; 406 if (ret <= 0)
410 s->state=SSL3_ST_CW_KEY_EXCH_A; 407 goto end;
411 s->init_num=0; 408 s->state = SSL3_ST_CW_KEY_EXCH_A;
409 s->init_num = 0;
412 break; 410 break;
413 411
414 case SSL3_ST_CW_KEY_EXCH_A: 412 case SSL3_ST_CW_KEY_EXCH_A:
415 case SSL3_ST_CW_KEY_EXCH_B: 413 case SSL3_ST_CW_KEY_EXCH_B:
416 ret=ssl3_send_client_key_exchange(s); 414 ret = ssl3_send_client_key_exchange(s);
417 if (ret <= 0) goto end; 415 if (ret <= 0)
416 goto end;
418 /* EAY EAY EAY need to check for DH fix cert 417 /* EAY EAY EAY need to check for DH fix cert
419 * sent back */ 418 * sent back */
420 /* For TLS, cert_req is set to 2, so a cert chain 419 /* For TLS, cert_req is set to 2, so a cert chain
@@ -426,170 +425,165 @@ int ssl3_connect(SSL *s)
426 * message when client's ECDH public key is sent 425 * message when client's ECDH public key is sent
427 * inside the client certificate. 426 * inside the client certificate.
428 */ 427 */
429 if (s->s3->tmp.cert_req == 1) 428 if (s->s3->tmp.cert_req == 1) {
430 { 429 s->state = SSL3_ST_CW_CERT_VRFY_A;
431 s->state=SSL3_ST_CW_CERT_VRFY_A; 430 } else {
432 } 431 s->state = SSL3_ST_CW_CHANGE_A;
433 else 432 s->s3->change_cipher_spec = 0;
434 { 433 }
435 s->state=SSL3_ST_CW_CHANGE_A; 434 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
436 s->s3->change_cipher_spec=0; 435 s->state = SSL3_ST_CW_CHANGE_A;
437 } 436 s->s3->change_cipher_spec = 0;
438 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) 437 }
439 {
440 s->state=SSL3_ST_CW_CHANGE_A;
441 s->s3->change_cipher_spec=0;
442 }
443 438
444 s->init_num=0; 439 s->init_num = 0;
445 break; 440 break;
446 441
447 case SSL3_ST_CW_CERT_VRFY_A: 442 case SSL3_ST_CW_CERT_VRFY_A:
448 case SSL3_ST_CW_CERT_VRFY_B: 443 case SSL3_ST_CW_CERT_VRFY_B:
449 ret=ssl3_send_client_verify(s); 444 ret = ssl3_send_client_verify(s);
450 if (ret <= 0) goto end; 445 if (ret <= 0)
451 s->state=SSL3_ST_CW_CHANGE_A; 446 goto end;
452 s->init_num=0; 447 s->state = SSL3_ST_CW_CHANGE_A;
453 s->s3->change_cipher_spec=0; 448 s->init_num = 0;
449 s->s3->change_cipher_spec = 0;
454 break; 450 break;
455 451
456 case SSL3_ST_CW_CHANGE_A: 452 case SSL3_ST_CW_CHANGE_A:
457 case SSL3_ST_CW_CHANGE_B: 453 case SSL3_ST_CW_CHANGE_B:
458 ret=ssl3_send_change_cipher_spec(s, 454 ret = ssl3_send_change_cipher_spec(s,
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 455 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end; 456 if (ret <= 0)
457 goto end;
461 458
462#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 459#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
463 s->state=SSL3_ST_CW_FINISHED_A; 460 s->state = SSL3_ST_CW_FINISHED_A;
464#else 461#else
465 if (s->s3->next_proto_neg_seen) 462 if (s->s3->next_proto_neg_seen)
466 s->state=SSL3_ST_CW_NEXT_PROTO_A; 463 s->state = SSL3_ST_CW_NEXT_PROTO_A;
467 else 464 else
468 s->state=SSL3_ST_CW_FINISHED_A; 465 s->state = SSL3_ST_CW_FINISHED_A;
469#endif 466#endif
470 s->init_num=0; 467 s->init_num = 0;
471 468
472 s->session->cipher=s->s3->tmp.new_cipher; 469 s->session->cipher = s->s3->tmp.new_cipher;
473#ifdef OPENSSL_NO_COMP 470#ifdef OPENSSL_NO_COMP
474 s->session->compress_meth=0; 471 s->session->compress_meth = 0;
475#else 472#else
476 if (s->s3->tmp.new_compression == NULL) 473 if (s->s3->tmp.new_compression == NULL)
477 s->session->compress_meth=0; 474 s->session->compress_meth = 0;
478 else 475 else
479 s->session->compress_meth= 476 s->session->compress_meth =
480 s->s3->tmp.new_compression->id; 477 s->s3->tmp.new_compression->id;
481#endif 478#endif
482 if (!s->method->ssl3_enc->setup_key_block(s)) 479 if (!s->method->ssl3_enc->setup_key_block(s)) {
483 { 480 ret = -1;
484 ret= -1;
485 goto end; 481 goto end;
486 } 482 }
487 483
488 if (!s->method->ssl3_enc->change_cipher_state(s, 484 if (!s->method->ssl3_enc->change_cipher_state(s,
489 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 485 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
490 { 486 ret = -1;
491 ret= -1;
492 goto end; 487 goto end;
493 } 488 }
494 489
495 break; 490 break;
496 491
497#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 492#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
498 case SSL3_ST_CW_NEXT_PROTO_A: 493 case SSL3_ST_CW_NEXT_PROTO_A:
499 case SSL3_ST_CW_NEXT_PROTO_B: 494 case SSL3_ST_CW_NEXT_PROTO_B:
500 ret=ssl3_send_next_proto(s); 495 ret = ssl3_send_next_proto(s);
501 if (ret <= 0) goto end; 496 if (ret <= 0)
502 s->state=SSL3_ST_CW_FINISHED_A; 497 goto end;
498 s->state = SSL3_ST_CW_FINISHED_A;
503 break; 499 break;
504#endif 500#endif
505 501
506 case SSL3_ST_CW_FINISHED_A: 502 case SSL3_ST_CW_FINISHED_A:
507 case SSL3_ST_CW_FINISHED_B: 503 case SSL3_ST_CW_FINISHED_B:
508 ret=ssl3_send_finished(s, 504 ret = ssl3_send_finished(s,
509 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 505 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
510 s->method->ssl3_enc->client_finished_label, 506 s->method->ssl3_enc->client_finished_label,
511 s->method->ssl3_enc->client_finished_label_len); 507 s->method->ssl3_enc->client_finished_label_len);
512 if (ret <= 0) goto end; 508 if (ret <= 0)
513 s->state=SSL3_ST_CW_FLUSH; 509 goto end;
510 s->state = SSL3_ST_CW_FLUSH;
514 511
515 /* clear flags */ 512 /* clear flags */
516 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 513 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
517 if (s->hit) 514 if (s->hit) {
518 { 515 s->s3->tmp.next_state = SSL_ST_OK;
519 s->s3->tmp.next_state=SSL_ST_OK; 516 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
520 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 517 s->state = SSL_ST_OK;
521 {
522 s->state=SSL_ST_OK;
523 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 518 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
524 s->s3->delay_buf_pop_ret=0; 519 s->s3->delay_buf_pop_ret = 0;
525 }
526 } 520 }
527 else 521 } else {
528 {
529#ifndef OPENSSL_NO_TLSEXT 522#ifndef OPENSSL_NO_TLSEXT
530 /* Allow NewSessionTicket if ticket expected */ 523 /* Allow NewSessionTicket if ticket expected */
531 if (s->tlsext_ticket_expected) 524 if (s->tlsext_ticket_expected)
532 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 525 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
533 else 526 else
534#endif 527#endif
535 528
536 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 529 s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
537 } 530 }
538 s->init_num=0; 531 s->init_num = 0;
539 break; 532 break;
540 533
541#ifndef OPENSSL_NO_TLSEXT 534#ifndef OPENSSL_NO_TLSEXT
542 case SSL3_ST_CR_SESSION_TICKET_A: 535 case SSL3_ST_CR_SESSION_TICKET_A:
543 case SSL3_ST_CR_SESSION_TICKET_B: 536 case SSL3_ST_CR_SESSION_TICKET_B:
544 ret=ssl3_get_new_session_ticket(s); 537 ret = ssl3_get_new_session_ticket(s);
545 if (ret <= 0) goto end; 538 if (ret <= 0)
546 s->state=SSL3_ST_CR_FINISHED_A; 539 goto end;
547 s->init_num=0; 540 s->state = SSL3_ST_CR_FINISHED_A;
548 break; 541 s->init_num = 0;
542 break;
549 543
550 case SSL3_ST_CR_CERT_STATUS_A: 544 case SSL3_ST_CR_CERT_STATUS_A:
551 case SSL3_ST_CR_CERT_STATUS_B: 545 case SSL3_ST_CR_CERT_STATUS_B:
552 ret=ssl3_get_cert_status(s); 546 ret = ssl3_get_cert_status(s);
553 if (ret <= 0) goto end; 547 if (ret <= 0)
554 s->state=SSL3_ST_CR_KEY_EXCH_A; 548 goto end;
555 s->init_num=0; 549 s->state = SSL3_ST_CR_KEY_EXCH_A;
556 break; 550 s->init_num = 0;
551 break;
557#endif 552#endif
558 553
559 case SSL3_ST_CR_FINISHED_A: 554 case SSL3_ST_CR_FINISHED_A:
560 case SSL3_ST_CR_FINISHED_B: 555 case SSL3_ST_CR_FINISHED_B:
561 556
562 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 557 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
563 SSL3_ST_CR_FINISHED_B); 558 SSL3_ST_CR_FINISHED_B);
564 if (ret <= 0) goto end; 559 if (ret <= 0)
560 goto end;
565 561
566 if (s->hit) 562 if (s->hit)
567 s->state=SSL3_ST_CW_CHANGE_A; 563 s->state = SSL3_ST_CW_CHANGE_A;
568 else 564 else
569 s->state=SSL_ST_OK; 565 s->state = SSL_ST_OK;
570 s->init_num=0; 566 s->init_num = 0;
571 break; 567 break;
572 568
573 case SSL3_ST_CW_FLUSH: 569 case SSL3_ST_CW_FLUSH:
574 s->rwstate=SSL_WRITING; 570 s->rwstate = SSL_WRITING;
575 if (BIO_flush(s->wbio) <= 0) 571 if (BIO_flush(s->wbio) <= 0) {
576 { 572 ret = -1;
577 ret= -1;
578 goto end; 573 goto end;
579 } 574 }
580 s->rwstate=SSL_NOTHING; 575 s->rwstate = SSL_NOTHING;
581 s->state=s->s3->tmp.next_state; 576 s->state = s->s3->tmp.next_state;
582 break; 577 break;
583 578
584 case SSL_ST_OK: 579 case SSL_ST_OK:
585 /* clean a few things up */ 580 /* clean a few things up */
586 ssl3_cleanup_key_block(s); 581 ssl3_cleanup_key_block(s);
587 582
588 if (s->init_buf != NULL) 583 if (s->init_buf != NULL) {
589 {
590 BUF_MEM_free(s->init_buf); 584 BUF_MEM_free(s->init_buf);
591 s->init_buf=NULL; 585 s->init_buf = NULL;
592 } 586 }
593 587
594 /* If we are not 'joining' the last two packets, 588 /* If we are not 'joining' the last two packets,
595 * remove the buffering now */ 589 * remove the buffering now */
@@ -597,63 +591,63 @@ int ssl3_connect(SSL *s)
597 ssl_free_wbio_buffer(s); 591 ssl_free_wbio_buffer(s);
598 /* else do it later in ssl3_write */ 592 /* else do it later in ssl3_write */
599 593
600 s->init_num=0; 594 s->init_num = 0;
601 s->renegotiate=0; 595 s->renegotiate = 0;
602 s->new_session=0; 596 s->new_session = 0;
603 597
604 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 598 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
605 if (s->hit) s->ctx->stats.sess_hit++; 599 if (s->hit)
600 s->ctx->stats.sess_hit++;
606 601
607 ret=1; 602 ret = 1;
608 /* s->server=0; */ 603 /* s->server=0; */
609 s->handshake_func=ssl3_connect; 604 s->handshake_func = ssl3_connect;
610 s->ctx->stats.sess_connect_good++; 605 s->ctx->stats.sess_connect_good++;
611 606
612 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 607 if (cb != NULL)
608 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
613 609
614 goto end; 610 goto end;
615 /* break; */ 611 /* break; */
616 612
617 default: 613 default:
618 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 614 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE);
619 ret= -1; 615 ret = -1;
620 goto end; 616 goto end;
621 /* break; */ 617 /* break; */
622 } 618 }
623 619
624 /* did we do anything */ 620 /* did we do anything */
625 if (!s->s3->tmp.reuse_message && !skip) 621 if (!s->s3->tmp.reuse_message && !skip) {
626 { 622 if (s->debug) {
627 if (s->debug) 623 if ((ret = BIO_flush(s->wbio)) <= 0)
628 {
629 if ((ret=BIO_flush(s->wbio)) <= 0)
630 goto end; 624 goto end;
631 } 625 }
632 626
633 if ((cb != NULL) && (s->state != state)) 627 if ((cb != NULL) && (s->state != state)) {
634 { 628 new_state = s->state;
635 new_state=s->state; 629 s->state = state;
636 s->state=state; 630 cb(s, SSL_CB_CONNECT_LOOP, 1);
637 cb(s,SSL_CB_CONNECT_LOOP,1); 631 s->state = new_state;
638 s->state=new_state;
639 }
640 } 632 }
641 skip=0;
642 } 633 }
634 skip = 0;
635 }
643end: 636end:
644 s->in_handshake--; 637 s->in_handshake--;
645 if (buf != NULL) 638 if (buf != NULL)
646 BUF_MEM_free(buf); 639 BUF_MEM_free(buf);
647 if (cb != NULL) 640 if (cb != NULL)
648 cb(s,SSL_CB_CONNECT_EXIT,ret); 641 cb(s, SSL_CB_CONNECT_EXIT, ret);
649 return(ret); 642 return (ret);
650 } 643}
651 644
652 645
653int ssl3_client_hello(SSL *s) 646int
654 { 647ssl3_client_hello(SSL *s)
648{
655 unsigned char *buf; 649 unsigned char *buf;
656 unsigned char *p,*d; 650 unsigned char *p, *d;
657 int i; 651 int i;
658 unsigned long l; 652 unsigned long l;
659#ifndef OPENSSL_NO_COMP 653#ifndef OPENSSL_NO_COMP
@@ -661,31 +655,29 @@ int ssl3_client_hello(SSL *s)
661 SSL_COMP *comp; 655 SSL_COMP *comp;
662#endif 656#endif
663 657
664 buf=(unsigned char *)s->init_buf->data; 658 buf = (unsigned char *)s->init_buf->data;
665 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 659 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
666 {
667 SSL_SESSION *sess = s->session; 660 SSL_SESSION *sess = s->session;
668 if ((sess == NULL) || 661 if ((sess == NULL) ||
669 (sess->ssl_version != s->version) || 662 (sess->ssl_version != s->version) ||
670#ifdef OPENSSL_NO_TLSEXT 663#ifdef OPENSSL_NO_TLSEXT
671 !sess->session_id_length || 664 !sess->session_id_length ||
672#else 665#else
673 (!sess->session_id_length && !sess->tlsext_tick) || 666 (!sess->session_id_length && !sess->tlsext_tick) ||
674#endif 667#endif
675 (sess->not_resumable)) 668 (sess->not_resumable)) {
676 { 669 if (!ssl_get_new_session(s, 0))
677 if (!ssl_get_new_session(s,0))
678 goto err; 670 goto err;
679 } 671 }
680 /* else use the pre-loaded session */ 672 /* else use the pre-loaded session */
681 673
682 p=s->s3->client_random; 674 p = s->s3->client_random;
683 675
684 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) 676 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
685 goto err; 677 goto err;
686 678
687 /* Do the message type and length last */ 679 /* Do the message type and length last */
688 d=p= &(buf[4]); 680 d = p= &(buf[4]);
689 681
690 /* version indicates the negotiated version: for example from 682 /* version indicates the negotiated version: for example from
691 * an SSLv2/v3 compatible client hello). The client_version 683 * an SSLv2/v3 compatible client hello). The client_version
@@ -717,562 +709,510 @@ int ssl3_client_hello(SSL *s)
717 * the negotiated version. 709 * the negotiated version.
718 */ 710 */
719#if 0 711#if 0
720 *(p++)=s->version>>8; 712 *(p++) = s->version >> 8;
721 *(p++)=s->version&0xff; 713 *(p++) = s->version&0xff;
722 s->client_version=s->version; 714 s->client_version = s->version;
723#else 715#else
724 *(p++)=s->client_version>>8; 716 *(p++) = s->client_version >> 8;
725 *(p++)=s->client_version&0xff; 717 *(p++) = s->client_version&0xff;
726#endif 718#endif
727 719
728 /* Random stuff */ 720 /* Random stuff */
729 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 721 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
730 p+=SSL3_RANDOM_SIZE; 722 p += SSL3_RANDOM_SIZE;
731 723
732 /* Session ID */ 724 /* Session ID */
733 if (s->new_session) 725 if (s->new_session)
734 i=0; 726 i = 0;
735 else 727 else
736 i=s->session->session_id_length; 728 i = s->session->session_id_length;
737 *(p++)=i; 729 *(p++) = i;
738 if (i != 0) 730 if (i != 0) {
739 { 731 if (i > (int)sizeof(s->session->session_id)) {
740 if (i > (int)sizeof(s->session->session_id))
741 {
742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 732 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
743 goto err; 733 goto err;
744 }
745 memcpy(p,s->session->session_id,i);
746 p+=i;
747 } 734 }
748 735 memcpy(p, s->session->session_id, i);
736 p += i;
737 }
738
749 /* Ciphers supported */ 739 /* Ciphers supported */
750 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 740 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0);
751 if (i == 0) 741 if (i == 0) {
752 { 742 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
753 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
754 goto err; 743 goto err;
755 } 744 }
756#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH 745#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
757 /* Some servers hang if client hello > 256 bytes 746 /* Some servers hang if client hello > 256 bytes
758 * as hack workaround chop number of supported ciphers 747 * as hack workaround chop number of supported ciphers
759 * to keep it well below this if we use TLS v1.2 748 * to keep it well below this if we use TLS v1.2
760 */ 749 */
761 if (TLS1_get_version(s) >= TLS1_2_VERSION 750 if (TLS1_get_version(s) >= TLS1_2_VERSION &&
762 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) 751 i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
763 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; 752 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
764#endif 753#endif
765 s2n(i,p); 754 s2n(i, p);
766 p+=i; 755 p += i;
767 756
768 /* COMPRESSION */ 757 /* COMPRESSION */
769#ifdef OPENSSL_NO_COMP 758#ifdef OPENSSL_NO_COMP
770 *(p++)=1; 759 *(p++) = 1;
771#else 760#else
772 761
773 if ((s->options & SSL_OP_NO_COMPRESSION) 762 if ((s->options & SSL_OP_NO_COMPRESSION) ||
774 || !s->ctx->comp_methods) 763 !s->ctx->comp_methods)
775 j=0; 764 j = 0;
776 else 765 else
777 j=sk_SSL_COMP_num(s->ctx->comp_methods); 766 j = sk_SSL_COMP_num(s->ctx->comp_methods);
778 *(p++)=1+j; 767 *(p++) = 1 + j;
779 for (i=0; i<j; i++) 768 for (i = 0; i < j; i++) {
780 { 769 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
781 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 770 *(p++) = comp->id;
782 *(p++)=comp->id; 771 }
783 }
784#endif 772#endif
785 *(p++)=0; /* Add the NULL method */ 773 *(p++) = 0; /* Add the NULL method */
786 774
787#ifndef OPENSSL_NO_TLSEXT 775#ifndef OPENSSL_NO_TLSEXT
788 /* TLS extensions*/ 776 /* TLS extensions*/
789 if (ssl_prepare_clienthello_tlsext(s) <= 0) 777 if (ssl_prepare_clienthello_tlsext(s) <= 0) {
790 { 778 SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
791 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
792 goto err; 779 goto err;
793 } 780 }
794 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 781 if ((p = ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
795 { 782 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
796 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
797 goto err; 783 goto err;
798 } 784 }
799#endif 785#endif
800
801 l=(p-d);
802 d=buf;
803 *(d++)=SSL3_MT_CLIENT_HELLO;
804 l2n3(l,d);
805 786
806 s->state=SSL3_ST_CW_CLNT_HELLO_B; 787 l = (p - d);
788 d = buf;
789 *(d++) = SSL3_MT_CLIENT_HELLO;
790 l2n3(l, d);
791
792 s->state = SSL3_ST_CW_CLNT_HELLO_B;
807 /* number of bytes to write */ 793 /* number of bytes to write */
808 s->init_num=p-buf; 794 s->init_num = p - buf;
809 s->init_off=0; 795 s->init_off = 0;
810 } 796 }
811 797
812 /* SSL3_ST_CW_CLNT_HELLO_B */ 798 /* SSL3_ST_CW_CLNT_HELLO_B */
813 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 799 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
814err: 800err:
815 return(-1); 801 return (-1);
816 } 802}
817 803
818int ssl3_get_server_hello(SSL *s) 804int
819 { 805ssl3_get_server_hello(SSL *s)
806{
820 STACK_OF(SSL_CIPHER) *sk; 807 STACK_OF(SSL_CIPHER) *sk;
821 const SSL_CIPHER *c; 808 const SSL_CIPHER *c;
822 unsigned char *p,*d; 809 unsigned char *p, *d;
823 int i,al,ok; 810 int i, al, ok;
824 unsigned int j; 811 unsigned int j;
825 long n; 812 long n;
826#ifndef OPENSSL_NO_COMP 813#ifndef OPENSSL_NO_COMP
827 SSL_COMP *comp; 814 SSL_COMP *comp;
828#endif 815#endif
829 816
830 n=s->method->ssl_get_message(s, 817 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
831 SSL3_ST_CR_SRVR_HELLO_A, 818 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
832 SSL3_ST_CR_SRVR_HELLO_B,
833 -1,
834 20000, /* ?? */
835 &ok);
836 819
837 if (!ok) return((int)n); 820 if (!ok)
821 return ((int)n);
838 822
839 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 823 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) {
840 { 824 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
841 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 825 if (s->d1->send_cookie == 0) {
842 {
843 if ( s->d1->send_cookie == 0)
844 {
845 s->s3->tmp.reuse_message = 1; 826 s->s3->tmp.reuse_message = 1;
846 return 1; 827 return 1;
847 } 828 }
848 else /* already sent a cookie */ 829 else /* already sent a cookie */
849 { 830 {
850 al=SSL_AD_UNEXPECTED_MESSAGE; 831 al = SSL_AD_UNEXPECTED_MESSAGE;
851 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 832 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
852 goto f_err; 833 goto f_err;
853 }
854 } 834 }
855 } 835 }
856 836 }
857 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 837
858 { 838 if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) {
859 al=SSL_AD_UNEXPECTED_MESSAGE; 839 al = SSL_AD_UNEXPECTED_MESSAGE;
860 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 840 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_MESSAGE_TYPE);
861 goto f_err; 841 goto f_err;
862 } 842 }
863 843
864 d=p=(unsigned char *)s->init_msg; 844 d = p=(unsigned char *)s->init_msg;
865 845
866 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 846 if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
867 { 847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
868 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 848 s->version = (s->version&0xff00)|p[1];
869 s->version=(s->version&0xff00)|p[1]; 849 al = SSL_AD_PROTOCOL_VERSION;
870 al=SSL_AD_PROTOCOL_VERSION;
871 goto f_err; 850 goto f_err;
872 } 851 }
873 p+=2; 852 p += 2;
874 853
875 /* load the server hello data */ 854 /* load the server hello data */
876 /* load the server random */ 855 /* load the server random */
877 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 856 memcpy(s->s3->server_random, p, SSL3_RANDOM_SIZE);
878 p+=SSL3_RANDOM_SIZE; 857 p += SSL3_RANDOM_SIZE;
879 858
880 /* get the session-id */ 859 /* get the session-id */
881 j= *(p++); 860 j= *(p++);
882 861
883 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 862 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) {
884 { 863 al = SSL_AD_ILLEGAL_PARAMETER;
885 al=SSL_AD_ILLEGAL_PARAMETER; 864 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
886 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
887 goto f_err; 865 goto f_err;
888 } 866 }
889 867
890#ifndef OPENSSL_NO_TLSEXT 868#ifndef OPENSSL_NO_TLSEXT
891 /* check if we want to resume the session based on external pre-shared secret */ 869 /* check if we want to resume the session based on external pre-shared secret */
892 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 870 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
893 { 871 SSL_CIPHER *pref_cipher = NULL;
894 SSL_CIPHER *pref_cipher=NULL; 872 s->session->master_key_length = sizeof(s->session->master_key);
895 s->session->master_key_length=sizeof(s->session->master_key);
896 if (s->tls_session_secret_cb(s, s->session->master_key, 873 if (s->tls_session_secret_cb(s, s->session->master_key,
897 &s->session->master_key_length, 874 &s->session->master_key_length, NULL, &pref_cipher,
898 NULL, &pref_cipher, 875 s->tls_session_secret_cb_arg)) {
899 s->tls_session_secret_cb_arg))
900 {
901 s->session->cipher = pref_cipher ? 876 s->session->cipher = pref_cipher ?
902 pref_cipher : ssl_get_cipher_by_char(s, p+j); 877 pref_cipher : ssl_get_cipher_by_char(s, p + j);
903 }
904 } 878 }
879 }
905#endif /* OPENSSL_NO_TLSEXT */ 880#endif /* OPENSSL_NO_TLSEXT */
906 881
907 if (j != 0 && j == s->session->session_id_length 882 if (j != 0 && j == s->session->session_id_length &&
908 && memcmp(p,s->session->session_id,j) == 0) 883 memcmp(p, s->session->session_id, j) == 0) {
909 { 884 if (s->sid_ctx_length != s->session->sid_ctx_length ||
910 if(s->sid_ctx_length != s->session->sid_ctx_length 885 memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
911 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 886 /* actually a client application bug */
912 { 887 al = SSL_AD_ILLEGAL_PARAMETER;
913 /* actually a client application bug */ 888 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
914 al=SSL_AD_ILLEGAL_PARAMETER; 889 goto f_err;
915 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
916 goto f_err;
917 } 890 }
918 s->hit=1; 891 s->hit = 1;
919 } 892 }
920 else /* a miss or crap from the other end */ 893 else /* a miss or crap from the other end */
921 { 894 {
922 /* If we were trying for session-id reuse, make a new 895 /* If we were trying for session-id reuse, make a new
923 * SSL_SESSION so we don't stuff up other people */ 896 * SSL_SESSION so we don't stuff up other people */
924 s->hit=0; 897 s->hit = 0;
925 if (s->session->session_id_length > 0) 898 if (s->session->session_id_length > 0) {
926 { 899 if (!ssl_get_new_session(s, 0)) {
927 if (!ssl_get_new_session(s,0)) 900 al = SSL_AD_INTERNAL_ERROR;
928 {
929 al=SSL_AD_INTERNAL_ERROR;
930 goto f_err; 901 goto f_err;
931 }
932 } 902 }
933 s->session->session_id_length=j;
934 memcpy(s->session->session_id,p,j); /* j could be 0 */
935 } 903 }
936 p+=j; 904 s->session->session_id_length = j;
937 c=ssl_get_cipher_by_char(s,p); 905 memcpy(s->session->session_id,p,j); /* j could be 0 */
938 if (c == NULL) 906 }
939 { 907 p += j;
908 c = ssl_get_cipher_by_char(s, p);
909 if (c == NULL) {
940 /* unknown cipher */ 910 /* unknown cipher */
941 al=SSL_AD_ILLEGAL_PARAMETER; 911 al = SSL_AD_ILLEGAL_PARAMETER;
942 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 912 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
943 goto f_err; 913 goto f_err;
944 } 914 }
945 /* TLS v1.2 only ciphersuites require v1.2 or later */ 915 /* TLS v1.2 only ciphersuites require v1.2 or later */
946 if ((c->algorithm_ssl & SSL_TLSV1_2) && 916 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
947 (TLS1_get_version(s) < TLS1_2_VERSION)) 917 (TLS1_get_version(s) < TLS1_2_VERSION)) {
948 { 918 al = SSL_AD_ILLEGAL_PARAMETER;
949 al=SSL_AD_ILLEGAL_PARAMETER; 919 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
950 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
951 goto f_err; 920 goto f_err;
952 } 921 }
953 p+=ssl_put_cipher_by_char(s,NULL,NULL); 922 p += ssl_put_cipher_by_char(s, NULL, NULL);
954 923
955 sk=ssl_get_ciphers_by_id(s); 924 sk = ssl_get_ciphers_by_id(s);
956 i=sk_SSL_CIPHER_find(sk,c); 925 i = sk_SSL_CIPHER_find(sk, c);
957 if (i < 0) 926 if (i < 0) {
958 {
959 /* we did not say we would use this cipher */ 927 /* we did not say we would use this cipher */
960 al=SSL_AD_ILLEGAL_PARAMETER; 928 al = SSL_AD_ILLEGAL_PARAMETER;
961 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 929 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
962 goto f_err; 930 goto f_err;
963 } 931 }
964 932
965 /* Depending on the session caching (internal/external), the cipher 933 /* Depending on the session caching (internal/external), the cipher
966 and/or cipher_id values may not be set. Make sure that 934 and/or cipher_id values may not be set. Make sure that
967 cipher_id is set and use it for comparison. */ 935 cipher_id is set and use it for comparison. */
968 if (s->session->cipher) 936 if (s->session->cipher)
969 s->session->cipher_id = s->session->cipher->id; 937 s->session->cipher_id = s->session->cipher->id;
970 if (s->hit && (s->session->cipher_id != c->id)) 938 if (s->hit && (s->session->cipher_id != c->id)) {
971 {
972/* Workaround is now obsolete */ 939/* Workaround is now obsolete */
973#if 0 940#if 0
974 if (!(s->options & 941 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
975 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
976#endif 942#endif
977 { 943 {
978 al=SSL_AD_ILLEGAL_PARAMETER; 944 al = SSL_AD_ILLEGAL_PARAMETER;
979 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 945 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
980 goto f_err; 946 goto f_err;
981 }
982 } 947 }
983 s->s3->tmp.new_cipher=c; 948 }
949 s->s3->tmp.new_cipher = c;
984 /* Don't digest cached records if TLS v1.2: we may need them for 950 /* Don't digest cached records if TLS v1.2: we may need them for
985 * client authentication. 951 * client authentication.
986 */ 952 */
987 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 953 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) {
988 {
989 al = SSL_AD_INTERNAL_ERROR; 954 al = SSL_AD_INTERNAL_ERROR;
990 goto f_err; 955 goto f_err;
991 } 956 }
992 /* lets get the compression algorithm */ 957 /* lets get the compression algorithm */
993 /* COMPRESSION */ 958 /* COMPRESSION */
994#ifdef OPENSSL_NO_COMP 959#ifdef OPENSSL_NO_COMP
995 if (*(p++) != 0) 960 if (*(p++) != 0) {
996 { 961 al = SSL_AD_ILLEGAL_PARAMETER;
997 al=SSL_AD_ILLEGAL_PARAMETER; 962 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
998 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
999 goto f_err; 963 goto f_err;
1000 } 964 }
1001 /* If compression is disabled we'd better not try to resume a session 965 /* If compression is disabled we'd better not try to resume a session
1002 * using compression. 966 * using compression.
1003 */ 967 */
1004 if (s->session->compress_meth != 0) 968 if (s->session->compress_meth != 0) {
1005 { 969 al = SSL_AD_INTERNAL_ERROR;
1006 al=SSL_AD_INTERNAL_ERROR; 970 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1007 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1008 goto f_err; 971 goto f_err;
1009 } 972 }
1010#else 973#else
1011 j= *(p++); 974 j= *(p++);
1012 if (s->hit && j != s->session->compress_meth) 975 if (s->hit && j != s->session->compress_meth) {
1013 { 976 al = SSL_AD_ILLEGAL_PARAMETER;
1014 al=SSL_AD_ILLEGAL_PARAMETER; 977 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1015 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1016 goto f_err; 978 goto f_err;
1017 } 979 }
1018 if (j == 0) 980 if (j == 0)
1019 comp=NULL; 981 comp = NULL;
1020 else if (s->options & SSL_OP_NO_COMPRESSION) 982 else if (s->options & SSL_OP_NO_COMPRESSION) {
1021 { 983 al = SSL_AD_ILLEGAL_PARAMETER;
1022 al=SSL_AD_ILLEGAL_PARAMETER; 984 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
1023 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
1024 goto f_err; 985 goto f_err;
1025 } 986 } else
1026 else 987 comp = ssl3_comp_find(s->ctx->comp_methods, j);
1027 comp=ssl3_comp_find(s->ctx->comp_methods,j); 988
1028 989 if ((j != 0) && (comp == NULL)) {
1029 if ((j != 0) && (comp == NULL)) 990 al = SSL_AD_ILLEGAL_PARAMETER;
1030 { 991 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1031 al=SSL_AD_ILLEGAL_PARAMETER;
1032 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1033 goto f_err; 992 goto f_err;
1034 } 993 } else {
1035 else 994 s->s3->tmp.new_compression = comp;
1036 { 995 }
1037 s->s3->tmp.new_compression=comp;
1038 }
1039#endif 996#endif
1040 997
1041#ifndef OPENSSL_NO_TLSEXT 998#ifndef OPENSSL_NO_TLSEXT
1042 /* TLS extensions*/ 999 /* TLS extensions*/
1043 if (s->version >= SSL3_VERSION) 1000 if (s->version >= SSL3_VERSION) {
1044 { 1001 if (!ssl_parse_serverhello_tlsext(s, &p, d, n, &al)) {
1045 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
1046 {
1047 /* 'al' set by ssl_parse_serverhello_tlsext */ 1002 /* 'al' set by ssl_parse_serverhello_tlsext */
1048 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 1003 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
1049 goto f_err; 1004 goto f_err;
1050 } 1005
1051 if (ssl_check_serverhello_tlsext(s) <= 0)
1052 {
1053 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1054 goto err;
1055 }
1056 } 1006 }
1007 if (ssl_check_serverhello_tlsext(s) <= 0) {
1008 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1009 goto err;
1010 }
1011 }
1057#endif 1012#endif
1058 1013
1059 if (p != (d+n)) 1014 if (p != (d + n)) {
1060 {
1061 /* wrong packet length */ 1015 /* wrong packet length */
1062 al=SSL_AD_DECODE_ERROR; 1016 al = SSL_AD_DECODE_ERROR;
1063 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 1017 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
1064 goto f_err; 1018 goto f_err;
1065 } 1019 }
1066 1020
1067 return(1); 1021 return (1);
1068f_err: 1022f_err:
1069 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1023 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1070err: 1024err:
1071 return(-1); 1025 return (-1);
1072 } 1026}
1073 1027
1074int ssl3_get_server_certificate(SSL *s) 1028int
1075 { 1029ssl3_get_server_certificate(SSL *s)
1076 int al,i,ok,ret= -1; 1030{
1077 unsigned long n,nc,llen,l; 1031 int al, i, ok, ret = -1;
1078 X509 *x=NULL; 1032 unsigned long n, nc, llen, l;
1079 const unsigned char *q,*p; 1033 X509 *x = NULL;
1034 const unsigned char *q, *p;
1080 unsigned char *d; 1035 unsigned char *d;
1081 STACK_OF(X509) *sk=NULL; 1036 STACK_OF(X509) *sk = NULL;
1082 SESS_CERT *sc; 1037 SESS_CERT *sc;
1083 EVP_PKEY *pkey=NULL; 1038 EVP_PKEY *pkey = NULL;
1084 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 1039 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
1085 1040
1086 n=s->method->ssl_get_message(s, 1041 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
1087 SSL3_ST_CR_CERT_A, 1042 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
1088 SSL3_ST_CR_CERT_B,
1089 -1,
1090 s->max_cert_list,
1091 &ok);
1092 1043
1093 if (!ok) return((int)n); 1044 if (!ok)
1045 return ((int)n);
1094 1046
1095 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) || 1047 if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
1096 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) && 1048 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
1097 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) 1049 (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE))) {
1098 { 1050 s->s3->tmp.reuse_message = 1;
1099 s->s3->tmp.reuse_message=1; 1051 return (1);
1100 return(1); 1052 }
1101 }
1102 1053
1103 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 1054 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
1104 { 1055 al = SSL_AD_UNEXPECTED_MESSAGE;
1105 al=SSL_AD_UNEXPECTED_MESSAGE; 1056 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE);
1106 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
1107 goto f_err; 1057 goto f_err;
1108 } 1058 }
1109 p=d=(unsigned char *)s->init_msg; 1059 p = d = (unsigned char *)s->init_msg;
1110 1060
1111 if ((sk=sk_X509_new_null()) == NULL) 1061 if ((sk = sk_X509_new_null()) == NULL) {
1112 { 1062 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1113 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1114 goto err; 1063 goto err;
1115 } 1064 }
1116 1065
1117 n2l3(p,llen); 1066 n2l3(p, llen);
1118 if (llen+3 != n) 1067 if (llen + 3 != n) {
1119 { 1068 al = SSL_AD_DECODE_ERROR;
1120 al=SSL_AD_DECODE_ERROR; 1069 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
1121 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
1122 goto f_err; 1070 goto f_err;
1123 } 1071 }
1124 for (nc=0; nc<llen; ) 1072 for (nc = 0; nc < llen; ) {
1125 { 1073 n2l3(p, l);
1126 n2l3(p,l); 1074 if ((l + nc + 3) > llen) {
1127 if ((l+nc+3) > llen) 1075 al = SSL_AD_DECODE_ERROR;
1128 { 1076 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1129 al=SSL_AD_DECODE_ERROR;
1130 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1131 goto f_err; 1077 goto f_err;
1132 } 1078 }
1133 1079
1134 q=p; 1080 q = p;
1135 x=d2i_X509(NULL,&q,l); 1081 x = d2i_X509(NULL, &q, l);
1136 if (x == NULL) 1082 if (x == NULL) {
1137 { 1083 al = SSL_AD_BAD_CERTIFICATE;
1138 al=SSL_AD_BAD_CERTIFICATE; 1084 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1139 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
1140 goto f_err; 1085 goto f_err;
1141 } 1086 }
1142 if (q != (p+l)) 1087 if (q != (p + l)) {
1143 { 1088 al = SSL_AD_DECODE_ERROR;
1144 al=SSL_AD_DECODE_ERROR; 1089 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
1145 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1146 goto f_err; 1090 goto f_err;
1147 } 1091 }
1148 if (!sk_X509_push(sk,x)) 1092 if (!sk_X509_push(sk, x)) {
1149 { 1093 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1150 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1151 goto err; 1094 goto err;
1152 }
1153 x=NULL;
1154 nc+=l+3;
1155 p=q;
1156 } 1095 }
1096 x = NULL;
1097 nc += l + 3;
1098 p = q;
1099 }
1157 1100
1158 i=ssl_verify_cert_chain(s,sk); 1101 i = ssl_verify_cert_chain(s, sk);
1159 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1102 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1160#ifndef OPENSSL_NO_KRB5 1103#ifndef OPENSSL_NO_KRB5
1161 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1104 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1162 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1105 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1163#endif /* OPENSSL_NO_KRB5 */ 1106#endif /* OPENSSL_NO_KRB5 */
1164 ) 1107 ) {
1165 { 1108 al = ssl_verify_alarm_type(s->verify_result);
1166 al=ssl_verify_alarm_type(s->verify_result); 1109 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED);
1167 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1110 goto f_err;
1168 goto f_err; 1111
1169 } 1112 }
1170 ERR_clear_error(); /* but we keep s->verify_result */ 1113 ERR_clear_error(); /* but we keep s->verify_result */
1171 1114
1172 sc=ssl_sess_cert_new(); 1115 sc = ssl_sess_cert_new();
1173 if (sc == NULL) goto err; 1116 if (sc == NULL)
1117 goto err;
1174 1118
1175 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1119 if (s->session->sess_cert)
1176 s->session->sess_cert=sc; 1120 ssl_sess_cert_free(s->session->sess_cert);
1121 s->session->sess_cert = sc;
1177 1122
1178 sc->cert_chain=sk; 1123 sc->cert_chain = sk;
1179 /* Inconsistency alert: cert_chain does include the peer's 1124 /* Inconsistency alert: cert_chain does include the peer's
1180 * certificate, which we don't include in s3_srvr.c */ 1125 * certificate, which we don't include in s3_srvr.c */
1181 x=sk_X509_value(sk,0); 1126 x = sk_X509_value(sk, 0);
1182 sk=NULL; 1127 sk = NULL;
1183 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1128 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1184 1129
1185 pkey=X509_get_pubkey(x); 1130 pkey = X509_get_pubkey(x);
1186 1131
1187 /* VRS: allow null cert if auth == KRB5 */ 1132 /* VRS: allow null cert if auth == KRB5 */
1188 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1133 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1189 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1134 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1190 ? 0 : 1; 1135 ? 0 : 1;
1191 1136
1192#ifdef KSSL_DEBUG 1137#ifdef KSSL_DEBUG
1193 printf("pkey,x = %p, %p\n", pkey,x); 1138 printf("pkey, x = %p, %p\n", pkey, x);
1194 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1139 printf("ssl_cert_type(x, pkey) = %d\n", ssl_cert_type(x, pkey));
1195 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1140 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1196 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1141 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1197#endif /* KSSL_DEBUG */ 1142#endif /* KSSL_DEBUG */
1198 1143
1199 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1144 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) {
1200 { 1145 x = NULL;
1201 x=NULL; 1146 al = SSL3_AL_FATAL;
1202 al=SSL3_AL_FATAL;
1203 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1147 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1204 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1148 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1205 goto f_err; 1149 goto f_err;
1206 } 1150 }
1207 1151
1208 i=ssl_cert_type(x,pkey); 1152 i = ssl_cert_type(x, pkey);
1209 if (need_cert && i < 0) 1153 if (need_cert && i < 0) {
1210 { 1154 x = NULL;
1211 x=NULL; 1155 al = SSL3_AL_FATAL;
1212 al=SSL3_AL_FATAL;
1213 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1156 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1214 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1157 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1215 goto f_err; 1158 goto f_err;
1216 } 1159 }
1217 1160
1218 if (need_cert) 1161 if (need_cert) {
1219 { 1162 sc->peer_cert_type = i;
1220 sc->peer_cert_type=i; 1163 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1221 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1222 /* Why would the following ever happen? 1164 /* Why would the following ever happen?
1223 * We just created sc a couple of lines ago. */ 1165 * We just created sc a couple of lines ago. */
1224 if (sc->peer_pkeys[i].x509 != NULL) 1166 if (sc->peer_pkeys[i].x509 != NULL)
1225 X509_free(sc->peer_pkeys[i].x509); 1167 X509_free(sc->peer_pkeys[i].x509);
1226 sc->peer_pkeys[i].x509=x; 1168 sc->peer_pkeys[i].x509 = x;
1227 sc->peer_key= &(sc->peer_pkeys[i]); 1169 sc->peer_key = &(sc->peer_pkeys[i]);
1228 1170
1229 if (s->session->peer != NULL) 1171 if (s->session->peer != NULL)
1230 X509_free(s->session->peer); 1172 X509_free(s->session->peer);
1231 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1173 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1232 s->session->peer=x; 1174 s->session->peer = x;
1233 } 1175 } else {
1234 else 1176 sc->peer_cert_type = i;
1235 { 1177 sc->peer_key = NULL;
1236 sc->peer_cert_type=i;
1237 sc->peer_key= NULL;
1238 1178
1239 if (s->session->peer != NULL) 1179 if (s->session->peer != NULL)
1240 X509_free(s->session->peer); 1180 X509_free(s->session->peer);
1241 s->session->peer=NULL; 1181 s->session->peer = NULL;
1242 } 1182 }
1243 s->session->verify_result = s->verify_result; 1183 s->session->verify_result = s->verify_result;
1244 1184
1245 x=NULL; 1185 x = NULL;
1246 ret=1; 1186 ret = 1;
1247 1187
1248 if (0) 1188 if (0) {
1249 {
1250f_err: 1189f_err:
1251 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1190 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1252 } 1191 }
1253err: 1192err:
1254 EVP_PKEY_free(pkey); 1193 EVP_PKEY_free(pkey);
1255 X509_free(x); 1194 X509_free(x);
1256 sk_X509_pop_free(sk,X509_free); 1195 sk_X509_pop_free(sk, X509_free);
1257 return(ret); 1196 return (ret);
1258 } 1197}
1259 1198
1260int ssl3_get_key_exchange(SSL *s) 1199int
1261 { 1200ssl3_get_key_exchange(SSL *s)
1201{
1262#ifndef OPENSSL_NO_RSA 1202#ifndef OPENSSL_NO_RSA
1263 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1203 unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2];
1264#endif 1204#endif
1265 EVP_MD_CTX md_ctx; 1205 EVP_MD_CTX md_ctx;
1266 unsigned char *param,*p; 1206 unsigned char *param, *p;
1267 int al,i,j,param_len,ok; 1207 int al, i, j, param_len, ok;
1268 long n,alg_k,alg_a; 1208 long n, alg_k, alg_a;
1269 EVP_PKEY *pkey=NULL; 1209 EVP_PKEY *pkey = NULL;
1270 const EVP_MD *md = NULL; 1210 const EVP_MD *md = NULL;
1271#ifndef OPENSSL_NO_RSA 1211#ifndef OPENSSL_NO_RSA
1272 RSA *rsa=NULL; 1212 RSA *rsa = NULL;
1273#endif 1213#endif
1274#ifndef OPENSSL_NO_DH 1214#ifndef OPENSSL_NO_DH
1275 DH *dh=NULL; 1215 DH *dh = NULL;
1276#endif 1216#endif
1277#ifndef OPENSSL_NO_ECDH 1217#ifndef OPENSSL_NO_ECDH
1278 EC_KEY *ecdh = NULL; 1218 EC_KEY *ecdh = NULL;
@@ -1284,336 +1224,291 @@ int ssl3_get_key_exchange(SSL *s)
1284 1224
1285 /* use same message size as in ssl3_get_certificate_request() 1225 /* use same message size as in ssl3_get_certificate_request()
1286 * as ServerKeyExchange message may be skipped */ 1226 * as ServerKeyExchange message may be skipped */
1287 n=s->method->ssl_get_message(s, 1227 n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1288 SSL3_ST_CR_KEY_EXCH_A, 1228 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok);
1289 SSL3_ST_CR_KEY_EXCH_B, 1229 if (!ok)
1290 -1, 1230 return ((int)n);
1291 s->max_cert_list, 1231
1292 &ok); 1232 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1293 if (!ok) return((int)n);
1294
1295 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1296 {
1297#ifndef OPENSSL_NO_PSK 1233#ifndef OPENSSL_NO_PSK
1298 /* In plain PSK ciphersuite, ServerKeyExchange can be 1234 /* In plain PSK ciphersuite, ServerKeyExchange can be
1299 omitted if no identity hint is sent. Set 1235 omitted if no identity hint is sent. Set
1300 session->sess_cert anyway to avoid problems 1236 session->sess_cert anyway to avoid problems
1301 later.*/ 1237 later.*/
1302 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1238 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
1303 { 1239 s->session->sess_cert = ssl_sess_cert_new();
1304 s->session->sess_cert=ssl_sess_cert_new();
1305 if (s->ctx->psk_identity_hint) 1240 if (s->ctx->psk_identity_hint)
1306 OPENSSL_free(s->ctx->psk_identity_hint); 1241 OPENSSL_free(s->ctx->psk_identity_hint);
1307 s->ctx->psk_identity_hint = NULL; 1242 s->ctx->psk_identity_hint = NULL;
1308 }
1309#endif
1310 s->s3->tmp.reuse_message=1;
1311 return(1);
1312 } 1243 }
1244#endif
1245 s->s3->tmp.reuse_message = 1;
1246 return (1);
1247 }
1313 1248
1314 param=p=(unsigned char *)s->init_msg; 1249 param = p = (unsigned char *)s->init_msg;
1315 if (s->session->sess_cert != NULL) 1250 if (s->session->sess_cert != NULL) {
1316 {
1317#ifndef OPENSSL_NO_RSA 1251#ifndef OPENSSL_NO_RSA
1318 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1252 if (s->session->sess_cert->peer_rsa_tmp != NULL) {
1319 {
1320 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1253 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1321 s->session->sess_cert->peer_rsa_tmp=NULL; 1254 s->session->sess_cert->peer_rsa_tmp = NULL;
1322 } 1255 }
1323#endif 1256#endif
1324#ifndef OPENSSL_NO_DH 1257#ifndef OPENSSL_NO_DH
1325 if (s->session->sess_cert->peer_dh_tmp) 1258 if (s->session->sess_cert->peer_dh_tmp) {
1326 {
1327 DH_free(s->session->sess_cert->peer_dh_tmp); 1259 DH_free(s->session->sess_cert->peer_dh_tmp);
1328 s->session->sess_cert->peer_dh_tmp=NULL; 1260 s->session->sess_cert->peer_dh_tmp = NULL;
1329 } 1261 }
1330#endif 1262#endif
1331#ifndef OPENSSL_NO_ECDH 1263#ifndef OPENSSL_NO_ECDH
1332 if (s->session->sess_cert->peer_ecdh_tmp) 1264 if (s->session->sess_cert->peer_ecdh_tmp) {
1333 {
1334 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1265 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1335 s->session->sess_cert->peer_ecdh_tmp=NULL; 1266 s->session->sess_cert->peer_ecdh_tmp = NULL;
1336 }
1337#endif
1338 }
1339 else
1340 {
1341 s->session->sess_cert=ssl_sess_cert_new();
1342 } 1267 }
1268#endif
1269 } else {
1270 s->session->sess_cert = ssl_sess_cert_new();
1271 }
1343 1272
1344 param_len=0; 1273 param_len = 0;
1345 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1274 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1346 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1275 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1347 EVP_MD_CTX_init(&md_ctx); 1276 EVP_MD_CTX_init(&md_ctx);
1348 1277
1349#ifndef OPENSSL_NO_PSK 1278#ifndef OPENSSL_NO_PSK
1350 if (alg_k & SSL_kPSK) 1279 if (alg_k & SSL_kPSK) {
1351 { 1280 char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1];
1352 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1353 1281
1354 al=SSL_AD_HANDSHAKE_FAILURE; 1282 al = SSL_AD_HANDSHAKE_FAILURE;
1355 n2s(p,i); 1283 n2s(p, i);
1356 param_len=i+2; 1284 param_len = i + 2;
1357 /* Store PSK identity hint for later use, hint is used 1285 /* Store PSK identity hint for later use, hint is used
1358 * in ssl3_send_client_key_exchange. Assume that the 1286 * in ssl3_send_client_key_exchange. Assume that the
1359 * maximum length of a PSK identity hint can be as 1287 * maximum length of a PSK identity hint can be as
1360 * long as the maximum length of a PSK identity. */ 1288 * long as the maximum length of a PSK identity. */
1361 if (i > PSK_MAX_IDENTITY_LEN) 1289 if (i > PSK_MAX_IDENTITY_LEN) {
1362 {
1363 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1290 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1364 SSL_R_DATA_LENGTH_TOO_LONG); 1291 SSL_R_DATA_LENGTH_TOO_LONG);
1365 goto f_err; 1292 goto f_err;
1366 } 1293 }
1367 if (param_len > n) 1294 if (param_len > n) {
1368 { 1295 al = SSL_AD_DECODE_ERROR;
1369 al=SSL_AD_DECODE_ERROR;
1370 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1296 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1371 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1297 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1372 goto f_err; 1298 goto f_err;
1373 } 1299 }
1374 /* If received PSK identity hint contains NULL 1300 /* If received PSK identity hint contains NULL
1375 * characters, the hint is truncated from the first 1301 * characters, the hint is truncated from the first
1376 * NULL. p may not be ending with NULL, so create a 1302 * NULL. p may not be ending with NULL, so create a
1377 * NULL-terminated string. */ 1303 * NULL-terminated string. */
1378 memcpy(tmp_id_hint, p, i); 1304 memcpy(tmp_id_hint, p, i);
1379 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1305 memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
1380 if (s->ctx->psk_identity_hint != NULL) 1306 if (s->ctx->psk_identity_hint != NULL)
1381 OPENSSL_free(s->ctx->psk_identity_hint); 1307 OPENSSL_free(s->ctx->psk_identity_hint);
1382 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1308 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1383 if (s->ctx->psk_identity_hint == NULL) 1309 if (s->ctx->psk_identity_hint == NULL) {
1384 {
1385 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1310 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1386 goto f_err; 1311 goto f_err;
1387 }
1388
1389 p+=i;
1390 n-=param_len;
1391 } 1312 }
1392 else 1313
1314 p += i;
1315 n -= param_len;
1316 } else
1393#endif /* !OPENSSL_NO_PSK */ 1317#endif /* !OPENSSL_NO_PSK */
1394#ifndef OPENSSL_NO_SRP 1318#ifndef OPENSSL_NO_SRP
1395 if (alg_k & SSL_kSRP) 1319 if (alg_k & SSL_kSRP) {
1396 { 1320 n2s(p, i);
1397 n2s(p,i); 1321 param_len = i + 2;
1398 param_len=i+2; 1322 if (param_len > n) {
1399 if (param_len > n) 1323 al = SSL_AD_DECODE_ERROR;
1400 { 1324 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
1401 al=SSL_AD_DECODE_ERROR;
1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
1403 goto f_err; 1325 goto f_err;
1404 } 1326 }
1405 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL))) 1327 if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
1406 { 1328 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1407 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1408 goto err; 1329 goto err;
1409 } 1330 }
1410 p+=i; 1331 p += i;
1411 1332
1412 n2s(p,i); 1333 n2s(p, i);
1413 param_len+=i+2; 1334 param_len += i + 2;
1414 if (param_len > n) 1335 if (param_len > n) {
1415 { 1336 al = SSL_AD_DECODE_ERROR;
1416 al=SSL_AD_DECODE_ERROR; 1337 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
1417 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
1418 goto f_err; 1338 goto f_err;
1419 } 1339 }
1420 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL))) 1340 if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
1421 { 1341 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1422 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1423 goto err; 1342 goto err;
1424 } 1343 }
1425 p+=i; 1344 p += i;
1426 1345
1427 i = (unsigned int)(p[0]); 1346 i = (unsigned int)(p[0]);
1428 p++; 1347 p++;
1429 param_len+=i+1; 1348 param_len += i + 1;
1430 if (param_len > n) 1349 if (param_len > n) {
1431 { 1350 al = SSL_AD_DECODE_ERROR;
1432 al=SSL_AD_DECODE_ERROR; 1351 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
1433 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
1434 goto f_err; 1352 goto f_err;
1435 } 1353 }
1436 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL))) 1354 if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
1437 { 1355 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1439 goto err; 1356 goto err;
1440 } 1357 }
1441 p+=i; 1358 p += i;
1442 1359
1443 n2s(p,i); 1360 n2s(p, i);
1444 param_len+=i+2; 1361 param_len += i + 2;
1445 if (param_len > n) 1362 if (param_len > n) {
1446 { 1363 al = SSL_AD_DECODE_ERROR;
1447 al=SSL_AD_DECODE_ERROR; 1364 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
1448 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
1449 goto f_err; 1365 goto f_err;
1450 } 1366 }
1451 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL))) 1367 if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
1452 { 1368 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1453 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1454 goto err; 1369 goto err;
1455 } 1370 }
1456 p+=i; 1371 p += i;
1457 n-=param_len; 1372 n -= param_len;
1458 1373
1459/* We must check if there is a certificate */ 1374/* We must check if there is a certificate */
1460#ifndef OPENSSL_NO_RSA 1375#ifndef OPENSSL_NO_RSA
1461 if (alg_a & SSL_aRSA) 1376 if (alg_a & SSL_aRSA)
1462 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1377 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1463#else 1378#else
1464 if (0) 1379 if (0)
1465 ; 1380;
1466#endif 1381#endif
1467#ifndef OPENSSL_NO_DSA 1382#ifndef OPENSSL_NO_DSA
1468 else if (alg_a & SSL_aDSS) 1383 else if (alg_a & SSL_aDSS)
1469 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1384 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1470#endif 1385#endif
1471 } 1386 } else
1472 else
1473#endif /* !OPENSSL_NO_SRP */ 1387#endif /* !OPENSSL_NO_SRP */
1474#ifndef OPENSSL_NO_RSA 1388#ifndef OPENSSL_NO_RSA
1475 if (alg_k & SSL_kRSA) 1389 if (alg_k & SSL_kRSA) {
1476 { 1390 if ((rsa = RSA_new()) == NULL) {
1477 if ((rsa=RSA_new()) == NULL) 1391 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1478 {
1479 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1480 goto err; 1392 goto err;
1481 } 1393 }
1482 n2s(p,i); 1394 n2s(p, i);
1483 param_len=i+2; 1395 param_len = i + 2;
1484 if (param_len > n) 1396 if (param_len > n) {
1485 { 1397 al = SSL_AD_DECODE_ERROR;
1486 al=SSL_AD_DECODE_ERROR; 1398 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_MODULUS_LENGTH);
1487 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1488 goto f_err; 1399 goto f_err;
1489 } 1400 }
1490 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1401 if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) {
1491 { 1402 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1492 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1493 goto err; 1403 goto err;
1494 } 1404 }
1495 p+=i; 1405 p += i;
1496 1406
1497 n2s(p,i); 1407 n2s(p, i);
1498 param_len+=i+2; 1408 param_len += i + 2;
1499 if (param_len > n) 1409 if (param_len > n) {
1500 { 1410 al = SSL_AD_DECODE_ERROR;
1501 al=SSL_AD_DECODE_ERROR; 1411 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_E_LENGTH);
1502 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1503 goto f_err; 1412 goto f_err;
1504 } 1413 }
1505 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1414 if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) {
1506 { 1415 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1507 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1508 goto err; 1416 goto err;
1509 } 1417 }
1510 p+=i; 1418 p += i;
1511 n-=param_len; 1419 n -= param_len;
1512 1420
1513 /* this should be because we are using an export cipher */ 1421 /* this should be because we are using an export cipher */
1514 if (alg_a & SSL_aRSA) 1422 if (alg_a & SSL_aRSA)
1515 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1423 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1516 else 1424 else {
1517 { 1425 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1518 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1519 goto err; 1426 goto err;
1520 }
1521 s->session->sess_cert->peer_rsa_tmp=rsa;
1522 rsa=NULL;
1523 } 1427 }
1428 s->session->sess_cert->peer_rsa_tmp = rsa;
1429 rsa = NULL;
1430 }
1524#else /* OPENSSL_NO_RSA */ 1431#else /* OPENSSL_NO_RSA */
1525 if (0) 1432 if (0)
1526 ; 1433;
1527#endif 1434#endif
1528#ifndef OPENSSL_NO_DH 1435#ifndef OPENSSL_NO_DH
1529 else if (alg_k & SSL_kEDH) 1436 else if (alg_k & SSL_kEDH) {
1530 { 1437 if ((dh = DH_new()) == NULL) {
1531 if ((dh=DH_new()) == NULL) 1438 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
1532 {
1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1534 goto err; 1439 goto err;
1535 } 1440 }
1536 n2s(p,i); 1441 n2s(p, i);
1537 param_len=i+2; 1442 param_len = i + 2;
1538 if (param_len > n) 1443 if (param_len > n) {
1539 { 1444 al = SSL_AD_DECODE_ERROR;
1540 al=SSL_AD_DECODE_ERROR; 1445 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
1541 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1542 goto f_err; 1446 goto f_err;
1543 } 1447 }
1544 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1448 if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1545 { 1449 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1546 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1547 goto err; 1450 goto err;
1548 } 1451 }
1549 p+=i; 1452 p += i;
1550 1453
1551 n2s(p,i); 1454 n2s(p, i);
1552 param_len+=i+2; 1455 param_len += i + 2;
1553 if (param_len > n) 1456 if (param_len > n) {
1554 { 1457 al = SSL_AD_DECODE_ERROR;
1555 al=SSL_AD_DECODE_ERROR; 1458 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1557 goto f_err; 1459 goto f_err;
1558 } 1460 }
1559 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1461 if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1560 { 1462 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1561 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1562 goto err; 1463 goto err;
1563 } 1464 }
1564 p+=i; 1465 p += i;
1565 1466
1566 n2s(p,i); 1467 n2s(p, i);
1567 param_len+=i+2; 1468 param_len += i + 2;
1568 if (param_len > n) 1469 if (param_len > n) {
1569 { 1470 al = SSL_AD_DECODE_ERROR;
1570 al=SSL_AD_DECODE_ERROR; 1471 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1571 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1572 goto f_err; 1472 goto f_err;
1573 } 1473 }
1574 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1474 if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1575 { 1475 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
1576 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1577 goto err; 1476 goto err;
1578 } 1477 }
1579 p+=i; 1478 p += i;
1580 n-=param_len; 1479 n -= param_len;
1581 1480
1582#ifndef OPENSSL_NO_RSA 1481#ifndef OPENSSL_NO_RSA
1583 if (alg_a & SSL_aRSA) 1482 if (alg_a & SSL_aRSA)
1584 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1483 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1585#else 1484#else
1586 if (0) 1485 if (0)
1587 ; 1486;
1588#endif 1487#endif
1589#ifndef OPENSSL_NO_DSA 1488#ifndef OPENSSL_NO_DSA
1590 else if (alg_a & SSL_aDSS) 1489 else if (alg_a & SSL_aDSS)
1591 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1490 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1592#endif 1491#endif
1593 /* else anonymous DH, so no certificate or pkey. */ 1492 /* else anonymous DH, so no certificate or pkey. */
1594 1493
1595 s->session->sess_cert->peer_dh_tmp=dh; 1494 s->session->sess_cert->peer_dh_tmp = dh;
1596 dh=NULL; 1495 dh = NULL;
1597 } 1496 } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
1598 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1497 al = SSL_AD_ILLEGAL_PARAMETER;
1599 { 1498 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1600 al=SSL_AD_ILLEGAL_PARAMETER;
1601 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1602 goto f_err; 1499 goto f_err;
1603 } 1500 }
1604#endif /* !OPENSSL_NO_DH */ 1501#endif /* !OPENSSL_NO_DH */
1605 1502
1606#ifndef OPENSSL_NO_ECDH 1503#ifndef OPENSSL_NO_ECDH
1607 else if (alg_k & SSL_kEECDH) 1504 else if (alg_k & SSL_kEECDH) {
1608 {
1609 EC_GROUP *ngroup; 1505 EC_GROUP *ngroup;
1610 const EC_GROUP *group; 1506 const EC_GROUP *group;
1611 1507
1612 if ((ecdh=EC_KEY_new()) == NULL) 1508 if ((ecdh = EC_KEY_new()) == NULL) {
1613 { 1509 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1614 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1615 goto err; 1510 goto err;
1616 } 1511 }
1617 1512
1618 /* Extract elliptic curve parameters and the 1513 /* Extract elliptic curve parameters and the
1619 * server's ephemeral ECDH public key. 1514 * server's ephemeral ECDH public key.
@@ -1624,217 +1519,194 @@ int ssl3_get_key_exchange(SSL *s)
1624 /* XXX: For now we only support named (not generic) curves 1519 /* XXX: For now we only support named (not generic) curves
1625 * and the ECParameters in this case is just three bytes. 1520 * and the ECParameters in this case is just three bytes.
1626 */ 1521 */
1627 param_len=3; 1522 param_len = 3;
1628 if ((param_len > n) || 1523 if ((param_len > n) ||
1629 (*p != NAMED_CURVE_TYPE) || 1524 (*p != NAMED_CURVE_TYPE) ||
1630 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 1525 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) {
1631 { 1526 al = SSL_AD_INTERNAL_ERROR;
1632 al=SSL_AD_INTERNAL_ERROR; 1527 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1633 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1634 goto f_err; 1528 goto f_err;
1635 } 1529 }
1636 1530
1637 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1531 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1638 if (ngroup == NULL) 1532 if (ngroup == NULL) {
1639 { 1533 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1640 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1641 goto err; 1534 goto err;
1642 } 1535 }
1643 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1536 if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1644 { 1537 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
1645 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1646 goto err; 1538 goto err;
1647 } 1539 }
1648 EC_GROUP_free(ngroup); 1540 EC_GROUP_free(ngroup);
1649 1541
1650 group = EC_KEY_get0_group(ecdh); 1542 group = EC_KEY_get0_group(ecdh);
1651 1543
1652 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1544 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1653 (EC_GROUP_get_degree(group) > 163)) 1545 (EC_GROUP_get_degree(group) > 163)) {
1654 { 1546 al = SSL_AD_EXPORT_RESTRICTION;
1655 al=SSL_AD_EXPORT_RESTRICTION; 1547 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1656 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1657 goto f_err; 1548 goto f_err;
1658 } 1549 }
1659 1550
1660 p+=3; 1551 p += 3;
1661 1552
1662 /* Next, get the encoded ECPoint */ 1553 /* Next, get the encoded ECPoint */
1663 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1554 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1664 ((bn_ctx = BN_CTX_new()) == NULL)) 1555 ((bn_ctx = BN_CTX_new()) == NULL)) {
1665 { 1556 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1666 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1667 goto err; 1557 goto err;
1668 } 1558 }
1669 1559
1670 encoded_pt_len = *p; /* length of encoded point */ 1560 encoded_pt_len = *p;
1671 p+=1; 1561 /* length of encoded point */
1562 p += 1;
1672 param_len += (1 + encoded_pt_len); 1563 param_len += (1 + encoded_pt_len);
1673 if ((param_len > n) || 1564 if ((param_len > n) ||
1674 (EC_POINT_oct2point(group, srvr_ecpoint, 1565 (EC_POINT_oct2point(group, srvr_ecpoint,
1675 p, encoded_pt_len, bn_ctx) == 0)) 1566 p, encoded_pt_len, bn_ctx) == 0)) {
1676 { 1567 al = SSL_AD_DECODE_ERROR;
1677 al=SSL_AD_DECODE_ERROR; 1568 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
1678 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1679 goto f_err; 1569 goto f_err;
1680 } 1570 }
1681 1571
1682 n-=param_len; 1572 n -= param_len;
1683 p+=encoded_pt_len; 1573 p += encoded_pt_len;
1684 1574
1685 /* The ECC/TLS specification does not mention 1575 /* The ECC/TLS specification does not mention
1686 * the use of DSA to sign ECParameters in the server 1576 * the use of DSA to sign ECParameters in the server
1687 * key exchange message. We do support RSA and ECDSA. 1577 * key exchange message. We do support RSA and ECDSA.
1688 */ 1578 */
1689 if (0) ; 1579 if (0);
1690#ifndef OPENSSL_NO_RSA 1580#ifndef OPENSSL_NO_RSA
1691 else if (alg_a & SSL_aRSA) 1581 else if (alg_a & SSL_aRSA)
1692 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1582 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1693#endif 1583#endif
1694#ifndef OPENSSL_NO_ECDSA 1584#ifndef OPENSSL_NO_ECDSA
1695 else if (alg_a & SSL_aECDSA) 1585 else if (alg_a & SSL_aECDSA)
1696 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1586 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1697#endif 1587#endif
1698 /* else anonymous ECDH, so no certificate or pkey. */ 1588 /* else anonymous ECDH, so no certificate or pkey. */
1699 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1589 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1700 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1590 s->session->sess_cert->peer_ecdh_tmp = ecdh;
1701 ecdh=NULL; 1591 ecdh = NULL;
1702 BN_CTX_free(bn_ctx); 1592 BN_CTX_free(bn_ctx);
1703 bn_ctx = NULL; 1593 bn_ctx = NULL;
1704 EC_POINT_free(srvr_ecpoint); 1594 EC_POINT_free(srvr_ecpoint);
1705 srvr_ecpoint = NULL; 1595 srvr_ecpoint = NULL;
1706 } 1596 } else if (alg_k) {
1707 else if (alg_k) 1597 al = SSL_AD_UNEXPECTED_MESSAGE;
1708 { 1598 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1709 al=SSL_AD_UNEXPECTED_MESSAGE;
1710 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1711 goto f_err; 1599 goto f_err;
1712 } 1600 }
1713#endif /* !OPENSSL_NO_ECDH */ 1601#endif /* !OPENSSL_NO_ECDH */
1714 1602
1715 1603
1716 /* p points to the next byte, there are 'n' bytes left */ 1604 /* p points to the next byte, there are 'n' bytes left */
1717 1605
1718 /* if it was signed, check the signature */ 1606 /* if it was signed, check the signature */
1719 if (pkey != NULL) 1607 if (pkey != NULL) {
1720 { 1608 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1721 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1722 {
1723 int sigalg = tls12_get_sigid(pkey); 1609 int sigalg = tls12_get_sigid(pkey);
1724 /* Should never happen */ 1610 /* Should never happen */
1725 if (sigalg == -1) 1611 if (sigalg == -1) {
1726 { 1612 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1727 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1728 goto err; 1613 goto err;
1729 } 1614 }
1730 /* Check key type is consistent with signature */ 1615 /* Check key type is consistent with signature */
1731 if (sigalg != (int)p[1]) 1616 if (sigalg != (int)p[1]) {
1732 { 1617 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_TYPE);
1733 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE); 1618 al = SSL_AD_DECODE_ERROR;
1734 al=SSL_AD_DECODE_ERROR;
1735 goto f_err; 1619 goto f_err;
1736 } 1620 }
1737 md = tls12_get_hash(p[0]); 1621 md = tls12_get_hash(p[0]);
1738 if (md == NULL) 1622 if (md == NULL) {
1739 { 1623 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNKNOWN_DIGEST);
1740 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST); 1624 al = SSL_AD_DECODE_ERROR;
1741 al=SSL_AD_DECODE_ERROR;
1742 goto f_err; 1625 goto f_err;
1743 } 1626 }
1744#ifdef SSL_DEBUG 1627#ifdef SSL_DEBUG
1745fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 1628 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1746#endif 1629#endif
1747 p += 2; 1630 p += 2;
1748 n -= 2; 1631 n -= 2;
1749 } 1632 } else
1750 else
1751 md = EVP_sha1(); 1633 md = EVP_sha1();
1752
1753 n2s(p,i);
1754 n-=2;
1755 j=EVP_PKEY_size(pkey);
1756 1634
1757 if ((i != n) || (n > j) || (n <= 0)) 1635 n2s(p, i);
1758 { 1636 n -= 2;
1637 j = EVP_PKEY_size(pkey);
1638
1639 if ((i != n) || (n > j) || (n <= 0)) {
1759 /* wrong packet length */ 1640 /* wrong packet length */
1760 al=SSL_AD_DECODE_ERROR; 1641 al = SSL_AD_DECODE_ERROR;
1761 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1642 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
1762 goto f_err; 1643 goto f_err;
1763 } 1644 }
1764 1645
1765#ifndef OPENSSL_NO_RSA 1646#ifndef OPENSSL_NO_RSA
1766 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) 1647 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION) {
1767 {
1768 int num; 1648 int num;
1769 1649
1770 j=0; 1650 j = 0;
1771 q=md_buf; 1651 q = md_buf;
1772 for (num=2; num > 0; num--) 1652 for (num = 2; num > 0; num--) {
1773 {
1774 EVP_MD_CTX_set_flags(&md_ctx, 1653 EVP_MD_CTX_set_flags(&md_ctx,
1775 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1654 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1776 EVP_DigestInit_ex(&md_ctx,(num == 2) 1655 EVP_DigestInit_ex(&md_ctx,(num == 2)
1777 ?s->ctx->md5:s->ctx->sha1, NULL); 1656 ?s->ctx->md5 : s->ctx->sha1, NULL);
1778 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1657 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1779 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1658 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1780 EVP_DigestUpdate(&md_ctx,param,param_len); 1659 EVP_DigestUpdate(&md_ctx, param, param_len);
1781 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1660 EVP_DigestFinal_ex(&md_ctx, q,(unsigned int *)&i);
1782 q+=i; 1661 q += i;
1783 j+=i; 1662 j += i;
1784 } 1663 }
1785 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1664 i = RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1786 pkey->pkey.rsa); 1665 pkey->pkey.rsa);
1787 if (i < 0) 1666 if (i < 0) {
1788 { 1667 al = SSL_AD_DECRYPT_ERROR;
1789 al=SSL_AD_DECRYPT_ERROR; 1668 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT);
1790 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1791 goto f_err; 1669 goto f_err;
1792 } 1670 }
1793 if (i == 0) 1671 if (i == 0) {
1794 {
1795 /* bad signature */ 1672 /* bad signature */
1796 al=SSL_AD_DECRYPT_ERROR; 1673 al = SSL_AD_DECRYPT_ERROR;
1797 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1674 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1798 goto f_err; 1675 goto f_err;
1799 }
1800 } 1676 }
1801 else 1677 } else
1802#endif 1678#endif
1803 { 1679 {
1804 EVP_VerifyInit_ex(&md_ctx, md, NULL); 1680 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1805 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1681 EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1806 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1682 EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1807 EVP_VerifyUpdate(&md_ctx,param,param_len); 1683 EVP_VerifyUpdate(&md_ctx, param, param_len);
1808 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1684 if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {
1809 {
1810 /* bad signature */ 1685 /* bad signature */
1811 al=SSL_AD_DECRYPT_ERROR; 1686 al = SSL_AD_DECRYPT_ERROR;
1812 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1687 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1813 goto f_err; 1688 goto f_err;
1814 }
1815 } 1689 }
1816 } 1690 }
1817 else 1691 } else {
1818 {
1819 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1692 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
1820 /* aNULL or kPSK do not need public keys */ 1693 /* aNULL or kPSK do not need public keys */
1821 { 1694 {
1822 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1695 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1823 goto err; 1696 goto err;
1824 } 1697 }
1825 /* still data left over */ 1698 /* still data left over */
1826 if (n != 0) 1699 if (n != 0) {
1827 { 1700 al = SSL_AD_DECODE_ERROR;
1828 al=SSL_AD_DECODE_ERROR; 1701 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
1829 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1830 goto f_err; 1702 goto f_err;
1831 }
1832 } 1703 }
1704 }
1833 EVP_PKEY_free(pkey); 1705 EVP_PKEY_free(pkey);
1834 EVP_MD_CTX_cleanup(&md_ctx); 1706 EVP_MD_CTX_cleanup(&md_ctx);
1835 return(1); 1707 return (1);
1836f_err: 1708f_err:
1837 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1709 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1838err: 1710err:
1839 EVP_PKEY_free(pkey); 1711 EVP_PKEY_free(pkey);
1840#ifndef OPENSSL_NO_RSA 1712#ifndef OPENSSL_NO_RSA
@@ -1852,241 +1724,219 @@ err:
1852 EC_KEY_free(ecdh); 1724 EC_KEY_free(ecdh);
1853#endif 1725#endif
1854 EVP_MD_CTX_cleanup(&md_ctx); 1726 EVP_MD_CTX_cleanup(&md_ctx);
1855 return(-1); 1727 return (-1);
1856 } 1728}
1857 1729
1858int ssl3_get_certificate_request(SSL *s) 1730int
1859 { 1731ssl3_get_certificate_request(SSL *s)
1860 int ok,ret=0; 1732{
1861 unsigned long n,nc,l; 1733 int ok, ret = 0;
1862 unsigned int llen, ctype_num,i; 1734 unsigned long n, nc, l;
1863 X509_NAME *xn=NULL; 1735 unsigned int llen, ctype_num, i;
1864 const unsigned char *p,*q; 1736 X509_NAME *xn = NULL;
1737 const unsigned char *p, *q;
1865 unsigned char *d; 1738 unsigned char *d;
1866 STACK_OF(X509_NAME) *ca_sk=NULL; 1739 STACK_OF(X509_NAME) *ca_sk = NULL;
1867 1740
1868 n=s->method->ssl_get_message(s, 1741 n = s->method->ssl_get_message(s,
1869 SSL3_ST_CR_CERT_REQ_A, 1742 SSL3_ST_CR_CERT_REQ_A,
1870 SSL3_ST_CR_CERT_REQ_B, 1743 SSL3_ST_CR_CERT_REQ_B,
1871 -1, 1744 -1,
1872 s->max_cert_list, 1745 s->max_cert_list,
1873 &ok); 1746 &ok);
1874 1747
1875 if (!ok) return((int)n); 1748 if (!ok)
1749 return ((int)n);
1876 1750
1877 s->s3->tmp.cert_req=0; 1751 s->s3->tmp.cert_req = 0;
1878 1752
1879 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1753 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) {
1880 { 1754 s->s3->tmp.reuse_message = 1;
1881 s->s3->tmp.reuse_message=1;
1882 /* If we get here we don't need any cached handshake records 1755 /* If we get here we don't need any cached handshake records
1883 * as we wont be doing client auth. 1756 * as we wont be doing client auth.
1884 */ 1757 */
1885 if (s->s3->handshake_buffer) 1758 if (s->s3->handshake_buffer) {
1886 {
1887 if (!ssl3_digest_cached_records(s)) 1759 if (!ssl3_digest_cached_records(s))
1888 goto err; 1760 goto err;
1889 }
1890 return(1);
1891 } 1761 }
1762 return (1);
1763 }
1892 1764
1893 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1765 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1894 { 1766 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1895 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1767 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_WRONG_MESSAGE_TYPE);
1896 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1897 goto err; 1768 goto err;
1898 } 1769 }
1899 1770
1900 /* TLS does not like anon-DH with client cert */ 1771 /* TLS does not like anon-DH with client cert */
1901 if (s->version > SSL3_VERSION) 1772 if (s->version > SSL3_VERSION) {
1902 { 1773 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
1903 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1774 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1904 { 1775 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1905 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1906 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1907 goto err; 1776 goto err;
1908 }
1909 } 1777 }
1778 }
1910 1779
1911 p=d=(unsigned char *)s->init_msg; 1780 p = d=(unsigned char *)s->init_msg;
1912 1781
1913 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1782 if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1914 { 1783 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1915 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1916 goto err; 1784 goto err;
1917 } 1785 }
1918 1786
1919 /* get the certificate types */ 1787 /* get the certificate types */
1920 ctype_num= *(p++); 1788 ctype_num= *(p++);
1921 if (ctype_num > SSL3_CT_NUMBER) 1789 if (ctype_num > SSL3_CT_NUMBER)
1922 ctype_num=SSL3_CT_NUMBER; 1790 ctype_num = SSL3_CT_NUMBER;
1923 for (i=0; i<ctype_num; i++) 1791 for (i = 0; i < ctype_num; i++)
1924 s->s3->tmp.ctype[i]= p[i]; 1792 s->s3->tmp.ctype[i] = p[i];
1925 p+=ctype_num; 1793 p += ctype_num;
1926 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1794 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1927 {
1928 n2s(p, llen); 1795 n2s(p, llen);
1929 /* Check we have enough room for signature algorithms and 1796 /* Check we have enough room for signature algorithms and
1930 * following length value. 1797 * following length value.
1931 */ 1798 */
1932 if ((unsigned long)(p - d + llen + 2) > n) 1799 if ((unsigned long)(p - d + llen + 2) > n) {
1933 { 1800 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1934 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1801 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_DATA_LENGTH_TOO_LONG);
1935 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
1936 goto err; 1802 goto err;
1937 } 1803 }
1938 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) 1804 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen)) {
1939 { 1805 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1940 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1806 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1941 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1942 goto err; 1807 goto err;
1943 }
1944 p += llen;
1945 } 1808 }
1809 p += llen;
1810 }
1946 1811
1947 /* get the CA RDNs */ 1812 /* get the CA RDNs */
1948 n2s(p,llen); 1813 n2s(p, llen);
1949#if 0 1814#if 0
1950{ 1815 {
1951FILE *out; 1816 FILE *out;
1952out=fopen("/tmp/vsign.der","w"); 1817 out = fopen("/tmp/vsign.der", "w");
1953fwrite(p,1,llen,out); 1818 fwrite(p, 1, llen, out);
1954fclose(out); 1819 fclose(out);
1955} 1820 }
1956#endif 1821#endif
1957 1822
1958 if ((unsigned long)(p - d + llen) != n) 1823 if ((unsigned long)(p - d + llen) != n) {
1959 { 1824 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1960 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1825 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
1961 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1962 goto err; 1826 goto err;
1963 } 1827 }
1964 1828
1965 for (nc=0; nc<llen; ) 1829 for (nc = 0; nc < llen; ) {
1966 { 1830 n2s(p, l);
1967 n2s(p,l); 1831 if ((l + nc + 2) > llen) {
1968 if ((l+nc+2) > llen)
1969 {
1970 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1832 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1971 goto cont; /* netscape bugs */ 1833 goto cont; /* netscape bugs */
1972 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1834 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1973 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1835 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
1974 goto err; 1836 goto err;
1975 } 1837 }
1976 1838
1977 q=p; 1839 q = p;
1978 1840
1979 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1841 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
1980 {
1981 /* If netscape tolerance is on, ignore errors */ 1842 /* If netscape tolerance is on, ignore errors */
1982 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1843 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1983 goto cont; 1844 goto cont;
1984 else 1845 else {
1985 { 1846 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1986 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1847 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
1987 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1988 goto err; 1848 goto err;
1989 }
1990 } 1849 }
1850 }
1991 1851
1992 if (q != (p+l)) 1852 if (q != (p + l)) {
1993 { 1853 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1994 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1854 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_LENGTH_MISMATCH);
1995 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1996 goto err; 1855 goto err;
1997 } 1856 }
1998 if (!sk_X509_NAME_push(ca_sk,xn)) 1857 if (!sk_X509_NAME_push(ca_sk, xn)) {
1999 { 1858 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
2000 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
2001 goto err; 1859 goto err;
2002 }
2003
2004 p+=l;
2005 nc+=l+2;
2006 } 1860 }
2007 1861
2008 if (0) 1862 p += l;
2009 { 1863 nc += l + 2;
1864 }
1865
1866 if (0) {
2010cont: 1867cont:
2011 ERR_clear_error(); 1868 ERR_clear_error();
2012 } 1869 }
2013 1870
2014 /* we should setup a certificate to return.... */ 1871 /* we should setup a certificate to return.... */
2015 s->s3->tmp.cert_req=1; 1872 s->s3->tmp.cert_req = 1;
2016 s->s3->tmp.ctype_num=ctype_num; 1873 s->s3->tmp.ctype_num = ctype_num;
2017 if (s->s3->tmp.ca_names != NULL) 1874 if (s->s3->tmp.ca_names != NULL)
2018 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1875 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
2019 s->s3->tmp.ca_names=ca_sk; 1876 s->s3->tmp.ca_names = ca_sk;
2020 ca_sk=NULL; 1877 ca_sk = NULL;
2021 1878
2022 ret=1; 1879 ret = 1;
2023err: 1880err:
2024 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1881 if (ca_sk != NULL)
2025 return(ret); 1882 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2026 } 1883 return (ret);
1884}
1885
1886static int
1887ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1888{
1889 return (X509_NAME_cmp(*a, *b));
1890}
2027 1891
2028static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
2029 {
2030 return(X509_NAME_cmp(*a,*b));
2031 }
2032#ifndef OPENSSL_NO_TLSEXT 1892#ifndef OPENSSL_NO_TLSEXT
2033int ssl3_get_new_session_ticket(SSL *s) 1893int
2034 { 1894ssl3_get_new_session_ticket(SSL *s)
2035 int ok,al,ret=0, ticklen; 1895{
1896 int ok, al, ret = 0, ticklen;
2036 long n; 1897 long n;
2037 const unsigned char *p; 1898 const unsigned char *p;
2038 unsigned char *d; 1899 unsigned char *d;
2039 1900
2040 n=s->method->ssl_get_message(s, 1901 n = s->method->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
2041 SSL3_ST_CR_SESSION_TICKET_A, 1902 SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok);
2042 SSL3_ST_CR_SESSION_TICKET_B,
2043 -1,
2044 16384,
2045 &ok);
2046
2047 if (!ok) 1903 if (!ok)
2048 return((int)n); 1904 return ((int)n);
2049 1905
2050 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 1906 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) {
2051 { 1907 s->s3->tmp.reuse_message = 1;
2052 s->s3->tmp.reuse_message=1; 1908 return (1);
2053 return(1); 1909 }
2054 } 1910 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
2055 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 1911 al = SSL_AD_UNEXPECTED_MESSAGE;
2056 { 1912 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_BAD_MESSAGE_TYPE);
2057 al=SSL_AD_UNEXPECTED_MESSAGE;
2058 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
2059 goto f_err; 1913 goto f_err;
2060 } 1914 }
2061 if (n < 6) 1915 if (n < 6) {
2062 {
2063 /* need at least ticket_lifetime_hint + ticket length */ 1916 /* need at least ticket_lifetime_hint + ticket length */
2064 al = SSL_AD_DECODE_ERROR; 1917 al = SSL_AD_DECODE_ERROR;
2065 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1918 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2066 goto f_err; 1919 goto f_err;
2067 } 1920 }
2068 1921
2069 p=d=(unsigned char *)s->init_msg; 1922 p = d = (unsigned char *)s->init_msg;
2070 n2l(p, s->session->tlsext_tick_lifetime_hint); 1923 n2l(p, s->session->tlsext_tick_lifetime_hint);
2071 n2s(p, ticklen); 1924 n2s(p, ticklen);
2072 /* ticket_lifetime_hint + ticket_length + ticket */ 1925 /* ticket_lifetime_hint + ticket_length + ticket */
2073 if (ticklen + 6 != n) 1926 if (ticklen + 6 != n) {
2074 {
2075 al = SSL_AD_DECODE_ERROR; 1927 al = SSL_AD_DECODE_ERROR;
2076 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1928 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
2077 goto f_err; 1929 goto f_err;
2078 } 1930 }
2079 if (s->session->tlsext_tick) 1931 if (s->session->tlsext_tick) {
2080 {
2081 OPENSSL_free(s->session->tlsext_tick); 1932 OPENSSL_free(s->session->tlsext_tick);
2082 s->session->tlsext_ticklen = 0; 1933 s->session->tlsext_ticklen = 0;
2083 } 1934 }
2084 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1935 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
2085 if (!s->session->tlsext_tick) 1936 if (!s->session->tlsext_tick) {
2086 { 1937 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
2087 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
2088 goto err; 1938 goto err;
2089 } 1939 }
2090 memcpy(s->session->tlsext_tick, p, ticklen); 1940 memcpy(s->session->tlsext_tick, p, ticklen);
2091 s->session->tlsext_ticklen = ticklen; 1941 s->session->tlsext_ticklen = ticklen;
2092 /* There are two ways to detect a resumed ticket sesion. 1942 /* There are two ways to detect a resumed ticket sesion.
@@ -2105,122 +1955,116 @@ int ssl3_get_new_session_ticket(SSL *s)
2105 * ticket. 1955 * ticket.
2106 */ 1956 */
2107 EVP_Digest(p, ticklen, 1957 EVP_Digest(p, ticklen,
2108 s->session->session_id, &s->session->session_id_length, 1958 s->session->session_id, &s->session->session_id_length,
2109#ifndef OPENSSL_NO_SHA256 1959#ifndef OPENSSL_NO_SHA256
2110 EVP_sha256(), NULL); 1960 EVP_sha256(), NULL);
2111#else 1961#else
2112 EVP_sha1(), NULL); 1962 EVP_sha1(), NULL);
2113#endif 1963#endif
2114 ret=1; 1964 ret = 1;
2115 return(ret); 1965 return (ret);
2116f_err: 1966f_err:
2117 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1967 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2118err: 1968err:
2119 return(-1); 1969 return (-1);
2120 } 1970}
2121 1971
2122int ssl3_get_cert_status(SSL *s) 1972int
2123 { 1973ssl3_get_cert_status(SSL *s)
1974{
2124 int ok, al; 1975 int ok, al;
2125 unsigned long resplen,n; 1976 unsigned long resplen, n;
2126 const unsigned char *p; 1977 const unsigned char *p;
2127 1978
2128 n=s->method->ssl_get_message(s, 1979 n = s->method->ssl_get_message(s,
2129 SSL3_ST_CR_CERT_STATUS_A, 1980 SSL3_ST_CR_CERT_STATUS_A,
2130 SSL3_ST_CR_CERT_STATUS_B, 1981 SSL3_ST_CR_CERT_STATUS_B,
2131 SSL3_MT_CERTIFICATE_STATUS, 1982 SSL3_MT_CERTIFICATE_STATUS,
2132 16384, 1983 16384,
2133 &ok); 1984 &ok);
2134 1985
2135 if (!ok) return((int)n); 1986 if (!ok)
2136 if (n < 4) 1987 return ((int)n);
2137 { 1988 if (n < 4) {
2138 /* need at least status type + length */ 1989 /* need at least status type + length */
2139 al = SSL_AD_DECODE_ERROR; 1990 al = SSL_AD_DECODE_ERROR;
2140 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1991 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2141 goto f_err; 1992 goto f_err;
2142 } 1993 }
2143 p = (unsigned char *)s->init_msg; 1994 p = (unsigned char *)s->init_msg;
2144 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 1995 if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
2145 {
2146 al = SSL_AD_DECODE_ERROR; 1996 al = SSL_AD_DECODE_ERROR;
2147 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 1997 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
2148 goto f_err; 1998 goto f_err;
2149 } 1999 }
2150 n2l3(p, resplen); 2000 n2l3(p, resplen);
2151 if (resplen + 4 != n) 2001 if (resplen + 4 != n) {
2152 {
2153 al = SSL_AD_DECODE_ERROR; 2002 al = SSL_AD_DECODE_ERROR;
2154 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 2003 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
2155 goto f_err; 2004 goto f_err;
2156 } 2005 }
2157 if (s->tlsext_ocsp_resp) 2006 if (s->tlsext_ocsp_resp)
2158 OPENSSL_free(s->tlsext_ocsp_resp); 2007 OPENSSL_free(s->tlsext_ocsp_resp);
2159 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 2008 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
2160 if (!s->tlsext_ocsp_resp) 2009 if (!s->tlsext_ocsp_resp) {
2161 {
2162 al = SSL_AD_INTERNAL_ERROR; 2010 al = SSL_AD_INTERNAL_ERROR;
2163 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2011 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2164 goto f_err; 2012 goto f_err;
2165 } 2013 }
2166 s->tlsext_ocsp_resplen = resplen; 2014 s->tlsext_ocsp_resplen = resplen;
2167 if (s->ctx->tlsext_status_cb) 2015 if (s->ctx->tlsext_status_cb) {
2168 {
2169 int ret; 2016 int ret;
2170 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 2017 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2171 if (ret == 0) 2018 if (ret == 0) {
2172 {
2173 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 2019 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
2174 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 2020 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_INVALID_STATUS_RESPONSE);
2175 goto f_err; 2021 goto f_err;
2176 } 2022 }
2177 if (ret < 0) 2023 if (ret < 0) {
2178 {
2179 al = SSL_AD_INTERNAL_ERROR; 2024 al = SSL_AD_INTERNAL_ERROR;
2180 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 2025 SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
2181 goto f_err; 2026 goto f_err;
2182 }
2183 } 2027 }
2028 }
2184 return 1; 2029 return 1;
2185f_err: 2030f_err:
2186 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2031 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2187 return(-1); 2032 return (-1);
2188 } 2033}
2189#endif 2034#endif
2190 2035
2191int ssl3_get_server_done(SSL *s) 2036int
2192 { 2037ssl3_get_server_done(SSL *s)
2193 int ok,ret=0; 2038{
2039 int ok, ret = 0;
2194 long n; 2040 long n;
2195 2041
2196 n=s->method->ssl_get_message(s, 2042 n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
2197 SSL3_ST_CR_SRVR_DONE_A, 2043 SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
2198 SSL3_ST_CR_SRVR_DONE_B, 2044 30, /* should be very small, like 0 :-) */ &ok);
2199 SSL3_MT_SERVER_DONE,
2200 30, /* should be very small, like 0 :-) */
2201 &ok);
2202 2045
2203 if (!ok) return((int)n); 2046 if (!ok)
2204 if (n > 0) 2047 return ((int)n);
2205 { 2048 if (n > 0) {
2206 /* should contain no data */ 2049 /* should contain no data */
2207 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 2050 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
2208 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 2051 SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
2209 return -1; 2052 return -1;
2210 }
2211 ret=1;
2212 return(ret);
2213 } 2053 }
2054 ret = 1;
2055 return (ret);
2056}
2214 2057
2215 2058
2216int ssl3_send_client_key_exchange(SSL *s) 2059int
2217 { 2060ssl3_send_client_key_exchange(SSL *s)
2218 unsigned char *p,*d; 2061{
2062 unsigned char *p, *d;
2219 int n; 2063 int n;
2220 unsigned long alg_k; 2064 unsigned long alg_k;
2221#ifndef OPENSSL_NO_RSA 2065#ifndef OPENSSL_NO_RSA
2222 unsigned char *q; 2066 unsigned char *q;
2223 EVP_PKEY *pkey=NULL; 2067 EVP_PKEY *pkey = NULL;
2224#endif 2068#endif
2225#ifndef OPENSSL_NO_KRB5 2069#ifndef OPENSSL_NO_KRB5
2226 KSSL_ERR kssl_err; 2070 KSSL_ERR kssl_err;
@@ -2234,77 +2078,73 @@ int ssl3_send_client_key_exchange(SSL *s)
2234 BN_CTX * bn_ctx = NULL; 2078 BN_CTX * bn_ctx = NULL;
2235#endif 2079#endif
2236 2080
2237 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 2081 if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
2238 { 2082 d = (unsigned char *)s->init_buf->data;
2239 d=(unsigned char *)s->init_buf->data; 2083 p = &(d[4]);
2240 p= &(d[4]);
2241 2084
2242 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2085 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2243 2086
2244 /* Fool emacs indentation */ 2087 /* Fool emacs indentation */
2245 if (0) {} 2088 if (0) {
2089 }
2246#ifndef OPENSSL_NO_RSA 2090#ifndef OPENSSL_NO_RSA
2247 else if (alg_k & SSL_kRSA) 2091 else if (alg_k & SSL_kRSA) {
2248 {
2249 RSA *rsa; 2092 RSA *rsa;
2250 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2093 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2251 2094
2252 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2095 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2253 rsa=s->session->sess_cert->peer_rsa_tmp; 2096 rsa = s->session->sess_cert->peer_rsa_tmp;
2254 else 2097 else {
2255 { 2098 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2256 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2257 if ((pkey == NULL) || 2099 if ((pkey == NULL) ||
2258 (pkey->type != EVP_PKEY_RSA) || 2100 (pkey->type != EVP_PKEY_RSA) ||
2259 (pkey->pkey.rsa == NULL)) 2101 (pkey->pkey.rsa == NULL)) {
2260 { 2102 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2261 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2262 goto err; 2103 goto err;
2263 }
2264 rsa=pkey->pkey.rsa;
2265 EVP_PKEY_free(pkey);
2266 } 2104 }
2267 2105 rsa = pkey->pkey.rsa;
2268 tmp_buf[0]=s->client_version>>8; 2106 EVP_PKEY_free(pkey);
2269 tmp_buf[1]=s->client_version&0xff; 2107 }
2270 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2108
2271 goto err; 2109 tmp_buf[0] = s->client_version >> 8;
2110 tmp_buf[1] = s->client_version & 0xff;
2111 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2112 goto err;
2272 2113
2273 s->session->master_key_length=sizeof tmp_buf; 2114 s->session->master_key_length = sizeof tmp_buf;
2274 2115
2275 q=p; 2116 q = p;
2276 /* Fix buf for TLS and beyond */ 2117 /* Fix buf for TLS and beyond */
2277 if (s->version > SSL3_VERSION) 2118 if (s->version > SSL3_VERSION)
2278 p+=2; 2119 p += 2;
2279 n=RSA_public_encrypt(sizeof tmp_buf, 2120 n = RSA_public_encrypt(sizeof tmp_buf,
2280 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2121 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2281#ifdef PKCS1_CHECK 2122#ifdef PKCS1_CHECK
2282 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2123 if (s->options & SSL_OP_PKCS1_CHECK_1)
2283 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2124 p[1]++;
2125 if (s->options & SSL_OP_PKCS1_CHECK_2)
2126 tmp_buf[0] = 0x70;
2284#endif 2127#endif
2285 if (n <= 0) 2128 if (n <= 0) {
2286 { 2129 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
2287 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
2288 goto err; 2130 goto err;
2289 } 2131 }
2290 2132
2291 /* Fix buf for TLS and beyond */ 2133 /* Fix buf for TLS and beyond */
2292 if (s->version > SSL3_VERSION) 2134 if (s->version > SSL3_VERSION) {
2293 { 2135 s2n(n, q);
2294 s2n(n,q); 2136 n += 2;
2295 n+=2;
2296 }
2297
2298 s->session->master_key_length=
2299 s->method->ssl3_enc->generate_master_secret(s,
2300 s->session->master_key,
2301 tmp_buf,sizeof tmp_buf);
2302 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2303 } 2137 }
2138
2139 s->session->master_key_length =
2140 s->method->ssl3_enc->generate_master_secret(
2141 s, s->session->master_key, tmp_buf,
2142 sizeof tmp_buf);
2143 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2144 }
2304#endif 2145#endif
2305#ifndef OPENSSL_NO_KRB5 2146#ifndef OPENSSL_NO_KRB5
2306 else if (alg_k & SSL_kKRB5) 2147 else if (alg_k & SSL_kKRB5) {
2307 {
2308 krb5_error_code krb5rc; 2148 krb5_error_code krb5rc;
2309 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2149 KSSL_CTX *kssl_ctx = s->kssl_ctx;
2310 /* krb5_data krb5_ap_req; */ 2150 /* krb5_data krb5_ap_req; */
@@ -2314,43 +2154,43 @@ int ssl3_send_client_key_exchange(SSL *s)
2314 const EVP_CIPHER *enc = NULL; 2154 const EVP_CIPHER *enc = NULL;
2315 unsigned char iv[EVP_MAX_IV_LENGTH]; 2155 unsigned char iv[EVP_MAX_IV_LENGTH];
2316 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2156 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2317 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 2157 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2318 + EVP_MAX_IV_LENGTH]; 2158 + EVP_MAX_IV_LENGTH];
2319 int padl, outl = sizeof(epms); 2159 int padl, outl = sizeof(epms);
2320 2160
2321 EVP_CIPHER_CTX_init(&ciph_ctx); 2161 EVP_CIPHER_CTX_init(&ciph_ctx);
2322 2162
2323#ifdef KSSL_DEBUG 2163#ifdef KSSL_DEBUG
2324 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2164 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2325 alg_k, SSL_kKRB5); 2165 alg_k, SSL_kKRB5);
2326#endif /* KSSL_DEBUG */ 2166#endif /* KSSL_DEBUG */
2327 2167
2328 authp = NULL; 2168 authp = NULL;
2329#ifdef KRB5SENDAUTH 2169#ifdef KRB5SENDAUTH
2330 if (KRB5SENDAUTH) authp = &authenticator; 2170 if (KRB5SENDAUTH)
2171 authp = &authenticator;
2331#endif /* KRB5SENDAUTH */ 2172#endif /* KRB5SENDAUTH */
2332 2173
2333 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2174 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
2334 &kssl_err); 2175 authp, &kssl_err);
2335 enc = kssl_map_enc(kssl_ctx->enctype); 2176 enc = kssl_map_enc(kssl_ctx->enctype);
2336 if (enc == NULL) 2177 if (enc == NULL)
2337 goto err; 2178 goto err;
2338#ifdef KSSL_DEBUG 2179#ifdef KSSL_DEBUG
2339 { 2180 {
2340 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2181 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2341 if (krb5rc && kssl_err.text) 2182 if (krb5rc && kssl_err.text)
2342 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2183 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2343 } 2184 }
2344#endif /* KSSL_DEBUG */ 2185#endif /* KSSL_DEBUG */
2345 2186
2346 if (krb5rc) 2187 if (krb5rc) {
2347 { 2188 ssl3_send_alert(s, SSL3_AL_FATAL,
2348 ssl3_send_alert(s,SSL3_AL_FATAL, 2189 SSL_AD_HANDSHAKE_FAILURE);
2349 SSL_AD_HANDSHAKE_FAILURE);
2350 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2190 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2351 kssl_err.reason); 2191 kssl_err.reason);
2352 goto err; 2192 goto err;
2353 } 2193 }
2354 2194
2355 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2195 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2356 ** in place of RFC 2712 KerberosWrapper, as in: 2196 ** in place of RFC 2712 KerberosWrapper, as in:
@@ -2372,32 +2212,29 @@ int ssl3_send_client_key_exchange(SSL *s)
2372 */ 2212 */
2373 2213
2374 /* KerberosWrapper.Ticket */ 2214 /* KerberosWrapper.Ticket */
2375 s2n(enc_ticket->length,p); 2215 s2n(enc_ticket->length, p);
2376 memcpy(p, enc_ticket->data, enc_ticket->length); 2216 memcpy(p, enc_ticket->data, enc_ticket->length);
2377 p+= enc_ticket->length; 2217 p += enc_ticket->length;
2378 n = enc_ticket->length + 2; 2218 n = enc_ticket->length + 2;
2379 2219
2380 /* KerberosWrapper.Authenticator */ 2220 /* KerberosWrapper.Authenticator */
2381 if (authp && authp->length) 2221 if (authp && authp->length) {
2382 { 2222 s2n(authp->length, p);
2383 s2n(authp->length,p);
2384 memcpy(p, authp->data, authp->length); 2223 memcpy(p, authp->data, authp->length);
2385 p+= authp->length; 2224 p += authp->length;
2386 n+= authp->length + 2; 2225 n += authp->length + 2;
2387 2226
2388 free(authp->data); 2227 free(authp->data);
2389 authp->data = NULL; 2228 authp->data = NULL;
2390 authp->length = 0; 2229 authp->length = 0;
2391 } 2230 } else {
2392 else
2393 {
2394 s2n(0,p);/* null authenticator length */ 2231 s2n(0,p);/* null authenticator length */
2395 n+=2; 2232 n += 2;
2396 } 2233 }
2397 2234
2398 tmp_buf[0]=s->client_version>>8; 2235 tmp_buf[0] = s->client_version >> 8;
2399 tmp_buf[1]=s->client_version&0xff; 2236 tmp_buf[1] = s->client_version&0xff;
2400 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2237 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2401 goto err; 2238 goto err;
2402 2239
2403 /* 20010420 VRS. Tried it this way; failed. 2240 /* 20010420 VRS. Tried it this way; failed.
@@ -2407,104 +2244,97 @@ int ssl3_send_client_key_exchange(SSL *s)
2407 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2244 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2408 */ 2245 */
2409 2246
2410 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2247 memset(iv, 0, sizeof iv);
2411 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2248 /* per RFC 1510 */
2412 kssl_ctx->key,iv); 2249 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
2413 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2250 kssl_ctx->key, iv);
2414 sizeof tmp_buf); 2251 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
2415 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2252 sizeof tmp_buf);
2253 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
2416 outl += padl; 2254 outl += padl;
2417 if (outl > (int)sizeof epms) 2255 if (outl > (int)sizeof epms) {
2418 {
2419 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2256 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2420 goto err; 2257 goto err;
2421 } 2258 }
2422 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2259 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2423 2260
2424 /* KerberosWrapper.EncryptedPreMasterSecret */ 2261 /* KerberosWrapper.EncryptedPreMasterSecret */
2425 s2n(outl,p); 2262 s2n(outl, p);
2426 memcpy(p, epms, outl); 2263 memcpy(p, epms, outl);
2427 p+=outl; 2264 p += outl;
2428 n+=outl + 2; 2265 n += outl + 2;
2429 2266
2430 s->session->master_key_length= 2267 s->session->master_key_length =
2431 s->method->ssl3_enc->generate_master_secret(s, 2268 s->method->ssl3_enc->generate_master_secret(s,
2432 s->session->master_key, 2269 s->session->master_key,
2433 tmp_buf, sizeof tmp_buf); 2270 tmp_buf, sizeof tmp_buf);
2434 2271
2435 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2272 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2436 OPENSSL_cleanse(epms, outl); 2273 OPENSSL_cleanse(epms, outl);
2437 } 2274 }
2438#endif 2275#endif
2439#ifndef OPENSSL_NO_DH 2276#ifndef OPENSSL_NO_DH
2440 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2277 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2441 { 2278 DH *dh_srvr, *dh_clnt;
2442 DH *dh_srvr,*dh_clnt;
2443 2279
2444 if (s->session->sess_cert == NULL) 2280 if (s->session->sess_cert == NULL) {
2445 { 2281 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
2446 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2282 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
2447 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2448 goto err; 2283 goto err;
2449 } 2284 }
2450 2285
2451 if (s->session->sess_cert->peer_dh_tmp != NULL) 2286 if (s->session->sess_cert->peer_dh_tmp != NULL)
2452 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2287 dh_srvr = s->session->sess_cert->peer_dh_tmp;
2453 else 2288 else {
2454 {
2455 /* we get them from the cert */ 2289 /* we get them from the cert */
2456 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2290 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2457 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2291 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2458 goto err; 2292 goto err;
2459 } 2293 }
2460 2294
2461 /* generate a new random key */ 2295 /* generate a new random key */
2462 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2296 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
2463 { 2297 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2464 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2465 goto err; 2298 goto err;
2466 } 2299 }
2467 if (!DH_generate_key(dh_clnt)) 2300 if (!DH_generate_key(dh_clnt)) {
2468 { 2301 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2469 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2470 DH_free(dh_clnt); 2302 DH_free(dh_clnt);
2471 goto err; 2303 goto err;
2472 } 2304 }
2473 2305
2474 /* use the 'p' output buffer for the DH key, but 2306 /* use the 'p' output buffer for the DH key, but
2475 * make sure to clear it out afterwards */ 2307 * make sure to clear it out afterwards */
2476 2308
2477 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2309 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
2478 2310
2479 if (n <= 0) 2311 if (n <= 0) {
2480 { 2312 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2481 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2482 DH_free(dh_clnt); 2313 DH_free(dh_clnt);
2483 goto err; 2314 goto err;
2484 } 2315 }
2485 2316
2486 /* generate master key from the result */ 2317 /* generate master key from the result */
2487 s->session->master_key_length= 2318 s->session->master_key_length =
2488 s->method->ssl3_enc->generate_master_secret(s, 2319 s->method->ssl3_enc->generate_master_secret(s,
2489 s->session->master_key,p,n); 2320 s->session->master_key, p, n);
2490 /* clean up */ 2321 /* clean up */
2491 memset(p,0,n); 2322 memset(p, 0, n);
2492 2323
2493 /* send off the data */ 2324 /* send off the data */
2494 n=BN_num_bytes(dh_clnt->pub_key); 2325 n = BN_num_bytes(dh_clnt->pub_key);
2495 s2n(n,p); 2326 s2n(n, p);
2496 BN_bn2bin(dh_clnt->pub_key,p); 2327 BN_bn2bin(dh_clnt->pub_key, p);
2497 n+=2; 2328 n += 2;
2498 2329
2499 DH_free(dh_clnt); 2330 DH_free(dh_clnt);
2500 2331
2501 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2332 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2502 } 2333 }
2503#endif 2334#endif
2504 2335
2505#ifndef OPENSSL_NO_ECDH 2336#ifndef OPENSSL_NO_ECDH
2506 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2337 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2507 {
2508 const EC_GROUP *srvr_group = NULL; 2338 const EC_GROUP *srvr_group = NULL;
2509 EC_KEY *tkey; 2339 EC_KEY *tkey;
2510 int ecdh_clnt_cert = 0; 2340 int ecdh_clnt_cert = 0;
@@ -2515,8 +2345,7 @@ int ssl3_send_client_key_exchange(SSL *s)
2515 * computation as part of client certificate? 2345 * computation as part of client certificate?
2516 * If so, set ecdh_clnt_cert to 1. 2346 * If so, set ecdh_clnt_cert to 1.
2517 */ 2347 */
2518 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 2348 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) {
2519 {
2520 /* XXX: For now, we do not support client 2349 /* XXX: For now, we do not support client
2521 * authentication using ECDH certificates. 2350 * authentication using ECDH certificates.
2522 * To add such support, one needs to add 2351 * To add such support, one needs to add
@@ -2536,52 +2365,44 @@ int ssl3_send_client_key_exchange(SSL *s)
2536 * EVP_PKEY_EC) && ...) 2365 * EVP_PKEY_EC) && ...)
2537 * ecdh_clnt_cert = 1; 2366 * ecdh_clnt_cert = 1;
2538 */ 2367 */
2539 } 2368 }
2540 2369
2541 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2370 if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
2542 {
2543 tkey = s->session->sess_cert->peer_ecdh_tmp; 2371 tkey = s->session->sess_cert->peer_ecdh_tmp;
2544 } 2372 } else {
2545 else
2546 {
2547 /* Get the Server Public Key from Cert */ 2373 /* Get the Server Public Key from Cert */
2548 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2374 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2549 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2375 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2550 if ((srvr_pub_pkey == NULL) || 2376 if ((srvr_pub_pkey == NULL) ||
2551 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2377 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2552 (srvr_pub_pkey->pkey.ec == NULL)) 2378 (srvr_pub_pkey->pkey.ec == NULL)) {
2553 {
2554 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2379 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2555 ERR_R_INTERNAL_ERROR); 2380 ERR_R_INTERNAL_ERROR);
2556 goto err; 2381 goto err;
2557 } 2382 }
2558 2383
2559 tkey = srvr_pub_pkey->pkey.ec; 2384 tkey = srvr_pub_pkey->pkey.ec;
2560 } 2385 }
2561 2386
2562 srvr_group = EC_KEY_get0_group(tkey); 2387 srvr_group = EC_KEY_get0_group(tkey);
2563 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2388 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2564 2389
2565 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2390 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
2566 {
2567 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2391 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2568 ERR_R_INTERNAL_ERROR); 2392 ERR_R_INTERNAL_ERROR);
2569 goto err; 2393 goto err;
2570 } 2394 }
2571 2395
2572 if ((clnt_ecdh=EC_KEY_new()) == NULL) 2396 if ((clnt_ecdh = EC_KEY_new()) == NULL) {
2573 { 2397 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2574 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2575 goto err; 2398 goto err;
2576 } 2399 }
2577 2400
2578 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2401 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
2579 { 2402 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2580 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2581 goto err; 2403 goto err;
2582 } 2404 }
2583 if (ecdh_clnt_cert) 2405 if (ecdh_clnt_cert) {
2584 {
2585 /* Reuse key info from our certificate 2406 /* Reuse key info from our certificate
2586 * We only need our private key to perform 2407 * We only need our private key to perform
2587 * the ECDH computation. 2408 * the ECDH computation.
@@ -2589,581 +2410,529 @@ int ssl3_send_client_key_exchange(SSL *s)
2589 const BIGNUM *priv_key; 2410 const BIGNUM *priv_key;
2590 tkey = s->cert->key->privatekey->pkey.ec; 2411 tkey = s->cert->key->privatekey->pkey.ec;
2591 priv_key = EC_KEY_get0_private_key(tkey); 2412 priv_key = EC_KEY_get0_private_key(tkey);
2592 if (priv_key == NULL) 2413 if (priv_key == NULL) {
2593 { 2414 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2594 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2595 goto err; 2415 goto err;
2596 } 2416 }
2597 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2417 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) {
2598 { 2418 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2600 goto err; 2419 goto err;
2601 }
2602 } 2420 }
2603 else 2421 } else {
2604 {
2605 /* Generate a new ECDH key pair */ 2422 /* Generate a new ECDH key pair */
2606 if (!(EC_KEY_generate_key(clnt_ecdh))) 2423 if (!(EC_KEY_generate_key(clnt_ecdh))) {
2607 {
2608 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2424 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2609 goto err; 2425 goto err;
2610 }
2611 } 2426 }
2427 }
2612 2428
2613 /* use the 'p' output buffer for the ECDH key, but 2429 /* use the 'p' output buffer for the ECDH key, but
2614 * make sure to clear it out afterwards 2430 * make sure to clear it out afterwards
2615 */ 2431 */
2616 2432
2617 field_size = EC_GROUP_get_degree(srvr_group); 2433 field_size = EC_GROUP_get_degree(srvr_group);
2618 if (field_size <= 0) 2434 if (field_size <= 0) {
2619 { 2435 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2620 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2436 ERR_R_ECDH_LIB);
2621 ERR_R_ECDH_LIB);
2622 goto err; 2437 goto err;
2623 } 2438 }
2624 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2439 n = ECDH_compute_key(p, (field_size + 7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2625 if (n <= 0) 2440 if (n <= 0) {
2626 { 2441 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2442 ERR_R_ECDH_LIB);
2628 ERR_R_ECDH_LIB);
2629 goto err; 2443 goto err;
2630 } 2444 }
2631 2445
2632 /* generate master key from the result */ 2446 /* generate master key from the result */
2633 s->session->master_key_length = s->method->ssl3_enc \ 2447 s->session->master_key_length = s->method->ssl3_enc \
2634 -> generate_master_secret(s, 2448 -> generate_master_secret(s,
2635 s->session->master_key, 2449 s->session->master_key,
2636 p, n); 2450 p, n);
2637 2451
2638 memset(p, 0, n); /* clean up */ 2452 memset(p, 0, n); /* clean up */
2639 2453
2640 if (ecdh_clnt_cert) 2454 if (ecdh_clnt_cert) {
2641 {
2642 /* Send empty client key exch message */ 2455 /* Send empty client key exch message */
2643 n = 0; 2456 n = 0;
2644 } 2457 } else {
2645 else
2646 {
2647 /* First check the size of encoding and 2458 /* First check the size of encoding and
2648 * allocate memory accordingly. 2459 * allocate memory accordingly.
2649 */ 2460 */
2650 encoded_pt_len = 2461 encoded_pt_len =
2651 EC_POINT_point2oct(srvr_group, 2462 EC_POINT_point2oct(srvr_group,
2652 EC_KEY_get0_public_key(clnt_ecdh), 2463 EC_KEY_get0_public_key(clnt_ecdh),
2653 POINT_CONVERSION_UNCOMPRESSED, 2464 POINT_CONVERSION_UNCOMPRESSED,
2654 NULL, 0, NULL); 2465 NULL, 0, NULL);
2655 2466
2656 encodedPoint = (unsigned char *) 2467 encodedPoint =
2657 OPENSSL_malloc(encoded_pt_len * 2468 (unsigned char *)OPENSSL_malloc(
2658 sizeof(unsigned char)); 2469 encoded_pt_len * sizeof(unsigned char));
2470
2659 bn_ctx = BN_CTX_new(); 2471 bn_ctx = BN_CTX_new();
2660 if ((encodedPoint == NULL) || 2472 if ((encodedPoint == NULL) ||
2661 (bn_ctx == NULL)) 2473 (bn_ctx == NULL)) {
2662 { 2474 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2663 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2664 goto err; 2475 goto err;
2665 } 2476 }
2666 2477
2667 /* Encode the public key */ 2478 /* Encode the public key */
2668 n = EC_POINT_point2oct(srvr_group, 2479 n = EC_POINT_point2oct(srvr_group,
2669 EC_KEY_get0_public_key(clnt_ecdh), 2480 EC_KEY_get0_public_key(clnt_ecdh),
2670 POINT_CONVERSION_UNCOMPRESSED, 2481 POINT_CONVERSION_UNCOMPRESSED,
2671 encodedPoint, encoded_pt_len, bn_ctx); 2482 encodedPoint, encoded_pt_len, bn_ctx);
2672 2483
2673 *p = n; /* length of encoded point */ 2484 *p = n; /* length of encoded point */
2674 /* Encoded point will be copied here */ 2485 /* Encoded point will be copied here */
2675 p += 1; 2486 p += 1;
2487
2676 /* copy the point */ 2488 /* copy the point */
2677 memcpy((unsigned char *)p, encodedPoint, n); 2489 memcpy((unsigned char *)p, encodedPoint, n);
2678 /* increment n to account for length field */ 2490 /* increment n to account for length field */
2679 n += 1; 2491 n += 1;
2680 } 2492
2493 }
2681 2494
2682 /* Free allocated memory */ 2495 /* Free allocated memory */
2683 BN_CTX_free(bn_ctx); 2496 BN_CTX_free(bn_ctx);
2684 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2497 if (encodedPoint != NULL)
2685 if (clnt_ecdh != NULL) 2498 OPENSSL_free(encodedPoint);
2686 EC_KEY_free(clnt_ecdh); 2499 if (clnt_ecdh != NULL)
2500 EC_KEY_free(clnt_ecdh);
2687 EVP_PKEY_free(srvr_pub_pkey); 2501 EVP_PKEY_free(srvr_pub_pkey);
2688 } 2502 }
2689#endif /* !OPENSSL_NO_ECDH */ 2503#endif /* !OPENSSL_NO_ECDH */
2690 else if (alg_k & SSL_kGOST) 2504 else if (alg_k & SSL_kGOST) {
2691 {
2692 /* GOST key exchange message creation */ 2505 /* GOST key exchange message creation */
2693 EVP_PKEY_CTX *pkey_ctx; 2506 EVP_PKEY_CTX *pkey_ctx;
2694 X509 *peer_cert; 2507 X509 *peer_cert;
2508
2695 size_t msglen; 2509 size_t msglen;
2696 unsigned int md_len; 2510 unsigned int md_len;
2697 int keytype; 2511 int keytype;
2698 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2512 unsigned char premaster_secret[32], shared_ukm[32], tmp[256];
2699 EVP_MD_CTX *ukm_hash; 2513 EVP_MD_CTX *ukm_hash;
2700 EVP_PKEY *pub_key; 2514 EVP_PKEY *pub_key;
2701 2515
2702 /* Get server sertificate PKEY and create ctx from it */ 2516 /* Get server sertificate PKEY and create ctx from it */
2703 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2517 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST01)].x509;
2704 if (!peer_cert) 2518 if (!peer_cert)
2705 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2519 peer_cert = s->session->sess_cert->peer_pkeys[(keytype = SSL_PKEY_GOST94)].x509;
2706 if (!peer_cert) { 2520 if (!peer_cert) {
2707 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2521 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2708 goto err; 2522 goto err;
2709 } 2523 }
2710 2524
2711 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2525 pkey_ctx = EVP_PKEY_CTX_new(pub_key = X509_get_pubkey(peer_cert), NULL);
2712 /* If we have send a certificate, and certificate key 2526 /* If we have send a certificate, and certificate key
2713 2527
2714 * parameters match those of server certificate, use 2528 * parameters match those of server certificate, use
2715 * certificate key for key exchange 2529 * certificate key for key exchange
2716 */ 2530 */
2717 2531
2718 /* Otherwise, generate ephemeral key pair */ 2532 /* Otherwise, generate ephemeral key pair */
2719 2533
2720 EVP_PKEY_encrypt_init(pkey_ctx); 2534 EVP_PKEY_encrypt_init(pkey_ctx);
2721 /* Generate session key */ 2535 /* Generate session key */
2722 RAND_bytes(premaster_secret,32); 2536 RAND_bytes(premaster_secret, 32);
2723 /* If we have client certificate, use its secret as peer key */ 2537 /* If we have client certificate, use its secret as peer key */
2724 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2538 if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2725 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2539 if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <=0) {
2726 /* If there was an error - just ignore it. Ephemeral key 2540 /* If there was an error - just ignore it. Ephemeral key
2727 * would be used 2541 * would be used
2728 */ 2542 */
2729 ERR_clear_error(); 2543 ERR_clear_error();
2730 } 2544 }
2731 } 2545 }
2732 /* Compute shared IV and store it in algorithm-specific 2546 /* Compute shared IV and store it in algorithm-specific
2733 * context data */ 2547 * context data */
2734 ukm_hash = EVP_MD_CTX_create(); 2548 ukm_hash = EVP_MD_CTX_create();
2735 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2549 EVP_DigestInit(ukm_hash, EVP_get_digestbynid(NID_id_GostR3411_94));
2736 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2550 EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE);
2737 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2551 EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE);
2738 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2552 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2739 EVP_MD_CTX_destroy(ukm_hash); 2553 EVP_MD_CTX_destroy(ukm_hash);
2740 if (EVP_PKEY_CTX_ctrl(pkey_ctx,-1,EVP_PKEY_OP_ENCRYPT,EVP_PKEY_CTRL_SET_IV, 2554 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV,
2741 8,shared_ukm)<0) { 2555 8, shared_ukm) < 0) {
2742 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2556 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2743 SSL_R_LIBRARY_BUG); 2557 SSL_R_LIBRARY_BUG);
2744 goto err; 2558 goto err;
2745 } 2559 }
2746 /* Make GOST keytransport blob message */ 2560 /* Make GOST keytransport blob message */
2747 /*Encapsulate it into sequence */ 2561 /*Encapsulate it into sequence */
2748 *(p++)=V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED; 2562 *(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
2749 msglen=255; 2563 msglen = 255;
2750 if (EVP_PKEY_encrypt(pkey_ctx,tmp,&msglen,premaster_secret,32)<0) { 2564 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32) < 0) {
2751 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2565 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2752 SSL_R_LIBRARY_BUG); 2566 SSL_R_LIBRARY_BUG);
2753 goto err; 2567 goto err;
2754 } 2568 }
2755 if (msglen >= 0x80) 2569 if (msglen >= 0x80) {
2756 { 2570 *(p++) = 0x81;
2757 *(p++)=0x81; 2571 *(p++) = msglen & 0xff;
2758 *(p++)= msglen & 0xff; 2572 n = msglen + 3;
2759 n=msglen+3; 2573 } else {
2760 } 2574 *(p++) = msglen & 0xff;
2761 else 2575 n = msglen + 2;
2762 { 2576 }
2763 *(p++)= msglen & 0xff;
2764 n=msglen+2;
2765 }
2766 memcpy(p, tmp, msglen); 2577 memcpy(p, tmp, msglen);
2767 /* Check if pubkey from client certificate was used */ 2578 /* Check if pubkey from client certificate was used */
2768 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2579 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) {
2769 {
2770 /* Set flag "skip certificate verify" */ 2580 /* Set flag "skip certificate verify" */
2771 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY; 2581 s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
2772 } 2582 }
2773 EVP_PKEY_CTX_free(pkey_ctx); 2583 EVP_PKEY_CTX_free(pkey_ctx);
2774 s->session->master_key_length= 2584 s->session->master_key_length =
2775 s->method->ssl3_enc->generate_master_secret(s, 2585 s->method->ssl3_enc->generate_master_secret(s,
2776 s->session->master_key,premaster_secret,32); 2586 s->session->master_key, premaster_secret, 32);
2777 EVP_PKEY_free(pub_key); 2587 EVP_PKEY_free(pub_key);
2778 2588
2779 } 2589 }
2780#ifndef OPENSSL_NO_SRP 2590#ifndef OPENSSL_NO_SRP
2781 else if (alg_k & SSL_kSRP) 2591 else if (alg_k & SSL_kSRP) {
2782 { 2592 if (s->srp_ctx.A != NULL) {
2783 if (s->srp_ctx.A != NULL)
2784 {
2785 /* send off the data */ 2593 /* send off the data */
2786 n=BN_num_bytes(s->srp_ctx.A); 2594 n = BN_num_bytes(s->srp_ctx.A);
2787 s2n(n,p); 2595 s2n(n, p);
2788 BN_bn2bin(s->srp_ctx.A,p); 2596 BN_bn2bin(s->srp_ctx.A, p);
2789 n+=2; 2597 n += 2;
2790 } 2598 } else {
2791 else 2599 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2792 {
2793 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2794 goto err; 2600 goto err;
2795 } 2601 }
2796 if (s->session->srp_username != NULL) 2602 if (s->session->srp_username != NULL)
2797 OPENSSL_free(s->session->srp_username); 2603 OPENSSL_free(s->session->srp_username);
2798 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2604 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2799 if (s->session->srp_username == NULL) 2605 if (s->session->srp_username == NULL) {
2800 {
2801 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2606 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2802 ERR_R_MALLOC_FAILURE); 2607 ERR_R_MALLOC_FAILURE);
2803 goto err; 2608 goto err;
2804 } 2609 }
2805 2610
2806 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0) 2611 if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
2807 { 2612 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2808 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2809 goto err; 2613 goto err;
2810 }
2811 } 2614 }
2615 }
2812#endif 2616#endif
2813#ifndef OPENSSL_NO_PSK 2617#ifndef OPENSSL_NO_PSK
2814 else if (alg_k & SSL_kPSK) 2618 else if (alg_k & SSL_kPSK) {
2815 {
2816 char identity[PSK_MAX_IDENTITY_LEN]; 2619 char identity[PSK_MAX_IDENTITY_LEN];
2817 unsigned char *t = NULL; 2620 unsigned char *t = NULL;
2818 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2621 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2819 unsigned int pre_ms_len = 0, psk_len = 0; 2622 unsigned int pre_ms_len = 0, psk_len = 0;
2820 int psk_err = 1; 2623 int psk_err = 1;
2821 2624
2822 n = 0; 2625 n = 0;
2823 if (s->psk_client_callback == NULL) 2626 if (s->psk_client_callback == NULL) {
2824 {
2825 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2627 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2826 SSL_R_PSK_NO_CLIENT_CB); 2628 SSL_R_PSK_NO_CLIENT_CB);
2827 goto err; 2629 goto err;
2828 } 2630 }
2829 2631
2830 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 2632 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
2831 identity, PSK_MAX_IDENTITY_LEN, 2633 identity, PSK_MAX_IDENTITY_LEN,
2832 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2634 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2833 if (psk_len > PSK_MAX_PSK_LEN) 2635 if (psk_len > PSK_MAX_PSK_LEN) {
2834 {
2835 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2636 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2836 ERR_R_INTERNAL_ERROR); 2637 ERR_R_INTERNAL_ERROR);
2837 goto psk_err; 2638 goto psk_err;
2838 } 2639 } else if (psk_len == 0) {
2839 else if (psk_len == 0)
2840 {
2841 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2640 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2842 SSL_R_PSK_IDENTITY_NOT_FOUND); 2641 SSL_R_PSK_IDENTITY_NOT_FOUND);
2843 goto psk_err; 2642 goto psk_err;
2844 } 2643 }
2845 2644
2846 /* create PSK pre_master_secret */ 2645 /* create PSK pre_master_secret */
2847 pre_ms_len = 2+psk_len+2+psk_len; 2646 pre_ms_len = 2 + psk_len + 2 + psk_len;
2848 t = psk_or_pre_ms; 2647 t = psk_or_pre_ms;
2849 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2648 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2850 s2n(psk_len, t); 2649 s2n(psk_len, t);
2851 memset(t, 0, psk_len); 2650 memset(t, 0, psk_len);
2852 t+=psk_len; 2651 t += psk_len;
2853 s2n(psk_len, t); 2652 s2n(psk_len, t);
2854 2653
2855 if (s->session->psk_identity_hint != NULL) 2654 if (s->session->psk_identity_hint != NULL)
2856 OPENSSL_free(s->session->psk_identity_hint); 2655 OPENSSL_free(s->session->psk_identity_hint);
2857 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2656 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2858 if (s->ctx->psk_identity_hint != NULL && 2657 if (s->ctx->psk_identity_hint != NULL &&
2859 s->session->psk_identity_hint == NULL) 2658 s->session->psk_identity_hint == NULL) {
2860 {
2861 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2659 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2862 ERR_R_MALLOC_FAILURE); 2660 ERR_R_MALLOC_FAILURE);
2863 goto psk_err; 2661 goto psk_err;
2864 } 2662 }
2865 2663
2866 if (s->session->psk_identity != NULL) 2664 if (s->session->psk_identity != NULL)
2867 OPENSSL_free(s->session->psk_identity); 2665 OPENSSL_free(s->session->psk_identity);
2868 s->session->psk_identity = BUF_strdup(identity); 2666 s->session->psk_identity = BUF_strdup(identity);
2869 if (s->session->psk_identity == NULL) 2667 if (s->session->psk_identity == NULL) {
2870 {
2871 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2668 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2872 ERR_R_MALLOC_FAILURE); 2669 ERR_R_MALLOC_FAILURE);
2873 goto psk_err; 2670 goto psk_err;
2874 } 2671 }
2875 2672
2876 s->session->master_key_length = 2673 s->session->master_key_length =
2877 s->method->ssl3_enc->generate_master_secret(s, 2674 s->method->ssl3_enc->generate_master_secret(
2878 s->session->master_key, 2675 s, s->session->master_key, psk_or_pre_ms,
2879 psk_or_pre_ms, pre_ms_len); 2676 pre_ms_len);
2677
2880 n = strlen(identity); 2678 n = strlen(identity);
2881 s2n(n, p); 2679 s2n(n, p);
2882 memcpy(p, identity, n); 2680 memcpy(p, identity, n);
2883 n+=2; 2681 n += 2;
2884 psk_err = 0; 2682 psk_err = 0;
2885 psk_err: 2683 psk_err:
2886 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 2684 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
2887 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2685 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2888 if (psk_err != 0) 2686 if (psk_err != 0) {
2889 {
2890 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 2687 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2891 goto err; 2688 goto err;
2892 }
2893 } 2689 }
2690 }
2894#endif 2691#endif
2895 else 2692 else {
2896 {
2897 ssl3_send_alert(s, SSL3_AL_FATAL, 2693 ssl3_send_alert(s, SSL3_AL_FATAL,
2898 SSL_AD_HANDSHAKE_FAILURE); 2694 SSL_AD_HANDSHAKE_FAILURE);
2899 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2695 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2900 ERR_R_INTERNAL_ERROR); 2696 ERR_R_INTERNAL_ERROR);
2901 goto err; 2697 goto err;
2902 } 2698 }
2903
2904 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
2905 l2n3(n,d);
2906 2699
2907 s->state=SSL3_ST_CW_KEY_EXCH_B; 2700 *(d++) = SSL3_MT_CLIENT_KEY_EXCHANGE;
2701 l2n3(n, d);
2702
2703 s->state = SSL3_ST_CW_KEY_EXCH_B;
2908 /* number of bytes to write */ 2704 /* number of bytes to write */
2909 s->init_num=n+4; 2705 s->init_num = n + 4;
2910 s->init_off=0; 2706 s->init_off = 0;
2911 } 2707 }
2912 2708
2913 /* SSL3_ST_CW_KEY_EXCH_B */ 2709 /* SSL3_ST_CW_KEY_EXCH_B */
2914 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2710 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2915err: 2711err:
2916#ifndef OPENSSL_NO_ECDH 2712#ifndef OPENSSL_NO_ECDH
2917 BN_CTX_free(bn_ctx); 2713 BN_CTX_free(bn_ctx);
2918 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2714 if (encodedPoint != NULL)
2919 if (clnt_ecdh != NULL) 2715 OPENSSL_free(encodedPoint);
2716 if (clnt_ecdh != NULL)
2920 EC_KEY_free(clnt_ecdh); 2717 EC_KEY_free(clnt_ecdh);
2921 EVP_PKEY_free(srvr_pub_pkey); 2718 EVP_PKEY_free(srvr_pub_pkey);
2922#endif 2719#endif
2923 return(-1); 2720 return (-1);
2924 } 2721}
2925 2722
2926int ssl3_send_client_verify(SSL *s) 2723int
2927 { 2724ssl3_send_client_verify(SSL *s)
2928 unsigned char *p,*d; 2725{
2929 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2726 unsigned char *p, *d;
2727 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
2930 EVP_PKEY *pkey; 2728 EVP_PKEY *pkey;
2931 EVP_PKEY_CTX *pctx=NULL; 2729 EVP_PKEY_CTX *pctx = NULL;
2932 EVP_MD_CTX mctx; 2730 EVP_MD_CTX mctx;
2933 unsigned u=0; 2731 unsigned u = 0;
2934 unsigned long n; 2732 unsigned long n;
2935 int j; 2733 int j;
2936 2734
2937 EVP_MD_CTX_init(&mctx); 2735 EVP_MD_CTX_init(&mctx);
2938 2736
2939 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2737 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
2940 { 2738 d = (unsigned char *)s->init_buf->data;
2941 d=(unsigned char *)s->init_buf->data; 2739 p = &(d[4]);
2942 p= &(d[4]); 2740 pkey = s->cert->key->privatekey;
2943 pkey=s->cert->key->privatekey;
2944/* Create context from key and test if sha1 is allowed as digest */ 2741/* Create context from key and test if sha1 is allowed as digest */
2945 pctx = EVP_PKEY_CTX_new(pkey,NULL); 2742 pctx = EVP_PKEY_CTX_new(pkey, NULL);
2946 EVP_PKEY_sign_init(pctx); 2743 EVP_PKEY_sign_init(pctx);
2947 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2744 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
2948 {
2949 if (TLS1_get_version(s) < TLS1_2_VERSION) 2745 if (TLS1_get_version(s) < TLS1_2_VERSION)
2950 s->method->ssl3_enc->cert_verify_mac(s, 2746 s->method->ssl3_enc->cert_verify_mac(s,
2951 NID_sha1, 2747 NID_sha1,
2952 &(data[MD5_DIGEST_LENGTH])); 2748 &(data[MD5_DIGEST_LENGTH]));
2953 } 2749 } else {
2954 else
2955 {
2956 ERR_clear_error(); 2750 ERR_clear_error();
2957 } 2751 }
2958 /* For TLS v1.2 send signature algorithm and signature 2752 /* For TLS v1.2 send signature algorithm and signature
2959 * using agreed digest and cached handshake records. 2753 * using agreed digest and cached handshake records.
2960 */ 2754 */
2961 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2755 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2962 {
2963 long hdatalen = 0; 2756 long hdatalen = 0;
2964 void *hdata; 2757 void *hdata;
2965 const EVP_MD *md = s->cert->key->digest; 2758 const EVP_MD *md = s->cert->key->digest;
2966 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, 2759 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2967 &hdata); 2760 &hdata);
2968 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) 2761 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md)) {
2969 {
2970 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2762 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2971 ERR_R_INTERNAL_ERROR); 2763 ERR_R_INTERNAL_ERROR);
2972 goto err; 2764 goto err;
2973 } 2765 }
2974 p += 2; 2766 p += 2;
2975#ifdef SSL_DEBUG 2767#ifdef SSL_DEBUG
2976 fprintf(stderr, "Using TLS 1.2 with client alg %s\n", 2768 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2977 EVP_MD_name(md)); 2769 EVP_MD_name(md));
2978#endif 2770#endif
2979 if (!EVP_SignInit_ex(&mctx, md, NULL) 2771 if (!EVP_SignInit_ex(&mctx, md, NULL) ||
2980 || !EVP_SignUpdate(&mctx, hdata, hdatalen) 2772 !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
2981 || !EVP_SignFinal(&mctx, p + 2, &u, pkey)) 2773 !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
2982 {
2983 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2774 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2984 ERR_R_EVP_LIB); 2775 ERR_R_EVP_LIB);
2985 goto err; 2776 goto err;
2986 } 2777 }
2987 s2n(u,p); 2778 s2n(u, p);
2988 n = u + 4; 2779 n = u + 4;
2989 if (!ssl3_digest_cached_records(s)) 2780 if (!ssl3_digest_cached_records(s))
2990 goto err; 2781 goto err;
2991 } 2782 } else
2992 else
2993#ifndef OPENSSL_NO_RSA 2783#ifndef OPENSSL_NO_RSA
2994 if (pkey->type == EVP_PKEY_RSA) 2784 if (pkey->type == EVP_PKEY_RSA) {
2995 { 2785 s->method->ssl3_enc->cert_verify_mac(
2996 s->method->ssl3_enc->cert_verify_mac(s, 2786 s, NID_md5, &(data[0]));
2997 NID_md5,
2998 &(data[0]));
2999 if (RSA_sign(NID_md5_sha1, data, 2787 if (RSA_sign(NID_md5_sha1, data,
3000 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 2788 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
3001 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 2789 &u, pkey->pkey.rsa) <= 0 ) {
3002 { 2790 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB);
3003 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
3004 goto err; 2791 goto err;
3005 }
3006 s2n(u,p);
3007 n=u+2;
3008 } 2792 }
3009 else 2793 s2n(u, p);
2794 n = u + 2;
2795 } else
3010#endif 2796#endif
3011#ifndef OPENSSL_NO_DSA 2797#ifndef OPENSSL_NO_DSA
3012 if (pkey->type == EVP_PKEY_DSA) 2798 if (pkey->type == EVP_PKEY_DSA) {
3013 {
3014 if (!DSA_sign(pkey->save_type, 2799 if (!DSA_sign(pkey->save_type,
3015 &(data[MD5_DIGEST_LENGTH]), 2800 &(data[MD5_DIGEST_LENGTH]),
3016 SHA_DIGEST_LENGTH,&(p[2]), 2801 SHA_DIGEST_LENGTH, &(p[2]),
3017 (unsigned int *)&j,pkey->pkey.dsa)) 2802 (unsigned int *)&j, pkey->pkey.dsa)) {
3018 { 2803 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB);
3019 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
3020 goto err; 2804 goto err;
3021 }
3022 s2n(j,p);
3023 n=j+2;
3024 } 2805 }
3025 else 2806 s2n(j, p);
2807 n = j + 2;
2808 } else
3026#endif 2809#endif
3027#ifndef OPENSSL_NO_ECDSA 2810#ifndef OPENSSL_NO_ECDSA
3028 if (pkey->type == EVP_PKEY_EC) 2811 if (pkey->type == EVP_PKEY_EC) {
3029 {
3030 if (!ECDSA_sign(pkey->save_type, 2812 if (!ECDSA_sign(pkey->save_type,
3031 &(data[MD5_DIGEST_LENGTH]), 2813 &(data[MD5_DIGEST_LENGTH]),
3032 SHA_DIGEST_LENGTH,&(p[2]), 2814 SHA_DIGEST_LENGTH, &(p[2]),
3033 (unsigned int *)&j,pkey->pkey.ec)) 2815 (unsigned int *)&j, pkey->pkey.ec)) {
3034 {
3035 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2816 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3036 ERR_R_ECDSA_LIB); 2817 ERR_R_ECDSA_LIB);
3037 goto err; 2818 goto err;
3038 }
3039 s2n(j,p);
3040 n=j+2;
3041 } 2819 }
3042 else 2820 s2n(j, p);
2821 n = j + 2;
2822 } else
3043#endif 2823#endif
3044 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2824 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3045 { 2825 unsigned char signbuf[64];
3046 unsigned char signbuf[64]; 2826 int i;
3047 int i; 2827 size_t sigsize = 64;
3048 size_t sigsize=64; 2828 s->method->ssl3_enc->cert_verify_mac(s,
3049 s->method->ssl3_enc->cert_verify_mac(s,
3050 NID_id_GostR3411_94, 2829 NID_id_GostR3411_94,
3051 data); 2830 data);
3052 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { 2831 if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) {
3053 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, 2832 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
3054 ERR_R_INTERNAL_ERROR); 2833 ERR_R_INTERNAL_ERROR);
3055 goto err; 2834 goto err;
3056 } 2835 }
3057 for (i=63,j=0; i>=0; j++, i--) { 2836 for (i = 63, j = 0; i >= 0; j++, i--) {
3058 p[2+j]=signbuf[i]; 2837 p[2 + j] = signbuf[i];
3059 } 2838 }
3060 s2n(j,p); 2839 s2n(j, p);
3061 n=j+2; 2840 n = j + 2;
3062 } 2841 } else {
3063 else 2842 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
3064 {
3065 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
3066 goto err; 2843 goto err;
3067 } 2844 }
3068 *(d++)=SSL3_MT_CERTIFICATE_VERIFY; 2845 *(d++) = SSL3_MT_CERTIFICATE_VERIFY;
3069 l2n3(n,d); 2846 l2n3(n, d);
3070 2847
3071 s->state=SSL3_ST_CW_CERT_VRFY_B; 2848 s->state = SSL3_ST_CW_CERT_VRFY_B;
3072 s->init_num=(int)n+4; 2849 s->init_num = (int)n + 4;
3073 s->init_off=0; 2850 s->init_off = 0;
3074 } 2851 }
3075 EVP_MD_CTX_cleanup(&mctx); 2852 EVP_MD_CTX_cleanup(&mctx);
3076 EVP_PKEY_CTX_free(pctx); 2853 EVP_PKEY_CTX_free(pctx);
3077 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 2854 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3078err: 2855err:
3079 EVP_MD_CTX_cleanup(&mctx); 2856 EVP_MD_CTX_cleanup(&mctx);
3080 EVP_PKEY_CTX_free(pctx); 2857 EVP_PKEY_CTX_free(pctx);
3081 return(-1); 2858 return (-1);
3082 } 2859}
3083 2860
3084int ssl3_send_client_certificate(SSL *s) 2861int
3085 { 2862ssl3_send_client_certificate(SSL *s)
3086 X509 *x509=NULL; 2863{
3087 EVP_PKEY *pkey=NULL; 2864 X509 *x509 = NULL;
2865 EVP_PKEY *pkey = NULL;
3088 int i; 2866 int i;
3089 unsigned long l; 2867 unsigned long l;
3090 2868
3091 if (s->state == SSL3_ST_CW_CERT_A) 2869 if (s->state == SSL3_ST_CW_CERT_A) {
3092 { 2870 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
3093 if ((s->cert == NULL) || 2871 (s->cert->key->privatekey == NULL))
3094 (s->cert->key->x509 == NULL) || 2872 s->state = SSL3_ST_CW_CERT_B;
3095 (s->cert->key->privatekey == NULL))
3096 s->state=SSL3_ST_CW_CERT_B;
3097 else 2873 else
3098 s->state=SSL3_ST_CW_CERT_C; 2874 s->state = SSL3_ST_CW_CERT_C;
3099 } 2875 }
3100 2876
3101 /* We need to get a client cert */ 2877 /* We need to get a client cert */
3102 if (s->state == SSL3_ST_CW_CERT_B) 2878 if (s->state == SSL3_ST_CW_CERT_B) {
3103 {
3104 /* If we get an error, we need to 2879 /* If we get an error, we need to
3105 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 2880 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
3106 * We then get retied later */ 2881 * We then get retied later */
3107 i=0; 2882 i = 0;
3108 i = ssl_do_client_cert_cb(s, &x509, &pkey); 2883 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3109 if (i < 0) 2884 if (i < 0) {
3110 { 2885 s->rwstate = SSL_X509_LOOKUP;
3111 s->rwstate=SSL_X509_LOOKUP; 2886 return (-1);
3112 return(-1); 2887 }
3113 } 2888 s->rwstate = SSL_NOTHING;
3114 s->rwstate=SSL_NOTHING; 2889 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3115 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 2890 s->state = SSL3_ST_CW_CERT_B;
3116 { 2891 if (!SSL_use_certificate(s, x509) ||
3117 s->state=SSL3_ST_CW_CERT_B; 2892 !SSL_use_PrivateKey(s, pkey))
3118 if ( !SSL_use_certificate(s,x509) || 2893 i = 0;
3119 !SSL_use_PrivateKey(s,pkey)) 2894 } else if (i == 1) {
3120 i=0; 2895 i = 0;
3121 } 2896 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3122 else if (i == 1) 2897 }
3123 { 2898
3124 i=0; 2899 if (x509 != NULL)
3125 SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 2900 X509_free(x509);
3126 } 2901 if (pkey != NULL)
3127 2902 EVP_PKEY_free(pkey);
3128 if (x509 != NULL) X509_free(x509); 2903 if (i == 0) {
3129 if (pkey != NULL) EVP_PKEY_free(pkey); 2904 if (s->version == SSL3_VERSION) {
3130 if (i == 0) 2905 s->s3->tmp.cert_req = 0;
3131 { 2906 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3132 if (s->version == SSL3_VERSION) 2907 return (1);
3133 { 2908 } else {
3134 s->s3->tmp.cert_req=0; 2909 s->s3->tmp.cert_req = 2;
3135 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
3136 return(1);
3137 }
3138 else
3139 {
3140 s->s3->tmp.cert_req=2;
3141 }
3142 } 2910 }
2911 }
3143 2912
3144 /* Ok, we have a cert */ 2913 /* Ok, we have a cert */
3145 s->state=SSL3_ST_CW_CERT_C; 2914 s->state = SSL3_ST_CW_CERT_C;
3146 } 2915 }
3147 2916
3148 if (s->state == SSL3_ST_CW_CERT_C) 2917 if (s->state == SSL3_ST_CW_CERT_C) {
3149 { 2918 s->state = SSL3_ST_CW_CERT_D;
3150 s->state=SSL3_ST_CW_CERT_D; 2919 l = ssl3_output_cert_chain(s,
3151 l=ssl3_output_cert_chain(s, 2920 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
3152 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 2921 s->init_num = (int)l;
3153 s->init_num=(int)l; 2922 s->init_off = 0;
3154 s->init_off=0;
3155 }
3156 /* SSL3_ST_CW_CERT_D */
3157 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3158 } 2923 }
2924 /* SSL3_ST_CW_CERT_D */
2925 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2926}
3159 2927
3160#define has_bits(i,m) (((i)&(m)) == (m)) 2928#define has_bits(i,m) (((i)&(m)) == (m))
3161 2929
3162int ssl3_check_cert_and_algorithm(SSL *s) 2930int
3163 { 2931ssl3_check_cert_and_algorithm(SSL *s)
3164 int i,idx; 2932{
3165 long alg_k,alg_a; 2933 int i, idx;
3166 EVP_PKEY *pkey=NULL; 2934 long alg_k, alg_a;
2935 EVP_PKEY *pkey = NULL;
3167 SESS_CERT *sc; 2936 SESS_CERT *sc;
3168#ifndef OPENSSL_NO_RSA 2937#ifndef OPENSSL_NO_RSA
3169 RSA *rsa; 2938 RSA *rsa;
@@ -3172,138 +2941,120 @@ int ssl3_check_cert_and_algorithm(SSL *s)
3172 DH *dh; 2941 DH *dh;
3173#endif 2942#endif
3174 2943
3175 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2944 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3176 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 2945 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3177 2946
3178 /* we don't have a certificate */ 2947 /* we don't have a certificate */
3179 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) 2948 if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
3180 return(1); 2949 return (1);
3181 2950
3182 sc=s->session->sess_cert; 2951 sc = s->session->sess_cert;
3183 if (sc == NULL) 2952 if (sc == NULL) {
3184 { 2953 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
3185 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
3186 goto err; 2954 goto err;
3187 } 2955 }
3188 2956
3189#ifndef OPENSSL_NO_RSA 2957#ifndef OPENSSL_NO_RSA
3190 rsa=s->session->sess_cert->peer_rsa_tmp; 2958 rsa = s->session->sess_cert->peer_rsa_tmp;
3191#endif 2959#endif
3192#ifndef OPENSSL_NO_DH 2960#ifndef OPENSSL_NO_DH
3193 dh=s->session->sess_cert->peer_dh_tmp; 2961 dh = s->session->sess_cert->peer_dh_tmp;
3194#endif 2962#endif
3195 2963
3196 /* This is the passed certificate */ 2964 /* This is the passed certificate */
3197 2965
3198 idx=sc->peer_cert_type; 2966 idx = sc->peer_cert_type;
3199#ifndef OPENSSL_NO_ECDH 2967#ifndef OPENSSL_NO_ECDH
3200 if (idx == SSL_PKEY_ECC) 2968 if (idx == SSL_PKEY_ECC) {
3201 {
3202 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 2969 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
3203 s) == 0) 2970 s) == 0)
3204 { /* check failed */ 2971 { /* check failed */
3205 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 2972 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3206 goto f_err; 2973 goto f_err;
3207 } 2974 } else {
3208 else
3209 {
3210 return 1; 2975 return 1;
3211 }
3212 } 2976 }
2977 }
3213#endif 2978#endif
3214 pkey=X509_get_pubkey(sc->peer_pkeys[idx].x509); 2979 pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
3215 i=X509_certificate_type(sc->peer_pkeys[idx].x509,pkey); 2980 i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
3216 EVP_PKEY_free(pkey); 2981 EVP_PKEY_free(pkey);
3217 2982
3218 2983
3219 /* Check that we have a certificate if we require one */ 2984 /* Check that we have a certificate if we require one */
3220 if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN)) 2985 if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
3221 { 2986 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_SIGNING_CERT);
3222 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
3223 goto f_err; 2987 goto f_err;
3224 } 2988 }
3225#ifndef OPENSSL_NO_DSA 2989#ifndef OPENSSL_NO_DSA
3226 else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) 2990 else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
3227 { 2991 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DSA_SIGNING_CERT);
3228 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
3229 goto f_err; 2992 goto f_err;
3230 } 2993 }
3231#endif 2994#endif
3232#ifndef OPENSSL_NO_RSA 2995#ifndef OPENSSL_NO_RSA
3233 if ((alg_k & SSL_kRSA) && 2996 if ((alg_k & SSL_kRSA) &&
3234 !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) 2997 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) {
3235 { 2998 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3236 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3237 goto f_err; 2999 goto f_err;
3238 } 3000 }
3239#endif 3001#endif
3240#ifndef OPENSSL_NO_DH 3002#ifndef OPENSSL_NO_DH
3241 if ((alg_k & SSL_kEDH) && 3003 if ((alg_k & SSL_kEDH) &&
3242 !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) 3004 !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
3243 { 3005 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY);
3244 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
3245 goto f_err; 3006 goto f_err;
3246 } 3007 } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH|EVP_PKS_RSA)) {
3247 else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) 3008 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT);
3248 {
3249 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
3250 goto f_err; 3009 goto f_err;
3251 } 3010 }
3252#ifndef OPENSSL_NO_DSA 3011#ifndef OPENSSL_NO_DSA
3253 else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) 3012 else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH|EVP_PKS_DSA)) {
3254 { 3013 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT);
3255 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
3256 goto f_err; 3014 goto f_err;
3257 } 3015 }
3258#endif 3016#endif
3259#endif 3017#endif
3260 3018
3261 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) 3019 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
3262 {
3263#ifndef OPENSSL_NO_RSA 3020#ifndef OPENSSL_NO_RSA
3264 if (alg_k & SSL_kRSA) 3021 if (alg_k & SSL_kRSA) {
3265 { 3022 if (rsa == NULL ||
3266 if (rsa == NULL 3023 RSA_size(rsa) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3267 || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3024 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3268 {
3269 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
3270 goto f_err; 3025 goto f_err;
3271 }
3272 } 3026 }
3273 else 3027 } else
3274#endif 3028#endif
3275#ifndef OPENSSL_NO_DH 3029#ifndef OPENSSL_NO_DH
3276 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 3030 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
3277 { 3031 if (dh == NULL ||
3278 if (dh == NULL 3032 DH_size(dh) * 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
3279 || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) 3033 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3280 {
3281 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
3282 goto f_err; 3034 goto f_err;
3283 }
3284 } 3035 }
3285 else 3036 } else
3286#endif 3037#endif
3287 { 3038 {
3288 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 3039 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
3289 goto f_err; 3040 goto f_err;
3290 }
3291 } 3041 }
3292 return(1); 3042 }
3043 return (1);
3293f_err: 3044f_err:
3294 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 3045 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
3295err: 3046err:
3296 return(0); 3047 return (0);
3297 } 3048}
3298 3049
3299#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 3050#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3300int ssl3_send_next_proto(SSL *s) 3051int
3301 { 3052ssl3_send_next_proto(SSL *s)
3053{
3302 unsigned int len, padding_len; 3054 unsigned int len, padding_len;
3303 unsigned char *d; 3055 unsigned char *d;
3304 3056
3305 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) 3057 if (s->state == SSL3_ST_CW_NEXT_PROTO_A) {
3306 {
3307 len = s->next_proto_negotiated_len; 3058 len = s->next_proto_negotiated_len;
3308 padding_len = 32 - ((len + 2) % 32); 3059 padding_len = 32 - ((len + 2) % 32);
3309 d = (unsigned char *)s->init_buf->data; 3060 d = (unsigned char *)s->init_buf->data;
@@ -3311,12 +3062,12 @@ int ssl3_send_next_proto(SSL *s)
3311 memcpy(d + 5, s->next_proto_negotiated, len); 3062 memcpy(d + 5, s->next_proto_negotiated, len);
3312 d[5 + len] = padding_len; 3063 d[5 + len] = padding_len;
3313 memset(d + 6 + len, 0, padding_len); 3064 memset(d + 6 + len, 0, padding_len);
3314 *(d++)=SSL3_MT_NEXT_PROTO; 3065 *(d++) = SSL3_MT_NEXT_PROTO;
3315 l2n3(2 + len + padding_len, d); 3066 l2n3(2 + len + padding_len, d);
3316 s->state = SSL3_ST_CW_NEXT_PROTO_B; 3067 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3317 s->init_num = 4 + 2 + len + padding_len; 3068 s->init_num = 4 + 2 + len + padding_len;
3318 s->init_off = 0; 3069 s->init_off = 0;
3319 } 3070 }
3320 3071
3321 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 3072 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3322} 3073}
@@ -3328,8 +3079,9 @@ int ssl3_send_next_proto(SSL *s)
3328 */ 3079 */
3329 3080
3330#ifndef OPENSSL_NO_TLSEXT 3081#ifndef OPENSSL_NO_TLSEXT
3331int ssl3_check_finished(SSL *s) 3082int
3332 { 3083ssl3_check_finished(SSL *s)
3084{
3333 int ok; 3085 int ok;
3334 long n; 3086 long n;
3335 /* If we have no ticket it cannot be a resumed session. */ 3087 /* If we have no ticket it cannot be a resumed session. */
@@ -3337,36 +3089,33 @@ int ssl3_check_finished(SSL *s)
3337 return 1; 3089 return 1;
3338 /* this function is called when we really expect a Certificate 3090 /* this function is called when we really expect a Certificate
3339 * message, so permit appropriate message length */ 3091 * message, so permit appropriate message length */
3340 n=s->method->ssl_get_message(s, 3092 n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A,
3341 SSL3_ST_CR_CERT_A, 3093 SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok);
3342 SSL3_ST_CR_CERT_B, 3094 if (!ok)
3343 -1, 3095 return ((int)n);
3344 s->max_cert_list,
3345 &ok);
3346 if (!ok) return((int)n);
3347 s->s3->tmp.reuse_message = 1; 3096 s->s3->tmp.reuse_message = 1;
3348 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) 3097 if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) ||
3349 || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) 3098 (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
3350 return 2; 3099 return 2;
3351 3100
3352 return 1; 3101 return 1;
3353 } 3102}
3354#endif 3103#endif
3355 3104
3356int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) 3105int
3357 { 3106ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3107{
3358 int i = 0; 3108 int i = 0;
3359#ifndef OPENSSL_NO_ENGINE 3109#ifndef OPENSSL_NO_ENGINE
3360 if (s->ctx->client_cert_engine) 3110 if (s->ctx->client_cert_engine) {
3361 {
3362 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, 3111 i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3363 SSL_get_client_CA_list(s), 3112 SSL_get_client_CA_list(s),
3364 px509, ppkey, NULL, NULL, NULL); 3113 px509, ppkey, NULL, NULL, NULL);
3365 if (i != 0) 3114 if (i != 0)
3366 return i; 3115 return i;
3367 } 3116 }
3368#endif 3117#endif
3369 if (s->ctx->client_cert_cb) 3118 if (s->ctx->client_cert_cb)
3370 i = s->ctx->client_cert_cb(s,px509,ppkey); 3119 i = s->ctx->client_cert_cb(s, px509, ppkey);
3371 return i; 3120 return i;
3372 } 3121}
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 518dfcd5e2..eeadb160d1 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -171,92 +171,86 @@
171 171
172static const SSL_METHOD *ssl3_get_server_method(int ver); 172static const SSL_METHOD *ssl3_get_server_method(int ver);
173 173
174static const SSL_METHOD *ssl3_get_server_method(int ver) 174static const SSL_METHOD
175 { 175*ssl3_get_server_method(int ver)
176{
176 if (ver == SSL3_VERSION) 177 if (ver == SSL3_VERSION)
177 return(SSLv3_server_method()); 178 return (SSLv3_server_method());
178 else 179 else
179 return(NULL); 180 return (NULL);
180 } 181}
181 182
182#ifndef OPENSSL_NO_SRP 183#ifndef OPENSSL_NO_SRP
183static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) 184static int
184 { 185ssl_check_srp_ext_ClientHello(SSL *s, int *al)
186{
185 int ret = SSL_ERROR_NONE; 187 int ret = SSL_ERROR_NONE;
186 188
187 *al = SSL_AD_UNRECOGNIZED_NAME; 189 *al = SSL_AD_UNRECOGNIZED_NAME;
188 190
189 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && 191 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
190 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) 192 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
191 { 193 if (s->srp_ctx.login == NULL) {
192 if(s->srp_ctx.login == NULL)
193 {
194 /* RFC 5054 says SHOULD reject, 194 /* RFC 5054 says SHOULD reject,
195 we do so if There is no srp login name */ 195 we do so if There is no srp login name */
196 ret = SSL3_AL_FATAL; 196 ret = SSL3_AL_FATAL;
197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
198 } 198 } else {
199 else 199 ret = SSL_srp_server_param_with_username(s, al);
200 {
201 ret = SSL_srp_server_param_with_username(s,al);
202 }
203 } 200 }
204 return ret;
205 } 201 }
202 return ret;
203}
206#endif 204#endif
207 205
208IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 206IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
209 ssl3_accept, 207 ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
210 ssl_undefined_function,
211 ssl3_get_server_method)
212 208
213int ssl3_accept(SSL *s) 209int
214 { 210ssl3_accept(SSL *s)
211{
215 BUF_MEM *buf; 212 BUF_MEM *buf;
216 unsigned long alg_k,Time=(unsigned long)time(NULL); 213 unsigned long alg_k, Time = (unsigned long)time(NULL);
217 void (*cb)(const SSL *ssl,int type,int val)=NULL; 214 void (*cb)(const SSL *ssl, int type, int val) = NULL;
218 int ret= -1; 215 int ret = -1;
219 int new_state,state,skip=0; 216 int new_state, state, skip = 0;
220 217
221 RAND_add(&Time,sizeof(Time),0); 218 RAND_add(&Time, sizeof(Time), 0);
222 ERR_clear_error(); 219 ERR_clear_error();
223 errno = 0; 220 errno = 0;
224 221
225 if (s->info_callback != NULL) 222 if (s->info_callback != NULL)
226 cb=s->info_callback; 223 cb = s->info_callback;
227 else if (s->ctx->info_callback != NULL) 224 else if (s->ctx->info_callback != NULL)
228 cb=s->ctx->info_callback; 225 cb = s->ctx->info_callback;
229 226
230 /* init things to blank */ 227 /* init things to blank */
231 s->in_handshake++; 228 s->in_handshake++;
232 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 229 if (!SSL_in_init(s) || SSL_in_before(s))
230 SSL_clear(s);
233 231
234 if (s->cert == NULL) 232 if (s->cert == NULL) {
235 { 233 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
236 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 234 return (-1);
237 return(-1); 235 }
238 }
239 236
240#ifndef OPENSSL_NO_HEARTBEATS 237#ifndef OPENSSL_NO_HEARTBEATS
241 /* If we're awaiting a HeartbeatResponse, pretend we 238 /* If we're awaiting a HeartbeatResponse, pretend we
242 * already got and don't await it anymore, because 239 * already got and don't await it anymore, because
243 * Heartbeats don't make sense during handshakes anyway. 240 * Heartbeats don't make sense during handshakes anyway.
244 */ 241 */
245 if (s->tlsext_hb_pending) 242 if (s->tlsext_hb_pending) {
246 {
247 s->tlsext_hb_pending = 0; 243 s->tlsext_hb_pending = 0;
248 s->tlsext_hb_seq++; 244 s->tlsext_hb_seq++;
249 } 245 }
250#endif 246#endif
251 247
252 for (;;) 248 for (;;) {
253 { 249 state = s->state;
254 state=s->state;
255 250
256 switch (s->state) 251 switch (s->state) {
257 {
258 case SSL_ST_RENEGOTIATE: 252 case SSL_ST_RENEGOTIATE:
259 s->renegotiate=1; 253 s->renegotiate = 1;
260 /* s->state=SSL_ST_ACCEPT; */ 254 /* s->state=SSL_ST_ACCEPT; */
261 255
262 case SSL_ST_BEFORE: 256 case SSL_ST_BEFORE:
@@ -264,146 +258,143 @@ int ssl3_accept(SSL *s)
264 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 258 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
265 case SSL_ST_OK|SSL_ST_ACCEPT: 259 case SSL_ST_OK|SSL_ST_ACCEPT:
266 260
267 s->server=1; 261 s->server = 1;
268 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 262 if (cb != NULL)
263 cb(s, SSL_CB_HANDSHAKE_START, 1);
269 264
270 if ((s->version>>8) != 3) 265 if ((s->version >> 8) != 3) {
271 {
272 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 266 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
273 return -1; 267 return -1;
274 } 268 }
275 s->type=SSL_ST_ACCEPT; 269 s->type = SSL_ST_ACCEPT;
276 270
277 if (s->init_buf == NULL) 271 if (s->init_buf == NULL) {
278 { 272 if ((buf = BUF_MEM_new()) == NULL) {
279 if ((buf=BUF_MEM_new()) == NULL) 273 ret = -1;
280 {
281 ret= -1;
282 goto end; 274 goto end;
283 } 275 }
284 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 276 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
285 { 277 ret = -1;
286 ret= -1;
287 goto end; 278 goto end;
288 }
289 s->init_buf=buf;
290 } 279 }
280 s->init_buf = buf;
281 }
291 282
292 if (!ssl3_setup_buffers(s)) 283 if (!ssl3_setup_buffers(s)) {
293 { 284 ret = -1;
294 ret= -1;
295 goto end; 285 goto end;
296 } 286 }
297 287
298 s->init_num=0; 288 s->init_num = 0;
299 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 289 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
300 290
301 if (s->state != SSL_ST_RENEGOTIATE) 291 if (s->state != SSL_ST_RENEGOTIATE) {
302 {
303 /* Ok, we now need to push on a buffering BIO so that 292 /* Ok, we now need to push on a buffering BIO so that
304 * the output is sent in a way that TCP likes :-) 293 * the output is sent in a way that TCP likes :-)
305 */ 294 */
306 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 295 if (!ssl_init_wbio_buffer(s, 1)) {
307 296 ret = -1;
297 goto end;
298 }
299
308 ssl3_init_finished_mac(s); 300 ssl3_init_finished_mac(s);
309 s->state=SSL3_ST_SR_CLNT_HELLO_A; 301 s->state = SSL3_ST_SR_CLNT_HELLO_A;
310 s->ctx->stats.sess_accept++; 302 s->ctx->stats.sess_accept++;
311 } 303 } else if (!s->s3->send_connection_binding &&
312 else if (!s->s3->send_connection_binding && 304 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
313 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
314 {
315 /* Server attempting to renegotiate with 305 /* Server attempting to renegotiate with
316 * client that doesn't support secure 306 * client that doesn't support secure
317 * renegotiation. 307 * renegotiation.
318 */ 308 */
319 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 309 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
320 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 310 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
321 ret = -1; 311 ret = -1;
322 goto end; 312 goto end;
323 } 313 } else {
324 else
325 {
326 /* s->state == SSL_ST_RENEGOTIATE, 314 /* s->state == SSL_ST_RENEGOTIATE,
327 * we will just send a HelloRequest */ 315 * we will just send a HelloRequest */
328 s->ctx->stats.sess_accept_renegotiate++; 316 s->ctx->stats.sess_accept_renegotiate++;
329 s->state=SSL3_ST_SW_HELLO_REQ_A; 317 s->state = SSL3_ST_SW_HELLO_REQ_A;
330 } 318 }
331 break; 319 break;
332 320
333 case SSL3_ST_SW_HELLO_REQ_A: 321 case SSL3_ST_SW_HELLO_REQ_A:
334 case SSL3_ST_SW_HELLO_REQ_B: 322 case SSL3_ST_SW_HELLO_REQ_B:
335 323
336 s->shutdown=0; 324 s->shutdown = 0;
337 ret=ssl3_send_hello_request(s); 325 ret = ssl3_send_hello_request(s);
338 if (ret <= 0) goto end; 326 if (ret <= 0)
339 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 327 goto end;
340 s->state=SSL3_ST_SW_FLUSH; 328 s->s3->tmp.next_state = SSL3_ST_SW_HELLO_REQ_C;
341 s->init_num=0; 329 s->state = SSL3_ST_SW_FLUSH;
330 s->init_num = 0;
342 331
343 ssl3_init_finished_mac(s); 332 ssl3_init_finished_mac(s);
344 break; 333 break;
345 334
346 case SSL3_ST_SW_HELLO_REQ_C: 335 case SSL3_ST_SW_HELLO_REQ_C:
347 s->state=SSL_ST_OK; 336 s->state = SSL_ST_OK;
348 break; 337 break;
349 338
350 case SSL3_ST_SR_CLNT_HELLO_A: 339 case SSL3_ST_SR_CLNT_HELLO_A:
351 case SSL3_ST_SR_CLNT_HELLO_B: 340 case SSL3_ST_SR_CLNT_HELLO_B:
352 case SSL3_ST_SR_CLNT_HELLO_C: 341 case SSL3_ST_SR_CLNT_HELLO_C:
353 342
354 s->shutdown=0; 343 s->shutdown = 0;
355 if (s->rwstate != SSL_X509_LOOKUP) 344 if (s->rwstate != SSL_X509_LOOKUP) {
356 { 345 ret = ssl3_get_client_hello(s);
357 ret=ssl3_get_client_hello(s); 346 if (ret <= 0)
358 if (ret <= 0) goto end; 347 goto end;
359 } 348 }
360#ifndef OPENSSL_NO_SRP 349#ifndef OPENSSL_NO_SRP
361 { 350 {
362 int al; 351 int al;
363 if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0) 352 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
364 {
365 /* callback indicates firther work to be done */ 353 /* callback indicates firther work to be done */
366 s->rwstate=SSL_X509_LOOKUP; 354 s->rwstate = SSL_X509_LOOKUP;
367 goto end; 355 goto end;
368 } 356 }
369 if (ret != SSL_ERROR_NONE) 357 if (ret != SSL_ERROR_NONE) {
370 { 358 ssl3_send_alert(s, SSL3_AL_FATAL, al);
371 ssl3_send_alert(s,SSL3_AL_FATAL,al); 359
372 /* This is not really an error but the only means to 360 /* This is not really an error but the only means to
373 for a client to detect whether srp is supported. */ 361 for a client to detect whether srp is supported. */
374 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 362 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
375 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); 363 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
376 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 364
377 ret= -1; 365 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
378 goto end; 366
367 ret = -1;
368 goto end;
369
379 } 370 }
380 } 371 }
381#endif 372#endif
382 373
383 s->renegotiate = 2; 374 s->renegotiate = 2;
384 s->state=SSL3_ST_SW_SRVR_HELLO_A; 375 s->state = SSL3_ST_SW_SRVR_HELLO_A;
385 s->init_num=0; 376 s->init_num = 0;
386 break; 377 break;
387 378
388 case SSL3_ST_SW_SRVR_HELLO_A: 379 case SSL3_ST_SW_SRVR_HELLO_A:
389 case SSL3_ST_SW_SRVR_HELLO_B: 380 case SSL3_ST_SW_SRVR_HELLO_B:
390 ret=ssl3_send_server_hello(s); 381 ret = ssl3_send_server_hello(s);
391 if (ret <= 0) goto end; 382 if (ret <= 0)
383 goto end;
392#ifndef OPENSSL_NO_TLSEXT 384#ifndef OPENSSL_NO_TLSEXT
393 if (s->hit) 385 if (s->hit) {
394 {
395 if (s->tlsext_ticket_expected) 386 if (s->tlsext_ticket_expected)
396 s->state=SSL3_ST_SW_SESSION_TICKET_A; 387 s->state = SSL3_ST_SW_SESSION_TICKET_A;
397 else 388 else
398 s->state=SSL3_ST_SW_CHANGE_A; 389 s->state = SSL3_ST_SW_CHANGE_A;
399 } 390 }
400#else 391#else
401 if (s->hit) 392 if (s->hit)
402 s->state=SSL3_ST_SW_CHANGE_A; 393 s->state = SSL3_ST_SW_CHANGE_A;
403#endif 394#endif
404 else 395 else
405 s->state=SSL3_ST_SW_CERT_A; 396 s->state = SSL3_ST_SW_CERT_A;
406 s->init_num=0; 397 s->init_num = 0;
407 break; 398 break;
408 399
409 case SSL3_ST_SW_CERT_A: 400 case SSL3_ST_SW_CERT_A:
@@ -412,29 +403,26 @@ int ssl3_accept(SSL *s)
412 /* normal PSK or KRB5 or SRP */ 403 /* normal PSK or KRB5 or SRP */
413 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 404 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
414 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 405 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
415 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 406 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) {
416 { 407 ret = ssl3_send_server_certificate(s);
417 ret=ssl3_send_server_certificate(s); 408 if (ret <= 0)
418 if (ret <= 0) goto end; 409 goto end;
419#ifndef OPENSSL_NO_TLSEXT 410#ifndef OPENSSL_NO_TLSEXT
420 if (s->tlsext_status_expected) 411 if (s->tlsext_status_expected)
421 s->state=SSL3_ST_SW_CERT_STATUS_A; 412 s->state = SSL3_ST_SW_CERT_STATUS_A;
422 else 413 else
423 s->state=SSL3_ST_SW_KEY_EXCH_A; 414 s->state = SSL3_ST_SW_KEY_EXCH_A;
424 } 415 } else {
425 else
426 {
427 skip = 1; 416 skip = 1;
428 s->state=SSL3_ST_SW_KEY_EXCH_A; 417 s->state = SSL3_ST_SW_KEY_EXCH_A;
429 } 418 }
430#else 419#else
431 } 420 } else
432 else 421 skip = 1;
433 skip=1;
434 422
435 s->state=SSL3_ST_SW_KEY_EXCH_A; 423 s->state = SSL3_ST_SW_KEY_EXCH_A;
436#endif 424#endif
437 s->init_num=0; 425 s->init_num = 0;
438 break; 426 break;
439 427
440 case SSL3_ST_SW_KEY_EXCH_A: 428 case SSL3_ST_SW_KEY_EXCH_A:
@@ -445,16 +433,16 @@ int ssl3_accept(SSL *s)
445 * send_server_key_exchange */ 433 * send_server_key_exchange */
446 if ((s->options & SSL_OP_EPHEMERAL_RSA) 434 if ((s->options & SSL_OP_EPHEMERAL_RSA)
447#ifndef OPENSSL_NO_KRB5 435#ifndef OPENSSL_NO_KRB5
448 && !(alg_k & SSL_kKRB5) 436 && !(alg_k & SSL_kKRB5)
449#endif /* OPENSSL_NO_KRB5 */ 437#endif /* OPENSSL_NO_KRB5 */
450 ) 438 )
451 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 439 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
452 * even when forbidden by protocol specs 440 * even when forbidden by protocol specs
453 * (handshake may fail as clients are not required to 441 * (handshake may fail as clients are not required to
454 * be able to handle this) */ 442 * be able to handle this) */
455 s->s3->tmp.use_rsa_tmp=1; 443 s->s3->tmp.use_rsa_tmp = 1;
456 else 444 else
457 s->s3->tmp.use_rsa_tmp=0; 445 s->s3->tmp.use_rsa_tmp = 0;
458 446
459 447
460 /* only send if a DH key exchange, fortezza or 448 /* only send if a DH key exchange, fortezza or
@@ -475,83 +463,81 @@ int ssl3_accept(SSL *s)
475 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 463 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
476#endif 464#endif
477#ifndef OPENSSL_NO_SRP 465#ifndef OPENSSL_NO_SRP
478 /* SRP: send ServerKeyExchange */ 466 /* SRP: send ServerKeyExchange */
479 || (alg_k & SSL_kSRP) 467 || (alg_k & SSL_kSRP)
480#endif 468#endif
481 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 469 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
482 || (alg_k & SSL_kEECDH) 470 || (alg_k & SSL_kEECDH)
483 || ((alg_k & SSL_kRSA) 471 || ((alg_k & SSL_kRSA)
484 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 472 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
485 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 473 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
486 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 474 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
487 )
488 )
489 )
490 ) 475 )
491 { 476 )
492 ret=ssl3_send_server_key_exchange(s); 477 )
493 if (ret <= 0) goto end; 478 ) {
494 } 479 ret = ssl3_send_server_key_exchange(s);
495 else 480 if (ret <= 0)
496 skip=1; 481 goto end;
482 } else
483 skip = 1;
497 484
498 s->state=SSL3_ST_SW_CERT_REQ_A; 485 s->state = SSL3_ST_SW_CERT_REQ_A;
499 s->init_num=0; 486 s->init_num = 0;
500 break; 487 break;
501 488
502 case SSL3_ST_SW_CERT_REQ_A: 489 case SSL3_ST_SW_CERT_REQ_A:
503 case SSL3_ST_SW_CERT_REQ_B: 490 case SSL3_ST_SW_CERT_REQ_B:
504 if (/* don't request cert unless asked for it: */ 491 if (/* don't request cert unless asked for it: */
505 !(s->verify_mode & SSL_VERIFY_PEER) || 492 !(s->verify_mode & SSL_VERIFY_PEER) ||
506 /* if SSL_VERIFY_CLIENT_ONCE is set, 493 /* if SSL_VERIFY_CLIENT_ONCE is set,
507 * don't request cert during re-negotiation: */ 494 * don't request cert during re-negotiation: */
508 ((s->session->peer != NULL) && 495 ((s->session->peer != NULL) &&
509 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 496 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
510 /* never request cert in anonymous ciphersuites 497 /* never request cert in anonymous ciphersuites
511 * (see section "Certificate request" in SSL 3 drafts 498 * (see section "Certificate request" in SSL 3 drafts
512 * and in RFC 2246): */ 499 * and in RFC 2246): */
513 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 500 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
514 /* ... except when the application insists on verification 501 /* ... except when the application insists on verification
515 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 502 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
516 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 503 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
517 /* never request cert in Kerberos ciphersuites */ 504 /* never request cert in Kerberos ciphersuites */
518 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 505 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
519 /* With normal PSK Certificates and 506 /* With normal PSK Certificates and
520 * Certificate Requests are omitted */ 507 * Certificate Requests are omitted */
521 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 508 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
522 {
523 /* no cert request */ 509 /* no cert request */
524 skip=1; 510 skip = 1;
525 s->s3->tmp.cert_request=0; 511 s->s3->tmp.cert_request = 0;
526 s->state=SSL3_ST_SW_SRVR_DONE_A; 512 s->state = SSL3_ST_SW_SRVR_DONE_A;
527 if (s->s3->handshake_buffer) 513 if (s->s3->handshake_buffer)
528 if (!ssl3_digest_cached_records(s)) 514 if (!ssl3_digest_cached_records(s))
529 return -1; 515 return -1;
530 } 516 } else {
531 else 517 s->s3->tmp.cert_request = 1;
532 { 518 ret = ssl3_send_certificate_request(s);
533 s->s3->tmp.cert_request=1; 519 if (ret <= 0)
534 ret=ssl3_send_certificate_request(s); 520 goto end;
535 if (ret <= 0) goto end;
536#ifndef NETSCAPE_HANG_BUG 521#ifndef NETSCAPE_HANG_BUG
537 s->state=SSL3_ST_SW_SRVR_DONE_A; 522 s->state = SSL3_ST_SW_SRVR_DONE_A;
538#else 523#else
539 s->state=SSL3_ST_SW_FLUSH; 524 s->state = SSL3_ST_SW_FLUSH;
540 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 525 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
541#endif 526#endif
542 s->init_num=0; 527 s->init_num = 0;
543 } 528 }
544 break; 529 break;
545 530
546 case SSL3_ST_SW_SRVR_DONE_A: 531 case SSL3_ST_SW_SRVR_DONE_A:
547 case SSL3_ST_SW_SRVR_DONE_B: 532 case SSL3_ST_SW_SRVR_DONE_B:
548 ret=ssl3_send_server_done(s); 533 ret = ssl3_send_server_done(s);
549 if (ret <= 0) goto end; 534 if (ret <= 0)
550 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 535 goto end;
551 s->state=SSL3_ST_SW_FLUSH; 536 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
552 s->init_num=0; 537 s->state = SSL3_ST_SW_FLUSH;
538 s->init_num = 0;
553 break; 539 break;
554 540
555 case SSL3_ST_SW_FLUSH: 541 case SSL3_ST_SW_FLUSH:
556 542
557 /* This code originally checked to see if 543 /* This code originally checked to see if
@@ -564,15 +550,14 @@ int ssl3_accept(SSL *s)
564 * unconditionally. 550 * unconditionally.
565 */ 551 */
566 552
567 s->rwstate=SSL_WRITING; 553 s->rwstate = SSL_WRITING;
568 if (BIO_flush(s->wbio) <= 0) 554 if (BIO_flush(s->wbio) <= 0) {
569 { 555 ret = -1;
570 ret= -1;
571 goto end; 556 goto end;
572 } 557 }
573 s->rwstate=SSL_NOTHING; 558 s->rwstate = SSL_NOTHING;
574 559
575 s->state=s->s3->tmp.next_state; 560 s->state = s->s3->tmp.next_state;
576 break; 561 break;
577 562
578 case SSL3_ST_SR_CERT_A: 563 case SSL3_ST_SR_CERT_A:
@@ -584,23 +569,22 @@ int ssl3_accept(SSL *s)
584 if (ret == 2) 569 if (ret == 2)
585 s->state = SSL3_ST_SR_CLNT_HELLO_C; 570 s->state = SSL3_ST_SR_CLNT_HELLO_C;
586 else { 571 else {
587 if (s->s3->tmp.cert_request) 572 if (s->s3->tmp.cert_request) {
588 { 573 ret = ssl3_get_client_certificate(s);
589 ret=ssl3_get_client_certificate(s); 574 if (ret <= 0)
590 if (ret <= 0) goto end; 575 goto end;
591 } 576 }
592 s->init_num=0; 577 s->init_num = 0;
593 s->state=SSL3_ST_SR_KEY_EXCH_A; 578 s->state = SSL3_ST_SR_KEY_EXCH_A;
594 } 579 }
595 break; 580 break;
596 581
597 case SSL3_ST_SR_KEY_EXCH_A: 582 case SSL3_ST_SR_KEY_EXCH_A:
598 case SSL3_ST_SR_KEY_EXCH_B: 583 case SSL3_ST_SR_KEY_EXCH_B:
599 ret=ssl3_get_client_key_exchange(s); 584 ret = ssl3_get_client_key_exchange(s);
600 if (ret <= 0) 585 if (ret <= 0)
601 goto end; 586 goto end;
602 if (ret == 2) 587 if (ret == 2) {
603 {
604 /* For the ECDH ciphersuites when 588 /* For the ECDH ciphersuites when
605 * the client sends its ECDH pub key in 589 * the client sends its ECDH pub key in
606 * a certificate, the CertificateVerify 590 * a certificate, the CertificateVerify
@@ -610,40 +594,35 @@ int ssl3_accept(SSL *s)
610 * for key exchange. 594 * for key exchange.
611 */ 595 */
612#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 596#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
613 s->state=SSL3_ST_SR_FINISHED_A; 597 s->state = SSL3_ST_SR_FINISHED_A;
614#else 598#else
615 if (s->s3->next_proto_neg_seen) 599 if (s->s3->next_proto_neg_seen)
616 s->state=SSL3_ST_SR_NEXT_PROTO_A; 600 s->state = SSL3_ST_SR_NEXT_PROTO_A;
617 else 601 else
618 s->state=SSL3_ST_SR_FINISHED_A; 602 s->state = SSL3_ST_SR_FINISHED_A;
619#endif 603#endif
620 s->init_num = 0; 604 s->init_num = 0;
621 } 605 } else if (TLS1_get_version(s) >= TLS1_2_VERSION) {
622 else if (TLS1_get_version(s) >= TLS1_2_VERSION) 606 s->state = SSL3_ST_SR_CERT_VRFY_A;
623 { 607 s->init_num = 0;
624 s->state=SSL3_ST_SR_CERT_VRFY_A;
625 s->init_num=0;
626 if (!s->session->peer) 608 if (!s->session->peer)
627 break; 609 break;
628 /* For TLS v1.2 freeze the handshake buffer 610 /* For TLS v1.2 freeze the handshake buffer
629 * at this point and digest cached records. 611 * at this point and digest cached records.
630 */ 612 */
631 if (!s->s3->handshake_buffer) 613 if (!s->s3->handshake_buffer) {
632 { 614 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
633 SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
634 return -1; 615 return -1;
635 } 616 }
636 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 617 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
637 if (!ssl3_digest_cached_records(s)) 618 if (!ssl3_digest_cached_records(s))
638 return -1; 619 return -1;
639 } 620 } else {
640 else 621 int offset = 0;
641 {
642 int offset=0;
643 int dgst_num; 622 int dgst_num;
644 623
645 s->state=SSL3_ST_SR_CERT_VRFY_A; 624 s->state = SSL3_ST_SR_CERT_VRFY_A;
646 s->init_num=0; 625 s->init_num = 0;
647 626
648 /* We need to get hashes here so if there is 627 /* We need to get hashes here so if there is
649 * a client cert, it can be verified 628 * a client cert, it can be verified
@@ -653,82 +632,85 @@ int ssl3_accept(SSL *s)
653 if (s->s3->handshake_buffer) 632 if (s->s3->handshake_buffer)
654 if (!ssl3_digest_cached_records(s)) 633 if (!ssl3_digest_cached_records(s))
655 return -1; 634 return -1;
656 for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++) 635 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
657 if (s->s3->handshake_dgst[dgst_num]) 636 if (s->s3->handshake_dgst[dgst_num]) {
658 { 637 int dgst_size;
659 int dgst_size; 638
660 639 s->method->ssl3_enc->cert_verify_mac(s, EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]), &(s->s3->tmp.cert_verify_md[offset]));
661 s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset])); 640 dgst_size = EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
662 dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 641 if (dgst_size < 0) {
663 if (dgst_size < 0) 642 ret = -1;
664 { 643 goto end;
665 ret = -1; 644 }
666 goto end; 645 offset += dgst_size;
667 }
668 offset+=dgst_size;
669 }
670 } 646 }
647 }
671 break; 648 break;
672 649
673 case SSL3_ST_SR_CERT_VRFY_A: 650 case SSL3_ST_SR_CERT_VRFY_A:
674 case SSL3_ST_SR_CERT_VRFY_B: 651 case SSL3_ST_SR_CERT_VRFY_B:
675 652
676 /* we should decide if we expected this one */ 653 /* we should decide if we expected this one */
677 ret=ssl3_get_cert_verify(s); 654 ret = ssl3_get_cert_verify(s);
678 if (ret <= 0) goto end; 655 if (ret <= 0)
656 goto end;
679 657
680#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 658#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
681 s->state=SSL3_ST_SR_FINISHED_A; 659 s->state = SSL3_ST_SR_FINISHED_A;
682#else 660#else
683 if (s->s3->next_proto_neg_seen) 661 if (s->s3->next_proto_neg_seen)
684 s->state=SSL3_ST_SR_NEXT_PROTO_A; 662 s->state = SSL3_ST_SR_NEXT_PROTO_A;
685 else 663 else
686 s->state=SSL3_ST_SR_FINISHED_A; 664 s->state = SSL3_ST_SR_FINISHED_A;
687#endif 665#endif
688 s->init_num=0; 666 s->init_num = 0;
689 break; 667 break;
690 668
691#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 669#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
692 case SSL3_ST_SR_NEXT_PROTO_A: 670 case SSL3_ST_SR_NEXT_PROTO_A:
693 case SSL3_ST_SR_NEXT_PROTO_B: 671 case SSL3_ST_SR_NEXT_PROTO_B:
694 ret=ssl3_get_next_proto(s); 672 ret = ssl3_get_next_proto(s);
695 if (ret <= 0) goto end; 673 if (ret <= 0)
674 goto end;
696 s->init_num = 0; 675 s->init_num = 0;
697 s->state=SSL3_ST_SR_FINISHED_A; 676 s->state = SSL3_ST_SR_FINISHED_A;
698 break; 677 break;
699#endif 678#endif
700 679
701 case SSL3_ST_SR_FINISHED_A: 680 case SSL3_ST_SR_FINISHED_A:
702 case SSL3_ST_SR_FINISHED_B: 681 case SSL3_ST_SR_FINISHED_B:
703 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 682 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
704 SSL3_ST_SR_FINISHED_B); 683 SSL3_ST_SR_FINISHED_B);
705 if (ret <= 0) goto end; 684 if (ret <= 0)
685 goto end;
706 if (s->hit) 686 if (s->hit)
707 s->state=SSL_ST_OK; 687 s->state = SSL_ST_OK;
708#ifndef OPENSSL_NO_TLSEXT 688#ifndef OPENSSL_NO_TLSEXT
709 else if (s->tlsext_ticket_expected) 689 else if (s->tlsext_ticket_expected)
710 s->state=SSL3_ST_SW_SESSION_TICKET_A; 690 s->state = SSL3_ST_SW_SESSION_TICKET_A;
711#endif 691#endif
712 else 692 else
713 s->state=SSL3_ST_SW_CHANGE_A; 693 s->state = SSL3_ST_SW_CHANGE_A;
714 s->init_num=0; 694 s->init_num = 0;
715 break; 695 break;
716 696
717#ifndef OPENSSL_NO_TLSEXT 697#ifndef OPENSSL_NO_TLSEXT
718 case SSL3_ST_SW_SESSION_TICKET_A: 698 case SSL3_ST_SW_SESSION_TICKET_A:
719 case SSL3_ST_SW_SESSION_TICKET_B: 699 case SSL3_ST_SW_SESSION_TICKET_B:
720 ret=ssl3_send_newsession_ticket(s); 700 ret = ssl3_send_newsession_ticket(s);
721 if (ret <= 0) goto end; 701 if (ret <= 0)
722 s->state=SSL3_ST_SW_CHANGE_A; 702 goto end;
723 s->init_num=0; 703 s->state = SSL3_ST_SW_CHANGE_A;
704 s->init_num = 0;
724 break; 705 break;
725 706
726 case SSL3_ST_SW_CERT_STATUS_A: 707 case SSL3_ST_SW_CERT_STATUS_A:
727 case SSL3_ST_SW_CERT_STATUS_B: 708 case SSL3_ST_SW_CERT_STATUS_B:
728 ret=ssl3_send_cert_status(s); 709 ret = ssl3_send_cert_status(s);
729 if (ret <= 0) goto end; 710 if (ret <= 0)
730 s->state=SSL3_ST_SW_KEY_EXCH_A; 711 goto end;
731 s->init_num=0; 712 s->state = SSL3_ST_SW_KEY_EXCH_A;
713 s->init_num = 0;
732 break; 714 break;
733 715
734#endif 716#endif
@@ -736,48 +718,49 @@ int ssl3_accept(SSL *s)
736 case SSL3_ST_SW_CHANGE_A: 718 case SSL3_ST_SW_CHANGE_A:
737 case SSL3_ST_SW_CHANGE_B: 719 case SSL3_ST_SW_CHANGE_B:
738 720
739 s->session->cipher=s->s3->tmp.new_cipher; 721 s->session->cipher = s->s3->tmp.new_cipher;
740 if (!s->method->ssl3_enc->setup_key_block(s)) 722 if (!s->method->ssl3_enc->setup_key_block(s)) {
741 { ret= -1; goto end; } 723 ret = -1;
724 goto end;
725 }
742 726
743 ret=ssl3_send_change_cipher_spec(s, 727 ret = ssl3_send_change_cipher_spec(s,
744 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 728 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
745 729
746 if (ret <= 0) goto end; 730 if (ret <= 0)
747 s->state=SSL3_ST_SW_FINISHED_A; 731 goto end;
748 s->init_num=0; 732 s->state = SSL3_ST_SW_FINISHED_A;
733 s->init_num = 0;
749 734
750 if (!s->method->ssl3_enc->change_cipher_state(s, 735 if (!s->method->ssl3_enc->change_cipher_state(
751 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 736 s, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
752 { 737 ret = -1;
753 ret= -1;
754 goto end; 738 goto end;
755 } 739 }
756 740
757 break; 741 break;
758 742
759 case SSL3_ST_SW_FINISHED_A: 743 case SSL3_ST_SW_FINISHED_A:
760 case SSL3_ST_SW_FINISHED_B: 744 case SSL3_ST_SW_FINISHED_B:
761 ret=ssl3_send_finished(s, 745 ret = ssl3_send_finished(s,
762 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 746 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
763 s->method->ssl3_enc->server_finished_label, 747 s->method->ssl3_enc->server_finished_label,
764 s->method->ssl3_enc->server_finished_label_len); 748 s->method->ssl3_enc->server_finished_label_len);
765 if (ret <= 0) goto end; 749 if (ret <= 0)
766 s->state=SSL3_ST_SW_FLUSH; 750 goto end;
767 if (s->hit) 751 s->state = SSL3_ST_SW_FLUSH;
768 { 752 if (s->hit) {
769#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 753#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
770 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 754 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
771#else 755#else
772 if (s->s3->next_proto_neg_seen) 756 if (s->s3->next_proto_neg_seen)
773 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; 757 s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A;
774 else 758 else
775 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 759 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
776#endif 760#endif
777 } 761 } else
778 else 762 s->s3->tmp.next_state = SSL_ST_OK;
779 s->s3->tmp.next_state=SSL_ST_OK; 763 s->init_num = 0;
780 s->init_num=0;
781 break; 764 break;
782 765
783 case SSL_ST_OK: 766 case SSL_ST_OK:
@@ -785,146 +768,143 @@ int ssl3_accept(SSL *s)
785 ssl3_cleanup_key_block(s); 768 ssl3_cleanup_key_block(s);
786 769
787 BUF_MEM_free(s->init_buf); 770 BUF_MEM_free(s->init_buf);
788 s->init_buf=NULL; 771 s->init_buf = NULL;
789 772
790 /* remove buffering on output */ 773 /* remove buffering on output */
791 ssl_free_wbio_buffer(s); 774 ssl_free_wbio_buffer(s);
792 775
793 s->init_num=0; 776 s->init_num = 0;
794 777
795 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 778 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
796 { 779 {
797 s->renegotiate=0; 780 s->renegotiate = 0;
798 s->new_session=0; 781 s->new_session = 0;
799 782
800 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 783 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
801 784
802 s->ctx->stats.sess_accept_good++; 785 s->ctx->stats.sess_accept_good++;
803 /* s->server=1; */ 786 /* s->server=1; */
804 s->handshake_func=ssl3_accept; 787 s->handshake_func = ssl3_accept;
788
789 if (cb != NULL)
790 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
791 }
805 792
806 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
807 }
808
809 ret = 1; 793 ret = 1;
810 goto end; 794 goto end;
811 /* break; */ 795 /* break; */
812 796
813 default: 797 default:
814 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE); 798 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
815 ret= -1; 799 ret = -1;
816 goto end; 800 goto end;
817 /* break; */ 801 /* break; */
818 } 802 }
819 803
820 if (!s->s3->tmp.reuse_message && !skip) 804 if (!s->s3->tmp.reuse_message && !skip) {
821 { 805 if (s->debug) {
822 if (s->debug) 806 if ((ret = BIO_flush(s->wbio)) <= 0)
823 {
824 if ((ret=BIO_flush(s->wbio)) <= 0)
825 goto end; 807 goto end;
826 } 808 }
827 809
828 810
829 if ((cb != NULL) && (s->state != state)) 811 if ((cb != NULL) && (s->state != state)) {
830 { 812 new_state = s->state;
831 new_state=s->state; 813 s->state = state;
832 s->state=state; 814 cb(s, SSL_CB_ACCEPT_LOOP, 1);
833 cb(s,SSL_CB_ACCEPT_LOOP,1); 815 s->state = new_state;
834 s->state=new_state;
835 }
836 } 816 }
837 skip=0;
838 } 817 }
818 skip = 0;
819 }
839end: 820end:
840 /* BIO_flush(s->wbio); */ 821 /* BIO_flush(s->wbio); */
841 822
842 s->in_handshake--; 823 s->in_handshake--;
843 if (cb != NULL) 824 if (cb != NULL)
844 cb(s,SSL_CB_ACCEPT_EXIT,ret); 825 cb(s, SSL_CB_ACCEPT_EXIT, ret);
845 return(ret); 826 return (ret);
846 } 827}
847 828
848int ssl3_send_hello_request(SSL *s) 829int
849 { 830ssl3_send_hello_request(SSL *s)
831{
850 unsigned char *p; 832 unsigned char *p;
851 833
852 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 834 if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
853 { 835 p = (unsigned char *)s->init_buf->data;
854 p=(unsigned char *)s->init_buf->data; 836 *(p++) = SSL3_MT_HELLO_REQUEST;
855 *(p++)=SSL3_MT_HELLO_REQUEST; 837 *(p++) = 0;
856 *(p++)=0; 838 *(p++) = 0;
857 *(p++)=0; 839 *(p++) = 0;
858 *(p++)=0;
859 840
860 s->state=SSL3_ST_SW_HELLO_REQ_B; 841 s->state = SSL3_ST_SW_HELLO_REQ_B;
861 /* number of bytes to write */ 842 /* number of bytes to write */
862 s->init_num=4; 843 s->init_num = 4;
863 s->init_off=0; 844 s->init_off = 0;
864 } 845 }
865 846
866 /* SSL3_ST_SW_HELLO_REQ_B */ 847 /* SSL3_ST_SW_HELLO_REQ_B */
867 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 848 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
868 } 849}
869 850
870int ssl3_check_client_hello(SSL *s) 851int
871 { 852ssl3_check_client_hello(SSL *s)
853{
872 int ok; 854 int ok;
873 long n; 855 long n;
874 856
875 /* this function is called when we really expect a Certificate message, 857 /* this function is called when we really expect a Certificate message,
876 * so permit appropriate message length */ 858 * so permit appropriate message length */
877 n=s->method->ssl_get_message(s, 859 n = s->method->ssl_get_message(s,
878 SSL3_ST_SR_CERT_A, 860 SSL3_ST_SR_CERT_A,
879 SSL3_ST_SR_CERT_B, 861 SSL3_ST_SR_CERT_B,
880 -1, 862 -1,
881 s->max_cert_list, 863 s->max_cert_list,
882 &ok); 864 &ok);
883 if (!ok) return((int)n); 865 if (!ok)
866 return ((int)n);
884 s->s3->tmp.reuse_message = 1; 867 s->s3->tmp.reuse_message = 1;
885 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 868 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
886 {
887 /* We only allow the client to restart the handshake once per 869 /* We only allow the client to restart the handshake once per
888 * negotiation. */ 870 * negotiation. */
889 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) 871 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
890 {
891 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 872 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
892 return -1; 873 return -1;
893 } 874 }
894 /* Throw away what we have done so far in the current handshake, 875 /* Throw away what we have done so far in the current handshake,
895 * which will now be aborted. (A full SSL_clear would be too much.) */ 876 * which will now be aborted. (A full SSL_clear would be too much.) */
896#ifndef OPENSSL_NO_DH 877#ifndef OPENSSL_NO_DH
897 if (s->s3->tmp.dh != NULL) 878 if (s->s3->tmp.dh != NULL) {
898 {
899 DH_free(s->s3->tmp.dh); 879 DH_free(s->s3->tmp.dh);
900 s->s3->tmp.dh = NULL; 880 s->s3->tmp.dh = NULL;
901 } 881 }
902#endif 882#endif
903#ifndef OPENSSL_NO_ECDH 883#ifndef OPENSSL_NO_ECDH
904 if (s->s3->tmp.ecdh != NULL) 884 if (s->s3->tmp.ecdh != NULL) {
905 {
906 EC_KEY_free(s->s3->tmp.ecdh); 885 EC_KEY_free(s->s3->tmp.ecdh);
907 s->s3->tmp.ecdh = NULL; 886 s->s3->tmp.ecdh = NULL;
908 } 887 }
909#endif 888#endif
910 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE; 889 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
911 return 2; 890 return 2;
912 } 891 }
913 return 1; 892 return 1;
914} 893}
915 894
916int ssl3_get_client_hello(SSL *s) 895int
917 { 896ssl3_get_client_hello(SSL *s)
918 int i,j,ok,al,ret= -1; 897{
898 int i, j, ok, al, ret = -1;
919 unsigned int cookie_len; 899 unsigned int cookie_len;
920 long n; 900 long n;
921 unsigned long id; 901 unsigned long id;
922 unsigned char *p,*d,*q; 902 unsigned char *p, *d, *q;
923 SSL_CIPHER *c; 903 SSL_CIPHER *c;
924#ifndef OPENSSL_NO_COMP 904#ifndef OPENSSL_NO_COMP
925 SSL_COMP *comp=NULL; 905 SSL_COMP *comp = NULL;
926#endif 906#endif
927 STACK_OF(SSL_CIPHER) *ciphers=NULL; 907 STACK_OF(SSL_CIPHER) *ciphers = NULL;
928 908
929 /* We do this so that we will respond with our native type. 909 /* We do this so that we will respond with our native type.
930 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 910 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
@@ -932,65 +912,61 @@ int ssl3_get_client_hello(SSL *s)
932 * If we are SSLv3, we will respond with SSLv3, even if prompted with 912 * If we are SSLv3, we will respond with SSLv3, even if prompted with
933 * TLSv1. 913 * TLSv1.
934 */ 914 */
935 if (s->state == SSL3_ST_SR_CLNT_HELLO_A 915 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) {
936 ) 916 s->state = SSL3_ST_SR_CLNT_HELLO_B;
937 { 917 }
938 s->state=SSL3_ST_SR_CLNT_HELLO_B; 918 s->first_packet = 1;
939 } 919 n = s->method->ssl_get_message(s,
940 s->first_packet=1; 920 SSL3_ST_SR_CLNT_HELLO_B,
941 n=s->method->ssl_get_message(s, 921 SSL3_ST_SR_CLNT_HELLO_C,
942 SSL3_ST_SR_CLNT_HELLO_B, 922 SSL3_MT_CLIENT_HELLO,
943 SSL3_ST_SR_CLNT_HELLO_C, 923 SSL3_RT_MAX_PLAIN_LENGTH,
944 SSL3_MT_CLIENT_HELLO, 924 &ok);
945 SSL3_RT_MAX_PLAIN_LENGTH,
946 &ok);
947 925
948 if (!ok) return((int)n); 926 if (!ok)
949 s->first_packet=0; 927 return ((int)n);
950 d=p=(unsigned char *)s->init_msg; 928 s->first_packet = 0;
929 d = p=(unsigned char *)s->init_msg;
951 930
952 /* use version from inside client hello, not from record header 931 /* use version from inside client hello, not from record header
953 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 932 * (may differ: see RFC 2246, Appendix E, second paragraph) */
954 s->client_version=(((int)p[0])<<8)|(int)p[1]; 933 s->client_version = (((int)p[0]) << 8)|(int)p[1];
955 p+=2; 934 p += 2;
956 935
957 if ((s->version == DTLS1_VERSION && s->client_version > s->version) || 936 if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
958 (s->version != DTLS1_VERSION && s->client_version < s->version)) 937 (s->version != DTLS1_VERSION && s->client_version < s->version)) {
959 {
960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 938 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 939 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
962 !s->enc_write_ctx && !s->write_hash) 940 !s->enc_write_ctx && !s->write_hash) {
963 {
964 /* similar to ssl3_get_record, send alert using remote version number */ 941 /* similar to ssl3_get_record, send alert using remote version number */
965 s->version = s->client_version; 942 s->version = s->client_version;
966 } 943 }
967 al = SSL_AD_PROTOCOL_VERSION; 944 al = SSL_AD_PROTOCOL_VERSION;
968 goto f_err; 945 goto f_err;
969 } 946 }
970 947
971 /* If we require cookies and this ClientHello doesn't 948 /* If we require cookies and this ClientHello doesn't
972 * contain one, just return since we do not want to 949 * contain one, just return since we do not want to
973 * allocate any memory yet. So check cookie length... 950 * allocate any memory yet. So check cookie length...
974 */ 951 */
975 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) 952 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
976 {
977 unsigned int session_length, cookie_length; 953 unsigned int session_length, cookie_length;
978 954
979 session_length = *(p + SSL3_RANDOM_SIZE); 955 session_length = *(p + SSL3_RANDOM_SIZE);
980 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); 956 cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
981 957
982 if (cookie_length == 0) 958 if (cookie_length == 0)
983 return 1; 959 return 1;
984 } 960 }
985 961
986 /* load the client random */ 962 /* load the client random */
987 memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); 963 memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
988 p+=SSL3_RANDOM_SIZE; 964 p += SSL3_RANDOM_SIZE;
989 965
990 /* get the session-id */ 966 /* get the session-id */
991 j= *(p++); 967 j= *(p++);
992 968
993 s->hit=0; 969 s->hit = 0;
994 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 970 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
995 * 0.9.7 and later allow this by default, but optionally ignore resumption requests 971 * 0.9.7 and later allow this by default, but optionally ignore resumption requests
996 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 972 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
@@ -1002,31 +978,26 @@ int ssl3_get_client_hello(SSL *s)
1002 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 978 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1003 * setting will be ignored. 979 * setting will be ignored.
1004 */ 980 */
1005 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 981 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1006 { 982 if (!ssl_get_new_session(s, 1))
1007 if (!ssl_get_new_session(s,1))
1008 goto err; 983 goto err;
1009 } 984 } else {
1010 else 985 i = ssl_get_prev_session(s, p, j, d + n);
1011 {
1012 i=ssl_get_prev_session(s, p, j, d + n);
1013 if (i == 1) 986 if (i == 1)
1014 { /* previous session */ 987 { /* previous session */
1015 s->hit=1; 988 s->hit = 1;
1016 } 989 } else if (i == -1)
1017 else if (i == -1)
1018 goto err; 990 goto err;
1019 else /* i == 0 */ 991 else /* i == 0 */
1020 { 992 {
1021 if (!ssl_get_new_session(s,1)) 993 if (!ssl_get_new_session(s, 1))
1022 goto err; 994 goto err;
1023 }
1024 } 995 }
996 }
1025 997
1026 p+=j; 998 p += j;
1027 999
1028 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) 1000 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
1029 {
1030 /* cookie stuff */ 1001 /* cookie stuff */
1031 cookie_len = *(p++); 1002 cookie_len = *(p++);
1032 1003
@@ -1035,159 +1006,141 @@ int ssl3_get_client_hello(SSL *s)
1035 * HelloVerify message has not been sent--make sure that it 1006 * HelloVerify message has not been sent--make sure that it
1036 * does not cause an overflow. 1007 * does not cause an overflow.
1037 */ 1008 */
1038 if ( cookie_len > sizeof(s->d1->rcvd_cookie)) 1009 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
1039 {
1040 /* too much data */ 1010 /* too much data */
1041 al = SSL_AD_DECODE_ERROR; 1011 al = SSL_AD_DECODE_ERROR;
1042 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1012 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1043 goto f_err; 1013 goto f_err;
1044 } 1014 }
1045 1015
1046 /* verify the cookie if appropriate option is set. */ 1016 /* verify the cookie if appropriate option is set. */
1047 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && 1017 if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
1048 cookie_len > 0) 1018 cookie_len > 0) {
1049 {
1050 memcpy(s->d1->rcvd_cookie, p, cookie_len); 1019 memcpy(s->d1->rcvd_cookie, p, cookie_len);
1051 1020
1052 if ( s->ctx->app_verify_cookie_cb != NULL) 1021 if (s->ctx->app_verify_cookie_cb != NULL) {
1053 { 1022 if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
1054 if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1023 cookie_len) == 0) {
1055 cookie_len) == 0) 1024 al = SSL_AD_HANDSHAKE_FAILURE;
1056 { 1025 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1057 al=SSL_AD_HANDSHAKE_FAILURE; 1026 SSL_R_COOKIE_MISMATCH);
1058 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1059 SSL_R_COOKIE_MISMATCH);
1060 goto f_err;
1061 }
1062 /* else cookie verification succeeded */
1063 }
1064 else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1065 s->d1->cookie_len) != 0) /* default verification */
1066 {
1067 al=SSL_AD_HANDSHAKE_FAILURE;
1068 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1069 SSL_R_COOKIE_MISMATCH);
1070 goto f_err; 1027 goto f_err;
1071 } 1028 }
1029 /* else cookie verification succeeded */
1030 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1031 s->d1->cookie_len) != 0) /* default verification */
1032 {
1033 al = SSL_AD_HANDSHAKE_FAILURE;
1034 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1035 SSL_R_COOKIE_MISMATCH);
1036 goto f_err;
1037 }
1072 1038
1073 ret = 2; 1039 ret = 2;
1074 } 1040 }
1075 1041
1076 p += cookie_len; 1042 p += cookie_len;
1077 } 1043 }
1078 1044
1079 n2s(p,i); 1045 n2s(p, i);
1080 if ((i == 0) && (j != 0)) 1046 if ((i == 0) && (j != 0)) {
1081 {
1082 /* we need a cipher if we are not resuming a session */ 1047 /* we need a cipher if we are not resuming a session */
1083 al=SSL_AD_ILLEGAL_PARAMETER; 1048 al = SSL_AD_ILLEGAL_PARAMETER;
1084 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); 1049 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
1085 goto f_err; 1050 goto f_err;
1086 } 1051 }
1087 if ((p+i) >= (d+n)) 1052 if ((p + i) >= (d + n)) {
1088 {
1089 /* not enough data */ 1053 /* not enough data */
1090 al=SSL_AD_DECODE_ERROR; 1054 al = SSL_AD_DECODE_ERROR;
1091 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1055 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1092 goto f_err; 1056 goto f_err;
1093 } 1057 }
1094 if ((i > 0) && (ssl_bytes_to_cipher_list(s,p,i,&(ciphers)) 1058 if ((i > 0) &&
1095 == NULL)) 1059 (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL)) {
1096 {
1097 goto err; 1060 goto err;
1098 } 1061 }
1099 p+=i; 1062 p += i;
1100 1063
1101 /* If it is a hit, check that the cipher is in the list */ 1064 /* If it is a hit, check that the cipher is in the list */
1102 if ((s->hit) && (i > 0)) 1065 if ((s->hit) && (i > 0)) {
1103 { 1066 j = 0;
1104 j=0; 1067 id = s->session->cipher->id;
1105 id=s->session->cipher->id;
1106 1068
1107#ifdef CIPHER_DEBUG 1069#ifdef CIPHER_DEBUG
1108 printf("client sent %d ciphers\n",sk_num(ciphers)); 1070 printf("client sent %d ciphers\n", sk_num(ciphers));
1109#endif 1071#endif
1110 for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++) 1072 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1111 { 1073 c = sk_SSL_CIPHER_value(ciphers, i);
1112 c=sk_SSL_CIPHER_value(ciphers,i);
1113#ifdef CIPHER_DEBUG 1074#ifdef CIPHER_DEBUG
1114 printf("client [%2d of %2d]:%s\n", 1075 printf("client [%2d of %2d]:%s\n",
1115 i,sk_num(ciphers),SSL_CIPHER_get_name(c)); 1076 i, sk_num(ciphers), SSL_CIPHER_get_name(c));
1116#endif 1077#endif
1117 if (c->id == id) 1078 if (c->id == id) {
1118 { 1079 j = 1;
1119 j=1;
1120 break; 1080 break;
1121 }
1122 } 1081 }
1082 }
1123/* Disabled because it can be used in a ciphersuite downgrade 1083/* Disabled because it can be used in a ciphersuite downgrade
1124 * attack: CVE-2010-4180. 1084 * attack: CVE-2010-4180.
1125 */ 1085 */
1126#if 0 1086#if 0
1127 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) 1087 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
1128 {
1129 /* Special case as client bug workaround: the previously used cipher may 1088 /* Special case as client bug workaround: the previously used cipher may
1130 * not be in the current list, the client instead might be trying to 1089 * not be in the current list, the client instead might be trying to
1131 * continue using a cipher that before wasn't chosen due to server 1090 * continue using a cipher that before wasn't chosen due to server
1132 * preferences. We'll have to reject the connection if the cipher is not 1091 * preferences. We'll have to reject the connection if the cipher is not
1133 * enabled, though. */ 1092 * enabled, though. */
1134 c = sk_SSL_CIPHER_value(ciphers, 0); 1093 c = sk_SSL_CIPHER_value(ciphers, 0);
1135 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) 1094 if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
1136 {
1137 s->session->cipher = c; 1095 s->session->cipher = c;
1138 j = 1; 1096 j = 1;
1139 }
1140 } 1097 }
1098 }
1141#endif 1099#endif
1142 if (j == 0) 1100 if (j == 0) {
1143 {
1144 /* we need to have the cipher in the cipher 1101 /* we need to have the cipher in the cipher
1145 * list if we are asked to reuse it */ 1102 * list if we are asked to reuse it */
1146 al=SSL_AD_ILLEGAL_PARAMETER; 1103 al = SSL_AD_ILLEGAL_PARAMETER;
1147 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); 1104 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING);
1148 goto f_err; 1105 goto f_err;
1149 }
1150 } 1106 }
1107 }
1151 1108
1152 /* compression */ 1109 /* compression */
1153 i= *(p++); 1110 i= *(p++);
1154 if ((p+i) > (d+n)) 1111 if ((p + i) > (d + n)) {
1155 {
1156 /* not enough data */ 1112 /* not enough data */
1157 al=SSL_AD_DECODE_ERROR; 1113 al = SSL_AD_DECODE_ERROR;
1158 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); 1114 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1159 goto f_err; 1115 goto f_err;
1160 } 1116 }
1161 q=p; 1117 q = p;
1162 for (j=0; j<i; j++) 1118 for (j = 0; j < i; j++) {
1163 { 1119 if (p[j] == 0)
1164 if (p[j] == 0) break; 1120 break;
1165 } 1121 }
1166 1122
1167 p+=i; 1123 p += i;
1168 if (j >= i) 1124 if (j >= i) {
1169 {
1170 /* no compress */ 1125 /* no compress */
1171 al=SSL_AD_DECODE_ERROR; 1126 al = SSL_AD_DECODE_ERROR;
1172 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_COMPRESSION_SPECIFIED); 1127 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1173 goto f_err; 1128 goto f_err;
1174 } 1129 }
1175 1130
1176#ifndef OPENSSL_NO_TLSEXT 1131#ifndef OPENSSL_NO_TLSEXT
1177 /* TLS extensions*/ 1132 /* TLS extensions*/
1178 if (s->version >= SSL3_VERSION) 1133 if (s->version >= SSL3_VERSION) {
1179 { 1134 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
1180 if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
1181 {
1182 /* 'al' set by ssl_parse_clienthello_tlsext */ 1135 /* 'al' set by ssl_parse_clienthello_tlsext */
1183 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); 1136 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1184 goto f_err; 1137 goto f_err;
1185 }
1186 }
1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1189 goto err;
1190 } 1138 }
1139 }
1140 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1141 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1142 goto err;
1143 }
1191 1144
1192 /* Check if we want to use external pre-shared secret for this 1145 /* Check if we want to use external pre-shared secret for this
1193 * handshake for not reused session only. We need to generate 1146 * handshake for not reused session only. We need to generate
@@ -1195,38 +1148,34 @@ int ssl3_get_client_hello(SSL *s)
1195 * SessionTicket processing to use it in key derivation. */ 1148 * SessionTicket processing to use it in key derivation. */
1196 { 1149 {
1197 unsigned char *pos; 1150 unsigned char *pos;
1198 pos=s->s3->server_random; 1151 pos = s->s3->server_random;
1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) 1152 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
1200 { 1153 al = SSL_AD_INTERNAL_ERROR;
1201 al=SSL_AD_INTERNAL_ERROR;
1202 goto f_err; 1154 goto f_err;
1203 } 1155 }
1204 } 1156 }
1205 1157
1206 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) 1158 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1207 { 1159 SSL_CIPHER *pref_cipher = NULL;
1208 SSL_CIPHER *pref_cipher=NULL;
1209 1160
1210 s->session->master_key_length=sizeof(s->session->master_key); 1161 s->session->master_key_length = sizeof(s->session->master_key);
1211 if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1162 if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
1212 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) 1163 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) {
1213 { 1164 s->hit = 1;
1214 s->hit=1; 1165 s->session->ciphers = ciphers;
1215 s->session->ciphers=ciphers; 1166 s->session->verify_result = X509_V_OK;
1216 s->session->verify_result=X509_V_OK;
1217 1167
1218 ciphers=NULL; 1168 ciphers = NULL;
1219 1169
1220 /* check if some cipher was preferred by call back */ 1170 /* check if some cipher was preferred by call back */
1221 pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1171 pref_cipher = pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1222 if (pref_cipher == NULL) 1172 if (pref_cipher == NULL) {
1223 { 1173 al = SSL_AD_HANDSHAKE_FAILURE;
1224 al=SSL_AD_HANDSHAKE_FAILURE; 1174 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1225 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1226 goto f_err; 1175 goto f_err;
1227 } 1176 }
1228 1177
1229 s->session->cipher=pref_cipher; 1178 s->session->cipher = pref_cipher;
1230 1179
1231 if (s->cipher_list) 1180 if (s->cipher_list)
1232 sk_SSL_CIPHER_free(s->cipher_list); 1181 sk_SSL_CIPHER_free(s->cipher_list);
@@ -1236,165 +1185,144 @@ int ssl3_get_client_hello(SSL *s)
1236 1185
1237 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1186 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1238 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1187 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1239 }
1240 } 1188 }
1189 }
1241#endif 1190#endif
1242 1191
1243 /* Worst case, we will use the NULL compression, but if we have other 1192 /* Worst case, we will use the NULL compression, but if we have other
1244 * options, we will now look for them. We have i-1 compression 1193 * options, we will now look for them. We have i-1 compression
1245 * algorithms from the client, starting at q. */ 1194 * algorithms from the client, starting at q. */
1246 s->s3->tmp.new_compression=NULL; 1195 s->s3->tmp.new_compression = NULL;
1247#ifndef OPENSSL_NO_COMP 1196#ifndef OPENSSL_NO_COMP
1248 /* This only happens if we have a cache hit */ 1197 /* This only happens if we have a cache hit */
1249 if (s->session->compress_meth != 0) 1198 if (s->session->compress_meth != 0) {
1250 {
1251 int m, comp_id = s->session->compress_meth; 1199 int m, comp_id = s->session->compress_meth;
1252 /* Perform sanity checks on resumed compression algorithm */ 1200 /* Perform sanity checks on resumed compression algorithm */
1253 /* Can't disable compression */ 1201 /* Can't disable compression */
1254 if (s->options & SSL_OP_NO_COMPRESSION) 1202 if (s->options & SSL_OP_NO_COMPRESSION) {
1255 { 1203 al = SSL_AD_INTERNAL_ERROR;
1256 al=SSL_AD_INTERNAL_ERROR; 1204 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1257 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1258 goto f_err; 1205 goto f_err;
1259 } 1206 }
1260 /* Look for resumed compression method */ 1207 /* Look for resumed compression method */
1261 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) 1208 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
1262 { 1209 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1263 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1210 if (comp_id == comp->id) {
1264 if (comp_id == comp->id) 1211 s->s3->tmp.new_compression = comp;
1265 {
1266 s->s3->tmp.new_compression=comp;
1267 break; 1212 break;
1268 }
1269 } 1213 }
1270 if (s->s3->tmp.new_compression == NULL) 1214 }
1271 { 1215 if (s->s3->tmp.new_compression == NULL) {
1272 al=SSL_AD_INTERNAL_ERROR; 1216 al = SSL_AD_INTERNAL_ERROR;
1273 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); 1217 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INVALID_COMPRESSION_ALGORITHM);
1274 goto f_err; 1218 goto f_err;
1275 } 1219 }
1276 /* Look for resumed method in compression list */ 1220 /* Look for resumed method in compression list */
1277 for (m = 0; m < i; m++) 1221 for (m = 0; m < i; m++) {
1278 {
1279 if (q[m] == comp_id) 1222 if (q[m] == comp_id)
1280 break; 1223 break;
1281 } 1224 }
1282 if (m >= i) 1225 if (m >= i) {
1283 { 1226 al = SSL_AD_ILLEGAL_PARAMETER;
1284 al=SSL_AD_ILLEGAL_PARAMETER; 1227 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1285 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1286 goto f_err; 1228 goto f_err;
1287 }
1288 } 1229 }
1289 else if (s->hit) 1230 } else if (s->hit)
1290 comp = NULL; 1231 comp = NULL;
1291 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods) 1232 else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
1292 { /* See if we have a match */ 1233 { /* See if we have a match */
1293 int m,nn,o,v,done=0; 1234 int m, nn, o, v, done = 0;
1294 1235
1295 nn=sk_SSL_COMP_num(s->ctx->comp_methods); 1236 nn = sk_SSL_COMP_num(s->ctx->comp_methods);
1296 for (m=0; m<nn; m++) 1237 for (m = 0; m < nn; m++) {
1297 { 1238 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
1298 comp=sk_SSL_COMP_value(s->ctx->comp_methods,m); 1239 v = comp->id;
1299 v=comp->id; 1240 for (o = 0; o < i; o++) {
1300 for (o=0; o<i; o++) 1241 if (v == q[o]) {
1301 { 1242 done = 1;
1302 if (v == q[o])
1303 {
1304 done=1;
1305 break; 1243 break;
1306 }
1307 } 1244 }
1308 if (done) break;
1309 } 1245 }
1246 if (done)
1247 break;
1248 }
1310 if (done) 1249 if (done)
1311 s->s3->tmp.new_compression=comp; 1250 s->s3->tmp.new_compression = comp;
1312 else 1251 else
1313 comp=NULL; 1252 comp = NULL;
1314 } 1253 }
1315#else 1254#else
1316 /* If compression is disabled we'd better not try to resume a session 1255 /* If compression is disabled we'd better not try to resume a session
1317 * using compression. 1256 * using compression.
1318 */ 1257 */
1319 if (s->session->compress_meth != 0) 1258 if (s->session->compress_meth != 0) {
1320 { 1259 al = SSL_AD_INTERNAL_ERROR;
1321 al=SSL_AD_INTERNAL_ERROR; 1260 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1322 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
1323 goto f_err; 1261 goto f_err;
1324 } 1262 }
1325#endif 1263#endif
1326 1264
1327 /* Given s->session->ciphers and SSL_get_ciphers, we must 1265 /* Given s->session->ciphers and SSL_get_ciphers, we must
1328 * pick a cipher */ 1266 * pick a cipher */
1329 1267
1330 if (!s->hit) 1268 if (!s->hit) {
1331 {
1332#ifdef OPENSSL_NO_COMP 1269#ifdef OPENSSL_NO_COMP
1333 s->session->compress_meth=0; 1270 s->session->compress_meth = 0;
1334#else 1271#else
1335 s->session->compress_meth=(comp == NULL)?0:comp->id; 1272 s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1336#endif 1273#endif
1337 if (s->session->ciphers != NULL) 1274 if (s->session->ciphers != NULL)
1338 sk_SSL_CIPHER_free(s->session->ciphers); 1275 sk_SSL_CIPHER_free(s->session->ciphers);
1339 s->session->ciphers=ciphers; 1276 s->session->ciphers = ciphers;
1340 if (ciphers == NULL) 1277 if (ciphers == NULL) {
1341 { 1278 al = SSL_AD_ILLEGAL_PARAMETER;
1342 al=SSL_AD_ILLEGAL_PARAMETER; 1279 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
1343 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
1344 goto f_err; 1280 goto f_err;
1345 } 1281 }
1346 ciphers=NULL; 1282 ciphers = NULL;
1347 c=ssl3_choose_cipher(s,s->session->ciphers, 1283 c = ssl3_choose_cipher(s, s->session->ciphers,
1348 SSL_get_ciphers(s)); 1284 SSL_get_ciphers(s));
1349 1285
1350 if (c == NULL) 1286 if (c == NULL) {
1351 { 1287 al = SSL_AD_HANDSHAKE_FAILURE;
1352 al=SSL_AD_HANDSHAKE_FAILURE; 1288 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1353 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
1354 goto f_err; 1289 goto f_err;
1355 }
1356 s->s3->tmp.new_cipher=c;
1357 } 1290 }
1358 else 1291 s->s3->tmp.new_cipher = c;
1359 { 1292 } else {
1360 /* Session-id reuse */ 1293 /* Session-id reuse */
1361#ifdef REUSE_CIPHER_BUG 1294#ifdef REUSE_CIPHER_BUG
1362 STACK_OF(SSL_CIPHER) *sk; 1295 STACK_OF(SSL_CIPHER) *sk;
1363 SSL_CIPHER *nc=NULL; 1296 SSL_CIPHER *nc = NULL;
1364 SSL_CIPHER *ec=NULL; 1297 SSL_CIPHER *ec = NULL;
1365 1298
1366 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) 1299 if (s->options & SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) {
1367 { 1300 sk = s->session->ciphers;
1368 sk=s->session->ciphers; 1301 for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
1369 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1302 c = sk_SSL_CIPHER_value(sk, i);
1370 {
1371 c=sk_SSL_CIPHER_value(sk,i);
1372 if (c->algorithm_enc & SSL_eNULL) 1303 if (c->algorithm_enc & SSL_eNULL)
1373 nc=c; 1304 nc = c;
1374 if (SSL_C_IS_EXPORT(c)) 1305 if (SSL_C_IS_EXPORT(c))
1375 ec=c; 1306 ec = c;
1376 } 1307 }
1377 if (nc != NULL) 1308 if (nc != NULL)
1378 s->s3->tmp.new_cipher=nc; 1309 s->s3->tmp.new_cipher = nc;
1379 else if (ec != NULL) 1310 else if (ec != NULL)
1380 s->s3->tmp.new_cipher=ec; 1311 s->s3->tmp.new_cipher = ec;
1381 else 1312 else
1382 s->s3->tmp.new_cipher=s->session->cipher; 1313 s->s3->tmp.new_cipher = s->session->cipher;
1383 } 1314 } else
1384 else
1385#endif 1315#endif
1386 s->s3->tmp.new_cipher=s->session->cipher; 1316 s->s3->tmp.new_cipher = s->session->cipher;
1387 } 1317 }
1388 1318
1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1319 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) {
1390 { 1320 if (!ssl3_digest_cached_records(s)) {
1391 if (!ssl3_digest_cached_records(s))
1392 {
1393 al = SSL_AD_INTERNAL_ERROR; 1321 al = SSL_AD_INTERNAL_ERROR;
1394 goto f_err; 1322 goto f_err;
1395 }
1396 } 1323 }
1397 1324 }
1325
1398 /* we now have the following setup. 1326 /* we now have the following setup.
1399 * client_random 1327 * client_random
1400 * cipher_list - our prefered list of ciphers 1328 * cipher_list - our prefered list of ciphers
@@ -1407,50 +1335,49 @@ int ssl3_get_client_hello(SSL *s)
1407 */ 1335 */
1408 1336
1409 /* Handles TLS extensions that we couldn't check earlier */ 1337 /* Handles TLS extensions that we couldn't check earlier */
1410 if (s->version >= SSL3_VERSION) 1338 if (s->version >= SSL3_VERSION) {
1411 { 1339 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1412 if (ssl_check_clienthello_tlsext_late(s) <= 0)
1413 {
1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1340 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1415 goto err; 1341 goto err;
1416 }
1417 } 1342 }
1343 }
1418 1344
1419 if (ret < 0) ret=1; 1345 if (ret < 0)
1420 if (0) 1346 ret = 1;
1421 { 1347 if (0) {
1422f_err: 1348f_err:
1423 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1349 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1424 }
1425err:
1426 if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
1427 return(ret);
1428 } 1350 }
1351err:
1352 if (ciphers != NULL)
1353 sk_SSL_CIPHER_free(ciphers);
1354 return (ret);
1355}
1429 1356
1430int ssl3_send_server_hello(SSL *s) 1357int
1431 { 1358ssl3_send_server_hello(SSL *s)
1359{
1432 unsigned char *buf; 1360 unsigned char *buf;
1433 unsigned char *p,*d; 1361 unsigned char *p, *d;
1434 int i,sl; 1362 int i, sl;
1435 unsigned long l; 1363 unsigned long l;
1436 1364
1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1365 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
1438 { 1366 buf = (unsigned char *)s->init_buf->data;
1439 buf=(unsigned char *)s->init_buf->data;
1440#ifdef OPENSSL_NO_TLSEXT 1367#ifdef OPENSSL_NO_TLSEXT
1441 p=s->s3->server_random; 1368 p = s->s3->server_random;
1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1369 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1443 return -1; 1370 return -1;
1444#endif 1371#endif
1445 /* Do the message type and length last */ 1372 /* Do the message type and length last */
1446 d=p= &(buf[4]); 1373 d = p= &(buf[4]);
1447 1374
1448 *(p++)=s->version>>8; 1375 *(p++) = s->version >> 8;
1449 *(p++)=s->version&0xff; 1376 *(p++) = s->version&0xff;
1450 1377
1451 /* Random stuff */ 1378 /* Random stuff */
1452 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1379 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1453 p+=SSL3_RANDOM_SIZE; 1380 p += SSL3_RANDOM_SIZE;
1454 1381
1455 /* There are several cases for the session ID to send 1382 /* There are several cases for the session ID to send
1456 * back in the server hello: 1383 * back in the server hello:
@@ -1469,317 +1396,287 @@ int ssl3_send_server_hello(SSL *s)
1469 */ 1396 */
1470 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1397 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1471 && !s->hit) 1398 && !s->hit)
1472 s->session->session_id_length=0; 1399 s->session->session_id_length = 0;
1473 1400
1474 sl=s->session->session_id_length; 1401 sl = s->session->session_id_length;
1475 if (sl > (int)sizeof(s->session->session_id)) 1402 if (sl > (int)sizeof(s->session->session_id)) {
1476 {
1477 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1403 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1478 return -1; 1404 return -1;
1479 } 1405 }
1480 *(p++)=sl; 1406 *(p++) = sl;
1481 memcpy(p,s->session->session_id,sl); 1407 memcpy(p, s->session->session_id, sl);
1482 p+=sl; 1408 p += sl;
1483 1409
1484 /* put the cipher */ 1410 /* put the cipher */
1485 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 1411 i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
1486 p+=i; 1412 p += i;
1487 1413
1488 /* put the compression method */ 1414 /* put the compression method */
1489#ifdef OPENSSL_NO_COMP 1415#ifdef OPENSSL_NO_COMP
1490 *(p++)=0; 1416 *(p++) = 0;
1491#else 1417#else
1492 if (s->s3->tmp.new_compression == NULL) 1418 if (s->s3->tmp.new_compression == NULL)
1493 *(p++)=0; 1419 *(p++) = 0;
1494 else 1420 else
1495 *(p++)=s->s3->tmp.new_compression->id; 1421 *(p++) = s->s3->tmp.new_compression->id;
1496#endif 1422#endif
1497#ifndef OPENSSL_NO_TLSEXT 1423#ifndef OPENSSL_NO_TLSEXT
1498 if (ssl_prepare_serverhello_tlsext(s) <= 0) 1424 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1499 { 1425 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1500 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
1501 return -1; 1426 return -1;
1502 } 1427 }
1503 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 1428 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1504 { 1429 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1505 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
1506 return -1; 1430 return -1;
1507 } 1431 }
1508#endif 1432#endif
1509 /* do the header */ 1433 /* do the header */
1510 l=(p-d); 1434 l = (p - d);
1511 d=buf; 1435 d = buf;
1512 *(d++)=SSL3_MT_SERVER_HELLO; 1436 *(d++) = SSL3_MT_SERVER_HELLO;
1513 l2n3(l,d); 1437 l2n3(l, d);
1514 1438
1515 s->state=SSL3_ST_SW_SRVR_HELLO_B; 1439 s->state = SSL3_ST_SW_SRVR_HELLO_B;
1516 /* number of bytes to write */ 1440 /* number of bytes to write */
1517 s->init_num=p-buf; 1441 s->init_num = p - buf;
1518 s->init_off=0; 1442 s->init_off = 0;
1519 } 1443 }
1520 1444
1521 /* SSL3_ST_SW_SRVR_HELLO_B */ 1445 /* SSL3_ST_SW_SRVR_HELLO_B */
1522 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1446 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1523 } 1447}
1524 1448
1525int ssl3_send_server_done(SSL *s) 1449int
1526 { 1450ssl3_send_server_done(SSL *s)
1451{
1527 unsigned char *p; 1452 unsigned char *p;
1528 1453
1529 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 1454 if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1530 { 1455 p = (unsigned char *)s->init_buf->data;
1531 p=(unsigned char *)s->init_buf->data;
1532 1456
1533 /* do the header */ 1457 /* do the header */
1534 *(p++)=SSL3_MT_SERVER_DONE; 1458 *(p++) = SSL3_MT_SERVER_DONE;
1535 *(p++)=0; 1459 *(p++) = 0;
1536 *(p++)=0; 1460 *(p++) = 0;
1537 *(p++)=0; 1461 *(p++) = 0;
1538 1462
1539 s->state=SSL3_ST_SW_SRVR_DONE_B; 1463 s->state = SSL3_ST_SW_SRVR_DONE_B;
1540 /* number of bytes to write */ 1464 /* number of bytes to write */
1541 s->init_num=4; 1465 s->init_num = 4;
1542 s->init_off=0; 1466 s->init_off = 0;
1543 } 1467 }
1544 1468
1545 /* SSL3_ST_SW_SRVR_DONE_B */ 1469 /* SSL3_ST_SW_SRVR_DONE_B */
1546 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1470 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
1547 } 1471}
1548 1472
1549int ssl3_send_server_key_exchange(SSL *s) 1473int
1550 { 1474ssl3_send_server_key_exchange(SSL *s)
1475{
1551#ifndef OPENSSL_NO_RSA 1476#ifndef OPENSSL_NO_RSA
1552 unsigned char *q; 1477 unsigned char *q;
1553 int j,num; 1478 int j, num;
1554 RSA *rsa; 1479 RSA *rsa;
1555 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1480 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1556 unsigned int u; 1481 unsigned int u;
1557#endif 1482#endif
1558#ifndef OPENSSL_NO_DH 1483#ifndef OPENSSL_NO_DH
1559 DH *dh=NULL,*dhp; 1484 DH *dh = NULL, *dhp;
1560#endif 1485#endif
1561#ifndef OPENSSL_NO_ECDH 1486#ifndef OPENSSL_NO_ECDH
1562 EC_KEY *ecdh=NULL, *ecdhp; 1487 EC_KEY *ecdh = NULL, *ecdhp;
1563 unsigned char *encodedPoint = NULL; 1488 unsigned char *encodedPoint = NULL;
1564 int encodedlen = 0; 1489 int encodedlen = 0;
1565 int curve_id = 0; 1490 int curve_id = 0;
1566 BN_CTX *bn_ctx = NULL; 1491 BN_CTX *bn_ctx = NULL;
1492
1567#endif 1493#endif
1568 EVP_PKEY *pkey; 1494 EVP_PKEY *pkey;
1569 const EVP_MD *md = NULL; 1495 const EVP_MD *md = NULL;
1570 unsigned char *p,*d; 1496 unsigned char *p, *d;
1571 int al,i; 1497 int al, i;
1572 unsigned long type; 1498 unsigned long type;
1573 int n; 1499 int n;
1574 CERT *cert; 1500 CERT *cert;
1575 BIGNUM *r[4]; 1501 BIGNUM *r[4];
1576 int nr[4],kn; 1502 int nr[4], kn;
1577 BUF_MEM *buf; 1503 BUF_MEM *buf;
1578 EVP_MD_CTX md_ctx; 1504 EVP_MD_CTX md_ctx;
1579 1505
1580 EVP_MD_CTX_init(&md_ctx); 1506 EVP_MD_CTX_init(&md_ctx);
1581 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 1507 if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1582 { 1508 type = s->s3->tmp.new_cipher->algorithm_mkey;
1583 type=s->s3->tmp.new_cipher->algorithm_mkey; 1509 cert = s->cert;
1584 cert=s->cert;
1585 1510
1586 buf=s->init_buf; 1511 buf = s->init_buf;
1587 1512
1588 r[0]=r[1]=r[2]=r[3]=NULL; 1513 r[0] = r[1] = r[2] = r[3] = NULL;
1589 n=0; 1514 n = 0;
1590#ifndef OPENSSL_NO_RSA 1515#ifndef OPENSSL_NO_RSA
1591 if (type & SSL_kRSA) 1516 if (type & SSL_kRSA) {
1592 { 1517 rsa = cert->rsa_tmp;
1593 rsa=cert->rsa_tmp; 1518 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
1594 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 1519 rsa = s->cert->rsa_tmp_cb(s,
1595 { 1520 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1596 rsa=s->cert->rsa_tmp_cb(s, 1521 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1597 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1522 if (rsa == NULL) {
1598 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1523 al = SSL_AD_HANDSHAKE_FAILURE;
1599 if(rsa == NULL) 1524 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1600 {
1601 al=SSL_AD_HANDSHAKE_FAILURE;
1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1603 goto f_err; 1525 goto f_err;
1604 } 1526 }
1605 RSA_up_ref(rsa); 1527 RSA_up_ref(rsa);
1606 cert->rsa_tmp=rsa; 1528 cert->rsa_tmp = rsa;
1607 } 1529 }
1608 if (rsa == NULL) 1530 if (rsa == NULL) {
1609 { 1531 al = SSL_AD_HANDSHAKE_FAILURE;
1610 al=SSL_AD_HANDSHAKE_FAILURE; 1532 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY);
1611 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
1612 goto f_err; 1533 goto f_err;
1613 }
1614 r[0]=rsa->n;
1615 r[1]=rsa->e;
1616 s->s3->tmp.use_rsa_tmp=1;
1617 } 1534 }
1618 else 1535 r[0] = rsa->n;
1536 r[1] = rsa->e;
1537 s->s3->tmp.use_rsa_tmp = 1;
1538 } else
1619#endif 1539#endif
1620#ifndef OPENSSL_NO_DH 1540#ifndef OPENSSL_NO_DH
1621 if (type & SSL_kEDH) 1541 if (type & SSL_kEDH) {
1622 { 1542 dhp = cert->dh_tmp;
1623 dhp=cert->dh_tmp;
1624 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1543 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1625 dhp=s->cert->dh_tmp_cb(s, 1544 dhp = s->cert->dh_tmp_cb(s,
1626 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1545 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1627 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1546 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1628 if (dhp == NULL) 1547 if (dhp == NULL) {
1629 { 1548 al = SSL_AD_HANDSHAKE_FAILURE;
1630 al=SSL_AD_HANDSHAKE_FAILURE; 1549 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
1631 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
1632 goto f_err; 1550 goto f_err;
1633 } 1551 }
1634 1552
1635 if (s->s3->tmp.dh != NULL) 1553 if (s->s3->tmp.dh != NULL) {
1636 {
1637 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1554 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1638 goto err; 1555 goto err;
1639 } 1556 }
1640 1557
1641 if ((dh=DHparams_dup(dhp)) == NULL) 1558 if ((dh = DHparams_dup(dhp)) == NULL) {
1642 { 1559 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1643 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1644 goto err; 1560 goto err;
1645 } 1561 }
1646 1562
1647 s->s3->tmp.dh=dh; 1563 s->s3->tmp.dh = dh;
1648 if ((dhp->pub_key == NULL || 1564 if ((dhp->pub_key == NULL || dhp->priv_key == NULL ||
1649 dhp->priv_key == NULL || 1565 (s->options & SSL_OP_SINGLE_DH_USE))) {
1650 (s->options & SSL_OP_SINGLE_DH_USE))) 1566 if (!DH_generate_key(dh)) {
1651 { 1567 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1652 if(!DH_generate_key(dh)) 1568 ERR_R_DH_LIB);
1653 { 1569 goto err;
1654 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1655 ERR_R_DH_LIB);
1656 goto err;
1657 }
1658 } 1570 }
1659 else 1571 } else {
1660 { 1572 dh->pub_key = BN_dup(dhp->pub_key);
1661 dh->pub_key=BN_dup(dhp->pub_key); 1573 dh->priv_key = BN_dup(dhp->priv_key);
1662 dh->priv_key=BN_dup(dhp->priv_key);
1663 if ((dh->pub_key == NULL) || 1574 if ((dh->pub_key == NULL) ||
1664 (dh->priv_key == NULL)) 1575 (dh->priv_key == NULL)) {
1665 { 1576 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1666 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
1667 goto err; 1577 goto err;
1668 }
1669 } 1578 }
1670 r[0]=dh->p;
1671 r[1]=dh->g;
1672 r[2]=dh->pub_key;
1673 } 1579 }
1674 else 1580 r[0] = dh->p;
1581 r[1] = dh->g;
1582 r[2] = dh->pub_key;
1583 } else
1675#endif 1584#endif
1676#ifndef OPENSSL_NO_ECDH 1585#ifndef OPENSSL_NO_ECDH
1677 if (type & SSL_kEECDH) 1586 if (type & SSL_kEECDH) {
1678 {
1679 const EC_GROUP *group; 1587 const EC_GROUP *group;
1680 1588
1681 ecdhp=cert->ecdh_tmp; 1589 ecdhp = cert->ecdh_tmp;
1682 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) 1590 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
1683 { 1591 ecdhp = s->cert->ecdh_tmp_cb(
1684 ecdhp=s->cert->ecdh_tmp_cb(s, 1592 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1685 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1593 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1686 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1594 }
1687 } 1595 if (ecdhp == NULL) {
1688 if (ecdhp == NULL) 1596 al = SSL_AD_HANDSHAKE_FAILURE;
1689 { 1597 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
1690 al=SSL_AD_HANDSHAKE_FAILURE;
1691 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
1692 goto f_err; 1598 goto f_err;
1693 } 1599 }
1694 1600
1695 if (s->s3->tmp.ecdh != NULL) 1601 if (s->s3->tmp.ecdh != NULL) {
1696 {
1697 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1602 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1698 goto err; 1603 goto err;
1699 } 1604 }
1700 1605
1701 /* Duplicate the ECDH structure. */ 1606 /* Duplicate the ECDH structure. */
1702 if (ecdhp == NULL) 1607 if (ecdhp == NULL) {
1703 { 1608 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1704 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1705 goto err; 1609 goto err;
1706 } 1610 }
1707 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) 1611 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1708 { 1612 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1709 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1710 goto err; 1613 goto err;
1711 } 1614 }
1712 1615
1713 s->s3->tmp.ecdh=ecdh; 1616 s->s3->tmp.ecdh = ecdh;
1714 if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1617 if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1715 (EC_KEY_get0_private_key(ecdh) == NULL) || 1618 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1716 (s->options & SSL_OP_SINGLE_ECDH_USE)) 1619 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1717 { 1620 if (!EC_KEY_generate_key(ecdh)) {
1718 if(!EC_KEY_generate_key(ecdh)) 1621 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1719 { 1622 goto err;
1720 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1721 goto err;
1722 }
1723 } 1623 }
1624 }
1724 1625
1725 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1626 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1726 (EC_KEY_get0_public_key(ecdh) == NULL) || 1627 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1727 (EC_KEY_get0_private_key(ecdh) == NULL)) 1628 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1728 { 1629 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1729 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1730 goto err; 1630 goto err;
1731 } 1631 }
1732 1632
1733 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1633 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1734 (EC_GROUP_get_degree(group) > 163)) 1634 (EC_GROUP_get_degree(group) > 163)) {
1735 { 1635 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1736 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1737 goto err; 1636 goto err;
1738 } 1637 }
1739 1638
1740 /* XXX: For now, we only support ephemeral ECDH 1639 /* XXX: For now, we only support ephemeral ECDH
1741 * keys over named (not generic) curves. For 1640 * keys over named (not generic) curves. For
1742 * supported named curves, curve_id is non-zero. 1641 * supported named curves, curve_id is non-zero.
1743 */ 1642 */
1744 if ((curve_id = 1643 if ((curve_id = tls1_ec_nid2curve_id(
1745 tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1644 EC_GROUP_get_curve_name(group))) == 0) {
1746 == 0) 1645 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1747 {
1748 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1749 goto err; 1646 goto err;
1750 } 1647 }
1751 1648
1752 /* Encode the public key. 1649 /* Encode the public key.
1753 * First check the size of encoding and 1650 * First check the size of encoding and
1754 * allocate memory accordingly. 1651 * allocate memory accordingly.
1755 */ 1652 */
1756 encodedlen = EC_POINT_point2oct(group, 1653 encodedlen = EC_POINT_point2oct(group,
1757 EC_KEY_get0_public_key(ecdh), 1654 EC_KEY_get0_public_key(ecdh),
1758 POINT_CONVERSION_UNCOMPRESSED, 1655 POINT_CONVERSION_UNCOMPRESSED,
1759 NULL, 0, NULL); 1656 NULL, 0, NULL);
1657
1658 encodedPoint = (unsigned char *)
1659 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1760 1660
1761 encodedPoint = (unsigned char *)
1762 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1763 bn_ctx = BN_CTX_new(); 1661 bn_ctx = BN_CTX_new();
1764 if ((encodedPoint == NULL) || (bn_ctx == NULL)) 1662 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1765 { 1663 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1766 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1767 goto err; 1664 goto err;
1768 } 1665 }
1769 1666
1770 1667
1771 encodedlen = EC_POINT_point2oct(group, 1668 encodedlen = EC_POINT_point2oct(group,
1772 EC_KEY_get0_public_key(ecdh), 1669 EC_KEY_get0_public_key(ecdh),
1773 POINT_CONVERSION_UNCOMPRESSED, 1670 POINT_CONVERSION_UNCOMPRESSED,
1774 encodedPoint, encodedlen, bn_ctx); 1671 encodedPoint, encodedlen, bn_ctx);
1775 1672
1776 if (encodedlen == 0) 1673 if (encodedlen == 0) {
1777 { 1674 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1778 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1779 goto err; 1675 goto err;
1780 } 1676 }
1781 1677
1782 BN_CTX_free(bn_ctx); bn_ctx=NULL; 1678 BN_CTX_free(bn_ctx);
1679 bn_ctx = NULL;
1783 1680
1784 /* XXX: For now, we only support named (not 1681 /* XXX: For now, we only support named (not
1785 * generic) curves in ECDH ephemeral key exchanges. 1682 * generic) curves in ECDH ephemeral key exchanges.
@@ -1792,98 +1689,80 @@ int ssl3_send_server_key_exchange(SSL *s)
1792 /* We'll generate the serverKeyExchange message 1689 /* We'll generate the serverKeyExchange message
1793 * explicitly so we can set these to NULLs 1690 * explicitly so we can set these to NULLs
1794 */ 1691 */
1795 r[0]=NULL; 1692 r[0] = NULL;
1796 r[1]=NULL; 1693 r[1] = NULL;
1797 r[2]=NULL; 1694 r[2] = NULL;
1798 r[3]=NULL; 1695 r[3] = NULL;
1799 } 1696 } else
1800 else
1801#endif /* !OPENSSL_NO_ECDH */ 1697#endif /* !OPENSSL_NO_ECDH */
1802#ifndef OPENSSL_NO_PSK 1698#ifndef OPENSSL_NO_PSK
1803 if (type & SSL_kPSK) 1699 if (type & SSL_kPSK) {
1804 { 1700 /* reserve size for record length and PSK identity hint*/
1805 /* reserve size for record length and PSK identity hint*/ 1701 n += 2 + strlen(s->ctx->psk_identity_hint);
1806 n+=2+strlen(s->ctx->psk_identity_hint); 1702 } else
1807 }
1808 else
1809#endif /* !OPENSSL_NO_PSK */ 1703#endif /* !OPENSSL_NO_PSK */
1810#ifndef OPENSSL_NO_SRP 1704#ifndef OPENSSL_NO_SRP
1811 if (type & SSL_kSRP) 1705 if (type & SSL_kSRP) {
1812 { 1706 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
1813 if ((s->srp_ctx.N == NULL) || 1707 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
1814 (s->srp_ctx.g == NULL) || 1708 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
1815 (s->srp_ctx.s == NULL) ||
1816 (s->srp_ctx.B == NULL))
1817 {
1818 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM);
1819 goto err; 1709 goto err;
1820 }
1821 r[0]=s->srp_ctx.N;
1822 r[1]=s->srp_ctx.g;
1823 r[2]=s->srp_ctx.s;
1824 r[3]=s->srp_ctx.B;
1825 } 1710 }
1826 else 1711 r[0] = s->srp_ctx.N;
1712 r[1] = s->srp_ctx.g;
1713 r[2] = s->srp_ctx.s;
1714 r[3] = s->srp_ctx.B;
1715 } else
1827#endif 1716#endif
1828 { 1717 {
1829 al=SSL_AD_HANDSHAKE_FAILURE; 1718 al = SSL_AD_HANDSHAKE_FAILURE;
1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1719 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1831 goto f_err; 1720 goto f_err;
1832 } 1721 }
1833 for (i=0; i < 4 && r[i] != NULL; i++) 1722 for (i = 0; i < 4 && r[i] != NULL; i++) {
1834 { 1723 nr[i] = BN_num_bytes(r[i]);
1835 nr[i]=BN_num_bytes(r[i]);
1836#ifndef OPENSSL_NO_SRP 1724#ifndef OPENSSL_NO_SRP
1837 if ((i == 2) && (type & SSL_kSRP)) 1725 if ((i == 2) && (type & SSL_kSRP))
1838 n+=1+nr[i]; 1726 n += 1 + nr[i];
1839 else 1727 else
1840#endif 1728#endif
1841 n+=2+nr[i]; 1729 n += 2 + nr[i];
1842 } 1730 }
1843 1731
1844 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1732 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
1845 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1733 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1846 { 1734 if ((pkey = ssl_get_sign_pkey(
1847 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) 1735 s, s->s3->tmp.new_cipher, &md)) == NULL) {
1848 == NULL) 1736 al = SSL_AD_DECODE_ERROR;
1849 {
1850 al=SSL_AD_DECODE_ERROR;
1851 goto f_err; 1737 goto f_err;
1852 }
1853 kn=EVP_PKEY_size(pkey);
1854 }
1855 else
1856 {
1857 pkey=NULL;
1858 kn=0;
1859 } 1738 }
1739 kn = EVP_PKEY_size(pkey);
1740 } else {
1741 pkey = NULL;
1742 kn = 0;
1743 }
1860 1744
1861 if (!BUF_MEM_grow_clean(buf,n+4+kn)) 1745 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) {
1862 { 1746 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
1863 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1864 goto err; 1747 goto err;
1865 } 1748 }
1866 d=(unsigned char *)s->init_buf->data; 1749 d = (unsigned char *)s->init_buf->data;
1867 p= &(d[4]); 1750 p = &(d[4]);
1868 1751
1869 for (i=0; i < 4 && r[i] != NULL; i++) 1752 for (i = 0; i < 4 && r[i] != NULL; i++) {
1870 {
1871#ifndef OPENSSL_NO_SRP 1753#ifndef OPENSSL_NO_SRP
1872 if ((i == 2) && (type & SSL_kSRP)) 1754 if ((i == 2) && (type & SSL_kSRP)) {
1873 {
1874 *p = nr[i]; 1755 *p = nr[i];
1875 p++; 1756 p++;
1876 } 1757 } else
1877 else
1878#endif 1758#endif
1879 s2n(nr[i],p); 1759 s2n(nr[i], p);
1880 BN_bn2bin(r[i],p); 1760 BN_bn2bin(r[i], p);
1881 p+=nr[i]; 1761 p += nr[i];
1882 } 1762 }
1883 1763
1884#ifndef OPENSSL_NO_ECDH 1764#ifndef OPENSSL_NO_ECDH
1885 if (type & SSL_kEECDH) 1765 if (type & SSL_kEECDH) {
1886 {
1887 /* XXX: For now, we only support named (not generic) curves. 1766 /* XXX: For now, we only support named (not generic) curves.
1888 * In this situation, the serverKeyExchange message has: 1767 * In this situation, the serverKeyExchange message has:
1889 * [1 byte CurveType], [2 byte CurveName] 1768 * [1 byte CurveType], [2 byte CurveName]
@@ -1898,236 +1777,220 @@ int ssl3_send_server_key_exchange(SSL *s)
1898 p += 1; 1777 p += 1;
1899 *p = encodedlen; 1778 *p = encodedlen;
1900 p += 1; 1779 p += 1;
1901 memcpy((unsigned char*)p, 1780 memcpy((unsigned char*)p,
1902 (unsigned char *)encodedPoint, 1781 (unsigned char *)encodedPoint, encodedlen);
1903 encodedlen);
1904 OPENSSL_free(encodedPoint); 1782 OPENSSL_free(encodedPoint);
1905 encodedPoint = NULL; 1783 encodedPoint = NULL;
1906 p += encodedlen; 1784 p += encodedlen;
1907 } 1785 }
1908#endif 1786#endif
1909 1787
1910#ifndef OPENSSL_NO_PSK 1788#ifndef OPENSSL_NO_PSK
1911 if (type & SSL_kPSK) 1789 if (type & SSL_kPSK) {
1912 {
1913 /* copy PSK identity hint */ 1790 /* copy PSK identity hint */
1914 s2n(strlen(s->ctx->psk_identity_hint), p); 1791 s2n(strlen(s->ctx->psk_identity_hint), p);
1792
1915 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 1793 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
1916 p+=strlen(s->ctx->psk_identity_hint); 1794 p += strlen(s->ctx->psk_identity_hint);
1917 } 1795 }
1918#endif 1796#endif
1919 1797
1920 /* not anonymous */ 1798 /* not anonymous */
1921 if (pkey != NULL) 1799 if (pkey != NULL) {
1922 {
1923 /* n is the length of the params, they start at &(d[4]) 1800 /* n is the length of the params, they start at &(d[4])
1924 * and p points to the space at the end. */ 1801 * and p points to the space at the end. */
1925#ifndef OPENSSL_NO_RSA 1802#ifndef OPENSSL_NO_RSA
1926 if (pkey->type == EVP_PKEY_RSA 1803 if (pkey->type == EVP_PKEY_RSA
1927 && TLS1_get_version(s) < TLS1_2_VERSION) 1804 && TLS1_get_version(s) < TLS1_2_VERSION) {
1928 { 1805 q = md_buf;
1929 q=md_buf; 1806 j = 0;
1930 j=0; 1807 for (num = 2; num > 0; num--) {
1931 for (num=2; num > 0; num--)
1932 {
1933 EVP_MD_CTX_set_flags(&md_ctx, 1808 EVP_MD_CTX_set_flags(&md_ctx,
1934 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1809 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1935 EVP_DigestInit_ex(&md_ctx,(num == 2) 1810 EVP_DigestInit_ex(&md_ctx,
1936 ?s->ctx->md5:s->ctx->sha1, NULL); 1811 (num == 2) ? s->ctx->md5 : s->ctx->sha1, NULL);
1937 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1812 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1938 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1813 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1939 EVP_DigestUpdate(&md_ctx,&(d[4]),n); 1814 EVP_DigestUpdate(&md_ctx, &(d[4]), n);
1940 EVP_DigestFinal_ex(&md_ctx,q, 1815 EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
1941 (unsigned int *)&i); 1816 q += i;
1942 q+=i; 1817 j += i;
1943 j+=i; 1818 }
1944 }
1945 if (RSA_sign(NID_md5_sha1, md_buf, j, 1819 if (RSA_sign(NID_md5_sha1, md_buf, j,
1946 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1820 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1947 { 1821 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
1948 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1949 goto err; 1822 goto err;
1950 }
1951 s2n(u,p);
1952 n+=u+2;
1953 } 1823 }
1954 else 1824 s2n(u, p);
1825 n += u + 2;
1826 } else
1955#endif 1827#endif
1956 if (md) 1828 if (md) {
1957 {
1958 /* For TLS1.2 and later send signature 1829 /* For TLS1.2 and later send signature
1959 * algorithm */ 1830 * algorithm */
1960 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1831 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1961 { 1832 if (!tls12_get_sigandhash(p, pkey, md)) {
1962 if (!tls12_get_sigandhash(p, pkey, md))
1963 {
1964 /* Should never happen */ 1833 /* Should never happen */
1965 al=SSL_AD_INTERNAL_ERROR; 1834 al = SSL_AD_INTERNAL_ERROR;
1966 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1835 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1967 goto f_err; 1836 goto f_err;
1968 }
1969 p+=2;
1970 } 1837 }
1838 p += 2;
1839 }
1971#ifdef SSL_DEBUG 1840#ifdef SSL_DEBUG
1972 fprintf(stderr, "Using hash %s\n", 1841 fprintf(stderr, "Using hash %s\n",
1973 EVP_MD_name(md)); 1842 EVP_MD_name(md));
1974#endif 1843#endif
1975 EVP_SignInit_ex(&md_ctx, md, NULL); 1844 EVP_SignInit_ex(&md_ctx, md, NULL);
1976 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1845 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
1977 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1846 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
1978 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1847 EVP_SignUpdate(&md_ctx, &(d[4]), n);
1979 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1848 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1980 (unsigned int *)&i,pkey)) 1849 (unsigned int *)&i, pkey)) {
1981 { 1850 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
1982 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP);
1983 goto err; 1851 goto err;
1984 }
1985 s2n(i,p);
1986 n+=i+2;
1987 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1988 n+= 2;
1989 } 1852 }
1990 else 1853 s2n(i, p);
1991 { 1854 n += i + 2;
1855 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1856 n += 2;
1857 } else {
1992 /* Is this error check actually needed? */ 1858 /* Is this error check actually needed? */
1993 al=SSL_AD_HANDSHAKE_FAILURE; 1859 al = SSL_AD_HANDSHAKE_FAILURE;
1994 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1860 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_PKEY_TYPE);
1995 goto f_err; 1861 goto f_err;
1996 }
1997 } 1862 }
1863 }
1998 1864
1999 *(d++)=SSL3_MT_SERVER_KEY_EXCHANGE; 1865 *(d++) = SSL3_MT_SERVER_KEY_EXCHANGE;
2000 l2n3(n,d); 1866 l2n3(n, d);
2001 1867
2002 /* we should now have things packed up, so lets send 1868 /* we should now have things packed up, so lets send
2003 * it off */ 1869 * it off */
2004 s->init_num=n+4; 1870 s->init_num = n + 4;
2005 s->init_off=0; 1871 s->init_off = 0;
2006 } 1872 }
2007 1873
2008 s->state = SSL3_ST_SW_KEY_EXCH_B; 1874 s->state = SSL3_ST_SW_KEY_EXCH_B;
2009 EVP_MD_CTX_cleanup(&md_ctx); 1875 EVP_MD_CTX_cleanup(&md_ctx);
2010 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1876 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2011f_err: 1877f_err:
2012 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1878 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2013err: 1879err:
2014#ifndef OPENSSL_NO_ECDH 1880#ifndef OPENSSL_NO_ECDH
2015 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1881 if (encodedPoint != NULL)
1882 OPENSSL_free(encodedPoint);
2016 BN_CTX_free(bn_ctx); 1883 BN_CTX_free(bn_ctx);
2017#endif 1884#endif
2018 EVP_MD_CTX_cleanup(&md_ctx); 1885 EVP_MD_CTX_cleanup(&md_ctx);
2019 return(-1); 1886 return (-1);
2020 } 1887}
2021 1888
2022int ssl3_send_certificate_request(SSL *s) 1889int
2023 { 1890ssl3_send_certificate_request(SSL *s)
2024 unsigned char *p,*d; 1891{
2025 int i,j,nl,off,n; 1892 unsigned char *p, *d;
2026 STACK_OF(X509_NAME) *sk=NULL; 1893 int i, j, nl, off, n;
1894 STACK_OF(X509_NAME) *sk = NULL;
2027 X509_NAME *name; 1895 X509_NAME *name;
2028 BUF_MEM *buf; 1896 BUF_MEM *buf;
2029 1897
2030 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1898 if (s->state == SSL3_ST_SW_CERT_REQ_A) {
2031 { 1899 buf = s->init_buf;
2032 buf=s->init_buf;
2033 1900
2034 d=p=(unsigned char *)&(buf->data[4]); 1901 d = p = (unsigned char *)&(buf->data[4]);
2035 1902
2036 /* get the list of acceptable cert types */ 1903 /* get the list of acceptable cert types */
2037 p++; 1904 p++;
2038 n=ssl3_get_req_cert_type(s,p); 1905 n = ssl3_get_req_cert_type(s, p);
2039 d[0]=n; 1906 d[0] = n;
2040 p+=n; 1907 p += n;
2041 n++; 1908 n++;
2042 1909
2043 if (TLS1_get_version(s) >= TLS1_2_VERSION) 1910 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2044 {
2045 nl = tls12_get_req_sig_algs(s, p + 2); 1911 nl = tls12_get_req_sig_algs(s, p + 2);
2046 s2n(nl, p); 1912 s2n(nl, p);
2047 p += nl + 2; 1913 p += nl + 2;
2048 n += nl + 2; 1914 n += nl + 2;
2049 } 1915 }
2050
2051 off=n;
2052 p+=2;
2053 n+=2;
2054 1916
2055 sk=SSL_get_client_CA_list(s); 1917 off = n;
2056 nl=0; 1918 p += 2;
2057 if (sk != NULL) 1919 n += 2;
2058 { 1920
2059 for (i=0; i<sk_X509_NAME_num(sk); i++) 1921 sk = SSL_get_client_CA_list(s);
2060 { 1922 nl = 0;
2061 name=sk_X509_NAME_value(sk,i); 1923 if (sk != NULL) {
2062 j=i2d_X509_NAME(name,NULL); 1924 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2063 if (!BUF_MEM_grow_clean(buf,4+n+j+2)) 1925 name = sk_X509_NAME_value(sk, i);
2064 { 1926 j = i2d_X509_NAME(name, NULL);
2065 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1927 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) {
1928 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB);
2066 goto err; 1929 goto err;
2067 } 1930 }
2068 p=(unsigned char *)&(buf->data[4+n]); 1931 p = (unsigned char *)&(buf->data[4 + n]);
2069 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1932 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
2070 { 1933 s2n(j, p);
2071 s2n(j,p); 1934 i2d_X509_NAME(name, &p);
2072 i2d_X509_NAME(name,&p); 1935 n += 2 + j;
2073 n+=2+j; 1936 nl += 2 + j;
2074 nl+=2+j; 1937 } else {
2075 } 1938 d = p;
2076 else 1939 i2d_X509_NAME(name, &p);
2077 { 1940 j -= 2;
2078 d=p; 1941 s2n(j, d);
2079 i2d_X509_NAME(name,&p); 1942 j += 2;
2080 j-=2; s2n(j,d); j+=2; 1943 n += j;
2081 n+=j; 1944 nl += j;
2082 nl+=j;
2083 }
2084 } 1945 }
2085 } 1946 }
1947 }
2086 /* else no CA names */ 1948 /* else no CA names */
2087 p=(unsigned char *)&(buf->data[4+off]); 1949 p = (unsigned char *)&(buf->data[4 + off]);
2088 s2n(nl,p); 1950 s2n(nl, p);
2089 1951
2090 d=(unsigned char *)buf->data; 1952 d = (unsigned char *)buf->data;
2091 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1953 *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
2092 l2n3(n,d); 1954 l2n3(n, d);
2093 1955
2094 /* we should now have things packed up, so lets send 1956 /* we should now have things packed up, so lets send
2095 * it off */ 1957 * it off */
2096 1958
2097 s->init_num=n+4; 1959 s->init_num = n + 4;
2098 s->init_off=0; 1960 s->init_off = 0;
2099#ifdef NETSCAPE_HANG_BUG 1961#ifdef NETSCAPE_HANG_BUG
2100 p=(unsigned char *)s->init_buf->data + s->init_num; 1962 p = (unsigned char *)s->init_buf->data + s->init_num;
2101 1963
2102 /* do the header */ 1964 /* do the header */
2103 *(p++)=SSL3_MT_SERVER_DONE; 1965 *(p++) = SSL3_MT_SERVER_DONE;
2104 *(p++)=0; 1966 *(p++) = 0;
2105 *(p++)=0; 1967 *(p++) = 0;
2106 *(p++)=0; 1968 *(p++) = 0;
2107 s->init_num += 4; 1969 s->init_num += 4;
2108#endif 1970#endif
2109 1971
2110 s->state = SSL3_ST_SW_CERT_REQ_B; 1972 s->state = SSL3_ST_SW_CERT_REQ_B;
2111 } 1973 }
2112 1974
2113 /* SSL3_ST_SW_CERT_REQ_B */ 1975 /* SSL3_ST_SW_CERT_REQ_B */
2114 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 1976 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
2115err: 1977err:
2116 return(-1); 1978 return (-1);
2117 } 1979}
2118 1980
2119int ssl3_get_client_key_exchange(SSL *s) 1981int
2120 { 1982ssl3_get_client_key_exchange(SSL *s)
2121 int i,al,ok; 1983{
1984 int i, al, ok;
2122 long n; 1985 long n;
2123 unsigned long alg_k; 1986 unsigned long alg_k;
2124 unsigned char *p; 1987 unsigned char *p;
2125#ifndef OPENSSL_NO_RSA 1988#ifndef OPENSSL_NO_RSA
2126 RSA *rsa=NULL; 1989 RSA *rsa = NULL;
2127 EVP_PKEY *pkey=NULL; 1990 EVP_PKEY *pkey = NULL;
2128#endif 1991#endif
2129#ifndef OPENSSL_NO_DH 1992#ifndef OPENSSL_NO_DH
2130 BIGNUM *pub=NULL; 1993 BIGNUM *pub = NULL;
2131 DH *dh_srvr; 1994 DH *dh_srvr;
2132#endif 1995#endif
2133#ifndef OPENSSL_NO_KRB5 1996#ifndef OPENSSL_NO_KRB5
@@ -2138,83 +2001,67 @@ int ssl3_get_client_key_exchange(SSL *s)
2138 EC_KEY *srvr_ecdh = NULL; 2001 EC_KEY *srvr_ecdh = NULL;
2139 EVP_PKEY *clnt_pub_pkey = NULL; 2002 EVP_PKEY *clnt_pub_pkey = NULL;
2140 EC_POINT *clnt_ecpoint = NULL; 2003 EC_POINT *clnt_ecpoint = NULL;
2141 BN_CTX *bn_ctx = NULL; 2004 BN_CTX *bn_ctx = NULL;
2142#endif
2143 2005
2144 n=s->method->ssl_get_message(s, 2006#endif
2145 SSL3_ST_SR_KEY_EXCH_A,
2146 SSL3_ST_SR_KEY_EXCH_B,
2147 SSL3_MT_CLIENT_KEY_EXCHANGE,
2148 2048, /* ??? */
2149 &ok);
2150 2007
2151 if (!ok) return((int)n); 2008 n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
2152 p=(unsigned char *)s->init_msg; 2009 SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE,
2010 2048, /* ??? */ &ok);
2011 if (!ok)
2012 return ((int)n);
2013 p = (unsigned char *)s->init_msg;
2153 2014
2154 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 2015 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2155 2016
2156#ifndef OPENSSL_NO_RSA 2017#ifndef OPENSSL_NO_RSA
2157 if (alg_k & SSL_kRSA) 2018 if (alg_k & SSL_kRSA) {
2158 {
2159 /* FIX THIS UP EAY EAY EAY EAY */ 2019 /* FIX THIS UP EAY EAY EAY EAY */
2160 if (s->s3->tmp.use_rsa_tmp) 2020 if (s->s3->tmp.use_rsa_tmp) {
2161 {
2162 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 2021 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
2163 rsa=s->cert->rsa_tmp; 2022 rsa = s->cert->rsa_tmp;
2164 /* Don't do a callback because rsa_tmp should 2023 /* Don't do a callback because rsa_tmp should
2165 * be sent already */ 2024 * be sent already */
2166 if (rsa == NULL) 2025 if (rsa == NULL) {
2167 { 2026 al = SSL_AD_HANDSHAKE_FAILURE;
2168 al=SSL_AD_HANDSHAKE_FAILURE; 2027 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_PKEY);
2169 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_PKEY);
2170 goto f_err; 2028 goto f_err;
2171 2029
2172 }
2173 } 2030 }
2174 else 2031 } else {
2175 { 2032 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
2176 pkey=s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; 2033 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
2177 if ( (pkey == NULL) || 2034 (pkey->pkey.rsa == NULL)) {
2178 (pkey->type != EVP_PKEY_RSA) || 2035 al = SSL_AD_HANDSHAKE_FAILURE;
2179 (pkey->pkey.rsa == NULL)) 2036 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_RSA_CERTIFICATE);
2180 {
2181 al=SSL_AD_HANDSHAKE_FAILURE;
2182 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
2183 goto f_err; 2037 goto f_err;
2184 }
2185 rsa=pkey->pkey.rsa;
2186 } 2038 }
2039 rsa = pkey->pkey.rsa;
2040 }
2187 2041
2188 /* TLS and [incidentally] DTLS{0xFEFF} */ 2042 /* TLS and [incidentally] DTLS{0xFEFF} */
2189 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) 2043 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
2190 { 2044 n2s(p, i);
2191 n2s(p,i); 2045 if (n != i + 2) {
2192 if (n != i+2) 2046 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
2193 { 2047 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2194 if (!(s->options & SSL_OP_TLS_D5_BUG))
2195 {
2196 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2197 goto err; 2048 goto err;
2198 } 2049 } else
2199 else 2050 p -= 2;
2200 p-=2; 2051 } else
2201 } 2052 n = i;
2202 else 2053 }
2203 n=i;
2204 }
2205 2054
2206 i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); 2055 i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
2207 2056
2208 al = -1; 2057 al = -1;
2209 2058
2210 if (i != SSL_MAX_MASTER_KEY_LENGTH) 2059 if (i != SSL_MAX_MASTER_KEY_LENGTH) {
2211 { 2060 al = SSL_AD_DECODE_ERROR;
2212 al=SSL_AD_DECODE_ERROR;
2213 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 2061 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
2214 } 2062 }
2215 2063
2216 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 2064 if ((al == -1) && !((p[0] == (s->client_version >> 8)) && (p[1] == (s->client_version & 0xff)))) {
2217 {
2218 /* The premaster secret must contain the same version number as the 2065 /* The premaster secret must contain the same version number as the
2219 * ClientHello to detect version rollback attacks (strangely, the 2066 * ClientHello to detect version rollback attacks (strangely, the
2220 * protocol does not offer such protection for DH ciphersuites). 2067 * protocol does not offer such protection for DH ciphersuites).
@@ -2223,9 +2070,8 @@ int ssl3_get_client_key_exchange(SSL *s)
2223 * protocol version. 2070 * protocol version.
2224 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 2071 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
2225 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 2072 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
2226 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 2073 (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) {
2227 { 2074 al = SSL_AD_DECODE_ERROR;
2228 al=SSL_AD_DECODE_ERROR;
2229 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2075 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2230 2076
2231 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2077 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
@@ -2235,11 +2081,10 @@ int ssl3_get_client_key_exchange(SSL *s)
2235 * made up by the adversary is properly formatted except 2081 * made up by the adversary is properly formatted except
2236 * that the version number is wrong. To avoid such attacks, 2082 * that the version number is wrong. To avoid such attacks,
2237 * we should treat this just like any other decryption error. */ 2083 * we should treat this just like any other decryption error. */
2238 }
2239 } 2084 }
2085 }
2240 2086
2241 if (al != -1) 2087 if (al != -1) {
2242 {
2243 /* Some decryption failure -- use random value instead as countermeasure 2088 /* Some decryption failure -- use random value instead as countermeasure
2244 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 2089 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
2245 * (see RFC 2246, section 7.4.7.1). */ 2090 * (see RFC 2246, section 7.4.7.1). */
@@ -2249,83 +2094,69 @@ int ssl3_get_client_key_exchange(SSL *s)
2249 p[1] = s->client_version & 0xff; 2094 p[1] = s->client_version & 0xff;
2250 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 2095 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
2251 goto err; 2096 goto err;
2252 }
2253
2254 s->session->master_key_length=
2255 s->method->ssl3_enc->generate_master_secret(s,
2256 s->session->master_key,
2257 p,i);
2258 OPENSSL_cleanse(p,i);
2259 } 2097 }
2260 else 2098
2099 s->session->master_key_length =
2100 s->method->ssl3_enc->generate_master_secret(s,
2101 s->session->master_key,
2102 p, i);
2103 OPENSSL_cleanse(p, i);
2104 } else
2261#endif 2105#endif
2262#ifndef OPENSSL_NO_DH 2106#ifndef OPENSSL_NO_DH
2263 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2107 if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
2264 { 2108 n2s(p, i);
2265 n2s(p,i); 2109 if (n != i + 2) {
2266 if (n != i+2) 2110 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
2267 { 2111 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2268 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
2269 {
2270 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2271 goto err; 2112 goto err;
2272 } 2113 } else {
2273 else 2114 p -= 2;
2274 { 2115 i = (int)n;
2275 p-=2;
2276 i=(int)n;
2277 }
2278 } 2116 }
2117 }
2279 2118
2280 if (n == 0L) /* the parameters are in the cert */ 2119 if (n == 0L) /* the parameters are in the cert */
2281 { 2120 {
2282 al=SSL_AD_HANDSHAKE_FAILURE; 2121 al = SSL_AD_HANDSHAKE_FAILURE;
2283 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2122 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_DECODE_DH_CERTS);
2284 goto f_err; 2123 goto f_err;
2285 } 2124 } else {
2286 else 2125 if (s->s3->tmp.dh == NULL) {
2287 { 2126 al = SSL_AD_HANDSHAKE_FAILURE;
2288 if (s->s3->tmp.dh == NULL) 2127 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
2289 {
2290 al=SSL_AD_HANDSHAKE_FAILURE;
2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
2292 goto f_err; 2128 goto f_err;
2293 } 2129 } else
2294 else 2130 dh_srvr = s->s3->tmp.dh;
2295 dh_srvr=s->s3->tmp.dh; 2131 }
2296 }
2297 2132
2298 pub=BN_bin2bn(p,i,NULL); 2133 pub = BN_bin2bn(p, i, NULL);
2299 if (pub == NULL) 2134 if (pub == NULL) {
2300 { 2135 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2301 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
2302 goto err; 2136 goto err;
2303 } 2137 }
2304 2138
2305 i=DH_compute_key(p,pub,dh_srvr); 2139 i = DH_compute_key(p, pub, dh_srvr);
2306 2140
2307 if (i <= 0) 2141 if (i <= 0) {
2308 { 2142 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2309 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2310 BN_clear_free(pub); 2143 BN_clear_free(pub);
2311 goto err; 2144 goto err;
2312 } 2145 }
2313 2146
2314 DH_free(s->s3->tmp.dh); 2147 DH_free(s->s3->tmp.dh);
2315 s->s3->tmp.dh=NULL; 2148 s->s3->tmp.dh = NULL;
2316 2149
2317 BN_clear_free(pub); 2150 BN_clear_free(pub);
2318 pub=NULL; 2151 pub = NULL;
2319 s->session->master_key_length= 2152 s->session->master_key_length =
2320 s->method->ssl3_enc->generate_master_secret(s, 2153 s->method->ssl3_enc->generate_master_secret(
2321 s->session->master_key,p,i); 2154 s, s->session->master_key, p, i);
2322 OPENSSL_cleanse(p,i); 2155 OPENSSL_cleanse(p, i);
2323 } 2156 } else
2324 else
2325#endif 2157#endif
2326#ifndef OPENSSL_NO_KRB5 2158#ifndef OPENSSL_NO_KRB5
2327 if (alg_k & SSL_kKRB5) 2159 if (alg_k & SSL_kKRB5) {
2328 {
2329 krb5_error_code krb5rc; 2160 krb5_error_code krb5rc;
2330 krb5_data enc_ticket; 2161 krb5_data enc_ticket;
2331 krb5_data authenticator; 2162 krb5_data authenticator;
@@ -2335,100 +2166,94 @@ int ssl3_get_client_key_exchange(SSL *s)
2335 const EVP_CIPHER *enc = NULL; 2166 const EVP_CIPHER *enc = NULL;
2336 unsigned char iv[EVP_MAX_IV_LENGTH]; 2167 unsigned char iv[EVP_MAX_IV_LENGTH];
2337 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH 2168 unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
2338 + EVP_MAX_BLOCK_LENGTH]; 2169 + EVP_MAX_BLOCK_LENGTH];
2339 int padl, outl; 2170 int padl, outl;
2340 krb5_timestamp authtime = 0; 2171 krb5_timestamp authtime = 0;
2341 krb5_ticket_times ttimes; 2172 krb5_ticket_times ttimes;
2342 2173
2343 EVP_CIPHER_CTX_init(&ciph_ctx); 2174 EVP_CIPHER_CTX_init(&ciph_ctx);
2344 2175
2345 if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); 2176 if (!kssl_ctx)
2177 kssl_ctx = kssl_ctx_new();
2346 2178
2347 n2s(p,i); 2179 n2s(p, i);
2348 enc_ticket.length = i; 2180 enc_ticket.length = i;
2349 2181
2350 if (n < (long)(enc_ticket.length + 6)) 2182 if (n < (long)(enc_ticket.length + 6)) {
2351 {
2352 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2183 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2353 SSL_R_DATA_LENGTH_TOO_LONG); 2184 SSL_R_DATA_LENGTH_TOO_LONG);
2354 goto err; 2185 goto err;
2355 } 2186 }
2356 2187
2357 enc_ticket.data = (char *)p; 2188 enc_ticket.data = (char *)p;
2358 p+=enc_ticket.length; 2189 p += enc_ticket.length;
2359 2190
2360 n2s(p,i); 2191 n2s(p, i);
2361 authenticator.length = i; 2192 authenticator.length = i;
2362 2193
2363 if (n < (long)(enc_ticket.length + authenticator.length + 6)) 2194 if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
2364 {
2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2195 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2366 SSL_R_DATA_LENGTH_TOO_LONG); 2196 SSL_R_DATA_LENGTH_TOO_LONG);
2367 goto err; 2197 goto err;
2368 } 2198 }
2369 2199
2370 authenticator.data = (char *)p; 2200 authenticator.data = (char *)p;
2371 p+=authenticator.length; 2201 p += authenticator.length;
2372 2202
2373 n2s(p,i); 2203 n2s(p, i);
2374 enc_pms.length = i; 2204 enc_pms.length = i;
2375 enc_pms.data = (char *)p; 2205 enc_pms.data = (char *)p;
2376 p+=enc_pms.length; 2206 p += enc_pms.length;
2377 2207
2378 /* Note that the length is checked again below, 2208 /* Note that the length is checked again below,
2379 ** after decryption 2209 ** after decryption
2380 */ 2210 */
2381 if(enc_pms.length > sizeof pms) 2211 if (enc_pms.length > sizeof pms) {
2382 {
2383 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2212 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2384 SSL_R_DATA_LENGTH_TOO_LONG); 2213 SSL_R_DATA_LENGTH_TOO_LONG);
2385 goto err; 2214 goto err;
2386 } 2215 }
2387 2216
2388 if (n != (long)(enc_ticket.length + authenticator.length + 2217 if (n != (long)(enc_ticket.length + authenticator.length +
2389 enc_pms.length + 6)) 2218 enc_pms.length + 6)) {
2390 {
2391 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2219 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2392 SSL_R_DATA_LENGTH_TOO_LONG); 2220 SSL_R_DATA_LENGTH_TOO_LONG);
2393 goto err; 2221 goto err;
2394 } 2222 }
2395 2223
2396 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, 2224 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
2397 &kssl_err)) != 0) 2225 &kssl_err)) != 0) {
2398 {
2399#ifdef KSSL_DEBUG 2226#ifdef KSSL_DEBUG
2400 printf("kssl_sget_tkt rtn %d [%d]\n", 2227 printf("kssl_sget_tkt rtn %d [%d]\n",
2401 krb5rc, kssl_err.reason); 2228 krb5rc, kssl_err.reason);
2402 if (kssl_err.text) 2229 if (kssl_err.text)
2403 printf("kssl_err text= %s\n", kssl_err.text); 2230 printf("kssl_err text= %s\n", kssl_err.text);
2404#endif /* KSSL_DEBUG */ 2231#endif /* KSSL_DEBUG */
2405 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2232 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2406 kssl_err.reason); 2233 kssl_err.reason);
2407 goto err; 2234 goto err;
2408 } 2235 }
2409 2236
2410 /* Note: no authenticator is not considered an error, 2237 /* Note: no authenticator is not considered an error,
2411 ** but will return authtime == 0. 2238 ** but will return authtime == 0.
2412 */ 2239 */
2413 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, 2240 if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
2414 &authtime, &kssl_err)) != 0) 2241 &authtime, &kssl_err)) != 0) {
2415 {
2416#ifdef KSSL_DEBUG 2242#ifdef KSSL_DEBUG
2417 printf("kssl_check_authent rtn %d [%d]\n", 2243 printf("kssl_check_authent rtn %d [%d]\n",
2418 krb5rc, kssl_err.reason); 2244 krb5rc, kssl_err.reason);
2419 if (kssl_err.text) 2245 if (kssl_err.text)
2420 printf("kssl_err text= %s\n", kssl_err.text); 2246 printf("kssl_err text= %s\n", kssl_err.text);
2421#endif /* KSSL_DEBUG */ 2247#endif /* KSSL_DEBUG */
2422 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2248 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2423 kssl_err.reason); 2249 kssl_err.reason);
2424 goto err; 2250 goto err;
2425 } 2251 }
2426 2252
2427 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) 2253 if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
2428 {
2429 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc); 2254 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
2430 goto err; 2255 goto err;
2431 } 2256 }
2432 2257
2433#ifdef KSSL_DEBUG 2258#ifdef KSSL_DEBUG
2434 kssl_ctx_show(kssl_ctx); 2259 kssl_ctx_show(kssl_ctx);
@@ -2436,44 +2261,38 @@ int ssl3_get_client_key_exchange(SSL *s)
2436 2261
2437 enc = kssl_map_enc(kssl_ctx->enctype); 2262 enc = kssl_map_enc(kssl_ctx->enctype);
2438 if (enc == NULL) 2263 if (enc == NULL)
2439 goto err; 2264 goto err;
2440 2265
2441 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2266 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2442 2267
2443 if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) 2268 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) {
2444 {
2445 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2446 SSL_R_DECRYPTION_FAILED); 2270 SSL_R_DECRYPTION_FAILED);
2447 goto err; 2271 goto err;
2448 } 2272 }
2449 if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, 2273 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
2450 (unsigned char *)enc_pms.data, enc_pms.length)) 2274 (unsigned char *)enc_pms.data, enc_pms.length)) {
2451 {
2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2275 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2453 SSL_R_DECRYPTION_FAILED); 2276 SSL_R_DECRYPTION_FAILED);
2454 goto err; 2277 goto err;
2455 } 2278 }
2456 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2279 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2457 {
2458 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2280 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2459 SSL_R_DATA_LENGTH_TOO_LONG); 2281 SSL_R_DATA_LENGTH_TOO_LONG);
2460 goto err; 2282 goto err;
2461 } 2283 }
2462 if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) 2284 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
2463 {
2464 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2285 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2465 SSL_R_DECRYPTION_FAILED); 2286 SSL_R_DECRYPTION_FAILED);
2466 goto err; 2287 goto err;
2467 } 2288 }
2468 outl += padl; 2289 outl += padl;
2469 if (outl > SSL_MAX_MASTER_KEY_LENGTH) 2290 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2470 {
2471 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2291 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2472 SSL_R_DATA_LENGTH_TOO_LONG); 2292 SSL_R_DATA_LENGTH_TOO_LONG);
2473 goto err; 2293 goto err;
2474 } 2294 }
2475 if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff)))) 2295 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
2476 {
2477 /* The premaster secret must contain the same version number as the 2296 /* The premaster secret must contain the same version number as the
2478 * ClientHello to detect version rollback attacks (strangely, the 2297 * ClientHello to detect version rollback attacks (strangely, the
2479 * protocol does not offer such protection for DH ciphersuites). 2298 * protocol does not offer such protection for DH ciphersuites).
@@ -2482,29 +2301,26 @@ int ssl3_get_client_key_exchange(SSL *s)
2482 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2301 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
2483 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2302 * (Perhaps we should have a separate BUG value for the Kerberos cipher)
2484 */ 2303 */
2485 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) 2304 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
2486 { 2305 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2487 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2306 SSL_AD_DECODE_ERROR);
2488 SSL_AD_DECODE_ERROR); 2307 goto err;
2489 goto err;
2490 } 2308 }
2491 } 2309 }
2492 2310
2493 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2311 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2494 2312
2495 s->session->master_key_length= 2313 s->session->master_key_length =
2496 s->method->ssl3_enc->generate_master_secret(s, 2314 s->method->ssl3_enc->generate_master_secret(s,
2497 s->session->master_key, pms, outl); 2315 s->session->master_key, pms, outl);
2498 2316
2499 if (kssl_ctx->client_princ) 2317 if (kssl_ctx->client_princ) {
2500 {
2501 size_t len = strlen(kssl_ctx->client_princ); 2318 size_t len = strlen(kssl_ctx->client_princ);
2502 if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 2319 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
2503 {
2504 s->session->krb5_client_princ_len = len; 2320 s->session->krb5_client_princ_len = len;
2505 memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); 2321 memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ, len);
2506 }
2507 } 2322 }
2323 }
2508 2324
2509 2325
2510 /* Was doing kssl_ctx_free() here, 2326 /* Was doing kssl_ctx_free() here,
@@ -2512,13 +2328,11 @@ int ssl3_get_client_key_exchange(SSL *s)
2512 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2328 ** kssl_ctx = kssl_ctx_free(kssl_ctx);
2513 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2329 ** if (s->kssl_ctx) s->kssl_ctx = NULL;
2514 */ 2330 */
2515 } 2331 } else
2516 else
2517#endif /* OPENSSL_NO_KRB5 */ 2332#endif /* OPENSSL_NO_KRB5 */
2518 2333
2519#ifndef OPENSSL_NO_ECDH 2334#ifndef OPENSSL_NO_ECDH
2520 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2335 if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
2521 {
2522 int ret = 1; 2336 int ret = 1;
2523 int field_size = 0; 2337 int field_size = 0;
2524 const EC_KEY *tkey; 2338 const EC_KEY *tkey;
@@ -2526,60 +2340,51 @@ int ssl3_get_client_key_exchange(SSL *s)
2526 const BIGNUM *priv_key; 2340 const BIGNUM *priv_key;
2527 2341
2528 /* initialize structures for server's ECDH key pair */ 2342 /* initialize structures for server's ECDH key pair */
2529 if ((srvr_ecdh = EC_KEY_new()) == NULL) 2343 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
2530 {
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2344 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 ERR_R_MALLOC_FAILURE); 2345 ERR_R_MALLOC_FAILURE);
2533 goto err; 2346 goto err;
2534 } 2347 }
2535 2348
2536 /* Let's get server private key and group information */ 2349 /* Let's get server private key and group information */
2537 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) 2350 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
2538 {
2539 /* use the certificate */ 2351 /* use the certificate */
2540 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2352 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2541 } 2353 } else {
2542 else
2543 {
2544 /* use the ephermeral values we saved when 2354 /* use the ephermeral values we saved when
2545 * generating the ServerKeyExchange msg. 2355 * generating the ServerKeyExchange msg.
2546 */ 2356 */
2547 tkey = s->s3->tmp.ecdh; 2357 tkey = s->s3->tmp.ecdh;
2548 } 2358 }
2549 2359
2550 group = EC_KEY_get0_group(tkey); 2360 group = EC_KEY_get0_group(tkey);
2551 priv_key = EC_KEY_get0_private_key(tkey); 2361 priv_key = EC_KEY_get0_private_key(tkey);
2552 2362
2553 if (!EC_KEY_set_group(srvr_ecdh, group) || 2363 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2554 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) 2364 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
2555 {
2556 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2365 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2557 ERR_R_EC_LIB); 2366 ERR_R_EC_LIB);
2558 goto err; 2367 goto err;
2559 } 2368 }
2560 2369
2561 /* Let's get client's public key */ 2370 /* Let's get client's public key */
2562 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) 2371 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
2563 {
2564 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2372 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2565 ERR_R_MALLOC_FAILURE); 2373 ERR_R_MALLOC_FAILURE);
2566 goto err; 2374 goto err;
2567 } 2375 }
2568 2376
2569 if (n == 0L) 2377 if (n == 0L) {
2570 {
2571 /* Client Publickey was in Client Certificate */ 2378 /* Client Publickey was in Client Certificate */
2572 2379
2573 if (alg_k & SSL_kEECDH) 2380 if (alg_k & SSL_kEECDH) {
2574 { 2381 al = SSL_AD_HANDSHAKE_FAILURE;
2575 al=SSL_AD_HANDSHAKE_FAILURE; 2382 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
2576 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY); 2383 goto f_err;
2577 goto f_err; 2384 }
2578 } 2385 if (((clnt_pub_pkey = X509_get_pubkey(
2579 if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer)) 2386 s->session->peer)) == NULL) ||
2580 == NULL) || 2387 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2581 (clnt_pub_pkey->type != EVP_PKEY_EC))
2582 {
2583 /* XXX: For now, we do not support client 2388 /* XXX: For now, we do not support client
2584 * authentication using ECDH certificates 2389 * authentication using ECDH certificates
2585 * so this branch (n == 0L) of the code is 2390 * so this branch (n == 0L) of the code is
@@ -2591,771 +2396,680 @@ int ssl3_get_client_key_exchange(SSL *s)
2591 * the two ECDH shares are for the same 2396 * the two ECDH shares are for the same
2592 * group. 2397 * group.
2593 */ 2398 */
2594 al=SSL_AD_HANDSHAKE_FAILURE; 2399 al = SSL_AD_HANDSHAKE_FAILURE;
2595 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2400 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2596 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2401 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2597 goto f_err; 2402 goto f_err;
2598 } 2403 }
2599 2404
2600 if (EC_POINT_copy(clnt_ecpoint, 2405 if (EC_POINT_copy(clnt_ecpoint,
2601 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) 2406 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) {
2602 {
2603 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2407 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2604 ERR_R_EC_LIB); 2408 ERR_R_EC_LIB);
2605 goto err; 2409 goto err;
2606 }
2607 ret = 2; /* Skip certificate verify processing */
2608 } 2410 }
2609 else 2411 ret = 2; /* Skip certificate verify processing */
2610 { 2412 } else {
2611 /* Get client's public key from encoded point 2413 /* Get client's public key from encoded point
2612 * in the ClientKeyExchange message. 2414 * in the ClientKeyExchange message.
2613 */ 2415 */
2614 if ((bn_ctx = BN_CTX_new()) == NULL) 2416 if ((bn_ctx = BN_CTX_new()) == NULL) {
2615 {
2616 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2417 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2617 ERR_R_MALLOC_FAILURE); 2418 ERR_R_MALLOC_FAILURE);
2618 goto err; 2419 goto err;
2619 } 2420 }
2620 2421
2621 /* Get encoded point length */ 2422 /* Get encoded point length */
2622 i = *p; 2423 i = *p;
2424
2623 p += 1; 2425 p += 1;
2624 if (n != 1 + i) 2426 if (n != 1 + i) {
2625 {
2626 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2427 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2627 ERR_R_EC_LIB); 2428 ERR_R_EC_LIB);
2628 goto err; 2429 goto err;
2629 } 2430 }
2630 if (EC_POINT_oct2point(group, 2431 if (EC_POINT_oct2point(group,
2631 clnt_ecpoint, p, i, bn_ctx) == 0) 2432 clnt_ecpoint, p, i, bn_ctx) == 0) {
2632 {
2633 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2433 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2634 ERR_R_EC_LIB); 2434 ERR_R_EC_LIB);
2635 goto err; 2435 goto err;
2636 } 2436 }
2637 /* p is pointing to somewhere in the buffer 2437 /* p is pointing to somewhere in the buffer
2638 * currently, so set it to the start 2438 * currently, so set it to the start
2639 */ 2439 */
2640 p=(unsigned char *)s->init_buf->data; 2440 p = (unsigned char *)s->init_buf->data;
2641 } 2441 }
2642 2442
2643 /* Compute the shared pre-master secret */ 2443 /* Compute the shared pre-master secret */
2644 field_size = EC_GROUP_get_degree(group); 2444 field_size = EC_GROUP_get_degree(group);
2645 if (field_size <= 0) 2445 if (field_size <= 0) {
2646 { 2446 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2647 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2447 ERR_R_ECDH_LIB);
2648 ERR_R_ECDH_LIB);
2649 goto err; 2448 goto err;
2650 } 2449 }
2651 i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2450 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint, srvr_ecdh, NULL);
2652 if (i <= 0) 2451 if (i <= 0) {
2653 {
2654 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2452 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2655 ERR_R_ECDH_LIB); 2453 ERR_R_ECDH_LIB);
2656 goto err; 2454 goto err;
2657 } 2455 }
2658 2456
2659 EVP_PKEY_free(clnt_pub_pkey); 2457 EVP_PKEY_free(clnt_pub_pkey);
2660 EC_POINT_free(clnt_ecpoint); 2458 EC_POINT_free(clnt_ecpoint);
2661 EC_KEY_free(srvr_ecdh); 2459 EC_KEY_free(srvr_ecdh);
2662 BN_CTX_free(bn_ctx); 2460 BN_CTX_free(bn_ctx);
2663 EC_KEY_free(s->s3->tmp.ecdh); 2461 EC_KEY_free(s->s3->tmp.ecdh);
2664 s->s3->tmp.ecdh = NULL; 2462 s->s3->tmp.ecdh = NULL;
2463
2665 2464
2666 /* Compute the master secret */ 2465 /* Compute the master secret */
2667 s->session->master_key_length = s->method->ssl3_enc-> \ 2466 s->session->master_key_length = s->method->ssl3_enc-> \
2668 generate_master_secret(s, s->session->master_key, p, i); 2467 generate_master_secret(s, s->session->master_key, p, i);
2669 2468
2670 OPENSSL_cleanse(p, i); 2469 OPENSSL_cleanse(p, i);
2671 return (ret); 2470 return (ret);
2672 } 2471 } else
2673 else
2674#endif 2472#endif
2675#ifndef OPENSSL_NO_PSK 2473#ifndef OPENSSL_NO_PSK
2676 if (alg_k & SSL_kPSK) 2474 if (alg_k & SSL_kPSK) {
2677 { 2475 unsigned char *t = NULL;
2678 unsigned char *t = NULL; 2476 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2 + 4];
2679 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 2477 unsigned int pre_ms_len = 0, psk_len = 0;
2680 unsigned int pre_ms_len = 0, psk_len = 0; 2478 int psk_err = 1;
2681 int psk_err = 1; 2479 char tmp_id[PSK_MAX_IDENTITY_LEN + 1];
2682 char tmp_id[PSK_MAX_IDENTITY_LEN+1];
2683 2480
2684 al=SSL_AD_HANDSHAKE_FAILURE; 2481 al = SSL_AD_HANDSHAKE_FAILURE;
2685
2686 n2s(p,i);
2687 if (n != i+2)
2688 {
2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2690 SSL_R_LENGTH_MISMATCH);
2691 goto psk_err;
2692 }
2693 if (i > PSK_MAX_IDENTITY_LEN)
2694 {
2695 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2696 SSL_R_DATA_LENGTH_TOO_LONG);
2697 goto psk_err;
2698 }
2699 if (s->psk_server_callback == NULL)
2700 {
2701 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2702 SSL_R_PSK_NO_SERVER_CB);
2703 goto psk_err;
2704 }
2705 2482
2706 /* Create guaranteed NULL-terminated identity 2483 n2s(p, i);
2707 * string for the callback */ 2484 if (n != i + 2) {
2708 memcpy(tmp_id, p, i); 2485 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2709 memset(tmp_id+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 2486 SSL_R_LENGTH_MISMATCH);
2710 psk_len = s->psk_server_callback(s, tmp_id, 2487 goto psk_err;
2711 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2488 }
2712 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN+1); 2489 if (i > PSK_MAX_IDENTITY_LEN) {
2490 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2491 SSL_R_DATA_LENGTH_TOO_LONG);
2492 goto psk_err;
2493 }
2494 if (s->psk_server_callback == NULL) {
2495 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2496 SSL_R_PSK_NO_SERVER_CB);
2497 goto psk_err;
2498 }
2713 2499
2714 if (psk_len > PSK_MAX_PSK_LEN) 2500 /* Create guaranteed NULL-terminated identity
2715 { 2501 * string for the callback */
2716 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2502 memcpy(tmp_id, p, i);
2717 ERR_R_INTERNAL_ERROR); 2503 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
2718 goto psk_err; 2504 psk_len = s->psk_server_callback(s, tmp_id,
2719 } 2505 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2720 else if (psk_len == 0) 2506 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
2721 {
2722 /* PSK related to the given identity not found */
2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2724 SSL_R_PSK_IDENTITY_NOT_FOUND);
2725 al=SSL_AD_UNKNOWN_PSK_IDENTITY;
2726 goto psk_err;
2727 }
2728 2507
2729 /* create PSK pre_master_secret */ 2508 if (psk_len > PSK_MAX_PSK_LEN) {
2730 pre_ms_len=2+psk_len+2+psk_len; 2509 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2731 t = psk_or_pre_ms; 2510 ERR_R_INTERNAL_ERROR);
2732 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 2511 goto psk_err;
2733 s2n(psk_len, t); 2512 } else if (psk_len == 0) {
2734 memset(t, 0, psk_len); 2513 /* PSK related to the given identity not found */
2735 t+=psk_len; 2514 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2736 s2n(psk_len, t); 2515 SSL_R_PSK_IDENTITY_NOT_FOUND);
2737 2516 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2738 if (s->session->psk_identity != NULL) 2517 goto psk_err;
2739 OPENSSL_free(s->session->psk_identity); 2518 }
2740 s->session->psk_identity = BUF_strdup((char *)p); 2519
2741 if (s->session->psk_identity == NULL) 2520 /* create PSK pre_master_secret */
2742 { 2521 pre_ms_len = 2 + psk_len + 2 + psk_len;
2743 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2522 t = psk_or_pre_ms;
2744 ERR_R_MALLOC_FAILURE); 2523 memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len);
2745 goto psk_err; 2524 s2n(psk_len, t);
2746 } 2525 memset(t, 0, psk_len);
2526 t += psk_len;
2527 s2n(psk_len, t);
2528
2529 if (s->session->psk_identity != NULL)
2530 OPENSSL_free(s->session->psk_identity);
2531 s->session->psk_identity = BUF_strdup((char *)p);
2532 if (s->session->psk_identity == NULL) {
2533 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2534 ERR_R_MALLOC_FAILURE);
2535 goto psk_err;
2536 }
2747 2537
2748 if (s->session->psk_identity_hint != NULL) 2538 if (s->session->psk_identity_hint != NULL)
2749 OPENSSL_free(s->session->psk_identity_hint); 2539 OPENSSL_free(s->session->psk_identity_hint);
2750 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 2540 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
2751 if (s->ctx->psk_identity_hint != NULL && 2541 if (s->ctx->psk_identity_hint != NULL &&
2752 s->session->psk_identity_hint == NULL) 2542 s->session->psk_identity_hint == NULL) {
2753 { 2543 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2754 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2544 ERR_R_MALLOC_FAILURE);
2755 ERR_R_MALLOC_FAILURE); 2545 goto psk_err;
2756 goto psk_err; 2546 }
2757 }
2758 2547
2759 s->session->master_key_length= 2548 s->session->master_key_length =
2760 s->method->ssl3_enc->generate_master_secret(s, 2549 s->method->ssl3_enc->generate_master_secret(
2761 s->session->master_key, psk_or_pre_ms, pre_ms_len); 2550 s, s->session->master_key, psk_or_pre_ms, pre_ms_len);
2762 psk_err = 0; 2551 psk_err = 0;
2763 psk_err: 2552 psk_err:
2764 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2553 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
2765 if (psk_err != 0) 2554 if (psk_err != 0)
2766 goto f_err; 2555 goto f_err;
2767 } 2556 } else
2768 else
2769#endif 2557#endif
2770#ifndef OPENSSL_NO_SRP 2558#ifndef OPENSSL_NO_SRP
2771 if (alg_k & SSL_kSRP) 2559 if (alg_k & SSL_kSRP) {
2772 { 2560 int param_len;
2773 int param_len;
2774
2775 n2s(p,i);
2776 param_len=i+2;
2777 if (param_len > n)
2778 {
2779 al=SSL_AD_DECODE_ERROR;
2780 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH);
2781 goto f_err;
2782 }
2783 if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL)))
2784 {
2785 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
2786 goto err;
2787 }
2788 if (s->session->srp_username != NULL)
2789 OPENSSL_free(s->session->srp_username);
2790 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2791 if (s->session->srp_username == NULL)
2792 {
2793 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2794 ERR_R_MALLOC_FAILURE);
2795 goto err;
2796 }
2797 2561
2798 if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0) 2562 n2s(p, i);
2799 { 2563 param_len = i + 2;
2800 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2564 if (param_len > n) {
2801 goto err; 2565 al = SSL_AD_DECODE_ERROR;
2802 } 2566 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2567 goto f_err;
2568 }
2569 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
2570 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2571 goto err;
2572 }
2573 if (s->session->srp_username != NULL)
2574 OPENSSL_free(s->session->srp_username);
2575 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2576 if (s->session->srp_username == NULL) {
2577 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2578 ERR_R_MALLOC_FAILURE);
2579 goto err;
2580 }
2803 2581
2804 p+=i; 2582 if ((s->session->master_key_length = SRP_generate_server_master_secret(s, s->session->master_key)) < 0) {
2805 } 2583 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2806 else 2584 goto err;
2585 }
2586
2587 p += i;
2588 } else
2807#endif /* OPENSSL_NO_SRP */ 2589#endif /* OPENSSL_NO_SRP */
2808 if (alg_k & SSL_kGOST) 2590 if (alg_k & SSL_kGOST) {
2809 { 2591 int ret = 0;
2810 int ret = 0; 2592 EVP_PKEY_CTX *pkey_ctx;
2811 EVP_PKEY_CTX *pkey_ctx; 2593 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
2812 EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; 2594 unsigned char premaster_secret[32], *start;
2813 unsigned char premaster_secret[32], *start; 2595 size_t outlen = 32, inlen;
2814 size_t outlen=32, inlen; 2596 unsigned long alg_a;
2815 unsigned long alg_a; 2597
2816 2598 /* Get our certificate private key*/
2817 /* Get our certificate private key*/ 2599 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2818 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2600 if (alg_a & SSL_aGOST94)
2819 if (alg_a & SSL_aGOST94) 2601 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
2820 pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; 2602 else if (alg_a & SSL_aGOST01)
2821 else if (alg_a & SSL_aGOST01) 2603 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2822 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 2604
2823 2605 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2824 pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); 2606 EVP_PKEY_decrypt_init(pkey_ctx);
2825 EVP_PKEY_decrypt_init(pkey_ctx);
2826 /* If client certificate is present and is of the same type, maybe 2607 /* If client certificate is present and is of the same type, maybe
2827 * use it for key exchange. Don't mind errors from 2608 * use it for key exchange. Don't mind errors from
2828 * EVP_PKEY_derive_set_peer, because it is completely valid to use 2609 * EVP_PKEY_derive_set_peer, because it is completely valid to use
2829 * a client certificate for authorization only. */ 2610 * a client certificate for authorization only. */
2830 client_pub_pkey = X509_get_pubkey(s->session->peer); 2611 client_pub_pkey = X509_get_pubkey(s->session->peer);
2831 if (client_pub_pkey) 2612 if (client_pub_pkey) {
2832 { 2613 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
2833 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2614 ERR_clear_error();
2834 ERR_clear_error(); 2615 }
2835 } 2616 /* Decrypt session key */
2836 /* Decrypt session key */ 2617 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) {
2837 if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) 2618 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2838 { 2619 goto gerr;
2839 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2620 }
2840 goto gerr; 2621 if (p[1] == 0x81) {
2841 } 2622 start = p + 3;
2842 if (p[1] == 0x81) 2623 inlen = p[2];
2843 { 2624 } else if (p[1] < 0x80) {
2844 start = p+3; 2625 start = p + 2;
2845 inlen = p[2]; 2626 inlen = p[1];
2846 } 2627 } else {
2847 else if (p[1] < 0x80) 2628 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2848 { 2629 goto gerr;
2849 start = p+2; 2630 }
2850 inlen = p[1]; 2631 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <=0)
2851 } 2632
2852 else 2633 {
2853 { 2634 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED);
2854 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2635 goto gerr;
2855 goto gerr; 2636 }
2856 } 2637 /* Generate master secret */
2857 if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 2638 s->session->master_key_length =
2858 2639 s->method->ssl3_enc->generate_master_secret(
2859 { 2640 s, s->session->master_key, premaster_secret, 32);
2860 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); 2641 /* Check if pubkey from client certificate was used */
2861 goto gerr; 2642 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2862 } 2643 ret = 2;
2863 /* Generate master secret */ 2644 else
2864 s->session->master_key_length= 2645 ret = 1;
2865 s->method->ssl3_enc->generate_master_secret(s,
2866 s->session->master_key,premaster_secret,32);
2867 /* Check if pubkey from client certificate was used */
2868 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2869 ret = 2;
2870 else
2871 ret = 1;
2872 gerr: 2646 gerr:
2873 EVP_PKEY_free(client_pub_pkey); 2647 EVP_PKEY_free(client_pub_pkey);
2874 EVP_PKEY_CTX_free(pkey_ctx); 2648 EVP_PKEY_CTX_free(pkey_ctx);
2875 if (ret) 2649 if (ret)
2876 return ret; 2650 return ret;
2877 else
2878 goto err;
2879 }
2880 else 2651 else
2881 { 2652 goto err;
2882 al=SSL_AD_HANDSHAKE_FAILURE; 2653 } else {
2654 al = SSL_AD_HANDSHAKE_FAILURE;
2883 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2655 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2884 SSL_R_UNKNOWN_CIPHER_TYPE); 2656 SSL_R_UNKNOWN_CIPHER_TYPE);
2885 goto f_err; 2657 goto f_err;
2886 } 2658 }
2887 2659
2888 return(1); 2660 return (1);
2889f_err: 2661f_err:
2890 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2662 ssl3_send_alert(s, SSL3_AL_FATAL, al);
2891#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP) 2663#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2892err: 2664err:
2893#endif 2665#endif
2894#ifndef OPENSSL_NO_ECDH 2666#ifndef OPENSSL_NO_ECDH
2895 EVP_PKEY_free(clnt_pub_pkey); 2667 EVP_PKEY_free(clnt_pub_pkey);
2896 EC_POINT_free(clnt_ecpoint); 2668 EC_POINT_free(clnt_ecpoint);
2897 if (srvr_ecdh != NULL) 2669 if (srvr_ecdh != NULL)
2898 EC_KEY_free(srvr_ecdh); 2670 EC_KEY_free(srvr_ecdh);
2899 BN_CTX_free(bn_ctx); 2671 BN_CTX_free(bn_ctx);
2900#endif 2672#endif
2901 return(-1); 2673 return (-1);
2902 } 2674}
2903 2675
2904int ssl3_get_cert_verify(SSL *s) 2676int
2905 { 2677ssl3_get_cert_verify(SSL *s)
2906 EVP_PKEY *pkey=NULL; 2678{
2679 EVP_PKEY *pkey = NULL;
2907 unsigned char *p; 2680 unsigned char *p;
2908 int al,ok,ret=0; 2681 int al, ok, ret = 0;
2909 long n; 2682 long n;
2910 int type=0,i,j; 2683 int type = 0, i, j;
2911 X509 *peer; 2684 X509 *peer;
2912 const EVP_MD *md = NULL; 2685 const EVP_MD *md = NULL;
2913 EVP_MD_CTX mctx; 2686 EVP_MD_CTX mctx;
2914 EVP_MD_CTX_init(&mctx); 2687 EVP_MD_CTX_init(&mctx);
2915 2688
2916 n=s->method->ssl_get_message(s, 2689 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A,
2917 SSL3_ST_SR_CERT_VRFY_A, 2690 SSL3_ST_SR_CERT_VRFY_B, -1,
2918 SSL3_ST_SR_CERT_VRFY_B, 2691 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ &ok);
2919 -1, 2692 if (!ok)
2920 516, /* Enough for 4096 bit RSA key with TLS v1.2 */ 2693 return ((int)n);
2921 &ok); 2694
2922 2695 if (s->session->peer != NULL) {
2923 if (!ok) return((int)n); 2696 peer = s->session->peer;
2924 2697 pkey = X509_get_pubkey(peer);
2925 if (s->session->peer != NULL) 2698 type = X509_certificate_type(peer, pkey);
2926 { 2699 } else {
2927 peer=s->session->peer; 2700 peer = NULL;
2928 pkey=X509_get_pubkey(peer); 2701 pkey = NULL;
2929 type=X509_certificate_type(peer,pkey); 2702 }
2930 }
2931 else
2932 {
2933 peer=NULL;
2934 pkey=NULL;
2935 }
2936 2703
2937 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2704 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
2938 { 2705 s->s3->tmp.reuse_message = 1;
2939 s->s3->tmp.reuse_message=1; 2706 if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
2940 if ((peer != NULL) && (type & EVP_PKT_SIGN)) 2707 al = SSL_AD_UNEXPECTED_MESSAGE;
2941 { 2708 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE);
2942 al=SSL_AD_UNEXPECTED_MESSAGE;
2943 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
2944 goto f_err; 2709 goto f_err;
2945 }
2946 ret=1;
2947 goto end;
2948 } 2710 }
2711 ret = 1;
2712 goto end;
2713 }
2949 2714
2950 if (peer == NULL) 2715 if (peer == NULL) {
2951 { 2716 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED);
2952 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_NO_CLIENT_CERT_RECEIVED); 2717 al = SSL_AD_UNEXPECTED_MESSAGE;
2953 al=SSL_AD_UNEXPECTED_MESSAGE;
2954 goto f_err; 2718 goto f_err;
2955 } 2719 }
2956 2720
2957 if (!(type & EVP_PKT_SIGN)) 2721 if (!(type & EVP_PKT_SIGN)) {
2958 { 2722 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2959 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2723 al = SSL_AD_ILLEGAL_PARAMETER;
2960 al=SSL_AD_ILLEGAL_PARAMETER;
2961 goto f_err; 2724 goto f_err;
2962 } 2725 }
2963 2726
2964 if (s->s3->change_cipher_spec) 2727 if (s->s3->change_cipher_spec) {
2965 { 2728 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY);
2966 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); 2729 al = SSL_AD_UNEXPECTED_MESSAGE;
2967 al=SSL_AD_UNEXPECTED_MESSAGE;
2968 goto f_err; 2730 goto f_err;
2969 } 2731 }
2970 2732
2971 /* we now have a signature that we need to verify */ 2733 /* we now have a signature that we need to verify */
2972 p=(unsigned char *)s->init_msg; 2734 p = (unsigned char *)s->init_msg;
2973 /* Check for broken implementations of GOST ciphersuites */ 2735 /* Check for broken implementations of GOST ciphersuites */
2974 /* If key is GOST and n is exactly 64, it is bare 2736 /* If key is GOST and n is exactly 64, it is bare
2975 * signature without length field */ 2737 * signature without length field */
2976 if (n==64 && (pkey->type==NID_id_GostR3410_94 || 2738 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2977 pkey->type == NID_id_GostR3410_2001) ) 2739 pkey->type == NID_id_GostR3410_2001) ) {
2978 { 2740 i = 64;
2979 i=64; 2741 } else {
2980 } 2742 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
2981 else
2982 {
2983 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2984 {
2985 int sigalg = tls12_get_sigid(pkey); 2743 int sigalg = tls12_get_sigid(pkey);
2986 /* Should never happen */ 2744 /* Should never happen */
2987 if (sigalg == -1) 2745 if (sigalg == -1) {
2988 { 2746 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
2989 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2747 al = SSL_AD_INTERNAL_ERROR;
2990 al=SSL_AD_INTERNAL_ERROR;
2991 goto f_err; 2748 goto f_err;
2992 } 2749 }
2993 /* Check key type is consistent with signature */ 2750 /* Check key type is consistent with signature */
2994 if (sigalg != (int)p[1]) 2751 if (sigalg != (int)p[1]) {
2995 { 2752 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_TYPE);
2996 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE); 2753 al = SSL_AD_DECODE_ERROR;
2997 al=SSL_AD_DECODE_ERROR;
2998 goto f_err; 2754 goto f_err;
2999 } 2755 }
3000 md = tls12_get_hash(p[0]); 2756 md = tls12_get_hash(p[0]);
3001 if (md == NULL) 2757 if (md == NULL) {
3002 { 2758 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_UNKNOWN_DIGEST);
3003 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST); 2759 al = SSL_AD_DECODE_ERROR;
3004 al=SSL_AD_DECODE_ERROR;
3005 goto f_err; 2760 goto f_err;
3006 } 2761 }
3007#ifdef SSL_DEBUG 2762#ifdef SSL_DEBUG
3008fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 2763 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
3009#endif 2764#endif
3010 p += 2; 2765 p += 2;
3011 n -= 2; 2766 n -= 2;
3012 } 2767 }
3013 n2s(p,i); 2768 n2s(p, i);
3014 n-=2; 2769 n -= 2;
3015 if (i > n) 2770 if (i > n) {
3016 { 2771 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
3017 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_LENGTH_MISMATCH); 2772 al = SSL_AD_DECODE_ERROR;
3018 al=SSL_AD_DECODE_ERROR;
3019 goto f_err; 2773 goto f_err;
3020 }
3021 }
3022 j=EVP_PKEY_size(pkey);
3023 if ((i > j) || (n > j) || (n <= 0))
3024 {
3025 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_SIZE);
3026 al=SSL_AD_DECODE_ERROR;
3027 goto f_err;
3028 } 2774 }
2775 }
2776 j = EVP_PKEY_size(pkey);
2777 if ((i > j) || (n > j) || (n <= 0)) {
2778 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2779 al = SSL_AD_DECODE_ERROR;
2780 goto f_err;
2781 }
3029 2782
3030 if (TLS1_get_version(s) >= TLS1_2_VERSION) 2783 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
3031 {
3032 long hdatalen = 0; 2784 long hdatalen = 0;
3033 void *hdata; 2785 void *hdata;
3034 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 2786 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
3035 if (hdatalen <= 0) 2787 if (hdatalen <= 0) {
3036 {
3037 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2788 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3038 al=SSL_AD_INTERNAL_ERROR; 2789 al = SSL_AD_INTERNAL_ERROR;
3039 goto f_err; 2790 goto f_err;
3040 } 2791 }
3041#ifdef SSL_DEBUG 2792#ifdef SSL_DEBUG
3042 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 2793 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
3043 EVP_MD_name(md)); 2794 EVP_MD_name(md));
3044#endif 2795#endif
3045 if (!EVP_VerifyInit_ex(&mctx, md, NULL) 2796 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
3046 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) 2797 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
3047 {
3048 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB); 2798 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
3049 al=SSL_AD_INTERNAL_ERROR; 2799 al = SSL_AD_INTERNAL_ERROR;
3050 goto f_err; 2800 goto f_err;
3051 } 2801 }
3052 2802
3053 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) 2803 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0) {
3054 { 2804 al = SSL_AD_DECRYPT_ERROR;
3055 al=SSL_AD_DECRYPT_ERROR; 2805 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
3056 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE);
3057 goto f_err; 2806 goto f_err;
3058 }
3059 } 2807 }
3060 else 2808 } else
3061#ifndef OPENSSL_NO_RSA 2809#ifndef OPENSSL_NO_RSA
3062 if (pkey->type == EVP_PKEY_RSA) 2810 if (pkey->type == EVP_PKEY_RSA) {
3063 { 2811 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
3064 i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 2812 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
3065 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i, 2813 pkey->pkey.rsa);
3066 pkey->pkey.rsa); 2814 if (i < 0) {
3067 if (i < 0) 2815 al = SSL_AD_DECRYPT_ERROR;
3068 { 2816 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT);
3069 al=SSL_AD_DECRYPT_ERROR;
3070 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
3071 goto f_err; 2817 goto f_err;
3072 } 2818 }
3073 if (i == 0) 2819 if (i == 0) {
3074 { 2820 al = SSL_AD_DECRYPT_ERROR;
3075 al=SSL_AD_DECRYPT_ERROR; 2821 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE);
3076 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
3077 goto f_err; 2822 goto f_err;
3078 }
3079 } 2823 }
3080 else 2824 } else
3081#endif 2825#endif
3082#ifndef OPENSSL_NO_DSA 2826#ifndef OPENSSL_NO_DSA
3083 if (pkey->type == EVP_PKEY_DSA) 2827 if (pkey->type == EVP_PKEY_DSA) {
3084 { 2828 j = DSA_verify(pkey->save_type,
3085 j=DSA_verify(pkey->save_type, 2829 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3086 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2830 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
3087 SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa); 2831 if (j <= 0) {
3088 if (j <= 0)
3089 {
3090 /* bad signature */ 2832 /* bad signature */
3091 al=SSL_AD_DECRYPT_ERROR; 2833 al = SSL_AD_DECRYPT_ERROR;
3092 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_DSA_SIGNATURE); 2834 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE);
3093 goto f_err; 2835 goto f_err;
3094 }
3095 } 2836 }
3096 else 2837 } else
3097#endif 2838#endif
3098#ifndef OPENSSL_NO_ECDSA 2839#ifndef OPENSSL_NO_ECDSA
3099 if (pkey->type == EVP_PKEY_EC) 2840 if (pkey->type == EVP_PKEY_EC) {
3100 { 2841 j = ECDSA_verify(pkey->save_type,
3101 j=ECDSA_verify(pkey->save_type, 2842 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
3102 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 2843 SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
3103 SHA_DIGEST_LENGTH,p,i,pkey->pkey.ec); 2844 if (j <= 0) {
3104 if (j <= 0)
3105 {
3106 /* bad signature */ 2845 /* bad signature */
3107 al=SSL_AD_DECRYPT_ERROR; 2846 al = SSL_AD_DECRYPT_ERROR;
3108 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2847 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3109 SSL_R_BAD_ECDSA_SIGNATURE); 2848 SSL_R_BAD_ECDSA_SIGNATURE);
3110 goto f_err; 2849 goto f_err;
3111 }
3112 } 2850 }
3113 else 2851 } else
3114#endif 2852#endif
3115 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) 2853 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) {
3116 { unsigned char signature[64]; 2854 unsigned char signature[64];
3117 int idx; 2855 int idx;
3118 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey,NULL); 2856 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
3119 EVP_PKEY_verify_init(pctx); 2857 EVP_PKEY_verify_init(pctx);
3120 if (i!=64) { 2858 if (i != 64) {
3121 fprintf(stderr,"GOST signature length is %d",i); 2859 fprintf(stderr, "GOST signature length is %d", i);
3122 } 2860 }
3123 for (idx=0;idx<64;idx++) { 2861 for (idx = 0; idx < 64; idx++) {
3124 signature[63-idx]=p[idx]; 2862 signature[63 - idx] = p[idx];
3125 } 2863 }
3126 j=EVP_PKEY_verify(pctx,signature,64,s->s3->tmp.cert_verify_md,32); 2864 j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md, 32);
3127 EVP_PKEY_CTX_free(pctx); 2865 EVP_PKEY_CTX_free(pctx);
3128 if (j<=0) 2866 if (j <= 0) {
3129 { 2867 al = SSL_AD_DECRYPT_ERROR;
3130 al=SSL_AD_DECRYPT_ERROR; 2868 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3131 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 2869 SSL_R_BAD_ECDSA_SIGNATURE);
3132 SSL_R_BAD_ECDSA_SIGNATURE); 2870 goto f_err;
3133 goto f_err;
3134 }
3135 } 2871 }
3136 else 2872 } else {
3137 { 2873 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3138 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); 2874 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
3139 al=SSL_AD_UNSUPPORTED_CERTIFICATE;
3140 goto f_err; 2875 goto f_err;
3141 } 2876 }
3142 2877
3143 2878
3144 ret=1; 2879 ret = 1;
3145 if (0) 2880 if (0) {
3146 {
3147f_err: 2881f_err:
3148 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2882 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3149 } 2883 }
3150end: 2884end:
3151 if (s->s3->handshake_buffer) 2885 if (s->s3->handshake_buffer) {
3152 {
3153 BIO_free(s->s3->handshake_buffer); 2886 BIO_free(s->s3->handshake_buffer);
3154 s->s3->handshake_buffer = NULL; 2887 s->s3->handshake_buffer = NULL;
3155 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; 2888 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
3156 } 2889 }
3157 EVP_MD_CTX_cleanup(&mctx); 2890 EVP_MD_CTX_cleanup(&mctx);
3158 EVP_PKEY_free(pkey); 2891 EVP_PKEY_free(pkey);
3159 return(ret); 2892 return (ret);
3160 } 2893}
3161 2894
3162int ssl3_get_client_certificate(SSL *s) 2895int
3163 { 2896ssl3_get_client_certificate(SSL *s)
3164 int i,ok,al,ret= -1; 2897{
3165 X509 *x=NULL; 2898 int i, ok, al, ret = -1;
3166 unsigned long l,nc,llen,n; 2899 X509 *x = NULL;
3167 const unsigned char *p,*q; 2900 unsigned long l, nc, llen, n;
2901 const unsigned char *p, *q;
3168 unsigned char *d; 2902 unsigned char *d;
3169 STACK_OF(X509) *sk=NULL; 2903 STACK_OF(X509) *sk = NULL;
3170 2904
3171 n=s->method->ssl_get_message(s, 2905 n = s->method->ssl_get_message(s,
3172 SSL3_ST_SR_CERT_A, 2906 SSL3_ST_SR_CERT_A,
3173 SSL3_ST_SR_CERT_B, 2907 SSL3_ST_SR_CERT_B,
3174 -1, 2908 -1,
3175 s->max_cert_list, 2909 s->max_cert_list,
3176 &ok); 2910 &ok);
3177 2911
3178 if (!ok) return((int)n); 2912 if (!ok)
2913 return ((int)n);
3179 2914
3180 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) 2915 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
3181 { 2916 if ((s->verify_mode & SSL_VERIFY_PEER) &&
3182 if ( (s->verify_mode & SSL_VERIFY_PEER) && 2917 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3183 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2918 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3184 { 2919 al = SSL_AD_HANDSHAKE_FAILURE;
3185 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3186 al=SSL_AD_HANDSHAKE_FAILURE;
3187 goto f_err; 2920 goto f_err;
3188 } 2921 }
3189 /* If tls asked for a client cert, the client must return a 0 list */ 2922 /* If tls asked for a client cert, the client must return a 0 list */
3190 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) 2923 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
3191 { 2924 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
3192 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 2925 al = SSL_AD_UNEXPECTED_MESSAGE;
3193 al=SSL_AD_UNEXPECTED_MESSAGE;
3194 goto f_err; 2926 goto f_err;
3195 }
3196 s->s3->tmp.reuse_message=1;
3197 return(1);
3198 } 2927 }
2928 s->s3->tmp.reuse_message = 1;
2929 return (1);
2930 }
3199 2931
3200 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 2932 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
3201 { 2933 al = SSL_AD_UNEXPECTED_MESSAGE;
3202 al=SSL_AD_UNEXPECTED_MESSAGE; 2934 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
3203 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
3204 goto f_err; 2935 goto f_err;
3205 } 2936 }
3206 p=d=(unsigned char *)s->init_msg; 2937 p = d = (unsigned char *)s->init_msg;
3207 2938
3208 if ((sk=sk_X509_new_null()) == NULL) 2939 if ((sk = sk_X509_new_null()) == NULL) {
3209 { 2940 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3210 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3211 goto err; 2941 goto err;
3212 } 2942 }
3213 2943
3214 n2l3(p,llen); 2944 n2l3(p, llen);
3215 if (llen+3 != n) 2945 if (llen + 3 != n) {
3216 { 2946 al = SSL_AD_DECODE_ERROR;
3217 al=SSL_AD_DECODE_ERROR; 2947 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3218 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
3219 goto f_err; 2948 goto f_err;
3220 } 2949 }
3221 for (nc=0; nc<llen; ) 2950 for (nc = 0; nc < llen;) {
3222 { 2951 n2l3(p, l);
3223 n2l3(p,l); 2952 if ((l + nc + 3) > llen) {
3224 if ((l+nc+3) > llen) 2953 al = SSL_AD_DECODE_ERROR;
3225 { 2954 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3226 al=SSL_AD_DECODE_ERROR;
3227 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3228 goto f_err; 2955 goto f_err;
3229 } 2956 }
3230 2957
3231 q=p; 2958 q = p;
3232 x=d2i_X509(NULL,&p,l); 2959 x = d2i_X509(NULL, &p, l);
3233 if (x == NULL) 2960 if (x == NULL) {
3234 { 2961 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
3235 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_ASN1_LIB);
3236 goto err; 2962 goto err;
3237 } 2963 }
3238 if (p != (q+l)) 2964 if (p != (q + l)) {
3239 { 2965 al = SSL_AD_DECODE_ERROR;
3240 al=SSL_AD_DECODE_ERROR; 2966 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH);
3241 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
3242 goto f_err; 2967 goto f_err;
3243 } 2968 }
3244 if (!sk_X509_push(sk,x)) 2969 if (!sk_X509_push(sk, x)) {
3245 { 2970 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3246 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,ERR_R_MALLOC_FAILURE);
3247 goto err; 2971 goto err;
3248 }
3249 x=NULL;
3250 nc+=l+3;
3251 } 2972 }
2973 x = NULL;
2974 nc += l + 3;
2975 }
3252 2976
3253 if (sk_X509_num(sk) <= 0) 2977 if (sk_X509_num(sk) <= 0) {
3254 {
3255 /* TLS does not mind 0 certs returned */ 2978 /* TLS does not mind 0 certs returned */
3256 if (s->version == SSL3_VERSION) 2979 if (s->version == SSL3_VERSION) {
3257 { 2980 al = SSL_AD_HANDSHAKE_FAILURE;
3258 al=SSL_AD_HANDSHAKE_FAILURE; 2981 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATES_RETURNED);
3259 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATES_RETURNED);
3260 goto f_err; 2982 goto f_err;
3261 } 2983 }
3262 /* Fail for TLS only if we required a certificate */ 2984 /* Fail for TLS only if we required a certificate */
3263 else if ((s->verify_mode & SSL_VERIFY_PEER) && 2985 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
3264 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 2986 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3265 { 2987 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3266 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2988 al = SSL_AD_HANDSHAKE_FAILURE;
3267 al=SSL_AD_HANDSHAKE_FAILURE;
3268 goto f_err; 2989 goto f_err;
3269 } 2990 }
3270 /* No client certificate so digest cached records */ 2991 /* No client certificate so digest cached records */
3271 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) 2992 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) {
3272 { 2993 al = SSL_AD_INTERNAL_ERROR;
3273 al=SSL_AD_INTERNAL_ERROR;
3274 goto f_err; 2994 goto f_err;
3275 }
3276 } 2995 }
3277 else 2996 } else {
3278 { 2997 i = ssl_verify_cert_chain(s, sk);
3279 i=ssl_verify_cert_chain(s,sk); 2998 if (i <= 0) {
3280 if (i <= 0) 2999 al = ssl_verify_alarm_type(s->verify_result);
3281 { 3000 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATE_RETURNED);
3282 al=ssl_verify_alarm_type(s->verify_result);
3283 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
3284 goto f_err; 3001 goto f_err;
3285 }
3286 } 3002 }
3003 }
3287 3004
3288 if (s->session->peer != NULL) /* This should not be needed */ 3005 if (s->session->peer != NULL) /* This should not be needed */
3289 X509_free(s->session->peer); 3006 X509_free(s->session->peer);
3290 s->session->peer=sk_X509_shift(sk); 3007 s->session->peer = sk_X509_shift(sk);
3291 s->session->verify_result = s->verify_result; 3008 s->session->verify_result = s->verify_result;
3292 3009
3293 /* With the current implementation, sess_cert will always be NULL 3010 /* With the current implementation, sess_cert will always be NULL
3294 * when we arrive here. */ 3011 * when we arrive here. */
3295 if (s->session->sess_cert == NULL) 3012 if (s->session->sess_cert == NULL) {
3296 {
3297 s->session->sess_cert = ssl_sess_cert_new(); 3013 s->session->sess_cert = ssl_sess_cert_new();
3298 if (s->session->sess_cert == NULL) 3014 if (s->session->sess_cert == NULL) {
3299 {
3300 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3015 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
3301 goto err; 3016 goto err;
3302 }
3303 } 3017 }
3018 }
3304 if (s->session->sess_cert->cert_chain != NULL) 3019 if (s->session->sess_cert->cert_chain != NULL)
3305 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); 3020 sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
3306 s->session->sess_cert->cert_chain=sk; 3021 s->session->sess_cert->cert_chain = sk;
3307 /* Inconsistency alert: cert_chain does *not* include the 3022 /* Inconsistency alert: cert_chain does *not* include the
3308 * peer's own certificate, while we do include it in s3_clnt.c */ 3023 * peer's own certificate, while we do include it in s3_clnt.c */
3309 3024
3310 sk=NULL; 3025 sk = NULL;
3311 3026
3312 ret=1; 3027 ret = 1;
3313 if (0) 3028 if (0) {
3314 {
3315f_err: 3029f_err:
3316 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3030 ssl3_send_alert(s, SSL3_AL_FATAL, al);
3317 }
3318err:
3319 if (x != NULL) X509_free(x);
3320 if (sk != NULL) sk_X509_pop_free(sk,X509_free);
3321 return(ret);
3322 } 3031 }
3032err:
3033 if (x != NULL)
3034 X509_free(x);
3035 if (sk != NULL)
3036 sk_X509_pop_free(sk, X509_free);
3037 return (ret);
3038}
3323 3039
3324int ssl3_send_server_certificate(SSL *s) 3040int
3325 { 3041ssl3_send_server_certificate(SSL *s)
3042{
3326 unsigned long l; 3043 unsigned long l;
3327 X509 *x; 3044 X509 *x;
3328 3045
3329 if (s->state == SSL3_ST_SW_CERT_A) 3046 if (s->state == SSL3_ST_SW_CERT_A) {
3330 { 3047 x = ssl_get_server_send_cert(s);
3331 x=ssl_get_server_send_cert(s); 3048 if (x == NULL) {
3332 if (x == NULL)
3333 {
3334 /* VRS: allow null cert if auth == KRB5 */ 3049 /* VRS: allow null cert if auth == KRB5 */
3335 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3050 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
3336 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) 3051 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) {
3337 { 3052 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3338 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 3053 return (0);
3339 return(0);
3340 }
3341 } 3054 }
3342
3343 l=ssl3_output_cert_chain(s,x);
3344 s->state=SSL3_ST_SW_CERT_B;
3345 s->init_num=(int)l;
3346 s->init_off=0;
3347 } 3055 }
3348 3056
3349 /* SSL3_ST_SW_CERT_B */ 3057 l = ssl3_output_cert_chain(s, x);
3350 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3058 s->state = SSL3_ST_SW_CERT_B;
3059 s->init_num = (int)l;
3060 s->init_off = 0;
3351 } 3061 }
3352 3062
3063 /* SSL3_ST_SW_CERT_B */
3064 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3065}
3066
3353#ifndef OPENSSL_NO_TLSEXT 3067#ifndef OPENSSL_NO_TLSEXT
3354/* send a new session ticket (not necessarily for a new session) */ 3068/* send a new session ticket (not necessarily for a new session) */
3355int ssl3_send_newsession_ticket(SSL *s) 3069int
3356 { 3070ssl3_send_newsession_ticket(SSL *s)
3357 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3071{
3358 { 3072 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
3359 unsigned char *p, *senc, *macstart; 3073 unsigned char *p, *senc, *macstart;
3360 const unsigned char *const_p; 3074 const unsigned char *const_p;
3361 int len, slen_full, slen; 3075 int len, slen_full, slen;
@@ -3383,19 +3097,18 @@ int ssl3_send_newsession_ticket(SSL *s)
3383 /* create a fresh copy (not shared with other threads) to clean up */ 3097 /* create a fresh copy (not shared with other threads) to clean up */
3384 const_p = senc; 3098 const_p = senc;
3385 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3099 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3386 if (sess == NULL) 3100 if (sess == NULL) {
3387 {
3388 OPENSSL_free(senc); 3101 OPENSSL_free(senc);
3389 return -1; 3102 return -1;
3390 } 3103 }
3391 sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3104 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3392 3105
3393 slen = i2d_SSL_SESSION(sess, NULL); 3106 slen = i2d_SSL_SESSION(sess, NULL);
3394 if (slen > slen_full) /* shouldn't ever happen */ 3107 if (slen > slen_full) /* shouldn't ever happen */
3395 { 3108 {
3396 OPENSSL_free(senc); 3109 OPENSSL_free(senc);
3397 return -1; 3110 return -1;
3398 } 3111 }
3399 p = senc; 3112 p = senc;
3400 i2d_SSL_SESSION(sess, &p); 3113 i2d_SSL_SESSION(sess, &p);
3401 SSL_SESSION_free(sess); 3114 SSL_SESSION_free(sess);
@@ -3409,12 +3122,12 @@ int ssl3_send_newsession_ticket(SSL *s)
3409 */ 3122 */
3410 if (!BUF_MEM_grow(s->init_buf, 3123 if (!BUF_MEM_grow(s->init_buf,
3411 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3124 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3412 EVP_MAX_MD_SIZE + slen)) 3125 EVP_MAX_MD_SIZE + slen))
3413 return -1; 3126 return -1;
3414 3127
3415 p=(unsigned char *)s->init_buf->data; 3128 p = (unsigned char *)s->init_buf->data;
3416 /* do the header */ 3129 /* do the header */
3417 *(p++)=SSL3_MT_NEWSESSION_TICKET; 3130 *(p++) = SSL3_MT_NEWSESSION_TICKET;
3418 /* Skip message length for now */ 3131 /* Skip message length for now */
3419 p += 3; 3132 p += 3;
3420 EVP_CIPHER_CTX_init(&ctx); 3133 EVP_CIPHER_CTX_init(&ctx);
@@ -3423,24 +3136,20 @@ int ssl3_send_newsession_ticket(SSL *s)
3423 * it does all the work otherwise use generated values 3136 * it does all the work otherwise use generated values
3424 * from parent ctx. 3137 * from parent ctx.
3425 */ 3138 */
3426 if (tctx->tlsext_ticket_key_cb) 3139 if (tctx->tlsext_ticket_key_cb) {
3427 {
3428 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 3140 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
3429 &hctx, 1) < 0) 3141 &hctx, 1) < 0) {
3430 {
3431 OPENSSL_free(senc); 3142 OPENSSL_free(senc);
3432 return -1; 3143 return -1;
3433 }
3434 } 3144 }
3435 else 3145 } else {
3436 {
3437 RAND_pseudo_bytes(iv, 16); 3146 RAND_pseudo_bytes(iv, 16);
3438 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 3147 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3439 tctx->tlsext_tick_aes_key, iv); 3148 tctx->tlsext_tick_aes_key, iv);
3440 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 3149 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3441 tlsext_tick_md(), NULL); 3150 tlsext_tick_md(), NULL);
3442 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3151 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3443 } 3152 }
3444 3153
3445 /* Ticket lifetime hint (advisory only): 3154 /* Ticket lifetime hint (advisory only):
3446 * We leave this unspecified for resumed session (for simplicity), 3155 * We leave this unspecified for resumed session (for simplicity),
@@ -3472,26 +3181,27 @@ int ssl3_send_newsession_ticket(SSL *s)
3472 /* Now write out lengths: p points to end of data written */ 3181 /* Now write out lengths: p points to end of data written */
3473 /* Total length */ 3182 /* Total length */
3474 len = p - (unsigned char *)s->init_buf->data; 3183 len = p - (unsigned char *)s->init_buf->data;
3475 p=(unsigned char *)s->init_buf->data + 1; 3184 p = (unsigned char *)s->init_buf->data + 1;
3476 l2n3(len - 4, p); /* Message length */ 3185 l2n3(len - 4, p); /* Message length */
3477 p += 4; 3186 p += 4;
3478 s2n(len - 10, p); /* Ticket length */ 3187 s2n(len - 10, p);
3188 /* Ticket length */
3479 3189
3480 /* number of bytes to write */ 3190 /* number of bytes to write */
3481 s->init_num= len; 3191 s->init_num = len;
3482 s->state=SSL3_ST_SW_SESSION_TICKET_B; 3192 s->state = SSL3_ST_SW_SESSION_TICKET_B;
3483 s->init_off=0; 3193 s->init_off = 0;
3484 OPENSSL_free(senc); 3194 OPENSSL_free(senc);
3485 } 3195 }
3486 3196
3487 /* SSL3_ST_SW_SESSION_TICKET_B */ 3197 /* SSL3_ST_SW_SESSION_TICKET_B */
3488 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3198 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3489 } 3199}
3490 3200
3491int ssl3_send_cert_status(SSL *s) 3201int
3492 { 3202ssl3_send_cert_status(SSL *s)
3493 if (s->state == SSL3_ST_SW_CERT_STATUS_A) 3203{
3494 { 3204 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
3495 unsigned char *p; 3205 unsigned char *p;
3496 /* Grow buffer if need be: the length calculation is as 3206 /* Grow buffer if need be: the length calculation is as
3497 * follows 1 (message type) + 3 (message length) + 3207 * follows 1 (message type) + 3 (message length) +
@@ -3501,33 +3211,34 @@ int ssl3_send_cert_status(SSL *s)
3501 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) 3211 if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
3502 return -1; 3212 return -1;
3503 3213
3504 p=(unsigned char *)s->init_buf->data; 3214 p = (unsigned char *)s->init_buf->data;
3505 3215
3506 /* do the header */ 3216 /* do the header */
3507 *(p++)=SSL3_MT_CERTIFICATE_STATUS; 3217 *(p++) = SSL3_MT_CERTIFICATE_STATUS;
3508 /* message length */ 3218 /* message length */
3509 l2n3(s->tlsext_ocsp_resplen + 4, p); 3219 l2n3(s->tlsext_ocsp_resplen + 4, p);
3510 /* status type */ 3220 /* status type */
3511 *(p++)= s->tlsext_status_type; 3221 *(p++) = s->tlsext_status_type;
3512 /* length of OCSP response */ 3222 /* length of OCSP response */
3513 l2n3(s->tlsext_ocsp_resplen, p); 3223 l2n3(s->tlsext_ocsp_resplen, p);
3514 /* actual response */ 3224 /* actual response */
3515 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); 3225 memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
3516 /* number of bytes to write */ 3226 /* number of bytes to write */
3517 s->init_num = 8 + s->tlsext_ocsp_resplen; 3227 s->init_num = 8 + s->tlsext_ocsp_resplen;
3518 s->state=SSL3_ST_SW_CERT_STATUS_B; 3228 s->state = SSL3_ST_SW_CERT_STATUS_B;
3519 s->init_off = 0; 3229 s->init_off = 0;
3520 } 3230 }
3521 3231
3522 /* SSL3_ST_SW_CERT_STATUS_B */ 3232 /* SSL3_ST_SW_CERT_STATUS_B */
3523 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3233 return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
3524 } 3234}
3525 3235
3526# ifndef OPENSSL_NO_NEXTPROTONEG 3236# ifndef OPENSSL_NO_NEXTPROTONEG
3527/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 3237/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
3528 * sets the next_proto member in s if found */ 3238 * sets the next_proto member in s if found */
3529int ssl3_get_next_proto(SSL *s) 3239int
3530 { 3240ssl3_get_next_proto(SSL *s)
3241{
3531 int ok; 3242 int ok;
3532 int proto_len, padding_len; 3243 int proto_len, padding_len;
3533 long n; 3244 long n;
@@ -3535,35 +3246,30 @@ int ssl3_get_next_proto(SSL *s)
3535 3246
3536 /* Clients cannot send a NextProtocol message if we didn't see the 3247 /* Clients cannot send a NextProtocol message if we didn't see the
3537 * extension in their ClientHello */ 3248 * extension in their ClientHello */
3538 if (!s->s3->next_proto_neg_seen) 3249 if (!s->s3->next_proto_neg_seen) {
3539 { 3250 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3540 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3541 return -1; 3251 return -1;
3542 } 3252 }
3543
3544 n=s->method->ssl_get_message(s,
3545 SSL3_ST_SR_NEXT_PROTO_A,
3546 SSL3_ST_SR_NEXT_PROTO_B,
3547 SSL3_MT_NEXT_PROTO,
3548 514, /* See the payload format below */
3549 &ok);
3550 3253
3254 n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
3255 SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
3256 514, /* See the payload format below */ &ok);
3551 if (!ok) 3257 if (!ok)
3552 return((int)n); 3258 return ((int)n);
3553 3259
3554 /* s->state doesn't reflect whether ChangeCipherSpec has been received 3260 /* s->state doesn't reflect whether ChangeCipherSpec has been received
3555 * in this handshake, but s->s3->change_cipher_spec does (will be reset 3261 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3556 * by ssl3_get_finished). */ 3262 * by ssl3_get_finished). */
3557 if (!s->s3->change_cipher_spec) 3263 if (!s->s3->change_cipher_spec) {
3558 { 3264 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3559 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3560 return -1; 3265 return -1;
3561 } 3266 }
3562 3267
3563 if (n < 2) 3268 if (n < 2)
3564 return 0; /* The body must be > 1 bytes long */ 3269 return 0;
3270 /* The body must be > 1 bytes long */
3565 3271
3566 p=(unsigned char *)s->init_msg; 3272 p = (unsigned char *)s->init_msg;
3567 3273
3568 /* The payload looks like: 3274 /* The payload looks like:
3569 * uint8 proto_len; 3275 * uint8 proto_len;
@@ -3579,15 +3285,14 @@ int ssl3_get_next_proto(SSL *s)
3579 return 0; 3285 return 0;
3580 3286
3581 s->next_proto_negotiated = OPENSSL_malloc(proto_len); 3287 s->next_proto_negotiated = OPENSSL_malloc(proto_len);
3582 if (!s->next_proto_negotiated) 3288 if (!s->next_proto_negotiated) {
3583 { 3289 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE);
3584 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
3585 return 0; 3290 return 0;
3586 } 3291 }
3587 memcpy(s->next_proto_negotiated, p + 1, proto_len); 3292 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3588 s->next_proto_negotiated_len = proto_len; 3293 s->next_proto_negotiated_len = proto_len;
3589 3294
3590 return 1; 3295 return 1;
3591 } 3296}
3592# endif 3297# endif
3593#endif 3298#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 00:33:12 +0000