diff options
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 112 | 
1 files changed, 56 insertions, 56 deletions
| diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index d75ceb9d2d..0d3f09728e 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_clnt.c,v 1.161 2017/01/22 07:16:39 beck Exp $ */ | 1 | /* $OpenBSD: s3_clnt.c,v 1.162 2017/01/22 09:02:07 jsing Exp $ */ | 
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 
| 3 | * All rights reserved. | 3 | * All rights reserved. | 
| 4 | * | 4 | * | 
| @@ -293,7 +293,7 @@ ssl3_connect(SSL *s) | |||
| 293 | break; | 293 | break; | 
| 294 | } | 294 | } | 
| 295 | /* Check if it is anon DH/ECDH. */ | 295 | /* Check if it is anon DH/ECDH. */ | 
| 296 | if (!(s->s3->tmp.new_cipher->algorithm_auth & | 296 | if (!(S3I(s)->tmp.new_cipher->algorithm_auth & | 
| 297 | SSL_aNULL)) { | 297 | SSL_aNULL)) { | 
| 298 | ret = ssl3_get_server_certificate(s); | 298 | ret = ssl3_get_server_certificate(s); | 
| 299 | if (ret <= 0) | 299 | if (ret <= 0) | 
| @@ -341,7 +341,7 @@ ssl3_connect(SSL *s) | |||
| 341 | ret = ssl3_get_server_done(s); | 341 | ret = ssl3_get_server_done(s); | 
| 342 | if (ret <= 0) | 342 | if (ret <= 0) | 
| 343 | goto end; | 343 | goto end; | 
| 344 | if (s->s3->tmp.cert_req) | 344 | if (S3I(s)->tmp.cert_req) | 
| 345 | s->state = SSL3_ST_CW_CERT_A; | 345 | s->state = SSL3_ST_CW_CERT_A; | 
| 346 | else | 346 | else | 
| 347 | s->state = SSL3_ST_CW_KEY_EXCH_A; | 347 | s->state = SSL3_ST_CW_KEY_EXCH_A; | 
| @@ -381,15 +381,15 @@ ssl3_connect(SSL *s) | |||
| 381 | * message when client's ECDH public key is sent | 381 | * message when client's ECDH public key is sent | 
| 382 | * inside the client certificate. | 382 | * inside the client certificate. | 
| 383 | */ | 383 | */ | 
| 384 | if (s->s3->tmp.cert_req == 1) { | 384 | if (S3I(s)->tmp.cert_req == 1) { | 
| 385 | s->state = SSL3_ST_CW_CERT_VRFY_A; | 385 | s->state = SSL3_ST_CW_CERT_VRFY_A; | 
| 386 | } else { | 386 | } else { | 
| 387 | s->state = SSL3_ST_CW_CHANGE_A; | 387 | s->state = SSL3_ST_CW_CHANGE_A; | 
| 388 | s->s3->change_cipher_spec = 0; | 388 | S3I(s)->change_cipher_spec = 0; | 
| 389 | } | 389 | } | 
| 390 | if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { | 390 | if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { | 
| 391 | s->state = SSL3_ST_CW_CHANGE_A; | 391 | s->state = SSL3_ST_CW_CHANGE_A; | 
| 392 | s->s3->change_cipher_spec = 0; | 392 | S3I(s)->change_cipher_spec = 0; | 
| 393 | } | 393 | } | 
| 394 | 394 | ||
| 395 | s->init_num = 0; | 395 | s->init_num = 0; | 
| @@ -402,7 +402,7 @@ ssl3_connect(SSL *s) | |||
| 402 | goto end; | 402 | goto end; | 
| 403 | s->state = SSL3_ST_CW_CHANGE_A; | 403 | s->state = SSL3_ST_CW_CHANGE_A; | 
| 404 | s->init_num = 0; | 404 | s->init_num = 0; | 
| 405 | s->s3->change_cipher_spec = 0; | 405 | S3I(s)->change_cipher_spec = 0; | 
| 406 | break; | 406 | break; | 
| 407 | 407 | ||
| 408 | case SSL3_ST_CW_CHANGE_A: | 408 | case SSL3_ST_CW_CHANGE_A: | 
| @@ -412,13 +412,13 @@ ssl3_connect(SSL *s) | |||
| 412 | if (ret <= 0) | 412 | if (ret <= 0) | 
| 413 | goto end; | 413 | goto end; | 
| 414 | 414 | ||
| 415 | if (s->s3->next_proto_neg_seen) | 415 | if (S3I(s)->next_proto_neg_seen) | 
| 416 | s->state = SSL3_ST_CW_NEXT_PROTO_A; | 416 | s->state = SSL3_ST_CW_NEXT_PROTO_A; | 
| 417 | else | 417 | else | 
| 418 | s->state = SSL3_ST_CW_FINISHED_A; | 418 | s->state = SSL3_ST_CW_FINISHED_A; | 
| 419 | s->init_num = 0; | 419 | s->init_num = 0; | 
| 420 | 420 | ||
| 421 | s->session->cipher = s->s3->tmp.new_cipher; | 421 | s->session->cipher = S3I(s)->tmp.new_cipher; | 
| 422 | if (!s->method->ssl3_enc->setup_key_block(s)) { | 422 | if (!s->method->ssl3_enc->setup_key_block(s)) { | 
| 423 | ret = -1; | 423 | ret = -1; | 
| 424 | goto end; | 424 | goto end; | 
| @@ -454,21 +454,21 @@ ssl3_connect(SSL *s) | |||
| 454 | /* clear flags */ | 454 | /* clear flags */ | 
| 455 | s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; | 455 | s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; | 
| 456 | if (s->hit) { | 456 | if (s->hit) { | 
| 457 | s->s3->tmp.next_state = SSL_ST_OK; | 457 | S3I(s)->tmp.next_state = SSL_ST_OK; | 
| 458 | if (s->s3->flags & | 458 | if (s->s3->flags & | 
| 459 | SSL3_FLAGS_DELAY_CLIENT_FINISHED) { | 459 | SSL3_FLAGS_DELAY_CLIENT_FINISHED) { | 
| 460 | s->state = SSL_ST_OK; | 460 | s->state = SSL_ST_OK; | 
| 461 | s->s3->flags|=SSL3_FLAGS_POP_BUFFER; | 461 | s->s3->flags|=SSL3_FLAGS_POP_BUFFER; | 
| 462 | s->s3->delay_buf_pop_ret = 0; | 462 | S3I(s)->delay_buf_pop_ret = 0; | 
| 463 | } | 463 | } | 
| 464 | } else { | 464 | } else { | 
| 465 | /* Allow NewSessionTicket if ticket expected */ | 465 | /* Allow NewSessionTicket if ticket expected */ | 
| 466 | if (s->tlsext_ticket_expected) | 466 | if (s->tlsext_ticket_expected) | 
| 467 | s->s3->tmp.next_state = | 467 | S3I(s)->tmp.next_state = | 
| 468 | SSL3_ST_CR_SESSION_TICKET_A; | 468 | SSL3_ST_CR_SESSION_TICKET_A; | 
| 469 | else | 469 | else | 
| 470 | 470 | ||
| 471 | s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; | 471 | S3I(s)->tmp.next_state = SSL3_ST_CR_FINISHED_A; | 
| 472 | } | 472 | } | 
| 473 | s->init_num = 0; | 473 | s->init_num = 0; | 
| 474 | break; | 474 | break; | 
| @@ -513,7 +513,7 @@ ssl3_connect(SSL *s) | |||
| 513 | goto end; | 513 | goto end; | 
| 514 | } | 514 | } | 
| 515 | s->rwstate = SSL_NOTHING; | 515 | s->rwstate = SSL_NOTHING; | 
| 516 | s->state = s->s3->tmp.next_state; | 516 | s->state = S3I(s)->tmp.next_state; | 
| 517 | break; | 517 | break; | 
| 518 | 518 | ||
| 519 | case SSL_ST_OK: | 519 | case SSL_ST_OK: | 
| @@ -561,7 +561,7 @@ ssl3_connect(SSL *s) | |||
| 561 | } | 561 | } | 
| 562 | 562 | ||
| 563 | /* did we do anything */ | 563 | /* did we do anything */ | 
| 564 | if (!s->s3->tmp.reuse_message && !skip) { | 564 | if (!S3I(s)->tmp.reuse_message && !skip) { | 
| 565 | if (s->debug) { | 565 | if (s->debug) { | 
| 566 | if ((ret = BIO_flush(s->wbio)) <= 0) | 566 | if ((ret = BIO_flush(s->wbio)) <= 0) | 
| 567 | goto end; | 567 | goto end; | 
| @@ -742,9 +742,9 @@ ssl3_get_server_hello(SSL *s) | |||
| 742 | CBS_init(&cbs, s->init_msg, n); | 742 | CBS_init(&cbs, s->init_msg, n); | 
| 743 | 743 | ||
| 744 | if (SSL_IS_DTLS(s)) { | 744 | if (SSL_IS_DTLS(s)) { | 
| 745 | if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { | 745 | if (S3I(s)->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { | 
| 746 | if (D1I(s)->send_cookie == 0) { | 746 | if (D1I(s)->send_cookie == 0) { | 
| 747 | s->s3->tmp.reuse_message = 1; | 747 | S3I(s)->tmp.reuse_message = 1; | 
| 748 | return (1); | 748 | return (1); | 
| 749 | } else { | 749 | } else { | 
| 750 | /* Already sent a cookie. */ | 750 | /* Already sent a cookie. */ | 
| @@ -756,7 +756,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 756 | } | 756 | } | 
| 757 | } | 757 | } | 
| 758 | 758 | ||
| 759 | if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) { | 759 | if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) { | 
| 760 | al = SSL_AD_UNEXPECTED_MESSAGE; | 760 | al = SSL_AD_UNEXPECTED_MESSAGE; | 
| 761 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, | 761 | SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, | 
| 762 | SSL_R_BAD_MESSAGE_TYPE); | 762 | SSL_R_BAD_MESSAGE_TYPE); | 
| @@ -887,13 +887,13 @@ ssl3_get_server_hello(SSL *s) | |||
| 887 | SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); | 887 | SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); | 
| 888 | goto f_err; | 888 | goto f_err; | 
| 889 | } | 889 | } | 
| 890 | s->s3->tmp.new_cipher = cipher; | 890 | S3I(s)->tmp.new_cipher = cipher; | 
| 891 | 891 | ||
| 892 | /* | 892 | /* | 
| 893 | * Don't digest cached records if no sigalgs: we may need them for | 893 | * Don't digest cached records if no sigalgs: we may need them for | 
| 894 | * client authentication. | 894 | * client authentication. | 
| 895 | */ | 895 | */ | 
| 896 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 896 | alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; | 
| 897 | if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) && | 897 | if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) && | 
| 898 | !tls1_digest_cached_records(s)) { | 898 | !tls1_digest_cached_records(s)) { | 
| 899 | al = SSL_AD_INTERNAL_ERROR; | 899 | al = SSL_AD_INTERNAL_ERROR; | 
| @@ -956,12 +956,12 @@ ssl3_get_server_certificate(SSL *s) | |||
| 956 | if (!ok) | 956 | if (!ok) | 
| 957 | return ((int)n); | 957 | return ((int)n); | 
| 958 | 958 | ||
| 959 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { | 959 | if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) { | 
| 960 | s->s3->tmp.reuse_message = 1; | 960 | S3I(s)->tmp.reuse_message = 1; | 
| 961 | return (1); | 961 | return (1); | 
| 962 | } | 962 | } | 
| 963 | 963 | ||
| 964 | if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { | 964 | if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) { | 
| 965 | al = SSL_AD_UNEXPECTED_MESSAGE; | 965 | al = SSL_AD_UNEXPECTED_MESSAGE; | 
| 966 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | 966 | SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | 
| 967 | SSL_R_BAD_MESSAGE_TYPE); | 967 | SSL_R_BAD_MESSAGE_TYPE); | 
| @@ -1113,7 +1113,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) | |||
| 1113 | long alg_a; | 1113 | long alg_a; | 
| 1114 | int al; | 1114 | int al; | 
| 1115 | 1115 | ||
| 1116 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | 1116 | alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; | 
| 1117 | sc = s->session->sess_cert; | 1117 | sc = s->session->sess_cert; | 
| 1118 | 1118 | ||
| 1119 | if (*nn < 0) | 1119 | if (*nn < 0) | 
| @@ -1280,7 +1280,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) | |||
| 1280 | int nid; | 1280 | int nid; | 
| 1281 | int al; | 1281 | int al; | 
| 1282 | 1282 | ||
| 1283 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | 1283 | alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; | 
| 1284 | sc = s->session->sess_cert; | 1284 | sc = s->session->sess_cert; | 
| 1285 | 1285 | ||
| 1286 | if (*nn < 0) | 1286 | if (*nn < 0) | 
| @@ -1366,8 +1366,8 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1366 | const EVP_MD *md = NULL; | 1366 | const EVP_MD *md = NULL; | 
| 1367 | RSA *rsa = NULL; | 1367 | RSA *rsa = NULL; | 
| 1368 | 1368 | ||
| 1369 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 1369 | alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; | 
| 1370 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | 1370 | alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; | 
| 1371 | 1371 | ||
| 1372 | /* | 1372 | /* | 
| 1373 | * Use same message size as in ssl3_get_certificate_request() | 1373 | * Use same message size as in ssl3_get_certificate_request() | 
| @@ -1380,7 +1380,7 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1380 | 1380 | ||
| 1381 | EVP_MD_CTX_init(&md_ctx); | 1381 | EVP_MD_CTX_init(&md_ctx); | 
| 1382 | 1382 | ||
| 1383 | if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { | 1383 | if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { | 
| 1384 | /* | 1384 | /* | 
| 1385 | * Do not skip server key exchange if this cipher suite uses | 1385 | * Do not skip server key exchange if this cipher suite uses | 
| 1386 | * ephemeral keys. | 1386 | * ephemeral keys. | 
| @@ -1392,7 +1392,7 @@ ssl3_get_server_key_exchange(SSL *s) | |||
| 1392 | goto f_err; | 1392 | goto f_err; | 
| 1393 | } | 1393 | } | 
| 1394 | 1394 | ||
| 1395 | s->s3->tmp.reuse_message = 1; | 1395 | S3I(s)->tmp.reuse_message = 1; | 
| 1396 | EVP_MD_CTX_cleanup(&md_ctx); | 1396 | EVP_MD_CTX_cleanup(&md_ctx); | 
| 1397 | return (1); | 1397 | return (1); | 
| 1398 | } | 1398 | } | 
| @@ -1585,22 +1585,22 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1585 | if (!ok) | 1585 | if (!ok) | 
| 1586 | return ((int)n); | 1586 | return ((int)n); | 
| 1587 | 1587 | ||
| 1588 | s->s3->tmp.cert_req = 0; | 1588 | S3I(s)->tmp.cert_req = 0; | 
| 1589 | 1589 | ||
| 1590 | if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) { | 1590 | if (S3I(s)->tmp.message_type == SSL3_MT_SERVER_DONE) { | 
| 1591 | s->s3->tmp.reuse_message = 1; | 1591 | S3I(s)->tmp.reuse_message = 1; | 
| 1592 | /* | 1592 | /* | 
| 1593 | * If we get here we don't need any cached handshake records | 1593 | * If we get here we don't need any cached handshake records | 
| 1594 | * as we wont be doing client auth. | 1594 | * as we wont be doing client auth. | 
| 1595 | */ | 1595 | */ | 
| 1596 | if (s->s3->handshake_buffer) { | 1596 | if (S3I(s)->handshake_buffer) { | 
| 1597 | if (!tls1_digest_cached_records(s)) | 1597 | if (!tls1_digest_cached_records(s)) | 
| 1598 | goto err; | 1598 | goto err; | 
| 1599 | } | 1599 | } | 
| 1600 | return (1); | 1600 | return (1); | 
| 1601 | } | 1601 | } | 
| 1602 | 1602 | ||
| 1603 | if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { | 1603 | if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { | 
| 1604 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | 1604 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | 
| 1605 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 1605 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 
| 1606 | SSL_R_WRONG_MESSAGE_TYPE); | 1606 | SSL_R_WRONG_MESSAGE_TYPE); | 
| @@ -1608,7 +1608,7 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1608 | } | 1608 | } | 
| 1609 | 1609 | ||
| 1610 | /* TLS does not like anon-DH with client cert */ | 1610 | /* TLS does not like anon-DH with client cert */ | 
| 1611 | if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) { | 1611 | if (S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL) { | 
| 1612 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | 1612 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | 
| 1613 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 1613 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 
| 1614 | SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); | 1614 | SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); | 
| @@ -1632,8 +1632,8 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1632 | if (ctype_num > SSL3_CT_NUMBER) | 1632 | if (ctype_num > SSL3_CT_NUMBER) | 
| 1633 | ctype_num = SSL3_CT_NUMBER; | 1633 | ctype_num = SSL3_CT_NUMBER; | 
| 1634 | if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) || | 1634 | if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) || | 
| 1635 | !CBS_write_bytes(&ctypes, (uint8_t *)s->s3->tmp.ctype, | 1635 | !CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype, | 
| 1636 | sizeof(s->s3->tmp.ctype), NULL)) { | 1636 | sizeof(S3I(s)->tmp.ctype), NULL)) { | 
| 1637 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 1637 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | 
| 1638 | SSL_R_DATA_LENGTH_TOO_LONG); | 1638 | SSL_R_DATA_LENGTH_TOO_LONG); | 
| 1639 | goto err; | 1639 | goto err; | 
| @@ -1722,11 +1722,11 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1722 | } | 1722 | } | 
| 1723 | 1723 | ||
| 1724 | /* we should setup a certificate to return.... */ | 1724 | /* we should setup a certificate to return.... */ | 
| 1725 | s->s3->tmp.cert_req = 1; | 1725 | S3I(s)->tmp.cert_req = 1; | 
| 1726 | s->s3->tmp.ctype_num = ctype_num; | 1726 | S3I(s)->tmp.ctype_num = ctype_num; | 
| 1727 | if (s->s3->tmp.ca_names != NULL) | 1727 | if (S3I(s)->tmp.ca_names != NULL) | 
| 1728 | sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); | 1728 | sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); | 
| 1729 | s->s3->tmp.ca_names = ca_sk; | 1729 | S3I(s)->tmp.ca_names = ca_sk; | 
| 1730 | ca_sk = NULL; | 1730 | ca_sk = NULL; | 
| 1731 | 1731 | ||
| 1732 | ret = 1; | 1732 | ret = 1; | 
| @@ -1761,11 +1761,11 @@ ssl3_get_new_session_ticket(SSL *s) | |||
| 1761 | if (!ok) | 1761 | if (!ok) | 
| 1762 | return ((int)n); | 1762 | return ((int)n); | 
| 1763 | 1763 | ||
| 1764 | if (s->s3->tmp.message_type == SSL3_MT_FINISHED) { | 1764 | if (S3I(s)->tmp.message_type == SSL3_MT_FINISHED) { | 
| 1765 | s->s3->tmp.reuse_message = 1; | 1765 | S3I(s)->tmp.reuse_message = 1; | 
| 1766 | return (1); | 1766 | return (1); | 
| 1767 | } | 1767 | } | 
| 1768 | if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) { | 1768 | if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) { | 
| 1769 | al = SSL_AD_UNEXPECTED_MESSAGE; | 1769 | al = SSL_AD_UNEXPECTED_MESSAGE; | 
| 1770 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, | 1770 | SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, | 
| 1771 | SSL_R_BAD_MESSAGE_TYPE); | 1771 | SSL_R_BAD_MESSAGE_TYPE); | 
| @@ -2255,7 +2255,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) | |||
| 2255 | /* | 2255 | /* | 
| 2256 | * If we have client certificate, use its secret as peer key. | 2256 | * If we have client certificate, use its secret as peer key. | 
| 2257 | */ | 2257 | */ | 
| 2258 | if (s->s3->tmp.cert_req && s->cert->key->privatekey) { | 2258 | if (S3I(s)->tmp.cert_req && s->cert->key->privatekey) { | 
| 2259 | if (EVP_PKEY_derive_set_peer(pkey_ctx, | 2259 | if (EVP_PKEY_derive_set_peer(pkey_ctx, | 
| 2260 | s->cert->key->privatekey) <=0) { | 2260 | s->cert->key->privatekey) <=0) { | 
| 2261 | /* | 2261 | /* | 
| @@ -2339,7 +2339,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2339 | memset(&cbb, 0, sizeof(cbb)); | 2339 | memset(&cbb, 0, sizeof(cbb)); | 
| 2340 | 2340 | ||
| 2341 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) { | 2341 | if (s->state == SSL3_ST_CW_KEY_EXCH_A) { | 
| 2342 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 2342 | alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; | 
| 2343 | 2343 | ||
| 2344 | if ((sess_cert = s->session->sess_cert) == NULL) { | 2344 | if ((sess_cert = s->session->sess_cert) == NULL) { | 
| 2345 | ssl3_send_alert(s, SSL3_AL_FATAL, | 2345 | ssl3_send_alert(s, SSL3_AL_FATAL, | 
| @@ -2427,7 +2427,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2427 | long hdatalen = 0; | 2427 | long hdatalen = 0; | 
| 2428 | void *hdata; | 2428 | void *hdata; | 
| 2429 | const EVP_MD *md = s->cert->key->digest; | 2429 | const EVP_MD *md = s->cert->key->digest; | 
| 2430 | hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, | 2430 | hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, | 
| 2431 | &hdata); | 2431 | &hdata); | 
| 2432 | if (hdatalen <= 0 || | 2432 | if (hdatalen <= 0 || | 
| 2433 | !tls12_get_sigandhash(p, pkey, md)) { | 2433 | !tls12_get_sigandhash(p, pkey, md)) { | 
| @@ -2491,7 +2491,7 @@ ssl3_send_client_verify(SSL *s) | |||
| 2491 | int nid; | 2491 | int nid; | 
| 2492 | size_t sigsize; | 2492 | size_t sigsize; | 
| 2493 | 2493 | ||
| 2494 | hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); | 2494 | hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); | 
| 2495 | if (hdatalen <= 0) { | 2495 | if (hdatalen <= 0) { | 
| 2496 | SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | 2496 | SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, | 
| 2497 | ERR_R_INTERNAL_ERROR); | 2497 | ERR_R_INTERNAL_ERROR); | 
| @@ -2590,7 +2590,7 @@ ssl3_send_client_certificate(SSL *s) | |||
| 2590 | X509_free(x509); | 2590 | X509_free(x509); | 
| 2591 | EVP_PKEY_free(pkey); | 2591 | EVP_PKEY_free(pkey); | 
| 2592 | if (i == 0) | 2592 | if (i == 0) | 
| 2593 | s->s3->tmp.cert_req = 2; | 2593 | S3I(s)->tmp.cert_req = 2; | 
| 2594 | 2594 | ||
| 2595 | /* Ok, we have a cert */ | 2595 | /* Ok, we have a cert */ | 
| 2596 | s->state = SSL3_ST_CW_CERT_C; | 2596 | s->state = SSL3_ST_CW_CERT_C; | 
| @@ -2601,7 +2601,7 @@ ssl3_send_client_certificate(SSL *s) | |||
| 2601 | SSL3_MT_CERTIFICATE)) | 2601 | SSL3_MT_CERTIFICATE)) | 
| 2602 | goto err; | 2602 | goto err; | 
| 2603 | if (!ssl3_output_cert_chain(s, &client_cert, | 2603 | if (!ssl3_output_cert_chain(s, &client_cert, | 
| 2604 | (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509)) | 2604 | (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key->x509)) | 
| 2605 | goto err; | 2605 | goto err; | 
| 2606 | if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) | 2606 | if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) | 
| 2607 | goto err; | 2607 | goto err; | 
| @@ -2629,8 +2629,8 @@ ssl3_check_cert_and_algorithm(SSL *s) | |||
| 2629 | SESS_CERT *sc; | 2629 | SESS_CERT *sc; | 
| 2630 | DH *dh; | 2630 | DH *dh; | 
| 2631 | 2631 | ||
| 2632 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 2632 | alg_k = S3I(s)->tmp.new_cipher->algorithm_mkey; | 
| 2633 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | 2633 | alg_a = S3I(s)->tmp.new_cipher->algorithm_auth; | 
| 2634 | 2634 | ||
| 2635 | /* We don't have a certificate. */ | 2635 | /* We don't have a certificate. */ | 
| 2636 | if (alg_a & SSL_aNULL) | 2636 | if (alg_a & SSL_aNULL) | 
| @@ -2740,9 +2740,9 @@ ssl3_check_finished(SSL *s) | |||
| 2740 | SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); | 2740 | SSL3_ST_CR_CERT_B, -1, s->max_cert_list, &ok); | 
| 2741 | if (!ok) | 2741 | if (!ok) | 
| 2742 | return ((int)n); | 2742 | return ((int)n); | 
| 2743 | s->s3->tmp.reuse_message = 1; | 2743 | S3I(s)->tmp.reuse_message = 1; | 
| 2744 | if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) || | 2744 | if ((S3I(s)->tmp.message_type == SSL3_MT_FINISHED) || | 
| 2745 | (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) | 2745 | (S3I(s)->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) | 
| 2746 | return (2); | 2746 | return (2); | 
| 2747 | 2747 | ||
| 2748 | return (1); | 2748 | return (1); | 
