summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_srvr.c980
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c980
2 files changed, 1238 insertions, 722 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 1f0afc2353..0794a298b1 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -261,7 +261,8 @@ ssl3_accept(SSL *s)
261 ret = -1; 261 ret = -1;
262 goto end; 262 goto end;
263 } 263 }
264 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 264 if (!BUF_MEM_grow(buf,
265 SSL3_RT_MAX_PLAIN_LENGTH)) {
265 ret = -1; 266 ret = -1;
266 goto end; 267 goto end;
267 } 268 }
@@ -277,8 +278,10 @@ ssl3_accept(SSL *s)
277 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 278 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
278 279
279 if (s->state != SSL_ST_RENEGOTIATE) { 280 if (s->state != SSL_ST_RENEGOTIATE) {
280 /* Ok, we now need to push on a buffering BIO so that 281 /*
281 * the output is sent in a way that TCP likes :-) 282 * Ok, we now need to push on a buffering BIO
283 * so that the output is sent in a way that
284 * TCP likes :-)
282 */ 285 */
283 if (!ssl_init_wbio_buffer(s, 1)) { 286 if (!ssl_init_wbio_buffer(s, 1)) {
284 ret = -1; 287 ret = -1;
@@ -289,13 +292,17 @@ ssl3_accept(SSL *s)
289 s->state = SSL3_ST_SR_CLNT_HELLO_A; 292 s->state = SSL3_ST_SR_CLNT_HELLO_A;
290 s->ctx->stats.sess_accept++; 293 s->ctx->stats.sess_accept++;
291 } else if (!s->s3->send_connection_binding && 294 } else if (!s->s3->send_connection_binding &&
292 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 295 !(s->options &
293 /* Server attempting to renegotiate with 296 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
297 /*
298 * Server attempting to renegotiate with
294 * client that doesn't support secure 299 * client that doesn't support secure
295 * renegotiation. 300 * renegotiation.
296 */ 301 */
297 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 302 SSLerr(SSL_F_SSL3_ACCEPT,
298 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 303 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
304 ssl3_send_alert(s, SSL3_AL_FATAL,
305 SSL_AD_HANDSHAKE_FAILURE);
299 ret = -1; 306 ret = -1;
300 goto end; 307 goto end;
301 } else { 308 } else {
@@ -337,18 +344,27 @@ ssl3_accept(SSL *s)
337#ifndef OPENSSL_NO_SRP 344#ifndef OPENSSL_NO_SRP
338 { 345 {
339 int al; 346 int al;
340 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) { 347 if ((ret =
341 /* callback indicates firther work to be done */ 348 ssl_check_srp_ext_ClientHello(s, &al))
349 < 0) {
350 /*
351 * Callback indicates further work to
352 * be done.
353 */
342 s->rwstate = SSL_X509_LOOKUP; 354 s->rwstate = SSL_X509_LOOKUP;
343 goto end; 355 goto end;
344 } 356 }
345 if (ret != SSL_ERROR_NONE) { 357 if (ret != SSL_ERROR_NONE) {
346 ssl3_send_alert(s, SSL3_AL_FATAL, al); 358 ssl3_send_alert(s, SSL3_AL_FATAL, al);
347 359
348 /* This is not really an error but the only means to 360 /*
349 for a client to detect whether srp is supported. */ 361 * This is not really an error but the
362 * only means for a client to detect
363 * whether srp is supported.
364 */
350 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 365 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
351 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT); 366 SSLerr(SSL_F_SSL3_ACCEPT,
367 SSL_R_CLIENTHELLO_TLSEXT);
352 368
353 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 369 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
354 370
@@ -390,8 +406,10 @@ ssl3_accept(SSL *s)
390 /* Check if it is anon DH or anon ECDH, */ 406 /* Check if it is anon DH or anon ECDH, */
391 /* normal PSK or KRB5 or SRP */ 407 /* normal PSK or KRB5 or SRP */
392 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 408 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
393 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 409 && !(s->s3->tmp.new_cipher->algorithm_mkey &
394 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) { 410 SSL_kPSK)
411 && !(s->s3->tmp.new_cipher->algorithm_auth &
412 SSL_aKRB5)) {
395 ret = ssl3_send_server_certificate(s); 413 ret = ssl3_send_server_certificate(s);
396 if (ret <= 0) 414 if (ret <= 0)
397 goto end; 415 goto end;
@@ -417,17 +435,21 @@ ssl3_accept(SSL *s)
417 case SSL3_ST_SW_KEY_EXCH_B: 435 case SSL3_ST_SW_KEY_EXCH_B:
418 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 436 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
419 437
420 /* clear this, it may get reset by 438 /*
421 * send_server_key_exchange */ 439 * Clear this, it may get reset by
440 * send_server_key_exchange.
441 */
422 if ((s->options & SSL_OP_EPHEMERAL_RSA) 442 if ((s->options & SSL_OP_EPHEMERAL_RSA)
423#ifndef OPENSSL_NO_KRB5 443#ifndef OPENSSL_NO_KRB5
424 && !(alg_k & SSL_kKRB5) 444 && !(alg_k & SSL_kKRB5)
425#endif /* OPENSSL_NO_KRB5 */ 445#endif /* OPENSSL_NO_KRB5 */
426 ) 446 )
427 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 447 /*
428 * even when forbidden by protocol specs 448 * option SSL_OP_EPHEMERAL_RSA sends temporary
429 * (handshake may fail as clients are not required to 449 * RSA key even when forbidden by protocol specs
430 * be able to handle this) */ 450 * (handshake may fail as clients are not
451 * required to be able to handle this)
452 */
431 s->s3->tmp.use_rsa_tmp = 1; 453 s->s3->tmp.use_rsa_tmp = 1;
432 else 454 else
433 s->s3->tmp.use_rsa_tmp = 0; 455 s->s3->tmp.use_rsa_tmp = 0;
@@ -457,13 +479,13 @@ ssl3_accept(SSL *s)
457 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 479 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
458 || (alg_k & SSL_kEECDH) 480 || (alg_k & SSL_kEECDH)
459 || ((alg_k & SSL_kRSA) 481 || ((alg_k & SSL_kRSA)
460 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 482 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
483 NULL
461 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 484 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
462 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 485 && EVP_PKEY_size(
463 ) 486 s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) * 8
464 ) 487 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher
465 ) 488 ))))) {
466 ) {
467 ret = ssl3_send_server_key_exchange(s); 489 ret = ssl3_send_server_key_exchange(s);
468 if (ret <= 0) 490 if (ret <= 0)
469 goto end; 491 goto end;
@@ -476,25 +498,37 @@ ssl3_accept(SSL *s)
476 498
477 case SSL3_ST_SW_CERT_REQ_A: 499 case SSL3_ST_SW_CERT_REQ_A:
478 case SSL3_ST_SW_CERT_REQ_B: 500 case SSL3_ST_SW_CERT_REQ_B:
479 if (/* don't request cert unless asked for it: */ 501 if (/* Don't request cert unless asked for it: */
480 !(s->verify_mode & SSL_VERIFY_PEER) || 502 !(s->verify_mode & SSL_VERIFY_PEER) ||
481 /* if SSL_VERIFY_CLIENT_ONCE is set, 503 /*
482 * don't request cert during re-negotiation: */ 504 * If SSL_VERIFY_CLIENT_ONCE is set,
505 * don't request cert during re-negotiation:
506 */
483 ((s->session->peer != NULL) && 507 ((s->session->peer != NULL) &&
484 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 508 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
485 /* never request cert in anonymous ciphersuites 509 /*
486 * (see section "Certificate request" in SSL 3 drafts 510 * Never request cert in anonymous ciphersuites
487 * and in RFC 2246): */ 511 * (see section "Certificate request" in SSL 3
488 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 512 * drafts and in RFC 2246):
489 /* ... except when the application insists on verification 513 */
490 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 514 ((s->s3->tmp.new_cipher->algorithm_auth &
491 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 515 SSL_aNULL) &&
516 /*
517 * ... except when the application insists on
518 * verification (against the specs, but
519 * s3_clnt.c accepts this for SSL 3)
520 */
521 !(s->verify_mode &
522 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
492 /* never request cert in Kerberos ciphersuites */ 523 /* never request cert in Kerberos ciphersuites */
493 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 524 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
494 /* With normal PSK Certificates and 525 /*
495 * Certificate Requests are omitted */ 526 * With normal PSK Certificates and
496 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 527 * Certificate Requests are omitted
497 /* no cert request */ 528 */
529 || (s->s3->tmp.new_cipher->algorithm_mkey &
530 SSL_kPSK)) {
531 /* No cert request */
498 skip = 1; 532 skip = 1;
499 s->s3->tmp.cert_request = 0; 533 s->s3->tmp.cert_request = 0;
500 s->state = SSL3_ST_SW_SRVR_DONE_A; 534 s->state = SSL3_ST_SW_SRVR_DONE_A;
@@ -528,7 +562,8 @@ ssl3_accept(SSL *s)
528 562
529 case SSL3_ST_SW_FLUSH: 563 case SSL3_ST_SW_FLUSH:
530 564
531 /* This code originally checked to see if 565 /*
566 * This code originally checked to see if
532 * any data was pending using BIO_CTRL_INFO 567 * any data was pending using BIO_CTRL_INFO
533 * and then flushed. This caused problems 568 * and then flushed. This caused problems
534 * as documented in PR#1939. The proposed 569 * as documented in PR#1939. The proposed
@@ -573,7 +608,8 @@ ssl3_accept(SSL *s)
573 if (ret <= 0) 608 if (ret <= 0)
574 goto end; 609 goto end;
575 if (ret == 2) { 610 if (ret == 2) {
576 /* For the ECDH ciphersuites when 611 /*
612 * For the ECDH ciphersuites when
577 * the client sends its ECDH pub key in 613 * the client sends its ECDH pub key in
578 * a certificate, the CertificateVerify 614 * a certificate, the CertificateVerify
579 * message is not sent. 615 * message is not sent.
@@ -595,11 +631,13 @@ ssl3_accept(SSL *s)
595 s->init_num = 0; 631 s->init_num = 0;
596 if (!s->session->peer) 632 if (!s->session->peer)
597 break; 633 break;
598 /* For TLS v1.2 freeze the handshake buffer 634 /*
635 * For TLS v1.2 freeze the handshake buffer
599 * at this point and digest cached records. 636 * at this point and digest cached records.
600 */ 637 */
601 if (!s->s3->handshake_buffer) { 638 if (!s->s3->handshake_buffer) {
602 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 639 SSLerr(SSL_F_SSL3_ACCEPT,
640 ERR_R_INTERNAL_ERROR);
603 return -1; 641 return -1;
604 } 642 }
605 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 643 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
@@ -612,20 +650,27 @@ ssl3_accept(SSL *s)
612 s->state = SSL3_ST_SR_CERT_VRFY_A; 650 s->state = SSL3_ST_SR_CERT_VRFY_A;
613 s->init_num = 0; 651 s->init_num = 0;
614 652
615 /* We need to get hashes here so if there is 653 /*
654 * We need to get hashes here so if there is
616 * a client cert, it can be verified 655 * a client cert, it can be verified
617 * FIXME - digest processing for CertificateVerify 656 * FIXME - digest processing for
618 * should be generalized. But it is next step 657 * CertificateVerify should be generalized.
658 * But it is next step
619 */ 659 */
620 if (s->s3->handshake_buffer) 660 if (s->s3->handshake_buffer)
621 if (!ssl3_digest_cached_records(s)) 661 if (!ssl3_digest_cached_records(s))
622 return -1; 662 return -1;
623 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++) 663 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
664 dgst_num++)
624 if (s->s3->handshake_dgst[dgst_num]) { 665 if (s->s3->handshake_dgst[dgst_num]) {
625 int dgst_size; 666 int dgst_size;
626 667
627 s->method->ssl3_enc->cert_verify_mac(s, EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]), &(s->s3->tmp.cert_verify_md[offset])); 668 s->method->ssl3_enc->cert_verify_mac(s,
628 dgst_size = EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 669 EVP_MD_CTX_type(
670 s->s3->handshake_dgst[dgst_num]),
671 &(s->s3->tmp.cert_verify_md[offset]));
672 dgst_size = EVP_MD_CTX_size(
673 s->s3->handshake_dgst[dgst_num]);
629 if (dgst_size < 0) { 674 if (dgst_size < 0) {
630 ret = -1; 675 ret = -1;
631 goto end; 676 goto end;
@@ -713,7 +758,7 @@ ssl3_accept(SSL *s)
713 } 758 }
714 759
715 ret = ssl3_send_change_cipher_spec(s, 760 ret = ssl3_send_change_cipher_spec(s,
716 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); 761 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
717 762
718 if (ret <= 0) 763 if (ret <= 0)
719 goto end; 764 goto end;
@@ -742,9 +787,11 @@ ssl3_accept(SSL *s)
742 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; 787 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
743#else 788#else
744 if (s->s3->next_proto_neg_seen) 789 if (s->s3->next_proto_neg_seen)
745 s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A; 790 s->s3->tmp.next_state =
791 SSL3_ST_SR_NEXT_PROTO_A;
746 else 792 else
747 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; 793 s->s3->tmp.next_state =
794 SSL3_ST_SR_FINISHED_A;
748#endif 795#endif
749 } else 796 } else
750 s->s3->tmp.next_state = SSL_ST_OK; 797 s->s3->tmp.next_state = SSL_ST_OK;
@@ -763,8 +810,8 @@ ssl3_accept(SSL *s)
763 810
764 s->init_num = 0; 811 s->init_num = 0;
765 812
766 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 813 /* skipped if we just sent a HelloRequest */
767 { 814 if (s->renegotiate == 2) {
768 s->renegotiate = 0; 815 s->renegotiate = 0;
769 s->new_session = 0; 816 s->new_session = 0;
770 817
@@ -842,26 +889,30 @@ ssl3_check_client_hello(SSL *s)
842 int ok; 889 int ok;
843 long n; 890 long n;
844 891
845 /* this function is called when we really expect a Certificate message, 892 /*
846 * so permit appropriate message length */ 893 * This function is called when we really expect a Certificate message,
847 n = s->method->ssl_get_message(s, 894 * so permit appropriate message length
848 SSL3_ST_SR_CERT_A, 895 */
849 SSL3_ST_SR_CERT_B, 896 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A,
850 -1, 897 SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok);
851 s->max_cert_list,
852 &ok);
853 if (!ok) 898 if (!ok)
854 return ((int)n); 899 return ((int)n);
855 s->s3->tmp.reuse_message = 1; 900 s->s3->tmp.reuse_message = 1;
856 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { 901 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
857 /* We only allow the client to restart the handshake once per 902 /*
858 * negotiation. */ 903 * We only allow the client to restart the handshake once per
904 * negotiation.
905 */
859 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { 906 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
860 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 907 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
908 SSL_R_MULTIPLE_SGC_RESTARTS);
861 return -1; 909 return -1;
862 } 910 }
863 /* Throw away what we have done so far in the current handshake, 911 /*
864 * which will now be aborted. (A full SSL_clear would be too much.) */ 912 * Throw away what we have done so far in the current handshake,
913 * which will now be aborted. (A full SSL_clear would be too
914 * much.)
915 */
865#ifndef OPENSSL_NO_DH 916#ifndef OPENSSL_NO_DH
866 if (s->s3->tmp.dh != NULL) { 917 if (s->s3->tmp.dh != NULL) {
867 DH_free(s->s3->tmp.dh); 918 DH_free(s->s3->tmp.dh);
@@ -894,7 +945,8 @@ ssl3_get_client_hello(SSL *s)
894#endif 945#endif
895 STACK_OF(SSL_CIPHER) *ciphers = NULL; 946 STACK_OF(SSL_CIPHER) *ciphers = NULL;
896 947
897 /* We do this so that we will respond with our native type. 948 /*
949 * We do this so that we will respond with our native type.
898 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 950 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
899 * This down switching should be handled by a different method. 951 * This down switching should be handled by a different method.
900 * If we are SSLv3, we will respond with SSLv3, even if prompted with 952 * If we are SSLv3, we will respond with SSLv3, even if prompted with
@@ -916,8 +968,10 @@ ssl3_get_client_hello(SSL *s)
916 s->first_packet = 0; 968 s->first_packet = 0;
917 d = p=(unsigned char *)s->init_msg; 969 d = p=(unsigned char *)s->init_msg;
918 970
919 /* use version from inside client hello, not from record header 971 /*
920 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 972 * Use version from inside client hello, not from record header.
973 * (may differ: see RFC 2246, Appendix E, second paragraph)
974 */
921 s->client_version = (((int)p[0]) << 8)|(int)p[1]; 975 s->client_version = (((int)p[0]) << 8)|(int)p[1];
922 p += 2; 976 p += 2;
923 977
@@ -926,14 +980,18 @@ ssl3_get_client_hello(SSL *s)
926 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 980 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
927 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && 981 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
928 !s->enc_write_ctx && !s->write_hash) { 982 !s->enc_write_ctx && !s->write_hash) {
929 /* similar to ssl3_get_record, send alert using remote version number */ 983 /*
984 * Similar to ssl3_get_record, send alert using remote
985 * version number
986 */
930 s->version = s->client_version; 987 s->version = s->client_version;
931 } 988 }
932 al = SSL_AD_PROTOCOL_VERSION; 989 al = SSL_AD_PROTOCOL_VERSION;
933 goto f_err; 990 goto f_err;
934 } 991 }
935 992
936 /* If we require cookies and this ClientHello doesn't 993 /*
994 * If we require cookies and this ClientHello doesn't
937 * contain one, just return since we do not want to 995 * contain one, just return since we do not want to
938 * allocate any memory yet. So check cookie length... 996 * allocate any memory yet. So check cookie length...
939 */ 997 */
@@ -955,29 +1013,33 @@ ssl3_get_client_hello(SSL *s)
955 j= *(p++); 1013 j= *(p++);
956 1014
957 s->hit = 0; 1015 s->hit = 0;
958 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 1016 /*
959 * 0.9.7 and later allow this by default, but optionally ignore resumption requests 1017 * Versions before 0.9.7 always allow clients to resume sessions in
960 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 1018 * renegotiation. 0.9.7 and later allow this by default, but optionally
961 * than a change to default behavior so that applications relying on this for security 1019 * ignore resumption requests with flag
962 * won't even compile against older library versions). 1020 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
1021 * rather than a change to default behavior so that applications
1022 * relying on this for security won't even compile against older
1023 * library versions).
963 * 1024 *
964 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to request 1025 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
965 * renegotiation but not a new session (s->new_session remains unset): for servers, 1026 * to request renegotiation but not a new session (s->new_session
966 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1027 * remains unset): for servers, this essentially just means that the
967 * setting will be ignored. 1028 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
1029 * ignored.
968 */ 1030 */
969 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { 1031 if ((s->new_session && (s->options &
1032 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
970 if (!ssl_get_new_session(s, 1)) 1033 if (!ssl_get_new_session(s, 1))
971 goto err; 1034 goto err;
972 } else { 1035 } else {
973 i = ssl_get_prev_session(s, p, j, d + n); 1036 i = ssl_get_prev_session(s, p, j, d + n);
974 if (i == 1) 1037 if (i == 1) { /* previous session */
975 { /* previous session */
976 s->hit = 1; 1038 s->hit = 1;
977 } else if (i == -1) 1039 } else if (i == -1)
978 goto err; 1040 goto err;
979 else /* i == 0 */ 1041 else {
980 { 1042 /* i == 0 */
981 if (!ssl_get_new_session(s, 1)) 1043 if (!ssl_get_new_session(s, 1))
982 goto err; 1044 goto err;
983 } 1045 }
@@ -997,7 +1059,8 @@ ssl3_get_client_hello(SSL *s)
997 if (cookie_len > sizeof(s->d1->rcvd_cookie)) { 1059 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
998 /* too much data */ 1060 /* too much data */
999 al = SSL_AD_DECODE_ERROR; 1061 al = SSL_AD_DECODE_ERROR;
1000 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1062 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1063 SSL_R_COOKIE_MISMATCH);
1001 goto f_err; 1064 goto f_err;
1002 } 1065 }
1003 1066
@@ -1007,20 +1070,20 @@ ssl3_get_client_hello(SSL *s)
1007 memcpy(s->d1->rcvd_cookie, p, cookie_len); 1070 memcpy(s->d1->rcvd_cookie, p, cookie_len);
1008 1071
1009 if (s->ctx->app_verify_cookie_cb != NULL) { 1072 if (s->ctx->app_verify_cookie_cb != NULL) {
1010 if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1073 if (s->ctx->app_verify_cookie_cb(s,
1011 cookie_len) == 0) { 1074 s->d1->rcvd_cookie, cookie_len) == 0) {
1012 al = SSL_AD_HANDSHAKE_FAILURE; 1075 al = SSL_AD_HANDSHAKE_FAILURE;
1013 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1076 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1014 SSL_R_COOKIE_MISMATCH); 1077 SSL_R_COOKIE_MISMATCH);
1015 goto f_err; 1078 goto f_err;
1016 } 1079 }
1017 /* else cookie verification succeeded */ 1080 /* else cookie verification succeeded */
1018 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie, 1081 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1019 s->d1->cookie_len) != 0) /* default verification */ 1082 s->d1->cookie_len) != 0) {
1020 { 1083 /* default verification */
1021 al = SSL_AD_HANDSHAKE_FAILURE; 1084 al = SSL_AD_HANDSHAKE_FAILURE;
1022 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1085 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1023 SSL_R_COOKIE_MISMATCH); 1086 SSL_R_COOKIE_MISMATCH);
1024 goto f_err; 1087 goto f_err;
1025 } 1088 }
1026 1089
@@ -1068,7 +1131,8 @@ ssl3_get_client_hello(SSL *s)
1068 break; 1131 break;
1069 } 1132 }
1070 } 1133 }
1071/* Disabled because it can be used in a ciphersuite downgrade 1134/*
1135 * Disabled because it can be used in a ciphersuite downgrade
1072 * attack: CVE-2010-4180. 1136 * attack: CVE-2010-4180.
1073 */ 1137 */
1074#if 0 1138#if 0
@@ -1089,7 +1153,8 @@ ssl3_get_client_hello(SSL *s)
1089 /* we need to have the cipher in the cipher 1153 /* we need to have the cipher in the cipher
1090 * list if we are asked to reuse it */ 1154 * list if we are asked to reuse it */
1091 al = SSL_AD_ILLEGAL_PARAMETER; 1155 al = SSL_AD_ILLEGAL_PARAMETER;
1092 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING); 1156 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1157 SSL_R_REQUIRED_CIPHER_MISSING);
1093 goto f_err; 1158 goto f_err;
1094 } 1159 }
1095 } 1160 }
@@ -1112,7 +1177,8 @@ ssl3_get_client_hello(SSL *s)
1112 if (j >= i) { 1177 if (j >= i) {
1113 /* no compress */ 1178 /* no compress */
1114 al = SSL_AD_DECODE_ERROR; 1179 al = SSL_AD_DECODE_ERROR;
1115 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); 1180 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1181 SSL_R_NO_COMPRESSION_SPECIFIED);
1116 goto f_err; 1182 goto f_err;
1117 } 1183 }
1118 1184
@@ -1121,7 +1187,8 @@ ssl3_get_client_hello(SSL *s)
1121 if (s->version >= SSL3_VERSION) { 1187 if (s->version >= SSL3_VERSION) {
1122 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) { 1188 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
1123 /* 'al' set by ssl_parse_clienthello_tlsext */ 1189 /* 'al' set by ssl_parse_clienthello_tlsext */
1124 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); 1190 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1191 SSL_R_PARSE_TLSEXT);
1125 goto f_err; 1192 goto f_err;
1126 } 1193 }
1127 } 1194 }
@@ -1130,10 +1197,12 @@ ssl3_get_client_hello(SSL *s)
1130 goto err; 1197 goto err;
1131 } 1198 }
1132 1199
1133 /* Check if we want to use external pre-shared secret for this 1200 /*
1201 * Check if we want to use external pre-shared secret for this
1134 * handshake for not reused session only. We need to generate 1202 * handshake for not reused session only. We need to generate
1135 * server_random before calling tls_session_secret_cb in order to allow 1203 * server_random before calling tls_session_secret_cb in order to allow
1136 * SessionTicket processing to use it in key derivation. */ 1204 * SessionTicket processing to use it in key derivation.
1205 */
1137 { 1206 {
1138 unsigned char *pos; 1207 unsigned char *pos;
1139 pos = s->s3->server_random; 1208 pos = s->s3->server_random;
@@ -1147,8 +1216,9 @@ ssl3_get_client_hello(SSL *s)
1147 SSL_CIPHER *pref_cipher = NULL; 1216 SSL_CIPHER *pref_cipher = NULL;
1148 1217
1149 s->session->master_key_length = sizeof(s->session->master_key); 1218 s->session->master_key_length = sizeof(s->session->master_key);
1150 if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1219 if (s->tls_session_secret_cb(s, s->session->master_key,
1151 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) { 1220 &s->session->master_key_length, ciphers, &pref_cipher,
1221 s->tls_session_secret_cb_arg)) {
1152 s->hit = 1; 1222 s->hit = 1;
1153 s->session->ciphers = ciphers; 1223 s->session->ciphers = ciphers;
1154 s->session->verify_result = X509_V_OK; 1224 s->session->verify_result = X509_V_OK;
@@ -1156,10 +1226,13 @@ ssl3_get_client_hello(SSL *s)
1156 ciphers = NULL; 1226 ciphers = NULL;
1157 1227
1158 /* check if some cipher was preferred by call back */ 1228 /* check if some cipher was preferred by call back */
1159 pref_cipher = pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1229 pref_cipher = pref_cipher ? pref_cipher :
1230 ssl3_choose_cipher(s, s->session->ciphers,
1231 SSL_get_ciphers(s));
1160 if (pref_cipher == NULL) { 1232 if (pref_cipher == NULL) {
1161 al = SSL_AD_HANDSHAKE_FAILURE; 1233 al = SSL_AD_HANDSHAKE_FAILURE;
1162 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); 1234 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1235 SSL_R_NO_SHARED_CIPHER);
1163 goto f_err; 1236 goto f_err;
1164 } 1237 }
1165 1238
@@ -1172,14 +1245,17 @@ ssl3_get_client_hello(SSL *s)
1172 sk_SSL_CIPHER_free(s->cipher_list_by_id); 1245 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1173 1246
1174 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1247 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1175 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1248 s->cipher_list_by_id =
1249 sk_SSL_CIPHER_dup(s->session->ciphers);
1176 } 1250 }
1177 } 1251 }
1178#endif 1252#endif
1179 1253
1180 /* Worst case, we will use the NULL compression, but if we have other 1254 /*
1255 * Worst case, we will use the NULL compression, but if we have other
1181 * options, we will now look for them. We have i-1 compression 1256 * options, we will now look for them. We have i-1 compression
1182 * algorithms from the client, starting at q. */ 1257 * algorithms from the client, starting at q.
1258 */
1183 s->s3->tmp.new_compression = NULL; 1259 s->s3->tmp.new_compression = NULL;
1184#ifndef OPENSSL_NO_COMP 1260#ifndef OPENSSL_NO_COMP
1185 /* This only happens if we have a cache hit */ 1261 /* This only happens if we have a cache hit */
@@ -1189,7 +1265,8 @@ ssl3_get_client_hello(SSL *s)
1189 /* Can't disable compression */ 1265 /* Can't disable compression */
1190 if (s->options & SSL_OP_NO_COMPRESSION) { 1266 if (s->options & SSL_OP_NO_COMPRESSION) {
1191 al = SSL_AD_INTERNAL_ERROR; 1267 al = SSL_AD_INTERNAL_ERROR;
1192 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); 1268 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1269 SSL_R_INCONSISTENT_COMPRESSION);
1193 goto f_err; 1270 goto f_err;
1194 } 1271 }
1195 /* Look for resumed compression method */ 1272 /* Look for resumed compression method */
@@ -1202,7 +1279,8 @@ ssl3_get_client_hello(SSL *s)
1202 } 1279 }
1203 if (s->s3->tmp.new_compression == NULL) { 1280 if (s->s3->tmp.new_compression == NULL) {
1204 al = SSL_AD_INTERNAL_ERROR; 1281 al = SSL_AD_INTERNAL_ERROR;
1205 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INVALID_COMPRESSION_ALGORITHM); 1282 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1283 SSL_R_INVALID_COMPRESSION_ALGORITHM);
1206 goto f_err; 1284 goto f_err;
1207 } 1285 }
1208 /* Look for resumed method in compression list */ 1286 /* Look for resumed method in compression list */
@@ -1212,7 +1290,8 @@ ssl3_get_client_hello(SSL *s)
1212 } 1290 }
1213 if (m >= i) { 1291 if (m >= i) {
1214 al = SSL_AD_ILLEGAL_PARAMETER; 1292 al = SSL_AD_ILLEGAL_PARAMETER;
1215 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); 1293 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1294 SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1216 goto f_err; 1295 goto f_err;
1217 } 1296 }
1218 } else if (s->hit) 1297 } else if (s->hit)
@@ -1240,18 +1319,22 @@ ssl3_get_client_hello(SSL *s)
1240 comp = NULL; 1319 comp = NULL;
1241 } 1320 }
1242#else 1321#else
1243 /* If compression is disabled we'd better not try to resume a session 1322 /*
1323 * If compression is disabled we'd better not try to resume a session
1244 * using compression. 1324 * using compression.
1245 */ 1325 */
1246 if (s->session->compress_meth != 0) { 1326 if (s->session->compress_meth != 0) {
1247 al = SSL_AD_INTERNAL_ERROR; 1327 al = SSL_AD_INTERNAL_ERROR;
1248 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); 1328 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1329 SSL_R_INCONSISTENT_COMPRESSION);
1249 goto f_err; 1330 goto f_err;
1250 } 1331 }
1251#endif 1332#endif
1252 1333
1253 /* Given s->session->ciphers and SSL_get_ciphers, we must 1334 /*
1254 * pick a cipher */ 1335 * Given s->session->ciphers and SSL_get_ciphers, we must
1336 * pick a cipher
1337 */
1255 1338
1256 if (!s->hit) { 1339 if (!s->hit) {
1257#ifdef OPENSSL_NO_COMP 1340#ifdef OPENSSL_NO_COMP
@@ -1264,7 +1347,8 @@ ssl3_get_client_hello(SSL *s)
1264 s->session->ciphers = ciphers; 1347 s->session->ciphers = ciphers;
1265 if (ciphers == NULL) { 1348 if (ciphers == NULL) {
1266 al = SSL_AD_ILLEGAL_PARAMETER; 1349 al = SSL_AD_ILLEGAL_PARAMETER;
1267 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED); 1350 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1351 SSL_R_NO_CIPHERS_PASSED);
1268 goto f_err; 1352 goto f_err;
1269 } 1353 }
1270 ciphers = NULL; 1354 ciphers = NULL;
@@ -1273,7 +1357,8 @@ ssl3_get_client_hello(SSL *s)
1273 1357
1274 if (c == NULL) { 1358 if (c == NULL) {
1275 al = SSL_AD_HANDSHAKE_FAILURE; 1359 al = SSL_AD_HANDSHAKE_FAILURE;
1276 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); 1360 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1361 SSL_R_NO_SHARED_CIPHER);
1277 goto f_err; 1362 goto f_err;
1278 } 1363 }
1279 s->s3->tmp.new_cipher = c; 1364 s->s3->tmp.new_cipher = c;
@@ -1304,14 +1389,16 @@ ssl3_get_client_hello(SSL *s)
1304 s->s3->tmp.new_cipher = s->session->cipher; 1389 s->s3->tmp.new_cipher = s->session->cipher;
1305 } 1390 }
1306 1391
1307 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) { 1392 if (TLS1_get_version(s) < TLS1_2_VERSION ||
1393 !(s->verify_mode & SSL_VERIFY_PEER)) {
1308 if (!ssl3_digest_cached_records(s)) { 1394 if (!ssl3_digest_cached_records(s)) {
1309 al = SSL_AD_INTERNAL_ERROR; 1395 al = SSL_AD_INTERNAL_ERROR;
1310 goto f_err; 1396 goto f_err;
1311 } 1397 }
1312 } 1398 }
1313 1399
1314 /* we now have the following setup. 1400 /*
1401 * We now have the following setup.
1315 * client_random 1402 * client_random
1316 * cipher_list - our prefered list of ciphers 1403 * cipher_list - our prefered list of ciphers
1317 * ciphers - the clients prefered list of ciphers 1404 * ciphers - the clients prefered list of ciphers
@@ -1325,7 +1412,8 @@ ssl3_get_client_hello(SSL *s)
1325 /* Handles TLS extensions that we couldn't check earlier */ 1412 /* Handles TLS extensions that we couldn't check earlier */
1326 if (s->version >= SSL3_VERSION) { 1413 if (s->version >= SSL3_VERSION) {
1327 if (ssl_check_clienthello_tlsext_late(s) <= 0) { 1414 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1328 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1415 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1416 SSL_R_CLIENTHELLO_TLSEXT);
1329 goto err; 1417 goto err;
1330 } 1418 }
1331 } 1419 }
@@ -1367,8 +1455,10 @@ ssl3_send_server_hello(SSL *s)
1367 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); 1455 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1368 p += SSL3_RANDOM_SIZE; 1456 p += SSL3_RANDOM_SIZE;
1369 1457
1370 /* There are several cases for the session ID to send 1458 /*
1459 * There are several cases for the session ID to send
1371 * back in the server hello: 1460 * back in the server hello:
1461 *
1372 * - For session reuse from the session cache, 1462 * - For session reuse from the session cache,
1373 * we send back the old session ID. 1463 * we send back the old session ID.
1374 * - If stateless session reuse (using a session ticket) 1464 * - If stateless session reuse (using a session ticket)
@@ -1378,17 +1468,19 @@ ssl3_send_server_hello(SSL *s)
1378 * session ID. 1468 * session ID.
1379 * - However, if we want the new session to be single-use, 1469 * - However, if we want the new session to be single-use,
1380 * we send back a 0-length session ID. 1470 * we send back a 0-length session ID.
1471 *
1381 * s->hit is non-zero in either case of session reuse, 1472 * s->hit is non-zero in either case of session reuse,
1382 * so the following won't overwrite an ID that we're supposed 1473 * so the following won't overwrite an ID that we're supposed
1383 * to send back. 1474 * to send back.
1384 */ 1475 */
1385 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1476 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1386 && !s->hit) 1477 && !s->hit)
1387 s->session->session_id_length = 0; 1478 s->session->session_id_length = 0;
1388 1479
1389 sl = s->session->session_id_length; 1480 sl = s->session->session_id_length;
1390 if (sl > (int)sizeof(s->session->session_id)) { 1481 if (sl > (int)sizeof(s->session->session_id)) {
1391 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1482 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1483 ERR_R_INTERNAL_ERROR);
1392 return -1; 1484 return -1;
1393 } 1485 }
1394 *(p++) = sl; 1486 *(p++) = sl;
@@ -1410,11 +1502,14 @@ ssl3_send_server_hello(SSL *s)
1410#endif 1502#endif
1411#ifndef OPENSSL_NO_TLSEXT 1503#ifndef OPENSSL_NO_TLSEXT
1412 if (ssl_prepare_serverhello_tlsext(s) <= 0) { 1504 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1413 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); 1505 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1506 SSL_R_SERVERHELLO_TLSEXT);
1414 return -1; 1507 return -1;
1415 } 1508 }
1416 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { 1509 if ((p = ssl_add_serverhello_tlsext(s, p,
1417 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1510 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1511 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1512 ERR_R_INTERNAL_ERROR);
1418 return -1; 1513 return -1;
1419 } 1514 }
1420#endif 1515#endif
@@ -1509,7 +1604,9 @@ ssl3_send_server_key_exchange(SSL *s)
1509 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1604 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1510 if (rsa == NULL) { 1605 if (rsa == NULL) {
1511 al = SSL_AD_HANDSHAKE_FAILURE; 1606 al = SSL_AD_HANDSHAKE_FAILURE;
1512 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1607 SSLerr(
1608 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1609 SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1513 goto f_err; 1610 goto f_err;
1514 } 1611 }
1515 RSA_up_ref(rsa); 1612 RSA_up_ref(rsa);
@@ -1517,7 +1614,8 @@ ssl3_send_server_key_exchange(SSL *s)
1517 } 1614 }
1518 if (rsa == NULL) { 1615 if (rsa == NULL) {
1519 al = SSL_AD_HANDSHAKE_FAILURE; 1616 al = SSL_AD_HANDSHAKE_FAILURE;
1520 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY); 1617 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1618 SSL_R_MISSING_TMP_RSA_KEY);
1521 goto f_err; 1619 goto f_err;
1522 } 1620 }
1523 r[0] = rsa->n; 1621 r[0] = rsa->n;
@@ -1534,17 +1632,20 @@ ssl3_send_server_key_exchange(SSL *s)
1534 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1632 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1535 if (dhp == NULL) { 1633 if (dhp == NULL) {
1536 al = SSL_AD_HANDSHAKE_FAILURE; 1634 al = SSL_AD_HANDSHAKE_FAILURE;
1537 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY); 1635 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1636 SSL_R_MISSING_TMP_DH_KEY);
1538 goto f_err; 1637 goto f_err;
1539 } 1638 }
1540 1639
1541 if (s->s3->tmp.dh != NULL) { 1640 if (s->s3->tmp.dh != NULL) {
1542 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1641 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1642 ERR_R_INTERNAL_ERROR);
1543 goto err; 1643 goto err;
1544 } 1644 }
1545 1645
1546 if ((dh = DHparams_dup(dhp)) == NULL) { 1646 if ((dh = DHparams_dup(dhp)) == NULL) {
1547 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1647 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1648 ERR_R_DH_LIB);
1548 goto err; 1649 goto err;
1549 } 1650 }
1550 1651
@@ -1552,8 +1653,9 @@ ssl3_send_server_key_exchange(SSL *s)
1552 if ((dhp->pub_key == NULL || dhp->priv_key == NULL || 1653 if ((dhp->pub_key == NULL || dhp->priv_key == NULL ||
1553 (s->options & SSL_OP_SINGLE_DH_USE))) { 1654 (s->options & SSL_OP_SINGLE_DH_USE))) {
1554 if (!DH_generate_key(dh)) { 1655 if (!DH_generate_key(dh)) {
1555 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1656 SSLerr(
1556 ERR_R_DH_LIB); 1657 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1658 ERR_R_DH_LIB);
1557 goto err; 1659 goto err;
1558 } 1660 }
1559 } else { 1661 } else {
@@ -1561,7 +1663,9 @@ ssl3_send_server_key_exchange(SSL *s)
1561 dh->priv_key = BN_dup(dhp->priv_key); 1663 dh->priv_key = BN_dup(dhp->priv_key);
1562 if ((dh->pub_key == NULL) || 1664 if ((dh->pub_key == NULL) ||
1563 (dh->priv_key == NULL)) { 1665 (dh->priv_key == NULL)) {
1564 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1666 SSLerr(
1667 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1668 ERR_R_DH_LIB);
1565 goto err; 1669 goto err;
1566 } 1670 }
1567 } 1671 }
@@ -1578,26 +1682,31 @@ ssl3_send_server_key_exchange(SSL *s)
1578 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) { 1682 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
1579 ecdhp = s->cert->ecdh_tmp_cb( 1683 ecdhp = s->cert->ecdh_tmp_cb(
1580 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1684 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1581 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1685 SSL_C_EXPORT_PKEYLENGTH(
1686 s->s3->tmp.new_cipher));
1582 } 1687 }
1583 if (ecdhp == NULL) { 1688 if (ecdhp == NULL) {
1584 al = SSL_AD_HANDSHAKE_FAILURE; 1689 al = SSL_AD_HANDSHAKE_FAILURE;
1585 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); 1690 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1691 SSL_R_MISSING_TMP_ECDH_KEY);
1586 goto f_err; 1692 goto f_err;
1587 } 1693 }
1588 1694
1589 if (s->s3->tmp.ecdh != NULL) { 1695 if (s->s3->tmp.ecdh != NULL) {
1590 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1696 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1697 ERR_R_INTERNAL_ERROR);
1591 goto err; 1698 goto err;
1592 } 1699 }
1593 1700
1594 /* Duplicate the ECDH structure. */ 1701 /* Duplicate the ECDH structure. */
1595 if (ecdhp == NULL) { 1702 if (ecdhp == NULL) {
1596 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1703 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1704 ERR_R_ECDH_LIB);
1597 goto err; 1705 goto err;
1598 } 1706 }
1599 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { 1707 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1600 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1708 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1709 ERR_R_ECDH_LIB);
1601 goto err; 1710 goto err;
1602 } 1711 }
1603 1712
@@ -1606,7 +1715,9 @@ ssl3_send_server_key_exchange(SSL *s)
1606 (EC_KEY_get0_private_key(ecdh) == NULL) || 1715 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1607 (s->options & SSL_OP_SINGLE_ECDH_USE)) { 1716 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1608 if (!EC_KEY_generate_key(ecdh)) { 1717 if (!EC_KEY_generate_key(ecdh)) {
1609 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1718 SSLerr(
1719 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1720 ERR_R_ECDH_LIB);
1610 goto err; 1721 goto err;
1611 } 1722 }
1612 } 1723 }
@@ -1614,59 +1725,66 @@ ssl3_send_server_key_exchange(SSL *s)
1614 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1725 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1615 (EC_KEY_get0_public_key(ecdh) == NULL) || 1726 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1616 (EC_KEY_get0_private_key(ecdh) == NULL)) { 1727 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1617 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1728 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1618 goto err; 1729 goto err;
1619 } 1730 }
1620 1731
1621 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1732 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1622 (EC_GROUP_get_degree(group) > 163)) { 1733 (EC_GROUP_get_degree(group) > 163)) {
1623 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1734 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1735 SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1624 goto err; 1736 goto err;
1625 } 1737 }
1626 1738
1627 /* XXX: For now, we only support ephemeral ECDH 1739 /*
1740 * XXX: For now, we only support ephemeral ECDH
1628 * keys over named (not generic) curves. For 1741 * keys over named (not generic) curves. For
1629 * supported named curves, curve_id is non-zero. 1742 * supported named curves, curve_id is non-zero.
1630 */ 1743 */
1631 if ((curve_id = tls1_ec_nid2curve_id( 1744 if ((curve_id = tls1_ec_nid2curve_id(
1632 EC_GROUP_get_curve_name(group))) == 0) { 1745 EC_GROUP_get_curve_name(group))) == 0) {
1633 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1746 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1747 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1634 goto err; 1748 goto err;
1635 } 1749 }
1636 1750
1637 /* Encode the public key. 1751 /*
1752 * Encode the public key.
1638 * First check the size of encoding and 1753 * First check the size of encoding and
1639 * allocate memory accordingly. 1754 * allocate memory accordingly.
1640 */ 1755 */
1641 encodedlen = EC_POINT_point2oct(group, 1756 encodedlen = EC_POINT_point2oct(group,
1642 EC_KEY_get0_public_key(ecdh), 1757 EC_KEY_get0_public_key(ecdh),
1643 POINT_CONVERSION_UNCOMPRESSED, 1758 POINT_CONVERSION_UNCOMPRESSED,
1644 NULL, 0, NULL); 1759 NULL, 0, NULL);
1645 1760
1646 encodedPoint = (unsigned char *) 1761 encodedPoint = (unsigned char *)
1647 OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1762 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1648 1763
1649 bn_ctx = BN_CTX_new(); 1764 bn_ctx = BN_CTX_new();
1650 if ((encodedPoint == NULL) || (bn_ctx == NULL)) { 1765 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1651 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1766 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1767 ERR_R_MALLOC_FAILURE);
1652 goto err; 1768 goto err;
1653 } 1769 }
1654 1770
1655 1771
1656 encodedlen = EC_POINT_point2oct(group, 1772 encodedlen = EC_POINT_point2oct(group,
1657 EC_KEY_get0_public_key(ecdh), 1773 EC_KEY_get0_public_key(ecdh),
1658 POINT_CONVERSION_UNCOMPRESSED, 1774 POINT_CONVERSION_UNCOMPRESSED,
1659 encodedPoint, encodedlen, bn_ctx); 1775 encodedPoint, encodedlen, bn_ctx);
1660 1776
1661 if (encodedlen == 0) { 1777 if (encodedlen == 0) {
1662 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1778 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1779 ERR_R_ECDH_LIB);
1663 goto err; 1780 goto err;
1664 } 1781 }
1665 1782
1666 BN_CTX_free(bn_ctx); 1783 BN_CTX_free(bn_ctx);
1667 bn_ctx = NULL; 1784 bn_ctx = NULL;
1668 1785
1669 /* XXX: For now, we only support named (not 1786 /*
1787 * XXX: For now, we only support named (not
1670 * generic) curves in ECDH ephemeral key exchanges. 1788 * generic) curves in ECDH ephemeral key exchanges.
1671 * In this situation, we need four additional bytes 1789 * In this situation, we need four additional bytes
1672 * to encode the entire ServerECDHParams 1790 * to encode the entire ServerECDHParams
@@ -1674,7 +1792,8 @@ ssl3_send_server_key_exchange(SSL *s)
1674 */ 1792 */
1675 n = 4 + encodedlen; 1793 n = 4 + encodedlen;
1676 1794
1677 /* We'll generate the serverKeyExchange message 1795 /*
1796 * We'll generate the serverKeyExchange message
1678 * explicitly so we can set these to NULLs 1797 * explicitly so we can set these to NULLs
1679 */ 1798 */
1680 r[0] = NULL; 1799 r[0] = NULL;
@@ -1685,7 +1804,9 @@ ssl3_send_server_key_exchange(SSL *s)
1685#endif /* !OPENSSL_NO_ECDH */ 1804#endif /* !OPENSSL_NO_ECDH */
1686#ifndef OPENSSL_NO_PSK 1805#ifndef OPENSSL_NO_PSK
1687 if (type & SSL_kPSK) { 1806 if (type & SSL_kPSK) {
1688 /* reserve size for record length and PSK identity hint*/ 1807 /*
1808 * Reserve size for record length and PSK identity hint.
1809 */
1689 n += 2 + strlen(s->ctx->psk_identity_hint); 1810 n += 2 + strlen(s->ctx->psk_identity_hint);
1690 } else 1811 } else
1691#endif /* !OPENSSL_NO_PSK */ 1812#endif /* !OPENSSL_NO_PSK */
@@ -1731,7 +1852,8 @@ ssl3_send_server_key_exchange(SSL *s)
1731 } 1852 }
1732 1853
1733 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) { 1854 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) {
1734 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF); 1855 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1856 ERR_LIB_BUF);
1735 goto err; 1857 goto err;
1736 } 1858 }
1737 d = (unsigned char *)s->init_buf->data; 1859 d = (unsigned char *)s->init_buf->data;
@@ -1751,7 +1873,9 @@ ssl3_send_server_key_exchange(SSL *s)
1751 1873
1752#ifndef OPENSSL_NO_ECDH 1874#ifndef OPENSSL_NO_ECDH
1753 if (type & SSL_kEECDH) { 1875 if (type & SSL_kEECDH) {
1754 /* XXX: For now, we only support named (not generic) curves. 1876 /*
1877 * XXX: For now, we only support named (not generic)
1878 * curves.
1755 * In this situation, the serverKeyExchange message has: 1879 * In this situation, the serverKeyExchange message has:
1756 * [1 byte CurveType], [2 byte CurveName] 1880 * [1 byte CurveType], [2 byte CurveName]
1757 * [1 byte length of encoded point], followed by 1881 * [1 byte length of encoded point], followed by
@@ -1778,15 +1902,18 @@ ssl3_send_server_key_exchange(SSL *s)
1778 /* copy PSK identity hint */ 1902 /* copy PSK identity hint */
1779 s2n(strlen(s->ctx->psk_identity_hint), p); 1903 s2n(strlen(s->ctx->psk_identity_hint), p);
1780 1904
1781 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 1905 strncpy((char *)p, s->ctx->psk_identity_hint,
1906 strlen(s->ctx->psk_identity_hint));
1782 p += strlen(s->ctx->psk_identity_hint); 1907 p += strlen(s->ctx->psk_identity_hint);
1783 } 1908 }
1784#endif 1909#endif
1785 1910
1786 /* not anonymous */ 1911 /* not anonymous */
1787 if (pkey != NULL) { 1912 if (pkey != NULL) {
1788 /* n is the length of the params, they start at &(d[4]) 1913 /*
1789 * and p points to the space at the end. */ 1914 * n is the length of the params, they start at &(d[4])
1915 * and p points to the space at the end.
1916 */
1790#ifndef OPENSSL_NO_RSA 1917#ifndef OPENSSL_NO_RSA
1791 if (pkey->type == EVP_PKEY_RSA 1918 if (pkey->type == EVP_PKEY_RSA
1792 && TLS1_get_version(s) < TLS1_2_VERSION) { 1919 && TLS1_get_version(s) < TLS1_2_VERSION) {
@@ -1794,19 +1921,27 @@ ssl3_send_server_key_exchange(SSL *s)
1794 j = 0; 1921 j = 0;
1795 for (num = 2; num > 0; num--) { 1922 for (num = 2; num > 0; num--) {
1796 EVP_MD_CTX_set_flags(&md_ctx, 1923 EVP_MD_CTX_set_flags(&md_ctx,
1797 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1924 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1798 EVP_DigestInit_ex(&md_ctx, 1925 EVP_DigestInit_ex(&md_ctx,
1799 (num == 2) ? s->ctx->md5 : s->ctx->sha1, NULL); 1926 (num == 2) ? s->ctx->md5 :
1800 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1927 s->ctx->sha1, NULL);
1801 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 1928 EVP_DigestUpdate(&md_ctx,
1929 &(s->s3->client_random[0]),
1930 SSL3_RANDOM_SIZE);
1931 EVP_DigestUpdate(&md_ctx,
1932 &(s->s3->server_random[0]),
1933 SSL3_RANDOM_SIZE);
1802 EVP_DigestUpdate(&md_ctx, &(d[4]), n); 1934 EVP_DigestUpdate(&md_ctx, &(d[4]), n);
1803 EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i); 1935 EVP_DigestFinal_ex(&md_ctx, q,
1936 (unsigned int *)&i);
1804 q += i; 1937 q += i;
1805 j += i; 1938 j += i;
1806 } 1939 }
1807 if (RSA_sign(NID_md5_sha1, md_buf, j, 1940 if (RSA_sign(NID_md5_sha1, md_buf, j,
1808 &(p[2]), &u, pkey->pkey.rsa) <= 0) { 1941 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1809 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA); 1942 SSLerr(
1943 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1944 ERR_LIB_RSA);
1810 goto err; 1945 goto err;
1811 } 1946 }
1812 s2n(u, p); 1947 s2n(u, p);
@@ -1814,28 +1949,38 @@ ssl3_send_server_key_exchange(SSL *s)
1814 } else 1949 } else
1815#endif 1950#endif
1816 if (md) { 1951 if (md) {
1817 /* For TLS1.2 and later send signature 1952 /*
1818 * algorithm */ 1953 * For TLS1.2 and later send signature
1954 * algorithm
1955 */
1819 if (TLS1_get_version(s) >= TLS1_2_VERSION) { 1956 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1820 if (!tls12_get_sigandhash(p, pkey, md)) { 1957 if (!tls12_get_sigandhash(p, pkey, md)) {
1821 /* Should never happen */ 1958 /* Should never happen */
1822 al = SSL_AD_INTERNAL_ERROR; 1959 al = SSL_AD_INTERNAL_ERROR;
1823 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1960 SSLerr(
1961 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1962 ERR_R_INTERNAL_ERROR);
1824 goto f_err; 1963 goto f_err;
1825 } 1964 }
1826 p += 2; 1965 p += 2;
1827 } 1966 }
1828#ifdef SSL_DEBUG 1967#ifdef SSL_DEBUG
1829 fprintf(stderr, "Using hash %s\n", 1968 fprintf(stderr, "Using hash %s\n",
1830 EVP_MD_name(md)); 1969 EVP_MD_name(md));
1831#endif 1970#endif
1832 EVP_SignInit_ex(&md_ctx, md, NULL); 1971 EVP_SignInit_ex(&md_ctx, md, NULL);
1833 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1972 EVP_SignUpdate(&md_ctx,
1834 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 1973 &(s->s3->client_random[0]),
1974 SSL3_RANDOM_SIZE);
1975 EVP_SignUpdate(&md_ctx,
1976 &(s->s3->server_random[0]),
1977 SSL3_RANDOM_SIZE);
1835 EVP_SignUpdate(&md_ctx, &(d[4]), n); 1978 EVP_SignUpdate(&md_ctx, &(d[4]), n);
1836 if (!EVP_SignFinal(&md_ctx, &(p[2]), 1979 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1837 (unsigned int *)&i, pkey)) { 1980 (unsigned int *)&i, pkey)) {
1838 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP); 1981 SSLerr(
1982 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1983 ERR_LIB_EVP);
1839 goto err; 1984 goto err;
1840 } 1985 }
1841 s2n(i, p); 1986 s2n(i, p);
@@ -1845,7 +1990,8 @@ ssl3_send_server_key_exchange(SSL *s)
1845 } else { 1990 } else {
1846 /* Is this error check actually needed? */ 1991 /* Is this error check actually needed? */
1847 al = SSL_AD_HANDSHAKE_FAILURE; 1992 al = SSL_AD_HANDSHAKE_FAILURE;
1848 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_PKEY_TYPE); 1993 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1994 SSL_R_UNKNOWN_PKEY_TYPE);
1849 goto f_err; 1995 goto f_err;
1850 } 1996 }
1851 } 1997 }
@@ -1913,7 +2059,9 @@ ssl3_send_certificate_request(SSL *s)
1913 name = sk_X509_NAME_value(sk, i); 2059 name = sk_X509_NAME_value(sk, i);
1914 j = i2d_X509_NAME(name, NULL); 2060 j = i2d_X509_NAME(name, NULL);
1915 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) { 2061 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) {
1916 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); 2062 SSLerr(
2063 SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
2064 ERR_R_BUF_LIB);
1917 goto err; 2065 goto err;
1918 } 2066 }
1919 p = (unsigned char *)&(buf->data[4 + n]); 2067 p = (unsigned char *)&(buf->data[4 + n]);
@@ -2012,7 +2160,8 @@ ssl3_get_client_key_exchange(SSL *s)
2012 * be sent already */ 2160 * be sent already */
2013 if (rsa == NULL) { 2161 if (rsa == NULL) {
2014 al = SSL_AD_HANDSHAKE_FAILURE; 2162 al = SSL_AD_HANDSHAKE_FAILURE;
2015 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_PKEY); 2163 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2164 SSL_R_MISSING_TMP_RSA_PKEY);
2016 goto f_err; 2165 goto f_err;
2017 2166
2018 } 2167 }
@@ -2021,7 +2170,8 @@ ssl3_get_client_key_exchange(SSL *s)
2021 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || 2170 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
2022 (pkey->pkey.rsa == NULL)) { 2171 (pkey->pkey.rsa == NULL)) {
2023 al = SSL_AD_HANDSHAKE_FAILURE; 2172 al = SSL_AD_HANDSHAKE_FAILURE;
2024 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_RSA_CERTIFICATE); 2173 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2174 SSL_R_MISSING_RSA_CERTIFICATE);
2025 goto f_err; 2175 goto f_err;
2026 } 2176 }
2027 rsa = pkey->pkey.rsa; 2177 rsa = pkey->pkey.rsa;
@@ -2032,7 +2182,9 @@ ssl3_get_client_key_exchange(SSL *s)
2032 n2s(p, i); 2182 n2s(p, i);
2033 if (n != i + 2) { 2183 if (n != i + 2) {
2034 if (!(s->options & SSL_OP_TLS_D5_BUG)) { 2184 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
2035 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 2185 SSLerr(
2186 SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2187 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2036 goto err; 2188 goto err;
2037 } else 2189 } else
2038 p -= 2; 2190 p -= 2;
@@ -2049,45 +2201,63 @@ ssl3_get_client_key_exchange(SSL *s)
2049 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 2201 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
2050 } 2202 }
2051 2203
2052 if ((al == -1) && !((p[0] == (s->client_version >> 8)) && (p[1] == (s->client_version & 0xff)))) { 2204 if ((al == -1) && !((p[0] == (s->client_version >> 8)) &&
2053 /* The premaster secret must contain the same version number as the 2205 (p[1] == (s->client_version & 0xff)))) {
2054 * ClientHello to detect version rollback attacks (strangely, the 2206 /*
2055 * protocol does not offer such protection for DH ciphersuites). 2207 * The premaster secret must contain the same version
2056 * However, buggy clients exist that send the negotiated protocol 2208 * number as the ClientHello to detect version rollback
2057 * version instead if the server does not support the requested 2209 * attacks (strangely, the protocol does not offer such
2058 * protocol version. 2210 * protection for DH ciphersuites).
2059 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 2211 * However, buggy clients exist that send the negotiated
2212 * protocol version instead if the server does not
2213 * support the requested protocol version.
2214 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2215 * clients.
2216 */
2060 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 2217 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
2061 (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) { 2218 (p[0] == (s->version >> 8)) &&
2219 (p[1] == (s->version & 0xff)))) {
2062 al = SSL_AD_DECODE_ERROR; 2220 al = SSL_AD_DECODE_ERROR;
2063 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2221 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2064 2222
2065 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2223 /* The Klima-Pokorny-Rosa extension of
2066 * (http://eprint.iacr.org/2003/052/) exploits the version 2224 * Bleichenbacher's attack
2067 * number check as a "bad version oracle" -- an alert would 2225 * (http://eprint.iacr.org/2003/052/) exploits
2068 * reveal that the plaintext corresponding to some ciphertext 2226 * the version number check as a "bad version
2069 * made up by the adversary is properly formatted except 2227 * oracle" -- an alert would reveal that the
2070 * that the version number is wrong. To avoid such attacks, 2228 * plaintext corresponding to some ciphertext
2071 * we should treat this just like any other decryption error. */ 2229 * made up by the adversary is properly
2230 * formatted except that the version number is
2231 * wrong.
2232 * To avoid such attacks, we should treat this
2233 * just like any other decryption error.
2234 */
2072 } 2235 }
2073 } 2236 }
2074 2237
2075 if (al != -1) { 2238 if (al != -1) {
2076 /* Some decryption failure -- use random value instead as countermeasure 2239 /*
2077 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 2240 * Some decryption failure -- use random value instead
2078 * (see RFC 2246, section 7.4.7.1). */ 2241 * as countermeasure against Bleichenbacher's attack
2242 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
2243 * section 7.4.7.1).
2244 */
2079 ERR_clear_error(); 2245 ERR_clear_error();
2080 i = SSL_MAX_MASTER_KEY_LENGTH; 2246 i = SSL_MAX_MASTER_KEY_LENGTH;
2081 p[0] = s->client_version >> 8; 2247 p[0] = s->client_version >> 8;
2082 p[1] = s->client_version & 0xff; 2248 p[1] = s->client_version & 0xff;
2083 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 2249 /*
2250 * Should be RAND_bytes, but we cannot work around a
2251 * failure.
2252 */
2253 if (RAND_pseudo_bytes(p+2, i-2) <= 0)
2084 goto err; 2254 goto err;
2085 } 2255 }
2086 2256
2087 s->session->master_key_length = 2257 s->session->master_key_length =
2088 s->method->ssl3_enc->generate_master_secret(s, 2258 s->method->ssl3_enc->generate_master_secret(s,
2089 s->session->master_key, 2259 s->session->master_key,
2090 p, i); 2260 p, i);
2091 OPENSSL_cleanse(p, i); 2261 OPENSSL_cleanse(p, i);
2092 } else 2262 } else
2093#endif 2263#endif
@@ -2096,7 +2266,8 @@ ssl3_get_client_key_exchange(SSL *s)
2096 n2s(p, i); 2266 n2s(p, i);
2097 if (n != i + 2) { 2267 if (n != i + 2) {
2098 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { 2268 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
2099 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2270 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2100 goto err; 2271 goto err;
2101 } else { 2272 } else {
2102 p -= 2; 2273 p -= 2;
@@ -2104,15 +2275,17 @@ ssl3_get_client_key_exchange(SSL *s)
2104 } 2275 }
2105 } 2276 }
2106 2277
2107 if (n == 0L) /* the parameters are in the cert */ 2278 if (n == 0L) {
2108 { 2279 /* the parameters are in the cert */
2109 al = SSL_AD_HANDSHAKE_FAILURE; 2280 al = SSL_AD_HANDSHAKE_FAILURE;
2110 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2281 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2282 SSL_R_UNABLE_TO_DECODE_DH_CERTS);
2111 goto f_err; 2283 goto f_err;
2112 } else { 2284 } else {
2113 if (s->s3->tmp.dh == NULL) { 2285 if (s->s3->tmp.dh == NULL) {
2114 al = SSL_AD_HANDSHAKE_FAILURE; 2286 al = SSL_AD_HANDSHAKE_FAILURE;
2115 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY); 2287 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2288 SSL_R_MISSING_TMP_DH_KEY);
2116 goto f_err; 2289 goto f_err;
2117 } else 2290 } else
2118 dh_srvr = s->s3->tmp.dh; 2291 dh_srvr = s->s3->tmp.dh;
@@ -2120,14 +2293,16 @@ ssl3_get_client_key_exchange(SSL *s)
2120 2293
2121 pub = BN_bin2bn(p, i, NULL); 2294 pub = BN_bin2bn(p, i, NULL);
2122 if (pub == NULL) { 2295 if (pub == NULL) {
2123 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB); 2296 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2297 SSL_R_BN_LIB);
2124 goto err; 2298 goto err;
2125 } 2299 }
2126 2300
2127 i = DH_compute_key(p, pub, dh_srvr); 2301 i = DH_compute_key(p, pub, dh_srvr);
2128 2302
2129 if (i <= 0) { 2303 if (i <= 0) {
2130 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 2304 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2305 ERR_R_DH_LIB);
2131 BN_clear_free(pub); 2306 BN_clear_free(pub);
2132 goto err; 2307 goto err;
2133 } 2308 }
@@ -2169,7 +2344,7 @@ ssl3_get_client_key_exchange(SSL *s)
2169 2344
2170 if (n < (long)(enc_ticket.length + 6)) { 2345 if (n < (long)(enc_ticket.length + 6)) {
2171 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2346 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2172 SSL_R_DATA_LENGTH_TOO_LONG); 2347 SSL_R_DATA_LENGTH_TOO_LONG);
2173 goto err; 2348 goto err;
2174 } 2349 }
2175 2350
@@ -2181,7 +2356,7 @@ ssl3_get_client_key_exchange(SSL *s)
2181 2356
2182 if (n < (long)(enc_ticket.length + authenticator.length + 6)) { 2357 if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
2183 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2358 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2184 SSL_R_DATA_LENGTH_TOO_LONG); 2359 SSL_R_DATA_LENGTH_TOO_LONG);
2185 goto err; 2360 goto err;
2186 } 2361 }
2187 2362
@@ -2193,19 +2368,20 @@ ssl3_get_client_key_exchange(SSL *s)
2193 enc_pms.data = (char *)p; 2368 enc_pms.data = (char *)p;
2194 p += enc_pms.length; 2369 p += enc_pms.length;
2195 2370
2196 /* Note that the length is checked again below, 2371 /*
2197 ** after decryption 2372 * Note that the length is checked again below,
2198 */ 2373 * after decryption
2374 */
2199 if (enc_pms.length > sizeof pms) { 2375 if (enc_pms.length > sizeof pms) {
2200 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2376 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2201 SSL_R_DATA_LENGTH_TOO_LONG); 2377 SSL_R_DATA_LENGTH_TOO_LONG);
2202 goto err; 2378 goto err;
2203 } 2379 }
2204 2380
2205 if (n != (long)(enc_ticket.length + authenticator.length + 2381 if (n != (long)(enc_ticket.length + authenticator.length +
2206 enc_pms.length + 6)) { 2382 enc_pms.length + 6)) {
2207 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2383 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2208 SSL_R_DATA_LENGTH_TOO_LONG); 2384 SSL_R_DATA_LENGTH_TOO_LONG);
2209 goto err; 2385 goto err;
2210 } 2386 }
2211 2387
@@ -2234,7 +2410,7 @@ ssl3_get_client_key_exchange(SSL *s)
2234 printf("kssl_err text= %s\n", kssl_err.text); 2410 printf("kssl_err text= %s\n", kssl_err.text);
2235#endif /* KSSL_DEBUG */ 2411#endif /* KSSL_DEBUG */
2236 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2412 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2237 kssl_err.reason); 2413 kssl_err.reason);
2238 goto err; 2414 goto err;
2239 } 2415 }
2240 2416
@@ -2253,45 +2429,51 @@ ssl3_get_client_key_exchange(SSL *s)
2253 2429
2254 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2430 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2255 2431
2256 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) { 2432 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL,
2433 kssl_ctx->key, iv)) {
2257 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2434 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2258 SSL_R_DECRYPTION_FAILED); 2435 SSL_R_DECRYPTION_FAILED);
2259 goto err; 2436 goto err;
2260 } 2437 }
2261 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl, 2438 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
2262 (unsigned char *)enc_pms.data, enc_pms.length)) { 2439 (unsigned char *)enc_pms.data, enc_pms.length)) {
2263 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2440 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2264 SSL_R_DECRYPTION_FAILED); 2441 SSL_R_DECRYPTION_FAILED);
2265 goto err; 2442 goto err;
2266 } 2443 }
2267 if (outl > SSL_MAX_MASTER_KEY_LENGTH) { 2444 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2268 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2445 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2269 SSL_R_DATA_LENGTH_TOO_LONG); 2446 SSL_R_DATA_LENGTH_TOO_LONG);
2270 goto err; 2447 goto err;
2271 } 2448 }
2272 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) { 2449 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
2273 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2450 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2274 SSL_R_DECRYPTION_FAILED); 2451 SSL_R_DECRYPTION_FAILED);
2275 goto err; 2452 goto err;
2276 } 2453 }
2277 outl += padl; 2454 outl += padl;
2278 if (outl > SSL_MAX_MASTER_KEY_LENGTH) { 2455 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2279 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2456 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2280 SSL_R_DATA_LENGTH_TOO_LONG); 2457 SSL_R_DATA_LENGTH_TOO_LONG);
2281 goto err; 2458 goto err;
2282 } 2459 }
2283 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) { 2460 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
2284 /* The premaster secret must contain the same version number as the 2461 /*
2285 * ClientHello to detect version rollback attacks (strangely, the 2462 * The premaster secret must contain the same version
2286 * protocol does not offer such protection for DH ciphersuites). 2463 * number as the ClientHello to detect version rollback
2287 * However, buggy clients exist that send random bytes instead of 2464 * attacks (strangely, the protocol does not offer such
2288 * the protocol version. 2465 * protection for DH ciphersuites).
2289 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2466 * However, buggy clients exist that send random bytes
2290 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2467 * instead of the protocol version.
2291 */ 2468 *
2469 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2470 * clients.
2471 * (Perhaps we should have a separate BUG value for
2472 * the Kerberos cipher)
2473 */
2292 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) { 2474 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
2293 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2475 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2294 SSL_AD_DECODE_ERROR); 2476 SSL_AD_DECODE_ERROR);
2295 goto err; 2477 goto err;
2296 } 2478 }
2297 } 2479 }
@@ -2300,22 +2482,24 @@ ssl3_get_client_key_exchange(SSL *s)
2300 2482
2301 s->session->master_key_length = 2483 s->session->master_key_length =
2302 s->method->ssl3_enc->generate_master_secret(s, 2484 s->method->ssl3_enc->generate_master_secret(s,
2303 s->session->master_key, pms, outl); 2485 s->session->master_key, pms, outl);
2304 2486
2305 if (kssl_ctx->client_princ) { 2487 if (kssl_ctx->client_princ) {
2306 size_t len = strlen(kssl_ctx->client_princ); 2488 size_t len = strlen(kssl_ctx->client_princ);
2307 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) { 2489 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
2308 s->session->krb5_client_princ_len = len; 2490 s->session->krb5_client_princ_len = len;
2309 memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ, len); 2491 memcpy(s->session->krb5_client_princ,
2492 kssl_ctx->client_princ, len);
2310 } 2493 }
2311 } 2494 }
2312 2495
2313 2496
2314 /* Was doing kssl_ctx_free() here, 2497 /*
2315 ** but it caused problems for apache. 2498 * Was doing kssl_ctx_free() here, but it caused problems for
2316 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2499 * apache.
2317 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2500 * kssl_ctx = kssl_ctx_free(kssl_ctx);
2318 */ 2501 * if (s->kssl_ctx) s->kssl_ctx = NULL;
2502 */
2319 } else 2503 } else
2320#endif /* OPENSSL_NO_KRB5 */ 2504#endif /* OPENSSL_NO_KRB5 */
2321 2505
@@ -2327,19 +2511,20 @@ ssl3_get_client_key_exchange(SSL *s)
2327 const EC_GROUP *group; 2511 const EC_GROUP *group;
2328 const BIGNUM *priv_key; 2512 const BIGNUM *priv_key;
2329 2513
2330 /* initialize structures for server's ECDH key pair */ 2514 /* Initialize structures for server's ECDH key pair. */
2331 if ((srvr_ecdh = EC_KEY_new()) == NULL) { 2515 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
2332 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2516 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2333 ERR_R_MALLOC_FAILURE); 2517 ERR_R_MALLOC_FAILURE);
2334 goto err; 2518 goto err;
2335 } 2519 }
2336 2520
2337 /* Let's get server private key and group information */ 2521 /* Let's get server private key and group information. */
2338 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { 2522 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
2339 /* use the certificate */ 2523 /* Use the certificate */
2340 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2524 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2341 } else { 2525 } else {
2342 /* use the ephermeral values we saved when 2526 /*
2527 * Use the ephermeral values we saved when
2343 * generating the ServerKeyExchange msg. 2528 * generating the ServerKeyExchange msg.
2344 */ 2529 */
2345 tkey = s->s3->tmp.ecdh; 2530 tkey = s->s3->tmp.ecdh;
@@ -2349,16 +2534,16 @@ ssl3_get_client_key_exchange(SSL *s)
2349 priv_key = EC_KEY_get0_private_key(tkey); 2534 priv_key = EC_KEY_get0_private_key(tkey);
2350 2535
2351 if (!EC_KEY_set_group(srvr_ecdh, group) || 2536 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2352 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) { 2537 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
2353 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2538 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2354 ERR_R_EC_LIB); 2539 ERR_R_EC_LIB);
2355 goto err; 2540 goto err;
2356 } 2541 }
2357 2542
2358 /* Let's get client's public key */ 2543 /* Let's get client's public key */
2359 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) { 2544 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
2360 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2545 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2361 ERR_R_MALLOC_FAILURE); 2546 ERR_R_MALLOC_FAILURE);
2362 goto err; 2547 goto err;
2363 } 2548 }
2364 2549
@@ -2367,13 +2552,15 @@ ssl3_get_client_key_exchange(SSL *s)
2367 2552
2368 if (alg_k & SSL_kEECDH) { 2553 if (alg_k & SSL_kEECDH) {
2369 al = SSL_AD_HANDSHAKE_FAILURE; 2554 al = SSL_AD_HANDSHAKE_FAILURE;
2370 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); 2555 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2556 SSL_R_MISSING_TMP_ECDH_KEY);
2371 goto f_err; 2557 goto f_err;
2372 } 2558 }
2373 if (((clnt_pub_pkey = X509_get_pubkey( 2559 if (((clnt_pub_pkey = X509_get_pubkey(
2374 s->session->peer)) == NULL) || 2560 s->session->peer)) == NULL) ||
2375 (clnt_pub_pkey->type != EVP_PKEY_EC)) { 2561 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2376 /* XXX: For now, we do not support client 2562 /*
2563 * XXX: For now, we do not support client
2377 * authentication using ECDH certificates 2564 * authentication using ECDH certificates
2378 * so this branch (n == 0L) of the code is 2565 * so this branch (n == 0L) of the code is
2379 * never executed. When that support is 2566 * never executed. When that support is
@@ -2386,14 +2573,15 @@ ssl3_get_client_key_exchange(SSL *s)
2386 */ 2573 */
2387 al = SSL_AD_HANDSHAKE_FAILURE; 2574 al = SSL_AD_HANDSHAKE_FAILURE;
2388 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2575 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2389 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2576 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2390 goto f_err; 2577 goto f_err;
2391 } 2578 }
2392 2579
2393 if (EC_POINT_copy(clnt_ecpoint, 2580 if (EC_POINT_copy(clnt_ecpoint,
2394 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) { 2581 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec))
2582 == 0) {
2395 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2583 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2396 ERR_R_EC_LIB); 2584 ERR_R_EC_LIB);
2397 goto err; 2585 goto err;
2398 } 2586 }
2399 ret = 2; /* Skip certificate verify processing */ 2587 ret = 2; /* Skip certificate verify processing */
@@ -2403,7 +2591,7 @@ ssl3_get_client_key_exchange(SSL *s)
2403 */ 2591 */
2404 if ((bn_ctx = BN_CTX_new()) == NULL) { 2592 if ((bn_ctx = BN_CTX_new()) == NULL) {
2405 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2593 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2406 ERR_R_MALLOC_FAILURE); 2594 ERR_R_MALLOC_FAILURE);
2407 goto err; 2595 goto err;
2408 } 2596 }
2409 2597
@@ -2413,17 +2601,18 @@ ssl3_get_client_key_exchange(SSL *s)
2413 p += 1; 2601 p += 1;
2414 if (n != 1 + i) { 2602 if (n != 1 + i) {
2415 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2603 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2416 ERR_R_EC_LIB); 2604 ERR_R_EC_LIB);
2417 goto err; 2605 goto err;
2418 } 2606 }
2419 if (EC_POINT_oct2point(group, 2607 if (EC_POINT_oct2point(group,
2420 clnt_ecpoint, p, i, bn_ctx) == 0) { 2608 clnt_ecpoint, p, i, bn_ctx) == 0) {
2421 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2609 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2422 ERR_R_EC_LIB); 2610 ERR_R_EC_LIB);
2423 goto err; 2611 goto err;
2424 } 2612 }
2425 /* p is pointing to somewhere in the buffer 2613 /*
2426 * currently, so set it to the start 2614 * p is pointing to somewhere in the buffer
2615 * currently, so set it to the start.
2427 */ 2616 */
2428 p = (unsigned char *)s->init_buf->data; 2617 p = (unsigned char *)s->init_buf->data;
2429 } 2618 }
@@ -2432,13 +2621,14 @@ ssl3_get_client_key_exchange(SSL *s)
2432 field_size = EC_GROUP_get_degree(group); 2621 field_size = EC_GROUP_get_degree(group);
2433 if (field_size <= 0) { 2622 if (field_size <= 0) {
2434 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2623 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2435 ERR_R_ECDH_LIB); 2624 ERR_R_ECDH_LIB);
2436 goto err; 2625 goto err;
2437 } 2626 }
2438 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2627 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint,
2628 srvr_ecdh, NULL);
2439 if (i <= 0) { 2629 if (i <= 0) {
2440 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2630 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2441 ERR_R_ECDH_LIB); 2631 ERR_R_ECDH_LIB);
2442 goto err; 2632 goto err;
2443 } 2633 }
2444 2634
@@ -2471,36 +2661,38 @@ ssl3_get_client_key_exchange(SSL *s)
2471 n2s(p, i); 2661 n2s(p, i);
2472 if (n != i + 2) { 2662 if (n != i + 2) {
2473 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2663 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2474 SSL_R_LENGTH_MISMATCH); 2664 SSL_R_LENGTH_MISMATCH);
2475 goto psk_err; 2665 goto psk_err;
2476 } 2666 }
2477 if (i > PSK_MAX_IDENTITY_LEN) { 2667 if (i > PSK_MAX_IDENTITY_LEN) {
2478 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2668 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2479 SSL_R_DATA_LENGTH_TOO_LONG); 2669 SSL_R_DATA_LENGTH_TOO_LONG);
2480 goto psk_err; 2670 goto psk_err;
2481 } 2671 }
2482 if (s->psk_server_callback == NULL) { 2672 if (s->psk_server_callback == NULL) {
2483 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2673 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2484 SSL_R_PSK_NO_SERVER_CB); 2674 SSL_R_PSK_NO_SERVER_CB);
2485 goto psk_err; 2675 goto psk_err;
2486 } 2676 }
2487 2677
2488 /* Create guaranteed NULL-terminated identity 2678 /*
2489 * string for the callback */ 2679 * Create guaranteed NULL-terminated identity
2680 * string for the callback
2681 */
2490 memcpy(tmp_id, p, i); 2682 memcpy(tmp_id, p, i);
2491 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); 2683 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
2492 psk_len = s->psk_server_callback(s, tmp_id, 2684 psk_len = s->psk_server_callback(s, tmp_id,
2493 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2685 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2494 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1); 2686 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
2495 2687
2496 if (psk_len > PSK_MAX_PSK_LEN) { 2688 if (psk_len > PSK_MAX_PSK_LEN) {
2497 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2498 ERR_R_INTERNAL_ERROR); 2690 ERR_R_INTERNAL_ERROR);
2499 goto psk_err; 2691 goto psk_err;
2500 } else if (psk_len == 0) { 2692 } else if (psk_len == 0) {
2501 /* PSK related to the given identity not found */ 2693 /* PSK related to the given identity not found */
2502 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2694 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2503 SSL_R_PSK_IDENTITY_NOT_FOUND); 2695 SSL_R_PSK_IDENTITY_NOT_FOUND);
2504 al = SSL_AD_UNKNOWN_PSK_IDENTITY; 2696 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2505 goto psk_err; 2697 goto psk_err;
2506 } 2698 }
@@ -2519,7 +2711,7 @@ ssl3_get_client_key_exchange(SSL *s)
2519 s->session->psk_identity = BUF_strdup((char *)p); 2711 s->session->psk_identity = BUF_strdup((char *)p);
2520 if (s->session->psk_identity == NULL) { 2712 if (s->session->psk_identity == NULL) {
2521 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2713 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2522 ERR_R_MALLOC_FAILURE); 2714 ERR_R_MALLOC_FAILURE);
2523 goto psk_err; 2715 goto psk_err;
2524 } 2716 }
2525 2717
@@ -2529,7 +2721,7 @@ ssl3_get_client_key_exchange(SSL *s)
2529 if (s->ctx->psk_identity_hint != NULL && 2721 if (s->ctx->psk_identity_hint != NULL &&
2530 s->session->psk_identity_hint == NULL) { 2722 s->session->psk_identity_hint == NULL) {
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 ERR_R_MALLOC_FAILURE); 2724 ERR_R_MALLOC_FAILURE);
2533 goto psk_err; 2725 goto psk_err;
2534 } 2726 }
2535 2727
@@ -2551,11 +2743,13 @@ ssl3_get_client_key_exchange(SSL *s)
2551 param_len = i + 2; 2743 param_len = i + 2;
2552 if (param_len > n) { 2744 if (param_len > n) {
2553 al = SSL_AD_DECODE_ERROR; 2745 al = SSL_AD_DECODE_ERROR;
2554 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH); 2746 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2747 SSL_R_BAD_SRP_A_LENGTH);
2555 goto f_err; 2748 goto f_err;
2556 } 2749 }
2557 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) { 2750 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
2558 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB); 2751 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2752 ERR_R_BN_LIB);
2559 goto err; 2753 goto err;
2560 } 2754 }
2561 if (s->session->srp_username != NULL) 2755 if (s->session->srp_username != NULL)
@@ -2563,12 +2757,15 @@ ssl3_get_client_key_exchange(SSL *s)
2563 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2757 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2564 if (s->session->srp_username == NULL) { 2758 if (s->session->srp_username == NULL) {
2565 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2759 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2566 ERR_R_MALLOC_FAILURE); 2760 ERR_R_MALLOC_FAILURE);
2567 goto err; 2761 goto err;
2568 } 2762 }
2569 2763
2570 if ((s->session->master_key_length = SRP_generate_server_master_secret(s, s->session->master_key)) < 0) { 2764 if ((s->session->master_key_length =
2571 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2765 SRP_generate_server_master_secret(s,
2766 s->session->master_key)) < 0) {
2767 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2768 ERR_R_INTERNAL_ERROR);
2572 goto err; 2769 goto err;
2573 } 2770 }
2574 2771
@@ -2592,18 +2789,23 @@ ssl3_get_client_key_exchange(SSL *s)
2592 2789
2593 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); 2790 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2594 EVP_PKEY_decrypt_init(pkey_ctx); 2791 EVP_PKEY_decrypt_init(pkey_ctx);
2595 /* If client certificate is present and is of the same type, maybe 2792 /*
2596 * use it for key exchange. Don't mind errors from 2793 * If client certificate is present and is of the same type,
2597 * EVP_PKEY_derive_set_peer, because it is completely valid to use 2794 * maybe use it for key exchange.
2598 * a client certificate for authorization only. */ 2795 * Don't mind errors from EVP_PKEY_derive_set_peer, because
2796 * it is completely valid to use a client certificate for
2797 * authorization only.
2798 */
2599 client_pub_pkey = X509_get_pubkey(s->session->peer); 2799 client_pub_pkey = X509_get_pubkey(s->session->peer);
2600 if (client_pub_pkey) { 2800 if (client_pub_pkey) {
2601 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2801 if (EVP_PKEY_derive_set_peer(pkey_ctx,
2802 client_pub_pkey) <= 0)
2602 ERR_clear_error(); 2803 ERR_clear_error();
2603 } 2804 }
2604 /* Decrypt session key */ 2805 /* Decrypt session key */
2605 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) { 2806 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) {
2606 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); 2807 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2808 SSL_R_DECRYPTION_FAILED);
2607 goto gerr; 2809 goto gerr;
2608 } 2810 }
2609 if (p[1] == 0x81) { 2811 if (p[1] == 0x81) {
@@ -2613,21 +2815,23 @@ ssl3_get_client_key_exchange(SSL *s)
2613 start = p + 2; 2815 start = p + 2;
2614 inlen = p[1]; 2816 inlen = p[1];
2615 } else { 2817 } else {
2616 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); 2818 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2819 SSL_R_DECRYPTION_FAILED);
2617 goto gerr; 2820 goto gerr;
2618 } 2821 }
2619 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <=0) 2822 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
2620 2823 start, inlen) <=0) {
2621 { 2824 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2622 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); 2825 SSL_R_DECRYPTION_FAILED);
2623 goto gerr; 2826 goto gerr;
2624 } 2827 }
2625 /* Generate master secret */ 2828 /* Generate master secret */
2626 s->session->master_key_length = 2829 s->session->master_key_length =
2627 s->method->ssl3_enc->generate_master_secret( 2830 s->method->ssl3_enc->generate_master_secret(
2628 s, s->session->master_key, premaster_secret, 32); 2831 s, s->session->master_key, premaster_secret, 32);
2629 /* Check if pubkey from client certificate was used */ 2832 /* Check if pubkey from client certificate was used */
2630 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2833 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
2834 EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2631 ret = 2; 2835 ret = 2;
2632 else 2836 else
2633 ret = 1; 2837 ret = 1;
@@ -2693,7 +2897,8 @@ ssl3_get_cert_verify(SSL *s)
2693 s->s3->tmp.reuse_message = 1; 2897 s->s3->tmp.reuse_message = 1;
2694 if ((peer != NULL) && (type & EVP_PKT_SIGN)) { 2898 if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
2695 al = SSL_AD_UNEXPECTED_MESSAGE; 2899 al = SSL_AD_UNEXPECTED_MESSAGE;
2696 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE); 2900 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2901 SSL_R_MISSING_VERIFY_MESSAGE);
2697 goto f_err; 2902 goto f_err;
2698 } 2903 }
2699 ret = 1; 2904 ret = 1;
@@ -2701,28 +2906,34 @@ ssl3_get_cert_verify(SSL *s)
2701 } 2906 }
2702 2907
2703 if (peer == NULL) { 2908 if (peer == NULL) {
2704 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED); 2909 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2910 SSL_R_NO_CLIENT_CERT_RECEIVED);
2705 al = SSL_AD_UNEXPECTED_MESSAGE; 2911 al = SSL_AD_UNEXPECTED_MESSAGE;
2706 goto f_err; 2912 goto f_err;
2707 } 2913 }
2708 2914
2709 if (!(type & EVP_PKT_SIGN)) { 2915 if (!(type & EVP_PKT_SIGN)) {
2710 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2916 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2917 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2711 al = SSL_AD_ILLEGAL_PARAMETER; 2918 al = SSL_AD_ILLEGAL_PARAMETER;
2712 goto f_err; 2919 goto f_err;
2713 } 2920 }
2714 2921
2715 if (s->s3->change_cipher_spec) { 2922 if (s->s3->change_cipher_spec) {
2716 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY); 2923 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2924 SSL_R_CCS_RECEIVED_EARLY);
2717 al = SSL_AD_UNEXPECTED_MESSAGE; 2925 al = SSL_AD_UNEXPECTED_MESSAGE;
2718 goto f_err; 2926 goto f_err;
2719 } 2927 }
2720 2928
2721 /* we now have a signature that we need to verify */ 2929 /* we now have a signature that we need to verify */
2722 p = (unsigned char *)s->init_msg; 2930 p = (unsigned char *)s->init_msg;
2723 /* Check for broken implementations of GOST ciphersuites */ 2931 /*
2724 /* If key is GOST and n is exactly 64, it is bare 2932 * Check for broken implementations of GOST ciphersuites.
2725 * signature without length field */ 2933 *
2934 * If key is GOST and n is exactly 64, it is a bare
2935 * signature without length field.
2936 */
2726 if (n == 64 && (pkey->type == NID_id_GostR3410_94 || 2937 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2727 pkey->type == NID_id_GostR3410_2001) ) { 2938 pkey->type == NID_id_GostR3410_2001) ) {
2728 i = 64; 2939 i = 64;
@@ -2731,24 +2942,28 @@ ssl3_get_cert_verify(SSL *s)
2731 int sigalg = tls12_get_sigid(pkey); 2942 int sigalg = tls12_get_sigid(pkey);
2732 /* Should never happen */ 2943 /* Should never happen */
2733 if (sigalg == -1) { 2944 if (sigalg == -1) {
2734 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2945 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2946 ERR_R_INTERNAL_ERROR);
2735 al = SSL_AD_INTERNAL_ERROR; 2947 al = SSL_AD_INTERNAL_ERROR;
2736 goto f_err; 2948 goto f_err;
2737 } 2949 }
2738 /* Check key type is consistent with signature */ 2950 /* Check key type is consistent with signature */
2739 if (sigalg != (int)p[1]) { 2951 if (sigalg != (int)p[1]) {
2740 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_TYPE); 2952 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2953 SSL_R_WRONG_SIGNATURE_TYPE);
2741 al = SSL_AD_DECODE_ERROR; 2954 al = SSL_AD_DECODE_ERROR;
2742 goto f_err; 2955 goto f_err;
2743 } 2956 }
2744 md = tls12_get_hash(p[0]); 2957 md = tls12_get_hash(p[0]);
2745 if (md == NULL) { 2958 if (md == NULL) {
2746 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_UNKNOWN_DIGEST); 2959 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2960 SSL_R_UNKNOWN_DIGEST);
2747 al = SSL_AD_DECODE_ERROR; 2961 al = SSL_AD_DECODE_ERROR;
2748 goto f_err; 2962 goto f_err;
2749 } 2963 }
2750#ifdef SSL_DEBUG 2964#ifdef SSL_DEBUG
2751 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 2965 fprintf(stderr, "USING TLSv1.2 HASH %s\n",
2966 EVP_MD_name(md));
2752#endif 2967#endif
2753 p += 2; 2968 p += 2;
2754 n -= 2; 2969 n -= 2;
@@ -2756,7 +2971,8 @@ ssl3_get_cert_verify(SSL *s)
2756 n2s(p, i); 2971 n2s(p, i);
2757 n -= 2; 2972 n -= 2;
2758 if (i > n) { 2973 if (i > n) {
2759 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); 2974 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2975 SSL_R_LENGTH_MISMATCH);
2760 al = SSL_AD_DECODE_ERROR; 2976 al = SSL_AD_DECODE_ERROR;
2761 goto f_err; 2977 goto f_err;
2762 } 2978 }
@@ -2773,13 +2989,14 @@ ssl3_get_cert_verify(SSL *s)
2773 void *hdata; 2989 void *hdata;
2774 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 2990 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2775 if (hdatalen <= 0) { 2991 if (hdatalen <= 0) {
2776 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2992 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2993 ERR_R_INTERNAL_ERROR);
2777 al = SSL_AD_INTERNAL_ERROR; 2994 al = SSL_AD_INTERNAL_ERROR;
2778 goto f_err; 2995 goto f_err;
2779 } 2996 }
2780#ifdef SSL_DEBUG 2997#ifdef SSL_DEBUG
2781 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 2998 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
2782 EVP_MD_name(md)); 2999 EVP_MD_name(md));
2783#endif 3000#endif
2784 if (!EVP_VerifyInit_ex(&mctx, md, NULL) || 3001 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
2785 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { 3002 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
@@ -2797,16 +3014,18 @@ ssl3_get_cert_verify(SSL *s)
2797#ifndef OPENSSL_NO_RSA 3014#ifndef OPENSSL_NO_RSA
2798 if (pkey->type == EVP_PKEY_RSA) { 3015 if (pkey->type == EVP_PKEY_RSA) {
2799 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 3016 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
2800 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i, 3017 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
2801 pkey->pkey.rsa); 3018 pkey->pkey.rsa);
2802 if (i < 0) { 3019 if (i < 0) {
2803 al = SSL_AD_DECRYPT_ERROR; 3020 al = SSL_AD_DECRYPT_ERROR;
2804 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT); 3021 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3022 SSL_R_BAD_RSA_DECRYPT);
2805 goto f_err; 3023 goto f_err;
2806 } 3024 }
2807 if (i == 0) { 3025 if (i == 0) {
2808 al = SSL_AD_DECRYPT_ERROR; 3026 al = SSL_AD_DECRYPT_ERROR;
2809 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE); 3027 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3028 SSL_R_BAD_RSA_SIGNATURE);
2810 goto f_err; 3029 goto f_err;
2811 } 3030 }
2812 } else 3031 } else
@@ -2814,12 +3033,13 @@ ssl3_get_cert_verify(SSL *s)
2814#ifndef OPENSSL_NO_DSA 3033#ifndef OPENSSL_NO_DSA
2815 if (pkey->type == EVP_PKEY_DSA) { 3034 if (pkey->type == EVP_PKEY_DSA) {
2816 j = DSA_verify(pkey->save_type, 3035 j = DSA_verify(pkey->save_type,
2817 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3036 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2818 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa); 3037 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
2819 if (j <= 0) { 3038 if (j <= 0) {
2820 /* bad signature */ 3039 /* bad signature */
2821 al = SSL_AD_DECRYPT_ERROR; 3040 al = SSL_AD_DECRYPT_ERROR;
2822 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE); 3041 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3042 SSL_R_BAD_DSA_SIGNATURE);
2823 goto f_err; 3043 goto f_err;
2824 } 3044 }
2825 } else 3045 } else
@@ -2833,12 +3053,13 @@ ssl3_get_cert_verify(SSL *s)
2833 /* bad signature */ 3053 /* bad signature */
2834 al = SSL_AD_DECRYPT_ERROR; 3054 al = SSL_AD_DECRYPT_ERROR;
2835 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3055 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2836 SSL_R_BAD_ECDSA_SIGNATURE); 3056 SSL_R_BAD_ECDSA_SIGNATURE);
2837 goto f_err; 3057 goto f_err;
2838 } 3058 }
2839 } else 3059 } else
2840#endif 3060#endif
2841 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) { 3061 if (pkey->type == NID_id_GostR3410_94 ||
3062 pkey->type == NID_id_GostR3410_2001) {
2842 unsigned char signature[64]; 3063 unsigned char signature[64];
2843 int idx; 3064 int idx;
2844 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL); 3065 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
@@ -2849,12 +3070,13 @@ ssl3_get_cert_verify(SSL *s)
2849 for (idx = 0; idx < 64; idx++) { 3070 for (idx = 0; idx < 64; idx++) {
2850 signature[63 - idx] = p[idx]; 3071 signature[63 - idx] = p[idx];
2851 } 3072 }
2852 j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md, 32); 3073 j = EVP_PKEY_verify(pctx, signature, 64,
3074 s->s3->tmp.cert_verify_md, 32);
2853 EVP_PKEY_CTX_free(pctx); 3075 EVP_PKEY_CTX_free(pctx);
2854 if (j <= 0) { 3076 if (j <= 0) {
2855 al = SSL_AD_DECRYPT_ERROR; 3077 al = SSL_AD_DECRYPT_ERROR;
2856 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3078 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2857 SSL_R_BAD_ECDSA_SIGNATURE); 3079 SSL_R_BAD_ECDSA_SIGNATURE);
2858 goto f_err; 3080 goto f_err;
2859 } 3081 }
2860 } else { 3082 } else {
@@ -2890,26 +3112,28 @@ ssl3_get_client_certificate(SSL *s)
2890 unsigned char *d; 3112 unsigned char *d;
2891 STACK_OF(X509) *sk = NULL; 3113 STACK_OF(X509) *sk = NULL;
2892 3114
2893 n = s->method->ssl_get_message(s, 3115 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
2894 SSL3_ST_SR_CERT_A, 3116 -1, s->max_cert_list, &ok);
2895 SSL3_ST_SR_CERT_B,
2896 -1,
2897 s->max_cert_list,
2898 &ok);
2899 3117
2900 if (!ok) 3118 if (!ok)
2901 return ((int)n); 3119 return ((int)n);
2902 3120
2903 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { 3121 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2904 if ((s->verify_mode & SSL_VERIFY_PEER) && 3122 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2905 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 3123 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2906 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3124 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3125 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2907 al = SSL_AD_HANDSHAKE_FAILURE; 3126 al = SSL_AD_HANDSHAKE_FAILURE;
2908 goto f_err; 3127 goto f_err;
2909 } 3128 }
2910 /* If tls asked for a client cert, the client must return a 0 list */ 3129 /*
3130 * If tls asked for a client cert,
3131 * the client must return a 0 list.
3132 */
2911 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) { 3133 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
2912 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 3134 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3135 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
3136 );
2913 al = SSL_AD_UNEXPECTED_MESSAGE; 3137 al = SSL_AD_UNEXPECTED_MESSAGE;
2914 goto f_err; 3138 goto f_err;
2915 } 3139 }
@@ -2919,43 +3143,50 @@ ssl3_get_client_certificate(SSL *s)
2919 3143
2920 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { 3144 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
2921 al = SSL_AD_UNEXPECTED_MESSAGE; 3145 al = SSL_AD_UNEXPECTED_MESSAGE;
2922 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE); 3146 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3147 SSL_R_WRONG_MESSAGE_TYPE);
2923 goto f_err; 3148 goto f_err;
2924 } 3149 }
2925 p = d = (unsigned char *)s->init_msg; 3150 p = d = (unsigned char *)s->init_msg;
2926 3151
2927 if ((sk = sk_X509_new_null()) == NULL) { 3152 if ((sk = sk_X509_new_null()) == NULL) {
2928 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3153 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3154 ERR_R_MALLOC_FAILURE);
2929 goto err; 3155 goto err;
2930 } 3156 }
2931 3157
2932 n2l3(p, llen); 3158 n2l3(p, llen);
2933 if (llen + 3 != n) { 3159 if (llen + 3 != n) {
2934 al = SSL_AD_DECODE_ERROR; 3160 al = SSL_AD_DECODE_ERROR;
2935 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); 3161 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3162 SSL_R_LENGTH_MISMATCH);
2936 goto f_err; 3163 goto f_err;
2937 } 3164 }
2938 for (nc = 0; nc < llen;) { 3165 for (nc = 0; nc < llen;) {
2939 n2l3(p, l); 3166 n2l3(p, l);
2940 if ((l + nc + 3) > llen) { 3167 if ((l + nc + 3) > llen) {
2941 al = SSL_AD_DECODE_ERROR; 3168 al = SSL_AD_DECODE_ERROR;
2942 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH); 3169 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3170 SSL_R_CERT_LENGTH_MISMATCH);
2943 goto f_err; 3171 goto f_err;
2944 } 3172 }
2945 3173
2946 q = p; 3174 q = p;
2947 x = d2i_X509(NULL, &p, l); 3175 x = d2i_X509(NULL, &p, l);
2948 if (x == NULL) { 3176 if (x == NULL) {
2949 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); 3177 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3178 ERR_R_ASN1_LIB);
2950 goto err; 3179 goto err;
2951 } 3180 }
2952 if (p != (q + l)) { 3181 if (p != (q + l)) {
2953 al = SSL_AD_DECODE_ERROR; 3182 al = SSL_AD_DECODE_ERROR;
2954 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH); 3183 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3184 SSL_R_CERT_LENGTH_MISMATCH);
2955 goto f_err; 3185 goto f_err;
2956 } 3186 }
2957 if (!sk_X509_push(sk, x)) { 3187 if (!sk_X509_push(sk, x)) {
2958 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3188 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3189 ERR_R_MALLOC_FAILURE);
2959 goto err; 3190 goto err;
2960 } 3191 }
2961 x = NULL; 3192 x = NULL;
@@ -2966,13 +3197,15 @@ ssl3_get_client_certificate(SSL *s)
2966 /* TLS does not mind 0 certs returned */ 3197 /* TLS does not mind 0 certs returned */
2967 if (s->version == SSL3_VERSION) { 3198 if (s->version == SSL3_VERSION) {
2968 al = SSL_AD_HANDSHAKE_FAILURE; 3199 al = SSL_AD_HANDSHAKE_FAILURE;
2969 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATES_RETURNED); 3200 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3201 SSL_R_NO_CERTIFICATES_RETURNED);
2970 goto f_err; 3202 goto f_err;
2971 } 3203 }
2972 /* Fail for TLS only if we required a certificate */ 3204 /* Fail for TLS only if we required a certificate */
2973 else if ((s->verify_mode & SSL_VERIFY_PEER) && 3205 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
2974 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 3206 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2975 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3207 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3208 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2976 al = SSL_AD_HANDSHAKE_FAILURE; 3209 al = SSL_AD_HANDSHAKE_FAILURE;
2977 goto f_err; 3210 goto f_err;
2978 } 3211 }
@@ -2985,7 +3218,8 @@ ssl3_get_client_certificate(SSL *s)
2985 i = ssl_verify_cert_chain(s, sk); 3218 i = ssl_verify_cert_chain(s, sk);
2986 if (i <= 0) { 3219 if (i <= 0) {
2987 al = ssl_verify_alarm_type(s->verify_result); 3220 al = ssl_verify_alarm_type(s->verify_result);
2988 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATE_RETURNED); 3221 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3222 SSL_R_NO_CERTIFICATE_RETURNED);
2989 goto f_err; 3223 goto f_err;
2990 } 3224 }
2991 } 3225 }
@@ -3000,7 +3234,8 @@ ssl3_get_client_certificate(SSL *s)
3000 if (s->session->sess_cert == NULL) { 3234 if (s->session->sess_cert == NULL) {
3001 s->session->sess_cert = ssl_sess_cert_new(); 3235 s->session->sess_cert = ssl_sess_cert_new();
3002 if (s->session->sess_cert == NULL) { 3236 if (s->session->sess_cert == NULL) {
3003 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3237 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3238 ERR_R_MALLOC_FAILURE);
3004 goto err; 3239 goto err;
3005 } 3240 }
3006 } 3241 }
@@ -3035,9 +3270,12 @@ ssl3_send_server_certificate(SSL *s)
3035 x = ssl_get_server_send_cert(s); 3270 x = ssl_get_server_send_cert(s);
3036 if (x == NULL) { 3271 if (x == NULL) {
3037 /* VRS: allow null cert if auth == KRB5 */ 3272 /* VRS: allow null cert if auth == KRB5 */
3038 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3273 if ((s->s3->tmp.new_cipher->algorithm_auth !=
3039 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) { 3274 SSL_aKRB5) ||
3040 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3275 (s->s3->tmp.new_cipher->algorithm_mkey &
3276 SSL_kKRB5)) {
3277 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
3278 ERR_R_INTERNAL_ERROR);
3041 return (0); 3279 return (0);
3042 } 3280 }
3043 } 3281 }
@@ -3071,7 +3309,8 @@ ssl3_send_newsession_ticket(SSL *s)
3071 3309
3072 /* get session encoding length */ 3310 /* get session encoding length */
3073 slen_full = i2d_SSL_SESSION(s->session, NULL); 3311 slen_full = i2d_SSL_SESSION(s->session, NULL);
3074 /* Some length values are 16 bits, so forget it if session is 3312 /*
3313 * Some length values are 16 bits, so forget it if session is
3075 * too long 3314 * too long
3076 */ 3315 */
3077 if (slen_full > 0xFF00) 3316 if (slen_full > 0xFF00)
@@ -3082,18 +3321,23 @@ ssl3_send_newsession_ticket(SSL *s)
3082 p = senc; 3321 p = senc;
3083 i2d_SSL_SESSION(s->session, &p); 3322 i2d_SSL_SESSION(s->session, &p);
3084 3323
3085 /* create a fresh copy (not shared with other threads) to clean up */ 3324 /*
3325 * Create a fresh copy (not shared with other threads) to
3326 * clean up
3327 */
3086 const_p = senc; 3328 const_p = senc;
3087 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3329 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3088 if (sess == NULL) { 3330 if (sess == NULL) {
3089 OPENSSL_free(senc); 3331 OPENSSL_free(senc);
3090 return -1; 3332 return -1;
3091 } 3333 }
3092 sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3334
3335 /* ID is irrelevant for the ticket */
3336 sess->session_id_length = 0;
3093 3337
3094 slen = i2d_SSL_SESSION(sess, NULL); 3338 slen = i2d_SSL_SESSION(sess, NULL);
3095 if (slen > slen_full) /* shouldn't ever happen */ 3339 if (slen > slen_full) {
3096 { 3340 /* shouldn't ever happen */
3097 OPENSSL_free(senc); 3341 OPENSSL_free(senc);
3098 return -1; 3342 return -1;
3099 } 3343 }
@@ -3101,7 +3345,8 @@ ssl3_send_newsession_ticket(SSL *s)
3101 i2d_SSL_SESSION(sess, &p); 3345 i2d_SSL_SESSION(sess, &p);
3102 SSL_SESSION_free(sess); 3346 SSL_SESSION_free(sess);
3103 3347
3104 /* Grow buffer if need be: the length calculation is as 3348 /*
3349 * Grow buffer if need be: the length calculation is as
3105 * follows 1 (size of message name) + 3 (message length 3350 * follows 1 (size of message name) + 3 (message length
3106 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3351 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
3107 * 16 (key name) + max_iv_len (iv length) + 3352 * 16 (key name) + max_iv_len (iv length) +
@@ -3109,9 +3354,9 @@ ssl3_send_newsession_ticket(SSL *s)
3109 * length) + max_md_size (HMAC). 3354 * length) + max_md_size (HMAC).
3110 */ 3355 */
3111 if (!BUF_MEM_grow(s->init_buf, 3356 if (!BUF_MEM_grow(s->init_buf,
3112 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3357 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3113 EVP_MAX_MD_SIZE + slen)) 3358 EVP_MAX_MD_SIZE + slen))
3114 return -1; 3359 return -1;
3115 3360
3116 p = (unsigned char *)s->init_buf->data; 3361 p = (unsigned char *)s->init_buf->data;
3117 /* do the header */ 3362 /* do the header */
@@ -3120,7 +3365,8 @@ ssl3_send_newsession_ticket(SSL *s)
3120 p += 3; 3365 p += 3;
3121 EVP_CIPHER_CTX_init(&ctx); 3366 EVP_CIPHER_CTX_init(&ctx);
3122 HMAC_CTX_init(&hctx); 3367 HMAC_CTX_init(&hctx);
3123 /* Initialize HMAC and cipher contexts. If callback present 3368 /*
3369 * Initialize HMAC and cipher contexts. If callback present
3124 * it does all the work otherwise use generated values 3370 * it does all the work otherwise use generated values
3125 * from parent ctx. 3371 * from parent ctx.
3126 */ 3372 */
@@ -3139,10 +3385,12 @@ ssl3_send_newsession_ticket(SSL *s)
3139 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3385 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3140 } 3386 }
3141 3387
3142 /* Ticket lifetime hint (advisory only): 3388 /*
3143 * We leave this unspecified for resumed session (for simplicity), 3389 * Ticket lifetime hint (advisory only):
3144 * and guess that tickets for new sessions will live as long 3390 * We leave this unspecified for resumed session
3145 * as their sessions. */ 3391 * (for simplicity), and guess that tickets for new
3392 * sessions will live as long as their sessions.
3393 */
3146 l2n(s->hit ? 0 : s->session->timeout, p); 3394 l2n(s->hit ? 0 : s->session->timeout, p);
3147 3395
3148 /* Skip ticket length for now */ 3396 /* Skip ticket length for now */
@@ -3191,7 +3439,8 @@ ssl3_send_cert_status(SSL *s)
3191{ 3439{
3192 if (s->state == SSL3_ST_SW_CERT_STATUS_A) { 3440 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
3193 unsigned char *p; 3441 unsigned char *p;
3194 /* Grow buffer if need be: the length calculation is as 3442 /*
3443 * Grow buffer if need be: the length calculation is as
3195 * follows 1 (message type) + 3 (message length) + 3444 * follows 1 (message type) + 3 (message length) +
3196 * 1 (ocsp response type) + 3 (ocsp response length) 3445 * 1 (ocsp response type) + 3 (ocsp response length)
3197 * + (ocsp response) 3446 * + (ocsp response)
@@ -3222,8 +3471,10 @@ ssl3_send_cert_status(SSL *s)
3222} 3471}
3223 3472
3224# ifndef OPENSSL_NO_NEXTPROTONEG 3473# ifndef OPENSSL_NO_NEXTPROTONEG
3225/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 3474/*
3226 * sets the next_proto member in s if found */ 3475 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
3476 * It sets the next_proto member in s if found
3477 */
3227int 3478int
3228ssl3_get_next_proto(SSL *s) 3479ssl3_get_next_proto(SSL *s)
3229{ 3480{
@@ -3232,10 +3483,13 @@ ssl3_get_next_proto(SSL *s)
3232 long n; 3483 long n;
3233 const unsigned char *p; 3484 const unsigned char *p;
3234 3485
3235 /* Clients cannot send a NextProtocol message if we didn't see the 3486 /*
3236 * extension in their ClientHello */ 3487 * Clients cannot send a NextProtocol message if we didn't see the
3488 * extension in their ClientHello
3489 */
3237 if (!s->s3->next_proto_neg_seen) { 3490 if (!s->s3->next_proto_neg_seen) {
3238 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); 3491 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3492 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3239 return -1; 3493 return -1;
3240 } 3494 }
3241 3495
@@ -3245,11 +3499,14 @@ ssl3_get_next_proto(SSL *s)
3245 if (!ok) 3499 if (!ok)
3246 return ((int)n); 3500 return ((int)n);
3247 3501
3248 /* s->state doesn't reflect whether ChangeCipherSpec has been received 3502 /*
3503 * s->state doesn't reflect whether ChangeCipherSpec has been received
3249 * in this handshake, but s->s3->change_cipher_spec does (will be reset 3504 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3250 * by ssl3_get_finished). */ 3505 * by ssl3_get_finished).
3506 */
3251 if (!s->s3->change_cipher_spec) { 3507 if (!s->s3->change_cipher_spec) {
3252 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); 3508 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3509 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3253 return -1; 3510 return -1;
3254 } 3511 }
3255 3512
@@ -3259,7 +3516,8 @@ ssl3_get_next_proto(SSL *s)
3259 3516
3260 p = (unsigned char *)s->init_msg; 3517 p = (unsigned char *)s->init_msg;
3261 3518
3262 /* The payload looks like: 3519 /*
3520 * The payload looks like:
3263 * uint8 proto_len; 3521 * uint8 proto_len;
3264 * uint8 proto[proto_len]; 3522 * uint8 proto[proto_len];
3265 * uint8 padding_len; 3523 * uint8 padding_len;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 1f0afc2353..0794a298b1 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -261,7 +261,8 @@ ssl3_accept(SSL *s)
261 ret = -1; 261 ret = -1;
262 goto end; 262 goto end;
263 } 263 }
264 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 264 if (!BUF_MEM_grow(buf,
265 SSL3_RT_MAX_PLAIN_LENGTH)) {
265 ret = -1; 266 ret = -1;
266 goto end; 267 goto end;
267 } 268 }
@@ -277,8 +278,10 @@ ssl3_accept(SSL *s)
277 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE; 278 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
278 279
279 if (s->state != SSL_ST_RENEGOTIATE) { 280 if (s->state != SSL_ST_RENEGOTIATE) {
280 /* Ok, we now need to push on a buffering BIO so that 281 /*
281 * the output is sent in a way that TCP likes :-) 282 * Ok, we now need to push on a buffering BIO
283 * so that the output is sent in a way that
284 * TCP likes :-)
282 */ 285 */
283 if (!ssl_init_wbio_buffer(s, 1)) { 286 if (!ssl_init_wbio_buffer(s, 1)) {
284 ret = -1; 287 ret = -1;
@@ -289,13 +292,17 @@ ssl3_accept(SSL *s)
289 s->state = SSL3_ST_SR_CLNT_HELLO_A; 292 s->state = SSL3_ST_SR_CLNT_HELLO_A;
290 s->ctx->stats.sess_accept++; 293 s->ctx->stats.sess_accept++;
291 } else if (!s->s3->send_connection_binding && 294 } else if (!s->s3->send_connection_binding &&
292 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 295 !(s->options &
293 /* Server attempting to renegotiate with 296 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
297 /*
298 * Server attempting to renegotiate with
294 * client that doesn't support secure 299 * client that doesn't support secure
295 * renegotiation. 300 * renegotiation.
296 */ 301 */
297 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 302 SSLerr(SSL_F_SSL3_ACCEPT,
298 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 303 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
304 ssl3_send_alert(s, SSL3_AL_FATAL,
305 SSL_AD_HANDSHAKE_FAILURE);
299 ret = -1; 306 ret = -1;
300 goto end; 307 goto end;
301 } else { 308 } else {
@@ -337,18 +344,27 @@ ssl3_accept(SSL *s)
337#ifndef OPENSSL_NO_SRP 344#ifndef OPENSSL_NO_SRP
338 { 345 {
339 int al; 346 int al;
340 if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) { 347 if ((ret =
341 /* callback indicates firther work to be done */ 348 ssl_check_srp_ext_ClientHello(s, &al))
349 < 0) {
350 /*
351 * Callback indicates further work to
352 * be done.
353 */
342 s->rwstate = SSL_X509_LOOKUP; 354 s->rwstate = SSL_X509_LOOKUP;
343 goto end; 355 goto end;
344 } 356 }
345 if (ret != SSL_ERROR_NONE) { 357 if (ret != SSL_ERROR_NONE) {
346 ssl3_send_alert(s, SSL3_AL_FATAL, al); 358 ssl3_send_alert(s, SSL3_AL_FATAL, al);
347 359
348 /* This is not really an error but the only means to 360 /*
349 for a client to detect whether srp is supported. */ 361 * This is not really an error but the
362 * only means for a client to detect
363 * whether srp is supported.
364 */
350 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) 365 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
351 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT); 366 SSLerr(SSL_F_SSL3_ACCEPT,
367 SSL_R_CLIENTHELLO_TLSEXT);
352 368
353 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 369 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
354 370
@@ -390,8 +406,10 @@ ssl3_accept(SSL *s)
390 /* Check if it is anon DH or anon ECDH, */ 406 /* Check if it is anon DH or anon ECDH, */
391 /* normal PSK or KRB5 or SRP */ 407 /* normal PSK or KRB5 or SRP */
392 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 408 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
393 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 409 && !(s->s3->tmp.new_cipher->algorithm_mkey &
394 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) { 410 SSL_kPSK)
411 && !(s->s3->tmp.new_cipher->algorithm_auth &
412 SSL_aKRB5)) {
395 ret = ssl3_send_server_certificate(s); 413 ret = ssl3_send_server_certificate(s);
396 if (ret <= 0) 414 if (ret <= 0)
397 goto end; 415 goto end;
@@ -417,17 +435,21 @@ ssl3_accept(SSL *s)
417 case SSL3_ST_SW_KEY_EXCH_B: 435 case SSL3_ST_SW_KEY_EXCH_B:
418 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 436 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
419 437
420 /* clear this, it may get reset by 438 /*
421 * send_server_key_exchange */ 439 * Clear this, it may get reset by
440 * send_server_key_exchange.
441 */
422 if ((s->options & SSL_OP_EPHEMERAL_RSA) 442 if ((s->options & SSL_OP_EPHEMERAL_RSA)
423#ifndef OPENSSL_NO_KRB5 443#ifndef OPENSSL_NO_KRB5
424 && !(alg_k & SSL_kKRB5) 444 && !(alg_k & SSL_kKRB5)
425#endif /* OPENSSL_NO_KRB5 */ 445#endif /* OPENSSL_NO_KRB5 */
426 ) 446 )
427 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 447 /*
428 * even when forbidden by protocol specs 448 * option SSL_OP_EPHEMERAL_RSA sends temporary
429 * (handshake may fail as clients are not required to 449 * RSA key even when forbidden by protocol specs
430 * be able to handle this) */ 450 * (handshake may fail as clients are not
451 * required to be able to handle this)
452 */
431 s->s3->tmp.use_rsa_tmp = 1; 453 s->s3->tmp.use_rsa_tmp = 1;
432 else 454 else
433 s->s3->tmp.use_rsa_tmp = 0; 455 s->s3->tmp.use_rsa_tmp = 0;
@@ -457,13 +479,13 @@ ssl3_accept(SSL *s)
457 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 479 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
458 || (alg_k & SSL_kEECDH) 480 || (alg_k & SSL_kEECDH)
459 || ((alg_k & SSL_kRSA) 481 || ((alg_k & SSL_kRSA)
460 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 482 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
483 NULL
461 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 484 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
462 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 485 && EVP_PKEY_size(
463 ) 486 s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) * 8
464 ) 487 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher
465 ) 488 ))))) {
466 ) {
467 ret = ssl3_send_server_key_exchange(s); 489 ret = ssl3_send_server_key_exchange(s);
468 if (ret <= 0) 490 if (ret <= 0)
469 goto end; 491 goto end;
@@ -476,25 +498,37 @@ ssl3_accept(SSL *s)
476 498
477 case SSL3_ST_SW_CERT_REQ_A: 499 case SSL3_ST_SW_CERT_REQ_A:
478 case SSL3_ST_SW_CERT_REQ_B: 500 case SSL3_ST_SW_CERT_REQ_B:
479 if (/* don't request cert unless asked for it: */ 501 if (/* Don't request cert unless asked for it: */
480 !(s->verify_mode & SSL_VERIFY_PEER) || 502 !(s->verify_mode & SSL_VERIFY_PEER) ||
481 /* if SSL_VERIFY_CLIENT_ONCE is set, 503 /*
482 * don't request cert during re-negotiation: */ 504 * If SSL_VERIFY_CLIENT_ONCE is set,
505 * don't request cert during re-negotiation:
506 */
483 ((s->session->peer != NULL) && 507 ((s->session->peer != NULL) &&
484 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 508 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
485 /* never request cert in anonymous ciphersuites 509 /*
486 * (see section "Certificate request" in SSL 3 drafts 510 * Never request cert in anonymous ciphersuites
487 * and in RFC 2246): */ 511 * (see section "Certificate request" in SSL 3
488 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 512 * drafts and in RFC 2246):
489 /* ... except when the application insists on verification 513 */
490 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 514 ((s->s3->tmp.new_cipher->algorithm_auth &
491 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 515 SSL_aNULL) &&
516 /*
517 * ... except when the application insists on
518 * verification (against the specs, but
519 * s3_clnt.c accepts this for SSL 3)
520 */
521 !(s->verify_mode &
522 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
492 /* never request cert in Kerberos ciphersuites */ 523 /* never request cert in Kerberos ciphersuites */
493 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 524 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
494 /* With normal PSK Certificates and 525 /*
495 * Certificate Requests are omitted */ 526 * With normal PSK Certificates and
496 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 527 * Certificate Requests are omitted
497 /* no cert request */ 528 */
529 || (s->s3->tmp.new_cipher->algorithm_mkey &
530 SSL_kPSK)) {
531 /* No cert request */
498 skip = 1; 532 skip = 1;
499 s->s3->tmp.cert_request = 0; 533 s->s3->tmp.cert_request = 0;
500 s->state = SSL3_ST_SW_SRVR_DONE_A; 534 s->state = SSL3_ST_SW_SRVR_DONE_A;
@@ -528,7 +562,8 @@ ssl3_accept(SSL *s)
528 562
529 case SSL3_ST_SW_FLUSH: 563 case SSL3_ST_SW_FLUSH:
530 564
531 /* This code originally checked to see if 565 /*
566 * This code originally checked to see if
532 * any data was pending using BIO_CTRL_INFO 567 * any data was pending using BIO_CTRL_INFO
533 * and then flushed. This caused problems 568 * and then flushed. This caused problems
534 * as documented in PR#1939. The proposed 569 * as documented in PR#1939. The proposed
@@ -573,7 +608,8 @@ ssl3_accept(SSL *s)
573 if (ret <= 0) 608 if (ret <= 0)
574 goto end; 609 goto end;
575 if (ret == 2) { 610 if (ret == 2) {
576 /* For the ECDH ciphersuites when 611 /*
612 * For the ECDH ciphersuites when
577 * the client sends its ECDH pub key in 613 * the client sends its ECDH pub key in
578 * a certificate, the CertificateVerify 614 * a certificate, the CertificateVerify
579 * message is not sent. 615 * message is not sent.
@@ -595,11 +631,13 @@ ssl3_accept(SSL *s)
595 s->init_num = 0; 631 s->init_num = 0;
596 if (!s->session->peer) 632 if (!s->session->peer)
597 break; 633 break;
598 /* For TLS v1.2 freeze the handshake buffer 634 /*
635 * For TLS v1.2 freeze the handshake buffer
599 * at this point and digest cached records. 636 * at this point and digest cached records.
600 */ 637 */
601 if (!s->s3->handshake_buffer) { 638 if (!s->s3->handshake_buffer) {
602 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); 639 SSLerr(SSL_F_SSL3_ACCEPT,
640 ERR_R_INTERNAL_ERROR);
603 return -1; 641 return -1;
604 } 642 }
605 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; 643 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
@@ -612,20 +650,27 @@ ssl3_accept(SSL *s)
612 s->state = SSL3_ST_SR_CERT_VRFY_A; 650 s->state = SSL3_ST_SR_CERT_VRFY_A;
613 s->init_num = 0; 651 s->init_num = 0;
614 652
615 /* We need to get hashes here so if there is 653 /*
654 * We need to get hashes here so if there is
616 * a client cert, it can be verified 655 * a client cert, it can be verified
617 * FIXME - digest processing for CertificateVerify 656 * FIXME - digest processing for
618 * should be generalized. But it is next step 657 * CertificateVerify should be generalized.
658 * But it is next step
619 */ 659 */
620 if (s->s3->handshake_buffer) 660 if (s->s3->handshake_buffer)
621 if (!ssl3_digest_cached_records(s)) 661 if (!ssl3_digest_cached_records(s))
622 return -1; 662 return -1;
623 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++) 663 for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST;
664 dgst_num++)
624 if (s->s3->handshake_dgst[dgst_num]) { 665 if (s->s3->handshake_dgst[dgst_num]) {
625 int dgst_size; 666 int dgst_size;
626 667
627 s->method->ssl3_enc->cert_verify_mac(s, EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]), &(s->s3->tmp.cert_verify_md[offset])); 668 s->method->ssl3_enc->cert_verify_mac(s,
628 dgst_size = EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); 669 EVP_MD_CTX_type(
670 s->s3->handshake_dgst[dgst_num]),
671 &(s->s3->tmp.cert_verify_md[offset]));
672 dgst_size = EVP_MD_CTX_size(
673 s->s3->handshake_dgst[dgst_num]);
629 if (dgst_size < 0) { 674 if (dgst_size < 0) {
630 ret = -1; 675 ret = -1;
631 goto end; 676 goto end;
@@ -713,7 +758,7 @@ ssl3_accept(SSL *s)
713 } 758 }
714 759
715 ret = ssl3_send_change_cipher_spec(s, 760 ret = ssl3_send_change_cipher_spec(s,
716 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); 761 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
717 762
718 if (ret <= 0) 763 if (ret <= 0)
719 goto end; 764 goto end;
@@ -742,9 +787,11 @@ ssl3_accept(SSL *s)
742 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; 787 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
743#else 788#else
744 if (s->s3->next_proto_neg_seen) 789 if (s->s3->next_proto_neg_seen)
745 s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A; 790 s->s3->tmp.next_state =
791 SSL3_ST_SR_NEXT_PROTO_A;
746 else 792 else
747 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; 793 s->s3->tmp.next_state =
794 SSL3_ST_SR_FINISHED_A;
748#endif 795#endif
749 } else 796 } else
750 s->s3->tmp.next_state = SSL_ST_OK; 797 s->s3->tmp.next_state = SSL_ST_OK;
@@ -763,8 +810,8 @@ ssl3_accept(SSL *s)
763 810
764 s->init_num = 0; 811 s->init_num = 0;
765 812
766 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ 813 /* skipped if we just sent a HelloRequest */
767 { 814 if (s->renegotiate == 2) {
768 s->renegotiate = 0; 815 s->renegotiate = 0;
769 s->new_session = 0; 816 s->new_session = 0;
770 817
@@ -842,26 +889,30 @@ ssl3_check_client_hello(SSL *s)
842 int ok; 889 int ok;
843 long n; 890 long n;
844 891
845 /* this function is called when we really expect a Certificate message, 892 /*
846 * so permit appropriate message length */ 893 * This function is called when we really expect a Certificate message,
847 n = s->method->ssl_get_message(s, 894 * so permit appropriate message length
848 SSL3_ST_SR_CERT_A, 895 */
849 SSL3_ST_SR_CERT_B, 896 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A,
850 -1, 897 SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok);
851 s->max_cert_list,
852 &ok);
853 if (!ok) 898 if (!ok)
854 return ((int)n); 899 return ((int)n);
855 s->s3->tmp.reuse_message = 1; 900 s->s3->tmp.reuse_message = 1;
856 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { 901 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
857 /* We only allow the client to restart the handshake once per 902 /*
858 * negotiation. */ 903 * We only allow the client to restart the handshake once per
904 * negotiation.
905 */
859 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) { 906 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
860 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS); 907 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
908 SSL_R_MULTIPLE_SGC_RESTARTS);
861 return -1; 909 return -1;
862 } 910 }
863 /* Throw away what we have done so far in the current handshake, 911 /*
864 * which will now be aborted. (A full SSL_clear would be too much.) */ 912 * Throw away what we have done so far in the current handshake,
913 * which will now be aborted. (A full SSL_clear would be too
914 * much.)
915 */
865#ifndef OPENSSL_NO_DH 916#ifndef OPENSSL_NO_DH
866 if (s->s3->tmp.dh != NULL) { 917 if (s->s3->tmp.dh != NULL) {
867 DH_free(s->s3->tmp.dh); 918 DH_free(s->s3->tmp.dh);
@@ -894,7 +945,8 @@ ssl3_get_client_hello(SSL *s)
894#endif 945#endif
895 STACK_OF(SSL_CIPHER) *ciphers = NULL; 946 STACK_OF(SSL_CIPHER) *ciphers = NULL;
896 947
897 /* We do this so that we will respond with our native type. 948 /*
949 * We do this so that we will respond with our native type.
898 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, 950 * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
899 * This down switching should be handled by a different method. 951 * This down switching should be handled by a different method.
900 * If we are SSLv3, we will respond with SSLv3, even if prompted with 952 * If we are SSLv3, we will respond with SSLv3, even if prompted with
@@ -916,8 +968,10 @@ ssl3_get_client_hello(SSL *s)
916 s->first_packet = 0; 968 s->first_packet = 0;
917 d = p=(unsigned char *)s->init_msg; 969 d = p=(unsigned char *)s->init_msg;
918 970
919 /* use version from inside client hello, not from record header 971 /*
920 * (may differ: see RFC 2246, Appendix E, second paragraph) */ 972 * Use version from inside client hello, not from record header.
973 * (may differ: see RFC 2246, Appendix E, second paragraph)
974 */
921 s->client_version = (((int)p[0]) << 8)|(int)p[1]; 975 s->client_version = (((int)p[0]) << 8)|(int)p[1];
922 p += 2; 976 p += 2;
923 977
@@ -926,14 +980,18 @@ ssl3_get_client_hello(SSL *s)
926 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 980 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
927 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && 981 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
928 !s->enc_write_ctx && !s->write_hash) { 982 !s->enc_write_ctx && !s->write_hash) {
929 /* similar to ssl3_get_record, send alert using remote version number */ 983 /*
984 * Similar to ssl3_get_record, send alert using remote
985 * version number
986 */
930 s->version = s->client_version; 987 s->version = s->client_version;
931 } 988 }
932 al = SSL_AD_PROTOCOL_VERSION; 989 al = SSL_AD_PROTOCOL_VERSION;
933 goto f_err; 990 goto f_err;
934 } 991 }
935 992
936 /* If we require cookies and this ClientHello doesn't 993 /*
994 * If we require cookies and this ClientHello doesn't
937 * contain one, just return since we do not want to 995 * contain one, just return since we do not want to
938 * allocate any memory yet. So check cookie length... 996 * allocate any memory yet. So check cookie length...
939 */ 997 */
@@ -955,29 +1013,33 @@ ssl3_get_client_hello(SSL *s)
955 j= *(p++); 1013 j= *(p++);
956 1014
957 s->hit = 0; 1015 s->hit = 0;
958 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. 1016 /*
959 * 0.9.7 and later allow this by default, but optionally ignore resumption requests 1017 * Versions before 0.9.7 always allow clients to resume sessions in
960 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather 1018 * renegotiation. 0.9.7 and later allow this by default, but optionally
961 * than a change to default behavior so that applications relying on this for security 1019 * ignore resumption requests with flag
962 * won't even compile against older library versions). 1020 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag
1021 * rather than a change to default behavior so that applications
1022 * relying on this for security won't even compile against older
1023 * library versions).
963 * 1024 *
964 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to request 1025 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated()
965 * renegotiation but not a new session (s->new_session remains unset): for servers, 1026 * to request renegotiation but not a new session (s->new_session
966 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 1027 * remains unset): for servers, this essentially just means that the
967 * setting will be ignored. 1028 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
1029 * ignored.
968 */ 1030 */
969 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { 1031 if ((s->new_session && (s->options &
1032 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
970 if (!ssl_get_new_session(s, 1)) 1033 if (!ssl_get_new_session(s, 1))
971 goto err; 1034 goto err;
972 } else { 1035 } else {
973 i = ssl_get_prev_session(s, p, j, d + n); 1036 i = ssl_get_prev_session(s, p, j, d + n);
974 if (i == 1) 1037 if (i == 1) { /* previous session */
975 { /* previous session */
976 s->hit = 1; 1038 s->hit = 1;
977 } else if (i == -1) 1039 } else if (i == -1)
978 goto err; 1040 goto err;
979 else /* i == 0 */ 1041 else {
980 { 1042 /* i == 0 */
981 if (!ssl_get_new_session(s, 1)) 1043 if (!ssl_get_new_session(s, 1))
982 goto err; 1044 goto err;
983 } 1045 }
@@ -997,7 +1059,8 @@ ssl3_get_client_hello(SSL *s)
997 if (cookie_len > sizeof(s->d1->rcvd_cookie)) { 1059 if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
998 /* too much data */ 1060 /* too much data */
999 al = SSL_AD_DECODE_ERROR; 1061 al = SSL_AD_DECODE_ERROR;
1000 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); 1062 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1063 SSL_R_COOKIE_MISMATCH);
1001 goto f_err; 1064 goto f_err;
1002 } 1065 }
1003 1066
@@ -1007,20 +1070,20 @@ ssl3_get_client_hello(SSL *s)
1007 memcpy(s->d1->rcvd_cookie, p, cookie_len); 1070 memcpy(s->d1->rcvd_cookie, p, cookie_len);
1008 1071
1009 if (s->ctx->app_verify_cookie_cb != NULL) { 1072 if (s->ctx->app_verify_cookie_cb != NULL) {
1010 if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, 1073 if (s->ctx->app_verify_cookie_cb(s,
1011 cookie_len) == 0) { 1074 s->d1->rcvd_cookie, cookie_len) == 0) {
1012 al = SSL_AD_HANDSHAKE_FAILURE; 1075 al = SSL_AD_HANDSHAKE_FAILURE;
1013 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1076 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1014 SSL_R_COOKIE_MISMATCH); 1077 SSL_R_COOKIE_MISMATCH);
1015 goto f_err; 1078 goto f_err;
1016 } 1079 }
1017 /* else cookie verification succeeded */ 1080 /* else cookie verification succeeded */
1018 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie, 1081 } else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
1019 s->d1->cookie_len) != 0) /* default verification */ 1082 s->d1->cookie_len) != 0) {
1020 { 1083 /* default verification */
1021 al = SSL_AD_HANDSHAKE_FAILURE; 1084 al = SSL_AD_HANDSHAKE_FAILURE;
1022 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 1085 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1023 SSL_R_COOKIE_MISMATCH); 1086 SSL_R_COOKIE_MISMATCH);
1024 goto f_err; 1087 goto f_err;
1025 } 1088 }
1026 1089
@@ -1068,7 +1131,8 @@ ssl3_get_client_hello(SSL *s)
1068 break; 1131 break;
1069 } 1132 }
1070 } 1133 }
1071/* Disabled because it can be used in a ciphersuite downgrade 1134/*
1135 * Disabled because it can be used in a ciphersuite downgrade
1072 * attack: CVE-2010-4180. 1136 * attack: CVE-2010-4180.
1073 */ 1137 */
1074#if 0 1138#if 0
@@ -1089,7 +1153,8 @@ ssl3_get_client_hello(SSL *s)
1089 /* we need to have the cipher in the cipher 1153 /* we need to have the cipher in the cipher
1090 * list if we are asked to reuse it */ 1154 * list if we are asked to reuse it */
1091 al = SSL_AD_ILLEGAL_PARAMETER; 1155 al = SSL_AD_ILLEGAL_PARAMETER;
1092 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING); 1156 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1157 SSL_R_REQUIRED_CIPHER_MISSING);
1093 goto f_err; 1158 goto f_err;
1094 } 1159 }
1095 } 1160 }
@@ -1112,7 +1177,8 @@ ssl3_get_client_hello(SSL *s)
1112 if (j >= i) { 1177 if (j >= i) {
1113 /* no compress */ 1178 /* no compress */
1114 al = SSL_AD_DECODE_ERROR; 1179 al = SSL_AD_DECODE_ERROR;
1115 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); 1180 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1181 SSL_R_NO_COMPRESSION_SPECIFIED);
1116 goto f_err; 1182 goto f_err;
1117 } 1183 }
1118 1184
@@ -1121,7 +1187,8 @@ ssl3_get_client_hello(SSL *s)
1121 if (s->version >= SSL3_VERSION) { 1187 if (s->version >= SSL3_VERSION) {
1122 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) { 1188 if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
1123 /* 'al' set by ssl_parse_clienthello_tlsext */ 1189 /* 'al' set by ssl_parse_clienthello_tlsext */
1124 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); 1190 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1191 SSL_R_PARSE_TLSEXT);
1125 goto f_err; 1192 goto f_err;
1126 } 1193 }
1127 } 1194 }
@@ -1130,10 +1197,12 @@ ssl3_get_client_hello(SSL *s)
1130 goto err; 1197 goto err;
1131 } 1198 }
1132 1199
1133 /* Check if we want to use external pre-shared secret for this 1200 /*
1201 * Check if we want to use external pre-shared secret for this
1134 * handshake for not reused session only. We need to generate 1202 * handshake for not reused session only. We need to generate
1135 * server_random before calling tls_session_secret_cb in order to allow 1203 * server_random before calling tls_session_secret_cb in order to allow
1136 * SessionTicket processing to use it in key derivation. */ 1204 * SessionTicket processing to use it in key derivation.
1205 */
1137 { 1206 {
1138 unsigned char *pos; 1207 unsigned char *pos;
1139 pos = s->s3->server_random; 1208 pos = s->s3->server_random;
@@ -1147,8 +1216,9 @@ ssl3_get_client_hello(SSL *s)
1147 SSL_CIPHER *pref_cipher = NULL; 1216 SSL_CIPHER *pref_cipher = NULL;
1148 1217
1149 s->session->master_key_length = sizeof(s->session->master_key); 1218 s->session->master_key_length = sizeof(s->session->master_key);
1150 if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, 1219 if (s->tls_session_secret_cb(s, s->session->master_key,
1151 ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) { 1220 &s->session->master_key_length, ciphers, &pref_cipher,
1221 s->tls_session_secret_cb_arg)) {
1152 s->hit = 1; 1222 s->hit = 1;
1153 s->session->ciphers = ciphers; 1223 s->session->ciphers = ciphers;
1154 s->session->verify_result = X509_V_OK; 1224 s->session->verify_result = X509_V_OK;
@@ -1156,10 +1226,13 @@ ssl3_get_client_hello(SSL *s)
1156 ciphers = NULL; 1226 ciphers = NULL;
1157 1227
1158 /* check if some cipher was preferred by call back */ 1228 /* check if some cipher was preferred by call back */
1159 pref_cipher = pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); 1229 pref_cipher = pref_cipher ? pref_cipher :
1230 ssl3_choose_cipher(s, s->session->ciphers,
1231 SSL_get_ciphers(s));
1160 if (pref_cipher == NULL) { 1232 if (pref_cipher == NULL) {
1161 al = SSL_AD_HANDSHAKE_FAILURE; 1233 al = SSL_AD_HANDSHAKE_FAILURE;
1162 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); 1234 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1235 SSL_R_NO_SHARED_CIPHER);
1163 goto f_err; 1236 goto f_err;
1164 } 1237 }
1165 1238
@@ -1172,14 +1245,17 @@ ssl3_get_client_hello(SSL *s)
1172 sk_SSL_CIPHER_free(s->cipher_list_by_id); 1245 sk_SSL_CIPHER_free(s->cipher_list_by_id);
1173 1246
1174 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); 1247 s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1175 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); 1248 s->cipher_list_by_id =
1249 sk_SSL_CIPHER_dup(s->session->ciphers);
1176 } 1250 }
1177 } 1251 }
1178#endif 1252#endif
1179 1253
1180 /* Worst case, we will use the NULL compression, but if we have other 1254 /*
1255 * Worst case, we will use the NULL compression, but if we have other
1181 * options, we will now look for them. We have i-1 compression 1256 * options, we will now look for them. We have i-1 compression
1182 * algorithms from the client, starting at q. */ 1257 * algorithms from the client, starting at q.
1258 */
1183 s->s3->tmp.new_compression = NULL; 1259 s->s3->tmp.new_compression = NULL;
1184#ifndef OPENSSL_NO_COMP 1260#ifndef OPENSSL_NO_COMP
1185 /* This only happens if we have a cache hit */ 1261 /* This only happens if we have a cache hit */
@@ -1189,7 +1265,8 @@ ssl3_get_client_hello(SSL *s)
1189 /* Can't disable compression */ 1265 /* Can't disable compression */
1190 if (s->options & SSL_OP_NO_COMPRESSION) { 1266 if (s->options & SSL_OP_NO_COMPRESSION) {
1191 al = SSL_AD_INTERNAL_ERROR; 1267 al = SSL_AD_INTERNAL_ERROR;
1192 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); 1268 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1269 SSL_R_INCONSISTENT_COMPRESSION);
1193 goto f_err; 1270 goto f_err;
1194 } 1271 }
1195 /* Look for resumed compression method */ 1272 /* Look for resumed compression method */
@@ -1202,7 +1279,8 @@ ssl3_get_client_hello(SSL *s)
1202 } 1279 }
1203 if (s->s3->tmp.new_compression == NULL) { 1280 if (s->s3->tmp.new_compression == NULL) {
1204 al = SSL_AD_INTERNAL_ERROR; 1281 al = SSL_AD_INTERNAL_ERROR;
1205 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INVALID_COMPRESSION_ALGORITHM); 1282 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1283 SSL_R_INVALID_COMPRESSION_ALGORITHM);
1206 goto f_err; 1284 goto f_err;
1207 } 1285 }
1208 /* Look for resumed method in compression list */ 1286 /* Look for resumed method in compression list */
@@ -1212,7 +1290,8 @@ ssl3_get_client_hello(SSL *s)
1212 } 1290 }
1213 if (m >= i) { 1291 if (m >= i) {
1214 al = SSL_AD_ILLEGAL_PARAMETER; 1292 al = SSL_AD_ILLEGAL_PARAMETER;
1215 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); 1293 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1294 SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
1216 goto f_err; 1295 goto f_err;
1217 } 1296 }
1218 } else if (s->hit) 1297 } else if (s->hit)
@@ -1240,18 +1319,22 @@ ssl3_get_client_hello(SSL *s)
1240 comp = NULL; 1319 comp = NULL;
1241 } 1320 }
1242#else 1321#else
1243 /* If compression is disabled we'd better not try to resume a session 1322 /*
1323 * If compression is disabled we'd better not try to resume a session
1244 * using compression. 1324 * using compression.
1245 */ 1325 */
1246 if (s->session->compress_meth != 0) { 1326 if (s->session->compress_meth != 0) {
1247 al = SSL_AD_INTERNAL_ERROR; 1327 al = SSL_AD_INTERNAL_ERROR;
1248 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION); 1328 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1329 SSL_R_INCONSISTENT_COMPRESSION);
1249 goto f_err; 1330 goto f_err;
1250 } 1331 }
1251#endif 1332#endif
1252 1333
1253 /* Given s->session->ciphers and SSL_get_ciphers, we must 1334 /*
1254 * pick a cipher */ 1335 * Given s->session->ciphers and SSL_get_ciphers, we must
1336 * pick a cipher
1337 */
1255 1338
1256 if (!s->hit) { 1339 if (!s->hit) {
1257#ifdef OPENSSL_NO_COMP 1340#ifdef OPENSSL_NO_COMP
@@ -1264,7 +1347,8 @@ ssl3_get_client_hello(SSL *s)
1264 s->session->ciphers = ciphers; 1347 s->session->ciphers = ciphers;
1265 if (ciphers == NULL) { 1348 if (ciphers == NULL) {
1266 al = SSL_AD_ILLEGAL_PARAMETER; 1349 al = SSL_AD_ILLEGAL_PARAMETER;
1267 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED); 1350 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1351 SSL_R_NO_CIPHERS_PASSED);
1268 goto f_err; 1352 goto f_err;
1269 } 1353 }
1270 ciphers = NULL; 1354 ciphers = NULL;
@@ -1273,7 +1357,8 @@ ssl3_get_client_hello(SSL *s)
1273 1357
1274 if (c == NULL) { 1358 if (c == NULL) {
1275 al = SSL_AD_HANDSHAKE_FAILURE; 1359 al = SSL_AD_HANDSHAKE_FAILURE;
1276 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); 1360 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1361 SSL_R_NO_SHARED_CIPHER);
1277 goto f_err; 1362 goto f_err;
1278 } 1363 }
1279 s->s3->tmp.new_cipher = c; 1364 s->s3->tmp.new_cipher = c;
@@ -1304,14 +1389,16 @@ ssl3_get_client_hello(SSL *s)
1304 s->s3->tmp.new_cipher = s->session->cipher; 1389 s->s3->tmp.new_cipher = s->session->cipher;
1305 } 1390 }
1306 1391
1307 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) { 1392 if (TLS1_get_version(s) < TLS1_2_VERSION ||
1393 !(s->verify_mode & SSL_VERIFY_PEER)) {
1308 if (!ssl3_digest_cached_records(s)) { 1394 if (!ssl3_digest_cached_records(s)) {
1309 al = SSL_AD_INTERNAL_ERROR; 1395 al = SSL_AD_INTERNAL_ERROR;
1310 goto f_err; 1396 goto f_err;
1311 } 1397 }
1312 } 1398 }
1313 1399
1314 /* we now have the following setup. 1400 /*
1401 * We now have the following setup.
1315 * client_random 1402 * client_random
1316 * cipher_list - our prefered list of ciphers 1403 * cipher_list - our prefered list of ciphers
1317 * ciphers - the clients prefered list of ciphers 1404 * ciphers - the clients prefered list of ciphers
@@ -1325,7 +1412,8 @@ ssl3_get_client_hello(SSL *s)
1325 /* Handles TLS extensions that we couldn't check earlier */ 1412 /* Handles TLS extensions that we couldn't check earlier */
1326 if (s->version >= SSL3_VERSION) { 1413 if (s->version >= SSL3_VERSION) {
1327 if (ssl_check_clienthello_tlsext_late(s) <= 0) { 1414 if (ssl_check_clienthello_tlsext_late(s) <= 0) {
1328 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 1415 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
1416 SSL_R_CLIENTHELLO_TLSEXT);
1329 goto err; 1417 goto err;
1330 } 1418 }
1331 } 1419 }
@@ -1367,8 +1455,10 @@ ssl3_send_server_hello(SSL *s)
1367 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); 1455 memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
1368 p += SSL3_RANDOM_SIZE; 1456 p += SSL3_RANDOM_SIZE;
1369 1457
1370 /* There are several cases for the session ID to send 1458 /*
1459 * There are several cases for the session ID to send
1371 * back in the server hello: 1460 * back in the server hello:
1461 *
1372 * - For session reuse from the session cache, 1462 * - For session reuse from the session cache,
1373 * we send back the old session ID. 1463 * we send back the old session ID.
1374 * - If stateless session reuse (using a session ticket) 1464 * - If stateless session reuse (using a session ticket)
@@ -1378,17 +1468,19 @@ ssl3_send_server_hello(SSL *s)
1378 * session ID. 1468 * session ID.
1379 * - However, if we want the new session to be single-use, 1469 * - However, if we want the new session to be single-use,
1380 * we send back a 0-length session ID. 1470 * we send back a 0-length session ID.
1471 *
1381 * s->hit is non-zero in either case of session reuse, 1472 * s->hit is non-zero in either case of session reuse,
1382 * so the following won't overwrite an ID that we're supposed 1473 * so the following won't overwrite an ID that we're supposed
1383 * to send back. 1474 * to send back.
1384 */ 1475 */
1385 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1476 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1386 && !s->hit) 1477 && !s->hit)
1387 s->session->session_id_length = 0; 1478 s->session->session_id_length = 0;
1388 1479
1389 sl = s->session->session_id_length; 1480 sl = s->session->session_id_length;
1390 if (sl > (int)sizeof(s->session->session_id)) { 1481 if (sl > (int)sizeof(s->session->session_id)) {
1391 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1482 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1483 ERR_R_INTERNAL_ERROR);
1392 return -1; 1484 return -1;
1393 } 1485 }
1394 *(p++) = sl; 1486 *(p++) = sl;
@@ -1410,11 +1502,14 @@ ssl3_send_server_hello(SSL *s)
1410#endif 1502#endif
1411#ifndef OPENSSL_NO_TLSEXT 1503#ifndef OPENSSL_NO_TLSEXT
1412 if (ssl_prepare_serverhello_tlsext(s) <= 0) { 1504 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1413 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); 1505 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1506 SSL_R_SERVERHELLO_TLSEXT);
1414 return -1; 1507 return -1;
1415 } 1508 }
1416 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { 1509 if ((p = ssl_add_serverhello_tlsext(s, p,
1417 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1510 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
1511 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
1512 ERR_R_INTERNAL_ERROR);
1418 return -1; 1513 return -1;
1419 } 1514 }
1420#endif 1515#endif
@@ -1509,7 +1604,9 @@ ssl3_send_server_key_exchange(SSL *s)
1509 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1604 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1510 if (rsa == NULL) { 1605 if (rsa == NULL) {
1511 al = SSL_AD_HANDSHAKE_FAILURE; 1606 al = SSL_AD_HANDSHAKE_FAILURE;
1512 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1607 SSLerr(
1608 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1609 SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1513 goto f_err; 1610 goto f_err;
1514 } 1611 }
1515 RSA_up_ref(rsa); 1612 RSA_up_ref(rsa);
@@ -1517,7 +1614,8 @@ ssl3_send_server_key_exchange(SSL *s)
1517 } 1614 }
1518 if (rsa == NULL) { 1615 if (rsa == NULL) {
1519 al = SSL_AD_HANDSHAKE_FAILURE; 1616 al = SSL_AD_HANDSHAKE_FAILURE;
1520 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_KEY); 1617 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1618 SSL_R_MISSING_TMP_RSA_KEY);
1521 goto f_err; 1619 goto f_err;
1522 } 1620 }
1523 r[0] = rsa->n; 1621 r[0] = rsa->n;
@@ -1534,17 +1632,20 @@ ssl3_send_server_key_exchange(SSL *s)
1534 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1632 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1535 if (dhp == NULL) { 1633 if (dhp == NULL) {
1536 al = SSL_AD_HANDSHAKE_FAILURE; 1634 al = SSL_AD_HANDSHAKE_FAILURE;
1537 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY); 1635 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1636 SSL_R_MISSING_TMP_DH_KEY);
1538 goto f_err; 1637 goto f_err;
1539 } 1638 }
1540 1639
1541 if (s->s3->tmp.dh != NULL) { 1640 if (s->s3->tmp.dh != NULL) {
1542 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1641 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1642 ERR_R_INTERNAL_ERROR);
1543 goto err; 1643 goto err;
1544 } 1644 }
1545 1645
1546 if ((dh = DHparams_dup(dhp)) == NULL) { 1646 if ((dh = DHparams_dup(dhp)) == NULL) {
1547 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1647 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1648 ERR_R_DH_LIB);
1548 goto err; 1649 goto err;
1549 } 1650 }
1550 1651
@@ -1552,8 +1653,9 @@ ssl3_send_server_key_exchange(SSL *s)
1552 if ((dhp->pub_key == NULL || dhp->priv_key == NULL || 1653 if ((dhp->pub_key == NULL || dhp->priv_key == NULL ||
1553 (s->options & SSL_OP_SINGLE_DH_USE))) { 1654 (s->options & SSL_OP_SINGLE_DH_USE))) {
1554 if (!DH_generate_key(dh)) { 1655 if (!DH_generate_key(dh)) {
1555 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, 1656 SSLerr(
1556 ERR_R_DH_LIB); 1657 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1658 ERR_R_DH_LIB);
1557 goto err; 1659 goto err;
1558 } 1660 }
1559 } else { 1661 } else {
@@ -1561,7 +1663,9 @@ ssl3_send_server_key_exchange(SSL *s)
1561 dh->priv_key = BN_dup(dhp->priv_key); 1663 dh->priv_key = BN_dup(dhp->priv_key);
1562 if ((dh->pub_key == NULL) || 1664 if ((dh->pub_key == NULL) ||
1563 (dh->priv_key == NULL)) { 1665 (dh->priv_key == NULL)) {
1564 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1666 SSLerr(
1667 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1668 ERR_R_DH_LIB);
1565 goto err; 1669 goto err;
1566 } 1670 }
1567 } 1671 }
@@ -1578,26 +1682,31 @@ ssl3_send_server_key_exchange(SSL *s)
1578 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) { 1682 if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
1579 ecdhp = s->cert->ecdh_tmp_cb( 1683 ecdhp = s->cert->ecdh_tmp_cb(
1580 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 1684 s, SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1581 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 1685 SSL_C_EXPORT_PKEYLENGTH(
1686 s->s3->tmp.new_cipher));
1582 } 1687 }
1583 if (ecdhp == NULL) { 1688 if (ecdhp == NULL) {
1584 al = SSL_AD_HANDSHAKE_FAILURE; 1689 al = SSL_AD_HANDSHAKE_FAILURE;
1585 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); 1690 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1691 SSL_R_MISSING_TMP_ECDH_KEY);
1586 goto f_err; 1692 goto f_err;
1587 } 1693 }
1588 1694
1589 if (s->s3->tmp.ecdh != NULL) { 1695 if (s->s3->tmp.ecdh != NULL) {
1590 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1696 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1697 ERR_R_INTERNAL_ERROR);
1591 goto err; 1698 goto err;
1592 } 1699 }
1593 1700
1594 /* Duplicate the ECDH structure. */ 1701 /* Duplicate the ECDH structure. */
1595 if (ecdhp == NULL) { 1702 if (ecdhp == NULL) {
1596 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1703 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1704 ERR_R_ECDH_LIB);
1597 goto err; 1705 goto err;
1598 } 1706 }
1599 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { 1707 if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1600 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1708 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1709 ERR_R_ECDH_LIB);
1601 goto err; 1710 goto err;
1602 } 1711 }
1603 1712
@@ -1606,7 +1715,9 @@ ssl3_send_server_key_exchange(SSL *s)
1606 (EC_KEY_get0_private_key(ecdh) == NULL) || 1715 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1607 (s->options & SSL_OP_SINGLE_ECDH_USE)) { 1716 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1608 if (!EC_KEY_generate_key(ecdh)) { 1717 if (!EC_KEY_generate_key(ecdh)) {
1609 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1718 SSLerr(
1719 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1720 ERR_R_ECDH_LIB);
1610 goto err; 1721 goto err;
1611 } 1722 }
1612 } 1723 }
@@ -1614,59 +1725,66 @@ ssl3_send_server_key_exchange(SSL *s)
1614 if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1725 if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1615 (EC_KEY_get0_public_key(ecdh) == NULL) || 1726 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1616 (EC_KEY_get0_private_key(ecdh) == NULL)) { 1727 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1617 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1728 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1618 goto err; 1729 goto err;
1619 } 1730 }
1620 1731
1621 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1732 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1622 (EC_GROUP_get_degree(group) > 163)) { 1733 (EC_GROUP_get_degree(group) > 163)) {
1623 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1734 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1735 SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1624 goto err; 1736 goto err;
1625 } 1737 }
1626 1738
1627 /* XXX: For now, we only support ephemeral ECDH 1739 /*
1740 * XXX: For now, we only support ephemeral ECDH
1628 * keys over named (not generic) curves. For 1741 * keys over named (not generic) curves. For
1629 * supported named curves, curve_id is non-zero. 1742 * supported named curves, curve_id is non-zero.
1630 */ 1743 */
1631 if ((curve_id = tls1_ec_nid2curve_id( 1744 if ((curve_id = tls1_ec_nid2curve_id(
1632 EC_GROUP_get_curve_name(group))) == 0) { 1745 EC_GROUP_get_curve_name(group))) == 0) {
1633 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1746 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1747 SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1634 goto err; 1748 goto err;
1635 } 1749 }
1636 1750
1637 /* Encode the public key. 1751 /*
1752 * Encode the public key.
1638 * First check the size of encoding and 1753 * First check the size of encoding and
1639 * allocate memory accordingly. 1754 * allocate memory accordingly.
1640 */ 1755 */
1641 encodedlen = EC_POINT_point2oct(group, 1756 encodedlen = EC_POINT_point2oct(group,
1642 EC_KEY_get0_public_key(ecdh), 1757 EC_KEY_get0_public_key(ecdh),
1643 POINT_CONVERSION_UNCOMPRESSED, 1758 POINT_CONVERSION_UNCOMPRESSED,
1644 NULL, 0, NULL); 1759 NULL, 0, NULL);
1645 1760
1646 encodedPoint = (unsigned char *) 1761 encodedPoint = (unsigned char *)
1647 OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 1762 OPENSSL_malloc(encodedlen*sizeof(unsigned char));
1648 1763
1649 bn_ctx = BN_CTX_new(); 1764 bn_ctx = BN_CTX_new();
1650 if ((encodedPoint == NULL) || (bn_ctx == NULL)) { 1765 if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1651 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1766 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1767 ERR_R_MALLOC_FAILURE);
1652 goto err; 1768 goto err;
1653 } 1769 }
1654 1770
1655 1771
1656 encodedlen = EC_POINT_point2oct(group, 1772 encodedlen = EC_POINT_point2oct(group,
1657 EC_KEY_get0_public_key(ecdh), 1773 EC_KEY_get0_public_key(ecdh),
1658 POINT_CONVERSION_UNCOMPRESSED, 1774 POINT_CONVERSION_UNCOMPRESSED,
1659 encodedPoint, encodedlen, bn_ctx); 1775 encodedPoint, encodedlen, bn_ctx);
1660 1776
1661 if (encodedlen == 0) { 1777 if (encodedlen == 0) {
1662 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1778 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1779 ERR_R_ECDH_LIB);
1663 goto err; 1780 goto err;
1664 } 1781 }
1665 1782
1666 BN_CTX_free(bn_ctx); 1783 BN_CTX_free(bn_ctx);
1667 bn_ctx = NULL; 1784 bn_ctx = NULL;
1668 1785
1669 /* XXX: For now, we only support named (not 1786 /*
1787 * XXX: For now, we only support named (not
1670 * generic) curves in ECDH ephemeral key exchanges. 1788 * generic) curves in ECDH ephemeral key exchanges.
1671 * In this situation, we need four additional bytes 1789 * In this situation, we need four additional bytes
1672 * to encode the entire ServerECDHParams 1790 * to encode the entire ServerECDHParams
@@ -1674,7 +1792,8 @@ ssl3_send_server_key_exchange(SSL *s)
1674 */ 1792 */
1675 n = 4 + encodedlen; 1793 n = 4 + encodedlen;
1676 1794
1677 /* We'll generate the serverKeyExchange message 1795 /*
1796 * We'll generate the serverKeyExchange message
1678 * explicitly so we can set these to NULLs 1797 * explicitly so we can set these to NULLs
1679 */ 1798 */
1680 r[0] = NULL; 1799 r[0] = NULL;
@@ -1685,7 +1804,9 @@ ssl3_send_server_key_exchange(SSL *s)
1685#endif /* !OPENSSL_NO_ECDH */ 1804#endif /* !OPENSSL_NO_ECDH */
1686#ifndef OPENSSL_NO_PSK 1805#ifndef OPENSSL_NO_PSK
1687 if (type & SSL_kPSK) { 1806 if (type & SSL_kPSK) {
1688 /* reserve size for record length and PSK identity hint*/ 1807 /*
1808 * Reserve size for record length and PSK identity hint.
1809 */
1689 n += 2 + strlen(s->ctx->psk_identity_hint); 1810 n += 2 + strlen(s->ctx->psk_identity_hint);
1690 } else 1811 } else
1691#endif /* !OPENSSL_NO_PSK */ 1812#endif /* !OPENSSL_NO_PSK */
@@ -1731,7 +1852,8 @@ ssl3_send_server_key_exchange(SSL *s)
1731 } 1852 }
1732 1853
1733 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) { 1854 if (!BUF_MEM_grow_clean(buf, n + 4 + kn)) {
1734 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF); 1855 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1856 ERR_LIB_BUF);
1735 goto err; 1857 goto err;
1736 } 1858 }
1737 d = (unsigned char *)s->init_buf->data; 1859 d = (unsigned char *)s->init_buf->data;
@@ -1751,7 +1873,9 @@ ssl3_send_server_key_exchange(SSL *s)
1751 1873
1752#ifndef OPENSSL_NO_ECDH 1874#ifndef OPENSSL_NO_ECDH
1753 if (type & SSL_kEECDH) { 1875 if (type & SSL_kEECDH) {
1754 /* XXX: For now, we only support named (not generic) curves. 1876 /*
1877 * XXX: For now, we only support named (not generic)
1878 * curves.
1755 * In this situation, the serverKeyExchange message has: 1879 * In this situation, the serverKeyExchange message has:
1756 * [1 byte CurveType], [2 byte CurveName] 1880 * [1 byte CurveType], [2 byte CurveName]
1757 * [1 byte length of encoded point], followed by 1881 * [1 byte length of encoded point], followed by
@@ -1778,15 +1902,18 @@ ssl3_send_server_key_exchange(SSL *s)
1778 /* copy PSK identity hint */ 1902 /* copy PSK identity hint */
1779 s2n(strlen(s->ctx->psk_identity_hint), p); 1903 s2n(strlen(s->ctx->psk_identity_hint), p);
1780 1904
1781 strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint)); 1905 strncpy((char *)p, s->ctx->psk_identity_hint,
1906 strlen(s->ctx->psk_identity_hint));
1782 p += strlen(s->ctx->psk_identity_hint); 1907 p += strlen(s->ctx->psk_identity_hint);
1783 } 1908 }
1784#endif 1909#endif
1785 1910
1786 /* not anonymous */ 1911 /* not anonymous */
1787 if (pkey != NULL) { 1912 if (pkey != NULL) {
1788 /* n is the length of the params, they start at &(d[4]) 1913 /*
1789 * and p points to the space at the end. */ 1914 * n is the length of the params, they start at &(d[4])
1915 * and p points to the space at the end.
1916 */
1790#ifndef OPENSSL_NO_RSA 1917#ifndef OPENSSL_NO_RSA
1791 if (pkey->type == EVP_PKEY_RSA 1918 if (pkey->type == EVP_PKEY_RSA
1792 && TLS1_get_version(s) < TLS1_2_VERSION) { 1919 && TLS1_get_version(s) < TLS1_2_VERSION) {
@@ -1794,19 +1921,27 @@ ssl3_send_server_key_exchange(SSL *s)
1794 j = 0; 1921 j = 0;
1795 for (num = 2; num > 0; num--) { 1922 for (num = 2; num > 0; num--) {
1796 EVP_MD_CTX_set_flags(&md_ctx, 1923 EVP_MD_CTX_set_flags(&md_ctx,
1797 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 1924 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1798 EVP_DigestInit_ex(&md_ctx, 1925 EVP_DigestInit_ex(&md_ctx,
1799 (num == 2) ? s->ctx->md5 : s->ctx->sha1, NULL); 1926 (num == 2) ? s->ctx->md5 :
1800 EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1927 s->ctx->sha1, NULL);
1801 EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 1928 EVP_DigestUpdate(&md_ctx,
1929 &(s->s3->client_random[0]),
1930 SSL3_RANDOM_SIZE);
1931 EVP_DigestUpdate(&md_ctx,
1932 &(s->s3->server_random[0]),
1933 SSL3_RANDOM_SIZE);
1802 EVP_DigestUpdate(&md_ctx, &(d[4]), n); 1934 EVP_DigestUpdate(&md_ctx, &(d[4]), n);
1803 EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i); 1935 EVP_DigestFinal_ex(&md_ctx, q,
1936 (unsigned int *)&i);
1804 q += i; 1937 q += i;
1805 j += i; 1938 j += i;
1806 } 1939 }
1807 if (RSA_sign(NID_md5_sha1, md_buf, j, 1940 if (RSA_sign(NID_md5_sha1, md_buf, j,
1808 &(p[2]), &u, pkey->pkey.rsa) <= 0) { 1941 &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1809 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA); 1942 SSLerr(
1943 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1944 ERR_LIB_RSA);
1810 goto err; 1945 goto err;
1811 } 1946 }
1812 s2n(u, p); 1947 s2n(u, p);
@@ -1814,28 +1949,38 @@ ssl3_send_server_key_exchange(SSL *s)
1814 } else 1949 } else
1815#endif 1950#endif
1816 if (md) { 1951 if (md) {
1817 /* For TLS1.2 and later send signature 1952 /*
1818 * algorithm */ 1953 * For TLS1.2 and later send signature
1954 * algorithm
1955 */
1819 if (TLS1_get_version(s) >= TLS1_2_VERSION) { 1956 if (TLS1_get_version(s) >= TLS1_2_VERSION) {
1820 if (!tls12_get_sigandhash(p, pkey, md)) { 1957 if (!tls12_get_sigandhash(p, pkey, md)) {
1821 /* Should never happen */ 1958 /* Should never happen */
1822 al = SSL_AD_INTERNAL_ERROR; 1959 al = SSL_AD_INTERNAL_ERROR;
1823 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1960 SSLerr(
1961 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1962 ERR_R_INTERNAL_ERROR);
1824 goto f_err; 1963 goto f_err;
1825 } 1964 }
1826 p += 2; 1965 p += 2;
1827 } 1966 }
1828#ifdef SSL_DEBUG 1967#ifdef SSL_DEBUG
1829 fprintf(stderr, "Using hash %s\n", 1968 fprintf(stderr, "Using hash %s\n",
1830 EVP_MD_name(md)); 1969 EVP_MD_name(md));
1831#endif 1970#endif
1832 EVP_SignInit_ex(&md_ctx, md, NULL); 1971 EVP_SignInit_ex(&md_ctx, md, NULL);
1833 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 1972 EVP_SignUpdate(&md_ctx,
1834 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 1973 &(s->s3->client_random[0]),
1974 SSL3_RANDOM_SIZE);
1975 EVP_SignUpdate(&md_ctx,
1976 &(s->s3->server_random[0]),
1977 SSL3_RANDOM_SIZE);
1835 EVP_SignUpdate(&md_ctx, &(d[4]), n); 1978 EVP_SignUpdate(&md_ctx, &(d[4]), n);
1836 if (!EVP_SignFinal(&md_ctx, &(p[2]), 1979 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1837 (unsigned int *)&i, pkey)) { 1980 (unsigned int *)&i, pkey)) {
1838 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP); 1981 SSLerr(
1982 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1983 ERR_LIB_EVP);
1839 goto err; 1984 goto err;
1840 } 1985 }
1841 s2n(i, p); 1986 s2n(i, p);
@@ -1845,7 +1990,8 @@ ssl3_send_server_key_exchange(SSL *s)
1845 } else { 1990 } else {
1846 /* Is this error check actually needed? */ 1991 /* Is this error check actually needed? */
1847 al = SSL_AD_HANDSHAKE_FAILURE; 1992 al = SSL_AD_HANDSHAKE_FAILURE;
1848 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_PKEY_TYPE); 1993 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1994 SSL_R_UNKNOWN_PKEY_TYPE);
1849 goto f_err; 1995 goto f_err;
1850 } 1996 }
1851 } 1997 }
@@ -1913,7 +2059,9 @@ ssl3_send_certificate_request(SSL *s)
1913 name = sk_X509_NAME_value(sk, i); 2059 name = sk_X509_NAME_value(sk, i);
1914 j = i2d_X509_NAME(name, NULL); 2060 j = i2d_X509_NAME(name, NULL);
1915 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) { 2061 if (!BUF_MEM_grow_clean(buf, 4 + n + j + 2)) {
1916 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); 2062 SSLerr(
2063 SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
2064 ERR_R_BUF_LIB);
1917 goto err; 2065 goto err;
1918 } 2066 }
1919 p = (unsigned char *)&(buf->data[4 + n]); 2067 p = (unsigned char *)&(buf->data[4 + n]);
@@ -2012,7 +2160,8 @@ ssl3_get_client_key_exchange(SSL *s)
2012 * be sent already */ 2160 * be sent already */
2013 if (rsa == NULL) { 2161 if (rsa == NULL) {
2014 al = SSL_AD_HANDSHAKE_FAILURE; 2162 al = SSL_AD_HANDSHAKE_FAILURE;
2015 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_RSA_PKEY); 2163 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2164 SSL_R_MISSING_TMP_RSA_PKEY);
2016 goto f_err; 2165 goto f_err;
2017 2166
2018 } 2167 }
@@ -2021,7 +2170,8 @@ ssl3_get_client_key_exchange(SSL *s)
2021 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || 2170 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
2022 (pkey->pkey.rsa == NULL)) { 2171 (pkey->pkey.rsa == NULL)) {
2023 al = SSL_AD_HANDSHAKE_FAILURE; 2172 al = SSL_AD_HANDSHAKE_FAILURE;
2024 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_RSA_CERTIFICATE); 2173 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2174 SSL_R_MISSING_RSA_CERTIFICATE);
2025 goto f_err; 2175 goto f_err;
2026 } 2176 }
2027 rsa = pkey->pkey.rsa; 2177 rsa = pkey->pkey.rsa;
@@ -2032,7 +2182,9 @@ ssl3_get_client_key_exchange(SSL *s)
2032 n2s(p, i); 2182 n2s(p, i);
2033 if (n != i + 2) { 2183 if (n != i + 2) {
2034 if (!(s->options & SSL_OP_TLS_D5_BUG)) { 2184 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
2035 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); 2185 SSLerr(
2186 SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2187 SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
2036 goto err; 2188 goto err;
2037 } else 2189 } else
2038 p -= 2; 2190 p -= 2;
@@ -2049,45 +2201,63 @@ ssl3_get_client_key_exchange(SSL *s)
2049 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ 2201 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
2050 } 2202 }
2051 2203
2052 if ((al == -1) && !((p[0] == (s->client_version >> 8)) && (p[1] == (s->client_version & 0xff)))) { 2204 if ((al == -1) && !((p[0] == (s->client_version >> 8)) &&
2053 /* The premaster secret must contain the same version number as the 2205 (p[1] == (s->client_version & 0xff)))) {
2054 * ClientHello to detect version rollback attacks (strangely, the 2206 /*
2055 * protocol does not offer such protection for DH ciphersuites). 2207 * The premaster secret must contain the same version
2056 * However, buggy clients exist that send the negotiated protocol 2208 * number as the ClientHello to detect version rollback
2057 * version instead if the server does not support the requested 2209 * attacks (strangely, the protocol does not offer such
2058 * protocol version. 2210 * protection for DH ciphersuites).
2059 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */ 2211 * However, buggy clients exist that send the negotiated
2212 * protocol version instead if the server does not
2213 * support the requested protocol version.
2214 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2215 * clients.
2216 */
2060 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && 2217 if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
2061 (p[0] == (s->version >> 8)) && (p[1] == (s->version & 0xff)))) { 2218 (p[0] == (s->version >> 8)) &&
2219 (p[1] == (s->version & 0xff)))) {
2062 al = SSL_AD_DECODE_ERROR; 2220 al = SSL_AD_DECODE_ERROR;
2063 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ 2221 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
2064 2222
2065 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack 2223 /* The Klima-Pokorny-Rosa extension of
2066 * (http://eprint.iacr.org/2003/052/) exploits the version 2224 * Bleichenbacher's attack
2067 * number check as a "bad version oracle" -- an alert would 2225 * (http://eprint.iacr.org/2003/052/) exploits
2068 * reveal that the plaintext corresponding to some ciphertext 2226 * the version number check as a "bad version
2069 * made up by the adversary is properly formatted except 2227 * oracle" -- an alert would reveal that the
2070 * that the version number is wrong. To avoid such attacks, 2228 * plaintext corresponding to some ciphertext
2071 * we should treat this just like any other decryption error. */ 2229 * made up by the adversary is properly
2230 * formatted except that the version number is
2231 * wrong.
2232 * To avoid such attacks, we should treat this
2233 * just like any other decryption error.
2234 */
2072 } 2235 }
2073 } 2236 }
2074 2237
2075 if (al != -1) { 2238 if (al != -1) {
2076 /* Some decryption failure -- use random value instead as countermeasure 2239 /*
2077 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 2240 * Some decryption failure -- use random value instead
2078 * (see RFC 2246, section 7.4.7.1). */ 2241 * as countermeasure against Bleichenbacher's attack
2242 * on PKCS #1 v1.5 RSA padding (see RFC 2246,
2243 * section 7.4.7.1).
2244 */
2079 ERR_clear_error(); 2245 ERR_clear_error();
2080 i = SSL_MAX_MASTER_KEY_LENGTH; 2246 i = SSL_MAX_MASTER_KEY_LENGTH;
2081 p[0] = s->client_version >> 8; 2247 p[0] = s->client_version >> 8;
2082 p[1] = s->client_version & 0xff; 2248 p[1] = s->client_version & 0xff;
2083 if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ 2249 /*
2250 * Should be RAND_bytes, but we cannot work around a
2251 * failure.
2252 */
2253 if (RAND_pseudo_bytes(p+2, i-2) <= 0)
2084 goto err; 2254 goto err;
2085 } 2255 }
2086 2256
2087 s->session->master_key_length = 2257 s->session->master_key_length =
2088 s->method->ssl3_enc->generate_master_secret(s, 2258 s->method->ssl3_enc->generate_master_secret(s,
2089 s->session->master_key, 2259 s->session->master_key,
2090 p, i); 2260 p, i);
2091 OPENSSL_cleanse(p, i); 2261 OPENSSL_cleanse(p, i);
2092 } else 2262 } else
2093#endif 2263#endif
@@ -2096,7 +2266,8 @@ ssl3_get_client_key_exchange(SSL *s)
2096 n2s(p, i); 2266 n2s(p, i);
2097 if (n != i + 2) { 2267 if (n != i + 2) {
2098 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) { 2268 if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
2099 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); 2269 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2270 SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
2100 goto err; 2271 goto err;
2101 } else { 2272 } else {
2102 p -= 2; 2273 p -= 2;
@@ -2104,15 +2275,17 @@ ssl3_get_client_key_exchange(SSL *s)
2104 } 2275 }
2105 } 2276 }
2106 2277
2107 if (n == 0L) /* the parameters are in the cert */ 2278 if (n == 0L) {
2108 { 2279 /* the parameters are in the cert */
2109 al = SSL_AD_HANDSHAKE_FAILURE; 2280 al = SSL_AD_HANDSHAKE_FAILURE;
2110 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNABLE_TO_DECODE_DH_CERTS); 2281 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2282 SSL_R_UNABLE_TO_DECODE_DH_CERTS);
2111 goto f_err; 2283 goto f_err;
2112 } else { 2284 } else {
2113 if (s->s3->tmp.dh == NULL) { 2285 if (s->s3->tmp.dh == NULL) {
2114 al = SSL_AD_HANDSHAKE_FAILURE; 2286 al = SSL_AD_HANDSHAKE_FAILURE;
2115 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY); 2287 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2288 SSL_R_MISSING_TMP_DH_KEY);
2116 goto f_err; 2289 goto f_err;
2117 } else 2290 } else
2118 dh_srvr = s->s3->tmp.dh; 2291 dh_srvr = s->s3->tmp.dh;
@@ -2120,14 +2293,16 @@ ssl3_get_client_key_exchange(SSL *s)
2120 2293
2121 pub = BN_bin2bn(p, i, NULL); 2294 pub = BN_bin2bn(p, i, NULL);
2122 if (pub == NULL) { 2295 if (pub == NULL) {
2123 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB); 2296 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2297 SSL_R_BN_LIB);
2124 goto err; 2298 goto err;
2125 } 2299 }
2126 2300
2127 i = DH_compute_key(p, pub, dh_srvr); 2301 i = DH_compute_key(p, pub, dh_srvr);
2128 2302
2129 if (i <= 0) { 2303 if (i <= 0) {
2130 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 2304 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2305 ERR_R_DH_LIB);
2131 BN_clear_free(pub); 2306 BN_clear_free(pub);
2132 goto err; 2307 goto err;
2133 } 2308 }
@@ -2169,7 +2344,7 @@ ssl3_get_client_key_exchange(SSL *s)
2169 2344
2170 if (n < (long)(enc_ticket.length + 6)) { 2345 if (n < (long)(enc_ticket.length + 6)) {
2171 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2346 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2172 SSL_R_DATA_LENGTH_TOO_LONG); 2347 SSL_R_DATA_LENGTH_TOO_LONG);
2173 goto err; 2348 goto err;
2174 } 2349 }
2175 2350
@@ -2181,7 +2356,7 @@ ssl3_get_client_key_exchange(SSL *s)
2181 2356
2182 if (n < (long)(enc_ticket.length + authenticator.length + 6)) { 2357 if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
2183 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2358 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2184 SSL_R_DATA_LENGTH_TOO_LONG); 2359 SSL_R_DATA_LENGTH_TOO_LONG);
2185 goto err; 2360 goto err;
2186 } 2361 }
2187 2362
@@ -2193,19 +2368,20 @@ ssl3_get_client_key_exchange(SSL *s)
2193 enc_pms.data = (char *)p; 2368 enc_pms.data = (char *)p;
2194 p += enc_pms.length; 2369 p += enc_pms.length;
2195 2370
2196 /* Note that the length is checked again below, 2371 /*
2197 ** after decryption 2372 * Note that the length is checked again below,
2198 */ 2373 * after decryption
2374 */
2199 if (enc_pms.length > sizeof pms) { 2375 if (enc_pms.length > sizeof pms) {
2200 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2376 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2201 SSL_R_DATA_LENGTH_TOO_LONG); 2377 SSL_R_DATA_LENGTH_TOO_LONG);
2202 goto err; 2378 goto err;
2203 } 2379 }
2204 2380
2205 if (n != (long)(enc_ticket.length + authenticator.length + 2381 if (n != (long)(enc_ticket.length + authenticator.length +
2206 enc_pms.length + 6)) { 2382 enc_pms.length + 6)) {
2207 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2383 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2208 SSL_R_DATA_LENGTH_TOO_LONG); 2384 SSL_R_DATA_LENGTH_TOO_LONG);
2209 goto err; 2385 goto err;
2210 } 2386 }
2211 2387
@@ -2234,7 +2410,7 @@ ssl3_get_client_key_exchange(SSL *s)
2234 printf("kssl_err text= %s\n", kssl_err.text); 2410 printf("kssl_err text= %s\n", kssl_err.text);
2235#endif /* KSSL_DEBUG */ 2411#endif /* KSSL_DEBUG */
2236 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2412 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2237 kssl_err.reason); 2413 kssl_err.reason);
2238 goto err; 2414 goto err;
2239 } 2415 }
2240 2416
@@ -2253,45 +2429,51 @@ ssl3_get_client_key_exchange(SSL *s)
2253 2429
2254 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2430 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2255 2431
2256 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) { 2432 if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL,
2433 kssl_ctx->key, iv)) {
2257 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2434 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2258 SSL_R_DECRYPTION_FAILED); 2435 SSL_R_DECRYPTION_FAILED);
2259 goto err; 2436 goto err;
2260 } 2437 }
2261 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl, 2438 if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
2262 (unsigned char *)enc_pms.data, enc_pms.length)) { 2439 (unsigned char *)enc_pms.data, enc_pms.length)) {
2263 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2440 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2264 SSL_R_DECRYPTION_FAILED); 2441 SSL_R_DECRYPTION_FAILED);
2265 goto err; 2442 goto err;
2266 } 2443 }
2267 if (outl > SSL_MAX_MASTER_KEY_LENGTH) { 2444 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2268 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2445 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2269 SSL_R_DATA_LENGTH_TOO_LONG); 2446 SSL_R_DATA_LENGTH_TOO_LONG);
2270 goto err; 2447 goto err;
2271 } 2448 }
2272 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) { 2449 if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
2273 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2450 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2274 SSL_R_DECRYPTION_FAILED); 2451 SSL_R_DECRYPTION_FAILED);
2275 goto err; 2452 goto err;
2276 } 2453 }
2277 outl += padl; 2454 outl += padl;
2278 if (outl > SSL_MAX_MASTER_KEY_LENGTH) { 2455 if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
2279 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2456 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2280 SSL_R_DATA_LENGTH_TOO_LONG); 2457 SSL_R_DATA_LENGTH_TOO_LONG);
2281 goto err; 2458 goto err;
2282 } 2459 }
2283 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) { 2460 if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
2284 /* The premaster secret must contain the same version number as the 2461 /*
2285 * ClientHello to detect version rollback attacks (strangely, the 2462 * The premaster secret must contain the same version
2286 * protocol does not offer such protection for DH ciphersuites). 2463 * number as the ClientHello to detect version rollback
2287 * However, buggy clients exist that send random bytes instead of 2464 * attacks (strangely, the protocol does not offer such
2288 * the protocol version. 2465 * protection for DH ciphersuites).
2289 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 2466 * However, buggy clients exist that send random bytes
2290 * (Perhaps we should have a separate BUG value for the Kerberos cipher) 2467 * instead of the protocol version.
2291 */ 2468 *
2469 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
2470 * clients.
2471 * (Perhaps we should have a separate BUG value for
2472 * the Kerberos cipher)
2473 */
2292 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) { 2474 if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
2293 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2475 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2294 SSL_AD_DECODE_ERROR); 2476 SSL_AD_DECODE_ERROR);
2295 goto err; 2477 goto err;
2296 } 2478 }
2297 } 2479 }
@@ -2300,22 +2482,24 @@ ssl3_get_client_key_exchange(SSL *s)
2300 2482
2301 s->session->master_key_length = 2483 s->session->master_key_length =
2302 s->method->ssl3_enc->generate_master_secret(s, 2484 s->method->ssl3_enc->generate_master_secret(s,
2303 s->session->master_key, pms, outl); 2485 s->session->master_key, pms, outl);
2304 2486
2305 if (kssl_ctx->client_princ) { 2487 if (kssl_ctx->client_princ) {
2306 size_t len = strlen(kssl_ctx->client_princ); 2488 size_t len = strlen(kssl_ctx->client_princ);
2307 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) { 2489 if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
2308 s->session->krb5_client_princ_len = len; 2490 s->session->krb5_client_princ_len = len;
2309 memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ, len); 2491 memcpy(s->session->krb5_client_princ,
2492 kssl_ctx->client_princ, len);
2310 } 2493 }
2311 } 2494 }
2312 2495
2313 2496
2314 /* Was doing kssl_ctx_free() here, 2497 /*
2315 ** but it caused problems for apache. 2498 * Was doing kssl_ctx_free() here, but it caused problems for
2316 ** kssl_ctx = kssl_ctx_free(kssl_ctx); 2499 * apache.
2317 ** if (s->kssl_ctx) s->kssl_ctx = NULL; 2500 * kssl_ctx = kssl_ctx_free(kssl_ctx);
2318 */ 2501 * if (s->kssl_ctx) s->kssl_ctx = NULL;
2502 */
2319 } else 2503 } else
2320#endif /* OPENSSL_NO_KRB5 */ 2504#endif /* OPENSSL_NO_KRB5 */
2321 2505
@@ -2327,19 +2511,20 @@ ssl3_get_client_key_exchange(SSL *s)
2327 const EC_GROUP *group; 2511 const EC_GROUP *group;
2328 const BIGNUM *priv_key; 2512 const BIGNUM *priv_key;
2329 2513
2330 /* initialize structures for server's ECDH key pair */ 2514 /* Initialize structures for server's ECDH key pair. */
2331 if ((srvr_ecdh = EC_KEY_new()) == NULL) { 2515 if ((srvr_ecdh = EC_KEY_new()) == NULL) {
2332 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2516 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2333 ERR_R_MALLOC_FAILURE); 2517 ERR_R_MALLOC_FAILURE);
2334 goto err; 2518 goto err;
2335 } 2519 }
2336 2520
2337 /* Let's get server private key and group information */ 2521 /* Let's get server private key and group information. */
2338 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { 2522 if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
2339 /* use the certificate */ 2523 /* Use the certificate */
2340 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; 2524 tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
2341 } else { 2525 } else {
2342 /* use the ephermeral values we saved when 2526 /*
2527 * Use the ephermeral values we saved when
2343 * generating the ServerKeyExchange msg. 2528 * generating the ServerKeyExchange msg.
2344 */ 2529 */
2345 tkey = s->s3->tmp.ecdh; 2530 tkey = s->s3->tmp.ecdh;
@@ -2349,16 +2534,16 @@ ssl3_get_client_key_exchange(SSL *s)
2349 priv_key = EC_KEY_get0_private_key(tkey); 2534 priv_key = EC_KEY_get0_private_key(tkey);
2350 2535
2351 if (!EC_KEY_set_group(srvr_ecdh, group) || 2536 if (!EC_KEY_set_group(srvr_ecdh, group) ||
2352 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) { 2537 !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
2353 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2538 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2354 ERR_R_EC_LIB); 2539 ERR_R_EC_LIB);
2355 goto err; 2540 goto err;
2356 } 2541 }
2357 2542
2358 /* Let's get client's public key */ 2543 /* Let's get client's public key */
2359 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) { 2544 if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
2360 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2545 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2361 ERR_R_MALLOC_FAILURE); 2546 ERR_R_MALLOC_FAILURE);
2362 goto err; 2547 goto err;
2363 } 2548 }
2364 2549
@@ -2367,13 +2552,15 @@ ssl3_get_client_key_exchange(SSL *s)
2367 2552
2368 if (alg_k & SSL_kEECDH) { 2553 if (alg_k & SSL_kEECDH) {
2369 al = SSL_AD_HANDSHAKE_FAILURE; 2554 al = SSL_AD_HANDSHAKE_FAILURE;
2370 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY); 2555 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2556 SSL_R_MISSING_TMP_ECDH_KEY);
2371 goto f_err; 2557 goto f_err;
2372 } 2558 }
2373 if (((clnt_pub_pkey = X509_get_pubkey( 2559 if (((clnt_pub_pkey = X509_get_pubkey(
2374 s->session->peer)) == NULL) || 2560 s->session->peer)) == NULL) ||
2375 (clnt_pub_pkey->type != EVP_PKEY_EC)) { 2561 (clnt_pub_pkey->type != EVP_PKEY_EC)) {
2376 /* XXX: For now, we do not support client 2562 /*
2563 * XXX: For now, we do not support client
2377 * authentication using ECDH certificates 2564 * authentication using ECDH certificates
2378 * so this branch (n == 0L) of the code is 2565 * so this branch (n == 0L) of the code is
2379 * never executed. When that support is 2566 * never executed. When that support is
@@ -2386,14 +2573,15 @@ ssl3_get_client_key_exchange(SSL *s)
2386 */ 2573 */
2387 al = SSL_AD_HANDSHAKE_FAILURE; 2574 al = SSL_AD_HANDSHAKE_FAILURE;
2388 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2575 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2389 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); 2576 SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
2390 goto f_err; 2577 goto f_err;
2391 } 2578 }
2392 2579
2393 if (EC_POINT_copy(clnt_ecpoint, 2580 if (EC_POINT_copy(clnt_ecpoint,
2394 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0) { 2581 EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec))
2582 == 0) {
2395 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2583 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2396 ERR_R_EC_LIB); 2584 ERR_R_EC_LIB);
2397 goto err; 2585 goto err;
2398 } 2586 }
2399 ret = 2; /* Skip certificate verify processing */ 2587 ret = 2; /* Skip certificate verify processing */
@@ -2403,7 +2591,7 @@ ssl3_get_client_key_exchange(SSL *s)
2403 */ 2591 */
2404 if ((bn_ctx = BN_CTX_new()) == NULL) { 2592 if ((bn_ctx = BN_CTX_new()) == NULL) {
2405 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2593 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2406 ERR_R_MALLOC_FAILURE); 2594 ERR_R_MALLOC_FAILURE);
2407 goto err; 2595 goto err;
2408 } 2596 }
2409 2597
@@ -2413,17 +2601,18 @@ ssl3_get_client_key_exchange(SSL *s)
2413 p += 1; 2601 p += 1;
2414 if (n != 1 + i) { 2602 if (n != 1 + i) {
2415 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2603 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2416 ERR_R_EC_LIB); 2604 ERR_R_EC_LIB);
2417 goto err; 2605 goto err;
2418 } 2606 }
2419 if (EC_POINT_oct2point(group, 2607 if (EC_POINT_oct2point(group,
2420 clnt_ecpoint, p, i, bn_ctx) == 0) { 2608 clnt_ecpoint, p, i, bn_ctx) == 0) {
2421 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2609 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2422 ERR_R_EC_LIB); 2610 ERR_R_EC_LIB);
2423 goto err; 2611 goto err;
2424 } 2612 }
2425 /* p is pointing to somewhere in the buffer 2613 /*
2426 * currently, so set it to the start 2614 * p is pointing to somewhere in the buffer
2615 * currently, so set it to the start.
2427 */ 2616 */
2428 p = (unsigned char *)s->init_buf->data; 2617 p = (unsigned char *)s->init_buf->data;
2429 } 2618 }
@@ -2432,13 +2621,14 @@ ssl3_get_client_key_exchange(SSL *s)
2432 field_size = EC_GROUP_get_degree(group); 2621 field_size = EC_GROUP_get_degree(group);
2433 if (field_size <= 0) { 2622 if (field_size <= 0) {
2434 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2623 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2435 ERR_R_ECDH_LIB); 2624 ERR_R_ECDH_LIB);
2436 goto err; 2625 goto err;
2437 } 2626 }
2438 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint, srvr_ecdh, NULL); 2627 i = ECDH_compute_key(p, (field_size + 7)/8, clnt_ecpoint,
2628 srvr_ecdh, NULL);
2439 if (i <= 0) { 2629 if (i <= 0) {
2440 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2630 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2441 ERR_R_ECDH_LIB); 2631 ERR_R_ECDH_LIB);
2442 goto err; 2632 goto err;
2443 } 2633 }
2444 2634
@@ -2471,36 +2661,38 @@ ssl3_get_client_key_exchange(SSL *s)
2471 n2s(p, i); 2661 n2s(p, i);
2472 if (n != i + 2) { 2662 if (n != i + 2) {
2473 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2663 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2474 SSL_R_LENGTH_MISMATCH); 2664 SSL_R_LENGTH_MISMATCH);
2475 goto psk_err; 2665 goto psk_err;
2476 } 2666 }
2477 if (i > PSK_MAX_IDENTITY_LEN) { 2667 if (i > PSK_MAX_IDENTITY_LEN) {
2478 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2668 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2479 SSL_R_DATA_LENGTH_TOO_LONG); 2669 SSL_R_DATA_LENGTH_TOO_LONG);
2480 goto psk_err; 2670 goto psk_err;
2481 } 2671 }
2482 if (s->psk_server_callback == NULL) { 2672 if (s->psk_server_callback == NULL) {
2483 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2673 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2484 SSL_R_PSK_NO_SERVER_CB); 2674 SSL_R_PSK_NO_SERVER_CB);
2485 goto psk_err; 2675 goto psk_err;
2486 } 2676 }
2487 2677
2488 /* Create guaranteed NULL-terminated identity 2678 /*
2489 * string for the callback */ 2679 * Create guaranteed NULL-terminated identity
2680 * string for the callback
2681 */
2490 memcpy(tmp_id, p, i); 2682 memcpy(tmp_id, p, i);
2491 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); 2683 memset(tmp_id + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
2492 psk_len = s->psk_server_callback(s, tmp_id, 2684 psk_len = s->psk_server_callback(s, tmp_id,
2493 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 2685 psk_or_pre_ms, sizeof(psk_or_pre_ms));
2494 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1); 2686 OPENSSL_cleanse(tmp_id, PSK_MAX_IDENTITY_LEN + 1);
2495 2687
2496 if (psk_len > PSK_MAX_PSK_LEN) { 2688 if (psk_len > PSK_MAX_PSK_LEN) {
2497 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2689 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2498 ERR_R_INTERNAL_ERROR); 2690 ERR_R_INTERNAL_ERROR);
2499 goto psk_err; 2691 goto psk_err;
2500 } else if (psk_len == 0) { 2692 } else if (psk_len == 0) {
2501 /* PSK related to the given identity not found */ 2693 /* PSK related to the given identity not found */
2502 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2694 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2503 SSL_R_PSK_IDENTITY_NOT_FOUND); 2695 SSL_R_PSK_IDENTITY_NOT_FOUND);
2504 al = SSL_AD_UNKNOWN_PSK_IDENTITY; 2696 al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2505 goto psk_err; 2697 goto psk_err;
2506 } 2698 }
@@ -2519,7 +2711,7 @@ ssl3_get_client_key_exchange(SSL *s)
2519 s->session->psk_identity = BUF_strdup((char *)p); 2711 s->session->psk_identity = BUF_strdup((char *)p);
2520 if (s->session->psk_identity == NULL) { 2712 if (s->session->psk_identity == NULL) {
2521 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2713 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2522 ERR_R_MALLOC_FAILURE); 2714 ERR_R_MALLOC_FAILURE);
2523 goto psk_err; 2715 goto psk_err;
2524 } 2716 }
2525 2717
@@ -2529,7 +2721,7 @@ ssl3_get_client_key_exchange(SSL *s)
2529 if (s->ctx->psk_identity_hint != NULL && 2721 if (s->ctx->psk_identity_hint != NULL &&
2530 s->session->psk_identity_hint == NULL) { 2722 s->session->psk_identity_hint == NULL) {
2531 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2723 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2532 ERR_R_MALLOC_FAILURE); 2724 ERR_R_MALLOC_FAILURE);
2533 goto psk_err; 2725 goto psk_err;
2534 } 2726 }
2535 2727
@@ -2551,11 +2743,13 @@ ssl3_get_client_key_exchange(SSL *s)
2551 param_len = i + 2; 2743 param_len = i + 2;
2552 if (param_len > n) { 2744 if (param_len > n) {
2553 al = SSL_AD_DECODE_ERROR; 2745 al = SSL_AD_DECODE_ERROR;
2554 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH); 2746 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2747 SSL_R_BAD_SRP_A_LENGTH);
2555 goto f_err; 2748 goto f_err;
2556 } 2749 }
2557 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) { 2750 if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
2558 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB); 2751 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2752 ERR_R_BN_LIB);
2559 goto err; 2753 goto err;
2560 } 2754 }
2561 if (s->session->srp_username != NULL) 2755 if (s->session->srp_username != NULL)
@@ -2563,12 +2757,15 @@ ssl3_get_client_key_exchange(SSL *s)
2563 s->session->srp_username = BUF_strdup(s->srp_ctx.login); 2757 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2564 if (s->session->srp_username == NULL) { 2758 if (s->session->srp_username == NULL) {
2565 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, 2759 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2566 ERR_R_MALLOC_FAILURE); 2760 ERR_R_MALLOC_FAILURE);
2567 goto err; 2761 goto err;
2568 } 2762 }
2569 2763
2570 if ((s->session->master_key_length = SRP_generate_server_master_secret(s, s->session->master_key)) < 0) { 2764 if ((s->session->master_key_length =
2571 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2765 SRP_generate_server_master_secret(s,
2766 s->session->master_key)) < 0) {
2767 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2768 ERR_R_INTERNAL_ERROR);
2572 goto err; 2769 goto err;
2573 } 2770 }
2574 2771
@@ -2592,18 +2789,23 @@ ssl3_get_client_key_exchange(SSL *s)
2592 2789
2593 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); 2790 pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2594 EVP_PKEY_decrypt_init(pkey_ctx); 2791 EVP_PKEY_decrypt_init(pkey_ctx);
2595 /* If client certificate is present and is of the same type, maybe 2792 /*
2596 * use it for key exchange. Don't mind errors from 2793 * If client certificate is present and is of the same type,
2597 * EVP_PKEY_derive_set_peer, because it is completely valid to use 2794 * maybe use it for key exchange.
2598 * a client certificate for authorization only. */ 2795 * Don't mind errors from EVP_PKEY_derive_set_peer, because
2796 * it is completely valid to use a client certificate for
2797 * authorization only.
2798 */
2599 client_pub_pkey = X509_get_pubkey(s->session->peer); 2799 client_pub_pkey = X509_get_pubkey(s->session->peer);
2600 if (client_pub_pkey) { 2800 if (client_pub_pkey) {
2601 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) 2801 if (EVP_PKEY_derive_set_peer(pkey_ctx,
2802 client_pub_pkey) <= 0)
2602 ERR_clear_error(); 2803 ERR_clear_error();
2603 } 2804 }
2604 /* Decrypt session key */ 2805 /* Decrypt session key */
2605 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) { 2806 if ((*p != ( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) {
2606 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); 2807 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2808 SSL_R_DECRYPTION_FAILED);
2607 goto gerr; 2809 goto gerr;
2608 } 2810 }
2609 if (p[1] == 0x81) { 2811 if (p[1] == 0x81) {
@@ -2613,21 +2815,23 @@ ssl3_get_client_key_exchange(SSL *s)
2613 start = p + 2; 2815 start = p + 2;
2614 inlen = p[1]; 2816 inlen = p[1];
2615 } else { 2817 } else {
2616 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); 2818 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2819 SSL_R_DECRYPTION_FAILED);
2617 goto gerr; 2820 goto gerr;
2618 } 2821 }
2619 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, inlen) <=0) 2822 if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
2620 2823 start, inlen) <=0) {
2621 { 2824 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2622 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); 2825 SSL_R_DECRYPTION_FAILED);
2623 goto gerr; 2826 goto gerr;
2624 } 2827 }
2625 /* Generate master secret */ 2828 /* Generate master secret */
2626 s->session->master_key_length = 2829 s->session->master_key_length =
2627 s->method->ssl3_enc->generate_master_secret( 2830 s->method->ssl3_enc->generate_master_secret(
2628 s, s->session->master_key, premaster_secret, 32); 2831 s, s->session->master_key, premaster_secret, 32);
2629 /* Check if pubkey from client certificate was used */ 2832 /* Check if pubkey from client certificate was used */
2630 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 2833 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1,
2834 EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2631 ret = 2; 2835 ret = 2;
2632 else 2836 else
2633 ret = 1; 2837 ret = 1;
@@ -2693,7 +2897,8 @@ ssl3_get_cert_verify(SSL *s)
2693 s->s3->tmp.reuse_message = 1; 2897 s->s3->tmp.reuse_message = 1;
2694 if ((peer != NULL) && (type & EVP_PKT_SIGN)) { 2898 if ((peer != NULL) && (type & EVP_PKT_SIGN)) {
2695 al = SSL_AD_UNEXPECTED_MESSAGE; 2899 al = SSL_AD_UNEXPECTED_MESSAGE;
2696 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE); 2900 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2901 SSL_R_MISSING_VERIFY_MESSAGE);
2697 goto f_err; 2902 goto f_err;
2698 } 2903 }
2699 ret = 1; 2904 ret = 1;
@@ -2701,28 +2906,34 @@ ssl3_get_cert_verify(SSL *s)
2701 } 2906 }
2702 2907
2703 if (peer == NULL) { 2908 if (peer == NULL) {
2704 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED); 2909 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2910 SSL_R_NO_CLIENT_CERT_RECEIVED);
2705 al = SSL_AD_UNEXPECTED_MESSAGE; 2911 al = SSL_AD_UNEXPECTED_MESSAGE;
2706 goto f_err; 2912 goto f_err;
2707 } 2913 }
2708 2914
2709 if (!(type & EVP_PKT_SIGN)) { 2915 if (!(type & EVP_PKT_SIGN)) {
2710 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE); 2916 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2917 SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
2711 al = SSL_AD_ILLEGAL_PARAMETER; 2918 al = SSL_AD_ILLEGAL_PARAMETER;
2712 goto f_err; 2919 goto f_err;
2713 } 2920 }
2714 2921
2715 if (s->s3->change_cipher_spec) { 2922 if (s->s3->change_cipher_spec) {
2716 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY); 2923 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2924 SSL_R_CCS_RECEIVED_EARLY);
2717 al = SSL_AD_UNEXPECTED_MESSAGE; 2925 al = SSL_AD_UNEXPECTED_MESSAGE;
2718 goto f_err; 2926 goto f_err;
2719 } 2927 }
2720 2928
2721 /* we now have a signature that we need to verify */ 2929 /* we now have a signature that we need to verify */
2722 p = (unsigned char *)s->init_msg; 2930 p = (unsigned char *)s->init_msg;
2723 /* Check for broken implementations of GOST ciphersuites */ 2931 /*
2724 /* If key is GOST and n is exactly 64, it is bare 2932 * Check for broken implementations of GOST ciphersuites.
2725 * signature without length field */ 2933 *
2934 * If key is GOST and n is exactly 64, it is a bare
2935 * signature without length field.
2936 */
2726 if (n == 64 && (pkey->type == NID_id_GostR3410_94 || 2937 if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
2727 pkey->type == NID_id_GostR3410_2001) ) { 2938 pkey->type == NID_id_GostR3410_2001) ) {
2728 i = 64; 2939 i = 64;
@@ -2731,24 +2942,28 @@ ssl3_get_cert_verify(SSL *s)
2731 int sigalg = tls12_get_sigid(pkey); 2942 int sigalg = tls12_get_sigid(pkey);
2732 /* Should never happen */ 2943 /* Should never happen */
2733 if (sigalg == -1) { 2944 if (sigalg == -1) {
2734 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2945 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2946 ERR_R_INTERNAL_ERROR);
2735 al = SSL_AD_INTERNAL_ERROR; 2947 al = SSL_AD_INTERNAL_ERROR;
2736 goto f_err; 2948 goto f_err;
2737 } 2949 }
2738 /* Check key type is consistent with signature */ 2950 /* Check key type is consistent with signature */
2739 if (sigalg != (int)p[1]) { 2951 if (sigalg != (int)p[1]) {
2740 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_TYPE); 2952 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2953 SSL_R_WRONG_SIGNATURE_TYPE);
2741 al = SSL_AD_DECODE_ERROR; 2954 al = SSL_AD_DECODE_ERROR;
2742 goto f_err; 2955 goto f_err;
2743 } 2956 }
2744 md = tls12_get_hash(p[0]); 2957 md = tls12_get_hash(p[0]);
2745 if (md == NULL) { 2958 if (md == NULL) {
2746 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_UNKNOWN_DIGEST); 2959 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2960 SSL_R_UNKNOWN_DIGEST);
2747 al = SSL_AD_DECODE_ERROR; 2961 al = SSL_AD_DECODE_ERROR;
2748 goto f_err; 2962 goto f_err;
2749 } 2963 }
2750#ifdef SSL_DEBUG 2964#ifdef SSL_DEBUG
2751 fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); 2965 fprintf(stderr, "USING TLSv1.2 HASH %s\n",
2966 EVP_MD_name(md));
2752#endif 2967#endif
2753 p += 2; 2968 p += 2;
2754 n -= 2; 2969 n -= 2;
@@ -2756,7 +2971,8 @@ ssl3_get_cert_verify(SSL *s)
2756 n2s(p, i); 2971 n2s(p, i);
2757 n -= 2; 2972 n -= 2;
2758 if (i > n) { 2973 if (i > n) {
2759 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); 2974 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2975 SSL_R_LENGTH_MISMATCH);
2760 al = SSL_AD_DECODE_ERROR; 2976 al = SSL_AD_DECODE_ERROR;
2761 goto f_err; 2977 goto f_err;
2762 } 2978 }
@@ -2773,13 +2989,14 @@ ssl3_get_cert_verify(SSL *s)
2773 void *hdata; 2989 void *hdata;
2774 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 2990 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
2775 if (hdatalen <= 0) { 2991 if (hdatalen <= 0) {
2776 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR); 2992 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2993 ERR_R_INTERNAL_ERROR);
2777 al = SSL_AD_INTERNAL_ERROR; 2994 al = SSL_AD_INTERNAL_ERROR;
2778 goto f_err; 2995 goto f_err;
2779 } 2996 }
2780#ifdef SSL_DEBUG 2997#ifdef SSL_DEBUG
2781 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n", 2998 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
2782 EVP_MD_name(md)); 2999 EVP_MD_name(md));
2783#endif 3000#endif
2784 if (!EVP_VerifyInit_ex(&mctx, md, NULL) || 3001 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
2785 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { 3002 !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
@@ -2797,16 +3014,18 @@ ssl3_get_cert_verify(SSL *s)
2797#ifndef OPENSSL_NO_RSA 3014#ifndef OPENSSL_NO_RSA
2798 if (pkey->type == EVP_PKEY_RSA) { 3015 if (pkey->type == EVP_PKEY_RSA) {
2799 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, 3016 i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
2800 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i, 3017 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
2801 pkey->pkey.rsa); 3018 pkey->pkey.rsa);
2802 if (i < 0) { 3019 if (i < 0) {
2803 al = SSL_AD_DECRYPT_ERROR; 3020 al = SSL_AD_DECRYPT_ERROR;
2804 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_DECRYPT); 3021 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3022 SSL_R_BAD_RSA_DECRYPT);
2805 goto f_err; 3023 goto f_err;
2806 } 3024 }
2807 if (i == 0) { 3025 if (i == 0) {
2808 al = SSL_AD_DECRYPT_ERROR; 3026 al = SSL_AD_DECRYPT_ERROR;
2809 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_RSA_SIGNATURE); 3027 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3028 SSL_R_BAD_RSA_SIGNATURE);
2810 goto f_err; 3029 goto f_err;
2811 } 3030 }
2812 } else 3031 } else
@@ -2814,12 +3033,13 @@ ssl3_get_cert_verify(SSL *s)
2814#ifndef OPENSSL_NO_DSA 3033#ifndef OPENSSL_NO_DSA
2815 if (pkey->type == EVP_PKEY_DSA) { 3034 if (pkey->type == EVP_PKEY_DSA) {
2816 j = DSA_verify(pkey->save_type, 3035 j = DSA_verify(pkey->save_type,
2817 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), 3036 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
2818 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa); 3037 SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
2819 if (j <= 0) { 3038 if (j <= 0) {
2820 /* bad signature */ 3039 /* bad signature */
2821 al = SSL_AD_DECRYPT_ERROR; 3040 al = SSL_AD_DECRYPT_ERROR;
2822 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_DSA_SIGNATURE); 3041 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
3042 SSL_R_BAD_DSA_SIGNATURE);
2823 goto f_err; 3043 goto f_err;
2824 } 3044 }
2825 } else 3045 } else
@@ -2833,12 +3053,13 @@ ssl3_get_cert_verify(SSL *s)
2833 /* bad signature */ 3053 /* bad signature */
2834 al = SSL_AD_DECRYPT_ERROR; 3054 al = SSL_AD_DECRYPT_ERROR;
2835 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3055 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2836 SSL_R_BAD_ECDSA_SIGNATURE); 3056 SSL_R_BAD_ECDSA_SIGNATURE);
2837 goto f_err; 3057 goto f_err;
2838 } 3058 }
2839 } else 3059 } else
2840#endif 3060#endif
2841 if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) { 3061 if (pkey->type == NID_id_GostR3410_94 ||
3062 pkey->type == NID_id_GostR3410_2001) {
2842 unsigned char signature[64]; 3063 unsigned char signature[64];
2843 int idx; 3064 int idx;
2844 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL); 3065 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
@@ -2849,12 +3070,13 @@ ssl3_get_cert_verify(SSL *s)
2849 for (idx = 0; idx < 64; idx++) { 3070 for (idx = 0; idx < 64; idx++) {
2850 signature[63 - idx] = p[idx]; 3071 signature[63 - idx] = p[idx];
2851 } 3072 }
2852 j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md, 32); 3073 j = EVP_PKEY_verify(pctx, signature, 64,
3074 s->s3->tmp.cert_verify_md, 32);
2853 EVP_PKEY_CTX_free(pctx); 3075 EVP_PKEY_CTX_free(pctx);
2854 if (j <= 0) { 3076 if (j <= 0) {
2855 al = SSL_AD_DECRYPT_ERROR; 3077 al = SSL_AD_DECRYPT_ERROR;
2856 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, 3078 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
2857 SSL_R_BAD_ECDSA_SIGNATURE); 3079 SSL_R_BAD_ECDSA_SIGNATURE);
2858 goto f_err; 3080 goto f_err;
2859 } 3081 }
2860 } else { 3082 } else {
@@ -2890,26 +3112,28 @@ ssl3_get_client_certificate(SSL *s)
2890 unsigned char *d; 3112 unsigned char *d;
2891 STACK_OF(X509) *sk = NULL; 3113 STACK_OF(X509) *sk = NULL;
2892 3114
2893 n = s->method->ssl_get_message(s, 3115 n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
2894 SSL3_ST_SR_CERT_A, 3116 -1, s->max_cert_list, &ok);
2895 SSL3_ST_SR_CERT_B,
2896 -1,
2897 s->max_cert_list,
2898 &ok);
2899 3117
2900 if (!ok) 3118 if (!ok)
2901 return ((int)n); 3119 return ((int)n);
2902 3120
2903 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { 3121 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2904 if ((s->verify_mode & SSL_VERIFY_PEER) && 3122 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2905 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 3123 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2906 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3124 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3125 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2907 al = SSL_AD_HANDSHAKE_FAILURE; 3126 al = SSL_AD_HANDSHAKE_FAILURE;
2908 goto f_err; 3127 goto f_err;
2909 } 3128 }
2910 /* If tls asked for a client cert, the client must return a 0 list */ 3129 /*
3130 * If tls asked for a client cert,
3131 * the client must return a 0 list.
3132 */
2911 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) { 3133 if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request) {
2912 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST); 3134 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3135 SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
3136 );
2913 al = SSL_AD_UNEXPECTED_MESSAGE; 3137 al = SSL_AD_UNEXPECTED_MESSAGE;
2914 goto f_err; 3138 goto f_err;
2915 } 3139 }
@@ -2919,43 +3143,50 @@ ssl3_get_client_certificate(SSL *s)
2919 3143
2920 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) { 3144 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) {
2921 al = SSL_AD_UNEXPECTED_MESSAGE; 3145 al = SSL_AD_UNEXPECTED_MESSAGE;
2922 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE); 3146 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3147 SSL_R_WRONG_MESSAGE_TYPE);
2923 goto f_err; 3148 goto f_err;
2924 } 3149 }
2925 p = d = (unsigned char *)s->init_msg; 3150 p = d = (unsigned char *)s->init_msg;
2926 3151
2927 if ((sk = sk_X509_new_null()) == NULL) { 3152 if ((sk = sk_X509_new_null()) == NULL) {
2928 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3153 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3154 ERR_R_MALLOC_FAILURE);
2929 goto err; 3155 goto err;
2930 } 3156 }
2931 3157
2932 n2l3(p, llen); 3158 n2l3(p, llen);
2933 if (llen + 3 != n) { 3159 if (llen + 3 != n) {
2934 al = SSL_AD_DECODE_ERROR; 3160 al = SSL_AD_DECODE_ERROR;
2935 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); 3161 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3162 SSL_R_LENGTH_MISMATCH);
2936 goto f_err; 3163 goto f_err;
2937 } 3164 }
2938 for (nc = 0; nc < llen;) { 3165 for (nc = 0; nc < llen;) {
2939 n2l3(p, l); 3166 n2l3(p, l);
2940 if ((l + nc + 3) > llen) { 3167 if ((l + nc + 3) > llen) {
2941 al = SSL_AD_DECODE_ERROR; 3168 al = SSL_AD_DECODE_ERROR;
2942 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH); 3169 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3170 SSL_R_CERT_LENGTH_MISMATCH);
2943 goto f_err; 3171 goto f_err;
2944 } 3172 }
2945 3173
2946 q = p; 3174 q = p;
2947 x = d2i_X509(NULL, &p, l); 3175 x = d2i_X509(NULL, &p, l);
2948 if (x == NULL) { 3176 if (x == NULL) {
2949 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); 3177 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3178 ERR_R_ASN1_LIB);
2950 goto err; 3179 goto err;
2951 } 3180 }
2952 if (p != (q + l)) { 3181 if (p != (q + l)) {
2953 al = SSL_AD_DECODE_ERROR; 3182 al = SSL_AD_DECODE_ERROR;
2954 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH); 3183 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3184 SSL_R_CERT_LENGTH_MISMATCH);
2955 goto f_err; 3185 goto f_err;
2956 } 3186 }
2957 if (!sk_X509_push(sk, x)) { 3187 if (!sk_X509_push(sk, x)) {
2958 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3188 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3189 ERR_R_MALLOC_FAILURE);
2959 goto err; 3190 goto err;
2960 } 3191 }
2961 x = NULL; 3192 x = NULL;
@@ -2966,13 +3197,15 @@ ssl3_get_client_certificate(SSL *s)
2966 /* TLS does not mind 0 certs returned */ 3197 /* TLS does not mind 0 certs returned */
2967 if (s->version == SSL3_VERSION) { 3198 if (s->version == SSL3_VERSION) {
2968 al = SSL_AD_HANDSHAKE_FAILURE; 3199 al = SSL_AD_HANDSHAKE_FAILURE;
2969 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATES_RETURNED); 3200 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3201 SSL_R_NO_CERTIFICATES_RETURNED);
2970 goto f_err; 3202 goto f_err;
2971 } 3203 }
2972 /* Fail for TLS only if we required a certificate */ 3204 /* Fail for TLS only if we required a certificate */
2973 else if ((s->verify_mode & SSL_VERIFY_PEER) && 3205 else if ((s->verify_mode & SSL_VERIFY_PEER) &&
2974 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 3206 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2975 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 3207 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3208 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
2976 al = SSL_AD_HANDSHAKE_FAILURE; 3209 al = SSL_AD_HANDSHAKE_FAILURE;
2977 goto f_err; 3210 goto f_err;
2978 } 3211 }
@@ -2985,7 +3218,8 @@ ssl3_get_client_certificate(SSL *s)
2985 i = ssl_verify_cert_chain(s, sk); 3218 i = ssl_verify_cert_chain(s, sk);
2986 if (i <= 0) { 3219 if (i <= 0) {
2987 al = ssl_verify_alarm_type(s->verify_result); 3220 al = ssl_verify_alarm_type(s->verify_result);
2988 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_NO_CERTIFICATE_RETURNED); 3221 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3222 SSL_R_NO_CERTIFICATE_RETURNED);
2989 goto f_err; 3223 goto f_err;
2990 } 3224 }
2991 } 3225 }
@@ -3000,7 +3234,8 @@ ssl3_get_client_certificate(SSL *s)
3000 if (s->session->sess_cert == NULL) { 3234 if (s->session->sess_cert == NULL) {
3001 s->session->sess_cert = ssl_sess_cert_new(); 3235 s->session->sess_cert = ssl_sess_cert_new();
3002 if (s->session->sess_cert == NULL) { 3236 if (s->session->sess_cert == NULL) {
3003 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); 3237 SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
3238 ERR_R_MALLOC_FAILURE);
3004 goto err; 3239 goto err;
3005 } 3240 }
3006 } 3241 }
@@ -3035,9 +3270,12 @@ ssl3_send_server_certificate(SSL *s)
3035 x = ssl_get_server_send_cert(s); 3270 x = ssl_get_server_send_cert(s);
3036 if (x == NULL) { 3271 if (x == NULL) {
3037 /* VRS: allow null cert if auth == KRB5 */ 3272 /* VRS: allow null cert if auth == KRB5 */
3038 if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) || 3273 if ((s->s3->tmp.new_cipher->algorithm_auth !=
3039 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) { 3274 SSL_aKRB5) ||
3040 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); 3275 (s->s3->tmp.new_cipher->algorithm_mkey &
3276 SSL_kKRB5)) {
3277 SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
3278 ERR_R_INTERNAL_ERROR);
3041 return (0); 3279 return (0);
3042 } 3280 }
3043 } 3281 }
@@ -3071,7 +3309,8 @@ ssl3_send_newsession_ticket(SSL *s)
3071 3309
3072 /* get session encoding length */ 3310 /* get session encoding length */
3073 slen_full = i2d_SSL_SESSION(s->session, NULL); 3311 slen_full = i2d_SSL_SESSION(s->session, NULL);
3074 /* Some length values are 16 bits, so forget it if session is 3312 /*
3313 * Some length values are 16 bits, so forget it if session is
3075 * too long 3314 * too long
3076 */ 3315 */
3077 if (slen_full > 0xFF00) 3316 if (slen_full > 0xFF00)
@@ -3082,18 +3321,23 @@ ssl3_send_newsession_ticket(SSL *s)
3082 p = senc; 3321 p = senc;
3083 i2d_SSL_SESSION(s->session, &p); 3322 i2d_SSL_SESSION(s->session, &p);
3084 3323
3085 /* create a fresh copy (not shared with other threads) to clean up */ 3324 /*
3325 * Create a fresh copy (not shared with other threads) to
3326 * clean up
3327 */
3086 const_p = senc; 3328 const_p = senc;
3087 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); 3329 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3088 if (sess == NULL) { 3330 if (sess == NULL) {
3089 OPENSSL_free(senc); 3331 OPENSSL_free(senc);
3090 return -1; 3332 return -1;
3091 } 3333 }
3092 sess->session_id_length = 0; /* ID is irrelevant for the ticket */ 3334
3335 /* ID is irrelevant for the ticket */
3336 sess->session_id_length = 0;
3093 3337
3094 slen = i2d_SSL_SESSION(sess, NULL); 3338 slen = i2d_SSL_SESSION(sess, NULL);
3095 if (slen > slen_full) /* shouldn't ever happen */ 3339 if (slen > slen_full) {
3096 { 3340 /* shouldn't ever happen */
3097 OPENSSL_free(senc); 3341 OPENSSL_free(senc);
3098 return -1; 3342 return -1;
3099 } 3343 }
@@ -3101,7 +3345,8 @@ ssl3_send_newsession_ticket(SSL *s)
3101 i2d_SSL_SESSION(sess, &p); 3345 i2d_SSL_SESSION(sess, &p);
3102 SSL_SESSION_free(sess); 3346 SSL_SESSION_free(sess);
3103 3347
3104 /* Grow buffer if need be: the length calculation is as 3348 /*
3349 * Grow buffer if need be: the length calculation is as
3105 * follows 1 (size of message name) + 3 (message length 3350 * follows 1 (size of message name) + 3 (message length
3106 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3351 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
3107 * 16 (key name) + max_iv_len (iv length) + 3352 * 16 (key name) + max_iv_len (iv length) +
@@ -3109,9 +3354,9 @@ ssl3_send_newsession_ticket(SSL *s)
3109 * length) + max_md_size (HMAC). 3354 * length) + max_md_size (HMAC).
3110 */ 3355 */
3111 if (!BUF_MEM_grow(s->init_buf, 3356 if (!BUF_MEM_grow(s->init_buf,
3112 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3357 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3113 EVP_MAX_MD_SIZE + slen)) 3358 EVP_MAX_MD_SIZE + slen))
3114 return -1; 3359 return -1;
3115 3360
3116 p = (unsigned char *)s->init_buf->data; 3361 p = (unsigned char *)s->init_buf->data;
3117 /* do the header */ 3362 /* do the header */
@@ -3120,7 +3365,8 @@ ssl3_send_newsession_ticket(SSL *s)
3120 p += 3; 3365 p += 3;
3121 EVP_CIPHER_CTX_init(&ctx); 3366 EVP_CIPHER_CTX_init(&ctx);
3122 HMAC_CTX_init(&hctx); 3367 HMAC_CTX_init(&hctx);
3123 /* Initialize HMAC and cipher contexts. If callback present 3368 /*
3369 * Initialize HMAC and cipher contexts. If callback present
3124 * it does all the work otherwise use generated values 3370 * it does all the work otherwise use generated values
3125 * from parent ctx. 3371 * from parent ctx.
3126 */ 3372 */
@@ -3139,10 +3385,12 @@ ssl3_send_newsession_ticket(SSL *s)
3139 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3385 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3140 } 3386 }
3141 3387
3142 /* Ticket lifetime hint (advisory only): 3388 /*
3143 * We leave this unspecified for resumed session (for simplicity), 3389 * Ticket lifetime hint (advisory only):
3144 * and guess that tickets for new sessions will live as long 3390 * We leave this unspecified for resumed session
3145 * as their sessions. */ 3391 * (for simplicity), and guess that tickets for new
3392 * sessions will live as long as their sessions.
3393 */
3146 l2n(s->hit ? 0 : s->session->timeout, p); 3394 l2n(s->hit ? 0 : s->session->timeout, p);
3147 3395
3148 /* Skip ticket length for now */ 3396 /* Skip ticket length for now */
@@ -3191,7 +3439,8 @@ ssl3_send_cert_status(SSL *s)
3191{ 3439{
3192 if (s->state == SSL3_ST_SW_CERT_STATUS_A) { 3440 if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
3193 unsigned char *p; 3441 unsigned char *p;
3194 /* Grow buffer if need be: the length calculation is as 3442 /*
3443 * Grow buffer if need be: the length calculation is as
3195 * follows 1 (message type) + 3 (message length) + 3444 * follows 1 (message type) + 3 (message length) +
3196 * 1 (ocsp response type) + 3 (ocsp response length) 3445 * 1 (ocsp response type) + 3 (ocsp response length)
3197 * + (ocsp response) 3446 * + (ocsp response)
@@ -3222,8 +3471,10 @@ ssl3_send_cert_status(SSL *s)
3222} 3471}
3223 3472
3224# ifndef OPENSSL_NO_NEXTPROTONEG 3473# ifndef OPENSSL_NO_NEXTPROTONEG
3225/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It 3474/*
3226 * sets the next_proto member in s if found */ 3475 * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
3476 * It sets the next_proto member in s if found
3477 */
3227int 3478int
3228ssl3_get_next_proto(SSL *s) 3479ssl3_get_next_proto(SSL *s)
3229{ 3480{
@@ -3232,10 +3483,13 @@ ssl3_get_next_proto(SSL *s)
3232 long n; 3483 long n;
3233 const unsigned char *p; 3484 const unsigned char *p;
3234 3485
3235 /* Clients cannot send a NextProtocol message if we didn't see the 3486 /*
3236 * extension in their ClientHello */ 3487 * Clients cannot send a NextProtocol message if we didn't see the
3488 * extension in their ClientHello
3489 */
3237 if (!s->s3->next_proto_neg_seen) { 3490 if (!s->s3->next_proto_neg_seen) {
3238 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); 3491 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3492 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3239 return -1; 3493 return -1;
3240 } 3494 }
3241 3495
@@ -3245,11 +3499,14 @@ ssl3_get_next_proto(SSL *s)
3245 if (!ok) 3499 if (!ok)
3246 return ((int)n); 3500 return ((int)n);
3247 3501
3248 /* s->state doesn't reflect whether ChangeCipherSpec has been received 3502 /*
3503 * s->state doesn't reflect whether ChangeCipherSpec has been received
3249 * in this handshake, but s->s3->change_cipher_spec does (will be reset 3504 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3250 * by ssl3_get_finished). */ 3505 * by ssl3_get_finished).
3506 */
3251 if (!s->s3->change_cipher_spec) { 3507 if (!s->s3->change_cipher_spec) {
3252 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); 3508 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
3509 SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3253 return -1; 3510 return -1;
3254 } 3511 }
3255 3512
@@ -3259,7 +3516,8 @@ ssl3_get_next_proto(SSL *s)
3259 3516
3260 p = (unsigned char *)s->init_msg; 3517 p = (unsigned char *)s->init_msg;
3261 3518
3262 /* The payload looks like: 3519 /*
3520 * The payload looks like:
3263 * uint8 proto_len; 3521 * uint8 proto_len;
3264 * uint8 proto[proto_len]; 3522 * uint8 proto[proto_len];
3265 * uint8 padding_len; 3523 * uint8 padding_len;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-12 06:17:42 +0000