1 files changed, 256 insertions, 205 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index d7cd37dec8..e9db8e27c2 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.139 2016/10/19 16:38:40 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.140 2016/11/03 13:20:35 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1091,6 +1091,246 @@ err:
        return (ret);
 }
+static int
+ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
+{
+        BN_CTX *bn_ctx = NULL;
+        SESS_CERT *sc = NULL;
+        DH *dh = NULL;
+        int al, i, param_len;
+        unsigned char *p;
+        long alg_a, n;
+        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+        n = *nn;
+        p = *pp;
+        sc = s->session->sess_cert;
+        if ((dh = DH_new()) == NULL) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
+                goto err;
+        }
+        if (2 > n)
+                goto truncated;
+        n2s(p, i);
+        param_len = i + 2;
+        if (param_len > n) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
+                goto f_err;
+        }
+        if (!(dh->p = BN_bin2bn(p, i, NULL))) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                goto err;
+        }
+        p += i;
+        if (param_len + 2 > n)
+                goto truncated;
+        n2s(p, i);
+        param_len += i + 2;
+        if (param_len > n) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
+                goto f_err;
+        }
+        if (!(dh->g = BN_bin2bn(p, i, NULL))) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                goto err;
+        }
+        p += i;
+        if (param_len + 2 > n)
+                goto truncated;
+        n2s(p, i);
+        param_len += i + 2;
+        if (param_len > n) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                    SSL_R_BAD_DH_PUB_KEY_LENGTH);
+                goto f_err;
+        }
+        if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                goto err;
+        }
+        p += i;
+        n -= param_len;
+        /*
+         * Check the strength of the DH key just constructed.
+         * Discard keys weaker than 1024 bits.
+         */
+        if (DH_size(dh) < 1024 / 8) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
+                goto err;
+        }
+        if (alg_a & SSL_aRSA)
+                *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+        else if (alg_a & SSL_aDSS)
+                *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
+        else 
+                /* XXX - Anonymous DH, so no certificate or pkey. */
+                *pkey = NULL;
+        sc->peer_dh_tmp = dh;
+        *nn = n;
+        *pp = p;
+        return (1);
+ truncated:
+        al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+ f_err:
+        ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ err:
+        DH_free(dh);
+        BN_CTX_free(bn_ctx);
+        return (-1);
+}
+static int
+ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
+{
+        EC_POINT *srvr_ecpoint = NULL;
+        EC_KEY *ecdh = NULL;
+        BN_CTX *bn_ctx = NULL;
+        const EC_GROUP *group;
+        EC_GROUP *ngroup;
+        SESS_CERT *sc;
+        unsigned char *p;
+        int al, param_len;
+        long alg_a, n;
+        int curve_nid = 0;
+        int encoded_pt_len = 0;
+        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+        n = *nn;
+        p = *pp;
+        sc = s->session->sess_cert;
+        if ((ecdh = EC_KEY_new()) == NULL) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        /*
+         * Extract elliptic curve parameters and the server's ephemeral ECDH
+         * public key. Keep accumulating lengths of various components in
+         * param_len and make sure it never exceeds n.
+         */
+        /*
+         * XXX: For now we only support named (not generic) curves
+         * and the ECParameters in this case is just three bytes.
+         */
+        param_len = 3;
+        if (param_len > n) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
+                goto f_err;
+        }
+        /*
+         * Check curve is one of our preferences, if not server has
+         * sent an invalid curve.
+         */
+        if (tls1_check_curve(s, p, param_len) != 1) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
+                goto f_err;
+        }
+        if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) {
+                al = SSL_AD_INTERNAL_ERROR;
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                    SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
+                goto f_err;
+        }
+        ngroup = EC_GROUP_new_by_curve_name(curve_nid);
+        if (ngroup == NULL) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
+                goto err;
+        }
+        if (EC_KEY_set_group(ecdh, ngroup) == 0) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
+                goto err;
+        }
+        EC_GROUP_free(ngroup);
+        group = EC_KEY_get0_group(ecdh);
+        p += 3;
+        /* Next, get the encoded ECPoint */
+        if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
+            ((bn_ctx = BN_CTX_new()) == NULL)) {
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+        if (param_len + 1 > n)
+                goto truncated;
+        encoded_pt_len = *p;
+        /* length of encoded point */
+        p += 1;
+        param_len += (1 + encoded_pt_len);
+        if ((param_len > n) || (EC_POINT_oct2point(group, srvr_ecpoint,
+            p, encoded_pt_len, bn_ctx) == 0)) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
+                goto f_err;
+        }
+        n -= param_len;
+        p += encoded_pt_len;
+        /*
+         * The ECC/TLS specification does not mention the use of DSA to sign
+         * ECParameters in the server key exchange message. We do support RSA
+         * and ECDSA.
+         */
+        if (alg_a & SSL_aRSA)
+                *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+        else if (alg_a & SSL_aECDSA)
+                *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509);
+        else
+                /* XXX - Anonymous ECDH, so no certificate or pkey. */
+                *pkey = NULL;
+        EC_KEY_set_public_key(ecdh, srvr_ecpoint);
+        sc->peer_ecdh_tmp = ecdh;
+        BN_CTX_free(bn_ctx);
+        EC_POINT_free(srvr_ecpoint);
+        *nn = n;
+        *pp = p;
+        return (1);
+ truncated:
+        al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+ f_err:
+        ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ err:
+        BN_CTX_free(bn_ctx);
+        EC_POINT_free(srvr_ecpoint);
+        EC_KEY_free(ecdh);
+        return (-1);
+}
 int
 ssl3_get_key_exchange(SSL *s)
 {
@@ -1102,12 +1342,6 @@ ssl3_get_key_exchange(SSL *s)
        EVP_PKEY        *pkey = NULL;
        const            EVP_MD *md = NULL;
        RSA             *rsa = NULL;
-        DH              *dh = NULL;
-        EC_KEY          *ecdh = NULL;
-        BN_CTX          *bn_ctx = NULL;
-        EC_POINT        *srvr_ecpoint = NULL;
-        int              curve_nid = 0;
-        int              encoded_pt_len = 0;
        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -1153,206 +1387,21 @@ ssl3_get_key_exchange(SSL *s)
        }
        param = p = (unsigned char *)s->init_msg;
-        param_len = 0;
+        param_len = n;
        if (alg_k & SSL_kDHE) {
-                if ((dh = DH_new()) == NULL) {
+                if (ssl3_get_server_kex_dhe(s, &pkey, &p, &n) != 1)
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_DH_LIB);
-                        goto err;
-                }
-                if (2 > n)
-                        goto truncated;
-                n2s(p, i);
-                param_len = i + 2;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_DH_P_LENGTH);
-                        goto f_err;
-                }
-                if (!(dh->p = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
-                        goto err;
-                }
-                p += i;
-                if (param_len + 2 > n)
-                        goto truncated;
-                n2s(p, i);
-                param_len += i + 2;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_DH_G_LENGTH);
-                        goto f_err;
-                }
-                if (!(dh->g = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
                        goto err;
-                }
-                p += i;
-                if (param_len + 2 > n)
-                        goto truncated;
-                n2s(p, i);
-                param_len += i + 2;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_DH_PUB_KEY_LENGTH);
-                        goto f_err;
-                }
-                if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
-                        goto err;
-                }
-                p += i;
-                n -= param_len;
-                /*
-                 * Check the strength of the DH key just constructed.
-                 * Discard keys weaker than 1024 bits.
-                 */
-                if (DH_size(dh) < 1024 / 8) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_DH_P_LENGTH);
-                        goto err;
-                }
-                if (alg_a & SSL_aRSA)
-                        pkey = X509_get_pubkey(
-                            s->session->sess_cert->peer_pkeys[
-                            SSL_PKEY_RSA_ENC].x509);
-                else if (alg_a & SSL_aDSS)
-                        pkey = X509_get_pubkey(
-                            s->session->sess_cert->peer_pkeys[
-                            SSL_PKEY_DSA_SIGN].x509);
-                /* else anonymous DH, so no certificate or pkey. */
-                s->session->sess_cert->peer_dh_tmp = dh;
-                dh = NULL;
        } else if (alg_k & SSL_kECDHE) {
-                const EC_GROUP *group;
+                if (ssl3_get_server_kex_ecdhe(s, &pkey, &p, &n) != 1)
-                EC_GROUP *ngroup;
-                if ((ecdh = EC_KEY_new()) == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_MALLOC_FAILURE);
-                        goto err;
-                }
-                /*
-                 * Extract elliptic curve parameters and the
-                 * server's ephemeral ECDH public key.
-                 * Keep accumulating lengths of various components in
-                 * param_len and make sure it never exceeds n.
-                 */
-                /*
-                 * XXX: For now we only support named (not generic) curves
-                 * and the ECParameters in this case is just three bytes.
-                 */
-                param_len = 3;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_LENGTH_TOO_SHORT);
-                        goto f_err;
-                }
-                /*
-                 * Check curve is one of our preferences, if not server has
-                 * sent an invalid curve.
-                 */
-                if (tls1_check_curve(s, p, param_len) != 1) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
-                        goto f_err;
-                }
-                if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) {
-                        al = SSL_AD_INTERNAL_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
-                        goto f_err;
-                }
-                ngroup = EC_GROUP_new_by_curve_name(curve_nid);
-                if (ngroup == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_EC_LIB);
-                        goto err;
-                }
-                if (EC_KEY_set_group(ecdh, ngroup) == 0) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_EC_LIB);
-                        goto err;
-                }
-                EC_GROUP_free(ngroup);
-                group = EC_KEY_get0_group(ecdh);
-                p += 3;
-                /* Next, get the encoded ECPoint */
-                if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
-                    ((bn_ctx = BN_CTX_new()) == NULL)) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_MALLOC_FAILURE);
                        goto err;
-                }
+        } else if (alg_k != 0) {
-                if (param_len + 1 > n)
-                        goto truncated;
-                encoded_pt_len = *p;
-                /* length of encoded point */
-                p += 1;
-                param_len += (1 + encoded_pt_len);
-                if ((param_len > n) || (EC_POINT_oct2point(group, srvr_ecpoint,
-                    p, encoded_pt_len, bn_ctx) == 0)) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_ECPOINT);
-                        goto f_err;
-                }
-                n -= param_len;
-                p += encoded_pt_len;
-                /*
-                 * The ECC/TLS specification does not mention the use
-                 * of DSA to sign ECParameters in the server key
-                 * exchange message. We do support RSA and ECDSA.
-                 */
-                if (alg_a & SSL_aRSA)
-                        pkey = X509_get_pubkey(
-                            s->session->sess_cert->peer_pkeys[
-                            SSL_PKEY_RSA_ENC].x509);
-                else if (alg_a & SSL_aECDSA)
-                        pkey = X509_get_pubkey(
-                            s->session->sess_cert->peer_pkeys[
-                            SSL_PKEY_ECC].x509);
-                /* Else anonymous ECDH, so no certificate or pkey. */
-                EC_KEY_set_public_key(ecdh, srvr_ecpoint);
-                s->session->sess_cert->peer_ecdh_tmp = ecdh;
-                ecdh = NULL;
-                BN_CTX_free(bn_ctx);
-                bn_ctx = NULL;
-                EC_POINT_free(srvr_ecpoint);
-                srvr_ecpoint = NULL;
-        } else if (alg_k) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
-                    SSL_R_UNEXPECTED_MESSAGE);
                        goto f_err;
        }
-        /* p points to the next byte, there are 'n' bytes left */
+        param_len = param_len - n;
        /* if it was signed, check the signature */
        if (pkey != NULL) {
@@ -1471,23 +1520,25 @@ ssl3_get_key_exchange(SSL *s)
                        goto f_err;
                }
        }
        EVP_PKEY_free(pkey);
        EVP_MD_CTX_cleanup(&md_ctx);
        return (1);
-truncated:
+ truncated:
        /* wrong packet length */
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
-f_err:
+ f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
-err:
+ err:
        EVP_PKEY_free(pkey);
        RSA_free(rsa);
-        DH_free(dh);
-        BN_CTX_free(bn_ctx);
-        EC_POINT_free(srvr_ecpoint);
-        EC_KEY_free(ecdh);
        EVP_MD_CTX_cleanup(&md_ctx);
        return (-1);
 }

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index d7cd37dec8..e9db8e27c2 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.139 2016/10/19 16:38:40 jsing Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.140 2016/11/03 13:20:35 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1091,6 +1091,246 @@ err:
1091	return (ret);	1091	return (ret);
1092	}	1092	}
1093		1093
		1094	static int
		1095	ssl3_get_server_kex_dhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
		1096	{
		1097	BN_CTX *bn_ctx = NULL;
		1098	SESS_CERT *sc = NULL;
		1099	DH *dh = NULL;
		1100	int al, i, param_len;
		1101	unsigned char *p;
		1102	long alg_a, n;
		1103
		1104	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
		1105	n = *nn;
		1106	p = *pp;
		1107	sc = s->session->sess_cert;
		1108
		1109	if ((dh = DH_new()) == NULL) {
		1110	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
		1111	goto err;
		1112	}
		1113	if (2 > n)
		1114	goto truncated;
		1115	n2s(p, i);
		1116	param_len = i + 2;
		1117	if (param_len > n) {
		1118	al = SSL_AD_DECODE_ERROR;
		1119	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
		1120	goto f_err;
		1121	}
		1122	if (!(dh->p = BN_bin2bn(p, i, NULL))) {
		1123	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		1124	goto err;
		1125	}
		1126	p += i;
		1127
		1128	if (param_len + 2 > n)
		1129	goto truncated;
		1130	n2s(p, i);
		1131	param_len += i + 2;
		1132	if (param_len > n) {
		1133	al = SSL_AD_DECODE_ERROR;
		1134	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH);
		1135	goto f_err;
		1136	}
		1137	if (!(dh->g = BN_bin2bn(p, i, NULL))) {
		1138	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		1139	goto err;
		1140	}
		1141	p += i;
		1142
		1143	if (param_len + 2 > n)
		1144	goto truncated;
		1145	n2s(p, i);
		1146	param_len += i + 2;
		1147	if (param_len > n) {
		1148	al = SSL_AD_DECODE_ERROR;
		1149	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
		1150	SSL_R_BAD_DH_PUB_KEY_LENGTH);
		1151	goto f_err;
		1152	}
		1153	if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
		1154	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		1155	goto err;
		1156	}
		1157	p += i;
		1158	n -= param_len;
		1159
		1160	/*
		1161	* Check the strength of the DH key just constructed.
		1162	* Discard keys weaker than 1024 bits.
		1163	*/
		1164	if (DH_size(dh) < 1024 / 8) {
		1165	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
		1166	goto err;
		1167	}
		1168
		1169	if (alg_a & SSL_aRSA)
		1170	*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
		1171	else if (alg_a & SSL_aDSS)
		1172	*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
		1173	else
		1174	/* XXX - Anonymous DH, so no certificate or pkey. */
		1175	*pkey = NULL;
		1176
		1177	sc->peer_dh_tmp = dh;
		1178
		1179	*nn = n;
		1180	*pp = p;
		1181
		1182	return (1);
		1183
		1184	truncated:
		1185	al = SSL_AD_DECODE_ERROR;
		1186	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
		1187
		1188	f_err:
		1189	ssl3_send_alert(s, SSL3_AL_FATAL, al);
		1190
		1191	err:
		1192	DH_free(dh);
		1193	BN_CTX_free(bn_ctx);
		1194
		1195	return (-1);
		1196	}
		1197
		1198	static int
		1199	ssl3_get_server_kex_ecdhe(SSL s, EVP_PKEY pkey, unsigned char pp, long nn)
		1200	{
		1201	EC_POINT *srvr_ecpoint = NULL;
		1202	EC_KEY *ecdh = NULL;
		1203	BN_CTX *bn_ctx = NULL;
		1204	const EC_GROUP *group;
		1205	EC_GROUP *ngroup;
		1206	SESS_CERT *sc;
		1207	unsigned char *p;
		1208	int al, param_len;
		1209	long alg_a, n;
		1210	int curve_nid = 0;
		1211	int encoded_pt_len = 0;
		1212
		1213	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
		1214	n = *nn;
		1215	p = *pp;
		1216	sc = s->session->sess_cert;
		1217
		1218	if ((ecdh = EC_KEY_new()) == NULL) {
		1219	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
		1220	goto err;
		1221	}
		1222
		1223	/*
		1224	* Extract elliptic curve parameters and the server's ephemeral ECDH
		1225	* public key. Keep accumulating lengths of various components in
		1226	* param_len and make sure it never exceeds n.
		1227	*/
		1228
		1229	/*
		1230	* XXX: For now we only support named (not generic) curves
		1231	* and the ECParameters in this case is just three bytes.
		1232	*/
		1233	param_len = 3;
		1234	if (param_len > n) {
		1235	al = SSL_AD_DECODE_ERROR;
		1236	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
		1237	goto f_err;
		1238	}
		1239
		1240	/*
		1241	* Check curve is one of our preferences, if not server has
		1242	* sent an invalid curve.
		1243	*/
		1244	if (tls1_check_curve(s, p, param_len) != 1) {
		1245	al = SSL_AD_DECODE_ERROR;
		1246	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
		1247	goto f_err;
		1248	}
		1249
		1250	if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) {
		1251	al = SSL_AD_INTERNAL_ERROR;
		1252	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
		1253	SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
		1254	goto f_err;
		1255	}
		1256
		1257	ngroup = EC_GROUP_new_by_curve_name(curve_nid);
		1258	if (ngroup == NULL) {
		1259	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
		1260	goto err;
		1261	}
		1262	if (EC_KEY_set_group(ecdh, ngroup) == 0) {
		1263	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
		1264	goto err;
		1265	}
		1266	EC_GROUP_free(ngroup);
		1267
		1268	group = EC_KEY_get0_group(ecdh);
		1269
		1270	p += 3;
		1271
		1272	/* Next, get the encoded ECPoint */
		1273	if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) \|\|
		1274	((bn_ctx = BN_CTX_new()) == NULL)) {
		1275	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
		1276	goto err;
		1277	}
		1278
		1279	if (param_len + 1 > n)
		1280	goto truncated;
		1281	encoded_pt_len = *p;
		1282	/* length of encoded point */
		1283	p += 1;
		1284	param_len += (1 + encoded_pt_len);
		1285	if ((param_len > n) \|\| (EC_POINT_oct2point(group, srvr_ecpoint,
		1286	p, encoded_pt_len, bn_ctx) == 0)) {
		1287	al = SSL_AD_DECODE_ERROR;
		1288	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
		1289	goto f_err;
		1290	}
		1291
		1292	n -= param_len;
		1293	p += encoded_pt_len;
		1294
		1295	/*
		1296	* The ECC/TLS specification does not mention the use of DSA to sign
		1297	* ECParameters in the server key exchange message. We do support RSA
		1298	* and ECDSA.
		1299	*/
		1300	if (alg_a & SSL_aRSA)
		1301	*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
		1302	else if (alg_a & SSL_aECDSA)
		1303	*pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509);
		1304	else
		1305	/* XXX - Anonymous ECDH, so no certificate or pkey. */
		1306	*pkey = NULL;
		1307
		1308	EC_KEY_set_public_key(ecdh, srvr_ecpoint);
		1309	sc->peer_ecdh_tmp = ecdh;
		1310
		1311	BN_CTX_free(bn_ctx);
		1312	EC_POINT_free(srvr_ecpoint);
		1313
		1314	*nn = n;
		1315	*pp = p;
		1316
		1317	return (1);
		1318
		1319	truncated:
		1320	al = SSL_AD_DECODE_ERROR;
		1321	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
		1322
		1323	f_err:
		1324	ssl3_send_alert(s, SSL3_AL_FATAL, al);
		1325
		1326	err:
		1327	BN_CTX_free(bn_ctx);
		1328	EC_POINT_free(srvr_ecpoint);
		1329	EC_KEY_free(ecdh);
		1330
		1331	return (-1);
		1332	}
		1333
1094	int	1334	int
1095	ssl3_get_key_exchange(SSL *s)	1335	ssl3_get_key_exchange(SSL *s)
1096	{	1336	{
@@ -1102,12 +1342,6 @@ ssl3_get_key_exchange(SSL *s)
1102	EVP_PKEY *pkey = NULL;	1342	EVP_PKEY *pkey = NULL;
1103	const EVP_MD *md = NULL;	1343	const EVP_MD *md = NULL;
1104	RSA *rsa = NULL;	1344	RSA *rsa = NULL;
1105	DH *dh = NULL;
1106	EC_KEY *ecdh = NULL;
1107	BN_CTX *bn_ctx = NULL;
1108	EC_POINT *srvr_ecpoint = NULL;
1109	int curve_nid = 0;
1110	int encoded_pt_len = 0;
1111		1345
1112	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;	1346	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1113	alg_a = s->s3->tmp.new_cipher->algorithm_auth;	1347	alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -1153,206 +1387,21 @@ ssl3_get_key_exchange(SSL *s)
1153	}	1387	}
1154		1388
1155	param = p = (unsigned char *)s->init_msg;	1389	param = p = (unsigned char *)s->init_msg;
1156	param_len = 0;	1390	param_len = n;
1157		1391
1158	if (alg_k & SSL_kDHE) {	1392	if (alg_k & SSL_kDHE) {
1159	if ((dh = DH_new()) == NULL) {	1393	if (ssl3_get_server_kex_dhe(s, &pkey, &p, &n) != 1)
1160	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1161	ERR_R_DH_LIB);
1162	goto err;
1163	}
1164	if (2 > n)
1165	goto truncated;
1166	n2s(p, i);
1167	param_len = i + 2;
1168	if (param_len > n) {
1169	al = SSL_AD_DECODE_ERROR;
1170	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1171	SSL_R_BAD_DH_P_LENGTH);
1172	goto f_err;
1173	}
1174	if (!(dh->p = BN_bin2bn(p, i, NULL))) {
1175	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1176	ERR_R_BN_LIB);
1177	goto err;
1178	}
1179	p += i;
1180
1181	if (param_len + 2 > n)
1182	goto truncated;
1183	n2s(p, i);
1184	param_len += i + 2;
1185	if (param_len > n) {
1186	al = SSL_AD_DECODE_ERROR;
1187	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1188	SSL_R_BAD_DH_G_LENGTH);
1189	goto f_err;
1190	}
1191	if (!(dh->g = BN_bin2bn(p, i, NULL))) {
1192	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1193	ERR_R_BN_LIB);
1194	goto err;	1394	goto err;
1195	}
1196	p += i;
1197
1198	if (param_len + 2 > n)
1199	goto truncated;
1200	n2s(p, i);
1201	param_len += i + 2;
1202	if (param_len > n) {
1203	al = SSL_AD_DECODE_ERROR;
1204	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1205	SSL_R_BAD_DH_PUB_KEY_LENGTH);
1206	goto f_err;
1207	}
1208	if (!(dh->pub_key = BN_bin2bn(p, i, NULL))) {
1209	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1210	ERR_R_BN_LIB);
1211	goto err;
1212	}
1213	p += i;
1214	n -= param_len;
1215
1216	/*
1217	* Check the strength of the DH key just constructed.
1218	* Discard keys weaker than 1024 bits.
1219	*/
1220
1221	if (DH_size(dh) < 1024 / 8) {
1222	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1223	SSL_R_BAD_DH_P_LENGTH);
1224	goto err;
1225	}
1226
1227	if (alg_a & SSL_aRSA)
1228	pkey = X509_get_pubkey(
1229	s->session->sess_cert->peer_pkeys[
1230	SSL_PKEY_RSA_ENC].x509);
1231	else if (alg_a & SSL_aDSS)
1232	pkey = X509_get_pubkey(
1233	s->session->sess_cert->peer_pkeys[
1234	SSL_PKEY_DSA_SIGN].x509);
1235	/* else anonymous DH, so no certificate or pkey. */
1236
1237	s->session->sess_cert->peer_dh_tmp = dh;
1238	dh = NULL;
1239	} else if (alg_k & SSL_kECDHE) {	1395	} else if (alg_k & SSL_kECDHE) {
1240	const EC_GROUP *group;	1396	if (ssl3_get_server_kex_ecdhe(s, &pkey, &p, &n) != 1)
1241	EC_GROUP *ngroup;
1242
1243	if ((ecdh = EC_KEY_new()) == NULL) {
1244	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1245	ERR_R_MALLOC_FAILURE);
1246	goto err;
1247	}
1248
1249	/*
1250	* Extract elliptic curve parameters and the
1251	* server's ephemeral ECDH public key.
1252	* Keep accumulating lengths of various components in
1253	* param_len and make sure it never exceeds n.
1254	*/
1255
1256	/*
1257	* XXX: For now we only support named (not generic) curves
1258	* and the ECParameters in this case is just three bytes.
1259	*/
1260	param_len = 3;
1261	if (param_len > n) {
1262	al = SSL_AD_DECODE_ERROR;
1263	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1264	SSL_R_LENGTH_TOO_SHORT);
1265	goto f_err;
1266	}
1267
1268	/*
1269	* Check curve is one of our preferences, if not server has
1270	* sent an invalid curve.
1271	*/
1272	if (tls1_check_curve(s, p, param_len) != 1) {
1273	al = SSL_AD_DECODE_ERROR;
1274	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
1275	goto f_err;
1276	}
1277
1278	if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) {
1279	al = SSL_AD_INTERNAL_ERROR;
1280	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1281	SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1282	goto f_err;
1283	}
1284
1285	ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1286	if (ngroup == NULL) {
1287	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1288	ERR_R_EC_LIB);
1289	goto err;
1290	}
1291	if (EC_KEY_set_group(ecdh, ngroup) == 0) {
1292	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1293	ERR_R_EC_LIB);
1294	goto err;
1295	}
1296	EC_GROUP_free(ngroup);
1297
1298	group = EC_KEY_get0_group(ecdh);
1299
1300	p += 3;
1301
1302	/* Next, get the encoded ECPoint */
1303	if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) \|\|
1304	((bn_ctx = BN_CTX_new()) == NULL)) {
1305	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1306	ERR_R_MALLOC_FAILURE);
1307	goto err;	1397	goto err;
1308	}	1398	} else if (alg_k != 0) {
1309
1310	if (param_len + 1 > n)
1311	goto truncated;
1312	encoded_pt_len = *p;
1313	/* length of encoded point */
1314	p += 1;
1315	param_len += (1 + encoded_pt_len);
1316	if ((param_len > n) \|\| (EC_POINT_oct2point(group, srvr_ecpoint,
1317	p, encoded_pt_len, bn_ctx) == 0)) {
1318	al = SSL_AD_DECODE_ERROR;
1319	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1320	SSL_R_BAD_ECPOINT);
1321	goto f_err;
1322	}
1323
1324	n -= param_len;
1325	p += encoded_pt_len;
1326
1327	/*
1328	* The ECC/TLS specification does not mention the use
1329	* of DSA to sign ECParameters in the server key
1330	* exchange message. We do support RSA and ECDSA.
1331	*/
1332	if (alg_a & SSL_aRSA)
1333	pkey = X509_get_pubkey(
1334	s->session->sess_cert->peer_pkeys[
1335	SSL_PKEY_RSA_ENC].x509);
1336	else if (alg_a & SSL_aECDSA)
1337	pkey = X509_get_pubkey(
1338	s->session->sess_cert->peer_pkeys[
1339	SSL_PKEY_ECC].x509);
1340	/* Else anonymous ECDH, so no certificate or pkey. */
1341	EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1342	s->session->sess_cert->peer_ecdh_tmp = ecdh;
1343	ecdh = NULL;
1344	BN_CTX_free(bn_ctx);
1345	bn_ctx = NULL;
1346	EC_POINT_free(srvr_ecpoint);
1347	srvr_ecpoint = NULL;
1348	} else if (alg_k) {
1349	al = SSL_AD_UNEXPECTED_MESSAGE;	1399	al = SSL_AD_UNEXPECTED_MESSAGE;
1350	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,	1400	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1351	SSL_R_UNEXPECTED_MESSAGE);
1352	goto f_err;	1401	goto f_err;
1353	}	1402	}
1354		1403
1355	/* p points to the next byte, there are 'n' bytes left */	1404	param_len = param_len - n;
1356		1405
1357	/* if it was signed, check the signature */	1406	/* if it was signed, check the signature */
1358	if (pkey != NULL) {	1407	if (pkey != NULL) {
@@ -1471,23 +1520,25 @@ ssl3_get_key_exchange(SSL *s)
1471	goto f_err;	1520	goto f_err;
1472	}	1521	}
1473	}	1522	}
		1523
1474	EVP_PKEY_free(pkey);	1524	EVP_PKEY_free(pkey);
1475	EVP_MD_CTX_cleanup(&md_ctx);	1525	EVP_MD_CTX_cleanup(&md_ctx);
		1526
1476	return (1);	1527	return (1);
1477	truncated:	1528
		1529	truncated:
1478	/* wrong packet length */	1530	/* wrong packet length */
1479	al = SSL_AD_DECODE_ERROR;	1531	al = SSL_AD_DECODE_ERROR;
1480	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);	1532	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
1481	f_err:	1533
		1534	f_err:
1482	ssl3_send_alert(s, SSL3_AL_FATAL, al);	1535	ssl3_send_alert(s, SSL3_AL_FATAL, al);
1483	err:	1536
		1537	err:
1484	EVP_PKEY_free(pkey);	1538	EVP_PKEY_free(pkey);
1485	RSA_free(rsa);	1539	RSA_free(rsa);
1486	DH_free(dh);
1487	BN_CTX_free(bn_ctx);
1488	EC_POINT_free(srvr_ecpoint);
1489	EC_KEY_free(ecdh);
1490	EVP_MD_CTX_cleanup(&md_ctx);	1540	EVP_MD_CTX_cleanup(&md_ctx);
		1541
1491	return (-1);	1542	return (-1);
1492	}	1543	}
1493		1544