Tue Aug 10 11:01:01 2010 UTC ()
fix a double free() in error case, see the thread
"openssl-1.0.0a and glibc detected sthg ;)" in openssl-dev.
I was getting a SEGV with the example posted there.


(drochner)
diff -r1.1.1.2 -r1.2 src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c
cvs diff -r1.1.1.2 -r1.2 src/crypto/external/bsd/openssl/dist/ssl/Attic/s3_clnt.c (switch to unified diff)

--- src/crypto/external/bsd/openssl/dist/ssl/Attic/s3_clnt.c 2009/12/26 23:34:23 1.1.1.2
+++ src/crypto/external/bsd/openssl/dist/ssl/Attic/s3_clnt.c 2010/08/10 11:01:00 1.2
@@ -493,1998 +493,1999 @@ int ssl3_connect(SSL *s) @@ -493,1998 +493,1999 @@ int ssl3_connect(SSL *s)
493 ret=ssl3_get_new_session_ticket(s); 493 ret=ssl3_get_new_session_ticket(s);
494 if (ret <= 0) goto end; 494 if (ret <= 0) goto end;
495 s->state=SSL3_ST_CR_FINISHED_A; 495 s->state=SSL3_ST_CR_FINISHED_A;
496 s->init_num=0; 496 s->init_num=0;
497 break; 497 break;
498 498
499 case SSL3_ST_CR_CERT_STATUS_A: 499 case SSL3_ST_CR_CERT_STATUS_A:
500 case SSL3_ST_CR_CERT_STATUS_B: 500 case SSL3_ST_CR_CERT_STATUS_B:
501 ret=ssl3_get_cert_status(s); 501 ret=ssl3_get_cert_status(s);
502 if (ret <= 0) goto end; 502 if (ret <= 0) goto end;
503 s->state=SSL3_ST_CR_KEY_EXCH_A; 503 s->state=SSL3_ST_CR_KEY_EXCH_A;
504 s->init_num=0; 504 s->init_num=0;
505 break; 505 break;
506#endif 506#endif
507 507
508 case SSL3_ST_CR_FINISHED_A: 508 case SSL3_ST_CR_FINISHED_A:
509 case SSL3_ST_CR_FINISHED_B: 509 case SSL3_ST_CR_FINISHED_B:
510 510
511 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 511 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
512 SSL3_ST_CR_FINISHED_B); 512 SSL3_ST_CR_FINISHED_B);
513 if (ret <= 0) goto end; 513 if (ret <= 0) goto end;
514 514
515 if (s->hit) 515 if (s->hit)
516 s->state=SSL3_ST_CW_CHANGE_A; 516 s->state=SSL3_ST_CW_CHANGE_A;
517 else 517 else
518 s->state=SSL_ST_OK; 518 s->state=SSL_ST_OK;
519 s->init_num=0; 519 s->init_num=0;
520 break; 520 break;
521 521
522 case SSL3_ST_CW_FLUSH: 522 case SSL3_ST_CW_FLUSH:
523 /* number of bytes to be flushed */ 523 /* number of bytes to be flushed */
524 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 524 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
525 if (num1 > 0) 525 if (num1 > 0)
526 { 526 {
527 s->rwstate=SSL_WRITING; 527 s->rwstate=SSL_WRITING;
528 num1=BIO_flush(s->wbio); 528 num1=BIO_flush(s->wbio);
529 if (num1 <= 0) { ret= -1; goto end; } 529 if (num1 <= 0) { ret= -1; goto end; }
530 s->rwstate=SSL_NOTHING; 530 s->rwstate=SSL_NOTHING;
531 } 531 }
532 532
533 s->state=s->s3->tmp.next_state; 533 s->state=s->s3->tmp.next_state;
534 break; 534 break;
535 535
536 case SSL_ST_OK: 536 case SSL_ST_OK:
537 /* clean a few things up */ 537 /* clean a few things up */
538 ssl3_cleanup_key_block(s); 538 ssl3_cleanup_key_block(s);
539 539
540 if (s->init_buf != NULL) 540 if (s->init_buf != NULL)
541 { 541 {
542 BUF_MEM_free(s->init_buf); 542 BUF_MEM_free(s->init_buf);
543 s->init_buf=NULL; 543 s->init_buf=NULL;
544 } 544 }
545 545
546 /* If we are not 'joining' the last two packets, 546 /* If we are not 'joining' the last two packets,
547 * remove the buffering now */ 547 * remove the buffering now */
548 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 548 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
549 ssl_free_wbio_buffer(s); 549 ssl_free_wbio_buffer(s);
550 /* else do it later in ssl3_write */ 550 /* else do it later in ssl3_write */
551 551
552 s->init_num=0; 552 s->init_num=0;
553 s->new_session=0; 553 s->new_session=0;
554 554
555 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 555 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
556 if (s->hit) s->ctx->stats.sess_hit++; 556 if (s->hit) s->ctx->stats.sess_hit++;
557 557
558 ret=1; 558 ret=1;
559 /* s->server=0; */ 559 /* s->server=0; */
560 s->handshake_func=ssl3_connect; 560 s->handshake_func=ssl3_connect;
561 s->ctx->stats.sess_connect_good++; 561 s->ctx->stats.sess_connect_good++;
562 562
563 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 563 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
564 564
565 goto end; 565 goto end;
566 /* break; */ 566 /* break; */
567  567
568 default: 568 default:
569 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); 569 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
570 ret= -1; 570 ret= -1;
571 goto end; 571 goto end;
572 /* break; */ 572 /* break; */
573 } 573 }
574 574
575 /* did we do anything */ 575 /* did we do anything */
576 if (!s->s3->tmp.reuse_message && !skip) 576 if (!s->s3->tmp.reuse_message && !skip)
577 { 577 {
578 if (s->debug) 578 if (s->debug)
579 { 579 {
580 if ((ret=BIO_flush(s->wbio)) <= 0) 580 if ((ret=BIO_flush(s->wbio)) <= 0)
581 goto end; 581 goto end;
582 } 582 }
583 583
584 if ((cb != NULL) && (s->state != state)) 584 if ((cb != NULL) && (s->state != state))
585 { 585 {
586 new_state=s->state; 586 new_state=s->state;
587 s->state=state; 587 s->state=state;
588 cb(s,SSL_CB_CONNECT_LOOP,1); 588 cb(s,SSL_CB_CONNECT_LOOP,1);
589 s->state=new_state; 589 s->state=new_state;
590 } 590 }
591 } 591 }
592 skip=0; 592 skip=0;
593 } 593 }
594end: 594end:
595 s->in_handshake--; 595 s->in_handshake--;
596 if (buf != NULL) 596 if (buf != NULL)
597 BUF_MEM_free(buf); 597 BUF_MEM_free(buf);
598 if (cb != NULL) 598 if (cb != NULL)
599 cb(s,SSL_CB_CONNECT_EXIT,ret); 599 cb(s,SSL_CB_CONNECT_EXIT,ret);
600 return(ret); 600 return(ret);
601 } 601 }
602 602
603 603
604int ssl3_client_hello(SSL *s) 604int ssl3_client_hello(SSL *s)
605 { 605 {
606 unsigned char *buf; 606 unsigned char *buf;
607 unsigned char *p,*d; 607 unsigned char *p,*d;
608 int i; 608 int i;
609 unsigned long Time,l; 609 unsigned long Time,l;
610#ifndef OPENSSL_NO_COMP 610#ifndef OPENSSL_NO_COMP
611 int j; 611 int j;
612 SSL_COMP *comp; 612 SSL_COMP *comp;
613#endif 613#endif
614 614
615 buf=(unsigned char *)s->init_buf->data; 615 buf=(unsigned char *)s->init_buf->data;
616 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 616 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
617 { 617 {
618 SSL_SESSION *sess = s->session; 618 SSL_SESSION *sess = s->session;
619 if ((sess == NULL) || 619 if ((sess == NULL) ||
620 (sess->ssl_version != s->version) || 620 (sess->ssl_version != s->version) ||
621#ifdef OPENSSL_NO_TLSEXT 621#ifdef OPENSSL_NO_TLSEXT
622 !sess->session_id_length || 622 !sess->session_id_length ||
623#else 623#else
624 (!sess->session_id_length && !sess->tlsext_tick) || 624 (!sess->session_id_length && !sess->tlsext_tick) ||
625#endif 625#endif
626 (sess->not_resumable)) 626 (sess->not_resumable))
627 { 627 {
628 if (!ssl_get_new_session(s,0)) 628 if (!ssl_get_new_session(s,0))
629 goto err; 629 goto err;
630 } 630 }
631 /* else use the pre-loaded session */ 631 /* else use the pre-loaded session */
632 632
633 p=s->s3->client_random; 633 p=s->s3->client_random;
634 Time=(unsigned long)time(NULL); /* Time */ 634 Time=(unsigned long)time(NULL); /* Time */
635 l2n(Time,p); 635 l2n(Time,p);
636 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 636 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
637 goto err; 637 goto err;
638 638
639 /* Do the message type and length last */ 639 /* Do the message type and length last */
640 d=p= &(buf[4]); 640 d=p= &(buf[4]);
641 641
642 *(p++)=s->version>>8; 642 *(p++)=s->version>>8;
643 *(p++)=s->version&0xff; 643 *(p++)=s->version&0xff;
644 s->client_version=s->version; 644 s->client_version=s->version;
645 645
646 /* Random stuff */ 646 /* Random stuff */
647 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 647 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
648 p+=SSL3_RANDOM_SIZE; 648 p+=SSL3_RANDOM_SIZE;
649 649
650 /* Session ID */ 650 /* Session ID */
651 if (s->new_session) 651 if (s->new_session)
652 i=0; 652 i=0;
653 else 653 else
654 i=s->session->session_id_length; 654 i=s->session->session_id_length;
655 *(p++)=i; 655 *(p++)=i;
656 if (i != 0) 656 if (i != 0)
657 { 657 {
658 if (i > (int)sizeof(s->session->session_id)) 658 if (i > (int)sizeof(s->session->session_id))
659 { 659 {
660 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 660 SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
661 goto err; 661 goto err;
662 } 662 }
663 memcpy(p,s->session->session_id,i); 663 memcpy(p,s->session->session_id,i);
664 p+=i; 664 p+=i;
665 } 665 }
666  666
667 /* Ciphers supported */ 667 /* Ciphers supported */
668 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 668 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
669 if (i == 0) 669 if (i == 0)
670 { 670 {
671 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 671 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
672 goto err; 672 goto err;
673 } 673 }
674 s2n(i,p); 674 s2n(i,p);
675 p+=i; 675 p+=i;
676 676
677 /* COMPRESSION */ 677 /* COMPRESSION */
678#ifdef OPENSSL_NO_COMP 678#ifdef OPENSSL_NO_COMP
679 *(p++)=1; 679 *(p++)=1;
680#else 680#else
681 681
682 if ((s->options & SSL_OP_NO_COMPRESSION) 682 if ((s->options & SSL_OP_NO_COMPRESSION)
683 || !s->ctx->comp_methods) 683 || !s->ctx->comp_methods)
684 j=0; 684 j=0;
685 else 685 else
686 j=sk_SSL_COMP_num(s->ctx->comp_methods); 686 j=sk_SSL_COMP_num(s->ctx->comp_methods);
687 *(p++)=1+j; 687 *(p++)=1+j;
688 for (i=0; i<j; i++) 688 for (i=0; i<j; i++)
689 { 689 {
690 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 690 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
691 *(p++)=comp->id; 691 *(p++)=comp->id;
692 } 692 }
693#endif 693#endif
694 *(p++)=0; /* Add the NULL method */ 694 *(p++)=0; /* Add the NULL method */
695 695
696#ifndef OPENSSL_NO_TLSEXT 696#ifndef OPENSSL_NO_TLSEXT
697 /* TLS extensions*/ 697 /* TLS extensions*/
698 if (ssl_prepare_clienthello_tlsext(s) <= 0) 698 if (ssl_prepare_clienthello_tlsext(s) <= 0)
699 { 699 {
700 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 700 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
701 goto err; 701 goto err;
702 } 702 }
703 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 703 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
704 { 704 {
705 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 705 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
706 goto err; 706 goto err;
707 } 707 }
708#endif 708#endif
709  709
710 l=(p-d); 710 l=(p-d);
711 d=buf; 711 d=buf;
712 *(d++)=SSL3_MT_CLIENT_HELLO; 712 *(d++)=SSL3_MT_CLIENT_HELLO;
713 l2n3(l,d); 713 l2n3(l,d);
714 714
715 s->state=SSL3_ST_CW_CLNT_HELLO_B; 715 s->state=SSL3_ST_CW_CLNT_HELLO_B;
716 /* number of bytes to write */ 716 /* number of bytes to write */
717 s->init_num=p-buf; 717 s->init_num=p-buf;
718 s->init_off=0; 718 s->init_off=0;
719 } 719 }
720 720
721 /* SSL3_ST_CW_CLNT_HELLO_B */ 721 /* SSL3_ST_CW_CLNT_HELLO_B */
722 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 722 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
723err: 723err:
724 return(-1); 724 return(-1);
725 } 725 }
726 726
727int ssl3_get_server_hello(SSL *s) 727int ssl3_get_server_hello(SSL *s)
728 { 728 {
729 STACK_OF(SSL_CIPHER) *sk; 729 STACK_OF(SSL_CIPHER) *sk;
730 const SSL_CIPHER *c; 730 const SSL_CIPHER *c;
731 unsigned char *p,*d; 731 unsigned char *p,*d;
732 int i,al,ok; 732 int i,al,ok;
733 unsigned int j; 733 unsigned int j;
734 long n; 734 long n;
735#ifndef OPENSSL_NO_COMP 735#ifndef OPENSSL_NO_COMP
736 SSL_COMP *comp; 736 SSL_COMP *comp;
737#endif 737#endif
738 738
739 n=s->method->ssl_get_message(s, 739 n=s->method->ssl_get_message(s,
740 SSL3_ST_CR_SRVR_HELLO_A, 740 SSL3_ST_CR_SRVR_HELLO_A,
741 SSL3_ST_CR_SRVR_HELLO_B, 741 SSL3_ST_CR_SRVR_HELLO_B,
742 -1, 742 -1,
743 20000, /* ?? */ 743 20000, /* ?? */
744 &ok); 744 &ok);
745 745
746 if (!ok) return((int)n); 746 if (!ok) return((int)n);
747 747
748 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) 748 if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
749 { 749 {
750 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) 750 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
751 { 751 {
752 if ( s->d1->send_cookie == 0) 752 if ( s->d1->send_cookie == 0)
753 { 753 {
754 s->s3->tmp.reuse_message = 1; 754 s->s3->tmp.reuse_message = 1;
755 return 1; 755 return 1;
756 } 756 }
757 else /* already sent a cookie */ 757 else /* already sent a cookie */
758 { 758 {
759 al=SSL_AD_UNEXPECTED_MESSAGE; 759 al=SSL_AD_UNEXPECTED_MESSAGE;
760 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 760 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
761 goto f_err; 761 goto f_err;
762 } 762 }
763 } 763 }
764 } 764 }
765  765
766 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO) 766 if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
767 { 767 {
768 al=SSL_AD_UNEXPECTED_MESSAGE; 768 al=SSL_AD_UNEXPECTED_MESSAGE;
769 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE); 769 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
770 goto f_err; 770 goto f_err;
771 } 771 }
772 772
773 d=p=(unsigned char *)s->init_msg; 773 d=p=(unsigned char *)s->init_msg;
774 774
775 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) 775 if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
776 { 776 {
777 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION); 777 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
778 s->version=(s->version&0xff00)|p[1]; 778 s->version=(s->version&0xff00)|p[1];
779 al=SSL_AD_PROTOCOL_VERSION; 779 al=SSL_AD_PROTOCOL_VERSION;
780 goto f_err; 780 goto f_err;
781 } 781 }
782 p+=2; 782 p+=2;
783 783
784 /* load the server hello data */ 784 /* load the server hello data */
785 /* load the server random */ 785 /* load the server random */
786 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE); 786 memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
787 p+=SSL3_RANDOM_SIZE; 787 p+=SSL3_RANDOM_SIZE;
788 788
789 /* get the session-id */ 789 /* get the session-id */
790 j= *(p++); 790 j= *(p++);
791 791
792 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) 792 if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
793 { 793 {
794 al=SSL_AD_ILLEGAL_PARAMETER; 794 al=SSL_AD_ILLEGAL_PARAMETER;
795 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); 795 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
796 goto f_err; 796 goto f_err;
797 } 797 }
798 798
799#ifndef OPENSSL_NO_TLSEXT 799#ifndef OPENSSL_NO_TLSEXT
800 /* check if we want to resume the session based on external pre-shared secret */ 800 /* check if we want to resume the session based on external pre-shared secret */
801 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) 801 if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
802 { 802 {
803 SSL_CIPHER *pref_cipher=NULL; 803 SSL_CIPHER *pref_cipher=NULL;
804 s->session->master_key_length=sizeof(s->session->master_key); 804 s->session->master_key_length=sizeof(s->session->master_key);
805 if (s->tls_session_secret_cb(s, s->session->master_key, 805 if (s->tls_session_secret_cb(s, s->session->master_key,
806 &s->session->master_key_length, 806 &s->session->master_key_length,
807 NULL, &pref_cipher, 807 NULL, &pref_cipher,
808 s->tls_session_secret_cb_arg)) 808 s->tls_session_secret_cb_arg))
809 { 809 {
810 s->session->cipher = pref_cipher ? 810 s->session->cipher = pref_cipher ?
811 pref_cipher : ssl_get_cipher_by_char(s, p+j); 811 pref_cipher : ssl_get_cipher_by_char(s, p+j);
812 } 812 }
813 } 813 }
814#endif /* OPENSSL_NO_TLSEXT */ 814#endif /* OPENSSL_NO_TLSEXT */
815 815
816 if (j != 0 && j == s->session->session_id_length 816 if (j != 0 && j == s->session->session_id_length
817 && memcmp(p,s->session->session_id,j) == 0) 817 && memcmp(p,s->session->session_id,j) == 0)
818 { 818 {
819 if(s->sid_ctx_length != s->session->sid_ctx_length 819 if(s->sid_ctx_length != s->session->sid_ctx_length
820 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) 820 || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
821 { 821 {
822 /* actually a client application bug */ 822 /* actually a client application bug */
823 al=SSL_AD_ILLEGAL_PARAMETER; 823 al=SSL_AD_ILLEGAL_PARAMETER;
824 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 824 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
825 goto f_err; 825 goto f_err;
826 } 826 }
827 s->hit=1; 827 s->hit=1;
828 } 828 }
829 else /* a miss or crap from the other end */ 829 else /* a miss or crap from the other end */
830 { 830 {
831 /* If we were trying for session-id reuse, make a new 831 /* If we were trying for session-id reuse, make a new
832 * SSL_SESSION so we don't stuff up other people */ 832 * SSL_SESSION so we don't stuff up other people */
833 s->hit=0; 833 s->hit=0;
834 if (s->session->session_id_length > 0) 834 if (s->session->session_id_length > 0)
835 { 835 {
836 if (!ssl_get_new_session(s,0)) 836 if (!ssl_get_new_session(s,0))
837 { 837 {
838 al=SSL_AD_INTERNAL_ERROR; 838 al=SSL_AD_INTERNAL_ERROR;
839 goto f_err; 839 goto f_err;
840 } 840 }
841 } 841 }
842 s->session->session_id_length=j; 842 s->session->session_id_length=j;
843 memcpy(s->session->session_id,p,j); /* j could be 0 */ 843 memcpy(s->session->session_id,p,j); /* j could be 0 */
844 } 844 }
845 p+=j; 845 p+=j;
846 c=ssl_get_cipher_by_char(s,p); 846 c=ssl_get_cipher_by_char(s,p);
847 if (c == NULL) 847 if (c == NULL)
848 { 848 {
849 /* unknown cipher */ 849 /* unknown cipher */
850 al=SSL_AD_ILLEGAL_PARAMETER; 850 al=SSL_AD_ILLEGAL_PARAMETER;
851 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 851 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
852 goto f_err; 852 goto f_err;
853 } 853 }
854 p+=ssl_put_cipher_by_char(s,NULL,NULL); 854 p+=ssl_put_cipher_by_char(s,NULL,NULL);
855 855
856 sk=ssl_get_ciphers_by_id(s); 856 sk=ssl_get_ciphers_by_id(s);
857 i=sk_SSL_CIPHER_find(sk,c); 857 i=sk_SSL_CIPHER_find(sk,c);
858 if (i < 0) 858 if (i < 0)
859 { 859 {
860 /* we did not say we would use this cipher */ 860 /* we did not say we would use this cipher */
861 al=SSL_AD_ILLEGAL_PARAMETER; 861 al=SSL_AD_ILLEGAL_PARAMETER;
862 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); 862 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
863 goto f_err; 863 goto f_err;
864 } 864 }
865 865
866 /* Depending on the session caching (internal/external), the cipher 866 /* Depending on the session caching (internal/external), the cipher
867 and/or cipher_id values may not be set. Make sure that 867 and/or cipher_id values may not be set. Make sure that
868 cipher_id is set and use it for comparison. */ 868 cipher_id is set and use it for comparison. */
869 if (s->session->cipher) 869 if (s->session->cipher)
870 s->session->cipher_id = s->session->cipher->id; 870 s->session->cipher_id = s->session->cipher->id;
871 if (s->hit && (s->session->cipher_id != c->id)) 871 if (s->hit && (s->session->cipher_id != c->id))
872 { 872 {
873 if (!(s->options & 873 if (!(s->options &
874 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) 874 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
875 { 875 {
876 al=SSL_AD_ILLEGAL_PARAMETER; 876 al=SSL_AD_ILLEGAL_PARAMETER;
877 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); 877 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
878 goto f_err; 878 goto f_err;
879 } 879 }
880 } 880 }
881 s->s3->tmp.new_cipher=c; 881 s->s3->tmp.new_cipher=c;
882 if (!ssl3_digest_cached_records(s)) 882 if (!ssl3_digest_cached_records(s))
883 goto f_err; 883 goto f_err;
884 884
885 /* lets get the compression algorithm */ 885 /* lets get the compression algorithm */
886 /* COMPRESSION */ 886 /* COMPRESSION */
887#ifdef OPENSSL_NO_COMP 887#ifdef OPENSSL_NO_COMP
888 if (*(p++) != 0) 888 if (*(p++) != 0)
889 { 889 {
890 al=SSL_AD_ILLEGAL_PARAMETER; 890 al=SSL_AD_ILLEGAL_PARAMETER;
891 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 891 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
892 goto f_err; 892 goto f_err;
893 } 893 }
894#else 894#else
895 j= *(p++); 895 j= *(p++);
896 if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION)) 896 if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
897 comp=NULL; 897 comp=NULL;
898 else 898 else
899 comp=ssl3_comp_find(s->ctx->comp_methods,j); 899 comp=ssl3_comp_find(s->ctx->comp_methods,j);
900  900
901 if ((j != 0) && (comp == NULL)) 901 if ((j != 0) && (comp == NULL))
902 { 902 {
903 al=SSL_AD_ILLEGAL_PARAMETER; 903 al=SSL_AD_ILLEGAL_PARAMETER;
904 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); 904 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
905 goto f_err; 905 goto f_err;
906 } 906 }
907 else 907 else
908 { 908 {
909 s->s3->tmp.new_compression=comp; 909 s->s3->tmp.new_compression=comp;
910 } 910 }
911#endif 911#endif
912 912
913#ifndef OPENSSL_NO_TLSEXT 913#ifndef OPENSSL_NO_TLSEXT
914 /* TLS extensions*/ 914 /* TLS extensions*/
915 if (s->version >= SSL3_VERSION) 915 if (s->version >= SSL3_VERSION)
916 { 916 {
917 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al)) 917 if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
918 { 918 {
919 /* 'al' set by ssl_parse_serverhello_tlsext */ 919 /* 'al' set by ssl_parse_serverhello_tlsext */
920 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); 920 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
921 goto f_err;  921 goto f_err;
922 } 922 }
923 if (ssl_check_serverhello_tlsext(s) <= 0) 923 if (ssl_check_serverhello_tlsext(s) <= 0)
924 { 924 {
925 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT); 925 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
926 goto err; 926 goto err;
927 } 927 }
928 } 928 }
929#endif 929#endif
930 930
931 if (p != (d+n)) 931 if (p != (d+n))
932 { 932 {
933 /* wrong packet length */ 933 /* wrong packet length */
934 al=SSL_AD_DECODE_ERROR; 934 al=SSL_AD_DECODE_ERROR;
935 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 935 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
936 goto err; 936 goto err;
937 } 937 }
938 938
939 return(1); 939 return(1);
940f_err: 940f_err:
941 ssl3_send_alert(s,SSL3_AL_FATAL,al); 941 ssl3_send_alert(s,SSL3_AL_FATAL,al);
942err: 942err:
943 return(-1); 943 return(-1);
944 } 944 }
945 945
946int ssl3_get_server_certificate(SSL *s) 946int ssl3_get_server_certificate(SSL *s)
947 { 947 {
948 int al,i,ok,ret= -1; 948 int al,i,ok,ret= -1;
949 unsigned long n,nc,llen,l; 949 unsigned long n,nc,llen,l;
950 X509 *x=NULL; 950 X509 *x=NULL;
951 const unsigned char *q,*p; 951 const unsigned char *q,*p;
952 unsigned char *d; 952 unsigned char *d;
953 STACK_OF(X509) *sk=NULL; 953 STACK_OF(X509) *sk=NULL;
954 SESS_CERT *sc; 954 SESS_CERT *sc;
955 EVP_PKEY *pkey=NULL; 955 EVP_PKEY *pkey=NULL;
956 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ 956 int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
957 957
958 n=s->method->ssl_get_message(s, 958 n=s->method->ssl_get_message(s,
959 SSL3_ST_CR_CERT_A, 959 SSL3_ST_CR_CERT_A,
960 SSL3_ST_CR_CERT_B, 960 SSL3_ST_CR_CERT_B,
961 -1, 961 -1,
962 s->max_cert_list, 962 s->max_cert_list,
963 &ok); 963 &ok);
964 964
965 if (!ok) return((int)n); 965 if (!ok) return((int)n);
966 966
967 if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) 967 if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
968 { 968 {
969 s->s3->tmp.reuse_message=1; 969 s->s3->tmp.reuse_message=1;
970 return(1); 970 return(1);
971 } 971 }
972 972
973 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE) 973 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
974 { 974 {
975 al=SSL_AD_UNEXPECTED_MESSAGE; 975 al=SSL_AD_UNEXPECTED_MESSAGE;
976 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); 976 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
977 goto f_err; 977 goto f_err;
978 } 978 }
979 p=d=(unsigned char *)s->init_msg; 979 p=d=(unsigned char *)s->init_msg;
980 980
981 if ((sk=sk_X509_new_null()) == NULL) 981 if ((sk=sk_X509_new_null()) == NULL)
982 { 982 {
983 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 983 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
984 goto err; 984 goto err;
985 } 985 }
986 986
987 n2l3(p,llen); 987 n2l3(p,llen);
988 if (llen+3 != n) 988 if (llen+3 != n)
989 { 989 {
990 al=SSL_AD_DECODE_ERROR; 990 al=SSL_AD_DECODE_ERROR;
991 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH); 991 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_LENGTH_MISMATCH);
992 goto f_err; 992 goto f_err;
993 } 993 }
994 for (nc=0; nc<llen; ) 994 for (nc=0; nc<llen; )
995 { 995 {
996 n2l3(p,l); 996 n2l3(p,l);
997 if ((l+nc+3) > llen) 997 if ((l+nc+3) > llen)
998 { 998 {
999 al=SSL_AD_DECODE_ERROR; 999 al=SSL_AD_DECODE_ERROR;
1000 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1000 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1001 goto f_err; 1001 goto f_err;
1002 } 1002 }
1003 1003
1004 q=p; 1004 q=p;
1005 x=d2i_X509(NULL,&q,l); 1005 x=d2i_X509(NULL,&q,l);
1006 if (x == NULL) 1006 if (x == NULL)
1007 { 1007 {
1008 al=SSL_AD_BAD_CERTIFICATE; 1008 al=SSL_AD_BAD_CERTIFICATE;
1009 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB); 1009 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_ASN1_LIB);
1010 goto f_err; 1010 goto f_err;
1011 } 1011 }
1012 if (q != (p+l)) 1012 if (q != (p+l))
1013 { 1013 {
1014 al=SSL_AD_DECODE_ERROR; 1014 al=SSL_AD_DECODE_ERROR;
1015 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH); 1015 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
1016 goto f_err; 1016 goto f_err;
1017 } 1017 }
1018 if (!sk_X509_push(sk,x)) 1018 if (!sk_X509_push(sk,x))
1019 { 1019 {
1020 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE); 1020 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,ERR_R_MALLOC_FAILURE);
1021 goto err; 1021 goto err;
1022 } 1022 }
1023 x=NULL; 1023 x=NULL;
1024 nc+=l+3; 1024 nc+=l+3;
1025 p=q; 1025 p=q;
1026 } 1026 }
1027 1027
1028 i=ssl_verify_cert_chain(s,sk); 1028 i=ssl_verify_cert_chain(s,sk);
1029 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) 1029 if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1030#ifndef OPENSSL_NO_KRB5 1030#ifndef OPENSSL_NO_KRB5
1031 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1031 && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1032 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1032 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1033#endif /* OPENSSL_NO_KRB5 */ 1033#endif /* OPENSSL_NO_KRB5 */
1034 ) 1034 )
1035 { 1035 {
1036 al=ssl_verify_alarm_type(s->verify_result); 1036 al=ssl_verify_alarm_type(s->verify_result);
1037 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); 1037 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
1038 goto f_err;  1038 goto f_err;
1039 } 1039 }
1040 ERR_clear_error(); /* but we keep s->verify_result */ 1040 ERR_clear_error(); /* but we keep s->verify_result */
1041 1041
1042 sc=ssl_sess_cert_new(); 1042 sc=ssl_sess_cert_new();
1043 if (sc == NULL) goto err; 1043 if (sc == NULL) goto err;
1044 1044
1045 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert); 1045 if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
1046 s->session->sess_cert=sc; 1046 s->session->sess_cert=sc;
1047 1047
1048 sc->cert_chain=sk; 1048 sc->cert_chain=sk;
1049 /* Inconsistency alert: cert_chain does include the peer's 1049 /* Inconsistency alert: cert_chain does include the peer's
1050 * certificate, which we don't include in s3_srvr.c */ 1050 * certificate, which we don't include in s3_srvr.c */
1051 x=sk_X509_value(sk,0); 1051 x=sk_X509_value(sk,0);
1052 sk=NULL; 1052 sk=NULL;
1053 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ 1053 /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
1054 1054
1055 pkey=X509_get_pubkey(x); 1055 pkey=X509_get_pubkey(x);
1056 1056
1057 /* VRS: allow null cert if auth == KRB5 */ 1057 /* VRS: allow null cert if auth == KRB5 */
1058 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) && 1058 need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1059 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 1059 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1060 ? 0 : 1; 1060 ? 0 : 1;
1061 1061
1062#ifdef KSSL_DEBUG 1062#ifdef KSSL_DEBUG
1063 printf("pkey,x = %p, %p\n", pkey,x); 1063 printf("pkey,x = %p, %p\n", pkey,x);
1064 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); 1064 printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
1065 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name, 1065 printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
1066 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert); 1066 s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
1067#endif /* KSSL_DEBUG */ 1067#endif /* KSSL_DEBUG */
1068 1068
1069 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) 1069 if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
1070 { 1070 {
1071 x=NULL; 1071 x=NULL;
1072 al=SSL3_AL_FATAL; 1072 al=SSL3_AL_FATAL;
1073 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1073 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1074 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); 1074 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1075 goto f_err; 1075 goto f_err;
1076 } 1076 }
1077 1077
1078 i=ssl_cert_type(x,pkey); 1078 i=ssl_cert_type(x,pkey);
1079 if (need_cert && i < 0) 1079 if (need_cert && i < 0)
1080 { 1080 {
1081 x=NULL; 1081 x=NULL;
1082 al=SSL3_AL_FATAL; 1082 al=SSL3_AL_FATAL;
1083 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, 1083 SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1084 SSL_R_UNKNOWN_CERTIFICATE_TYPE); 1084 SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1085 goto f_err; 1085 goto f_err;
1086 } 1086 }
1087 1087
1088 if (need_cert) 1088 if (need_cert)
1089 { 1089 {
1090 sc->peer_cert_type=i; 1090 sc->peer_cert_type=i;
1091 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1091 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1092 /* Why would the following ever happen? 1092 /* Why would the following ever happen?
1093 * We just created sc a couple of lines ago. */ 1093 * We just created sc a couple of lines ago. */
1094 if (sc->peer_pkeys[i].x509 != NULL) 1094 if (sc->peer_pkeys[i].x509 != NULL)
1095 X509_free(sc->peer_pkeys[i].x509); 1095 X509_free(sc->peer_pkeys[i].x509);
1096 sc->peer_pkeys[i].x509=x; 1096 sc->peer_pkeys[i].x509=x;
1097 sc->peer_key= &(sc->peer_pkeys[i]); 1097 sc->peer_key= &(sc->peer_pkeys[i]);
1098 1098
1099 if (s->session->peer != NULL) 1099 if (s->session->peer != NULL)
1100 X509_free(s->session->peer); 1100 X509_free(s->session->peer);
1101 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); 1101 CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
1102 s->session->peer=x; 1102 s->session->peer=x;
1103 } 1103 }
1104 else 1104 else
1105 { 1105 {
1106 sc->peer_cert_type=i; 1106 sc->peer_cert_type=i;
1107 sc->peer_key= NULL; 1107 sc->peer_key= NULL;
1108 1108
1109 if (s->session->peer != NULL) 1109 if (s->session->peer != NULL)
1110 X509_free(s->session->peer); 1110 X509_free(s->session->peer);
1111 s->session->peer=NULL; 1111 s->session->peer=NULL;
1112 } 1112 }
1113 s->session->verify_result = s->verify_result; 1113 s->session->verify_result = s->verify_result;
1114 1114
1115 x=NULL; 1115 x=NULL;
1116 ret=1; 1116 ret=1;
1117 1117
1118 if (0) 1118 if (0)
1119 { 1119 {
1120f_err: 1120f_err:
1121 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1121 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1122 } 1122 }
1123err: 1123err:
1124 EVP_PKEY_free(pkey); 1124 EVP_PKEY_free(pkey);
1125 X509_free(x); 1125 X509_free(x);
1126 sk_X509_pop_free(sk,X509_free); 1126 sk_X509_pop_free(sk,X509_free);
1127 return(ret); 1127 return(ret);
1128 } 1128 }
1129 1129
1130int ssl3_get_key_exchange(SSL *s) 1130int ssl3_get_key_exchange(SSL *s)
1131 { 1131 {
1132#ifndef OPENSSL_NO_RSA 1132#ifndef OPENSSL_NO_RSA
1133 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; 1133 unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
1134#endif 1134#endif
1135 EVP_MD_CTX md_ctx; 1135 EVP_MD_CTX md_ctx;
1136 unsigned char *param,*p; 1136 unsigned char *param,*p;
1137 int al,i,j,param_len,ok; 1137 int al,i,j,param_len,ok;
1138 long n,alg_k,alg_a; 1138 long n,alg_k,alg_a;
1139 EVP_PKEY *pkey=NULL; 1139 EVP_PKEY *pkey=NULL;
1140#ifndef OPENSSL_NO_RSA 1140#ifndef OPENSSL_NO_RSA
1141 RSA *rsa=NULL; 1141 RSA *rsa=NULL;
1142#endif 1142#endif
1143#ifndef OPENSSL_NO_DH 1143#ifndef OPENSSL_NO_DH
1144 DH *dh=NULL; 1144 DH *dh=NULL;
1145#endif 1145#endif
1146#ifndef OPENSSL_NO_ECDH 1146#ifndef OPENSSL_NO_ECDH
1147 EC_KEY *ecdh = NULL; 1147 EC_KEY *ecdh = NULL;
1148 BN_CTX *bn_ctx = NULL; 1148 BN_CTX *bn_ctx = NULL;
1149 EC_POINT *srvr_ecpoint = NULL; 1149 EC_POINT *srvr_ecpoint = NULL;
1150 int curve_nid = 0; 1150 int curve_nid = 0;
1151 int encoded_pt_len = 0; 1151 int encoded_pt_len = 0;
1152#endif 1152#endif
1153 1153
1154 /* use same message size as in ssl3_get_certificate_request() 1154 /* use same message size as in ssl3_get_certificate_request()
1155 * as ServerKeyExchange message may be skipped */ 1155 * as ServerKeyExchange message may be skipped */
1156 n=s->method->ssl_get_message(s, 1156 n=s->method->ssl_get_message(s,
1157 SSL3_ST_CR_KEY_EXCH_A, 1157 SSL3_ST_CR_KEY_EXCH_A,
1158 SSL3_ST_CR_KEY_EXCH_B, 1158 SSL3_ST_CR_KEY_EXCH_B,
1159 -1, 1159 -1,
1160 s->max_cert_list, 1160 s->max_cert_list,
1161 &ok); 1161 &ok);
1162 if (!ok) return((int)n); 1162 if (!ok) return((int)n);
1163 1163
1164 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) 1164 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
1165 { 1165 {
1166#ifndef OPENSSL_NO_PSK 1166#ifndef OPENSSL_NO_PSK
1167 /* In plain PSK ciphersuite, ServerKeyExchange can be 1167 /* In plain PSK ciphersuite, ServerKeyExchange can be
1168 omitted if no identity hint is sent. Set 1168 omitted if no identity hint is sent. Set
1169 session->sess_cert anyway to avoid problems 1169 session->sess_cert anyway to avoid problems
1170 later.*/ 1170 later.*/
1171 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 1171 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
1172 { 1172 {
1173 s->session->sess_cert=ssl_sess_cert_new(); 1173 s->session->sess_cert=ssl_sess_cert_new();
1174 if (s->ctx->psk_identity_hint) 1174 if (s->ctx->psk_identity_hint)
1175 OPENSSL_free(s->ctx->psk_identity_hint); 1175 OPENSSL_free(s->ctx->psk_identity_hint);
1176 s->ctx->psk_identity_hint = NULL; 1176 s->ctx->psk_identity_hint = NULL;
1177 } 1177 }
1178#endif 1178#endif
1179 s->s3->tmp.reuse_message=1; 1179 s->s3->tmp.reuse_message=1;
1180 return(1); 1180 return(1);
1181 } 1181 }
1182 1182
1183 param=p=(unsigned char *)s->init_msg; 1183 param=p=(unsigned char *)s->init_msg;
1184 if (s->session->sess_cert != NULL) 1184 if (s->session->sess_cert != NULL)
1185 { 1185 {
1186#ifndef OPENSSL_NO_RSA 1186#ifndef OPENSSL_NO_RSA
1187 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1187 if (s->session->sess_cert->peer_rsa_tmp != NULL)
1188 { 1188 {
1189 RSA_free(s->session->sess_cert->peer_rsa_tmp); 1189 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1190 s->session->sess_cert->peer_rsa_tmp=NULL; 1190 s->session->sess_cert->peer_rsa_tmp=NULL;
1191 } 1191 }
1192#endif 1192#endif
1193#ifndef OPENSSL_NO_DH 1193#ifndef OPENSSL_NO_DH
1194 if (s->session->sess_cert->peer_dh_tmp) 1194 if (s->session->sess_cert->peer_dh_tmp)
1195 { 1195 {
1196 DH_free(s->session->sess_cert->peer_dh_tmp); 1196 DH_free(s->session->sess_cert->peer_dh_tmp);
1197 s->session->sess_cert->peer_dh_tmp=NULL; 1197 s->session->sess_cert->peer_dh_tmp=NULL;
1198 } 1198 }
1199#endif 1199#endif
1200#ifndef OPENSSL_NO_ECDH 1200#ifndef OPENSSL_NO_ECDH
1201 if (s->session->sess_cert->peer_ecdh_tmp) 1201 if (s->session->sess_cert->peer_ecdh_tmp)
1202 { 1202 {
1203 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp); 1203 EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
1204 s->session->sess_cert->peer_ecdh_tmp=NULL; 1204 s->session->sess_cert->peer_ecdh_tmp=NULL;
1205 } 1205 }
1206#endif 1206#endif
1207 } 1207 }
1208 else 1208 else
1209 { 1209 {
1210 s->session->sess_cert=ssl_sess_cert_new(); 1210 s->session->sess_cert=ssl_sess_cert_new();
1211 } 1211 }
1212 1212
1213 param_len=0; 1213 param_len=0;
1214 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1214 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1215 alg_a=s->s3->tmp.new_cipher->algorithm_auth; 1215 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
1216 EVP_MD_CTX_init(&md_ctx); 1216 EVP_MD_CTX_init(&md_ctx);
1217 1217
1218#ifndef OPENSSL_NO_PSK 1218#ifndef OPENSSL_NO_PSK
1219 if (alg_k & SSL_kPSK) 1219 if (alg_k & SSL_kPSK)
1220 { 1220 {
1221 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; 1221 char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
1222 1222
1223 al=SSL_AD_HANDSHAKE_FAILURE; 1223 al=SSL_AD_HANDSHAKE_FAILURE;
1224 n2s(p,i); 1224 n2s(p,i);
1225 param_len=i+2; 1225 param_len=i+2;
1226 /* Store PSK identity hint for later use, hint is used 1226 /* Store PSK identity hint for later use, hint is used
1227 * in ssl3_send_client_key_exchange. Assume that the 1227 * in ssl3_send_client_key_exchange. Assume that the
1228 * maximum length of a PSK identity hint can be as 1228 * maximum length of a PSK identity hint can be as
1229 * long as the maximum length of a PSK identity. */ 1229 * long as the maximum length of a PSK identity. */
1230 if (i > PSK_MAX_IDENTITY_LEN) 1230 if (i > PSK_MAX_IDENTITY_LEN)
1231 { 1231 {
1232 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1232 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1233 SSL_R_DATA_LENGTH_TOO_LONG); 1233 SSL_R_DATA_LENGTH_TOO_LONG);
1234 goto f_err; 1234 goto f_err;
1235 } 1235 }
1236 if (param_len > n) 1236 if (param_len > n)
1237 { 1237 {
1238 al=SSL_AD_DECODE_ERROR; 1238 al=SSL_AD_DECODE_ERROR;
1239 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1239 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1240 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); 1240 SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
1241 goto f_err; 1241 goto f_err;
1242 } 1242 }
1243 /* If received PSK identity hint contains NULL 1243 /* If received PSK identity hint contains NULL
1244 * characters, the hint is truncated from the first 1244 * characters, the hint is truncated from the first
1245 * NULL. p may not be ending with NULL, so create a 1245 * NULL. p may not be ending with NULL, so create a
1246 * NULL-terminated string. */ 1246 * NULL-terminated string. */
1247 memcpy(tmp_id_hint, p, i); 1247 memcpy(tmp_id_hint, p, i);
1248 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); 1248 memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
1249 if (s->ctx->psk_identity_hint != NULL) 1249 if (s->ctx->psk_identity_hint != NULL)
1250 OPENSSL_free(s->ctx->psk_identity_hint); 1250 OPENSSL_free(s->ctx->psk_identity_hint);
1251 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); 1251 s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
1252 if (s->ctx->psk_identity_hint == NULL) 1252 if (s->ctx->psk_identity_hint == NULL)
1253 { 1253 {
1254 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); 1254 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
1255 goto f_err; 1255 goto f_err;
1256 }  1256 }
1257 1257
1258 p+=i; 1258 p+=i;
1259 n-=param_len; 1259 n-=param_len;
1260 } 1260 }
1261 else 1261 else
1262#endif /* !OPENSSL_NO_PSK */ 1262#endif /* !OPENSSL_NO_PSK */
1263#ifndef OPENSSL_NO_RSA 1263#ifndef OPENSSL_NO_RSA
1264 if (alg_k & SSL_kRSA) 1264 if (alg_k & SSL_kRSA)
1265 { 1265 {
1266 if ((rsa=RSA_new()) == NULL) 1266 if ((rsa=RSA_new()) == NULL)
1267 { 1267 {
1268 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1268 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1269 goto err; 1269 goto err;
1270 } 1270 }
1271 n2s(p,i); 1271 n2s(p,i);
1272 param_len=i+2; 1272 param_len=i+2;
1273 if (param_len > n) 1273 if (param_len > n)
1274 { 1274 {
1275 al=SSL_AD_DECODE_ERROR; 1275 al=SSL_AD_DECODE_ERROR;
1276 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH); 1276 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
1277 goto f_err; 1277 goto f_err;
1278 } 1278 }
1279 if (!(rsa->n=BN_bin2bn(p,i,rsa->n))) 1279 if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
1280 { 1280 {
1281 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1281 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1282 goto err; 1282 goto err;
1283 } 1283 }
1284 p+=i; 1284 p+=i;
1285 1285
1286 n2s(p,i); 1286 n2s(p,i);
1287 param_len+=i+2; 1287 param_len+=i+2;
1288 if (param_len > n) 1288 if (param_len > n)
1289 { 1289 {
1290 al=SSL_AD_DECODE_ERROR; 1290 al=SSL_AD_DECODE_ERROR;
1291 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH); 1291 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
1292 goto f_err; 1292 goto f_err;
1293 } 1293 }
1294 if (!(rsa->e=BN_bin2bn(p,i,rsa->e))) 1294 if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
1295 { 1295 {
1296 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1296 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1297 goto err; 1297 goto err;
1298 } 1298 }
1299 p+=i; 1299 p+=i;
1300 n-=param_len; 1300 n-=param_len;
1301 1301
1302 /* this should be because we are using an export cipher */ 1302 /* this should be because we are using an export cipher */
1303 if (alg_a & SSL_aRSA) 1303 if (alg_a & SSL_aRSA)
1304 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1304 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1305 else 1305 else
1306 { 1306 {
1307 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1307 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1308 goto err; 1308 goto err;
1309 } 1309 }
1310 s->session->sess_cert->peer_rsa_tmp=rsa; 1310 s->session->sess_cert->peer_rsa_tmp=rsa;
1311 rsa=NULL; 1311 rsa=NULL;
1312 } 1312 }
1313#else /* OPENSSL_NO_RSA */ 1313#else /* OPENSSL_NO_RSA */
1314 if (0) 1314 if (0)
1315 ; 1315 ;
1316#endif 1316#endif
1317#ifndef OPENSSL_NO_DH 1317#ifndef OPENSSL_NO_DH
1318 else if (alg_k & SSL_kEDH) 1318 else if (alg_k & SSL_kEDH)
1319 { 1319 {
1320 if ((dh=DH_new()) == NULL) 1320 if ((dh=DH_new()) == NULL)
1321 { 1321 {
1322 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB); 1322 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
1323 goto err; 1323 goto err;
1324 } 1324 }
1325 n2s(p,i); 1325 n2s(p,i);
1326 param_len=i+2; 1326 param_len=i+2;
1327 if (param_len > n) 1327 if (param_len > n)
1328 { 1328 {
1329 al=SSL_AD_DECODE_ERROR; 1329 al=SSL_AD_DECODE_ERROR;
1330 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH); 1330 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
1331 goto f_err; 1331 goto f_err;
1332 } 1332 }
1333 if (!(dh->p=BN_bin2bn(p,i,NULL))) 1333 if (!(dh->p=BN_bin2bn(p,i,NULL)))
1334 { 1334 {
1335 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1335 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1336 goto err; 1336 goto err;
1337 } 1337 }
1338 p+=i; 1338 p+=i;
1339 1339
1340 n2s(p,i); 1340 n2s(p,i);
1341 param_len+=i+2; 1341 param_len+=i+2;
1342 if (param_len > n) 1342 if (param_len > n)
1343 { 1343 {
1344 al=SSL_AD_DECODE_ERROR; 1344 al=SSL_AD_DECODE_ERROR;
1345 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH); 1345 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
1346 goto f_err; 1346 goto f_err;
1347 } 1347 }
1348 if (!(dh->g=BN_bin2bn(p,i,NULL))) 1348 if (!(dh->g=BN_bin2bn(p,i,NULL)))
1349 { 1349 {
1350 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1350 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1351 goto err; 1351 goto err;
1352 } 1352 }
1353 p+=i; 1353 p+=i;
1354 1354
1355 n2s(p,i); 1355 n2s(p,i);
1356 param_len+=i+2; 1356 param_len+=i+2;
1357 if (param_len > n) 1357 if (param_len > n)
1358 { 1358 {
1359 al=SSL_AD_DECODE_ERROR; 1359 al=SSL_AD_DECODE_ERROR;
1360 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH); 1360 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
1361 goto f_err; 1361 goto f_err;
1362 } 1362 }
1363 if (!(dh->pub_key=BN_bin2bn(p,i,NULL))) 1363 if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
1364 { 1364 {
1365 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB); 1365 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1366 goto err; 1366 goto err;
1367 } 1367 }
1368 p+=i; 1368 p+=i;
1369 n-=param_len; 1369 n-=param_len;
1370 1370
1371#ifndef OPENSSL_NO_RSA 1371#ifndef OPENSSL_NO_RSA
1372 if (alg_a & SSL_aRSA) 1372 if (alg_a & SSL_aRSA)
1373 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1373 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1374#else 1374#else
1375 if (0) 1375 if (0)
1376 ; 1376 ;
1377#endif 1377#endif
1378#ifndef OPENSSL_NO_DSA 1378#ifndef OPENSSL_NO_DSA
1379 else if (alg_a & SSL_aDSS) 1379 else if (alg_a & SSL_aDSS)
1380 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); 1380 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1381#endif 1381#endif
1382 /* else anonymous DH, so no certificate or pkey. */ 1382 /* else anonymous DH, so no certificate or pkey. */
1383 1383
1384 s->session->sess_cert->peer_dh_tmp=dh; 1384 s->session->sess_cert->peer_dh_tmp=dh;
1385 dh=NULL; 1385 dh=NULL;
1386 } 1386 }
1387 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) 1387 else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
1388 { 1388 {
1389 al=SSL_AD_ILLEGAL_PARAMETER; 1389 al=SSL_AD_ILLEGAL_PARAMETER;
1390 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); 1390 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
1391 goto f_err; 1391 goto f_err;
1392 } 1392 }
1393#endif /* !OPENSSL_NO_DH */ 1393#endif /* !OPENSSL_NO_DH */
1394 1394
1395#ifndef OPENSSL_NO_ECDH 1395#ifndef OPENSSL_NO_ECDH
1396 else if (alg_k & SSL_kEECDH) 1396 else if (alg_k & SSL_kEECDH)
1397 { 1397 {
1398 EC_GROUP *ngroup; 1398 EC_GROUP *ngroup;
1399 const EC_GROUP *group; 1399 const EC_GROUP *group;
1400 1400
1401 if ((ecdh=EC_KEY_new()) == NULL) 1401 if ((ecdh=EC_KEY_new()) == NULL)
1402 { 1402 {
1403 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1403 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1404 goto err; 1404 goto err;
1405 } 1405 }
1406 1406
1407 /* Extract elliptic curve parameters and the 1407 /* Extract elliptic curve parameters and the
1408 * server's ephemeral ECDH public key. 1408 * server's ephemeral ECDH public key.
1409 * Keep accumulating lengths of various components in 1409 * Keep accumulating lengths of various components in
1410 * param_len and make sure it never exceeds n. 1410 * param_len and make sure it never exceeds n.
1411 */ 1411 */
1412 1412
1413 /* XXX: For now we only support named (not generic) curves 1413 /* XXX: For now we only support named (not generic) curves
1414 * and the ECParameters in this case is just three bytes. 1414 * and the ECParameters in this case is just three bytes.
1415 */ 1415 */
1416 param_len=3; 1416 param_len=3;
1417 if ((param_len > n) || 1417 if ((param_len > n) ||
1418 (*p != NAMED_CURVE_TYPE) ||  1418 (*p != NAMED_CURVE_TYPE) ||
1419 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0))  1419 ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0))
1420 { 1420 {
1421 al=SSL_AD_INTERNAL_ERROR; 1421 al=SSL_AD_INTERNAL_ERROR;
1422 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 1422 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
1423 goto f_err; 1423 goto f_err;
1424 } 1424 }
1425 1425
1426 ngroup = EC_GROUP_new_by_curve_name(curve_nid); 1426 ngroup = EC_GROUP_new_by_curve_name(curve_nid);
1427 if (ngroup == NULL) 1427 if (ngroup == NULL)
1428 { 1428 {
1429 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1429 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1430 goto err; 1430 goto err;
1431 } 1431 }
1432 if (EC_KEY_set_group(ecdh, ngroup) == 0) 1432 if (EC_KEY_set_group(ecdh, ngroup) == 0)
1433 { 1433 {
1434 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB); 1434 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
1435 goto err; 1435 goto err;
1436 } 1436 }
1437 EC_GROUP_free(ngroup); 1437 EC_GROUP_free(ngroup);
1438 1438
1439 group = EC_KEY_get0_group(ecdh); 1439 group = EC_KEY_get0_group(ecdh);
1440 1440
1441 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1441 if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1442 (EC_GROUP_get_degree(group) > 163)) 1442 (EC_GROUP_get_degree(group) > 163))
1443 { 1443 {
1444 al=SSL_AD_EXPORT_RESTRICTION; 1444 al=SSL_AD_EXPORT_RESTRICTION;
1445 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1445 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1446 goto f_err; 1446 goto f_err;
1447 } 1447 }
1448 1448
1449 p+=3; 1449 p+=3;
1450 1450
1451 /* Next, get the encoded ECPoint */ 1451 /* Next, get the encoded ECPoint */
1452 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || 1452 if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
1453 ((bn_ctx = BN_CTX_new()) == NULL)) 1453 ((bn_ctx = BN_CTX_new()) == NULL))
1454 { 1454 {
1455 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1455 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1456 goto err; 1456 goto err;
1457 } 1457 }
1458 1458
1459 encoded_pt_len = *p; /* length of encoded point */ 1459 encoded_pt_len = *p; /* length of encoded point */
1460 p+=1; 1460 p+=1;
1461 param_len += (1 + encoded_pt_len); 1461 param_len += (1 + encoded_pt_len);
1462 if ((param_len > n) || 1462 if ((param_len > n) ||
1463 (EC_POINT_oct2point(group, srvr_ecpoint,  1463 (EC_POINT_oct2point(group, srvr_ecpoint,
1464 p, encoded_pt_len, bn_ctx) == 0)) 1464 p, encoded_pt_len, bn_ctx) == 0))
1465 { 1465 {
1466 al=SSL_AD_DECODE_ERROR; 1466 al=SSL_AD_DECODE_ERROR;
1467 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT); 1467 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
1468 goto f_err; 1468 goto f_err;
1469 } 1469 }
1470 1470
1471 n-=param_len; 1471 n-=param_len;
1472 p+=encoded_pt_len; 1472 p+=encoded_pt_len;
1473 1473
1474 /* The ECC/TLS specification does not mention 1474 /* The ECC/TLS specification does not mention
1475 * the use of DSA to sign ECParameters in the server 1475 * the use of DSA to sign ECParameters in the server
1476 * key exchange message. We do support RSA and ECDSA. 1476 * key exchange message. We do support RSA and ECDSA.
1477 */ 1477 */
1478 if (0) ; 1478 if (0) ;
1479#ifndef OPENSSL_NO_RSA 1479#ifndef OPENSSL_NO_RSA
1480 else if (alg_a & SSL_aRSA) 1480 else if (alg_a & SSL_aRSA)
1481 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 1481 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1482#endif 1482#endif
1483#ifndef OPENSSL_NO_ECDSA 1483#ifndef OPENSSL_NO_ECDSA
1484 else if (alg_a & SSL_aECDSA) 1484 else if (alg_a & SSL_aECDSA)
1485 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1485 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
1486#endif 1486#endif
1487 /* else anonymous ECDH, so no certificate or pkey. */ 1487 /* else anonymous ECDH, so no certificate or pkey. */
1488 EC_KEY_set_public_key(ecdh, srvr_ecpoint); 1488 EC_KEY_set_public_key(ecdh, srvr_ecpoint);
1489 s->session->sess_cert->peer_ecdh_tmp=ecdh; 1489 s->session->sess_cert->peer_ecdh_tmp=ecdh;
1490 ecdh=NULL; 1490 ecdh=NULL;
1491 BN_CTX_free(bn_ctx); 1491 BN_CTX_free(bn_ctx);
 1492 bn_ctx = NULL;
1492 EC_POINT_free(srvr_ecpoint); 1493 EC_POINT_free(srvr_ecpoint);
1493 srvr_ecpoint = NULL; 1494 srvr_ecpoint = NULL;
1494 } 1495 }
1495 else if (alg_k) 1496 else if (alg_k)
1496 { 1497 {
1497 al=SSL_AD_UNEXPECTED_MESSAGE; 1498 al=SSL_AD_UNEXPECTED_MESSAGE;
1498 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1499 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
1499 goto f_err; 1500 goto f_err;
1500 } 1501 }
1501#endif /* !OPENSSL_NO_ECDH */ 1502#endif /* !OPENSSL_NO_ECDH */
1502 1503
1503 1504
1504 /* p points to the next byte, there are 'n' bytes left */ 1505 /* p points to the next byte, there are 'n' bytes left */
1505 1506
1506 /* if it was signed, check the signature */ 1507 /* if it was signed, check the signature */
1507 if (pkey != NULL) 1508 if (pkey != NULL)
1508 { 1509 {
1509 n2s(p,i); 1510 n2s(p,i);
1510 n-=2; 1511 n-=2;
1511 j=EVP_PKEY_size(pkey); 1512 j=EVP_PKEY_size(pkey);
1512 1513
1513 if ((i != n) || (n > j) || (n <= 0)) 1514 if ((i != n) || (n > j) || (n <= 0))
1514 { 1515 {
1515 /* wrong packet length */ 1516 /* wrong packet length */
1516 al=SSL_AD_DECODE_ERROR; 1517 al=SSL_AD_DECODE_ERROR;
1517 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); 1518 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
1518 goto f_err; 1519 goto f_err;
1519 } 1520 }
1520 1521
1521#ifndef OPENSSL_NO_RSA 1522#ifndef OPENSSL_NO_RSA
1522 if (pkey->type == EVP_PKEY_RSA) 1523 if (pkey->type == EVP_PKEY_RSA)
1523 { 1524 {
1524 int num; 1525 int num;
1525 1526
1526 j=0; 1527 j=0;
1527 q=md_buf; 1528 q=md_buf;
1528 for (num=2; num > 0; num--) 1529 for (num=2; num > 0; num--)
1529 { 1530 {
1530 EVP_DigestInit_ex(&md_ctx,(num == 2) 1531 EVP_DigestInit_ex(&md_ctx,(num == 2)
1531 ?s->ctx->md5:s->ctx->sha1, NULL); 1532 ?s->ctx->md5:s->ctx->sha1, NULL);
1532 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1533 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1533 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1534 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1534 EVP_DigestUpdate(&md_ctx,param,param_len); 1535 EVP_DigestUpdate(&md_ctx,param,param_len);
1535 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); 1536 EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
1536 q+=i; 1537 q+=i;
1537 j+=i; 1538 j+=i;
1538 } 1539 }
1539 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n, 1540 i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
1540 pkey->pkey.rsa); 1541 pkey->pkey.rsa);
1541 if (i < 0) 1542 if (i < 0)
1542 { 1543 {
1543 al=SSL_AD_DECRYPT_ERROR; 1544 al=SSL_AD_DECRYPT_ERROR;
1544 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 1545 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
1545 goto f_err; 1546 goto f_err;
1546 } 1547 }
1547 if (i == 0) 1548 if (i == 0)
1548 { 1549 {
1549 /* bad signature */ 1550 /* bad signature */
1550 al=SSL_AD_DECRYPT_ERROR; 1551 al=SSL_AD_DECRYPT_ERROR;
1551 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1552 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1552 goto f_err; 1553 goto f_err;
1553 } 1554 }
1554 } 1555 }
1555 else 1556 else
1556#endif 1557#endif
1557#ifndef OPENSSL_NO_DSA 1558#ifndef OPENSSL_NO_DSA
1558 if (pkey->type == EVP_PKEY_DSA) 1559 if (pkey->type == EVP_PKEY_DSA)
1559 { 1560 {
1560 /* lets do DSS */ 1561 /* lets do DSS */
1561 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); 1562 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1562 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1563 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1563 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1564 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1564 EVP_VerifyUpdate(&md_ctx,param,param_len); 1565 EVP_VerifyUpdate(&md_ctx,param,param_len);
1565 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1566 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1566 { 1567 {
1567 /* bad signature */ 1568 /* bad signature */
1568 al=SSL_AD_DECRYPT_ERROR; 1569 al=SSL_AD_DECRYPT_ERROR;
1569 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1570 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1570 goto f_err; 1571 goto f_err;
1571 } 1572 }
1572 } 1573 }
1573 else 1574 else
1574#endif 1575#endif
1575#ifndef OPENSSL_NO_ECDSA 1576#ifndef OPENSSL_NO_ECDSA
1576 if (pkey->type == EVP_PKEY_EC) 1577 if (pkey->type == EVP_PKEY_EC)
1577 { 1578 {
1578 /* let's do ECDSA */ 1579 /* let's do ECDSA */
1579 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1580 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1580 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1581 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1581 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1582 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1582 EVP_VerifyUpdate(&md_ctx,param,param_len); 1583 EVP_VerifyUpdate(&md_ctx,param,param_len);
1583 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) 1584 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1584 { 1585 {
1585 /* bad signature */ 1586 /* bad signature */
1586 al=SSL_AD_DECRYPT_ERROR; 1587 al=SSL_AD_DECRYPT_ERROR;
1587 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE); 1588 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1588 goto f_err; 1589 goto f_err;
1589 } 1590 }
1590 } 1591 }
1591 else 1592 else
1592#endif 1593#endif
1593 { 1594 {
1594 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1595 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1595 goto err; 1596 goto err;
1596 } 1597 }
1597 } 1598 }
1598 else 1599 else
1599 { 1600 {
1600 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) 1601 if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
1601 /* aNULL or kPSK do not need public keys */ 1602 /* aNULL or kPSK do not need public keys */
1602 { 1603 {
1603 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1604 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1604 goto err; 1605 goto err;
1605 } 1606 }
1606 /* still data left over */ 1607 /* still data left over */
1607 if (n != 0) 1608 if (n != 0)
1608 { 1609 {
1609 al=SSL_AD_DECODE_ERROR; 1610 al=SSL_AD_DECODE_ERROR;
1610 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE); 1611 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
1611 goto f_err; 1612 goto f_err;
1612 } 1613 }
1613 } 1614 }
1614 EVP_PKEY_free(pkey); 1615 EVP_PKEY_free(pkey);
1615 EVP_MD_CTX_cleanup(&md_ctx); 1616 EVP_MD_CTX_cleanup(&md_ctx);
1616 return(1); 1617 return(1);
1617f_err: 1618f_err:
1618 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1619 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1619err: 1620err:
1620 EVP_PKEY_free(pkey); 1621 EVP_PKEY_free(pkey);
1621#ifndef OPENSSL_NO_RSA 1622#ifndef OPENSSL_NO_RSA
1622 if (rsa != NULL) 1623 if (rsa != NULL)
1623 RSA_free(rsa); 1624 RSA_free(rsa);
1624#endif 1625#endif
1625#ifndef OPENSSL_NO_DH 1626#ifndef OPENSSL_NO_DH
1626 if (dh != NULL) 1627 if (dh != NULL)
1627 DH_free(dh); 1628 DH_free(dh);
1628#endif 1629#endif
1629#ifndef OPENSSL_NO_ECDH 1630#ifndef OPENSSL_NO_ECDH
1630 BN_CTX_free(bn_ctx); 1631 BN_CTX_free(bn_ctx);
1631 EC_POINT_free(srvr_ecpoint); 1632 EC_POINT_free(srvr_ecpoint);
1632 if (ecdh != NULL) 1633 if (ecdh != NULL)
1633 EC_KEY_free(ecdh); 1634 EC_KEY_free(ecdh);
1634#endif 1635#endif
1635 EVP_MD_CTX_cleanup(&md_ctx); 1636 EVP_MD_CTX_cleanup(&md_ctx);
1636 return(-1); 1637 return(-1);
1637 } 1638 }
1638 1639
1639int ssl3_get_certificate_request(SSL *s) 1640int ssl3_get_certificate_request(SSL *s)
1640 { 1641 {
1641 int ok,ret=0; 1642 int ok,ret=0;
1642 unsigned long n,nc,l; 1643 unsigned long n,nc,l;
1643 unsigned int llen,ctype_num,i; 1644 unsigned int llen,ctype_num,i;
1644 X509_NAME *xn=NULL; 1645 X509_NAME *xn=NULL;
1645 const unsigned char *p,*q; 1646 const unsigned char *p,*q;
1646 unsigned char *d; 1647 unsigned char *d;
1647 STACK_OF(X509_NAME) *ca_sk=NULL; 1648 STACK_OF(X509_NAME) *ca_sk=NULL;
1648 1649
1649 n=s->method->ssl_get_message(s, 1650 n=s->method->ssl_get_message(s,
1650 SSL3_ST_CR_CERT_REQ_A, 1651 SSL3_ST_CR_CERT_REQ_A,
1651 SSL3_ST_CR_CERT_REQ_B, 1652 SSL3_ST_CR_CERT_REQ_B,
1652 -1, 1653 -1,
1653 s->max_cert_list, 1654 s->max_cert_list,
1654 &ok); 1655 &ok);
1655 1656
1656 if (!ok) return((int)n); 1657 if (!ok) return((int)n);
1657 1658
1658 s->s3->tmp.cert_req=0; 1659 s->s3->tmp.cert_req=0;
1659 1660
1660 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1661 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1661 { 1662 {
1662 s->s3->tmp.reuse_message=1; 1663 s->s3->tmp.reuse_message=1;
1663 return(1); 1664 return(1);
1664 } 1665 }
1665 1666
1666 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) 1667 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST)
1667 { 1668 {
1668 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1669 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1669 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE); 1670 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_WRONG_MESSAGE_TYPE);
1670 goto err; 1671 goto err;
1671 } 1672 }
1672 1673
1673 /* TLS does not like anon-DH with client cert */ 1674 /* TLS does not like anon-DH with client cert */
1674 if (s->version > SSL3_VERSION) 1675 if (s->version > SSL3_VERSION)
1675 { 1676 {
1676 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1677 if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1677 { 1678 {
1678 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1679 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
1679 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER); 1680 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1680 goto err; 1681 goto err;
1681 } 1682 }
1682 } 1683 }
1683 1684
1684 p=d=(unsigned char *)s->init_msg; 1685 p=d=(unsigned char *)s->init_msg;
1685 1686
1686 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) 1687 if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
1687 { 1688 {
1688 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1689 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1689 goto err; 1690 goto err;
1690 } 1691 }
1691 1692
1692 /* get the certificate types */ 1693 /* get the certificate types */
1693 ctype_num= *(p++); 1694 ctype_num= *(p++);
1694 if (ctype_num > SSL3_CT_NUMBER) 1695 if (ctype_num > SSL3_CT_NUMBER)
1695 ctype_num=SSL3_CT_NUMBER; 1696 ctype_num=SSL3_CT_NUMBER;
1696 for (i=0; i<ctype_num; i++) 1697 for (i=0; i<ctype_num; i++)
1697 s->s3->tmp.ctype[i]= p[i]; 1698 s->s3->tmp.ctype[i]= p[i];
1698 p+=ctype_num; 1699 p+=ctype_num;
1699 1700
1700 /* get the CA RDNs */ 1701 /* get the CA RDNs */
1701 n2s(p,llen); 1702 n2s(p,llen);
1702#if 0 1703#if 0
1703{ 1704{
1704FILE *out; 1705FILE *out;
1705out=fopen("/tmp/vsign.der","w"); 1706out=fopen("/tmp/vsign.der","w");
1706fwrite(p,1,llen,out); 1707fwrite(p,1,llen,out);
1707fclose(out); 1708fclose(out);
1708} 1709}
1709#endif 1710#endif
1710 1711
1711 if ((llen+ctype_num+2+1) != n) 1712 if ((llen+ctype_num+2+1) != n)
1712 { 1713 {
1713 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1714 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1714 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 1715 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
1715 goto err; 1716 goto err;
1716 } 1717 }
1717 1718
1718 for (nc=0; nc<llen; ) 1719 for (nc=0; nc<llen; )
1719 { 1720 {
1720 n2s(p,l); 1721 n2s(p,l);
1721 if ((l+nc+2) > llen) 1722 if ((l+nc+2) > llen)
1722 { 1723 {
1723 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1724 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1724 goto cont; /* netscape bugs */ 1725 goto cont; /* netscape bugs */
1725 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1726 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1726 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG); 1727 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_TOO_LONG);
1727 goto err; 1728 goto err;
1728 } 1729 }
1729 1730
1730 q=p; 1731 q=p;
1731 1732
1732 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL) 1733 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
1733 { 1734 {
1734 /* If netscape tolerance is on, ignore errors */ 1735 /* If netscape tolerance is on, ignore errors */
1735 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG) 1736 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
1736 goto cont; 1737 goto cont;
1737 else 1738 else
1738 { 1739 {
1739 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1740 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1740 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB); 1741 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_ASN1_LIB);
1741 goto err; 1742 goto err;
1742 } 1743 }
1743 } 1744 }
1744 1745
1745 if (q != (p+l)) 1746 if (q != (p+l))
1746 { 1747 {
1747 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1748 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1748 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH); 1749 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_CA_DN_LENGTH_MISMATCH);
1749 goto err; 1750 goto err;
1750 } 1751 }
1751 if (!sk_X509_NAME_push(ca_sk,xn)) 1752 if (!sk_X509_NAME_push(ca_sk,xn))
1752 { 1753 {
1753 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE); 1754 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
1754 goto err; 1755 goto err;
1755 } 1756 }
1756 1757
1757 p+=l; 1758 p+=l;
1758 nc+=l+2; 1759 nc+=l+2;
1759 } 1760 }
1760 1761
1761 if (0) 1762 if (0)
1762 { 1763 {
1763cont: 1764cont:
1764 ERR_clear_error(); 1765 ERR_clear_error();
1765 } 1766 }
1766 1767
1767 /* we should setup a certificate to return.... */ 1768 /* we should setup a certificate to return.... */
1768 s->s3->tmp.cert_req=1; 1769 s->s3->tmp.cert_req=1;
1769 s->s3->tmp.ctype_num=ctype_num; 1770 s->s3->tmp.ctype_num=ctype_num;
1770 if (s->s3->tmp.ca_names != NULL) 1771 if (s->s3->tmp.ca_names != NULL)
1771 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1772 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
1772 s->s3->tmp.ca_names=ca_sk; 1773 s->s3->tmp.ca_names=ca_sk;
1773 ca_sk=NULL; 1774 ca_sk=NULL;
1774 1775
1775 ret=1; 1776 ret=1;
1776err: 1777err:
1777 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free); 1778 if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
1778 return(ret); 1779 return(ret);
1779 } 1780 }
1780 1781
1781static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) 1782static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
1782 { 1783 {
1783 return(X509_NAME_cmp(*a,*b)); 1784 return(X509_NAME_cmp(*a,*b));
1784 } 1785 }
1785#ifndef OPENSSL_NO_TLSEXT 1786#ifndef OPENSSL_NO_TLSEXT
1786int ssl3_get_new_session_ticket(SSL *s) 1787int ssl3_get_new_session_ticket(SSL *s)
1787 { 1788 {
1788 int ok,al,ret=0, ticklen; 1789 int ok,al,ret=0, ticklen;
1789 long n; 1790 long n;
1790 const unsigned char *p; 1791 const unsigned char *p;
1791 unsigned char *d; 1792 unsigned char *d;
1792 1793
1793 n=s->method->ssl_get_message(s, 1794 n=s->method->ssl_get_message(s,
1794 SSL3_ST_CR_SESSION_TICKET_A, 1795 SSL3_ST_CR_SESSION_TICKET_A,
1795 SSL3_ST_CR_SESSION_TICKET_B, 1796 SSL3_ST_CR_SESSION_TICKET_B,
1796 -1, 1797 -1,
1797 16384, 1798 16384,
1798 &ok); 1799 &ok);
1799 1800
1800 if (!ok) 1801 if (!ok)
1801 return((int)n); 1802 return((int)n);
1802 1803
1803 if (s->s3->tmp.message_type == SSL3_MT_FINISHED) 1804 if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
1804 { 1805 {
1805 s->s3->tmp.reuse_message=1; 1806 s->s3->tmp.reuse_message=1;
1806 return(1); 1807 return(1);
1807 } 1808 }
1808 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) 1809 if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
1809 { 1810 {
1810 al=SSL_AD_UNEXPECTED_MESSAGE; 1811 al=SSL_AD_UNEXPECTED_MESSAGE;
1811 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE); 1812 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
1812 goto f_err; 1813 goto f_err;
1813 } 1814 }
1814 if (n < 6) 1815 if (n < 6)
1815 { 1816 {
1816 /* need at least ticket_lifetime_hint + ticket length */ 1817 /* need at least ticket_lifetime_hint + ticket length */
1817 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1818 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1818 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1819 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1819 goto f_err; 1820 goto f_err;
1820 } 1821 }
1821 1822
1822 p=d=(unsigned char *)s->init_msg; 1823 p=d=(unsigned char *)s->init_msg;
1823 n2l(p, s->session->tlsext_tick_lifetime_hint); 1824 n2l(p, s->session->tlsext_tick_lifetime_hint);
1824 n2s(p, ticklen); 1825 n2s(p, ticklen);
1825 /* ticket_lifetime_hint + ticket_length + ticket */ 1826 /* ticket_lifetime_hint + ticket_length + ticket */
1826 if (ticklen + 6 != n) 1827 if (ticklen + 6 != n)
1827 { 1828 {
1828 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1829 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
1829 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1830 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1830 goto f_err; 1831 goto f_err;
1831 } 1832 }
1832 if (s->session->tlsext_tick) 1833 if (s->session->tlsext_tick)
1833 { 1834 {
1834 OPENSSL_free(s->session->tlsext_tick); 1835 OPENSSL_free(s->session->tlsext_tick);
1835 s->session->tlsext_ticklen = 0; 1836 s->session->tlsext_ticklen = 0;
1836 } 1837 }
1837 s->session->tlsext_tick = OPENSSL_malloc(ticklen); 1838 s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1838 if (!s->session->tlsext_tick) 1839 if (!s->session->tlsext_tick)
1839 { 1840 {
1840 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE); 1841 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,ERR_R_MALLOC_FAILURE);
1841 goto err; 1842 goto err;
1842 } 1843 }
1843 memcpy(s->session->tlsext_tick, p, ticklen); 1844 memcpy(s->session->tlsext_tick, p, ticklen);
1844 s->session->tlsext_ticklen = ticklen; 1845 s->session->tlsext_ticklen = ticklen;
1845 /* There are two ways to detect a resumed ticket sesion. 1846 /* There are two ways to detect a resumed ticket sesion.
1846 * One is to set an appropriate session ID and then the server 1847 * One is to set an appropriate session ID and then the server
1847 * must return a match in ServerHello. This allows the normal 1848 * must return a match in ServerHello. This allows the normal
1848 * client session ID matching to work and we know much  1849 * client session ID matching to work and we know much
1849 * earlier that the ticket has been accepted. 1850 * earlier that the ticket has been accepted.
1850 *  1851 *
1851 * The other way is to set zero length session ID when the 1852 * The other way is to set zero length session ID when the
1852 * ticket is presented and rely on the handshake to determine 1853 * ticket is presented and rely on the handshake to determine
1853 * session resumption. 1854 * session resumption.
1854 * 1855 *
1855 * We choose the former approach because this fits in with 1856 * We choose the former approach because this fits in with
1856 * assumptions elsewhere in OpenSSL. The session ID is set 1857 * assumptions elsewhere in OpenSSL. The session ID is set
1857 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the 1858 * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the
1858 * ticket. 1859 * ticket.
1859 */  1860 */
1860 EVP_Digest(p, ticklen, 1861 EVP_Digest(p, ticklen,
1861 s->session->session_id, &s->session->session_id_length, 1862 s->session->session_id, &s->session->session_id_length,
1862#ifndef OPENSSL_NO_SHA256 1863#ifndef OPENSSL_NO_SHA256
1863 EVP_sha256(), NULL); 1864 EVP_sha256(), NULL);
1864#else 1865#else
1865 EVP_sha1(), NULL); 1866 EVP_sha1(), NULL);
1866#endif 1867#endif
1867 ret=1; 1868 ret=1;
1868 return(ret); 1869 return(ret);
1869f_err: 1870f_err:
1870 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1871 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1871err: 1872err:
1872 return(-1); 1873 return(-1);
1873 } 1874 }
1874 1875
1875int ssl3_get_cert_status(SSL *s) 1876int ssl3_get_cert_status(SSL *s)
1876 { 1877 {
1877 int ok, al; 1878 int ok, al;
1878 unsigned long resplen,n; 1879 unsigned long resplen,n;
1879 const unsigned char *p; 1880 const unsigned char *p;
1880 1881
1881 n=s->method->ssl_get_message(s, 1882 n=s->method->ssl_get_message(s,
1882 SSL3_ST_CR_CERT_STATUS_A, 1883 SSL3_ST_CR_CERT_STATUS_A,
1883 SSL3_ST_CR_CERT_STATUS_B, 1884 SSL3_ST_CR_CERT_STATUS_B,
1884 SSL3_MT_CERTIFICATE_STATUS, 1885 SSL3_MT_CERTIFICATE_STATUS,
1885 16384, 1886 16384,
1886 &ok); 1887 &ok);
1887 1888
1888 if (!ok) return((int)n); 1889 if (!ok) return((int)n);
1889 if (n < 4) 1890 if (n < 4)
1890 { 1891 {
1891 /* need at least status type + length */ 1892 /* need at least status type + length */
1892 al = SSL_AD_DECODE_ERROR; 1893 al = SSL_AD_DECODE_ERROR;
1893 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1894 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1894 goto f_err; 1895 goto f_err;
1895 } 1896 }
1896 p = (unsigned char *)s->init_msg; 1897 p = (unsigned char *)s->init_msg;
1897 if (*p++ != TLSEXT_STATUSTYPE_ocsp) 1898 if (*p++ != TLSEXT_STATUSTYPE_ocsp)
1898 { 1899 {
1899 al = SSL_AD_DECODE_ERROR; 1900 al = SSL_AD_DECODE_ERROR;
1900 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE); 1901 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_UNSUPPORTED_STATUS_TYPE);
1901 goto f_err; 1902 goto f_err;
1902 } 1903 }
1903 n2l3(p, resplen); 1904 n2l3(p, resplen);
1904 if (resplen + 4 != n) 1905 if (resplen + 4 != n)
1905 { 1906 {
1906 al = SSL_AD_DECODE_ERROR; 1907 al = SSL_AD_DECODE_ERROR;
1907 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); 1908 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH);
1908 goto f_err; 1909 goto f_err;
1909 } 1910 }
1910 if (s->tlsext_ocsp_resp) 1911 if (s->tlsext_ocsp_resp)
1911 OPENSSL_free(s->tlsext_ocsp_resp); 1912 OPENSSL_free(s->tlsext_ocsp_resp);
1912 s->tlsext_ocsp_resp = BUF_memdup(p, resplen); 1913 s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
1913 if (!s->tlsext_ocsp_resp) 1914 if (!s->tlsext_ocsp_resp)
1914 { 1915 {
1915 al = SSL_AD_INTERNAL_ERROR; 1916 al = SSL_AD_INTERNAL_ERROR;
1916 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 1917 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1917 goto f_err; 1918 goto f_err;
1918 } 1919 }
1919 s->tlsext_ocsp_resplen = resplen; 1920 s->tlsext_ocsp_resplen = resplen;
1920 if (s->ctx->tlsext_status_cb) 1921 if (s->ctx->tlsext_status_cb)
1921 { 1922 {
1922 int ret; 1923 int ret;
1923 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); 1924 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1924 if (ret == 0) 1925 if (ret == 0)
1925 { 1926 {
1926 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 1927 al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
1927 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE); 1928 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_INVALID_STATUS_RESPONSE);
1928 goto f_err; 1929 goto f_err;
1929 } 1930 }
1930 if (ret < 0) 1931 if (ret < 0)
1931 { 1932 {
1932 al = SSL_AD_INTERNAL_ERROR; 1933 al = SSL_AD_INTERNAL_ERROR;
1933 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE); 1934 SSLerr(SSL_F_SSL3_GET_CERT_STATUS,ERR_R_MALLOC_FAILURE);
1934 goto f_err; 1935 goto f_err;
1935 } 1936 }
1936 } 1937 }
1937 return 1; 1938 return 1;
1938f_err: 1939f_err:
1939 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1940 ssl3_send_alert(s,SSL3_AL_FATAL,al);
1940 return(-1); 1941 return(-1);
1941 } 1942 }
1942#endif 1943#endif
1943 1944
1944int ssl3_get_server_done(SSL *s) 1945int ssl3_get_server_done(SSL *s)
1945 { 1946 {
1946 int ok,ret=0; 1947 int ok,ret=0;
1947 long n; 1948 long n;
1948 1949
1949 n=s->method->ssl_get_message(s, 1950 n=s->method->ssl_get_message(s,
1950 SSL3_ST_CR_SRVR_DONE_A, 1951 SSL3_ST_CR_SRVR_DONE_A,
1951 SSL3_ST_CR_SRVR_DONE_B, 1952 SSL3_ST_CR_SRVR_DONE_B,
1952 SSL3_MT_SERVER_DONE, 1953 SSL3_MT_SERVER_DONE,
1953 30, /* should be very small, like 0 :-) */ 1954 30, /* should be very small, like 0 :-) */
1954 &ok); 1955 &ok);
1955 1956
1956 if (!ok) return((int)n); 1957 if (!ok) return((int)n);
1957 if (n > 0) 1958 if (n > 0)
1958 { 1959 {
1959 /* should contain no data */ 1960 /* should contain no data */
1960 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1961 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1961 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH); 1962 SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
1962 return -1; 1963 return -1;
1963 } 1964 }
1964 ret=1; 1965 ret=1;
1965 return(ret); 1966 return(ret);
1966 } 1967 }
1967 1968
1968 1969
1969int ssl3_send_client_key_exchange(SSL *s) 1970int ssl3_send_client_key_exchange(SSL *s)
1970 { 1971 {
1971 unsigned char *p,*d; 1972 unsigned char *p,*d;
1972 int n; 1973 int n;
1973 unsigned long alg_k; 1974 unsigned long alg_k;
1974#ifndef OPENSSL_NO_RSA 1975#ifndef OPENSSL_NO_RSA
1975 unsigned char *q; 1976 unsigned char *q;
1976 EVP_PKEY *pkey=NULL; 1977 EVP_PKEY *pkey=NULL;
1977#endif 1978#endif
1978#ifndef OPENSSL_NO_KRB5 1979#ifndef OPENSSL_NO_KRB5
1979 KSSL_ERR kssl_err; 1980 KSSL_ERR kssl_err;
1980#endif /* OPENSSL_NO_KRB5 */ 1981#endif /* OPENSSL_NO_KRB5 */
1981#ifndef OPENSSL_NO_ECDH 1982#ifndef OPENSSL_NO_ECDH
1982 EC_KEY *clnt_ecdh = NULL; 1983 EC_KEY *clnt_ecdh = NULL;
1983 const EC_POINT *srvr_ecpoint = NULL; 1984 const EC_POINT *srvr_ecpoint = NULL;
1984 EVP_PKEY *srvr_pub_pkey = NULL; 1985 EVP_PKEY *srvr_pub_pkey = NULL;
1985 unsigned char *encodedPoint = NULL; 1986 unsigned char *encodedPoint = NULL;
1986 int encoded_pt_len = 0; 1987 int encoded_pt_len = 0;
1987 BN_CTX * bn_ctx = NULL; 1988 BN_CTX * bn_ctx = NULL;
1988#endif 1989#endif
1989 1990
1990 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 1991 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
1991 { 1992 {
1992 d=(unsigned char *)s->init_buf->data; 1993 d=(unsigned char *)s->init_buf->data;
1993 p= &(d[4]); 1994 p= &(d[4]);
1994 1995
1995 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 1996 alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
1996 1997
1997 /* Fool emacs indentation */ 1998 /* Fool emacs indentation */
1998 if (0) {} 1999 if (0) {}
1999#ifndef OPENSSL_NO_RSA 2000#ifndef OPENSSL_NO_RSA
2000 else if (alg_k & SSL_kRSA) 2001 else if (alg_k & SSL_kRSA)
2001 { 2002 {
2002 RSA *rsa; 2003 RSA *rsa;
2003 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2004 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2004 2005
2005 if (s->session->sess_cert->peer_rsa_tmp != NULL) 2006 if (s->session->sess_cert->peer_rsa_tmp != NULL)
2006 rsa=s->session->sess_cert->peer_rsa_tmp; 2007 rsa=s->session->sess_cert->peer_rsa_tmp;
2007 else 2008 else
2008 { 2009 {
2009 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 2010 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
2010 if ((pkey == NULL) || 2011 if ((pkey == NULL) ||
2011 (pkey->type != EVP_PKEY_RSA) || 2012 (pkey->type != EVP_PKEY_RSA) ||
2012 (pkey->pkey.rsa == NULL)) 2013 (pkey->pkey.rsa == NULL))
2013 { 2014 {
2014 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 2015 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2015 goto err; 2016 goto err;
2016 } 2017 }
2017 rsa=pkey->pkey.rsa; 2018 rsa=pkey->pkey.rsa;
2018 EVP_PKEY_free(pkey); 2019 EVP_PKEY_free(pkey);
2019 } 2020 }
2020  2021
2021 tmp_buf[0]=s->client_version>>8; 2022 tmp_buf[0]=s->client_version>>8;
2022 tmp_buf[1]=s->client_version&0xff; 2023 tmp_buf[1]=s->client_version&0xff;
2023 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2024 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2024 goto err; 2025 goto err;
2025 2026
2026 s->session->master_key_length=sizeof tmp_buf; 2027 s->session->master_key_length=sizeof tmp_buf;
2027 2028
2028 q=p; 2029 q=p;
2029 /* Fix buf for TLS and beyond */ 2030 /* Fix buf for TLS and beyond */
2030 if (s->version > SSL3_VERSION) 2031 if (s->version > SSL3_VERSION)
2031 p+=2; 2032 p+=2;
2032 n=RSA_public_encrypt(sizeof tmp_buf, 2033 n=RSA_public_encrypt(sizeof tmp_buf,
2033 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 2034 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
2034#ifdef PKCS1_CHECK 2035#ifdef PKCS1_CHECK
2035 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 2036 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
2036 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 2037 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
2037#endif 2038#endif
2038 if (n <= 0) 2039 if (n <= 0)
2039 { 2040 {
2040 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 2041 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
2041 goto err; 2042 goto err;
2042 } 2043 }
2043 2044
2044 /* Fix buf for TLS and beyond */ 2045 /* Fix buf for TLS and beyond */
2045 if (s->version > SSL3_VERSION) 2046 if (s->version > SSL3_VERSION)
2046 { 2047 {
2047 s2n(n,q); 2048 s2n(n,q);
2048 n+=2; 2049 n+=2;
2049 } 2050 }
2050 2051
2051 s->session->master_key_length= 2052 s->session->master_key_length=
2052 s->method->ssl3_enc->generate_master_secret(s, 2053 s->method->ssl3_enc->generate_master_secret(s,
2053 s->session->master_key, 2054 s->session->master_key,
2054 tmp_buf,sizeof tmp_buf); 2055 tmp_buf,sizeof tmp_buf);
2055 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 2056 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
2056 } 2057 }
2057#endif 2058#endif
2058#ifndef OPENSSL_NO_KRB5 2059#ifndef OPENSSL_NO_KRB5
2059 else if (alg_k & SSL_kKRB5) 2060 else if (alg_k & SSL_kKRB5)
2060 { 2061 {
2061 krb5_error_code krb5rc; 2062 krb5_error_code krb5rc;
2062 KSSL_CTX *kssl_ctx = s->kssl_ctx; 2063 KSSL_CTX *kssl_ctx = s->kssl_ctx;
2063 /* krb5_data krb5_ap_req; */ 2064 /* krb5_data krb5_ap_req; */
2064 krb5_data *enc_ticket; 2065 krb5_data *enc_ticket;
2065 krb5_data authenticator, *authp = NULL; 2066 krb5_data authenticator, *authp = NULL;
2066 EVP_CIPHER_CTX ciph_ctx; 2067 EVP_CIPHER_CTX ciph_ctx;
2067 const EVP_CIPHER *enc = NULL; 2068 const EVP_CIPHER *enc = NULL;
2068 unsigned char iv[EVP_MAX_IV_LENGTH]; 2069 unsigned char iv[EVP_MAX_IV_LENGTH];
2069 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 2070 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2070 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH  2071 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2071 + EVP_MAX_IV_LENGTH]; 2072 + EVP_MAX_IV_LENGTH];
2072 int padl, outl = sizeof(epms); 2073 int padl, outl = sizeof(epms);
2073 2074
2074 EVP_CIPHER_CTX_init(&ciph_ctx); 2075 EVP_CIPHER_CTX_init(&ciph_ctx);
2075 2076
2076#ifdef KSSL_DEBUG 2077#ifdef KSSL_DEBUG
2077 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 2078 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2078 alg_k, SSL_kKRB5); 2079 alg_k, SSL_kKRB5);
2079#endif /* KSSL_DEBUG */ 2080#endif /* KSSL_DEBUG */
2080 2081
2081 authp = NULL; 2082 authp = NULL;
2082#ifdef KRB5SENDAUTH 2083#ifdef KRB5SENDAUTH
2083 if (KRB5SENDAUTH) authp = &authenticator; 2084 if (KRB5SENDAUTH) authp = &authenticator;
2084#endif /* KRB5SENDAUTH */ 2085#endif /* KRB5SENDAUTH */
2085 2086
2086 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 2087 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
2087 &kssl_err); 2088 &kssl_err);
2088 enc = kssl_map_enc(kssl_ctx->enctype); 2089 enc = kssl_map_enc(kssl_ctx->enctype);
2089 if (enc == NULL) 2090 if (enc == NULL)
2090 goto err; 2091 goto err;
2091#ifdef KSSL_DEBUG 2092#ifdef KSSL_DEBUG
2092 { 2093 {
2093 printf("kssl_cget_tkt rtn %d\n", krb5rc); 2094 printf("kssl_cget_tkt rtn %d\n", krb5rc);
2094 if (krb5rc && kssl_err.text) 2095 if (krb5rc && kssl_err.text)
2095 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 2096 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
2096 } 2097 }
2097#endif /* KSSL_DEBUG */ 2098#endif /* KSSL_DEBUG */
2098 2099
2099 if (krb5rc) 2100 if (krb5rc)
2100 { 2101 {
2101 ssl3_send_alert(s,SSL3_AL_FATAL, 2102 ssl3_send_alert(s,SSL3_AL_FATAL,
2102 SSL_AD_HANDSHAKE_FAILURE); 2103 SSL_AD_HANDSHAKE_FAILURE);
2103 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2104 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2104 kssl_err.reason); 2105 kssl_err.reason);
2105 goto err; 2106 goto err;
2106 } 2107 }
2107 2108
2108 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 2109 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2109 ** in place of RFC 2712 KerberosWrapper, as in: 2110 ** in place of RFC 2712 KerberosWrapper, as in:
2110 ** 2111 **
2111 ** Send ticket (copy to *p, set n = length) 2112 ** Send ticket (copy to *p, set n = length)
2112 ** n = krb5_ap_req.length; 2113 ** n = krb5_ap_req.length;
2113 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 2114 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2114 ** if (krb5_ap_req.data)  2115 ** if (krb5_ap_req.data)
2115 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 2116 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2116 ** 2117 **
2117 ** Now using real RFC 2712 KerberosWrapper 2118 ** Now using real RFC 2712 KerberosWrapper
2118 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 2119 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
2119 ** Note: 2712 "opaque" types are here replaced 2120 ** Note: 2712 "opaque" types are here replaced
2120 ** with a 2-byte length followed by the value. 2121 ** with a 2-byte length followed by the value.
2121 ** Example: 2122 ** Example:
2122 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 2123 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
2123 ** Where "xx xx" = length bytes. Shown here with 2124 ** Where "xx xx" = length bytes. Shown here with
2124 ** optional authenticator omitted. 2125 ** optional authenticator omitted.
2125 */ 2126 */
2126 2127
2127 /* KerberosWrapper.Ticket */ 2128 /* KerberosWrapper.Ticket */
2128 s2n(enc_ticket->length,p); 2129 s2n(enc_ticket->length,p);
2129 memcpy(p, enc_ticket->data, enc_ticket->length); 2130 memcpy(p, enc_ticket->data, enc_ticket->length);
2130 p+= enc_ticket->length; 2131 p+= enc_ticket->length;
2131 n = enc_ticket->length + 2; 2132 n = enc_ticket->length + 2;
2132 2133
2133 /* KerberosWrapper.Authenticator */ 2134 /* KerberosWrapper.Authenticator */
2134 if (authp && authp->length)  2135 if (authp && authp->length)
2135 { 2136 {
2136 s2n(authp->length,p); 2137 s2n(authp->length,p);
2137 memcpy(p, authp->data, authp->length); 2138 memcpy(p, authp->data, authp->length);
2138 p+= authp->length; 2139 p+= authp->length;
2139 n+= authp->length + 2; 2140 n+= authp->length + 2;
2140  2141
2141 free(authp->data); 2142 free(authp->data);
2142 authp->data = NULL; 2143 authp->data = NULL;
2143 authp->length = 0; 2144 authp->length = 0;
2144 } 2145 }
2145 else 2146 else
2146 { 2147 {
2147 s2n(0,p);/* null authenticator length */ 2148 s2n(0,p);/* null authenticator length */
2148 n+=2; 2149 n+=2;
2149 } 2150 }
2150  2151
2151 tmp_buf[0]=s->client_version>>8; 2152 tmp_buf[0]=s->client_version>>8;
2152 tmp_buf[1]=s->client_version&0xff; 2153 tmp_buf[1]=s->client_version&0xff;
2153 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 2154 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
2154 goto err; 2155 goto err;
2155 2156
2156 /* 20010420 VRS. Tried it this way; failed. 2157 /* 20010420 VRS. Tried it this way; failed.
2157 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 2158 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2158 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 2159 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2159 ** kssl_ctx->length); 2160 ** kssl_ctx->length);
2160 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 2161 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2161 */ 2162 */
2162 2163
2163 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2164 memset(iv, 0, sizeof iv); /* per RFC 1510 */
2164 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 2165 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
2165 kssl_ctx->key,iv); 2166 kssl_ctx->key,iv);
2166 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 2167 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
2167 sizeof tmp_buf); 2168 sizeof tmp_buf);
2168 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 2169 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
2169 outl += padl; 2170 outl += padl;
2170 if (outl > (int)sizeof epms) 2171 if (outl > (int)sizeof epms)
2171 { 2172 {
2172 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 2173 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2173 goto err; 2174 goto err;
2174 } 2175 }
2175 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2176 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2176 2177
2177 /* KerberosWrapper.EncryptedPreMasterSecret */ 2178 /* KerberosWrapper.EncryptedPreMasterSecret */
2178 s2n(outl,p); 2179 s2n(outl,p);
2179 memcpy(p, epms, outl); 2180 memcpy(p, epms, outl);
2180 p+=outl; 2181 p+=outl;
2181 n+=outl + 2; 2182 n+=outl + 2;
2182 2183
2183 s->session->master_key_length= 2184 s->session->master_key_length=
2184 s->method->ssl3_enc->generate_master_secret(s, 2185 s->method->ssl3_enc->generate_master_secret(s,
2185 s->session->master_key, 2186 s->session->master_key,
2186 tmp_buf, sizeof tmp_buf); 2187 tmp_buf, sizeof tmp_buf);
2187 2188
2188 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 2189 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2189 OPENSSL_cleanse(epms, outl); 2190 OPENSSL_cleanse(epms, outl);
2190 } 2191 }
2191#endif 2192#endif
2192#ifndef OPENSSL_NO_DH 2193#ifndef OPENSSL_NO_DH
2193 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 2194 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
2194 { 2195 {
2195 DH *dh_srvr,*dh_clnt; 2196 DH *dh_srvr,*dh_clnt;
2196 2197
2197 if (s->session->sess_cert == NULL)  2198 if (s->session->sess_cert == NULL)
2198 { 2199 {
2199 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 2200 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
2200 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 2201 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
2201 goto err; 2202 goto err;
2202 } 2203 }
2203 2204
2204 if (s->session->sess_cert->peer_dh_tmp != NULL) 2205 if (s->session->sess_cert->peer_dh_tmp != NULL)
2205 dh_srvr=s->session->sess_cert->peer_dh_tmp; 2206 dh_srvr=s->session->sess_cert->peer_dh_tmp;
2206 else 2207 else
2207 { 2208 {
2208 /* we get them from the cert */ 2209 /* we get them from the cert */
2209 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 2210 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
2210 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 2211 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
2211 goto err; 2212 goto err;
2212 } 2213 }
2213  2214
2214 /* generate a new random key */ 2215 /* generate a new random key */
2215 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 2216 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
2216 { 2217 {
2217 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2218 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2218 goto err; 2219 goto err;
2219 } 2220 }
2220 if (!DH_generate_key(dh_clnt)) 2221 if (!DH_generate_key(dh_clnt))
2221 { 2222 {
2222 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2223 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2223 goto err; 2224 goto err;
2224 } 2225 }
2225 2226
2226 /* use the 'p' output buffer for the DH key, but 2227 /* use the 'p' output buffer for the DH key, but
2227 * make sure to clear it out afterwards */ 2228 * make sure to clear it out afterwards */
2228 2229
2229 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 2230 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
2230 2231
2231 if (n <= 0) 2232 if (n <= 0)
2232 { 2233 {
2233 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2234 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2234 goto err; 2235 goto err;
2235 } 2236 }
2236 2237
2237 /* generate master key from the result */ 2238 /* generate master key from the result */
2238 s->session->master_key_length= 2239 s->session->master_key_length=
2239 s->method->ssl3_enc->generate_master_secret(s, 2240 s->method->ssl3_enc->generate_master_secret(s,
2240 s->session->master_key,p,n); 2241 s->session->master_key,p,n);
2241 /* clean up */ 2242 /* clean up */
2242 memset(p,0,n); 2243 memset(p,0,n);
2243 2244
2244 /* send off the data */ 2245 /* send off the data */
2245 n=BN_num_bytes(dh_clnt->pub_key); 2246 n=BN_num_bytes(dh_clnt->pub_key);
2246 s2n(n,p); 2247 s2n(n,p);
2247 BN_bn2bin(dh_clnt->pub_key,p); 2248 BN_bn2bin(dh_clnt->pub_key,p);
2248 n+=2; 2249 n+=2;
2249 2250
2250 DH_free(dh_clnt); 2251 DH_free(dh_clnt);
2251 2252
2252 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 2253 /* perhaps clean things up a bit EAY EAY EAY EAY*/
2253 } 2254 }
2254#endif 2255#endif
2255 2256
2256#ifndef OPENSSL_NO_ECDH  2257#ifndef OPENSSL_NO_ECDH
2257 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 2258 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
2258 { 2259 {
2259 const EC_GROUP *srvr_group = NULL; 2260 const EC_GROUP *srvr_group = NULL;
2260 EC_KEY *tkey; 2261 EC_KEY *tkey;
2261 int ecdh_clnt_cert = 0; 2262 int ecdh_clnt_cert = 0;
2262 int field_size = 0; 2263 int field_size = 0;
2263 2264
2264 /* Did we send out the client's 2265 /* Did we send out the client's
2265 * ECDH share for use in premaster 2266 * ECDH share for use in premaster
2266 * computation as part of client certificate? 2267 * computation as part of client certificate?
2267 * If so, set ecdh_clnt_cert to 1. 2268 * If so, set ecdh_clnt_cert to 1.
2268 */ 2269 */
2269 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))  2270 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
2270 { 2271 {
2271 /* XXX: For now, we do not support client 2272 /* XXX: For now, we do not support client
2272 * authentication using ECDH certificates. 2273 * authentication using ECDH certificates.
2273 * To add such support, one needs to add 2274 * To add such support, one needs to add
2274 * code that checks for appropriate  2275 * code that checks for appropriate
2275 * conditions and sets ecdh_clnt_cert to 1. 2276 * conditions and sets ecdh_clnt_cert to 1.
2276 * For example, the cert have an ECC 2277 * For example, the cert have an ECC
2277 * key on the same curve as the server's 2278 * key on the same curve as the server's
2278 * and the key should be authorized for 2279 * and the key should be authorized for
2279 * key agreement. 2280 * key agreement.
2280 * 2281 *
2281 * One also needs to add code in ssl3_connect 2282 * One also needs to add code in ssl3_connect
2282 * to skip sending the certificate verify 2283 * to skip sending the certificate verify
2283 * message. 2284 * message.
2284 * 2285 *
2285 * if ((s->cert->key->privatekey != NULL) && 2286 * if ((s->cert->key->privatekey != NULL) &&
2286 * (s->cert->key->privatekey->type == 2287 * (s->cert->key->privatekey->type ==
2287 * EVP_PKEY_EC) && ...) 2288 * EVP_PKEY_EC) && ...)
2288 * ecdh_clnt_cert = 1; 2289 * ecdh_clnt_cert = 1;
2289 */ 2290 */
2290 } 2291 }
2291 2292
2292 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 2293 if (s->session->sess_cert->peer_ecdh_tmp != NULL)
2293 { 2294 {
2294 tkey = s->session->sess_cert->peer_ecdh_tmp; 2295 tkey = s->session->sess_cert->peer_ecdh_tmp;
2295 } 2296 }
2296 else 2297 else
2297 { 2298 {
2298 /* Get the Server Public Key from Cert */ 2299 /* Get the Server Public Key from Cert */
2299 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 2300 srvr_pub_pkey = X509_get_pubkey(s->session-> \
2300 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 2301 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
2301 if ((srvr_pub_pkey == NULL) || 2302 if ((srvr_pub_pkey == NULL) ||
2302 (srvr_pub_pkey->type != EVP_PKEY_EC) || 2303 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
2303 (srvr_pub_pkey->pkey.ec == NULL)) 2304 (srvr_pub_pkey->pkey.ec == NULL))
2304 { 2305 {
2305 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2306 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2306 ERR_R_INTERNAL_ERROR); 2307 ERR_R_INTERNAL_ERROR);
2307 goto err; 2308 goto err;
2308 } 2309 }
2309 2310
2310 tkey = srvr_pub_pkey->pkey.ec; 2311 tkey = srvr_pub_pkey->pkey.ec;
2311 } 2312 }
2312 2313
2313 srvr_group = EC_KEY_get0_group(tkey); 2314 srvr_group = EC_KEY_get0_group(tkey);
2314 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 2315 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
2315 2316
2316 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 2317 if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
2317 { 2318 {
2318 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 2319 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2319 ERR_R_INTERNAL_ERROR); 2320 ERR_R_INTERNAL_ERROR);
2320 goto err; 2321 goto err;
2321 } 2322 }
2322 2323
2323 if ((clnt_ecdh=EC_KEY_new()) == NULL)  2324 if ((clnt_ecdh=EC_KEY_new()) == NULL)
2324 { 2325 {
2325 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2326 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2326 goto err; 2327 goto err;
2327 } 2328 }
2328 2329
2329 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 2330 if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
2330 { 2331 {
2331 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2332 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2332 goto err; 2333 goto err;
2333 } 2334 }
2334 if (ecdh_clnt_cert)  2335 if (ecdh_clnt_cert)
2335 {  2336 {
2336 /* Reuse key info from our certificate 2337 /* Reuse key info from our certificate
2337 * We only need our private key to perform 2338 * We only need our private key to perform
2338 * the ECDH computation. 2339 * the ECDH computation.
2339 */ 2340 */
2340 const BIGNUM *priv_key; 2341 const BIGNUM *priv_key;
2341 tkey = s->cert->key->privatekey->pkey.ec; 2342 tkey = s->cert->key->privatekey->pkey.ec;
2342 priv_key = EC_KEY_get0_private_key(tkey); 2343 priv_key = EC_KEY_get0_private_key(tkey);
2343 if (priv_key == NULL) 2344 if (priv_key == NULL)
2344 { 2345 {
2345 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2346 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2346 goto err; 2347 goto err;
2347 } 2348 }
2348 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 2349 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
2349 { 2350 {
2350 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 2351 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
2351 goto err; 2352 goto err;
2352 } 2353 }
2353 } 2354 }
2354 else  2355 else
2355 { 2356 {
2356 /* Generate a new ECDH key pair */ 2357 /* Generate a new ECDH key pair */
2357 if (!(EC_KEY_generate_key(clnt_ecdh))) 2358 if (!(EC_KEY_generate_key(clnt_ecdh)))
2358 { 2359 {
2359 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 2360 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
2360 goto err; 2361 goto err;
2361 } 2362 }
2362 } 2363 }
2363 2364
2364 /* use the 'p' output buffer for the ECDH key, but 2365 /* use the 'p' output buffer for the ECDH key, but
2365 * make sure to clear it out afterwards 2366 * make sure to clear it out afterwards
2366 */ 2367 */
2367 2368
2368 field_size = EC_GROUP_get_degree(srvr_group); 2369 field_size = EC_GROUP_get_degree(srvr_group);
2369 if (field_size <= 0) 2370 if (field_size <= 0)
2370 { 2371 {
2371 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,  2372 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2372 ERR_R_ECDH_LIB); 2373 ERR_R_ECDH_LIB);
2373 goto err; 2374 goto err;
2374 } 2375 }
2375 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 2376 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
2376 if (n <= 0) 2377 if (n <= 0)
2377 { 2378 {
2378 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,  2379 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2379 ERR_R_ECDH_LIB); 2380 ERR_R_ECDH_LIB);
2380 goto err; 2381 goto err;
2381 } 2382 }
2382 2383
2383 /* generate master key from the result */ 2384 /* generate master key from the result */
2384 s->session->master_key_length = s->method->ssl3_enc \ 2385 s->session->master_key_length = s->method->ssl3_enc \
2385 -> generate_master_secret(s,  2386 -> generate_master_secret(s,
2386 s->session->master_key, 2387 s->session->master_key,
2387 p, n); 2388 p, n);
2388 2389
2389 memset(p, 0, n); /* clean up */ 2390 memset(p, 0, n); /* clean up */
2390 2391
2391 if (ecdh_clnt_cert)  2392 if (ecdh_clnt_cert)
2392 { 2393 {
2393 /* Send empty client key exch message */ 2394 /* Send empty client key exch message */
2394 n = 0; 2395 n = 0;
2395 } 2396 }
2396 else  2397 else
2397 { 2398 {
2398 /* First check the size of encoding and 2399 /* First check the size of encoding and
2399 * allocate memory accordingly. 2400 * allocate memory accordingly.
2400 */ 2401 */
2401 encoded_pt_len =  2402 encoded_pt_len =
2402 EC_POINT_point2oct(srvr_group,  2403 EC_POINT_point2oct(srvr_group,
2403 EC_KEY_get0_public_key(clnt_ecdh),  2404 EC_KEY_get0_public_key(clnt_ecdh),
2404 POINT_CONVERSION_UNCOMPRESSED,  2405 POINT_CONVERSION_UNCOMPRESSED,
2405 NULL, 0, NULL); 2406 NULL, 0, NULL);
2406 2407
2407 encodedPoint = (unsigned char *)  2408 encodedPoint = (unsigned char *)
2408 OPENSSL_malloc(encoded_pt_len *  2409 OPENSSL_malloc(encoded_pt_len *
2409 sizeof(unsigned char));  2410 sizeof(unsigned char));
2410 bn_ctx = BN_CTX_new(); 2411 bn_ctx = BN_CTX_new();
2411 if ((encodedPoint == NULL) ||  2412 if ((encodedPoint == NULL) ||
2412 (bn_ctx == NULL))  2413 (bn_ctx == NULL))
2413 { 2414 {
2414 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 2415 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
2415 goto err; 2416 goto err;
2416 } 2417 }
2417 2418
2418 /* Encode the public key */ 2419 /* Encode the public key */
2419 n = EC_POINT_point2oct(srvr_group,  2420 n = EC_POINT_point2oct(srvr_group,
2420 EC_KEY_get0_public_key(clnt_ecdh),  2421 EC_KEY_get0_public_key(clnt_ecdh),
2421 POINT_CONVERSION_UNCOMPRESSED,  2422 POINT_CONVERSION_UNCOMPRESSED,
2422 encodedPoint, encoded_pt_len, bn_ctx); 2423 encodedPoint, encoded_pt_len, bn_ctx);
2423 2424
2424 *p = n; /* length of encoded point */ 2425 *p = n; /* length of encoded point */
2425 /* Encoded point will be copied here */ 2426 /* Encoded point will be copied here */
2426 p += 1;  2427 p += 1;
2427 /* copy the point */ 2428 /* copy the point */
2428 memcpy((unsigned char *)p, encodedPoint, n); 2429 memcpy((unsigned char *)p, encodedPoint, n);
2429 /* increment n to account for length field */ 2430 /* increment n to account for length field */
2430 n += 1;  2431 n += 1;
2431 } 2432 }
2432 2433
2433 /* Free allocated memory */ 2434 /* Free allocated memory */
2434 BN_CTX_free(bn_ctx); 2435 BN_CTX_free(bn_ctx);
2435 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 2436 if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
2436 if (clnt_ecdh != NULL)  2437 if (clnt_ecdh != NULL)
2437 EC_KEY_free(clnt_ecdh); 2438 EC_KEY_free(clnt_ecdh);
2438 EVP_PKEY_free(srvr_pub_pkey); 2439 EVP_PKEY_free(srvr_pub_pkey);
2439 } 2440 }
2440#endif /* !OPENSSL_NO_ECDH */ 2441#endif /* !OPENSSL_NO_ECDH */
2441 else if (alg_k & SSL_kGOST)  2442 else if (alg_k & SSL_kGOST)
2442 { 2443 {
2443 /* GOST key exchange message creation */ 2444 /* GOST key exchange message creation */
2444 EVP_PKEY_CTX *pkey_ctx; 2445 EVP_PKEY_CTX *pkey_ctx;
2445 X509 *peer_cert;  2446 X509 *peer_cert;
2446 size_t msglen; 2447 size_t msglen;
2447 unsigned int md_len; 2448 unsigned int md_len;
2448 int keytype; 2449 int keytype;
2449 unsigned char premaster_secret[32],shared_ukm[32], tmp[256]; 2450 unsigned char premaster_secret[32],shared_ukm[32], tmp[256];
2450 EVP_MD_CTX *ukm_hash; 2451 EVP_MD_CTX *ukm_hash;
2451 EVP_PKEY *pub_key; 2452 EVP_PKEY *pub_key;
2452 2453
2453 /* Get server sertificate PKEY and create ctx from it */ 2454 /* Get server sertificate PKEY and create ctx from it */
2454 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509; 2455 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST01)].x509;
2455 if (!peer_cert)  2456 if (!peer_cert)
2456 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509; 2457 peer_cert=s->session->sess_cert->peer_pkeys[(keytype=SSL_PKEY_GOST94)].x509;
2457 if (!peer_cert) { 2458 if (!peer_cert) {
2458 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); 2459 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
2459 goto err; 2460 goto err;
2460 }  2461 }
2461  2462
2462 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL); 2463 pkey_ctx=EVP_PKEY_CTX_new(pub_key=X509_get_pubkey(peer_cert),NULL);
2463 /* If we have send a certificate, and certificate key 2464 /* If we have send a certificate, and certificate key
2464 2465
2465 * parameters match those of server certificate, use 2466 * parameters match those of server certificate, use
2466 * certificate key for key exchange 2467 * certificate key for key exchange
2467 */ 2468 */
2468 2469
2469 /* Otherwise, generate ephemeral key pair */ 2470 /* Otherwise, generate ephemeral key pair */
2470  2471
2471 EVP_PKEY_encrypt_init(pkey_ctx); 2472 EVP_PKEY_encrypt_init(pkey_ctx);
2472 /* Generate session key */  2473 /* Generate session key */
2473 RAND_bytes(premaster_secret,32); 2474 RAND_bytes(premaster_secret,32);
2474 /* If we have client certificate, use its secret as peer key */ 2475 /* If we have client certificate, use its secret as peer key */
2475 if (s->s3->tmp.cert_req && s->cert->key->privatekey) { 2476 if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
2476 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) { 2477 if (EVP_PKEY_derive_set_peer(pkey_ctx,s->cert->key->privatekey) <=0) {
2477 /* If there was an error - just ignore it. Ephemeral key 2478 /* If there was an error - just ignore it. Ephemeral key
2478 * would be used 2479 * would be used
2479 */ 2480 */
2480 ERR_clear_error(); 2481 ERR_clear_error();
2481 } 2482 }
2482 }  2483 }
2483 /* Compute shared IV and store it in algorithm-specific 2484 /* Compute shared IV and store it in algorithm-specific
2484 * context data */ 2485 * context data */
2485 ukm_hash = EVP_MD_CTX_create(); 2486 ukm_hash = EVP_MD_CTX_create();
2486 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94)); 2487 EVP_DigestInit(ukm_hash,EVP_get_digestbynid(NID_id_GostR3411_94));
2487 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE); 2488 EVP_DigestUpdate(ukm_hash,s->s3->client_random,SSL3_RANDOM_SIZE);
2488 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE); 2489 EVP_DigestUpdate(ukm_hash,s->s3->server_random,SSL3_RANDOM_SIZE);
2489 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); 2490 EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
2490 EVP_MD_CTX_destroy(ukm_hash); 2491 EVP_MD_CTX_destroy(ukm_hash);