#endif
static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
+#ifndef OPENSSL_NO_TLSEXT
+static int ssl3_check_finished(SSL *s);
+#endif
#ifndef OPENSSL_NO_SSL3_METHOD
static const SSL_METHOD *ssl3_get_client_method(int ver)
if ((s->version & 0xff00) != 0x0300) {
SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
ret = -1;
goto end;
}
if (s->init_buf == NULL) {
if ((buf = BUF_MEM_new()) == NULL) {
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
s->init_buf = buf;
/* setup buffing BIO */
if (!ssl_init_wbio_buffer(s, 0)) {
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
break;
case SSL3_ST_CR_CERT_A:
case SSL3_ST_CR_CERT_B:
+#ifndef OPENSSL_NO_TLSEXT
+ /* Noop (ret = 0) for everything but EAP-FAST. */
+ ret = ssl3_check_finished(s);
+ if (ret < 0)
+ goto end;
+ if (ret == 1) {
+ s->hit = 1;
+ s->state = SSL3_ST_CR_FINISHED_A;
+ s->init_num = 0;
+ break;
+ }
+#endif
/* Check if it is anon DH/ECDH, SRP auth */
/* or PSK */
if (!
*/
if (!ssl3_check_cert_and_algorithm(s)) {
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
break;
if ((ret = SRP_Calc_A_param(s)) <= 0) {
SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
goto end;
}
}
#endif
if (!s->method->ssl3_enc->setup_key_block(s)) {
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
SSL3_CHANGE_CIPHER_CLIENT_WRITE))
{
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:
- s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ if (!s->s3->change_cipher_spec)
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
SSL3_ST_CR_FINISHED_B);
if (ret <= 0)
goto end;
/* break; */
+ case SSL_ST_ERR:
default:
SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE);
ret = -1;
buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
SSL_SESSION *sess = s->session;
- if ((sess == NULL) ||
- (sess->ssl_version != s->version) ||
- !sess->session_id_length || (sess->not_resumable)) {
+ if ((sess == NULL) || (sess->ssl_version != s->version) ||
+#ifdef OPENSSL_NO_TLSEXT
+ !sess->session_id_length ||
+#else
+ /*
+ * In the case of EAP-FAST, we can have a pre-shared
+ * "ticket" without a session ID.
+ */
+ (!sess->session_id_length && !sess->tlsext_tick) ||
+#endif
+ (sess->not_resumable)) {
if (!ssl_get_new_session(s, 0))
goto err;
}
} else
i = 1;
- if (i)
- ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
+ if (i && ssl_fill_hello_random(s, 0, p,
+ sizeof(s->s3->client_random)) <= 0)
+ goto err;
/* Do the message type and length last */
d = p = ssl_handshake_start(s);
- /*-
- * version indicates the negotiated version: for example from
- * an SSLv2/v3 compatible client hello). The client_version
- * field is the maximum version we permit and it is also
- * used in RSA encrypted premaster secrets. Some servers can
- * choke if we initially report a higher version then
- * renegotiate to a lower one in the premaster secret. This
- * didn't happen with TLS 1.0 as most servers supported it
- * but it can with TLS 1.1 or later if the server only supports
- * 1.0.
- *
- * Possible scenario with previous logic:
- * 1. Client hello indicates TLS 1.2
- * 2. Server hello says TLS 1.0
- * 3. RSA encrypted premaster secret uses 1.2.
- * 4. Handhaked proceeds using TLS 1.0.
- * 5. Server sends hello request to renegotiate.
- * 6. Client hello indicates TLS v1.0 as we now
- * know that is maximum server supports.
- * 7. Server chokes on RSA encrypted premaster secret
- * containing version 1.0.
- *
- * For interoperability it should be OK to always use the
- * maximum version we support in client hello and then rely
- * on the checking of version to ensure the servers isn't
- * being inconsistent: for example initially negotiating with
- * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
- * client_version in client hello and not resetting it to
- * the negotiated version.
- */
+ /*-
+ * version indicates the negotiated version: for example from
+ * an SSLv2/v3 compatible client hello). The client_version
+ * field is the maximum version we permit and it is also
+ * used in RSA encrypted premaster secrets. Some servers can
+ * choke if we initially report a higher version then
+ * renegotiate to a lower one in the premaster secret. This
+ * didn't happen with TLS 1.0 as most servers supported it
+ * but it can with TLS 1.1 or later if the server only supports
+ * 1.0.
+ *
+ * Possible scenario with previous logic:
+ * 1. Client hello indicates TLS 1.2
+ * 2. Server hello says TLS 1.0
+ * 3. RSA encrypted premaster secret uses 1.2.
+ * 4. Handhaked proceeds using TLS 1.0.
+ * 5. Server sends hello request to renegotiate.
+ * 6. Client hello indicates TLS v1.0 as we now
+ * know that is maximum server supports.
+ * 7. Server chokes on RSA encrypted premaster secret
+ * containing version 1.0.
+ *
+ * For interoperability it should be OK to always use the
+ * maximum version we support in client hello and then rely
+ * on the checking of version to ensure the servers isn't
+ * being inconsistent: for example initially negotiating with
+ * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
+ * client_version in client hello and not resetting it to
+ * the negotiated version.
+ */
#if 0
*(p++) = s->version >> 8;
*(p++) = s->version & 0xff;
/* SSL3_ST_CW_CLNT_HELLO_B */
return ssl_do_write(s);
err:
+ s->state = SSL_ST_ERR;
return (-1);
}
}
#ifndef OPENSSL_NO_TLSEXT
/*
- * check if we want to resume the session based on external pre-shared
- * secret
+ * Check if we can resume the session based on external pre-shared secret.
+ * EAP-FAST (RFC 4851) supports two types of session resumption.
+ * Resumption based on server-side state works with session IDs.
+ * Resumption based on pre-shared Protected Access Credentials (PACs)
+ * works by overriding the SessionTicket extension at the application
+ * layer, and does not send a session ID. (We do not know whether EAP-FAST
+ * servers would honour the session ID.) Therefore, the session ID alone
+ * is not a reliable indicator of session resumption, so we first check if
+ * we can resume, and later peek at the next handshake message to see if the
+ * server wants to resume.
*/
- if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb &&
+ s->session->tlsext_tick) {
SSL_CIPHER *pref_cipher = NULL;
s->session->master_key_length = sizeof(s->session->master_key);
if (s->tls_session_secret_cb(s, s->session->master_key,
s->tls_session_secret_cb_arg)) {
s->session->cipher = pref_cipher ?
pref_cipher : ssl_get_cipher_by_char(s, p + j);
- s->hit = 1;
+ } else {
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
}
}
#endif /* OPENSSL_NO_TLSEXT */
- if (!s->hit && j != 0 && j == s->session->session_id_length
+ if (j != 0 && j == s->session->session_id_length
&& memcmp(p, s->session->session_id, j) == 0) {
if (s->sid_ctx_length != s->session->sid_ctx_length
|| memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
goto f_err;
}
s->hit = 1;
- }
- /* a miss or crap from the other end */
- if (!s->hit) {
+ } else {
/*
- * If we were trying for session-id reuse, make a new SSL_SESSION so
- * we don't stuff up other people
+ * If we were trying for session-id reuse but the server
+ * didn't echo the ID, make a new SSL_SESSION.
+ * In the case of EAP-FAST and PAC, we do not send a session ID,
+ * so the PAC-based session secret is always preserved. It'll be
+ * overwritten if the server refuses resumption.
*/
if (s->session->session_id_length > 0) {
if (!ssl_get_new_session(s, 0)) {
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
+ s->state = SSL_ST_ERR;
return (-1);
}
if (0) {
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
- }
err:
+ s->state = SSL_ST_ERR;
+ }
+
EVP_PKEY_free(pkey);
X509_free(x);
sk_X509_pop_free(sk, X509_free);
EC_KEY_free(ecdh);
#endif
EVP_MD_CTX_cleanup(&md_ctx);
+ s->state = SSL_ST_ERR;
return (-1);
}
ca_sk = NULL;
ret = 1;
+ goto done;
err:
+ s->state = SSL_ST_ERR;
+ done:
if (ca_sk != NULL)
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return (ret);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
+ s->state = SSL_ST_ERR;
return (-1);
}
return 1;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ s->state = SSL_ST_ERR;
return (-1);
}
#endif
/* should contain no data */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
+ s->state = SSL_ST_ERR;
return -1;
}
ret = 1;
return (ret);
}
+#ifndef OPENSSL_NO_DH
+static DH *get_server_static_dh_key(SESS_CERT *scert)
+{
+ DH *dh_srvr = NULL;
+ EVP_PKEY *spkey = NULL;
+ int idx = scert->peer_cert_type;
+
+ if (idx >= 0)
+ spkey = X509_get_pubkey(scert->peer_pkeys[idx].x509);
+ if (spkey) {
+ dh_srvr = EVP_PKEY_get1_DH(spkey);
+ EVP_PKEY_free(spkey);
+ }
+ if (dh_srvr == NULL)
+ SSLerr(SSL_F_GET_SERVER_STATIC_DH_KEY, ERR_R_INTERNAL_ERROR);
+ return dh_srvr;
+}
+#endif
+
int ssl3_send_client_key_exchange(SSL *s)
{
unsigned char *p;
goto err;
}
- /*-
- * 20010406 VRS - Earlier versions used KRB5 AP_REQ
- * in place of RFC 2712 KerberosWrapper, as in:
- *
- * Send ticket (copy to *p, set n = length)
- * n = krb5_ap_req.length;
- * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
- * if (krb5_ap_req.data)
- * kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
- *
- * Now using real RFC 2712 KerberosWrapper
- * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
- * Note: 2712 "opaque" types are here replaced
- * with a 2-byte length followed by the value.
- * Example:
- * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
- * Where "xx xx" = length bytes. Shown here with
- * optional authenticator omitted.
- */
+ /*-
+ * 20010406 VRS - Earlier versions used KRB5 AP_REQ
+ * in place of RFC 2712 KerberosWrapper, as in:
+ *
+ * Send ticket (copy to *p, set n = length)
+ * n = krb5_ap_req.length;
+ * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+ * if (krb5_ap_req.data)
+ * kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+ *
+ * Now using real RFC 2712 KerberosWrapper
+ * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
+ * Note: 2712 "opaque" types are here replaced
+ * with a 2-byte length followed by the value.
+ * Example:
+ * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
+ * Where "xx xx" = length bytes. Shown here with
+ * optional authenticator omitted.
+ */
/* KerberosWrapper.Ticket */
s2n(enc_ticket->length, p);
if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
goto err;
- /*-
- * 20010420 VRS. Tried it this way; failed.
- * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
- * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
- * kssl_ctx->length);
- * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
- */
+ /*-
+ * 20010420 VRS. Tried it this way; failed.
+ * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
+ * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
+ * kssl_ctx->length);
+ * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
+ */
memset(iv, 0, sizeof iv); /* per RFC 1510 */
EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv);
goto err;
}
- if (scert->peer_dh_tmp != NULL)
+ if (scert->peer_dh_tmp != NULL) {
dh_srvr = scert->peer_dh_tmp;
- else {
- /* we get them from the cert */
- int idx = scert->peer_cert_type;
- EVP_PKEY *spkey = NULL;
- dh_srvr = NULL;
- if (idx >= 0)
- spkey = X509_get_pubkey(scert->peer_pkeys[idx].x509);
- if (spkey) {
- dh_srvr = EVP_PKEY_get1_DH(spkey);
- EVP_PKEY_free(spkey);
- }
- if (dh_srvr == NULL) {
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
+ } else {
+ dh_srvr = get_server_static_dh_key(scert);
+ if (dh_srvr == NULL)
goto err;
- }
}
+
if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
/* Use client certificate key */
EVP_PKEY *clkey = s->cert->key->privatekey;
* ecdh_clnt_cert to 1.
*/
if ((alg_k & (SSL_kECDHr | SSL_kECDHe)) && (s->cert != NULL)) {
- /*-
- * XXX: For now, we do not support client
- * authentication using ECDH certificates.
- * To add such support, one needs to add
- * code that checks for appropriate
- * conditions and sets ecdh_clnt_cert to 1.
- * For example, the cert have an ECC
- * key on the same curve as the server's
- * and the key should be authorized for
- * key agreement.
- *
- * One also needs to add code in ssl3_connect
- * to skip sending the certificate verify
- * message.
- *
- * if ((s->cert->key->privatekey != NULL) &&
- * (s->cert->key->privatekey->type ==
- * EVP_PKEY_EC) && ...)
- * ecdh_clnt_cert = 1;
- */
+ /*-
+ * XXX: For now, we do not support client
+ * authentication using ECDH certificates.
+ * To add such support, one needs to add
+ * code that checks for appropriate
+ * conditions and sets ecdh_clnt_cert to 1.
+ * For example, the cert have an ECC
+ * key on the same curve as the server's
+ * and the key should be authorized for
+ * key agreement.
+ *
+ * One also needs to add code in ssl3_connect
+ * to skip sending the certificate verify
+ * message.
+ *
+ * if ((s->cert->key->privatekey != NULL) &&
+ * (s->cert->key->privatekey->type ==
+ * EVP_PKEY_EC) && ...)
+ * ecdh_clnt_cert = 1;
+ */
}
if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
EVP_PKEY_encrypt_init(pkey_ctx);
/* Generate session key */
- RAND_bytes(premaster_secret, 32);
+ if (RAND_bytes(premaster_secret, 32) <= 0) {
+ EVP_PKEY_CTX_free(pkey_ctx);
+ goto err;
+ }
/*
* If we have client certificate, use its secret as peer key
*/
EC_KEY_free(clnt_ecdh);
EVP_PKEY_free(srvr_pub_pkey);
#endif
+ s->state = SSL_ST_ERR;
return (-1);
}
err:
EVP_MD_CTX_cleanup(&mctx);
EVP_PKEY_CTX_free(pctx);
+ s->state = SSL_ST_ERR;
return (-1);
}
}
if (i == 0) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
return 0;
}
s->rwstate = SSL_NOTHING;
2) ? NULL : s->cert->key)) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
return 0;
}
}
int i, idx;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
+ int pkey_bits;
SESS_CERT *sc;
#ifndef OPENSSL_NO_RSA
RSA *rsa;
}
#endif
pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);
+ pkey_bits = EVP_PKEY_bits(pkey);
i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);
EVP_PKEY_free(pkey);
}
#endif
#ifndef OPENSSL_NO_DH
- if ((alg_k & SSL_kEDH) &&
- !(has_bits(i, EVP_PK_DH | EVP_PKT_EXCH) || (dh != NULL))) {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY);
+ if ((alg_k & SSL_kEDH) && dh == NULL) {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
goto f_err;
- } else if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
+ }
+ if ((alg_k & SSL_kDHr) && !SSL_USE_SIGALGS(s) &&
!has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_DH_RSA_CERT);
goto f_err;
}
# ifndef OPENSSL_NO_DSA
- else if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
- !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) {
+ if ((alg_k & SSL_kDHd) && !SSL_USE_SIGALGS(s) &&
+ !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_DH_DSA_CERT);
goto f_err;
}
# endif
-#endif
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) {
+ if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
+ int dh_size;
+ if (alg_k & SSL_kDHE) {
+ dh_size = BN_num_bits(dh->p);
+ } else {
+ DH *dh_srvr = get_server_static_dh_key(sc);
+ if (dh_srvr == NULL)
+ goto f_err;
+ dh_size = BN_num_bits(dh_srvr->p);
+ DH_free(dh_srvr);
+ }
+
+ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
+ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
+ goto f_err;
+ }
+ }
+#endif /* !OPENSSL_NO_DH */
+
+ if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
+ pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
#ifndef OPENSSL_NO_RSA
if (alg_k & SSL_kRSA) {
if (rsa == NULL
return (0);
}
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#ifndef OPENSSL_NO_TLSEXT
+/*
+ * Normally, we can tell if the server is resuming the session from
+ * the session ID. EAP-FAST (RFC 4851), however, relies on the next server
+ * message after the ServerHello to determine if the server is resuming.
+ * Therefore, we allow EAP-FAST to peek ahead.
+ * ssl3_check_finished returns 1 if we are resuming from an external
+ * pre-shared secret, we have a "ticket" and the next server handshake message
+ * is Finished; and 0 otherwise. It returns -1 upon an error.
+ */
+static int ssl3_check_finished(SSL *s)
+{
+ int ok = 0;
+
+ if (s->version < TLS1_VERSION || !s->tls_session_secret_cb ||
+ !s->session->tlsext_tick)
+ return 0;
+
+ /* Need to permit this temporarily, in case the next message is Finished. */
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ /*
+ * This function is called when we might get a Certificate message instead,
+ * so permit appropriate message length.
+ * We ignore the return value as we're only interested in the message type
+ * and not its length.
+ */
+ s->method->ssl_get_message(s,
+ SSL3_ST_CR_CERT_A,
+ SSL3_ST_CR_CERT_B,
+ -1, s->max_cert_list, &ok);
+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
+ if (!ok)
+ return -1;
+
+ s->s3->tmp.reuse_message = 1;
+
+ if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
+ return 1;
+
+ /* If we're not done, then the CCS arrived early and we should bail. */
+ if (s->s3->change_cipher_spec) {
+ SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+ return -1;
+ }
+
+ return 0;
+}
+
+# ifndef OPENSSL_NO_NEXTPROTONEG
int ssl3_send_next_proto(SSL *s)
{
unsigned int len, padding_len;
return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
}
-#endif /* !OPENSSL_NO_TLSEXT &&
- * !OPENSSL_NO_NEXTPROTONEG */
+#endif /* !OPENSSL_NO_NEXTPROTONEG */
+#endif /* !OPENSSL_NO_TLSEXT */
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{