Implement Supported Elliptic Curves Extension.

[openssl.git] / ssl / s3_clnt.c

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e6a83fb5b66991d0272dc527321fbba9c3e4faa6..1b9b586f96fc9dc2d8ff7ed44a1b9d08bdc0f4f9 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -121,6 +121,32 @@
  * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
  *
  */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
 
 #include <stdio.h>
 #include "ssl_locl.h"
@@ -130,28 +156,19 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
+#endif
 #include <openssl/bn.h>
 
-static SSL_METHOD *ssl3_get_client_method(int ver);
-static int ssl3_client_hello(SSL *s);
-static int ssl3_get_server_hello(SSL *s);
-static int ssl3_get_certificate_request(SSL *s);
+static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
-static int ssl3_get_server_done(SSL *s);
-static int ssl3_send_client_verify(SSL *s);
-static int ssl3_send_client_certificate(SSL *s);
-static int ssl3_send_client_key_exchange(SSL *s);
-static int ssl3_get_key_exchange(SSL *s);
-static int ssl3_get_server_certificate(SSL *s);
-static int ssl3_check_cert_and_algorithm(SSL *s);
 
 #ifndef OPENSSL_NO_ECDH
-static int curve_id2nid(int curve_id);
 int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
 #endif
 
-static SSL_METHOD *ssl3_get_client_method(int ver)
+static const SSL_METHOD *ssl3_get_client_method(int ver)
        {
        if (ver == SSL3_VERSION)
                return(SSLv3_client_method());
@@ -159,33 +176,15 @@ static SSL_METHOD *ssl3_get_client_method(int ver)
                return(NULL);
        }
 
-SSL_METHOD *SSLv3_client_method(void)
-       {
-       static int init=1;
-       static SSL_METHOD SSLv3_client_data;
-
-       if (init)
-               {
-               CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-               if (init)
-                       {
-                       memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
-                               sizeof(SSL_METHOD));
-                       SSLv3_client_data.ssl_connect=ssl3_connect;
-                       SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
-                       init=0;
-                       }
-
-               CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-               }
-       return(&SSLv3_client_data);
-       }
+IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
+                       ssl_undefined_function,
+                       ssl3_connect,
+                       ssl3_get_client_method)
 
 int ssl3_connect(SSL *s)
        {
        BUF_MEM *buf=NULL;
-       unsigned long Time=time(NULL),l;
+       unsigned long Time=(unsigned long)time(NULL),l;
        long num1;
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int ret= -1;
@@ -281,6 +280,7 @@ int ssl3_connect(SSL *s)
                case SSL3_ST_CR_SRVR_HELLO_B:
                        ret=ssl3_get_server_hello(s);
                        if (ret <= 0) goto end;
+
                        if (s->hit)
                                s->state=SSL3_ST_CR_FINISHED_A;
                        else
@@ -291,7 +291,9 @@ int ssl3_connect(SSL *s)
                case SSL3_ST_CR_CERT_A:
                case SSL3_ST_CR_CERT_B:
                        /* Check if it is anon DH/ECDH */
-                       if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+                       /* or PSK */
+                       if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
+                               && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
                                {
                                ret=ssl3_get_server_certificate(s);
                                if (ret <= 0) goto end;
@@ -395,11 +397,15 @@ int ssl3_connect(SSL *s)
                        s->init_num=0;
 
                        s->session->cipher=s->s3->tmp.new_cipher;
+#ifdef OPENSSL_NO_COMP
+                       s->session->compress_meth=0;
+#else
                        if (s->s3->tmp.new_compression == NULL)
                                s->session->compress_meth=0;
                        else
                                s->session->compress_meth=
                                        s->s3->tmp.new_compression->id;
+#endif
                        if (!s->method->ssl3_enc->setup_key_block(s))
                                {
                                ret= -1;
@@ -539,13 +545,16 @@ end:
        }
 
 
-static int ssl3_client_hello(SSL *s)
+int ssl3_client_hello(SSL *s)
        {
        unsigned char *buf;
        unsigned char *p,*d;
-       int i,j;
+       int i;
        unsigned long Time,l;
+#ifndef OPENSSL_NO_COMP
+       int j;
        SSL_COMP *comp;
+#endif
 
        buf=(unsigned char *)s->init_buf->data;
        if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
@@ -560,9 +569,10 @@ static int ssl3_client_hello(SSL *s)
                /* else use the pre-loaded session */
 
                p=s->s3->client_random;
-               Time=time(NULL);                        /* Time */
+               Time=(unsigned long)time(NULL);                 /* Time */
                l2n(Time,p);
-               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
+               if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+                       goto err;
 
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -593,7 +603,7 @@ static int ssl3_client_hello(SSL *s)
                        }
                
                /* Ciphers supported */
-               i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
+               i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
                if (i == 0)
                        {
                        SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
@@ -603,7 +613,12 @@ static int ssl3_client_hello(SSL *s)
                p+=i;
 
                /* COMPRESSION */
-               if (s->ctx->comp_methods == NULL)
+#ifdef OPENSSL_NO_COMP
+               *(p++)=1;
+#else
+
+               if ((s->options & SSL_OP_NO_COMPRESSION)
+                                       || !s->ctx->comp_methods)
                        j=0;
                else
                        j=sk_SSL_COMP_num(s->ctx->comp_methods);
@@ -613,7 +628,20 @@ static int ssl3_client_hello(SSL *s)
                        comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
                        *(p++)=comp->id;
                        }
+#endif
                *(p++)=0; /* Add the NULL method */
+#ifndef OPENSSL_NO_TLSEXT
+               if (ssl_prepare_clienthello_tlsext(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+                       goto err;
+                       }
+               if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+                       {
+                       SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+                       goto err;
+                       }
+#endif
                
                l=(p-d);
                d=buf;
@@ -632,7 +660,7 @@ err:
        return(-1);
        }
 
-static int ssl3_get_server_hello(SSL *s)
+int ssl3_get_server_hello(SSL *s)
        {
        STACK_OF(SSL_CIPHER) *sk;
        SSL_CIPHER *c;
@@ -640,16 +668,44 @@ static int ssl3_get_server_hello(SSL *s)
        int i,al,ok;
        unsigned int j;
        long n;
+#ifndef OPENSSL_NO_COMP
        SSL_COMP *comp;
+#endif
 
-       n=ssl3_get_message(s,
+       n=s->method->ssl_get_message(s,
                SSL3_ST_CR_SRVR_HELLO_A,
                SSL3_ST_CR_SRVR_HELLO_B,
-               SSL3_MT_SERVER_HELLO,
+               -1,
                300, /* ?? */
                &ok);
 
        if (!ok) return((int)n);
+
+       if ( SSL_version(s) == DTLS1_VERSION)
+               {
+               if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
+                       {
+                       if ( s->d1->send_cookie == 0)
+                               {
+                               s->s3->tmp.reuse_message = 1;
+                               return 1;
+                               }
+                       else /* already sent a cookie */
+                               {
+                               al=SSL_AD_UNEXPECTED_MESSAGE;
+                               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
+                               goto f_err;
+                               }
+                       }
+               }
+       
+       if ( s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO)
+               {
+               al=SSL_AD_UNEXPECTED_MESSAGE;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_MESSAGE_TYPE);
+               goto f_err;
+               }
+
        d=p=(unsigned char *)s->init_msg;
 
        if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
@@ -745,8 +801,16 @@ static int ssl3_get_server_hello(SSL *s)
 
        /* lets get the compression algorithm */
        /* COMPRESSION */
+#ifdef OPENSSL_NO_COMP
+       if (*(p++) != 0)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+               goto f_err;
+               }
+#else
        j= *(p++);
-       if (j == 0)
+       if ((j == 0) || (s->options & SSL_OP_NO_COMPRESSION))
                comp=NULL;
        else
                comp=ssl3_comp_find(s->ctx->comp_methods,j);
@@ -761,6 +825,24 @@ static int ssl3_get_server_hello(SSL *s)
                {
                s->s3->tmp.new_compression=comp;
                }
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+       /* TLS extensions*/
+       if (s->version > SSL3_VERSION)
+               {
+               if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
+                       {
+                       /* 'al' set by ssl_parse_serverhello_tlsext */
+                       SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
+                       goto f_err; 
+                       }
+               if (ssl_check_serverhello_tlsext(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLSEXT);
+                               goto err;
+                       }
+               }
+#endif
 
        if (p != (d+n))
                {
@@ -777,7 +859,7 @@ err:
        return(-1);
        }
 
-static int ssl3_get_server_certificate(SSL *s)
+int ssl3_get_server_certificate(SSL *s)
        {
        int al,i,ok,ret= -1;
        unsigned long n,nc,llen,l;
@@ -789,7 +871,7 @@ static int ssl3_get_server_certificate(SSL *s)
        EVP_PKEY *pkey=NULL;
        int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
 
-       n=ssl3_get_message(s,
+       n=s->method->ssl_get_message(s,
                SSL3_ST_CR_CERT_A,
                SSL3_ST_CR_CERT_B,
                -1,
@@ -961,7 +1043,7 @@ err:
        return(ret);
        }
 
-static int ssl3_get_key_exchange(SSL *s)
+int ssl3_get_key_exchange(SSL *s)
        {
 #ifndef OPENSSL_NO_RSA
        unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
@@ -987,23 +1069,34 @@ static int ssl3_get_key_exchange(SSL *s)
 
        /* use same message size as in ssl3_get_certificate_request()
         * as ServerKeyExchange message may be skipped */
-       n=ssl3_get_message(s,
+       n=s->method->ssl_get_message(s,
                SSL3_ST_CR_KEY_EXCH_A,
                SSL3_ST_CR_KEY_EXCH_B,
                -1,
                s->max_cert_list,
                &ok);
-
        if (!ok) return((int)n);
 
        if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
                {
+#ifndef OPENSSL_NO_PSK
+               /* In plain PSK ciphersuite, ServerKeyExchange can be
+                  omitted if no identity hint is sent. Set
+                  session->sess_cert anyway to avoid problems
+                  later.*/
+                if (s->s3->tmp.new_cipher->algorithms & SSL_kPSK)
+                       {
+                       s->session->sess_cert=ssl_sess_cert_new();
+                       if (s->ctx->psk_identity_hint)
+                               OPENSSL_free(s->ctx->psk_identity_hint);
+                       s->ctx->psk_identity_hint = NULL;
+                       }
+#endif
                s->s3->tmp.reuse_message=1;
                return(1);
                }
 
        param=p=(unsigned char *)s->init_msg;
-
        if (s->session->sess_cert != NULL)
                {
 #ifndef OPENSSL_NO_RSA
@@ -1037,6 +1130,51 @@ static int ssl3_get_key_exchange(SSL *s)
        alg=s->s3->tmp.new_cipher->algorithms;
        EVP_MD_CTX_init(&md_ctx);
 
+#ifndef OPENSSL_NO_PSK
+       if (alg & SSL_kPSK)
+               {
+               char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
+
+               al=SSL_AD_HANDSHAKE_FAILURE;
+               n2s(p,i);
+               param_len=i+2;
+               /* Store PSK identity hint for later use, hint is used
+                * in ssl3_send_client_key_exchange.  Assume that the
+                * maximum length of a PSK identity hint can be as
+                * long as the maximum length of a PSK identity. */
+               if (i > PSK_MAX_IDENTITY_LEN)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                       goto f_err;
+                       }
+               if (param_len > n)
+                       {
+                       al=SSL_AD_DECODE_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
+                       goto f_err;
+                       }
+               /* If received PSK identity hint contains NULL
+                * characters, the hint is truncated from the first
+                * NULL. p may not be ending with NULL, so create a
+                * NULL-terminated string. */
+               memcpy(tmp_id_hint, p, i);
+               memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
+               if (s->ctx->psk_identity_hint != NULL)
+                       OPENSSL_free(s->ctx->psk_identity_hint);
+               s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
+               if (s->ctx->psk_identity_hint == NULL)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+                       goto f_err;
+                       }           
+
+               p+=i;
+               n-=param_len;
+               }
+       else
+#endif /* !OPENSSL_NO_PSK */
 #ifndef OPENSSL_NO_RSA
        if (alg & SSL_kRSA)
                {
@@ -1172,6 +1310,9 @@ static int ssl3_get_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_ECDH
        else if (alg & SSL_kECDHE)
                {
+               EC_GROUP *ngroup;
+               const EC_GROUP *group;
+
                if ((ecdh=EC_KEY_new()) == NULL)
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
@@ -1185,36 +1326,45 @@ static int ssl3_get_key_exchange(SSL *s)
                 */
 
                /* XXX: For now we only support named (not generic) curves
-                * and the ECParameters in this case is just two bytes.
+                * and the ECParameters in this case is just three bytes.
                 */
-               param_len=2;
+               param_len=3;
                if ((param_len > n) ||
                    (*p != NAMED_CURVE_TYPE) || 
-                   ((curve_nid = curve_id2nid(*(p + 1))) == 0)) 
+                   ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 
                        {
                        al=SSL_AD_INTERNAL_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
                        goto f_err;
                        }
 
-               if (!(ecdh->group=EC_GROUP_new_by_nid(curve_nid)))
+               ngroup = EC_GROUP_new_by_curve_name(curve_nid);
+               if (ngroup == NULL)
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
                        goto err;
                        }
+               if (EC_KEY_set_group(ecdh, ngroup) == 0)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_EC_LIB);
+                       goto err;
+                       }
+               EC_GROUP_free(ngroup);
+
+               group = EC_KEY_get0_group(ecdh);
 
                if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
-                   (EC_GROUP_get_degree(ecdh->group) > 163))
+                   (EC_GROUP_get_degree(group) > 163))
                        {
                        al=SSL_AD_EXPORT_RESTRICTION;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
                        goto f_err;
                        }
 
-               p+=2;
+               p+=3;
 
                /* Next, get the encoded ECPoint */
-               if (((srvr_ecpoint = EC_POINT_new(ecdh->group)) == NULL) ||
+               if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
                    ((bn_ctx = BN_CTX_new()) == NULL))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
@@ -1225,7 +1375,7 @@ static int ssl3_get_key_exchange(SSL *s)
                p+=1;
                param_len += (1 + encoded_pt_len);
                if ((param_len > n) ||
-                   (EC_POINT_oct2point(ecdh->group, srvr_ecpoint, 
+                   (EC_POINT_oct2point(group, srvr_ecpoint, 
                        p, encoded_pt_len, bn_ctx) == 0))
                        {
                        al=SSL_AD_DECODE_ERROR;
@@ -1250,10 +1400,11 @@ static int ssl3_get_key_exchange(SSL *s)
                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
 #endif
                /* else anonymous ECDH, so no certificate or pkey. */
-               ecdh->pub_key = srvr_ecpoint;
+               EC_KEY_set_public_key(ecdh, srvr_ecpoint);
                s->session->sess_cert->peer_ecdh_tmp=ecdh;
                ecdh=NULL;
                BN_CTX_free(bn_ctx);
+               EC_POINT_free(srvr_ecpoint);
                srvr_ecpoint = NULL;
                }
        else if (alg & SSL_kECDH)
@@ -1367,12 +1518,13 @@ static int ssl3_get_key_exchange(SSL *s)
                }
        else
                {
-               /* still data left over */
-               if (!(alg & SSL_aNULL))
+               if (!(alg & SSL_aNULL) && !(alg & SSL_kPSK))
+                       /* aNULL or kPSK do not need public keys */
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
                        goto err;
                        }
+               /* still data left over */
                if (n != 0)
                        {
                        al=SSL_AD_DECODE_ERROR;
@@ -1405,7 +1557,7 @@ err:
        return(-1);
        }
 
-static int ssl3_get_certificate_request(SSL *s)
+int ssl3_get_certificate_request(SSL *s)
        {
        int ok,ret=0;
        unsigned long n,nc,l;
@@ -1415,7 +1567,7 @@ static int ssl3_get_certificate_request(SSL *s)
        unsigned char *d;
        STACK_OF(X509_NAME) *ca_sk=NULL;
 
-       n=ssl3_get_message(s,
+       n=s->method->ssl_get_message(s,
                SSL3_ST_CR_CERT_REQ_A,
                SSL3_ST_CR_CERT_REQ_B,
                -1,
@@ -1553,12 +1705,12 @@ static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
        return(X509_NAME_cmp(*a,*b));
        }
 
-static int ssl3_get_server_done(SSL *s)
+int ssl3_get_server_done(SSL *s)
        {
        int ok,ret=0;
        long n;
 
-       n=ssl3_get_message(s,
+       n=s->method->ssl_get_message(s,
                SSL3_ST_CR_SRVR_DONE_A,
                SSL3_ST_CR_SRVR_DONE_B,
                SSL3_MT_SERVER_DONE,
@@ -1578,21 +1730,7 @@ static int ssl3_get_server_done(SSL *s)
        }
 
 
-static const int KDF1_SHA1_len = 20;
-static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
-       {
-#ifndef OPENSSL_NO_SHA
-       if (*outlen < SHA_DIGEST_LENGTH)
-               return NULL;
-       else
-               *outlen = SHA_DIGEST_LENGTH;
-       return SHA1(in, inlen, out);
-#else
-       return NULL;
-#endif
-       }
-
-static int ssl3_send_client_key_exchange(SSL *s)
+int ssl3_send_client_key_exchange(SSL *s)
        {
        unsigned char *p,*d;
        int n;
@@ -1606,7 +1744,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
 #endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *clnt_ecdh = NULL;
-       EC_POINT *srvr_ecpoint = NULL;
+       const EC_POINT *srvr_ecpoint = NULL;
        EVP_PKEY *srvr_pub_pkey = NULL;
        unsigned char *encodedPoint = NULL;
        int encoded_pt_len = 0;
@@ -1873,7 +2011,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_ECDH 
                else if ((l & SSL_kECDH) || (l & SSL_kECDHE))
                        {
-                       EC_GROUP *srvr_group = NULL;
+                       const EC_GROUP *srvr_group = NULL;
+                       EC_KEY *tkey;
                        int ecdh_clnt_cert = 0;
                        int field_size = 0;
 
@@ -1907,10 +2046,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
 
                        if (s->session->sess_cert->peer_ecdh_tmp != NULL)
                                {
-                               srvr_group = s->session->sess_cert-> \
-                                   peer_ecdh_tmp->group;
-                               srvr_ecpoint = s->session->sess_cert-> \
-                                   peer_ecdh_tmp->pub_key;
+                               tkey = s->session->sess_cert->peer_ecdh_tmp;
                                }
                        else
                                {
@@ -1919,18 +2055,19 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                    sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
                                if ((srvr_pub_pkey == NULL) ||
                                    (srvr_pub_pkey->type != EVP_PKEY_EC) ||
-                                   (srvr_pub_pkey->pkey.eckey == NULL))
+                                   (srvr_pub_pkey->pkey.ec == NULL))
                                        {
                                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                                            ERR_R_INTERNAL_ERROR);
                                        goto err;
                                        }
 
-                               srvr_group = srvr_pub_pkey->pkey.eckey->group;
-                               srvr_ecpoint = 
-                                   srvr_pub_pkey->pkey.eckey->pub_key;
+                               tkey = srvr_pub_pkey->pkey.ec;
                                }
 
+                       srvr_group   = EC_KEY_get0_group(tkey);
+                       srvr_ecpoint = EC_KEY_get0_public_key(tkey);
+
                        if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
                                {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
@@ -1944,15 +2081,30 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                goto err;
                                }
 
-                       clnt_ecdh->group = srvr_group;
+                       if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
+                               goto err;
+                               }
                        if (ecdh_clnt_cert) 
                                { 
                                /* Reuse key info from our certificate
                                 * We only need our private key to perform
                                 * the ECDH computation.
                                 */
-                               clnt_ecdh->priv_key = BN_dup(s->cert->key-> \
-                                   privatekey->pkey.eckey->priv_key);
+                               const BIGNUM *priv_key;
+                               tkey = s->cert->key->privatekey->pkey.ec;
+                               priv_key = EC_KEY_get0_private_key(tkey);
+                               if (priv_key == NULL)
+                                       {
+                                       SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+                                       goto err;
+                                       }
+                               if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
+                                       {
+                                       SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
+                                       goto err;
+                                       }
                                }
                        else 
                                {
@@ -1968,21 +2120,14 @@ static int ssl3_send_client_key_exchange(SSL *s)
                         * make sure to clear it out afterwards
                         */
 
-                       field_size = EC_GROUP_get_degree(clnt_ecdh->group);
+                       field_size = EC_GROUP_get_degree(srvr_group);
                        if (field_size <= 0)
                                {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
                                       ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       /* If field size is not more than 24 octets, then use SHA-1 hash of result;
-                        * otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt;
-                        * this is new with this version of the Internet Draft).
-                        */
-                       if (field_size <= 24 * 8)
-                               n=ECDH_compute_key(p, KDF1_SHA1_len, srvr_ecpoint, clnt_ecdh, KDF1_SHA1);
-                       else
-                               n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
+                       n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
                        if (n <= 0)
                                {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, 
@@ -2009,8 +2154,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                 * allocate memory accordingly.
                                 */
                                encoded_pt_len = 
-                                   EC_POINT_point2oct(clnt_ecdh->group, 
-                                       clnt_ecdh->pub_key, 
+                                   EC_POINT_point2oct(srvr_group, 
+                                       EC_KEY_get0_public_key(clnt_ecdh), 
                                        POINT_CONVERSION_UNCOMPRESSED, 
                                        NULL, 0, NULL);
 
@@ -2026,8 +2171,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                        }
 
                                /* Encode the public key */
-                               n = EC_POINT_point2oct(clnt_ecdh->group, 
-                                   clnt_ecdh->pub_key, 
+                               n = EC_POINT_point2oct(srvr_group, 
+                                   EC_KEY_get0_public_key(clnt_ecdh), 
                                    POINT_CONVERSION_UNCOMPRESSED, 
                                    encodedPoint, encoded_pt_len, bn_ctx);
 
@@ -2044,14 +2189,92 @@ static int ssl3_send_client_key_exchange(SSL *s)
                        BN_CTX_free(bn_ctx);
                        if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
                        if (clnt_ecdh != NULL) 
-                               {
-                                /* group is shared */
-                                clnt_ecdh->group = NULL; 
                                 EC_KEY_free(clnt_ecdh);
-                               }
                        EVP_PKEY_free(srvr_pub_pkey);
                        }
 #endif /* !OPENSSL_NO_ECDH */
+#ifndef OPENSSL_NO_PSK
+               else if (l & SSL_kPSK)
+                       {
+                       char identity[PSK_MAX_IDENTITY_LEN];
+                       unsigned char *t = NULL;
+                       unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
+                       unsigned int pre_ms_len = 0, psk_len = 0;
+                       int psk_err = 1;
+
+                       n = 0;
+                       if (s->psk_client_callback == NULL)
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                       SSL_R_PSK_NO_CLIENT_CB);
+                               goto err;
+                               }
+
+                       psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
+                               identity, PSK_MAX_IDENTITY_LEN,
+                               psk_or_pre_ms, sizeof(psk_or_pre_ms));
+                       if (psk_len > PSK_MAX_PSK_LEN)
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_INTERNAL_ERROR);
+                               goto psk_err;
+                               }
+                       else if (psk_len == 0)
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                       SSL_R_PSK_IDENTITY_NOT_FOUND);
+                               goto psk_err;
+                               }
+
+                       /* create PSK pre_master_secret */
+                       pre_ms_len = 2+psk_len+2+psk_len;
+                       t = psk_or_pre_ms;
+                       memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
+                       s2n(psk_len, t);
+                       memset(t, 0, psk_len);
+                       t+=psk_len;
+                       s2n(psk_len, t);
+
+                       if (s->session->psk_identity_hint != NULL)
+                               OPENSSL_free(s->session->psk_identity_hint);
+                       s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
+                       if (s->ctx->psk_identity_hint != NULL &&
+                               s->session->psk_identity_hint == NULL)
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_MALLOC_FAILURE);
+                               goto psk_err;
+                               }
+
+                       if (s->session->psk_identity != NULL)
+                               OPENSSL_free(s->session->psk_identity);
+                       s->session->psk_identity = BUF_strdup(identity);
+                       if (s->session->psk_identity == NULL)
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_MALLOC_FAILURE);
+                               goto psk_err;
+                               }
+
+                       s->session->master_key_length =
+                               s->method->ssl3_enc->generate_master_secret(s,
+                                       s->session->master_key,
+                                       psk_or_pre_ms, pre_ms_len); 
+                       n = strlen(identity);
+                       s2n(n, p);
+                       memcpy(p, identity, n);
+                       n+=2;
+                       psk_err = 0;
+               psk_err:
+                       OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
+                       OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));  
+                       if (psk_err != 0)
+                               {
+                               ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+                               goto err;
+                               }
+                       }
+#endif
                else
                        {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
@@ -2077,17 +2300,13 @@ err:
        BN_CTX_free(bn_ctx);
        if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
        if (clnt_ecdh != NULL) 
-               {
-               /* group is shared */
-               clnt_ecdh->group = NULL; 
                EC_KEY_free(clnt_ecdh);
-               }
        EVP_PKEY_free(srvr_pub_pkey);
 #endif
        return(-1);
        }
 
-static int ssl3_send_client_verify(SSL *s)
+int ssl3_send_client_verify(SSL *s)
        {
        unsigned char *p,*d;
        unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
@@ -2096,7 +2315,7 @@ static int ssl3_send_client_verify(SSL *s)
        unsigned u=0;
 #endif
        unsigned long n;
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
        int j;
 #endif
 
@@ -2148,7 +2367,7 @@ static int ssl3_send_client_verify(SSL *s)
                        if (!ECDSA_sign(pkey->save_type,
                                &(data[MD5_DIGEST_LENGTH]),
                                SHA_DIGEST_LENGTH,&(p[2]),
-                               (unsigned int *)&j,pkey->pkey.eckey))
+                               (unsigned int *)&j,pkey->pkey.ec))
                                {
                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
                                    ERR_R_ECDSA_LIB);
@@ -2175,7 +2394,7 @@ err:
        return(-1);
        }
 
-static int ssl3_send_client_certificate(SSL *s)
+int ssl3_send_client_certificate(SSL *s)
        {
        X509 *x509=NULL;
        EVP_PKEY *pkey=NULL;
@@ -2254,7 +2473,7 @@ static int ssl3_send_client_certificate(SSL *s)
 
 #define has_bits(i,m)  (((i)&(m)) == (m))
 
-static int ssl3_check_cert_and_algorithm(SSL *s)
+int ssl3_check_cert_and_algorithm(SSL *s)
        {
        int i,idx;
        long algs;
@@ -2268,7 +2487,6 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
 #endif
 
        sc=s->session->sess_cert;
-
        if (sc == NULL)
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
@@ -2278,7 +2496,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
        algs=s->s3->tmp.new_cipher->algorithms;
 
        /* we don't have a certificate */
-       if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
+       if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5|SSL_kPSK))
                return(1);
 
 #ifndef OPENSSL_NO_RSA
@@ -2390,46 +2608,3 @@ f_err:
 err:
        return(0);
        }
-
-
-#ifndef OPENSSL_NO_ECDH
-/* This is the complement of nid2curve_id in s3_srvr.c. */
-static int curve_id2nid(int curve_id)
-{
-       /* ECC curves from draft-ietf-tls-ecc-01.txt (Mar 15, 2001)
-        * (no changes in draft-ietf-tls-ecc-03.txt [June 2003]) */
-       static int nid_list[26] =
-       {
-               0,
-               NID_sect163k1, /* sect163k1 (1) */
-               NID_sect163r1, /* sect163r1 (2) */
-               NID_sect163r2, /* sect163r2 (3) */
-               NID_sect193r1, /* sect193r1 (4) */ 
-               NID_sect193r2, /* sect193r2 (5) */ 
-               NID_sect233k1, /* sect233k1 (6) */
-               NID_sect233r1, /* sect233r1 (7) */ 
-               NID_sect239k1, /* sect239k1 (8) */ 
-               NID_sect283k1, /* sect283k1 (9) */
-               NID_sect283r1, /* sect283r1 (10) */ 
-               NID_sect409k1, /* sect409k1 (11) */ 
-               NID_sect409r1, /* sect409r1 (12) */
-               NID_sect571k1, /* sect571k1 (13) */ 
-               NID_sect571r1, /* sect571r1 (14) */ 
-               NID_secp160k1, /* secp160k1 (15) */
-               NID_secp160r1, /* secp160r1 (16) */ 
-               NID_secp160r2, /* secp160r2 (17) */ 
-               NID_secp192k1, /* secp192k1 (18) */
-               NID_X9_62_prime192v1, /* secp192r1 (19) */ 
-               NID_secp224k1, /* secp224k1 (20) */ 
-               NID_secp224r1, /* secp224r1 (21) */
-               NID_secp256k1, /* secp256k1 (22) */ 
-               NID_X9_62_prime256v1, /* secp256r1 (23) */ 
-               NID_secp384r1, /* secp384r1 (24) */
-               NID_secp521r1  /* secp521r1 (25) */     
-       };
-       
-       if ((curve_id < 1) || (curve_id > 25)) return 0;
-
-       return nid_list[curve_id];
-}
-#endif