Set s->hit when resuming from external pre-shared secret.
[openssl.git] / ssl / s3_clnt.c
index a6b3c01afa18ae7c26e87f45296131cc4e092dd3..3a3b2a335287a5474adbc8d56aa2e06afa42fc9c 100644 (file)
 #include <openssl/engine.h>
 #endif
 
 #include <openssl/engine.h>
 #endif
 
-static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
 
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
 
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_client_method(int ver)
        {
        if (ver == SSL3_VERSION)
 static const SSL_METHOD *ssl3_get_client_method(int ver)
        {
        if (ver == SSL3_VERSION)
@@ -182,6 +182,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
                        ssl_undefined_function,
                        ssl3_connect,
                        ssl3_get_client_method)
                        ssl_undefined_function,
                        ssl3_connect,
                        ssl3_get_client_method)
+#endif
 
 int ssl3_connect(SSL *s)
        {
 
 int ssl3_connect(SSL *s)
        {
@@ -326,9 +327,9 @@ int ssl3_connect(SSL *s)
                                break;
                                }
 #endif
                                break;
                                }
 #endif
-                       /* Check if it is anon DH/ECDH */
+                       /* Check if it is anon DH/ECDH, SRP auth */
                        /* or PSK */
                        /* or PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) &&
                            !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                ret=ssl3_get_server_certificate(s);
                            !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                ret=ssl3_get_server_certificate(s);
@@ -510,6 +511,7 @@ int ssl3_connect(SSL *s)
                                s->method->ssl3_enc->client_finished_label,
                                s->method->ssl3_enc->client_finished_label_len);
                        if (ret <= 0) goto end;
                                s->method->ssl3_enc->client_finished_label,
                                s->method->ssl3_enc->client_finished_label_len);
                        if (ret <= 0) goto end;
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        s->state=SSL3_ST_CW_FLUSH;
 
                        /* clear flags */
                        s->state=SSL3_ST_CW_FLUSH;
 
                        /* clear flags */
@@ -559,6 +561,7 @@ int ssl3_connect(SSL *s)
                case SSL3_ST_CR_FINISHED_A:
                case SSL3_ST_CR_FINISHED_B:
 
                case SSL3_ST_CR_FINISHED_A:
                case SSL3_ST_CR_FINISHED_B:
 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
                                SSL3_ST_CR_FINISHED_B);
                        if (ret <= 0) goto end;
                        ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
                                SSL3_ST_CR_FINISHED_B);
                        if (ret <= 0) goto end;
@@ -877,6 +880,8 @@ int ssl3_get_server_hello(SSL *s)
        memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
        p+=SSL3_RANDOM_SIZE;
 
        memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
        p+=SSL3_RANDOM_SIZE;
 
+       s->hit = 0;
+
        /* get the session-id */
        j= *(p++);
 
        /* get the session-id */
        j= *(p++);
 
@@ -900,11 +905,13 @@ int ssl3_get_server_hello(SSL *s)
                        {
                        s->session->cipher = pref_cipher ?
                                pref_cipher : ssl_get_cipher_by_char(s, p+j);
                        {
                        s->session->cipher = pref_cipher ?
                                pref_cipher : ssl_get_cipher_by_char(s, p+j);
+                       s->hit = 1;
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        }
                }
 #endif /* OPENSSL_NO_TLSEXT */
 
                        }
                }
 #endif /* OPENSSL_NO_TLSEXT */
 
-       if (j != 0 && j == s->session->session_id_length
+       if (!s->hit && j != 0 && j == s->session->session_id_length
            && memcmp(p,s->session->session_id,j) == 0)
            {
            if(s->sid_ctx_length != s->session->sid_ctx_length
            && memcmp(p,s->session->session_id,j) == 0)
            {
            if(s->sid_ctx_length != s->session->sid_ctx_length
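Review bot: Adding `!s->hit` to the session-id comparison at L116 means a session selected through the TLSEXT resumption path (the block closed by `#endif /* OPENSSL_NO_TLSEXT */`, which now sets `s->hit = 1` at L105) no longer reaches the `sid_ctx` comparison at L119, even when the server echoes a matching session id. If an externally supplied session is also meant to be bound to this SSL's sid_ctx, that comparison has to run for it too; if the callback owns that decision, say so on the `s->hit = 1;` line, e.g. `/* session chosen externally; sid_ctx binding is not re-checked here */`, so the bypass reads as deliberate. Both branches lie inside ssl3_get_server_hello, whose body starts and ends outside this hunk.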
@@ -915,13 +922,14 @@ int ssl3_get_server_hello(SSL *s)
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                goto f_err;
                }
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                goto f_err;
                }
+           s->s3->flags |= SSL3_FLAGS_CCS_OK;
            s->hit=1;
            }
            s->hit=1;
            }
-       else    /* a miss or crap from the other end */
+       /* a miss or crap from the other end */
+       if (!s->hit)
                {
                /* If we were trying for session-id reuse, make a new
                 * SSL_SESSION so we don't stuff up other people */
                {
                /* If we were trying for session-id reuse, make a new
                 * SSL_SESSION so we don't stuff up other people */
-               s->hit=0;
                if (s->session->session_id_length > 0)
                        {
                        if (!ssl_get_new_session(s,0))
                if (s->session->session_id_length > 0)
                        {
                        if (!ssl_get_new_session(s,0))
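Review bot: Replacing the `else` with a standalone `if (!s->hit)` at L137 makes the miss branch depend on `s->hit` having been reset to 0 earlier in the function (the `s->hit = 0;` added at L90); without that reset a hit value left over from an earlier handshake would skip `ssl_get_new_session`. That coupling is not visible from this point in the function, so a short comment would help, e.g. `/* s->hit was cleared above; only the TLSEXT resumption path or a matching session id sets it */`. The enclosing function continues past the hunk.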
@@ -950,6 +958,15 @@ int ssl3_get_server_hello(SSL *s)
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
                goto f_err;
                }
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
                goto f_err;
                }
+#ifndef OPENSSL_NO_SRP
+       if (((c->algorithm_mkey & SSL_kSRP) || (c->algorithm_auth & SSL_aSRP)) &&
+                   !(s->srp_ctx.srp_Mask & SSL_kSRP))
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
+               goto f_err;
+               }
+#endif /* OPENSSL_NO_SRP */
        p+=ssl_put_cipher_by_char(s,NULL,NULL);
 
        sk=ssl_get_ciphers_by_id(s);
        p+=ssl_put_cipher_by_char(s,NULL,NULL);
 
        sk=ssl_get_ciphers_by_id(s);
@@ -1264,8 +1281,8 @@ int ssl3_get_key_exchange(SSL *s)
 #endif
        EVP_MD_CTX md_ctx;
        unsigned char *param,*p;
 #endif
        EVP_MD_CTX md_ctx;
        unsigned char *param,*p;
-       int al,i,j,param_len,ok;
-       long n,alg_k,alg_a;
+       int al,j,ok;
+       long i,param_len,n,alg_k,alg_a;
        EVP_PKEY *pkey=NULL;
        const EVP_MD *md = NULL;
 #ifndef OPENSSL_NO_RSA
        EVP_PKEY *pkey=NULL;
        const EVP_MD *md = NULL;
 #ifndef OPENSSL_NO_RSA
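Review bot: The widening of `i` and `param_len` from `int` to `long` at L182–L183 is not explained in the hunk, and it is coupled to a change elsewhere in the same file: the `EVP_DigestFinal_ex(&md_ctx,q,&size)` rewrite at L814 exists because the old `(unsigned int *)&i` would now alias only part of a `long`. Presumably the aim is that every `i > n - param_len` comparison below is evaluated in the same signed type as `n`; a comment on the declaration, e.g. `/* i and param_len are long, matching n, so remaining-length checks never mix widths */`, would record that. Any other consumer of `i` that assumes `int` width (such as the `RSA_verify` result assigned to it at L818) should be checked outside the hunk.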
@@ -1341,36 +1358,48 @@ int ssl3_get_key_exchange(SSL *s)
                s->session->sess_cert=ssl_sess_cert_new();
                }
 
                s->session->sess_cert=ssl_sess_cert_new();
                }
 
+       /* Total length of the parameters including the length prefix */
        param_len=0;
        param_len=0;
+
        alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a=s->s3->tmp.new_cipher->algorithm_auth;
        EVP_MD_CTX_init(&md_ctx);
 
        alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a=s->s3->tmp.new_cipher->algorithm_auth;
        EVP_MD_CTX_init(&md_ctx);
 
+       al=SSL_AD_DECODE_ERROR;
+
 #ifndef OPENSSL_NO_PSK
        if (alg_k & SSL_kPSK)
                {
                char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
 
 #ifndef OPENSSL_NO_PSK
        if (alg_k & SSL_kPSK)
                {
                char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
 
-               al=SSL_AD_HANDSHAKE_FAILURE;
+               param_len = 2;
+               if (param_len > n)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
                n2s(p,i);
                n2s(p,i);
-               param_len=i+2;
+
                /* Store PSK identity hint for later use, hint is used
                 * in ssl3_send_client_key_exchange.  Assume that the
                 * maximum length of a PSK identity hint can be as
                 * long as the maximum length of a PSK identity. */
                if (i > PSK_MAX_IDENTITY_LEN)
                        {
                /* Store PSK identity hint for later use, hint is used
                 * in ssl3_send_client_key_exchange.  Assume that the
                 * maximum length of a PSK identity hint can be as
                 * long as the maximum length of a PSK identity. */
                if (i > PSK_MAX_IDENTITY_LEN)
                        {
+                       al=SSL_AD_HANDSHAKE_FAILURE;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
                        goto f_err;
                        }
-               if (param_len > n)
+               if (i > n - param_len)
                        {
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
                                SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
                                SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                /* If received PSK identity hint contains NULL
                 * characters, the hint is truncated from the first
                 * NULL. p may not be ending with NULL, so create a
                /* If received PSK identity hint contains NULL
                 * characters, the hint is truncated from the first
                 * NULL. p may not be ending with NULL, so create a
@@ -1382,6 +1411,7 @@ int ssl3_get_key_exchange(SSL *s)
                s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
                if (s->ctx->psk_identity_hint == NULL)
                        {
                s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
                if (s->ctx->psk_identity_hint == NULL)
                        {
+                       al=SSL_AD_HANDSHAKE_FAILURE;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
                        goto f_err;
                        }          
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
                        goto f_err;
                        }          
@@ -1394,14 +1424,22 @@ int ssl3_get_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_SRP
        if (alg_k & SSL_kSRP)
                {
 #ifndef OPENSSL_NO_SRP
        if (alg_k & SSL_kSRP)
                {
-               n2s(p,i);
-               param_len=i+2;
+               param_len = 2;
                if (param_len > n)
                        {
                if (param_len > n)
                        {
-                       al=SSL_AD_DECODE_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               n2s(p,i);
+
+               if (i > n - param_len)
+                       {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1409,14 +1447,24 @@ int ssl3_get_key_exchange(SSL *s)
                        }
                p+=i;
 
                        }
                p+=i;
 
+
+               if (2 > n - param_len)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               param_len += 2;
+
                n2s(p,i);
                n2s(p,i);
-               param_len+=i+2;
-               if (param_len > n)
+
+               if (i > n - param_len)
                        {
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1424,15 +1472,25 @@ int ssl3_get_key_exchange(SSL *s)
                        }
                p+=i;
 
                        }
                p+=i;
 
+
+               if (1 > n - param_len)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               param_len += 1;
+
                i = (unsigned int)(p[0]);
                p++;
                i = (unsigned int)(p[0]);
                p++;
-               param_len+=i+1;
-               if (param_len > n)
+
+               if (i > n - param_len)
                        {
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1440,14 +1498,23 @@ int ssl3_get_key_exchange(SSL *s)
                        }
                p+=i;
 
                        }
                p+=i;
 
+               if (2 > n - param_len)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               param_len += 2;
+
                n2s(p,i);
                n2s(p,i);
-               param_len+=i+2;
-               if (param_len > n)
+
+               if (i > n - param_len)
                        {
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1456,6 +1523,12 @@ int ssl3_get_key_exchange(SSL *s)
                p+=i;
                n-=param_len;
 
                p+=i;
                n-=param_len;
 
+               if (!srp_verify_server_param(s, &al))
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS);
+                       goto f_err;
+                       }
+
 /* We must check if there is a certificate */
 #ifndef OPENSSL_NO_RSA
                if (alg_a & SSL_aRSA)
 /* We must check if there is a certificate */
 #ifndef OPENSSL_NO_RSA
                if (alg_a & SSL_aRSA)
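Review bot: The new `srp_verify_server_param(s, &al)` call at L451 is the only thing standing between the raw N, g, s and B values parsed above and their later use, yet the hunk gives no hint of what it rejects or which alert it selects through `&al`. A comment on the call, e.g. `/* reject server-chosen SRP parameters we are not willing to use; srp_verify_server_param sets al on failure */`, would make the security role of the call visible at the point of use. What it actually validates is not visible here and should be confirmed against its definition.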
@@ -1479,14 +1552,23 @@ int ssl3_get_key_exchange(SSL *s)
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
                        goto err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
                        goto err;
                        }
-               n2s(p,i);
-               param_len=i+2;
+
+               param_len = 2;
                if (param_len > n)
                        {
                if (param_len > n)
                        {
-                       al=SSL_AD_DECODE_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               n2s(p,i);
+
+               if (i > n - param_len)
+                       {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_MODULUS_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(rsa->n=BN_bin2bn(p,i,rsa->n)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1494,14 +1576,23 @@ int ssl3_get_key_exchange(SSL *s)
                        }
                p+=i;
 
                        }
                p+=i;
 
+               if (2 > n - param_len)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               param_len += 2;
+
                n2s(p,i);
                n2s(p,i);
-               param_len+=i+2;
-               if (param_len > n)
+
+               if (i > n - param_len)
                        {
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_E_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(rsa->e=BN_bin2bn(p,i,rsa->e)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1533,14 +1624,23 @@ int ssl3_get_key_exchange(SSL *s)
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
                        goto err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_DH_LIB);
                        goto err;
                        }
-               n2s(p,i);
-               param_len=i+2;
+
+               param_len = 2;
                if (param_len > n)
                        {
                if (param_len > n)
                        {
-                       al=SSL_AD_DECODE_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               n2s(p,i);
+
+               if (i > n - param_len)
+                       {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_P_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(dh->p=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(dh->p=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
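Review bot: The DH hunk starting at L539, and the two that follow at L577 and L615, bound only the encoded lengths of p, g and pub_key against the remaining message length `n`; none of them places a lower bound on the size of `dh->p` or checks that `pub_key` lies in the expected range for `p`. If that validation happens where the key is later used it is outside these hunks; if not, the client accepts whatever group the server sends. A comment after the last `BN_bin2bn`, e.g. `/* lengths only; group strength and pub_key range are not validated here */`, would at least make the gap explicit for the next reader.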
@@ -1548,14 +1648,23 @@ int ssl3_get_key_exchange(SSL *s)
                        }
                p+=i;
 
                        }
                p+=i;
 
+               if (2 > n - param_len)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               param_len += 2;
+
                n2s(p,i);
                n2s(p,i);
-               param_len+=i+2;
-               if (param_len > n)
+
+               if (i > n - param_len)
                        {
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_G_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(dh->g=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(dh->g=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1563,14 +1672,23 @@ int ssl3_get_key_exchange(SSL *s)
                        }
                p+=i;
 
                        }
                p+=i;
 
+               if (2 > n - param_len)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+               param_len += 2;
+
                n2s(p,i);
                n2s(p,i);
-               param_len+=i+2;
-               if (param_len > n)
+
+               if (i > n - param_len)
                        {
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_DH_PUB_KEY_LENGTH);
                        goto f_err;
                        }
+               param_len += i;
+
                if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
                if (!(dh->pub_key=BN_bin2bn(p,i,NULL)))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
@@ -1622,12 +1740,19 @@ int ssl3_get_key_exchange(SSL *s)
                 */
 
                /* XXX: For now we only support named (not generic) curves
                 */
 
                /* XXX: For now we only support named (not generic) curves
-                * and the ECParameters in this case is just three bytes.
+                * and the ECParameters in this case is just three bytes. We
+                * also need one byte for the length of the encoded point
                 */
                 */
-               param_len=3;
-               if ((param_len > n) ||
-                   (*p != NAMED_CURVE_TYPE) || 
-                   ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 
+               param_len=4;
+               if (param_len > n)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
+
+               if ((*p != NAMED_CURVE_TYPE) || 
+                   ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0))
                        {
                        al=SSL_AD_INTERNAL_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
                        {
                        al=SSL_AD_INTERNAL_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
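Review bot: With the length check split out at L670, the remaining curve check at L677–L678 still reports a peer-chosen curve type or an unknown curve id with `al=SSL_AD_INTERNAL_ERROR` (L680), which describes a malformed or unsupported server message as a local fault; a decode or illegal-parameter alert is the usual choice for peer input. The check also consults only `*(p + 2)`, the low byte of the two-byte curve identifier, so `p[1]` is never examined. Both are pre-existing, but the hunk now isolates that logic cleanly enough to correct in one line: `al=SSL_AD_ILLEGAL_PARAMETER;` on L680. The enclosing ECDH branch continues past the hunk.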
@@ -1669,15 +1794,15 @@ int ssl3_get_key_exchange(SSL *s)
 
                encoded_pt_len = *p;  /* length of encoded point */
                p+=1;
 
                encoded_pt_len = *p;  /* length of encoded point */
                p+=1;
-               param_len += (1 + encoded_pt_len);
-               if ((param_len > n) ||
+
+               if ((encoded_pt_len > n - param_len) ||
                    (EC_POINT_oct2point(group, srvr_ecpoint, 
                        p, encoded_pt_len, bn_ctx) == 0))
                        {
                    (EC_POINT_oct2point(group, srvr_ecpoint, 
                        p, encoded_pt_len, bn_ctx) == 0))
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_ECPOINT);
                        goto f_err;
                        }
+               param_len += encoded_pt_len;
 
                n-=param_len;
                p+=encoded_pt_len;
 
                n-=param_len;
                p+=encoded_pt_len;
@@ -1720,7 +1845,15 @@ int ssl3_get_key_exchange(SSL *s)
                {
                if (TLS1_get_version(s) >= TLS1_2_VERSION)
                        {
                {
                if (TLS1_get_version(s) >= TLS1_2_VERSION)
                        {
-                       int sigalg = tls12_get_sigid(pkey);
+                       int sigalg;
+                       if (2 > n)
+                               {
+                               SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                                       SSL_R_LENGTH_TOO_SHORT);
+                               goto f_err;
+                               }
+
+                       sigalg = tls12_get_sigid(pkey);
                        /* Should never happen */
                        if (sigalg == -1)
                                {
                        /* Should never happen */
                        if (sigalg == -1)
                                {
@@ -1738,7 +1871,6 @@ int ssl3_get_key_exchange(SSL *s)
                        if (md == NULL)
                                {
                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST);
                        if (md == NULL)
                                {
                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST);
-                               al=SSL_AD_DECODE_ERROR;
                                goto f_err;
                                }
 #ifdef SSL_DEBUG
                                goto f_err;
                                }
 #ifdef SSL_DEBUG
@@ -1749,15 +1881,21 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                        }
                else
                        md = EVP_sha1();
                        }
                else
                        md = EVP_sha1();
-                       
+
+               if (2 > n)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                               SSL_R_LENGTH_TOO_SHORT);
+                       goto f_err;
+                       }
                n2s(p,i);
                n-=2;
                j=EVP_PKEY_size(pkey);
 
                n2s(p,i);
                n-=2;
                j=EVP_PKEY_size(pkey);
 
+               /* Check signature length. If n is 0 then signature is empty */
                if ((i != n) || (n > j) || (n <= 0))
                        {
                        /* wrong packet length */
                if ((i != n) || (n > j) || (n <= 0))
                        {
                        /* wrong packet length */
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH);
                        goto f_err;
                        }
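Review bot: The comment added at L776, `Check signature length. If n is 0 then signature is empty`, reads as if an empty signature were a handled case, whereas the condition on L777 rejects `n <= 0` together with any mismatch of `i` against `n` or of `n` against the key size `j`. Reword it to state what the guard enforces, e.g. `/* The signature must occupy exactly the remaining n bytes, fit the key size j, and be non-empty */`. The surrounding verification code continues outside the hunk.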
@@ -1766,6 +1904,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        int num;
                if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        int num;
+                       unsigned int size;
 
                        j=0;
                        q=md_buf;
 
                        j=0;
                        q=md_buf;
@@ -1778,9 +1917,9 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                                EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,param,param_len);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                                EVP_DigestUpdate(&md_ctx,param,param_len);
-                               EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
-                               q+=i;
-                               j+=i;
+                               EVP_DigestFinal_ex(&md_ctx,q,&size);
+                               q+=size;
+                               j+=size;
                                }
                        i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
                                                                pkey->pkey.rsa);
                                }
                        i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
                                                                pkey->pkey.rsa);
@@ -1816,8 +1955,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                }
        else
                {
                }
        else
                {
-               if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
-                       /* aNULL or kPSK do not need public keys */
+               /* aNULL, aSRP or kPSK do not need public keys */
+               if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK))
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
                        goto err;
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
                        goto err;
@@ -1825,7 +1964,6 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                /* still data left over */
                if (n != 0)
                        {
                /* still data left over */
                if (n != 0)
                        {
-                       al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
                        goto f_err;
                        }
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_EXTRA_DATA_IN_MESSAGE);
                        goto f_err;
                        }
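Review bot: Dropping `al=SSL_AD_DECODE_ERROR;` before the `goto f_err` in the extra-data check is only correct if `al` already holds that value on every path that reaches this point; that initialisation is not visible in this hunk. If it sits earlier in ssl3_get_key_exchange, a one-line comment such as `/* al is already SSL_AD_DECODE_ERROR here */` would save the next reader the same search; if it does not, the alert sent for trailing data becomes whatever `al` last held on that path. The enclosing function starts and ends outside the hunk.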
@@ -2089,7 +2227,7 @@ int ssl3_get_new_session_ticket(SSL *s)
                }
        memcpy(s->session->tlsext_tick, p, ticklen);
        s->session->tlsext_ticklen = ticklen;
                }
        memcpy(s->session->tlsext_tick, p, ticklen);
        s->session->tlsext_ticklen = ticklen;
-       /* There are two ways to detect a resumed ticket sesion.
+       /* There are two ways to detect a resumed ticket session.
         * One is to set an appropriate session ID and then the server
         * must return a match in ServerHello. This allows the normal
         * client session ID matching to work and we know much 
         * One is to set an appropriate session ID and then the server
         * must return a match in ServerHello. This allows the normal
         * client session ID matching to work and we know much 
@@ -2249,6 +2387,13 @@ int ssl3_send_client_key_exchange(SSL *s)
                        RSA *rsa;
                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
 
                        RSA *rsa;
                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
 
+                       if (s->session->sess_cert == NULL)
+                               {
+                               /* We should always have a server certificate with SSL_kRSA. */
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+
                        if (s->session->sess_cert->peer_rsa_tmp != NULL)
                                rsa=s->session->sess_cert->peer_rsa_tmp;
                        else
                        if (s->session->sess_cert->peer_rsa_tmp != NULL)
                                rsa=s->session->sess_cert->peer_rsa_tmp;
                        else
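Review bot: The two new `sess_cert == NULL` guards in ssl3_send_client_key_exchange handle the same condition differently: this RSA branch reports `ERR_R_INTERNAL_ERROR` and jumps to `err` with no alert, while the ECDH branch in the next hunk sends `SSL_AD_UNEXPECTED_MESSAGE` and reports `SSL_R_UNEXPECTED_MESSAGE`. If a missing sess_cert can only come from local state handling, the internal-error form fits both; if a peer can provoke it, the alert form is the right one; either way the two should agree. The comment `/* We should always have a server certificate with SSL_kRSA. */` is useful here, and the ECDH guard would benefit from an equivalent line stating why the condition is treated as a protocol error there. The enclosing function starts and ends outside this hunk.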
@@ -2510,6 +2655,13 @@ int ssl3_send_client_key_exchange(SSL *s)
                        int ecdh_clnt_cert = 0;
                        int field_size = 0;
 
                        int ecdh_clnt_cert = 0;
                        int field_size = 0;
 
+                       if (s->session->sess_cert == NULL) 
+                               {
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+                               goto err;
+                               }
+
                        /* Did we send out the client's
                         * ECDH share for use in premaster
                         * computation as part of client certificate?
                        /* Did we send out the client's
                         * ECDH share for use in premaster
                         * computation as part of client certificate?
@@ -2813,7 +2965,11 @@ int ssl3_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_PSK
                else if (alg_k & SSL_kPSK)
                        {
 #ifndef OPENSSL_NO_PSK
                else if (alg_k & SSL_kPSK)
                        {
-                       char identity[PSK_MAX_IDENTITY_LEN];
+                       /* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes
+                        * to return a \0-terminated identity. The last byte
+                        * is for us for simulating strnlen. */
+                       char identity[PSK_MAX_IDENTITY_LEN + 2];
+                       size_t identity_len;
                        unsigned char *t = NULL;
                        unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
                        unsigned int pre_ms_len = 0, psk_len = 0;
                        unsigned char *t = NULL;
                        unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
                        unsigned int pre_ms_len = 0, psk_len = 0;
@@ -2827,8 +2983,9 @@ int ssl3_send_client_key_exchange(SSL *s)
                                goto err;
                                }
 
                                goto err;
                                }
 
+                       memset(identity, 0, sizeof(identity));
                        psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
                        psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
-                               identity, PSK_MAX_IDENTITY_LEN,
+                               identity, sizeof(identity) - 1,
                                psk_or_pre_ms, sizeof(psk_or_pre_ms));
                        if (psk_len > PSK_MAX_PSK_LEN)
                                {
                                psk_or_pre_ms, sizeof(psk_or_pre_ms));
                        if (psk_len > PSK_MAX_PSK_LEN)
                                {
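Review bot: The new `memset(identity, 0, sizeof(identity));` is unexplained where it appears; its purpose only becomes clear two hunks later, where `strlen(identity)` is taken after the sentinel byte is written. A why-comment such as `/* Zero-fill so the strlen() below is well-defined even if the callback leaves its buffer unterminated. */` would keep the reasoning next to the call. Passing `sizeof(identity) - 1` to the callback is consistent with the array comment that reserves the last byte for the sentinel. The enclosing function starts and ends outside this hunk.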
@@ -2842,7 +2999,14 @@ int ssl3_send_client_key_exchange(SSL *s)
                                        SSL_R_PSK_IDENTITY_NOT_FOUND);
                                goto psk_err;
                                }
                                        SSL_R_PSK_IDENTITY_NOT_FOUND);
                                goto psk_err;
                                }
-
+                       identity[PSK_MAX_IDENTITY_LEN + 1] = '\0';
+                       identity_len = strlen(identity);
+                       if (identity_len > PSK_MAX_IDENTITY_LEN)
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_INTERNAL_ERROR);
+                               goto psk_err;
+                               }
                        /* create PSK pre_master_secret */
                        pre_ms_len = 2+psk_len+2+psk_len;
                        t = psk_or_pre_ms;
                        /* create PSK pre_master_secret */
                        pre_ms_len = 2+psk_len+2+psk_len;
                        t = psk_or_pre_ms;
@@ -2876,14 +3040,13 @@ int ssl3_send_client_key_exchange(SSL *s)
                        s->session->master_key_length =
                                s->method->ssl3_enc->generate_master_secret(s,
                                        s->session->master_key,
                        s->session->master_key_length =
                                s->method->ssl3_enc->generate_master_secret(s,
                                        s->session->master_key,
-                                       psk_or_pre_ms, pre_ms_len); 
-                       n = strlen(identity);
-                       s2n(n, p);
-                       memcpy(p, identity, n);
-                       n+=2;
+                                       psk_or_pre_ms, pre_ms_len);
+                       s2n(identity_len, p);
+                       memcpy(p, identity, identity_len);
+                       n = 2 + identity_len;
                        psk_err = 0;
                psk_err:
                        psk_err = 0;
                psk_err:
-                       OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
+                       OPENSSL_cleanse(identity, sizeof(identity));
                        OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
                        if (psk_err != 0)
                                {
                        OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
                        if (psk_err != 0)
                                {