Fix compilation on windows for record layer
[openssl.git] / ssl / s3_clnt.c
index 5e2b543..6da1258 100644 (file)
@@ -197,8 +197,10 @@ int ssl3_connect(SSL *s)
         cb = s->ctx->info_callback;
 
     s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if(!SSL_clear(s))
+            return -1;
+    }
 
 #ifndef OPENSSL_NO_HEARTBEATS
     /*
@@ -719,8 +721,9 @@ int ssl3_client_hello(SSL *s)
         } else
             i = 1;
 
-        if (i)
-            ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
+        if (i && ssl_fill_hello_random(s, 0, p,
+                                       sizeof(s->s3->client_random)) <= 0)
+            goto err;
 
         /* Do the message type and length last */
         d = p = ssl_handshake_start(s);
@@ -755,14 +758,8 @@ int ssl3_client_hello(SSL *s)
          * client_version in client hello and not resetting it to
          * the negotiated version.
          */
-#if 0
-        *(p++) = s->version >> 8;
-        *(p++) = s->version & 0xff;
-        s->client_version = s->version;
-#else
         *(p++) = s->client_version >> 8;
         *(p++) = s->client_version & 0xff;
-#endif
 
         /* Random stuff */
         memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -846,7 +843,11 @@ int ssl3_client_hello(SSL *s)
 #endif
 
         l = p - d;
-        ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
+        if(!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+            SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
         s->state = SSL3_ST_CW_CLNT_HELLO_B;
     }
 
@@ -1036,16 +1037,10 @@ int ssl3_get_server_hello(SSL *s)
     if (s->session->cipher)
         s->session->cipher_id = s->session->cipher->id;
     if (s->hit && (s->session->cipher_id != c->id)) {
-/* Workaround is now obsolete */
-#if 0
-        if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
-#endif
-        {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                   SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-            goto f_err;
-        }
+        al = SSL_AD_ILLEGAL_PARAMETER;
+        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+               SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+        goto f_err;
     }
     s->s3->tmp.new_cipher = c;
     /*
@@ -1332,7 +1327,7 @@ int ssl3_get_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
     DH *dh = NULL;
 #endif
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
     EC_KEY *ecdh = NULL;
     BN_CTX *bn_ctx = NULL;
     EC_POINT *srvr_ecpoint = NULL;
@@ -1385,22 +1380,16 @@ int ssl3_get_key_exchange(SSL *s)
     param = p = (unsigned char *)s->init_msg;
     if (s->session->sess_cert != NULL) {
 #ifndef OPENSSL_NO_RSA
-        if (s->session->sess_cert->peer_rsa_tmp != NULL) {
-            RSA_free(s->session->sess_cert->peer_rsa_tmp);
-            s->session->sess_cert->peer_rsa_tmp = NULL;
-        }
+        RSA_free(s->session->sess_cert->peer_rsa_tmp);
+        s->session->sess_cert->peer_rsa_tmp = NULL;
 #endif
 #ifndef OPENSSL_NO_DH
-        if (s->session->sess_cert->peer_dh_tmp) {
-            DH_free(s->session->sess_cert->peer_dh_tmp);
-            s->session->sess_cert->peer_dh_tmp = NULL;
-        }
+        DH_free(s->session->sess_cert->peer_dh_tmp);
+        s->session->sess_cert->peer_dh_tmp = NULL;
 #endif
-#ifndef OPENSSL_NO_ECDH
-        if (s->session->sess_cert->peer_ecdh_tmp) {
-            EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
-            s->session->sess_cert->peer_ecdh_tmp = NULL;
-        }
+#ifndef OPENSSL_NO_EC
+        EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
+        s->session->sess_cert->peer_ecdh_tmp = NULL;
 #endif
     } else {
         s->session->sess_cert = ssl_sess_cert_new();
@@ -1727,15 +1716,10 @@ int ssl3_get_key_exchange(SSL *s)
 
         s->session->sess_cert->peer_dh_tmp = dh;
         dh = NULL;
-    } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
-        al = SSL_AD_ILLEGAL_PARAMETER;
-        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-               SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
-        goto f_err;
     }
 #endif                          /* !OPENSSL_NO_DH */
 
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
     else if (alg_k & SSL_kECDHE) {
         EC_GROUP *ngroup;
         const EC_GROUP *group;
@@ -1833,7 +1817,7 @@ int ssl3_get_key_exchange(SSL *s)
                 X509_get_pubkey(s->session->
                                 sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
 # endif
-# ifndef OPENSSL_NO_ECDSA
+# ifndef OPENSSL_NO_EC
         else if (alg_a & SSL_aECDSA)
             pkey =
                 X509_get_pubkey(s->session->
@@ -1852,7 +1836,7 @@ int ssl3_get_key_exchange(SSL *s)
         SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
         goto f_err;
     }
-#endif                          /* !OPENSSL_NO_ECDH */
+#endif                          /* !OPENSSL_NO_EC */
 
     /* p points to the next byte, there are 'n' bytes left */
 
@@ -1965,18 +1949,15 @@ int ssl3_get_key_exchange(SSL *s)
  err:
     EVP_PKEY_free(pkey);
 #ifndef OPENSSL_NO_RSA
-    if (rsa != NULL)
-        RSA_free(rsa);
+    RSA_free(rsa);
 #endif
 #ifndef OPENSSL_NO_DH
-    if (dh != NULL)
-        DH_free(dh);
+    DH_free(dh);
 #endif
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
     BN_CTX_free(bn_ctx);
     EC_POINT_free(srvr_ecpoint);
-    if (ecdh != NULL)
-        EC_KEY_free(ecdh);
+    EC_KEY_free(ecdh);
 #endif
     EVP_MD_CTX_cleanup(&md_ctx);
     return (-1);
@@ -2091,14 +2072,6 @@ int ssl3_get_certificate_request(SSL *s)
 
     /* get the CA RDNs */
     n2s(p, llen);
-#if 0
-    {
-        FILE *out;
-        out = fopen("/tmp/vsign.der", "w");
-        fwrite(p, 1, llen, out);
-        fclose(out);
-    }
-#endif
 
     if ((unsigned long)(p - d + llen) != n) {
         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -2109,8 +2082,6 @@ int ssl3_get_certificate_request(SSL *s)
     for (nc = 0; nc < llen;) {
         n2s(p, l);
         if ((l + nc + 2) > llen) {
-            if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-                goto cont;      /* netscape bugs */
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
             goto err;
@@ -2119,14 +2090,9 @@ int ssl3_get_certificate_request(SSL *s)
         q = p;
 
         if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
-            /* If netscape tolerance is on, ignore errors */
-            if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
-                goto cont;
-            else {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
-                goto err;
-            }
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
+            goto err;
         }
 
         if (q != (p + l)) {
@@ -2144,11 +2110,6 @@ int ssl3_get_certificate_request(SSL *s)
         nc += l + 2;
     }
 
-    if (0) {
- cont:
-        ERR_clear_error();
-    }
-
     /* we should setup a certificate to return.... */
     s->s3->tmp.cert_req = 1;
     s->s3->tmp.ctype_num = ctype_num;
@@ -2330,7 +2291,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_KRB5
     KSSL_ERR kssl_err;
 #endif                          /* OPENSSL_NO_KRB5 */
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
     EC_KEY *clnt_ecdh = NULL;
     const EC_POINT *srvr_ecpoint = NULL;
     EVP_PKEY *srvr_pub_pkey = NULL;
@@ -2611,6 +2572,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                 DH_free(dh_clnt);
                 goto err;
             }
+            pmslen = n;
 
             if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
                 n = 0;
@@ -2628,7 +2590,7 @@ int ssl3_send_client_key_exchange(SSL *s)
         }
 #endif
 
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
         else if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)) {
             const EC_GROUP *srvr_group = NULL;
             EC_KEY *tkey;
@@ -2795,11 +2757,10 @@ int ssl3_send_client_key_exchange(SSL *s)
             BN_CTX_free(bn_ctx);
             if (encodedPoint != NULL)
                 OPENSSL_free(encodedPoint);
-            if (clnt_ecdh != NULL)
-                EC_KEY_free(clnt_ecdh);
+            EC_KEY_free(clnt_ecdh);
             EVP_PKEY_free(srvr_pub_pkey);
         }
-#endif                          /* !OPENSSL_NO_ECDH */
+#endif                          /* !OPENSSL_NO_EC */
         else if (alg_k & SSL_kGOST) {
             /* GOST key exchange message creation */
             EVP_PKEY_CTX *pkey_ctx;
@@ -2845,7 +2806,12 @@ int ssl3_send_client_key_exchange(SSL *s)
 
             EVP_PKEY_encrypt_init(pkey_ctx);
             /* Generate session key */
-            RAND_bytes(pms, pmslen);
+            if (RAND_bytes(pms, pmslen) <= 0) {
+                EVP_PKEY_CTX_free(pkey_ctx);
+                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                       ERR_R_INTERNAL_ERROR);
+                goto err;
+            };
             /*
              * If we have client certificate, use its secret as peer key
              */
@@ -3026,7 +2992,12 @@ int ssl3_send_client_key_exchange(SSL *s)
             goto err;
         }
 
-        ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
+        if(!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) {
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+            SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
         s->state = SSL3_ST_CW_KEY_EXCH_B;
     }
 
@@ -3074,6 +3045,11 @@ int ssl3_send_client_key_exchange(SSL *s)
         OPENSSL_cleanse(pms, pmslen);
         OPENSSL_free(pms);
         s->cert->pms = NULL;
+        if(s->session->master_key_length < 0) {
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+            SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
     }
     return n;
  memerr:
@@ -3085,12 +3061,11 @@ int ssl3_send_client_key_exchange(SSL *s)
         OPENSSL_free(pms);
         s->cert->pms = NULL;
     }
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
     BN_CTX_free(bn_ctx);
     if (encodedPoint != NULL)
         OPENSSL_free(encodedPoint);
-    if (clnt_ecdh != NULL)
-        EC_KEY_free(clnt_ecdh);
+    EC_KEY_free(clnt_ecdh);
     EVP_PKEY_free(srvr_pub_pkey);
 #endif
     return (-1);
@@ -3187,7 +3162,7 @@ int ssl3_send_client_verify(SSL *s)
             n = j + 2;
         } else
 #endif
-#ifndef OPENSSL_NO_ECDSA
+#ifndef OPENSSL_NO_EC
         if (pkey->type == EVP_PKEY_EC) {
             if (!ECDSA_sign(pkey->save_type,
                             &(data[MD5_DIGEST_LENGTH]),
@@ -3220,7 +3195,10 @@ int ssl3_send_client_verify(SSL *s)
             SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
             goto err;
         }
-        ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
+        if(!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
+            SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
         s->state = SSL3_ST_CW_CERT_VRFY_B;
     }
     EVP_MD_CTX_cleanup(&mctx);
@@ -3396,7 +3374,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     /* This is the passed certificate */
 
     idx = sc->peer_cert_type;
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
     if (idx == SSL_PKEY_ECC) {
         if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, s) == 0) {
             /* check failed */