Use #error in openssl/srp.h

[openssl.git] / ssl / s3_srvr.c
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c

index ee66a5af0bb5e02a52e1fd95f94f7cdfecb08e38..4ee45eb57f6071992bd84859ddfd2450ce27316e 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -151,8 +151,7 @@
  
  #include <stdio.h>
  #include "ssl_locl.h"
-#include "kssl_lcl.h"
-#include "../crypto/constant_time_locl.h"
+#include "internal/constant_time_locl.h"
  #include <openssl/buffer.h>
  #include <openssl/rand.h>
  #include <openssl/objects.h>
@@ -163,9 +162,6 @@
  # include <openssl/dh.h>
  #endif
  #include <openssl/bn.h>
-#ifndef OPENSSL_NO_KRB5
-# include <openssl/krb5_asn.h>
-#endif
  #include <openssl/md5.h>
  
  #ifndef OPENSSL_NO_SSL3_METHOD
@@ -226,13 +222,11 @@ int ssl3_accept(SSL *s)
  
      /* init things to blank */
      s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s))
-        SSL_clear(s);
-
-    if (s->cert == NULL) {
-        SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
-        return (-1);
+    if (!SSL_in_init(s) || SSL_in_before(s)) {
+        if (!SSL_clear(s))
+            return -1;
      }
+
  #ifndef OPENSSL_NO_HEARTBEATS
      /*
       * If we're awaiting a HeartbeatResponse, pretend we already got and
@@ -264,6 +258,7 @@ int ssl3_accept(SSL *s)
  
              if ((s->version >> 8) != 3) {
                  SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
+                s->state = SSL_ST_ERR;
                  return -1;
              }
  
@@ -277,11 +272,13 @@ int ssl3_accept(SSL *s)
              if (s->init_buf == NULL) {
                  if ((buf = BUF_MEM_new()) == NULL) {
                      ret = -1;
+                    s->state = SSL_ST_ERR;
                      goto end;
                  }
                  if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
                      BUF_MEM_free(buf);
                      ret = -1;
+                    s->state = SSL_ST_ERR;
                      goto end;
                  }
                  s->init_buf = buf;
@@ -289,6 +286,7 @@ int ssl3_accept(SSL *s)
  
              if (!ssl3_setup_buffers(s)) {
                  ret = -1;
+                s->state = SSL_ST_ERR;
                  goto end;
              }
  
@@ -307,6 +305,7 @@ int ssl3_accept(SSL *s)
                   */
                  if (!ssl_init_wbio_buffer(s, 1)) {
                      ret = -1;
+                    s->state = SSL_ST_ERR;
                      goto end;
                  }
  
@@ -324,6 +323,7 @@ int ssl3_accept(SSL *s)
                         SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                  ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                  ret = -1;
+                s->state = SSL_ST_ERR;
                  goto end;
              } else {
                  /*
@@ -382,6 +382,7 @@ int ssl3_accept(SSL *s)
                          SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
                      ret = SSL_TLSEXT_ERR_ALERT_FATAL;
                      ret = -1;
+                    s->state = SSL_ST_ERR;
                      goto end;
                  }
              }
@@ -416,11 +417,10 @@ int ssl3_accept(SSL *s)
          case SSL3_ST_SW_CERT_A:
          case SSL3_ST_SW_CERT_B:
              /* Check if it is anon DH or anon ECDH, */
-            /* normal PSK or KRB5 or SRP */
+            /* normal PSK or SRP */
              if (!
                  (s->s3->tmp.
-                 new_cipher->algorithm_auth & (SSL_aNULL | SSL_aKRB5 |
-                                               SSL_aSRP))
+                 new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
  && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
                  ret = ssl3_send_server_certificate(s);
                  if (ret <= 0)
@@ -511,16 +511,12 @@ int ssl3_accept(SSL *s)
                      * RFC 2246):
                      */
                     ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-                    /*
-                     * ... except when the application insists on
-                     * verification (against the specs, but s3_clnt.c accepts
-                     * this for SSL 3)
-                     */
-                    !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
                     /*
-                    * never request cert in Kerberos ciphersuites
+                    * ... except when the application insists on
+                    * verification (against the specs, but s3_clnt.c accepts
+                    * this for SSL 3)
                      */
-                   (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) ||
+                   !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
                     /* don't request certificate for SRP auth */
                     (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
                     /*
@@ -532,9 +528,12 @@ int ssl3_accept(SSL *s)
                  skip = 1;
                  s->s3->tmp.cert_request = 0;
                  s->state = SSL3_ST_SW_SRVR_DONE_A;
-                if (s->s3->handshake_buffer)
-                    if (!ssl3_digest_cached_records(s))
+                if (s->s3->handshake_buffer) {
+                    if (!ssl3_digest_cached_records(s)) {
+                        s->state = SSL_ST_ERR;
                          return -1;
+                    }
+                }
              } else {
                  s->s3->tmp.cert_request = 1;
                  ret = ssl3_send_certificate_request(s);
@@ -615,6 +614,7 @@ int ssl3_accept(SSL *s)
                      break;
                  if (!s->s3->handshake_buffer) {
                      SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
+                    s->state = SSL_ST_ERR;
                      return -1;
                  }
                  /*
@@ -623,8 +623,10 @@ int ssl3_accept(SSL *s)
                   */
                  if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) {
                      s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
-                    if (!ssl3_digest_cached_records(s))
+                    if (!ssl3_digest_cached_records(s)) {
+                        s->state = SSL_ST_ERR;
                          return -1;
+                    }
                  }
              } else {
                  int offset = 0;
@@ -639,9 +641,12 @@ int ssl3_accept(SSL *s)
                   * CertificateVerify should be generalized. But it is next
                   * step
                   */
-                if (s->s3->handshake_buffer)
-                    if (!ssl3_digest_cached_records(s))
+                if (s->s3->handshake_buffer) {
+                    if (!ssl3_digest_cached_records(s)) {
+                        s->state = SSL_ST_ERR;
                          return -1;
+                    }
+                }
                  for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++)
                      if (s->s3->handshake_dgst[dgst_num]) {
                          int dgst_size;
@@ -657,6 +662,7 @@ int ssl3_accept(SSL *s)
                          dgst_size =
                              EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
                          if (dgst_size < 0) {
+                            s->state = SSL_ST_ERR;
                              ret = -1;
                              goto end;
                          }
@@ -667,15 +673,6 @@ int ssl3_accept(SSL *s)
  
          case SSL3_ST_SR_CERT_VRFY_A:
          case SSL3_ST_SR_CERT_VRFY_B:
-            /*
-             * This *should* be the first time we enable CCS, but be
-             * extra careful about surrounding code changes. We need
-             * to set this here because we don't know if we're
-             * expecting a CertificateVerify or not.
-             */
-            if (!s->s3->change_cipher_spec)
-                s->s3->flags |= SSL3_FLAGS_CCS_OK;
-            /* we should decide if we expected this one */
              ret = ssl3_get_cert_verify(s);
              if (ret <= 0)
                  goto end;
@@ -695,11 +692,10 @@ int ssl3_accept(SSL *s)
          case SSL3_ST_SR_NEXT_PROTO_A:
          case SSL3_ST_SR_NEXT_PROTO_B:
              /*
-             * Enable CCS for resumed handshakes with NPN.
-             * In a full handshake with NPN, we end up here through
-             * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was
-             * already set. Receiving a CCS clears the flag, so make
-             * sure not to re-enable it to ban duplicates.
+             * Enable CCS for NPN. Receiving a CCS clears the flag, so make
+             * sure not to re-enable it to ban duplicates. This *should* be the
+             * first time we have received one - but we check anyway to be
+             * cautious.
               * s->s3->change_cipher_spec is set when a CCS is
               * processed in s3_pkt.c, and remains set until
               * the client's Finished message is read.
@@ -718,10 +714,8 @@ int ssl3_accept(SSL *s)
          case SSL3_ST_SR_FINISHED_A:
          case SSL3_ST_SR_FINISHED_B:
              /*
-             * Enable CCS for resumed handshakes without NPN.
-             * In a full handshake, we end up here through
-             * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was
-             * already set. Receiving a CCS clears the flag, so make
+             * Enable CCS for handshakes without NPN. In NPN the CCS flag has
+             * already been set. Receiving a CCS clears the flag, so make
               * sure not to re-enable it to ban duplicates.
               * s->s3->change_cipher_spec is set when a CCS is
               * processed in s3_pkt.c, and remains set until
@@ -771,6 +765,7 @@ int ssl3_accept(SSL *s)
              s->session->cipher = s->s3->tmp.new_cipher;
              if (!s->method->ssl3_enc->setup_key_block(s)) {
                  ret = -1;
+                s->state = SSL_ST_ERR;
                  goto end;
              }
  
@@ -787,6 +782,7 @@ int ssl3_accept(SSL *s)
                                                            SSL3_CHANGE_CIPHER_SERVER_WRITE))
              {
                  ret = -1;
+                s->state = SSL_ST_ERR;
                  goto end;
              }
  
@@ -849,6 +845,7 @@ int ssl3_accept(SSL *s)
              goto end;
              /* break; */
  
+        case SSL_ST_ERR:
          default:
              SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
              ret = -1;
@@ -884,7 +881,10 @@ int ssl3_send_hello_request(SSL *s)
  {
  
      if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
-        ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0);
+        if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
+            SSLerr(SSL_F_SSL3_SEND_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
+            return -1;
+        }
          s->state = SSL3_ST_SW_HELLO_REQ_B;
      }
  
@@ -930,6 +930,16 @@ int ssl3_get_client_hello(SSL *s)
      s->first_packet = 0;
      d = p = (unsigned char *)s->init_msg;
  
+    /*
+     * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte
+     * for session id length
+     */
+    if (n < 2 + SSL3_RANDOM_SIZE + 1) {
+        al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+        goto f_err;
+    }
+
      /*
       * use version from inside client hello, not from record header (may
       * differ: see RFC 2246, Appendix E, second paragraph)
@@ -962,6 +972,12 @@ int ssl3_get_client_hello(SSL *s)
          unsigned int session_length, cookie_length;
  
          session_length = *(p + SSL3_RANDOM_SIZE);
+
+        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+            goto f_err;
+        }
          cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
  
          if (cookie_length == 0)
@@ -975,6 +991,12 @@ int ssl3_get_client_hello(SSL *s)
      /* get the session-id */
      j = *(p++);
  
+    if (p + j > d + n) {
+        al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+        goto f_err;
+    }
+
      s->hit = 0;
      /*
       * Versions before 0.9.7 always allow clients to resume sessions in
@@ -1019,8 +1041,19 @@ int ssl3_get_client_hello(SSL *s)
  
      if (SSL_IS_DTLS(s)) {
          /* cookie stuff */
+        if (p + 1 > d + n) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+            goto f_err;
+        }
          cookie_len = *(p++);
  
+        if (p + cookie_len > d + n) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+            goto f_err;
+        }
+
          /*
           * The ClientHello may contain a cookie even if the
           * HelloVerify message has not been sent--make sure that it
@@ -1086,27 +1119,33 @@ int ssl3_get_client_hello(SSL *s)
          }
      }
  
+    if (p + 2 > d + n) {
+        al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+        goto f_err;
+    }
      n2s(p, i);
-    if ((i == 0) && (j != 0)) {
-        /* we need a cipher if we are not resuming a session */
+
+    if (i == 0) {
          al = SSL_AD_ILLEGAL_PARAMETER;
          SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
          goto f_err;
      }
-    if ((p + i) >= (d + n)) {
+
+    /* i bytes of cipher data + 1 byte for compression length later */
+    if ((p + i + 1) > (d + n)) {
          /* not enough data */
          al = SSL_AD_DECODE_ERROR;
          SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
          goto f_err;
      }
-    if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers))
-                    == NULL)) {
+    if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
          goto err;
      }
      p += i;
  
      /* If it is a hit, check that the cipher is in the list */
-    if ((s->hit) && (i > 0)) {
+    if (s->hit) {
          j = 0;
          id = s->session->cipher->id;
  
@@ -1232,14 +1271,9 @@ int ssl3_get_client_hello(SSL *s)
              }
  
              s->session->cipher = pref_cipher;
-
-            if (s->cipher_list)
-                sk_SSL_CIPHER_free(s->cipher_list);
-
-            if (s->cipher_list_by_id)
-                sk_SSL_CIPHER_free(s->cipher_list_by_id);
-
+            sk_SSL_CIPHER_free(s->cipher_list);
              s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+            sk_SSL_CIPHER_free(s->cipher_list_by_id);
              s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
          }
      }
@@ -1331,12 +1365,11 @@ int ssl3_get_client_hello(SSL *s)
  #else
          s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
  #endif
-        if (s->session->ciphers != NULL)
-            sk_SSL_CIPHER_free(s->session->ciphers);
+        sk_SSL_CIPHER_free(s->session->ciphers);
          s->session->ciphers = ciphers;
          if (ciphers == NULL) {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
              goto f_err;
          }
          ciphers = NULL;
@@ -1410,10 +1443,11 @@ int ssl3_get_client_hello(SSL *s)
      if (0) {
   f_err:
          ssl3_send_alert(s, SSL3_AL_FATAL, al);
-    }
   err:
-    if (ciphers != NULL)
-        sk_SSL_CIPHER_free(ciphers);
+        s->state = SSL_ST_ERR;
+    }
+
+    sk_SSL_CIPHER_free(ciphers);
      return ret < 0 ? -1 : ret;
  }
  
@@ -1429,8 +1463,10 @@ int ssl3_send_server_hello(SSL *s)
          buf = (unsigned char *)s->init_buf->data;
  #ifdef OPENSSL_NO_TLSEXT
          p = s->s3->server_random;
-        if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
+        if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) {
+            s->state = SSL_ST_ERR;
              return -1;
+        }
  #endif
          /* Do the message type and length last */
          d = p = ssl_handshake_start(s);
@@ -1466,6 +1502,7 @@ int ssl3_send_server_hello(SSL *s)
          sl = s->session->session_id_length;
          if (sl > (int)sizeof(s->session->session_id)) {
              SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+            s->state = SSL_ST_ERR;
              return -1;
          }
          *(p++) = sl;
@@ -1488,6 +1525,7 @@ int ssl3_send_server_hello(SSL *s)
  #ifndef OPENSSL_NO_TLSEXT
          if (ssl_prepare_serverhello_tlsext(s) <= 0) {
              SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
+            s->state = SSL_ST_ERR;
              return -1;
          }
          if ((p =
@@ -1495,12 +1533,16 @@ int ssl3_send_server_hello(SSL *s)
                                          &al)) == NULL) {
              ssl3_send_alert(s, SSL3_AL_FATAL, al);
              SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+            s->state = SSL_ST_ERR;
              return -1;
          }
  #endif
          /* do the header */
          l = (p - d);
-        ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l);
+        if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
+            SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+            return -1;
+        }
          s->state = SSL3_ST_SW_SRVR_HELLO_B;
      }
  
@@ -1512,7 +1554,10 @@ int ssl3_send_server_done(SSL *s)
  {
  
      if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
-        ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0);
+        if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
+            SSLerr(SSL_F_SSL3_SEND_SERVER_DONE, ERR_R_INTERNAL_ERROR);
+            return -1;
+        }
          s->state = SSL3_ST_SW_SRVR_DONE_B;
      }
  
@@ -1869,8 +1914,7 @@ int ssl3_send_server_key_exchange(SSL *s)
              p += 1;
              *p = encodedlen;
              p += 1;
-            memcpy((unsigned char *)p,
-                   (unsigned char *)encodedPoint, encodedlen);
+            memcpy(p, encodedPoint, encodedlen);
              OPENSSL_free(encodedPoint);
              encodedPoint = NULL;
              p += encodedlen;
@@ -1959,7 +2003,11 @@ int ssl3_send_server_key_exchange(SSL *s)
              }
          }
  
-        ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n);
+        if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
+            al = SSL_AD_HANDSHAKE_FAILURE;
+            SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
      }
  
      s->state = SSL3_ST_SW_KEY_EXCH_B;
@@ -1968,12 +2016,12 @@ int ssl3_send_server_key_exchange(SSL *s)
   f_err:
      ssl3_send_alert(s, SSL3_AL_FATAL, al);
   err:
-#ifndef OPENSSL_NO_ECDH
-    if (encodedPoint != NULL)
-        OPENSSL_free(encodedPoint);
+#ifndef OPENSSL_NO_EC
+    OPENSSL_free(encodedPoint);
      BN_CTX_free(bn_ctx);
  #endif
      EVP_MD_CTX_cleanup(&md_ctx);
+    s->state = SSL_ST_ERR;
      return (-1);
  }
  
@@ -2037,7 +2085,10 @@ int ssl3_send_certificate_request(SSL *s)
          p = ssl_handshake_start(s) + off;
          s2n(nl, p);
  
-        ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n);
+        if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
+            SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+            return -1;
+        }
  
          s->state = SSL3_ST_SW_CERT_REQ_B;
      }
@@ -2045,6 +2096,7 @@ int ssl3_send_certificate_request(SSL *s)
      /* SSL3_ST_SW_CERT_REQ_B */
      return ssl_do_write(s);
   err:
+    s->state = SSL_ST_ERR;
      return (-1);
  }
  
@@ -2062,11 +2114,8 @@ int ssl3_get_client_key_exchange(SSL *s)
      BIGNUM *pub = NULL;
      DH *dh_srvr, *dh_clnt = NULL;
  #endif
-#ifndef OPENSSL_NO_KRB5
-    KSSL_ERR kssl_err;
-#endif                          /* OPENSSL_NO_KRB5 */
  
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
      EC_KEY *srvr_ecdh = NULL;
      EVP_PKEY *clnt_pub_pkey = NULL;
      EC_POINT *clnt_ecpoint = NULL;
@@ -2154,10 +2203,7 @@ int ssl3_get_client_key_exchange(SSL *s)
           * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
           */
  
-        /*
-         * should be RAND_bytes, but we cannot work around a failure.
-         */
-        if (RAND_pseudo_bytes(rand_premaster_secret,
+        if (RAND_bytes(rand_premaster_secret,
                                sizeof(rand_premaster_secret)) <= 0)
              goto err;
          decrypt_len =
@@ -2227,16 +2273,28 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                          sizeof
                                                          (rand_premaster_secret));
          OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
+        if (s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
      } else
  #endif
  #ifndef OPENSSL_NO_DH
      if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
          int idx = -1;
          EVP_PKEY *skey = NULL;
-        if (n)
+        if (n > 1) {
              n2s(p, i);
-        else
+        } else {
+            if (alg_k & SSL_kDHE) {
+                al = SSL_AD_HANDSHAKE_FAILURE;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
+                goto f_err;
+            }
              i = 0;
+        }
          if (n && n != i + 2) {
              if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
                  SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2312,190 +2370,17 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                          session->master_key,
                                                          p, i);
          OPENSSL_cleanse(p, i);
+        if (s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
          if (dh_clnt)
              return 2;
      } else
  #endif
-#ifndef OPENSSL_NO_KRB5
-    if (alg_k & SSL_kKRB5) {
-        krb5_error_code krb5rc;
-        krb5_data enc_ticket;
-        krb5_data authenticator;
-        krb5_data enc_pms;
-        KSSL_CTX *kssl_ctx = s->kssl_ctx;
-        EVP_CIPHER_CTX ciph_ctx;
-        const EVP_CIPHER *enc = NULL;
-        unsigned char iv[EVP_MAX_IV_LENGTH];
-        unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_BLOCK_LENGTH];
-        int padl, outl;
-        krb5_timestamp authtime = 0;
-        krb5_ticket_times ttimes;
-
-        EVP_CIPHER_CTX_init(&ciph_ctx);
-
-        if (!kssl_ctx)
-            kssl_ctx = kssl_ctx_new();
-
-        n2s(p, i);
-        enc_ticket.length = i;
-
-        if (n < (long)(enc_ticket.length + 6)) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DATA_LENGTH_TOO_LONG);
-            goto err;
-        }
-
-        enc_ticket.data = (char *)p;
-        p += enc_ticket.length;
-
-        n2s(p, i);
-        authenticator.length = i;
-
-        if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DATA_LENGTH_TOO_LONG);
-            goto err;
-        }
-
-        authenticator.data = (char *)p;
-        p += authenticator.length;
-
-        n2s(p, i);
-        enc_pms.length = i;
-        enc_pms.data = (char *)p;
-        p += enc_pms.length;
-
-        /*
-         * Note that the length is checked again below, ** after decryption
-         */
-        if (enc_pms.length > sizeof pms) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DATA_LENGTH_TOO_LONG);
-            goto err;
-        }
-
-        if (n != (long)(enc_ticket.length + authenticator.length +
-                        enc_pms.length + 6)) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DATA_LENGTH_TOO_LONG);
-            goto err;
-        }
-
-        if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
-                                    &kssl_err)) != 0) {
-# ifdef KSSL_DEBUG
-            fprintf(stderr, "kssl_sget_tkt rtn %d [%d]\n",
-                    krb5rc, kssl_err.reason);
-            if (kssl_err.text)
-                fprintf(stderr, "kssl_err text= %s\n", kssl_err.text);
-# endif                         /* KSSL_DEBUG */
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason);
-            goto err;
-        }
  
-        /*
-         * Note: no authenticator is not considered an error, ** but will
-         * return authtime == 0.
-         */
-        if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
-                                         &authtime, &kssl_err)) != 0) {
-# ifdef KSSL_DEBUG
-            fprintf(stderr, "kssl_check_authent rtn %d [%d]\n",
-                    krb5rc, kssl_err.reason);
-            if (kssl_err.text)
-                fprintf(stderr, "kssl_err text= %s\n", kssl_err.text);
-# endif                         /* KSSL_DEBUG */
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, kssl_err.reason);
-            goto err;
-        }
-
-        if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
-            goto err;
-        }
-# ifdef KSSL_DEBUG
-        kssl_ctx_show(kssl_ctx);
-# endif                         /* KSSL_DEBUG */
-
-        enc = kssl_map_enc(kssl_ctx->enctype);
-        if (enc == NULL)
-            goto err;
-
-        memset(iv, 0, sizeof iv); /* per RFC 1510 */
-
-        if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv)) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DECRYPTION_FAILED);
-            goto err;
-        }
-        if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
-                               (unsigned char *)enc_pms.data, enc_pms.length))
-        {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DECRYPTION_FAILED);
-            goto err;
-        }
-        if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DATA_LENGTH_TOO_LONG);
-            goto err;
-        }
-        if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DECRYPTION_FAILED);
-            goto err;
-        }
-        outl += padl;
-        if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_DATA_LENGTH_TOO_LONG);
-            goto err;
-        }
-        if (!((pms[0] == (s->client_version >> 8))
-              && (pms[1] == (s->client_version & 0xff)))) {
-            /*
-             * The premaster secret must contain the same version number as
-             * the ClientHello to detect version rollback attacks (strangely,
-             * the protocol does not offer such protection for DH
-             * ciphersuites). However, buggy clients exist that send random
-             * bytes instead of the protocol version. If
-             * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
-             * (Perhaps we should have a separate BUG value for the Kerberos
-             * cipher)
-             */
-            if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                       SSL_AD_DECODE_ERROR);
-                goto err;
-            }
-        }
-
-        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-        s->session->master_key_length =
-            s->method->ssl3_enc->generate_master_secret(s,
-                                                        s->
-                                                        session->master_key,
-                                                        pms, outl);
-
-        if (kssl_ctx->client_princ) {
-            size_t len = strlen(kssl_ctx->client_princ);
-            if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH) {
-                s->session->krb5_client_princ_len = len;
-                memcpy(s->session->krb5_client_princ, kssl_ctx->client_princ,
-                       len);
-            }
-        }
-
-        /*- Was doing kssl_ctx_free() here,
-         *  but it caused problems for apache.
-         *  kssl_ctx = kssl_ctx_free(kssl_ctx);
-         *  if (s->kssl_ctx)  s->kssl_ctx = NULL;
-         */
-    } else
-#endif                          /* OPENSSL_NO_KRB5 */
-
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
      if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)) {
          int ret = 1;
          int field_size = 0;
@@ -2625,6 +2510,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                          p, i);
  
          OPENSSL_cleanse(p, i);
+        if (s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
          return (ret);
      } else
  #endif
@@ -2686,16 +2576,14 @@ int ssl3_get_client_key_exchange(SSL *s)
          t += psk_len;
          s2n(psk_len, t);
  
-        if (s->session->psk_identity != NULL)
-            OPENSSL_free(s->session->psk_identity);
+        OPENSSL_free(s->session->psk_identity);
          s->session->psk_identity = BUF_strdup((char *)p);
          if (s->session->psk_identity == NULL) {
              SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
              goto psk_err;
          }
  
-        if (s->session->psk_identity_hint != NULL)
-            OPENSSL_free(s->session->psk_identity_hint);
+        OPENSSL_free(s->session->psk_identity_hint);
          s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
          if (s->ctx->psk_identity_hint != NULL &&
              s->session->psk_identity_hint == NULL) {
@@ -2709,6 +2597,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                          session->master_key,
                                                          psk_or_pre_ms,
                                                          pre_ms_len);
+        if (s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto psk_err;
+        }
          psk_err = 0;
   psk_err:
          OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
@@ -2728,7 +2621,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                     SSL_R_BAD_SRP_A_LENGTH);
              goto f_err;
          }
-        if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
+        if ((s->srp_ctx.A = BN_bin2bn(p, i, NULL)) == NULL) {
              SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
              goto err;
          }
@@ -2739,8 +2632,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                     SSL_R_BAD_SRP_PARAMETERS);
              goto f_err;
          }
-        if (s->session->srp_username != NULL)
-            OPENSSL_free(s->session->srp_username);
+        OPENSSL_free(s->session->srp_username);
          s->session->srp_username = BUF_strdup(s->srp_ctx.login);
          if (s->session->srp_username == NULL) {
              SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
@@ -2810,6 +2702,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                                          s->
                                                          session->master_key,
                                                          premaster_secret, 32);
+        if (s->session->master_key_length < 0) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
          /* Check if pubkey from client certificate was used */
          if (EVP_PKEY_CTX_ctrl
              (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
@@ -2821,8 +2718,7 @@ int ssl3_get_client_key_exchange(SSL *s)
          EVP_PKEY_CTX_free(pkey_ctx);
          if (ret)
              return ret;
-        else
-            goto err;
+        goto err;
      } else {
          al = SSL_AD_HANDSHAKE_FAILURE;
          SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
@@ -2832,16 +2728,16 @@ int ssl3_get_client_key_exchange(SSL *s)
      return (1);
   f_err:
      ssl3_send_alert(s, SSL3_AL_FATAL, al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
   err:
  #endif
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
      EVP_PKEY_free(clnt_pub_pkey);
      EC_POINT_free(clnt_ecpoint);
-    if (srvr_ecdh != NULL)
-        EC_KEY_free(srvr_ecdh);
+    EC_KEY_free(srvr_ecdh);
      BN_CTX_free(bn_ctx);
  #endif
+    s->state = SSL_ST_ERR;
      return (-1);
  }
  
@@ -2857,39 +2753,31 @@ int ssl3_get_cert_verify(SSL *s)
      EVP_MD_CTX mctx;
      EVP_MD_CTX_init(&mctx);
  
+    /*
+     * We should only process a CertificateVerify message if we have received
+     * a Certificate from the client. If so then |s->session->peer| will be non
+     * NULL. In some instances a CertificateVerify message is not required even
+     * if the peer has sent a Certificate (e.g. such as in the case of static
+     * DH). In that case the ClientKeyExchange processing will skip the
+     * CertificateVerify state so we should not arrive here.
+     */
+    if (s->session->peer == NULL) {
+        ret = 1;
+        goto end;
+    }
+
      n = s->method->ssl_get_message(s,
                                     SSL3_ST_SR_CERT_VRFY_A,
                                     SSL3_ST_SR_CERT_VRFY_B,
-                                   -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok);
+                                   SSL3_MT_CERTIFICATE_VERIFY,
+                                   SSL3_RT_MAX_PLAIN_LENGTH, &ok);
  
      if (!ok)
          return ((int)n);
  
-    if (s->session->peer != NULL) {
-        peer = s->session->peer;
-        pkey = X509_get_pubkey(peer);
-        type = X509_certificate_type(peer, pkey);
-    } else {
-        peer = NULL;
-        pkey = NULL;
-    }
-
-    if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
-        s->s3->tmp.reuse_message = 1;
-        if (peer != NULL) {
-            al = SSL_AD_UNEXPECTED_MESSAGE;
-            SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE);
-            goto f_err;
-        }
-        ret = 1;
-        goto end;
-    }
-
-    if (peer == NULL) {
-        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED);
-        al = SSL_AD_UNEXPECTED_MESSAGE;
-        goto f_err;
-    }
+    peer = s->session->peer;
+    pkey = X509_get_pubkey(peer);
+    type = X509_certificate_type(peer, pkey);
  
      if (!(type & EVP_PKT_SIGN)) {
          SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
@@ -2898,12 +2786,6 @@ int ssl3_get_cert_verify(SSL *s)
          goto f_err;
      }
  
-    if (s->s3->change_cipher_spec) {
-        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY);
-        al = SSL_AD_UNEXPECTED_MESSAGE;
-        goto f_err;
-    }
-
      /* we now have a signature that we need to verify */
      p = (unsigned char *)s->init_msg;
      /* Check for broken implementations of GOST ciphersuites */
@@ -3044,13 +2926,12 @@ int ssl3_get_cert_verify(SSL *s)
      if (0) {
   f_err:
          ssl3_send_alert(s, SSL3_AL_FATAL, al);
+        s->state = SSL_ST_ERR;
      }
   end:
-    if (s->s3->handshake_buffer) {
-        BIO_free(s->s3->handshake_buffer);
-        s->s3->handshake_buffer = NULL;
-        s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
-    }
+    BIO_free(s->s3->handshake_buffer);
+    s->s3->handshake_buffer = NULL;
+    s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
      EVP_MD_CTX_cleanup(&mctx);
      EVP_PKEY_free(pkey);
      return (ret);
@@ -3103,7 +2984,7 @@ int ssl3_get_client_certificate(SSL *s)
  
      if ((sk = sk_X509_new_null()) == NULL) {
          SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-        goto err;
+        goto done;
      }
  
      n2l3(p, llen);
@@ -3125,7 +3006,7 @@ int ssl3_get_client_certificate(SSL *s)
          x = d2i_X509(NULL, &p, l);
          if (x == NULL) {
              SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
-            goto err;
+            goto done;
          }
          if (p != (q + l)) {
              al = SSL_AD_DECODE_ERROR;
@@ -3135,7 +3016,7 @@ int ssl3_get_client_certificate(SSL *s)
          }
          if (!sk_X509_push(sk, x)) {
              SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-            goto err;
+            goto done;
          }
          x = NULL;
          nc += l + 3;
@@ -3186,8 +3067,7 @@ int ssl3_get_client_certificate(SSL *s)
          EVP_PKEY_free(pkey);
      }
  
-    if (s->session->peer != NULL) /* This should not be needed */
-        X509_free(s->session->peer);
+    X509_free(s->session->peer);
      s->session->peer = sk_X509_shift(sk);
      s->session->verify_result = s->verify_result;
  
@@ -3199,29 +3079,25 @@ int ssl3_get_client_certificate(SSL *s)
          s->session->sess_cert = ssl_sess_cert_new();
          if (s->session->sess_cert == NULL) {
              SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-            goto err;
+            goto done;
          }
      }
-    if (s->session->sess_cert->cert_chain != NULL)
-        sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
+    sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
      s->session->sess_cert->cert_chain = sk;
      /*
       * Inconsistency alert: cert_chain does *not* include the peer's own
       * certificate, while we do include it in s3_clnt.c
       */
-
      sk = NULL;
-
      ret = 1;
-    if (0) {
+    goto done;
+
   f_err:
-        ssl3_send_alert(s, SSL3_AL_FATAL, al);
-    }
- err:
-    if (x != NULL)
-        X509_free(x);
-    if (sk != NULL)
-        sk_X509_pop_free(sk, X509_free);
+    ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ done:
+    s->state = SSL_ST_ERR;
+    X509_free(x);
+    sk_X509_pop_free(sk, X509_free);
      return (ret);
  }
  
@@ -3232,17 +3108,14 @@ int ssl3_send_server_certificate(SSL *s)
      if (s->state == SSL3_ST_SW_CERT_A) {
          cpk = ssl_get_server_send_pkey(s);
          if (cpk == NULL) {
-            /* VRS: allow null cert if auth == KRB5 */
-            if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
-                (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
-                       ERR_R_INTERNAL_ERROR);
-                return (0);
-            }
+            SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+            s->state = SSL_ST_ERR;
+            return (0);
          }
  
          if (!ssl3_output_cert_chain(s, cpk)) {
              SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+            s->state = SSL_ST_ERR;
              return (0);
          }
          s->state = SSL3_ST_SW_CERT_B;
@@ -3276,11 +3149,15 @@ int ssl3_send_newsession_ticket(SSL *s)
           * Some length values are 16 bits, so forget it if session is too
           * long
           */
-        if (slen_full == 0 || slen_full > 0xFF00)
+        if (slen_full == 0 || slen_full > 0xFF00) {
+            s->state = SSL_ST_ERR;
              return -1;
+        }
          senc = OPENSSL_malloc(slen_full);
-        if (!senc)
+        if (!senc) {
+            s->state = SSL_ST_ERR;
              return -1;
+        }
  
          EVP_CIPHER_CTX_init(&ctx);
          HMAC_CTX_init(&hctx);
@@ -3380,10 +3257,11 @@ int ssl3_send_newsession_ticket(SSL *s)
          /* Now write out lengths: p points to end of data written */
          /* Total length */
          len = p - ssl_handshake_start(s);
-        ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
          /* Skip ticket lifetime hint */
          p = ssl_handshake_start(s) + 4;
          s2n(len - 6, p);
+        if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
+            goto err;
          s->state = SSL3_ST_SW_SESSION_TICKET_B;
          OPENSSL_free(senc);
      }
@@ -3391,10 +3269,10 @@ int ssl3_send_newsession_ticket(SSL *s)
      /* SSL3_ST_SW_SESSION_TICKET_B */
      return ssl_do_write(s);
   err:
-    if (senc)
-        OPENSSL_free(senc);
+    OPENSSL_free(senc);
      EVP_CIPHER_CTX_cleanup(&ctx);
      HMAC_CTX_cleanup(&hctx);
+    s->state = SSL_ST_ERR;
      return -1;
  }
  
@@ -3408,8 +3286,10 @@ int ssl3_send_cert_status(SSL *s)
           * 1 (ocsp response type) + 3 (ocsp response length)
           * + (ocsp response)
           */
-        if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
+        if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
+            s->state = SSL_ST_ERR;
              return -1;
+        }
  
          p = (unsigned char *)s->init_buf->data;
  
@@ -3452,6 +3332,7 @@ int ssl3_get_next_proto(SSL *s)
      if (!s->s3->next_proto_neg_seen) {
          SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
                 SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
+        s->state = SSL_ST_ERR;
          return -1;
      }
  
@@ -3471,11 +3352,14 @@ int ssl3_get_next_proto(SSL *s)
       */
      if (!s->s3->change_cipher_spec) {
          SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
+        s->state = SSL_ST_ERR;
          return -1;
      }
  
-    if (n < 2)
+    if (n < 2) {
+        s->state = SSL_ST_ERR;
          return 0;               /* The body must be > 1 bytes long */
+    }
  
      p = (unsigned char *)s->init_msg;
  
@@ -3487,15 +3371,20 @@ int ssl3_get_next_proto(SSL *s)
       *   uint8 padding[padding_len];
       */
      proto_len = p[0];
-    if (proto_len + 2 > s->init_num)
+    if (proto_len + 2 > s->init_num) {
+        s->state = SSL_ST_ERR;
          return 0;
+    }
      padding_len = p[proto_len + 1];
-    if (proto_len + padding_len + 2 != s->init_num)
+    if (proto_len + padding_len + 2 != s->init_num) {
+        s->state = SSL_ST_ERR;
          return 0;
+    }
  
      s->next_proto_negotiated = OPENSSL_malloc(proto_len);
      if (!s->next_proto_negotiated) {
          SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE);
+        s->state = SSL_ST_ERR;
          return 0;
      }
      memcpy(s->next_proto_negotiated, p + 1, proto_len);