For VMS, implement the possibility to choose 64-bit pointers with
[openssl.git] / ssl / s3_srvr.c
index d732764..871909e 100644 (file)
 #define NETSCAPE_HANG_BUG
 
 #include <stdio.h>
+#include <openssl/crypto.h>
 #include "ssl_locl.h"
 #include "kssl_lcl.h"
 #include <openssl/buffer.h>
@@ -179,6 +180,31 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
                return(NULL);
        }
 
+#ifndef OPENSSL_NO_SRP
+static int SSL_check_srp_ext_ClientHello(SSL *s,int *ad)
+       {
+       int ret = SSL_ERROR_NONE;
+
+       *ad = SSL_AD_UNRECOGNIZED_NAME;
+
+       if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
+           (s->srp_ctx.TLS_ext_srp_username_callback != NULL))
+               {
+               if(s->srp_ctx.login == NULL)
+                       {
+                       /* There isn't any srp login extension !!! */
+                       ret = SSL3_AL_WARNING;
+                       *ad = SSL_AD_MISSING_SRP_USERNAME;
+                       }
+               else
+                       {
+                       ret = SSL_srp_server_param_with_username(s,ad);
+                       }
+               }
+       return ret;
+       }
+#endif
+
 IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
                        ssl3_accept,
                        ssl_undefined_function,
@@ -189,9 +215,11 @@ int ssl3_accept(SSL *s)
        BUF_MEM *buf;
        unsigned long alg_k,Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       long num1;
        int ret= -1;
        int new_state,state,skip=0;
+#ifndef OPENSSL_NO_SRP
+       int srp_no_username =0;
+#endif
 
        RAND_add(&Time,sizeof(Time),0);
        ERR_clear_error();
@@ -219,7 +247,7 @@ int ssl3_accept(SSL *s)
                switch (s->state)
                        {
                case SSL_ST_RENEGOTIATE:
-                       s->new_session=1;
+                       s->renegotiate=1;
                        /* s->state=SSL_ST_ACCEPT; */
 
                case SSL_ST_BEFORE:
@@ -271,6 +299,18 @@ int ssl3_accept(SSL *s)
                                s->state=SSL3_ST_SR_CLNT_HELLO_A;
                                s->ctx->stats.sess_accept++;
                                }
+                       else if (!s->s3->send_connection_binding &&
+                               !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+                               {
+                               /* Server attempting to renegotiate with
+                                * client that doesn't support secure
+                                * renegotiation.
+                                */
+                               SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+                               ret = -1;
+                               goto end;
+                               }
                        else
                                {
                                /* s->state == SSL_ST_RENEGOTIATE,
@@ -300,12 +340,39 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SR_CLNT_HELLO_A:
                case SSL3_ST_SR_CLNT_HELLO_B:
                case SSL3_ST_SR_CLNT_HELLO_C:
+#ifndef OPENSSL_NO_SRP
+               case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME:
+#endif
 
                        s->shutdown=0;
                        ret=ssl3_get_client_hello(s);
                        if (ret <= 0) goto end;
+#ifndef OPENSSL_NO_SRP
+                       {
+                       int extension_error = 0,al;
+
+                       if ((al = SSL_check_srp_ext_ClientHello(s,&extension_error)) != SSL_ERROR_NONE)
+                               {
+                               ssl3_send_alert(s,al,extension_error);
+                               if (extension_error == SSL_AD_MISSING_SRP_USERNAME)
+                                       {
+                                       if (srp_no_username) goto end;
+                                       ERR_clear_error();
+                                       srp_no_username = 1;
+                                       s->state=SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME;
+                                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+                                       if ((ret=BIO_flush(s->wbio)) <= 0) goto end;
+                                       s->init_num=0;
+                                       break;
+                                       }
+                               ret = -1;
+                               SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
+                               goto end;
+                               }
+                       }
+#endif
                        
-                       s->new_session = 2;
+                       s->renegotiate = 2;
                        s->state=SSL3_ST_SW_SRVR_HELLO_A;
                        s->init_num=0;
                        break;
@@ -334,7 +401,7 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
                        /* Check if it is anon DH or anon ECDH, */
-                       /* normal PSK or KRB5 */
+                       /* normal PSK or KRB5 or SRP */
                        if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
                                && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
                                && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
@@ -398,6 +465,10 @@ int ssl3_accept(SSL *s)
                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
+#endif
+#ifndef OPENSSL_NO_SRP
+                           /* SRP: send ServerKeyExchange */
+                           || (alg_k & SSL_kSRP)
 #endif
                            || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
                            || (alg_k & SSL_kEECDH)
@@ -471,15 +542,24 @@ int ssl3_accept(SSL *s)
                        break;
                
                case SSL3_ST_SW_FLUSH:
-                       /* number of bytes to be flushed */
-                       num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-                       if (num1 > 0)
+
+                       /* This code originally checked to see if
+                        * any data was pending using BIO_CTRL_INFO
+                        * and then flushed. This caused problems
+                        * as documented in PR#1939. The proposed
+                        * fix doesn't completely resolve this issue
+                        * as buggy implementations of BIO_CTRL_PENDING
+                        * still exist. So instead we just flush
+                        * unconditionally.
+                        */
+
+                       s->rwstate=SSL_WRITING;
+                       if (BIO_flush(s->wbio) <= 0)
                                {
-                               s->rwstate=SSL_WRITING;
-                               num1=BIO_flush(s->wbio);
-                               if (num1 <= 0) { ret= -1; goto end; }
-                               s->rwstate=SSL_NOTHING;
+                               ret= -1;
+                               goto end;
                                }
+                       s->rwstate=SSL_NOTHING;
 
                        s->state=s->s3->tmp.next_state;
                        break;
@@ -514,8 +594,18 @@ int ssl3_accept(SSL *s)
                                 * the client sends its ECDH pub key in
                                 * a certificate, the CertificateVerify
                                 * message is not sent.
+                                * Also for GOST ciphersuites when
+                                * the client uses its key from the certificate
+                                * for key exchange.
                                 */
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
                                s->state=SSL3_ST_SR_FINISHED_A;
+#else
+                               if (s->s3->next_proto_neg_seen)
+                                       s->state=SSL3_ST_SR_NEXT_PROTO_A;
+                               else
+                                       s->state=SSL3_ST_SR_FINISHED_A;
+#endif
                                s->init_num = 0;
                                }
                        else
@@ -558,10 +648,27 @@ int ssl3_accept(SSL *s)
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
 
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
                        s->state=SSL3_ST_SR_FINISHED_A;
+#else
+                       if (s->s3->next_proto_neg_seen)
+                               s->state=SSL3_ST_SR_NEXT_PROTO_A;
+                       else
+                               s->state=SSL3_ST_SR_FINISHED_A;
+#endif
                        s->init_num=0;
                        break;
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+               case SSL3_ST_SR_NEXT_PROTO_A:
+               case SSL3_ST_SR_NEXT_PROTO_B:
+                       ret=ssl3_get_next_proto(s);
+                       if (ret <= 0) goto end;
+                       s->init_num = 0;
+                       s->state=SSL3_ST_SR_FINISHED_A;
+                       break;
+#endif
+
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
@@ -632,7 +739,16 @@ int ssl3_accept(SSL *s)
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_SW_FLUSH;
                        if (s->hit)
+                               {
+#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+#else
+                               if (s->s3->next_proto_neg_seen)
+                                       s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
+                               else
+                                       s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+#endif
+                               }
                        else
                                s->s3->tmp.next_state=SSL_ST_OK;
                        s->init_num=0;
@@ -650,11 +766,12 @@ int ssl3_accept(SSL *s)
 
                        s->init_num=0;
 
-                       if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
+                       if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
                                {
                                /* actually not necessarily a 'new' session unless
                                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
                                
+                               s->renegotiate=0;
                                s->new_session=0;
                                
                                ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
@@ -779,7 +896,11 @@ int ssl3_get_client_hello(SSL *s)
         * If we are SSLv3, we will respond with SSLv3, even if prompted with
         * TLSv1.
         */
-       if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
+       if (s->state == SSL3_ST_SR_CLNT_HELLO_A
+#ifndef OPENSSL_NO_SRP
+               || (s->state == SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME)
+#endif
+               )
                {
                s->state=SSL3_ST_SR_CLNT_HELLO_B;
                }
@@ -813,6 +934,21 @@ int ssl3_get_client_hello(SSL *s)
                goto f_err;
                }
 
+       /* If we require cookies and this ClientHello doesn't
+        * contain one, just return since we do not want to
+        * allocate any memory yet. So check cookie length...
+        */
+       if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
+               {
+               unsigned int session_length, cookie_length;
+               
+               session_length = *(p + SSL3_RANDOM_SIZE);
+               cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
+
+               if (cookie_length == 0)
+                       return 1;
+               }
+
        /* load the client random */
        memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE);
        p+=SSL3_RANDOM_SIZE;
@@ -852,23 +988,11 @@ int ssl3_get_client_hello(SSL *s)
 
        p+=j;
 
-       if (s->version == DTLS1_VERSION)
+       if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
                {
                /* cookie stuff */
                cookie_len = *(p++);
 
-               if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
-                       s->d1->send_cookie == 0)
-                       {
-                       /* HelloVerifyMessage has already been sent */
-                       if ( cookie_len != s->d1->cookie_len)
-                               {
-                               al = SSL_AD_HANDSHAKE_FAILURE;
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
-                               goto f_err;
-                               }
-                       }
-
                /* 
                 * The ClientHello may contain a cookie even if the
                 * HelloVerify message has not been sent--make sure that it
@@ -883,7 +1007,7 @@ int ssl3_get_client_hello(SSL *s)
                        }
 
                /* verify the cookie if appropriate option is set. */
-               if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+               if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
                        cookie_len > 0)
                        {
                        memcpy(s->d1->rcvd_cookie, p, cookie_len);
@@ -908,6 +1032,8 @@ int ssl3_get_client_hello(SSL *s)
                                                SSL_R_COOKIE_MISMATCH);
                                        goto f_err;
                                }
+
+                       ret = 2;
                        }
 
                p += cookie_len;
@@ -957,6 +1083,10 @@ int ssl3_get_client_hello(SSL *s)
                                break;
                                }
                        }
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
                if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
                        {
                        /* Special case as client bug workaround: the previously used cipher may
@@ -971,6 +1101,7 @@ int ssl3_get_client_hello(SSL *s)
                                j = 1;
                                }
                        }
+#endif
                if (j == 0)
                        {
                        /* we need to have the cipher in the cipher
@@ -1007,7 +1138,7 @@ int ssl3_get_client_hello(SSL *s)
 
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions*/
-       if (s->version > SSL3_VERSION)
+       if (s->version >= SSL3_VERSION)
                {
                if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
                        {
@@ -1080,7 +1211,50 @@ int ssl3_get_client_hello(SSL *s)
         * algorithms from the client, starting at q. */
        s->s3->tmp.new_compression=NULL;
 #ifndef OPENSSL_NO_COMP
-       if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
+       /* This only happens if we have a cache hit */
+       if (s->session->compress_meth != 0)
+               {
+               int m, comp_id = s->session->compress_meth;
+               /* Perform sanity checks on resumed compression algorithm */
+               /* Can't disable compression */
+               if (s->options & SSL_OP_NO_COMPRESSION)
+                       {
+                       al=SSL_AD_INTERNAL_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+                       goto f_err;
+                       }
+               /* Look for resumed compression method */
+               for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++)
+                       {
+                       comp=sk_SSL_COMP_value(s->ctx->comp_methods,m);
+                       if (comp_id == comp->id)
+                               {
+                               s->s3->tmp.new_compression=comp;
+                               break;
+                               }
+                       }
+               if (s->s3->tmp.new_compression == NULL)
+                       {
+                       al=SSL_AD_INTERNAL_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
+                       goto f_err;
+                       }
+               /* Look for resumed method in compression list */
+               for (m = 0; m < i; m++)
+                       {
+                       if (q[m] == comp_id)
+                               break;
+                       }
+               if (m >= i)
+                       {
+                       al=SSL_AD_ILLEGAL_PARAMETER;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
+                       goto f_err;
+                       }
+               }
+       else if (s->hit)
+               comp = NULL;
+       else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
                { /* See if we have a match */
                int m,nn,o,v,done=0;
 
@@ -1104,6 +1278,16 @@ int ssl3_get_client_hello(SSL *s)
                else
                        comp=NULL;
                }
+#else
+       /* If compression is disabled we'd better not try to resume a session
+        * using compression.
+        */
+       if (s->session->compress_meth != 0)
+               {
+               al=SSL_AD_INTERNAL_ERROR;
+               SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
+               goto f_err;
+               }
 #endif
 
        /* Given s->session->ciphers and SSL_get_ciphers, we must
@@ -1136,6 +1320,13 @@ int ssl3_get_client_hello(SSL *s)
                        goto f_err;
                        }
                s->s3->tmp.new_cipher=c;
+               /* check whether we should disable session resumption */
+               if (s->not_resumable_session_cb != NULL)
+                       s->session->not_resumable=s->not_resumable_session_cb(s,
+                               ((c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)) != 0));
+               if (s->session->not_resumable)
+                       /* do not send a session ticket */
+                       s->tlsext_ticket_expected = 0;
                }
        else
                {
@@ -1182,7 +1373,7 @@ int ssl3_get_client_hello(SSL *s)
         * s->tmp.new_cipher    - the new cipher to use.
         */
 
-       ret=1;
+       if (ret < 0) ret=1;
        if (0)
                {
 f_err:
@@ -1239,8 +1430,9 @@ int ssl3_send_server_hello(SSL *s)
                 * if session caching is disabled so existing functionality
                 * is unaffected.
                 */
-               if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-                       && !s->hit)
+               if (s->session->not_resumable ||
+                       (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+                               && !s->hit))
                        s->session->session_id_length=0;
 
                sl=s->session->session_id_length;
@@ -1581,14 +1773,37 @@ int ssl3_send_server_key_exchange(SSL *s)
                                }
                        else
 #endif /* !OPENSSL_NO_PSK */
+#ifndef OPENSSL_NO_SRP
+               if (type & SSL_kSRP)
+                       {
+                       if ((s->srp_ctx.N == NULL) ||
+                               (s->srp_ctx.g == NULL) ||
+                               (s->srp_ctx.s == NULL) ||
+                               (s->srp_ctx.B == NULL))
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM);
+                               goto err;
+                               }
+                       r[0]=s->srp_ctx.N;
+                       r[1]=s->srp_ctx.g;
+                       r[2]=s->srp_ctx.s;
+                       r[3]=s->srp_ctx.B;
+                       }
+               else 
+#endif
                        {
                        al=SSL_AD_HANDSHAKE_FAILURE;
                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
                        goto f_err;
                        }
-               for (i=0; r[i] != NULL; i++)
+               for (i=0; r[i] != NULL && i<4; i++)
                        {
                        nr[i]=BN_num_bytes(r[i]);
+#ifndef OPENSSL_NO_SRP
+                       if ((i == 2) && (type & SSL_kSRP))
+                               n+=1+nr[i];
+                       else
+#endif
                        n+=2+nr[i];
                        }
 
@@ -1617,8 +1832,16 @@ int ssl3_send_server_key_exchange(SSL *s)
                d=(unsigned char *)s->init_buf->data;
                p= &(d[4]);
 
-               for (i=0; r[i] != NULL; i++)
+               for (i=0; r[i] != NULL && i<4; i++)
                        {
+#ifndef OPENSSL_NO_SRP
+                       if ((i == 2) && (type & SSL_kSRP))
+                               {
+                               *p = nr[i];
+                               p++;
+                               }
+                       else
+#endif
                        s2n(nr[i],p);
                        BN_bn2bin(r[i],p);
                        p+=nr[i];
@@ -1920,7 +2143,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                        }
 
                /* TLS and [incidentally] DTLS{0xFEFF} */
-               if (s->version > SSL3_VERSION)
+               if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER)
                        {
                        n2s(p,i);
                        if (n != i+2)
@@ -2065,7 +2288,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                krb5_data               enc_pms;
                KSSL_CTX                *kssl_ctx = s->kssl_ctx;
                EVP_CIPHER_CTX          ciph_ctx;
-               EVP_CIPHER              *enc = NULL;
+               const EVP_CIPHER        *enc = NULL;
                unsigned char           iv[EVP_MAX_IV_LENGTH];
                unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
                                               + EVP_MAX_BLOCK_LENGTH];
@@ -2080,7 +2303,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
 
-               if (n < enc_ticket.length + 6)
+               if (n < (long)(enc_ticket.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -2093,7 +2316,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                authenticator.length = i;
 
-               if (n < enc_ticket.length + authenticator.length + 6)
+               if (n < (long)(enc_ticket.length + authenticator.length + 6))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                SSL_R_DATA_LENGTH_TOO_LONG);
@@ -2205,7 +2428,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                                SSL_R_DATA_LENGTH_TOO_LONG);
                        goto err;
                        }
-               if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+               if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
                    {
                    /* The premaster secret must contain the same version number as the
                     * ClientHello to detect version rollback attacks (strangely, the
@@ -2215,8 +2438,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                     * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 
                     * (Perhaps we should have a separate BUG value for the Kerberos cipher)
                     */
-                   if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
-                          (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+                   if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                               SSL_AD_DECODE_ERROR);
@@ -2386,9 +2608,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 
                EVP_PKEY_free(clnt_pub_pkey);
                EC_POINT_free(clnt_ecpoint);
-               if (srvr_ecdh != NULL) 
-                       EC_KEY_free(srvr_ecdh);
+               EC_KEY_free(srvr_ecdh);
                BN_CTX_free(bn_ctx);
+               EC_KEY_free(s->s3->tmp.ecdh);
+               s->s3->tmp.ecdh = NULL; 
 
                /* Compute the master secret */
                s->session->master_key_length = s->method->ssl3_enc-> \
@@ -2494,34 +2717,116 @@ int ssl3_get_client_key_exchange(SSL *s)
                        }
                else
 #endif
+#ifndef OPENSSL_NO_SRP
+               if (alg_k & SSL_kSRP)
+                       {
+                       int param_len;
+
+                       n2s(p,i);
+                       param_len=i+2;
+                       if (param_len > n)
+                               {
+                               al=SSL_AD_DECODE_ERROR;
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH);
+                               goto f_err;
+                               }
+                       if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL)))
+                               {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
+                               goto err;
+                               }
+                       if (s->session->srp_username != NULL)
+                               OPENSSL_free(s->session->srp_username);
+                       s->session->srp_username = BUF_strdup(s->srp_ctx.login);
+                       if (s->session->srp_username == NULL)
+                               {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_MALLOC_FAILURE);
+                               goto err;
+                               }
+
+                       if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0)
+                               {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+
+                       p+=i;
+                       }
+               else
+#endif /* OPENSSL_NO_SRP */
                if (alg_k & SSL_kGOST) 
-               {
+                       {
+                       int ret = 0;
                        EVP_PKEY_CTX *pkey_ctx;
-                       unsigned char premaster_secret[32];
-                       size_t outlen;                  
-
-                       /* Get our certificate privatec key*/
-                       pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);     
+                       EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
+                       unsigned char premaster_secret[32], *start;
+                       size_t outlen=32, inlen;
+                       unsigned long alg_a;
+
+                       /* Get our certificate private key*/
+                       alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+                       if (alg_a & SSL_aGOST94)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
+                       else if (alg_a & SSL_aGOST01)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+
+                       pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
                        EVP_PKEY_decrypt_init(pkey_ctx);
+                       /* If client certificate is present and is of the same type, maybe
+                        * use it for key exchange.  Don't mind errors from
+                        * EVP_PKEY_derive_set_peer, because it is completely valid to use
+                        * a client certificate for authorization only. */
+                       client_pub_pkey = X509_get_pubkey(s->session->peer);
+                       if (client_pub_pkey)
+                               {
+                               if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
+                                       ERR_clear_error();
+                               }
                        /* Decrypt session key */
-                       if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED)) || p[1]!=0x81 
+                       if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) 
                                {
                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
-                               goto err;
-                               }       
-                       if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,p+3,p[2]) <0) 
+                               goto gerr;
+                               }
+                       if (p[1] == 0x81)
+                               {
+                               start = p+3;
+                               inlen = p[2];
+                               }
+                       else if (p[1] < 0x80)
+                               {
+                               start = p+2;
+                               inlen = p[1];
+                               }
+                       else
+                               {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
+                               goto gerr;
+                               }
+                       if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 
 
                                {
                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
-                               goto err;
+                               goto gerr;
                                }
                        /* Generate master secret */
-                       EVP_PKEY_CTX_free(pkey_ctx);
                        s->session->master_key_length=
                                s->method->ssl3_enc->generate_master_secret(s,
                                        s->session->master_key,premaster_secret,32);
-
-               }
+                       /* Check if pubkey from client certificate was used */
+                       if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
+                               ret = 2;
+                       else
+                               ret = 1;
+               gerr:
+                       EVP_PKEY_free(client_pub_pkey);
+                       EVP_PKEY_CTX_free(pkey_ctx);
+                       if (ret)
+                               return ret;
+                       else
+                               goto err;
+                       }
                else
                {
                al=SSL_AD_HANDSHAKE_FAILURE;
@@ -2533,7 +2838,7 @@ int ssl3_get_client_key_exchange(SSL *s)
        return(1);
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH)
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
 err:
 #endif
 #ifndef OPENSSL_NO_ECDH
@@ -2845,7 +3150,7 @@ int ssl3_get_client_certificate(SSL *s)
        else
                {
                i=ssl_verify_cert_chain(s,sk);
-               if (!i)
+               if (i <= 0)
                        {
                        al=ssl_verify_alarm_type(s->verify_result);
                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
@@ -2927,6 +3232,7 @@ int ssl3_send_newsession_ticket(SSL *s)
                unsigned int hlen;
                EVP_CIPHER_CTX ctx;
                HMAC_CTX hctx;
+               SSL_CTX *tctx = s->initial_ctx;
                unsigned char iv[EVP_MAX_IV_LENGTH];
                unsigned char key_name[16];
 
@@ -2965,9 +3271,9 @@ int ssl3_send_newsession_ticket(SSL *s)
                 * it does all the work otherwise use generated values
                 * from parent ctx.
                 */
-               if (s->ctx->tlsext_ticket_key_cb)
+               if (tctx->tlsext_ticket_key_cb)
                        {
-                       if (s->ctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
+                       if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
                                                         &hctx, 1) < 0)
                                {
                                OPENSSL_free(senc);
@@ -2978,10 +3284,10 @@ int ssl3_send_newsession_ticket(SSL *s)
                        {
                        RAND_pseudo_bytes(iv, 16);
                        EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                                       s->ctx->tlsext_tick_aes_key, iv);
-                       HMAC_Init_ex(&hctx, s->ctx->tlsext_tick_hmac_key, 16,
+                                       tctx->tlsext_tick_aes_key, iv);
+                       HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
                                        tlsext_tick_md(), NULL);
-                       memcpy(key_name, s->ctx->tlsext_tick_key_name, 16);
+                       memcpy(key_name, tctx->tlsext_tick_key_name, 16);
                        }
                l2n(s->session->tlsext_tick_lifetime_hint, p);
                /* Skip ticket length for now */
@@ -3058,4 +3364,72 @@ int ssl3_send_cert_status(SSL *s)
        /* SSL3_ST_SW_CERT_STATUS_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
+
+# ifndef OPENSSL_NO_NPN
+/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
+ * sets the next_proto member in s if found */
+int ssl3_get_next_proto(SSL *s)
+       {
+       int ok;
+       int proto_len, padding_len;
+       long n;
+       const unsigned char *p;
+
+       /* Clients cannot send a NextProtocol message if we didn't see the
+        * extension in their ClientHello */
+       if (!s->s3->next_proto_neg_seen)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
+               return -1;
+               }
+
+       n=s->method->ssl_get_message(s,
+               SSL3_ST_SR_NEXT_PROTO_A,
+               SSL3_ST_SR_NEXT_PROTO_B,
+               SSL3_MT_NEXT_PROTO,
+               514,  /* See the payload format below */
+               &ok);
+
+       if (!ok)
+               return((int)n);
+
+       /* s->state doesn't reflect whether ChangeCipherSpec has been received
+        * in this handshake, but s->s3->change_cipher_spec does (will be reset
+        * by ssl3_get_finished). */
+       if (!s->s3->change_cipher_spec)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
+               return -1;
+               }
+
+       if (n < 2)
+               return 0;  /* The body must be > 1 bytes long */
+
+       p=(unsigned char *)s->init_msg;
+
+       /* The payload looks like:
+        *   uint8 proto_len;
+        *   uint8 proto[proto_len];
+        *   uint8 padding_len;
+        *   uint8 padding[padding_len];
+        */
+       proto_len = p[0];
+       if (proto_len + 2 > s->init_num)
+               return 0;
+       padding_len = p[proto_len + 1];
+       if (proto_len + padding_len + 2 != s->init_num)
+               return 0;
+
+       s->next_proto_negotiated = OPENSSL_malloc(proto_len);
+       if (!s->next_proto_negotiated)
+               {
+               SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
+       memcpy(s->next_proto_negotiated, p + 1, proto_len);
+       s->next_proto_negotiated_len = proto_len;
+
+       return 1;
+       }
+# endif
 #endif