return SERVER_KEY_EXCH_MAX_LENGTH;
case TLS_ST_CR_CERT_REQ:
- return SSL3_RT_MAX_PLAIN_LENGTH;
+ /* Set to s->max_cert_list for compatibility with previous releases.
+ * In practice these messages can get quite long if servers are
+ * configured to provide a long list of acceptable CAs
+ */
+ return s->max_cert_list;
case TLS_ST_CR_SRVR_DONE:
return SERVER_HELLO_DONE_MAX_LENGTH;
* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
*/
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
x = NULL;
err:
ossl_statem_set_error(s);
done:
- EVP_PKEY_free(pkey);
X509_free(x);
sk_X509_pop_free(sk, X509_free);
return ret;
/* We must check if there is a certificate */
if (alg_a & (SSL_aRSA|SSL_aDSS))
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
}
#endif /* !OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_DH
goto f_err;
}
if (alg_a & (SSL_aRSA|SSL_aDSS))
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
/* else anonymous DH, so no certificate or pkey. */
}
#endif /* !OPENSSL_NO_DH */
if (0) ;
# ifndef OPENSSL_NO_RSA
else if (alg_a & SSL_aRSA)
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
# endif
# ifndef OPENSSL_NO_EC
else if (alg_a & SSL_aECDSA)
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
# endif
/* else anonymous ECDH, so no certificate or pkey. */
} else if (alg_k) {
goto f_err;
}
}
- EVP_PKEY_free(pkey);
EVP_MD_CTX_free(md_ctx);
return MSG_PROCESS_CONTINUE_READING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
- EVP_PKEY_free(pkey);
#ifndef OPENSSL_NO_RSA
RSA_free(rsa);
#endif
#ifndef OPENSSL_NO_RSA
unsigned char *q;
EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
#endif
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
EVP_PKEY *ckey = NULL, *skey = NULL;
}
#ifndef OPENSSL_NO_RSA
else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
- RSA *rsa;
+ size_t enclen;
pmslen = SSL_MAX_MASTER_KEY_LENGTH;
pms = OPENSSL_malloc(pmslen);
if (pms == NULL)
goto err;
}
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
|| (pkey->pkey.rsa == NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
- EVP_PKEY_free(pkey);
goto err;
}
- rsa = pkey->pkey.rsa;
- EVP_PKEY_free(pkey);
pms[0] = s->client_version >> 8;
pms[1] = s->client_version & 0xff;
/* Fix buf for TLS and beyond */
if (s->version > SSL3_VERSION)
p += 2;
- n = RSA_public_encrypt(pmslen, pms, p, rsa, RSA_PKCS1_PADDING);
+ pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
+ || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+ ERR_R_EVP_LIB);
+ goto err;
+ }
+ if (EVP_PKEY_encrypt(pctx, p, &enclen, pms, pmslen) <= 0) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
+ SSL_R_BAD_RSA_ENCRYPT);
+ goto err;
+ }
+ n = enclen;
+ EVP_PKEY_CTX_free(pctx);
+ pctx = NULL;
# ifdef PKCS1_CHECK
if (s->options & SSL_OP_PKCS1_CHECK_1)
p[1]++;
if (s->options & SSL_OP_PKCS1_CHECK_2)
tmp_buf[0] = 0x70;
# endif
- if (n <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
- SSL_R_BAD_RSA_ENCRYPT);
- goto err;
- }
/* Fix buf for TLS and beyond */
if (s->version > SSL3_VERSION) {
unsigned int md_len;
unsigned char shared_ukm[32], tmp[256];
EVP_MD_CTX *ukm_hash;
- EVP_PKEY *pub_key;
int dgst_nid = NID_id_GostR3411_94;
if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
dgst_nid = NID_id_GostR3411_2012_256;
goto err;
}
- pkey_ctx = EVP_PKEY_CTX_new(pub_key =
- X509_get_pubkey(peer_cert), NULL);
+ pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
if (pkey_ctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_MALLOC_FAILURE);
s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
}
EVP_PKEY_CTX_free(pkey_ctx);
- EVP_PKEY_free(pub_key);
}
#endif
err:
OPENSSL_clear_free(pms, pmslen);
s->s3->tmp.pms = NULL;
+#ifndef OPENSSL_NO_RSA
+ EVP_PKEY_CTX_free(pctx);
+#endif
#ifndef OPENSSL_NO_EC
OPENSSL_free(encodedPoint);
#endif
goto f_err;
}
#endif
- pkey = X509_get_pubkey(s->session->peer);
+ pkey = X509_get0_pubkey(s->session->peer);
i = X509_certificate_type(s->session->peer, pkey);
- EVP_PKEY_free(pkey);
/* Check that we have a certificate if we require one */
if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {