Send and receive the ticket_nonce field in a NewSessionTicket

[openssl.git] / ssl / statem / statem_clnt.c

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 46439359fbef2d6cca9c41289485a5c78dca00a3..e6c72268ca1ef6cf66d37c3d12885da9aaa3e6b6 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1790,9 +1790,10 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
     if (!SSL_IS_TLS13(s)) {
         exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
         if (exp_idx >= 0 && i != exp_idx
-            && (exp_idx != SSL_PKEY_GOST_EC ||
-                (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
-                 && i != SSL_PKEY_GOST01))) {
+                && (exp_idx != SSL_PKEY_ECC || i != SSL_PKEY_ED25519)
+                && (exp_idx != SSL_PKEY_GOST_EC ||
+                    (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
+                    && i != SSL_PKEY_GOST01))) {
             x = NULL;
             al = SSL_AD_ILLEGAL_PARAMETER;
             SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
@@ -2210,7 +2211,10 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
             goto err;
         }
 
-        md = ssl_md(s->s3->tmp.peer_sigalg->hash_idx);
+        if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
+            al = SSL_AD_INTERNAL_ERROR;
+            goto err;
+        }
 
         if (!PACKET_get_length_prefixed_2(pkt, &signature)
             || PACKET_remaining(pkt) != 0) {
@@ -2268,11 +2272,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
         rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
                               PACKET_remaining(&signature), tbs, tbslen);
         OPENSSL_free(tbs);
-        if (rv < 0) {
-            al = SSL_AD_INTERNAL_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
-            goto err;
-        } else if (rv == 0) {
+        if (rv <= 0) {
             al = SSL_AD_DECRYPT_ERROR;
             SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
             goto err;
@@ -2421,9 +2421,15 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
     unsigned long ticket_lifetime_hint, age_add = 0;
     unsigned int sess_len;
     RAW_EXTENSION *exts = NULL;
+    PACKET nonce;
 
     if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
-        || (SSL_IS_TLS13(s) && !PACKET_get_net_4(pkt, &age_add))
+        || (SSL_IS_TLS13(s)
+            && (!PACKET_get_net_4(pkt, &age_add)
+                || !PACKET_get_length_prefixed_1(pkt, &nonce)
+                || PACKET_remaining(&nonce) == 0
+                || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,
+                                  &s->session->ext.tick_nonce_len)))
         || !PACKET_get_net_2(pkt, &ticklen)
         || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
         || (SSL_IS_TLS13(s)
@@ -3320,7 +3326,12 @@ int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE,
                SSL_R_CANNOT_CHANGE_CIPHER);
-        goto err;
+        /*
+         * This is a fatal error, which leaves
+         * enc_write_ctx in an inconsistent state
+         * and thus ssl3_send_alert may crash.
+         */
+        return 0;
     }
 
     return 1;
@@ -3352,7 +3363,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 
 #ifndef OPENSSL_NO_EC
     idx = s->session->peer_type;
-    if (idx == SSL_PKEY_ECC) {
+    if (idx == SSL_PKEY_ECC || idx == SSL_PKEY_ED25519) {
         if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) {
             /* check failed */
             SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);