X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_srvr.c;h=87678c181b0a9926d5cd7ac9503f20b3224cd206;hp=9e73d629217be160c65eec4dffb6df092570f2c6;hb=3b1fb1a0226e29c9d7c79ff7fbde21ef9cac4deb;hpb=b3720c34e5f8c2c8d262b719ba827a48bae32a27

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 9e73d62921..87678c181b 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -297,6 +297,8 @@ int ssl3_accept(SSL *s)
 				}
 
 			s->init_num=0;
+			s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
+			s->s3->flags &= ~TLS1_FLAGS_SKIP_CERT_VERIFY;
 
 			if (s->state != SSL_ST_RENEGOTIATE)
 				{
@@ -477,7 +479,7 @@ int ssl3_accept(SSL *s)
 			    /* SRP: send ServerKeyExchange */
 			    || (alg_k & SSL_kSRP)
 #endif
-			    || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
+			    || (alg_k & SSL_kEDH)
 			    || (alg_k & SSL_kEECDH)
 			    || ((alg_k & SSL_kRSA)
 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
@@ -883,6 +885,13 @@ int ssl3_check_client_hello(SSL *s)
 	s->s3->tmp.reuse_message = 1;
 	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
 		{
+		/* We only allow the client to restart the handshake once per
+		 * negotiation. */
+		if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+			{
+			SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+			return -1;
+			}
 		/* Throw away what we have done so far in the current handshake,
 		 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
@@ -899,6 +908,7 @@ int ssl3_check_client_hello(SSL *s)
 			s->s3->tmp.ecdh = NULL;
 			}
 #endif
+		s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
 		return 2;
 		}
 	return 1;
@@ -1167,16 +1177,11 @@ int ssl3_get_client_hello(SSL *s)
 	/* TLS extensions*/
 	if (s->version >= SSL3_VERSION)
 		{
-		if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
+		if (!ssl_parse_clienthello_tlsext(s,&p,d,n))
 			{
-			/* 'al' set by ssl_parse_clienthello_tlsext */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
-			goto f_err;
-			}
-		}
-		if (ssl_check_clienthello_tlsext(s) <= 0) {
-			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
 			goto err;
+			}
 		}
 
 	/* Check if we want to use external pre-shared secret for this
@@ -1673,7 +1678,14 @@ int ssl3_send_server_key_exchange(SSL *s)
 			const EC_GROUP *group;
 
 			ecdhp=cert->ecdh_tmp;
-			if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
+			if (s->cert->ecdh_tmp_auto)
+				{
+				/* Get NID of first shared curve */
+				int nid = tls1_shared_curve(s, 0);
+				if (nid != NID_undef)
+					ecdhp = EC_KEY_new_by_curve_name(nid);
+				}
+			else if ((ecdhp == NULL) && s->cert->ecdh_tmp_cb)
 				{
 				ecdhp=s->cert->ecdh_tmp_cb(s,
 				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
@@ -1698,7 +1710,9 @@ int ssl3_send_server_key_exchange(SSL *s)
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
 				goto err;
 				}
-			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
+			if (s->cert->ecdh_tmp_auto)
+				ecdh = ecdhp;
+			else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
 				{
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
 				goto err;
@@ -2122,7 +2136,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 #endif
 #ifndef OPENSSL_NO_DH
 	BIGNUM *pub=NULL;
-	DH *dh_srvr;
+	DH *dh_srvr, *dh_clnt = NULL;
 #endif
 #ifndef OPENSSL_NO_KRB5
 	KSSL_ERR kssl_err;
@@ -2256,8 +2270,13 @@ int ssl3_get_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
 		if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
 		{
-		n2s(p,i);
-		if (n != i+2)
+		int idx = -1;
+		EVP_PKEY *skey = NULL;
+		if (n)
+			n2s(p,i);
+		else
+			i = 0;
+		if (n && n != i+2)
 			{
 			if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
 				{
@@ -2270,26 +2289,52 @@ int ssl3_get_client_key_exchange(SSL *s)
 				i=(int)n;
 				}
 			}
-
-		if (n == 0L) /* the parameters are in the cert */
+		if (alg_k & SSL_kDHr)
+			idx = SSL_PKEY_DH_RSA;
+		else if (alg_k & SSL_kDHd)
+			idx = SSL_PKEY_DH_DSA;
+		if (idx >= 0)
+			{
+			skey = s->cert->pkeys[idx].privatekey;
+			if ((skey == NULL) ||
+				(skey->type != EVP_PKEY_DH) ||
+				(skey->pkey.dh == NULL))
+				{
+				al=SSL_AD_HANDSHAKE_FAILURE;
+				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
+				goto f_err;
+				}
+			dh_srvr = skey->pkey.dh;
+			}
+		else if (s->s3->tmp.dh == NULL)
 			{
 			al=SSL_AD_HANDSHAKE_FAILURE;
-			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
 			goto f_err;
 			}
 		else
+			dh_srvr=s->s3->tmp.dh;
+
+		if (n == 0L)
 			{
-			if (s->s3->tmp.dh == NULL)
+			/* Get pubkey from cert */
+			EVP_PKEY *clkey=X509_get_pubkey(s->session->peer);
+			if (clkey)
+				{
+				if (EVP_PKEY_cmp_parameters(clkey, skey) == 1)
+					dh_clnt = EVP_PKEY_get1_DH(clkey);
+				}
+			if (dh_clnt == NULL)
 				{
 				al=SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
 				goto f_err;
 				}
-			else
-				dh_srvr=s->s3->tmp.dh;
+			EVP_PKEY_free(clkey);
+			pub = dh_clnt->pub_key;
 			}
-
-		pub=BN_bin2bn(p,i,NULL);
+		else
+			pub=BN_bin2bn(p,i,NULL);
 		if (pub == NULL)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
@@ -2301,18 +2346,23 @@ int ssl3_get_client_key_exchange(SSL *s)
 		if (i <= 0)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+			BN_clear_free(pub);
 			goto err;
 			}
 
 		DH_free(s->s3->tmp.dh);
 		s->s3->tmp.dh=NULL;
-
-		BN_clear_free(pub);
+		if (dh_clnt)
+			DH_free(dh_clnt);
+		else
+			BN_clear_free(pub);
 		pub=NULL;
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,p,i);
 		OPENSSL_cleanse(p,i);
+		if (dh_clnt)
+			return 2;
 		}
 	else
 #endif
@@ -2910,7 +2960,7 @@ int ssl3_get_cert_verify(SSL *s)
 		SSL3_ST_SR_CERT_VRFY_A,
 		SSL3_ST_SR_CERT_VRFY_B,
 		-1,
-		514, /* 514? */
+		516, /* Enough for 4096 bit RSA key with TLS v1.2 */
 		&ok);
 
 	if (!ok) return((int)n);
@@ -2930,7 +2980,7 @@ int ssl3_get_cert_verify(SSL *s)
 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
 		{
 		s->s3->tmp.reuse_message=1;
-		if ((peer != NULL) && (type | EVP_PKT_SIGN))
+		if ((peer != NULL) && (type & EVP_PKT_SIGN))
 			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
@@ -3317,12 +3367,12 @@ err:
 int ssl3_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
-	X509 *x;
+	CERT_PKEY *cpk;
 
 	if (s->state == SSL3_ST_SW_CERT_A)
 		{
-		x=ssl_get_server_send_cert(s);
-		if (x == NULL)
+		cpk=ssl_get_server_send_pkey(s);
+		if (cpk == NULL)
 			{
 			/* VRS: allow null cert if auth == KRB5 */
 			if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
@@ -3333,7 +3383,7 @@ int ssl3_send_server_certificate(SSL *s)
 				}
 			}
 
-		l=ssl3_output_cert_chain(s,x);
+		l=ssl3_output_cert_chain(s,cpk);
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;