This commit was manufactured by cvs2svn to create branch

[oweals/openssl.git] / ssl / s3_srvr.c

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4088598d239f69b4a48c6f577e600c260d786202..5944d8c484824a9147f6c6f7ede2d872f966e3dd 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -180,11 +180,11 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
        }
 
 #ifndef OPENSSL_NO_SRP
-static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad)
+static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
        {
        int ret = SSL_ERROR_NONE;
 
-       *ad = SSL_AD_UNRECOGNIZED_NAME;
+       *al = SSL_AD_UNRECOGNIZED_NAME;
 
        if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
            (s->srp_ctx.TLS_ext_srp_username_callback != NULL))
@@ -192,12 +192,12 @@ static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad)
                if(s->srp_ctx.login == NULL)
                        {
                        /* There isn't any srp login extension !!! */
-                       ret = SSL3_AL_WARNING;
-                       *ad = SSL_AD_MISSING_SRP_USERNAME;
+                       ret = SSL3_AL_FATAL;
+                       *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
                        }
                else
                        {
-                       ret = SSL_srp_server_param_with_username(s,ad);
+                       ret = SSL_srp_server_param_with_username(s,al);
                        }
                }
        return ret;
@@ -216,10 +216,6 @@ int ssl3_accept(SSL *s)
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int ret= -1;
        int new_state,state,skip=0;
-#ifndef OPENSSL_NO_SRP
-       int srp_no_username=0;
-       int extension_error,al;
-#endif
 
        RAND_add(&Time,sizeof(Time),0);
        ERR_clear_error();
@@ -240,6 +236,18 @@ int ssl3_accept(SSL *s)
                return(-1);
                }
 
+#ifndef OPENSSL_NO_HEARTBEATS
+       /* If we're awaiting a HeartbeatResponse, pretend we
+        * already got and don't await it anymore, because
+        * Heartbeats don't make sense during handshakes anyway.
+        */
+       if (s->tlsext_hb_pending)
+               {
+               s->tlsext_hb_pending = 0;
+               s->tlsext_hb_seq++;
+               }
+#endif
+
        for (;;)
                {
                state=s->state;
@@ -287,6 +295,7 @@ int ssl3_accept(SSL *s)
                                }
 
                        s->init_num=0;
+                       s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
                        if (s->state != SSL_ST_RENEGOTIATE)
                                {
@@ -340,35 +349,35 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SR_CLNT_HELLO_A:
                case SSL3_ST_SR_CLNT_HELLO_B:
                case SSL3_ST_SR_CLNT_HELLO_C:
-#ifndef OPENSSL_NO_SRP
-               case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME:
-#endif
 
                        s->shutdown=0;
-                       ret=ssl3_get_client_hello(s);
-                       if (ret <= 0) goto end;
+                       if (s->rwstate != SSL_X509_LOOKUP)
+                       {
+                               ret=ssl3_get_client_hello(s);
+                               if (ret <= 0) goto end;
+                       }
 #ifndef OPENSSL_NO_SRP
-                       extension_error = 0;
-                       if ((al = SSL_check_srp_ext_ClientHello(s,&extension_error)) != SSL_ERROR_NONE)
-                               {
-                               ssl3_send_alert(s,al,extension_error);
-                               if (extension_error == SSL_AD_MISSING_SRP_USERNAME)
+                       {
+                       int al;
+                       if ((ret = ssl_check_srp_ext_ClientHello(s,&al))  < 0)
                                        {
-                                       if (srp_no_username) goto end;
-                                       ERR_clear_error();
-                                       srp_no_username = 1;
-                                       s->state=SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME;
-                                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-                                       if ((ret=BIO_flush(s->wbio)) <= 0) goto end;
-                                       s->init_num=0;
-                                       break;
+                                       /* callback indicates firther work to be done */
+                                       s->rwstate=SSL_X509_LOOKUP;
+                                       goto end;
                                        }
-                               ret = -1;
-                               SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
-                               goto end;
+                       if (ret != SSL_ERROR_NONE)
+                               {
+                               ssl3_send_alert(s,SSL3_AL_FATAL,al);    
+                               /* This is not really an error but the only means to
+                                   for a client to detect whether srp is supported. */
+                                  if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)      
+                                       SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);                     
+                               ret = SSL_TLSEXT_ERR_ALERT_FATAL;                       
+                               ret= -1;
+                               goto end;       
                                }
-#endif
-                       
+                       }
+#endif         
                        s->renegotiate = 2;
                        s->state=SSL3_ST_SW_SRVR_HELLO_A;
                        s->init_num=0;
@@ -873,6 +882,13 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
+               /* We only allow the client to restart the handshake once per
+                * negotiation. */
+               if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                       {
+                       SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                       return -1;
+                       }
                /* Throw away what we have done so far in the current handshake,
                 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
@@ -889,6 +905,7 @@ int ssl3_check_client_hello(SSL *s)
                        s->s3->tmp.ecdh = NULL;
                        }
 #endif
+               s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
                return 2;
                }
        return 1;
@@ -914,9 +931,6 @@ int ssl3_get_client_hello(SSL *s)
         * TLSv1.
         */
        if (s->state == SSL3_ST_SR_CLNT_HELLO_A
-#ifndef OPENSSL_NO_SRP
-               || (s->state == SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME)
-#endif
                )
                {
                s->state=SSL3_ST_SR_CLNT_HELLO_B;
@@ -2286,6 +2300,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                if (i <= 0)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                       BN_clear_free(pub);
                        goto err;
                        }
 
@@ -2895,7 +2910,7 @@ int ssl3_get_cert_verify(SSL *s)
                SSL3_ST_SR_CERT_VRFY_A,
                SSL3_ST_SR_CERT_VRFY_B,
                -1,
-               514, /* 514? */
+               516, /* Enough for 4096 bit RSA key with TLS v1.2 */
                &ok);
 
        if (!ok) return((int)n);