From 50b85d1c40033a9c6fc8d887425e242e4d66e710 Mon Sep 17 00:00:00 2001
From: guenther <guenther@openbsd.org>
Date: Mon, 28 Jul 2014 04:23:12 +0000
Subject: [PATCH] The RSA, DH, and ECDH temporary key callbacks expect the
 number of keybits for the key (expressed in RSA key bits, which makes *no
 sense* for ECDH) as their second argument, not zero.

(jsing@ notes that the RSA callback is only invoked for 'export' ciphers,
which have been removed from LibreSSL, and for the SSL_OP_EPHEMERAL_RSA
option, which is makes the application non-compliant.  More fuel for the
tedu fire...)

jasper@ noted the breakage and bisected it down to the diff that broke this
ok jsing@ miod@
---
 lib/libssl/d1_srvr.c          | 11 +++++++----
 lib/libssl/s3_srvr.c          | 11 +++++++----
 lib/libssl/src/ssl/d1_srvr.c  | 11 +++++++----
 lib/libssl/src/ssl/s3_srvr.c  | 11 +++++++----
 lib/libssl/src/ssl/ssl_locl.h |  8 +++++++-
 lib/libssl/ssl_locl.h         |  8 +++++++-
 6 files changed, 42 insertions(+), 18 deletions(-)

diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index ecf4a198b16..6f1d436d18b 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.33 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.34 2014/07/28 04:23:12 guenther Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -1034,7 +1034,8 @@ dtls1_send_server_key_exchange(SSL *s)
 		if (type & SSL_kRSA) {
 			rsa = cert->rsa_tmp;
 			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
-				rsa = s->cert->rsa_tmp_cb(s, 0, 0);
+				rsa = s->cert->rsa_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 				if (rsa == NULL) {
 					al = SSL_AD_HANDSHAKE_FAILURE;
 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
@@ -1055,7 +1056,8 @@ dtls1_send_server_key_exchange(SSL *s)
 		if (type & SSL_kDHE) {
 			dhp = cert->dh_tmp;
 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
-				dhp = s->cert->dh_tmp_cb(s, 0, 0);
+				dhp = s->cert->dh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (dhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
@@ -1099,7 +1101,8 @@ dtls1_send_server_key_exchange(SSL *s)
 
 			ecdhp = cert->ecdh_tmp;
 			if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL)
-				ecdhp = s->cert->ecdh_tmp_cb(s, 0, 0);
+				ecdhp = s->cert->ecdh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (ecdhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 8d47a16b559..ed2aaf19b52 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.78 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.79 2014/07/28 04:23:12 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1395,7 +1395,8 @@ ssl3_send_server_key_exchange(SSL *s)
 		if (type & SSL_kRSA) {
 			rsa = cert->rsa_tmp;
 			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
-				rsa = s->cert->rsa_tmp_cb(s, 0, 0);
+				rsa = s->cert->rsa_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 				if (rsa == NULL) {
 					al = SSL_AD_HANDSHAKE_FAILURE;
 					SSLerr(
@@ -1419,7 +1420,8 @@ ssl3_send_server_key_exchange(SSL *s)
 		if (type & SSL_kDHE) {
 			dhp = cert->dh_tmp;
 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
-				dhp = s->cert->dh_tmp_cb(s, 0, 0);
+				dhp = s->cert->dh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (dhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1468,7 +1470,8 @@ ssl3_send_server_key_exchange(SSL *s)
 
 			ecdhp = cert->ecdh_tmp;
 			if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL)
-				ecdhp = s->cert->ecdh_tmp_cb(s, 0, 0);
+				ecdhp = s->cert->ecdh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (ecdhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c
index ecf4a198b16..6f1d436d18b 100644
--- a/lib/libssl/src/ssl/d1_srvr.c
+++ b/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.33 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.34 2014/07/28 04:23:12 guenther Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -1034,7 +1034,8 @@ dtls1_send_server_key_exchange(SSL *s)
 		if (type & SSL_kRSA) {
 			rsa = cert->rsa_tmp;
 			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
-				rsa = s->cert->rsa_tmp_cb(s, 0, 0);
+				rsa = s->cert->rsa_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 				if (rsa == NULL) {
 					al = SSL_AD_HANDSHAKE_FAILURE;
 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
@@ -1055,7 +1056,8 @@ dtls1_send_server_key_exchange(SSL *s)
 		if (type & SSL_kDHE) {
 			dhp = cert->dh_tmp;
 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
-				dhp = s->cert->dh_tmp_cb(s, 0, 0);
+				dhp = s->cert->dh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (dhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_DH_KEY);
@@ -1099,7 +1101,8 @@ dtls1_send_server_key_exchange(SSL *s)
 
 			ecdhp = cert->ecdh_tmp;
 			if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL)
-				ecdhp = s->cert->ecdh_tmp_cb(s, 0, 0);
+				ecdhp = s->cert->ecdh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (ecdhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_TMP_ECDH_KEY);
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 8d47a16b559..ed2aaf19b52 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.78 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.79 2014/07/28 04:23:12 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1395,7 +1395,8 @@ ssl3_send_server_key_exchange(SSL *s)
 		if (type & SSL_kRSA) {
 			rsa = cert->rsa_tmp;
 			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
-				rsa = s->cert->rsa_tmp_cb(s, 0, 0);
+				rsa = s->cert->rsa_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 				if (rsa == NULL) {
 					al = SSL_AD_HANDSHAKE_FAILURE;
 					SSLerr(
@@ -1419,7 +1420,8 @@ ssl3_send_server_key_exchange(SSL *s)
 		if (type & SSL_kDHE) {
 			dhp = cert->dh_tmp;
 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
-				dhp = s->cert->dh_tmp_cb(s, 0, 0);
+				dhp = s->cert->dh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (dhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1468,7 +1470,8 @@ ssl3_send_server_key_exchange(SSL *s)
 
 			ecdhp = cert->ecdh_tmp;
 			if (ecdhp == NULL && s->cert->ecdh_tmp_cb != NULL)
-				ecdhp = s->cert->ecdh_tmp_cb(s, 0, 0);
+				ecdhp = s->cert->ecdh_tmp_cb(s, 0,
+				    SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (ecdhp == NULL) {
 				al = SSL_AD_HANDSHAKE_FAILURE;
 				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index 34e6337856b..3c1c444cb07 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.62 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.63 2014/07/28 04:23:12 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -368,6 +368,12 @@
 #define SSL_MEDIUM		0x00000040L
 #define SSL_HIGH		0x00000080L
 
+/*
+ * The keylength (measured in RSA key bits, I guess)  for temporary keys.
+ * Cipher argument is so that this can be variable in the future.
+ */
+#define SSL_C_PKEYLENGTH(c)	1024
+
 /* Check if an SSL structure is using DTLS. */
 #define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
 
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 34e6337856b..3c1c444cb07 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.62 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.63 2014/07/28 04:23:12 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -368,6 +368,12 @@
 #define SSL_MEDIUM		0x00000040L
 #define SSL_HIGH		0x00000080L
 
+/*
+ * The keylength (measured in RSA key bits, I guess)  for temporary keys.
+ * Cipher argument is so that this can be variable in the future.
+ */
+#define SSL_C_PKEYLENGTH(c)	1024
+
 /* Check if an SSL structure is using DTLS. */
 #define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
 
-- 
2.20.1