statem_clnt.c 90.4 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
R
Rich Salz 已提交
9

B
Bodo Möller 已提交
10 11 12
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
13
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
14 15 16 17 18 19 20 21 22
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
49 50

#include <stdio.h>
M
Matt Caswell 已提交
51
#include "../ssl_locl.h"
M
Matt Caswell 已提交
52
#include "statem_locl.h"
53 54 55 56
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
57
#include <openssl/md5.h>
R
Rich Salz 已提交
58
#include <openssl/dh.h>
59
#include <openssl/bn.h>
R
Rich Salz 已提交
60
#include <openssl/engine.h>
61

M
Matt Caswell 已提交
62
static ossl_inline int cert_req_allowed(SSL *s);
63
static int key_exchange_expected(SSL *s);
64
static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
M
Matt Caswell 已提交
65
static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
M
Matt Caswell 已提交
66
                                    WPACKET *pkt);
B
Bodo Möller 已提交
67

M
Matt Caswell 已提交
68 69 70 71 72 73 74
/*
 * Is a CertificateRequest message allowed at the moment or not?
 *
 *  Return values are:
 *  1: Yes
 *  0: No
 */
M
Matt Caswell 已提交
75
static ossl_inline int cert_req_allowed(SSL *s)
M
Matt Caswell 已提交
76 77
{
    /* TLS does not like anon-DH with client cert */
78
    if ((s->version > SSL3_VERSION
E
Emilia Kasper 已提交
79 80
         && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
        || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
M
Matt Caswell 已提交
81 82 83 84 85 86
        return 0;

    return 1;
}

/*
87
 * Should we expect the ServerKeyExchange message or not?
M
Matt Caswell 已提交
88 89 90 91 92
 *
 *  Return values are:
 *  1: Yes
 *  0: No
 */
93
static int key_exchange_expected(SSL *s)
M
Matt Caswell 已提交
94 95 96 97 98
{
    long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
     * Can't skip server key exchange if this is an ephemeral
99
     * ciphersuite or for SRP
M
Matt Caswell 已提交
100
     */
101 102 103
    if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
                 | SSL_kSRP)) {
        return 1;
M
Matt Caswell 已提交
104 105
    }

106
    return 0;
M
Matt Caswell 已提交
107 108 109
}

/*
110 111 112 113
 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when the client is reading messages from the
 * server. The message type that the server has sent is provided in |mt|. The
 * current state is in |s->statem.hand_state|.
M
Matt Caswell 已提交
114 115 116 117 118
 *
 *  Return values are:
 *  1: Success (transition allowed)
 *  0: Error (transition not allowed)
 */
119
int ossl_statem_client_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
120
{
M
Matt Caswell 已提交
121
    OSSL_STATEM *st = &s->statem;
122
    int ske_expected;
M
Matt Caswell 已提交
123

E
Emilia Kasper 已提交
124
    switch (st->hand_state) {
R
Rich Salz 已提交
125 126 127
    default:
        break;

M
Matt Caswell 已提交
128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156
    case TLS_ST_CW_CLNT_HELLO:
        if (mt == SSL3_MT_SERVER_HELLO) {
            st->hand_state = TLS_ST_CR_SRVR_HELLO;
            return 1;
        }

        if (SSL_IS_DTLS(s)) {
            if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
                st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
                return 1;
            }
        }
        break;

    case TLS_ST_CR_SRVR_HELLO:
        if (s->hit) {
            if (s->tlsext_ticket_expected) {
                if (mt == SSL3_MT_NEWSESSION_TICKET) {
                    st->hand_state = TLS_ST_CR_SESSION_TICKET;
                    return 1;
                }
            } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                st->hand_state = TLS_ST_CR_CHANGE;
                return 1;
            }
        } else {
            if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
                st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
                return 1;
157
            } else if (s->version >= TLS1_VERSION
E
Emilia Kasper 已提交
158 159 160
                       && s->tls_session_secret_cb != NULL
                       && s->session->tlsext_tick != NULL
                       && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
161 162 163 164 165 166 167 168 169
                /*
                 * Normally, we can tell if the server is resuming the session
                 * from the session ID. EAP-FAST (RFC 4851), however, relies on
                 * the next server message after the ServerHello to determine if
                 * the server is resuming.
                 */
                s->hit = 1;
                st->hand_state = TLS_ST_CR_CHANGE;
                return 1;
M
Matt Caswell 已提交
170
            } else if (!(s->s3->tmp.new_cipher->algorithm_auth
E
Emilia Kasper 已提交
171
                         & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
M
Matt Caswell 已提交
172 173 174 175 176
                if (mt == SSL3_MT_CERTIFICATE) {
                    st->hand_state = TLS_ST_CR_CERT;
                    return 1;
                }
            } else {
177 178 179
                ske_expected = key_exchange_expected(s);
                /* SKE is optional for some PSK ciphersuites */
                if (ske_expected
E
Emilia Kasper 已提交
180 181
                    || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
                        && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
182 183 184 185 186
                    if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
                        st->hand_state = TLS_ST_CR_KEY_EXCH;
                        return 1;
                    }
                } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
E
Emilia Kasper 已提交
187 188 189
                           && cert_req_allowed(s)) {
                    st->hand_state = TLS_ST_CR_CERT_REQ;
                    return 1;
190
                } else if (mt == SSL3_MT_SERVER_DONE) {
E
Emilia Kasper 已提交
191 192
                    st->hand_state = TLS_ST_CR_SRVR_DONE;
                    return 1;
M
Matt Caswell 已提交
193 194 195 196 197 198
                }
            }
        }
        break;

    case TLS_ST_CR_CERT:
199 200 201 202 203 204 205
        /*
         * The CertificateStatus message is optional even if
         * |tlsext_status_expected| is set
         */
        if (s->tlsext_status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
            st->hand_state = TLS_ST_CR_CERT_STATUS;
            return 1;
206 207 208 209 210 211
        }
        /* Fall through */

    case TLS_ST_CR_CERT_STATUS:
        ske_expected = key_exchange_expected(s);
        /* SKE is optional for some PSK ciphersuites */
E
Emilia Kasper 已提交
212 213
        if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
                             && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
M
Matt Caswell 已提交
214 215 216 217
            if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
                st->hand_state = TLS_ST_CR_KEY_EXCH;
                return 1;
            }
218
            goto err;
M
Matt Caswell 已提交
219
        }
220
        /* Fall through */
M
Matt Caswell 已提交
221

222 223 224
    case TLS_ST_CR_KEY_EXCH:
        if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
            if (cert_req_allowed(s)) {
M
Matt Caswell 已提交
225 226 227
                st->hand_state = TLS_ST_CR_CERT_REQ;
                return 1;
            }
228
            goto err;
M
Matt Caswell 已提交
229
        }
230
        /* Fall through */
M
Matt Caswell 已提交
231 232 233 234 235 236 237 238 239

    case TLS_ST_CR_CERT_REQ:
        if (mt == SSL3_MT_SERVER_DONE) {
            st->hand_state = TLS_ST_CR_SRVR_DONE;
            return 1;
        }
        break;

    case TLS_ST_CW_FINISHED:
240 241 242 243 244
        if (s->tlsext_ticket_expected) {
            if (mt == SSL3_MT_NEWSESSION_TICKET) {
                st->hand_state = TLS_ST_CR_SESSION_TICKET;
                return 1;
            }
M
Matt Caswell 已提交
245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265
        } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_CR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_CR_SESSION_TICKET:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_CR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_CR_CHANGE:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_CR_FINISHED;
            return 1;
        }
        break;
    }

266
 err:
M
Matt Caswell 已提交
267
    /* No valid transition found */
268
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
269
    SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
M
Matt Caswell 已提交
270 271 272 273 274 275 276
    return 0;
}

/*
 * client_write_transition() works out what handshake state to move to next
 * when the client is writing messages to be sent to the server.
 */
277
WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
M
Matt Caswell 已提交
278
{
M
Matt Caswell 已提交
279
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
280

E
Emilia Kasper 已提交
281
    switch (st->hand_state) {
R
Rich Salz 已提交
282 283 284 285
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

E
Emilia Kasper 已提交
286 287 288 289 290
    case TLS_ST_OK:
        /* Renegotiation - fall through */
    case TLS_ST_BEFORE:
        st->hand_state = TLS_ST_CW_CLNT_HELLO;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
291

E
Emilia Kasper 已提交
292 293 294 295 296 297
    case TLS_ST_CW_CLNT_HELLO:
        /*
         * No transition at the end of writing because we don't know what
         * we will be sent
         */
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
298

E
Emilia Kasper 已提交
299 300 301
    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
        st->hand_state = TLS_ST_CW_CLNT_HELLO;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
302

E
Emilia Kasper 已提交
303 304 305 306
    case TLS_ST_CR_SRVR_DONE:
        if (s->s3->tmp.cert_req)
            st->hand_state = TLS_ST_CW_CERT;
        else
M
Matt Caswell 已提交
307
            st->hand_state = TLS_ST_CW_KEY_EXCH;
E
Emilia Kasper 已提交
308
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
309

E
Emilia Kasper 已提交
310 311 312
    case TLS_ST_CW_CERT:
        st->hand_state = TLS_ST_CW_KEY_EXCH;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
313

E
Emilia Kasper 已提交
314 315 316 317 318 319 320 321 322 323 324 325 326 327
    case TLS_ST_CW_KEY_EXCH:
        /*
         * For TLS, cert_req is set to 2, so a cert chain of nothing is
         * sent, but no verify packet is sent
         */
        /*
         * XXX: For now, we do not support client authentication in ECDH
         * cipher suites with ECDH (rather than ECDSA) certificates. We
         * need to skip the certificate verify message when client's
         * ECDH public key is sent inside the client certificate.
         */
        if (s->s3->tmp.cert_req == 1) {
            st->hand_state = TLS_ST_CW_CERT_VRFY;
        } else {
M
Matt Caswell 已提交
328
            st->hand_state = TLS_ST_CW_CHANGE;
E
Emilia Kasper 已提交
329 330 331 332 333
        }
        if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
            st->hand_state = TLS_ST_CW_CHANGE;
        }
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
334

E
Emilia Kasper 已提交
335 336 337 338 339
    case TLS_ST_CW_CERT_VRFY:
        st->hand_state = TLS_ST_CW_CHANGE;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_CW_CHANGE:
M
Matt Caswell 已提交
340
#if defined(OPENSSL_NO_NEXTPROTONEG)
E
Emilia Kasper 已提交
341
        st->hand_state = TLS_ST_CW_FINISHED;
M
Matt Caswell 已提交
342
#else
E
Emilia Kasper 已提交
343 344 345 346
        if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
            st->hand_state = TLS_ST_CW_NEXT_PROTO;
        else
            st->hand_state = TLS_ST_CW_FINISHED;
M
Matt Caswell 已提交
347
#endif
E
Emilia Kasper 已提交
348
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
349 350

#if !defined(OPENSSL_NO_NEXTPROTONEG)
E
Emilia Kasper 已提交
351 352 353
    case TLS_ST_CW_NEXT_PROTO:
        st->hand_state = TLS_ST_CW_FINISHED;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
354 355
#endif

E
Emilia Kasper 已提交
356 357 358 359 360 361 362 363
    case TLS_ST_CW_FINISHED:
        if (s->hit) {
            st->hand_state = TLS_ST_OK;
            ossl_statem_set_in_init(s, 0);
            return WRITE_TRAN_CONTINUE;
        } else {
            return WRITE_TRAN_FINISHED;
        }
M
Matt Caswell 已提交
364

E
Emilia Kasper 已提交
365 366 367 368 369 370 371 372 373
    case TLS_ST_CR_FINISHED:
        if (s->hit) {
            st->hand_state = TLS_ST_CW_CHANGE;
            return WRITE_TRAN_CONTINUE;
        } else {
            st->hand_state = TLS_ST_OK;
            ossl_statem_set_in_init(s, 0);
            return WRITE_TRAN_CONTINUE;
        }
M
Matt Caswell 已提交
374 375 376 377 378 379 380
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the client to the server.
 */
381
WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
382
{
M
Matt Caswell 已提交
383
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
384

E
Emilia Kasper 已提交
385
    switch (st->hand_state) {
R
Rich Salz 已提交
386 387 388 389
    default:
        /* No pre work to be done */
        break;

M
Matt Caswell 已提交
390 391 392 393
    case TLS_ST_CW_CLNT_HELLO:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
            /* every DTLS ClientHello resets Finished MAC */
394 395 396 397
            if (!ssl3_init_finished_mac(s)) {
                ossl_statem_set_error(s);
                return WORK_ERROR;
            }
M
Matt Caswell 已提交
398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414
        }
        break;

    case TLS_ST_CW_CHANGE:
        if (SSL_IS_DTLS(s)) {
            if (s->hit) {
                /*
                 * We're into the last flight so we don't retransmit these
                 * messages unless we need to.
                 */
                st->use_timer = 0;
            }
#ifndef OPENSSL_NO_SCTP
            if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
                return dtls_wait_for_dry(s);
#endif
        }
R
Rich Salz 已提交
415
        break;
M
Matt Caswell 已提交
416 417 418 419 420 421 422 423 424 425 426 427

    case TLS_ST_OK:
        return tls_finish_handshake(s, wst);
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * client to the server.
 */
428
WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
429
{
M
Matt Caswell 已提交
430
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
431 432 433

    s->init_num = 0;

E
Emilia Kasper 已提交
434
    switch (st->hand_state) {
R
Rich Salz 已提交
435 436 437 438
    default:
        /* No post work to be done */
        break;

M
Matt Caswell 已提交
439
    case TLS_ST_CW_CLNT_HELLO:
M
Matt Caswell 已提交
440
        if (wst == WORK_MORE_A && statem_flush(s) != 1)
M
Matt Caswell 已提交
441
            return WORK_MORE_A;
M
Matt Caswell 已提交
442

M
Matt Caswell 已提交
443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506
        if (SSL_IS_DTLS(s)) {
            /* Treat the next message as the first packet */
            s->first_packet = 1;
        }
        break;

    case TLS_ST_CW_KEY_EXCH:
        if (tls_client_key_exchange_post_work(s) == 0)
            return WORK_ERROR;
        break;

    case TLS_ST_CW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
#ifdef OPENSSL_NO_COMP
        s->session->compress_meth = 0;
#else
        if (s->s3->tmp.new_compression == NULL)
            s->session->compress_meth = 0;
        else
            s->session->compress_meth = s->s3->tmp.new_compression->id;
#endif
        if (!s->method->ssl3_enc->setup_key_block(s))
            return WORK_ERROR;

        if (!s->method->ssl3_enc->change_cipher_state(s,
                                                      SSL3_CHANGE_CIPHER_CLIENT_WRITE))
            return WORK_ERROR;

        if (SSL_IS_DTLS(s)) {
#ifndef OPENSSL_NO_SCTP
            if (s->hit) {
                /*
                 * Change to new shared key of SCTP-Auth, will be ignored if
                 * no SCTP used.
                 */
                BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                         0, NULL);
            }
#endif

            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        }
        break;

    case TLS_ST_CW_FINISHED:
#ifndef OPENSSL_NO_SCTP
        if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (statem_flush(s) != 1)
            return WORK_MORE_B;
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
507 508
 * Get the message construction function and message type for sending from the
 * client
M
Matt Caswell 已提交
509 510 511 512 513
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
514
int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
515
                                         confunc_f *confunc, int *mt)
M
Matt Caswell 已提交
516
{
M
Matt Caswell 已提交
517
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
518

519 520 521 522 523 524
    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return 0;

    case TLS_ST_CW_CHANGE:
525
        if (SSL_IS_DTLS(s))
526
            *confunc = dtls_construct_change_cipher_spec;
527
        else
528 529
            *confunc = tls_construct_change_cipher_spec;
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
530 531 532
        break;

    case TLS_ST_CW_CLNT_HELLO:
533 534
        *confunc = tls_construct_client_hello;
        *mt = SSL3_MT_CLIENT_HELLO;
535 536 537
        break;

    case TLS_ST_CW_CERT:
538 539
        *confunc = tls_construct_client_certificate;
        *mt = SSL3_MT_CERTIFICATE;
540 541 542
        break;

    case TLS_ST_CW_KEY_EXCH:
543 544
        *confunc = tls_construct_client_key_exchange;
        *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
545 546 547
        break;

    case TLS_ST_CW_CERT_VRFY:
548 549
        *confunc = tls_construct_client_verify;
        *mt = SSL3_MT_CERTIFICATE_VERIFY;
550
        break;
M
Matt Caswell 已提交
551 552

#if !defined(OPENSSL_NO_NEXTPROTONEG)
553
    case TLS_ST_CW_NEXT_PROTO:
554 555
        *confunc = tls_construct_next_proto;
        *mt = SSL3_MT_NEXT_PROTO;
556
        break;
M
Matt Caswell 已提交
557
#endif
558
    case TLS_ST_CW_FINISHED:
559 560
        *confunc = tls_construct_finished;
        *mt = SSL3_MT_FINISHED;
561 562
        break;
    }
563 564

    return 1;
M
Matt Caswell 已提交
565 566 567 568 569 570
}

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
571
unsigned long ossl_statem_client_max_message_size(SSL *s)
M
Matt Caswell 已提交
572
{
M
Matt Caswell 已提交
573
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
574

E
Emilia Kasper 已提交
575
    switch (st->hand_state) {
R
Rich Salz 已提交
576 577 578 579
    default:
        /* Shouldn't happen */
        return 0;

E
Emilia Kasper 已提交
580 581
    case TLS_ST_CR_SRVR_HELLO:
        return SERVER_HELLO_MAX_LENGTH;
M
Matt Caswell 已提交
582

E
Emilia Kasper 已提交
583 584
    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
        return HELLO_VERIFY_REQUEST_MAX_LENGTH;
M
Matt Caswell 已提交
585

E
Emilia Kasper 已提交
586 587
    case TLS_ST_CR_CERT:
        return s->max_cert_list;
M
Matt Caswell 已提交
588

E
Emilia Kasper 已提交
589 590
    case TLS_ST_CR_CERT_STATUS:
        return SSL3_RT_MAX_PLAIN_LENGTH;
M
Matt Caswell 已提交
591

E
Emilia Kasper 已提交
592 593
    case TLS_ST_CR_KEY_EXCH:
        return SERVER_KEY_EXCH_MAX_LENGTH;
M
Matt Caswell 已提交
594

E
Emilia Kasper 已提交
595 596 597 598 599 600 601
    case TLS_ST_CR_CERT_REQ:
        /*
         * Set to s->max_cert_list for compatibility with previous releases. In
         * practice these messages can get quite long if servers are configured
         * to provide a long list of acceptable CAs
         */
        return s->max_cert_list;
M
Matt Caswell 已提交
602

E
Emilia Kasper 已提交
603 604
    case TLS_ST_CR_SRVR_DONE:
        return SERVER_HELLO_DONE_MAX_LENGTH;
M
Matt Caswell 已提交
605

E
Emilia Kasper 已提交
606 607 608 609
    case TLS_ST_CR_CHANGE:
        if (s->version == DTLS1_BAD_VER)
            return 3;
        return CCS_MAX_LENGTH;
M
Matt Caswell 已提交
610

E
Emilia Kasper 已提交
611 612
    case TLS_ST_CR_SESSION_TICKET:
        return SSL3_RT_MAX_PLAIN_LENGTH;
M
Matt Caswell 已提交
613

E
Emilia Kasper 已提交
614 615
    case TLS_ST_CR_FINISHED:
        return FINISHED_MAX_LENGTH;
M
Matt Caswell 已提交
616 617 618 619 620 621
    }
}

/*
 * Process a message that the client has been received from the server.
 */
622
MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
623
{
M
Matt Caswell 已提交
624
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
625

E
Emilia Kasper 已提交
626
    switch (st->hand_state) {
R
Rich Salz 已提交
627 628 629 630
    default:
        /* Shouldn't happen */
        return MSG_PROCESS_ERROR;

E
Emilia Kasper 已提交
631 632
    case TLS_ST_CR_SRVR_HELLO:
        return tls_process_server_hello(s, pkt);
M
Matt Caswell 已提交
633

E
Emilia Kasper 已提交
634 635
    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
        return dtls_process_hello_verify(s, pkt);
M
Matt Caswell 已提交
636

E
Emilia Kasper 已提交
637 638
    case TLS_ST_CR_CERT:
        return tls_process_server_certificate(s, pkt);
M
Matt Caswell 已提交
639

E
Emilia Kasper 已提交
640 641
    case TLS_ST_CR_CERT_STATUS:
        return tls_process_cert_status(s, pkt);
M
Matt Caswell 已提交
642

E
Emilia Kasper 已提交
643 644
    case TLS_ST_CR_KEY_EXCH:
        return tls_process_key_exchange(s, pkt);
M
Matt Caswell 已提交
645

E
Emilia Kasper 已提交
646 647
    case TLS_ST_CR_CERT_REQ:
        return tls_process_certificate_request(s, pkt);
M
Matt Caswell 已提交
648

E
Emilia Kasper 已提交
649 650
    case TLS_ST_CR_SRVR_DONE:
        return tls_process_server_done(s, pkt);
M
Matt Caswell 已提交
651

E
Emilia Kasper 已提交
652 653
    case TLS_ST_CR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);
M
Matt Caswell 已提交
654

E
Emilia Kasper 已提交
655 656
    case TLS_ST_CR_SESSION_TICKET:
        return tls_process_new_session_ticket(s, pkt);
M
Matt Caswell 已提交
657

E
Emilia Kasper 已提交
658 659
    case TLS_ST_CR_FINISHED:
        return tls_process_finished(s, pkt);
M
Matt Caswell 已提交
660 661 662 663 664 665 666
    }
}

/*
 * Perform any further processing required following the receipt of a message
 * from the server
 */
667
WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
668
{
M
Matt Caswell 已提交
669
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
670

E
Emilia Kasper 已提交
671
    switch (st->hand_state) {
R
Rich Salz 已提交
672 673 674 675
    default:
        /* Shouldn't happen */
        return WORK_ERROR;

676 677 678
    case TLS_ST_CR_CERT_REQ:
        return tls_prepare_client_certificate(s, wst);

M
Matt Caswell 已提交
679 680 681 682 683 684 685 686
#ifndef OPENSSL_NO_SCTP
    case TLS_ST_CR_SRVR_DONE:
        /* We only get here if we are using SCTP and we are renegotiating */
        if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
            s->s3->in_read_app_data = 2;
            s->rwstate = SSL_READING;
            BIO_clear_retry_flags(SSL_get_rbio(s));
            BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
687
            ossl_statem_set_sctp_read_sock(s, 1);
M
Matt Caswell 已提交
688 689
            return WORK_MORE_A;
        }
M
Matt Caswell 已提交
690
        ossl_statem_set_sctp_read_sock(s, 0);
M
Matt Caswell 已提交
691 692 693 694 695
        return WORK_FINISHED_STOP;
#endif
    }
}

696
int tls_construct_client_hello(SSL *s, WPACKET *pkt)
697
{
698
    unsigned char *p;
699
    int i;
700
    int protverr;
701
    int al = SSL_AD_HANDSHAKE_FAILURE;
702
#ifndef OPENSSL_NO_COMP
703 704
    SSL_COMP *comp;
#endif
705
    SSL_SESSION *sess = s->session;
706

707
    if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
708 709
        /* Should not happen */
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
710
        return 0;
711
    }
712

713
    /* Work out what SSL/TLS/DTLS version to use */
714 715 716
    protverr = ssl_set_client_hello_version(s);
    if (protverr != 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr);
717
        return 0;
718
    }
719

E
Emilia Kasper 已提交
720
    if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
721
        /*
722 723
         * In the case of EAP-FAST, we can have a pre-shared
         * "ticket" without a session ID.
724
         */
725 726 727
        (!sess->session_id_length && !sess->tlsext_tick) ||
        (sess->not_resumable)) {
        if (!ssl_get_new_session(s, 0))
728
            return 0;
729 730
    }
    /* else use the pre-loaded session */
731

732
    p = s->s3->client_random;
733

734 735 736 737 738 739 740 741 742 743 744
    /*
     * for DTLS if client_random is initialized, reuse it, we are
     * required to use same upon reply to HelloVerify
     */
    if (SSL_IS_DTLS(s)) {
        size_t idx;
        i = 1;
        for (idx = 0; idx < sizeof(s->s3->client_random); idx++) {
            if (p[idx]) {
                i = 0;
                break;
745 746
            }
        }
747 748
    } else
        i = 1;
749

E
Emilia Kasper 已提交
750
    if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
751
        return 0;
752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767

    /*-
     * version indicates the negotiated version: for example from
     * an SSLv2/v3 compatible client hello). The client_version
     * field is the maximum version we permit and it is also
     * used in RSA encrypted premaster secrets. Some servers can
     * choke if we initially report a higher version then
     * renegotiate to a lower one in the premaster secret. This
     * didn't happen with TLS 1.0 as most servers supported it
     * but it can with TLS 1.1 or later if the server only supports
     * 1.0.
     *
     * Possible scenario with previous logic:
     *      1. Client hello indicates TLS 1.2
     *      2. Server hello says TLS 1.0
     *      3. RSA encrypted premaster secret uses 1.2.
F
FdaSilvaYY 已提交
768
     *      4. Handshake proceeds using TLS 1.0.
769 770 771 772 773 774 775 776 777 778 779 780 781 782
     *      5. Server sends hello request to renegotiate.
     *      6. Client hello indicates TLS v1.0 as we now
     *         know that is maximum server supports.
     *      7. Server chokes on RSA encrypted premaster secret
     *         containing version 1.0.
     *
     * For interoperability it should be OK to always use the
     * maximum version we support in client hello and then rely
     * on the checking of version to ensure the servers isn't
     * being inconsistent: for example initially negotiating with
     * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
     * client_version in client hello and not resetting it to
     * the negotiated version.
     */
783 784
    if (!WPACKET_put_bytes_u16(pkt, s->client_version)
            || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
785
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
786
        return 0;
787
    }
788 789 790 791 792 793

    /* Session ID */
    if (s->new_session)
        i = 0;
    else
        i = s->session->session_id_length;
794
    if (i > (int)sizeof(s->session->session_id)
795 796 797
            || !WPACKET_start_sub_packet_u8(pkt)
            || (i != 0 && !WPACKET_memcpy(pkt, s->session->session_id, i))
            || !WPACKET_close(pkt)) {
798
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
799
        return 0;
800
    }
801

802 803
    /* cookie stuff for DTLS */
    if (SSL_IS_DTLS(s)) {
804
        if (s->d1->cookie_len > sizeof(s->d1->cookie)
805
                || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
806
                                          s->d1->cookie_len)) {
807
            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
808
            return 0;
809
        }
810 811 812
    }

    /* Ciphers supported */
813
    if (!WPACKET_start_sub_packet_u16(pkt)) {
814
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
815
        return 0;
816 817
    }
    /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
818 819 820
    if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt))
        return 0;
    if (!WPACKET_close(pkt)) {
821
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
822
        return 0;
823
    }
824

825
    /* COMPRESSION */
826
    if (!WPACKET_start_sub_packet_u8(pkt)) {
827
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
828
        return 0;
829 830 831 832 833 834
    }
#ifndef OPENSSL_NO_COMP
    if (ssl_allow_compression(s) && s->ctx->comp_methods) {
        int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (i = 0; i < compnum; i++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
835
            if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
836
                SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
837
                return 0;
838 839
            }
        }
840
    }
841
#endif
842
    /* Add the NULL method */
843
    if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
844
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
845
        return 0;
846
    }
847

848 849 850
    /* TLS extensions */
    if (ssl_prepare_clienthello_tlsext(s) <= 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
851
        return 0;
852
    }
853
    if (!WPACKET_start_sub_packet_u16(pkt)
854 855 856 857
               /*
                * If extensions are of zero length then we don't even add the
                * extensions length bytes
                */
858 859 860
            || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)
            || !ssl_add_clienthello_tlsext(s, pkt, &al)
            || !WPACKET_close(pkt)) {
861 862
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
863
        return 0;
864
    }
865

866
    return 1;
867
}
868

M
Matt Caswell 已提交
869
MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
870 871 872 873 874 875
{
    int al;
    unsigned int cookie_len;
    PACKET cookiepkt;

    if (!PACKET_forward(pkt, 2)
E
Emilia Kasper 已提交
876
        || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
M
Matt Caswell 已提交
877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }

    cookie_len = PACKET_remaining(&cookiepkt);
    if (cookie_len > sizeof(s->d1->cookie)) {
        al = SSL_AD_ILLEGAL_PARAMETER;
        SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_TOO_LONG);
        goto f_err;
    }

    if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }
    s->d1->cookie_len = cookie_len;

    return MSG_PROCESS_FINISHED_READING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
899
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
900 901 902
    return MSG_PROCESS_ERROR;
}

M
Matt Caswell 已提交
903
MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
904 905 906
{
    STACK_OF(SSL_CIPHER) *sk;
    const SSL_CIPHER *c;
907
    PACKET session_id;
908
    size_t session_id_len;
E
Emilia Kasper 已提交
909
    const unsigned char *cipherchars;
910 911
    int i, al = SSL_AD_INTERNAL_ERROR;
    unsigned int compression;
912 913
    unsigned int sversion;
    int protverr;
914 915 916 917
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp;
#endif

918 919 920 921 922
    if (!PACKET_get_net_2(pkt, &sversion)) {
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }
M
Matt Caswell 已提交
923

924 925 926 927 928
    protverr = ssl_choose_client_version(s, sversion);
    if (protverr != 0) {
        al = SSL_AD_PROTOCOL_VERSION;
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, protverr);
        goto f_err;
929 930 931 932
    }

    /* load the server hello data */
    /* load the server random */
933
    if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
M
Matt Caswell 已提交
934
        al = SSL_AD_DECODE_ERROR;
935
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
936 937
        goto f_err;
    }
938 939 940

    s->hit = 0;

941
    /* Get the session-id. */
942
    if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
943
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
944
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
945 946 947 948 949
        goto f_err;
    }
    session_id_len = PACKET_remaining(&session_id);
    if (session_id_len > sizeof s->session->session_id
        || session_id_len > SSL3_SESSION_ID_SIZE) {
950
        al = SSL_AD_ILLEGAL_PARAMETER;
951
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
952 953
        goto f_err;
    }
954

955
    if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
M
Matt Caswell 已提交
956
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
957 958 959 960
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }

961
    /*
962 963 964 965 966 967 968 969 970 971
     * Check if we can resume the session based on external pre-shared secret.
     * EAP-FAST (RFC 4851) supports two types of session resumption.
     * Resumption based on server-side state works with session IDs.
     * Resumption based on pre-shared Protected Access Credentials (PACs)
     * works by overriding the SessionTicket extension at the application
     * layer, and does not send a session ID. (We do not know whether EAP-FAST
     * servers would honour the session ID.) Therefore, the session ID alone
     * is not a reliable indicator of session resumption, so we first check if
     * we can resume, and later peek at the next handshake message to see if the
     * server wants to resume.
972
     */
973 974
    if (s->version >= TLS1_VERSION && s->tls_session_secret_cb &&
        s->session->tlsext_tick) {
975
        const SSL_CIPHER *pref_cipher = NULL;
976 977 978 979 980 981
        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length,
                                     NULL, &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->session->cipher = pref_cipher ?
M
Matt Caswell 已提交
982
                pref_cipher : ssl_get_cipher_by_char(s, cipherchars);
983
        } else {
984
            SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
985 986
            al = SSL_AD_INTERNAL_ERROR;
            goto f_err;
987
        }
M
Matt Caswell 已提交
988 989
    }

990 991 992
    if (session_id_len != 0 && session_id_len == s->session->session_id_length
        && memcmp(PACKET_data(&session_id), s->session->session_id,
                  session_id_len) == 0) {
993 994 995 996
        if (s->sid_ctx_length != s->session->sid_ctx_length
            || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
            /* actually a client application bug */
            al = SSL_AD_ILLEGAL_PARAMETER;
997
            SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
998 999 1000 1001
                   SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
            goto f_err;
        }
        s->hit = 1;
1002
    } else {
1003
        /*
1004 1005 1006 1007 1008
         * If we were trying for session-id reuse but the server
         * didn't echo the ID, make a new SSL_SESSION.
         * In the case of EAP-FAST and PAC, we do not send a session ID,
         * so the PAC-based session secret is always preserved. It'll be
         * overwritten if the server refuses resumption.
1009 1010
         */
        if (s->session->session_id_length > 0) {
1011
            s->ctx->stats.sess_miss++;
1012 1013 1014 1015
            if (!ssl_get_new_session(s, 0)) {
                goto f_err;
            }
        }
M
Matt Caswell 已提交
1016

1017
        s->session->ssl_version = s->version;
1018 1019 1020 1021
        s->session->session_id_length = session_id_len;
        /* session_id_len could be 0 */
        memcpy(s->session->session_id, PACKET_data(&session_id),
               session_id_len);
1022
    }
1023

1024 1025 1026 1027 1028 1029 1030 1031 1032
    /* Session version and negotiated protocol version should match */
    if (s->version != s->session->ssl_version) {
        al = SSL_AD_PROTOCOL_VERSION;

        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
               SSL_R_SSL_SESSION_VERSION_MISMATCH);
        goto f_err;
    }

M
Matt Caswell 已提交
1033
    c = ssl_get_cipher_by_char(s, cipherchars);
1034 1035 1036
    if (c == NULL) {
        /* unknown cipher */
        al = SSL_AD_ILLEGAL_PARAMETER;
1037
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNKNOWN_CIPHER_RETURNED);
1038 1039 1040
        goto f_err;
    }
    /*
1041 1042 1043 1044 1045 1046 1047 1048
     * Now that we know the version, update the check to see if it's an allowed
     * version.
     */
    s->s3->tmp.min_ver = s->version;
    s->s3->tmp.max_ver = s->version;
    /*
     * If it is a disabled cipher we either didn't send it in client hello,
     * or it's not allowed for the selected protocol. So we return an error.
1049 1050 1051
     */
    if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
        al = SSL_AD_ILLEGAL_PARAMETER;
1052
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
1053 1054 1055 1056 1057 1058 1059 1060
        goto f_err;
    }

    sk = ssl_get_ciphers_by_id(s);
    i = sk_SSL_CIPHER_find(sk, c);
    if (i < 0) {
        /* we did not say we would use this cipher */
        al = SSL_AD_ILLEGAL_PARAMETER;
1061
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);
1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072
        goto f_err;
    }

    /*
     * Depending on the session caching (internal/external), the cipher
     * and/or cipher_id values may not be set. Make sure that cipher_id is
     * set and use it for comparison.
     */
    if (s->session->cipher)
        s->session->cipher_id = s->session->cipher->id;
    if (s->hit && (s->session->cipher_id != c->id)) {
R
Rich Salz 已提交
1073
        al = SSL_AD_ILLEGAL_PARAMETER;
1074
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
R
Rich Salz 已提交
1075 1076
               SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
        goto f_err;
1077 1078 1079 1080
    }
    s->s3->tmp.new_cipher = c;
    /* lets get the compression algorithm */
    /* COMPRESSION */
1081
    if (!PACKET_get_1(pkt, &compression)) {
M
Matt Caswell 已提交
1082
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1083 1084 1085
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
1086
#ifdef OPENSSL_NO_COMP
1087
    if (compression != 0) {
1088
        al = SSL_AD_ILLEGAL_PARAMETER;
1089
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1090 1091 1092 1093 1094 1095 1096 1097
               SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
        goto f_err;
    }
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
1098
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1099 1100
        goto f_err;
    }
1101
#else
1102
    if (s->hit && compression != s->session->compress_meth) {
1103
        al = SSL_AD_ILLEGAL_PARAMETER;
1104
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1105 1106 1107
               SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
        goto f_err;
    }
1108
    if (compression == 0)
1109 1110 1111
        comp = NULL;
    else if (!ssl_allow_compression(s)) {
        al = SSL_AD_ILLEGAL_PARAMETER;
1112
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_COMPRESSION_DISABLED);
1113
        goto f_err;
1114 1115 1116
    } else {
        comp = ssl3_comp_find(s->ctx->comp_methods, compression);
    }
1117

1118
    if (compression != 0 && comp == NULL) {
1119
        al = SSL_AD_ILLEGAL_PARAMETER;
1120
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO,
1121 1122 1123 1124 1125
               SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
        goto f_err;
    } else {
        s->s3->tmp.new_compression = comp;
    }
1126
#endif
1127

1128
    /* TLS extensions */
1129
    if (!ssl_parse_serverhello_tlsext(s, pkt)) {
1130
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
1131 1132 1133
        goto err;
    }

1134
    if (PACKET_remaining(pkt) != 0) {
1135 1136
        /* wrong packet length */
        al = SSL_AD_DECODE_ERROR;
1137
        SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
1138 1139
        goto f_err;
    }
M
Matt Caswell 已提交
1140 1141 1142 1143 1144 1145 1146 1147 1148
#ifndef OPENSSL_NO_SCTP
    if (SSL_IS_DTLS(s) && s->hit) {
        unsigned char sctpauthkey[64];
        char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

        /*
         * Add new shared key for SCTP-Auth, will be ignored if
         * no SCTP used.
         */
M
Matt Caswell 已提交
1149 1150
        memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
               sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
1151 1152

        if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
1153 1154 1155
                                       sizeof(sctpauthkey),
                                       labelbuffer,
                                       sizeof(labelbuffer), NULL, 0, 0) <= 0)
M
Matt Caswell 已提交
1156 1157 1158 1159 1160 1161 1162 1163
            goto err;

        BIO_ctrl(SSL_get_wbio(s),
                 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                 sizeof(sctpauthkey), sctpauthkey);
    }
#endif

1164
    return MSG_PROCESS_CONTINUE_READING;
1165 1166 1167
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1168
    ossl_statem_set_error(s);
1169
    return MSG_PROCESS_ERROR;
1170
}
1171

M
Matt Caswell 已提交
1172
MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
1173 1174 1175 1176
{
    int al, i, ret = MSG_PROCESS_ERROR, exp_idx;
    unsigned long cert_list_len, cert_len;
    X509 *x = NULL;
E
Emilia Kasper 已提交
1177
    const unsigned char *certstart, *certbytes;
1178 1179
    STACK_OF(X509) *sk = NULL;
    EVP_PKEY *pkey = NULL;
1180 1181

    if ((sk = sk_X509_new_null()) == NULL) {
1182
        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1183
        goto err;
1184 1185
    }

1186
    if (!PACKET_get_net_3(pkt, &cert_list_len)
E
Emilia Kasper 已提交
1187
        || PACKET_remaining(pkt) != cert_list_len) {
1188
        al = SSL_AD_DECODE_ERROR;
1189
        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
1190 1191
        goto f_err;
    }
1192 1193
    while (PACKET_remaining(pkt)) {
        if (!PACKET_get_net_3(pkt, &cert_len)
E
Emilia Kasper 已提交
1194
            || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
1195
            al = SSL_AD_DECODE_ERROR;
1196
            SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1197 1198 1199 1200
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

1201 1202
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
1203 1204
        if (x == NULL) {
            al = SSL_AD_BAD_CERTIFICATE;
1205
            SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1206 1207
            goto f_err;
        }
1208
        if (certbytes != (certstart + cert_len)) {
1209
            al = SSL_AD_DECODE_ERROR;
1210
            SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1211 1212 1213 1214
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) {
1215
            SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
1216
            goto err;
1217 1218 1219 1220 1221
        }
        x = NULL;
    }

    i = ssl_verify_cert_chain(s, sk);
1222
    if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
1223
        al = ssl_verify_alarm_type(s->verify_result);
1224
        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1225 1226 1227 1228 1229
               SSL_R_CERTIFICATE_VERIFY_FAILED);
        goto f_err;
    }
    ERR_clear_error();          /* but we keep s->verify_result */
    if (i > 1) {
1230
        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i);
1231 1232 1233 1234
        al = SSL_AD_HANDSHAKE_FAILURE;
        goto f_err;
    }

1235
    s->session->peer_chain = sk;
1236 1237
    /*
     * Inconsistency alert: cert_chain does include the peer's certificate,
M
Matt Caswell 已提交
1238
     * which we don't include in statem_srvr.c
1239 1240 1241 1242 1243 1244 1245
     */
    x = sk_X509_value(sk, 0);
    sk = NULL;
    /*
     * VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end
     */

1246
    pkey = X509_get0_pubkey(x);
1247

1248
    if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
1249 1250
        x = NULL;
        al = SSL3_AL_FATAL;
1251
        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1252 1253 1254 1255 1256
               SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
        goto f_err;
    }

    i = ssl_cert_type(x, pkey);
1257
    if (i < 0) {
1258 1259
        x = NULL;
        al = SSL3_AL_FATAL;
1260
        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1261 1262 1263 1264
               SSL_R_UNKNOWN_CERTIFICATE_TYPE);
        goto f_err;
    }

1265
    exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
1266
    if (exp_idx >= 0 && i != exp_idx
E
Emilia Kasper 已提交
1267 1268 1269
        && (exp_idx != SSL_PKEY_GOST_EC ||
            (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
             && i != SSL_PKEY_GOST01))) {
1270 1271
        x = NULL;
        al = SSL_AD_ILLEGAL_PARAMETER;
1272
        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1273 1274
               SSL_R_WRONG_CERTIFICATE_TYPE);
        goto f_err;
1275
    }
1276
    s->session->peer_type = i;
1277 1278

    X509_free(s->session->peer);
D
Dr. Stephen Henson 已提交
1279
    X509_up_ref(x);
1280
    s->session->peer = x;
1281 1282 1283
    s->session->verify_result = s->verify_result;

    x = NULL;
1284
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
1285 1286
    goto done;

1287
 f_err:
R
Rich Salz 已提交
1288
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
1289
 err:
M
Matt Caswell 已提交
1290
    ossl_statem_set_error(s);
R
Rich Salz 已提交
1291
 done:
1292 1293
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
1294
    return ret;
1295
}
1296

1297
static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al)
1298 1299
{
#ifndef OPENSSL_NO_PSK
1300
    PACKET psk_identity_hint;
1301

1302 1303 1304 1305
    /* PSK ciphersuites are preceded by an identity hint */

    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
        *al = SSL_AD_DECODE_ERROR;
1306
        SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317
        return 0;
    }

    /*
     * Store PSK identity hint for later use, hint is used in
     * tls_construct_client_key_exchange.  Assume that the maximum length of
     * a PSK identity hint can be as long as the maximum length of a PSK
     * identity.
     */
    if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
1318
        SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
1319 1320
        return 0;
    }
1321

1322 1323 1324 1325
    if (PACKET_remaining(&psk_identity_hint) == 0) {
        OPENSSL_free(s->session->psk_identity_hint);
        s->session->psk_identity_hint = NULL;
    } else if (!PACKET_strndup(&psk_identity_hint,
E
Emilia Kasper 已提交
1326
                               &s->session->psk_identity_hint)) {
1327 1328 1329 1330 1331 1332
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }

    return 1;
#else
1333
    SSLerr(SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
1334 1335
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
1336 1337 1338
#endif
}

1339 1340 1341 1342 1343 1344 1345 1346 1347 1348
static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
{
#ifndef OPENSSL_NO_SRP
    PACKET prime, generator, salt, server_pub;

    if (!PACKET_get_length_prefixed_2(pkt, &prime)
        || !PACKET_get_length_prefixed_2(pkt, &generator)
        || !PACKET_get_length_prefixed_1(pkt, &salt)
        || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
        *al = SSL_AD_DECODE_ERROR;
1349
        SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_LENGTH_MISMATCH);
1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365
        return 0;
    }

    if ((s->srp_ctx.N =
         BN_bin2bn(PACKET_data(&prime),
                   PACKET_remaining(&prime), NULL)) == NULL
        || (s->srp_ctx.g =
            BN_bin2bn(PACKET_data(&generator),
                      PACKET_remaining(&generator), NULL)) == NULL
        || (s->srp_ctx.s =
            BN_bin2bn(PACKET_data(&salt),
                      PACKET_remaining(&salt), NULL)) == NULL
        || (s->srp_ctx.B =
            BN_bin2bn(PACKET_data(&server_pub),
                      PACKET_remaining(&server_pub), NULL)) == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
1366
        SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_BN_LIB);
1367 1368 1369 1370 1371
        return 0;
    }

    if (!srp_verify_server_param(s, al)) {
        *al = SSL_AD_DECODE_ERROR;
1372
        SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
1373 1374 1375 1376
        return 0;
    }

    /* We must check if there is a certificate */
E
Emilia Kasper 已提交
1377
    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
1378 1379 1380 1381
        *pkey = X509_get0_pubkey(s->session->peer);

    return 1;
#else
1382
    SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_INTERNAL_ERROR);
1383 1384 1385 1386 1387
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
#endif
}

1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400
static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
{
#ifndef OPENSSL_NO_DH
    PACKET prime, generator, pub_key;
    EVP_PKEY *peer_tmp = NULL;

    DH *dh = NULL;
    BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;

    if (!PACKET_get_length_prefixed_2(pkt, &prime)
        || !PACKET_get_length_prefixed_2(pkt, &generator)
        || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
        *al = SSL_AD_DECODE_ERROR;
1401
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_LENGTH_MISMATCH);
1402 1403 1404 1405 1406 1407 1408 1409
        return 0;
    }

    peer_tmp = EVP_PKEY_new();
    dh = DH_new();

    if (peer_tmp == NULL || dh == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
1410
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_MALLOC_FAILURE);
1411 1412 1413 1414
        goto err;
    }

    p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL);
E
Emilia Kasper 已提交
1415
    g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator), NULL);
1416 1417 1418 1419
    bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key),
                          NULL);
    if (p == NULL || g == NULL || bnpub_key == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
1420
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
1421 1422 1423 1424 1425
        goto err;
    }

    if (BN_is_zero(p) || BN_is_zero(g) || BN_is_zero(bnpub_key)) {
        *al = SSL_AD_DECODE_ERROR;
1426
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
1427 1428 1429 1430 1431
        goto err;
    }

    if (!DH_set0_pqg(dh, p, NULL, g)) {
        *al = SSL_AD_INTERNAL_ERROR;
1432
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
1433 1434 1435 1436 1437 1438
        goto err;
    }
    p = g = NULL;

    if (!DH_set0_key(dh, bnpub_key, NULL)) {
        *al = SSL_AD_INTERNAL_ERROR;
1439
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
1440 1441 1442 1443 1444 1445
        goto err;
    }
    bnpub_key = NULL;

    if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
1446
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_DH_KEY_TOO_SMALL);
1447 1448 1449 1450 1451
        goto err;
    }

    if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
        *al = SSL_AD_INTERNAL_ERROR;
1452
        SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_EVP_LIB);
1453 1454 1455 1456 1457 1458 1459 1460 1461
        goto err;
    }

    s->s3->peer_tmp = peer_tmp;

    /*
     * FIXME: This makes assumptions about which ciphersuites come with
     * public keys. We should have a less ad-hoc way of doing this
     */
E
Emilia Kasper 已提交
1462
    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476
        *pkey = X509_get0_pubkey(s->session->peer);
    /* else anonymous DH, so no certificate or pkey. */

    return 1;

 err:
    BN_free(p);
    BN_free(g);
    BN_free(bnpub_key);
    DH_free(dh);
    EVP_PKEY_free(peer_tmp);

    return 0;
#else
1477
    SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_INTERNAL_ERROR);
1478 1479 1480 1481 1482
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
#endif
}

1483 1484 1485 1486 1487 1488
static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
{
#ifndef OPENSSL_NO_EC
    PACKET encoded_pt;
    const unsigned char *ecparams;
    int curve_nid;
1489
    unsigned int curve_flags;
1490 1491 1492 1493 1494 1495 1496 1497 1498
    EVP_PKEY_CTX *pctx = NULL;

    /*
     * Extract elliptic curve parameters and the server's ephemeral ECDH
     * public key. For now we only support named (not generic) curves and
     * ECParameters in this case is just three bytes.
     */
    if (!PACKET_get_bytes(pkt, &ecparams, 3)) {
        *al = SSL_AD_DECODE_ERROR;
1499
        SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_TOO_SHORT);
1500 1501 1502 1503 1504 1505 1506 1507
        return 0;
    }
    /*
     * Check curve is one of our preferences, if not server has sent an
     * invalid curve. ECParameters is 3 bytes.
     */
    if (!tls1_check_curve(s, ecparams, 3)) {
        *al = SSL_AD_DECODE_ERROR;
1508
        SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_WRONG_CURVE);
1509 1510 1511
        return 0;
    }

1512 1513
    curve_nid = tls1_ec_curve_id2nid(*(ecparams + 2), &curve_flags);

E
Emilia Kasper 已提交
1514
    if (curve_nid == 0) {
1515
        *al = SSL_AD_INTERNAL_ERROR;
1516
        SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE,
1517 1518 1519 1520
               SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
        return 0;
    }

1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542
    if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
        EVP_PKEY *key = EVP_PKEY_new();

        if (key == NULL || !EVP_PKEY_set_type(key, curve_nid)) {
            *al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB);
            EVP_PKEY_free(key);
            return 0;
        }
        s->s3->peer_tmp = key;
    } else {
        /* Set up EVP_PKEY with named curve as parameters */
        pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
        if (pctx == NULL
            || EVP_PKEY_paramgen_init(pctx) <= 0
            || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, curve_nid) <= 0
            || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
            *al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_EVP_LIB);
            EVP_PKEY_CTX_free(pctx);
            return 0;
        }
1543
        EVP_PKEY_CTX_free(pctx);
1544
        pctx = NULL;
1545 1546 1547 1548
    }

    if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
        *al = SSL_AD_DECODE_ERROR;
1549
        SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_LENGTH_MISMATCH);
1550 1551 1552
        return 0;
    }

1553 1554 1555
    if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
                                        PACKET_data(&encoded_pt),
                                        PACKET_remaining(&encoded_pt))) {
1556
        *al = SSL_AD_DECODE_ERROR;
1557
        SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, SSL_R_BAD_ECPOINT);
1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573
        return 0;
    }

    /*
     * The ECC/TLS specification does not mention the use of DSA to sign
     * ECParameters in the server key exchange message. We do support RSA
     * and ECDSA.
     */
    if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA)
        *pkey = X509_get0_pubkey(s->session->peer);
    else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA)
        *pkey = X509_get0_pubkey(s->session->peer);
    /* else anonymous ECDH, so no certificate or pkey. */

    return 1;
#else
1574
    SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE, ERR_R_INTERNAL_ERROR);
1575 1576 1577 1578 1579
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
#endif
}

M
Matt Caswell 已提交
1580
MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
1581
{
1582
    int al = -1;
1583
    long alg_k;
1584
    EVP_PKEY *pkey = NULL;
1585
    PACKET save_param_start, signature;
1586 1587 1588

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

1589
    save_param_start = *pkt;
1590

1591
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1592 1593
    EVP_PKEY_free(s->s3->peer_tmp);
    s->s3->peer_tmp = NULL;
1594
#endif
1595

1596
    if (alg_k & SSL_PSK) {
1597 1598
        if (!tls_process_ske_psk_preamble(s, pkt, &al))
            goto err;
1599 1600 1601 1602
    }

    /* Nothing else to do for plain PSK or RSAPSK */
    if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
1603 1604
    } else if (alg_k & SSL_kSRP) {
        if (!tls_process_ske_srp(s, pkt, &pkey, &al))
1605
            goto err;
1606 1607 1608
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
        if (!tls_process_ske_dhe(s, pkt, &pkey, &al))
            goto err;
1609 1610 1611
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        if (!tls_process_ske_ecdhe(s, pkt, &pkey, &al))
            goto err;
1612 1613
    } else if (alg_k) {
        al = SSL_AD_UNEXPECTED_MESSAGE;
1614
        SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
1615
        goto err;
1616 1617 1618 1619
    }

    /* if it was signed, check the signature */
    if (pkey != NULL) {
1620
        PACKET params;
1621 1622
        int maxsig;
        const EVP_MD *md = NULL;
1623 1624
        EVP_MD_CTX *md_ctx;

1625 1626 1627 1628 1629 1630
        /*
         * |pkt| now points to the beginning of the signature, so the difference
         * equals the length of the parameters.
         */
        if (!PACKET_get_sub_packet(&save_param_start, &params,
                                   PACKET_remaining(&save_param_start) -
1631
                                   PACKET_remaining(pkt))) {
1632
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1633
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1634
            goto err;
1635 1636
        }

1637
        if (SSL_USE_SIGALGS(s)) {
E
Emilia Kasper 已提交
1638
            const unsigned char *sigalgs;
1639
            int rv;
1640
            if (!PACKET_get_bytes(pkt, &sigalgs, 2)) {
1641
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1642
                SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
1643
                goto err;
1644
            }
1645
            rv = tls12_check_peer_sigalg(&md, s, sigalgs, pkey);
1646 1647 1648 1649 1650
            if (rv == -1) {
                al = SSL_AD_INTERNAL_ERROR;
                goto err;
            } else if (rv == 0) {
                al = SSL_AD_DECODE_ERROR;
1651 1652
                goto err;
            }
1653
#ifdef SSL_DEBUG
1654 1655
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
D
Dr. Stephen Henson 已提交
1656
        } else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
1657
            md = EVP_md5_sha1();
1658
        } else {
1659
            md = EVP_sha1();
1660
        }
1661

1662 1663
        if (!PACKET_get_length_prefixed_2(pkt, &signature)
            || PACKET_remaining(pkt) != 0) {
1664
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1665
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
1666
            goto err;
1667
        }
1668 1669
        maxsig = EVP_PKEY_size(pkey);
        if (maxsig < 0) {
1670
            al = SSL_AD_INTERNAL_ERROR;
1671
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1672
            goto err;
M
Matt Caswell 已提交
1673
        }
1674 1675

        /*
M
Matt Caswell 已提交
1676
         * Check signature length
1677
         */
1678
        if (PACKET_remaining(&signature) > (size_t)maxsig) {
1679
            /* wrong packet length */
1680
            al = SSL_AD_DECODE_ERROR;
E
Emilia Kasper 已提交
1681 1682
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
                   SSL_R_WRONG_SIGNATURE_LENGTH);
1683 1684 1685 1686 1687 1688 1689 1690
            goto err;
        }

        md_ctx = EVP_MD_CTX_new();
        if (md_ctx == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto err;
1691
        }
1692

1693
        if (EVP_VerifyInit_ex(md_ctx, md, NULL) <= 0
E
Emilia Kasper 已提交
1694 1695 1696 1697 1698 1699
            || EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]),
                                SSL3_RANDOM_SIZE) <= 0
            || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]),
                                SSL3_RANDOM_SIZE) <= 0
            || EVP_VerifyUpdate(md_ctx, PACKET_data(&params),
                                PACKET_remaining(&params)) <= 0) {
1700
            EVP_MD_CTX_free(md_ctx);
1701 1702
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
1703
            goto err;
1704
        }
1705
        if (EVP_VerifyFinal(md_ctx, PACKET_data(&signature),
1706 1707
                            PACKET_remaining(&signature), pkey) <= 0) {
            /* bad signature */
1708
            EVP_MD_CTX_free(md_ctx);
1709 1710
            al = SSL_AD_DECRYPT_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE);
1711
            goto err;
1712
        }
1713
        EVP_MD_CTX_free(md_ctx);
1714
    } else {
1715
        /* aNULL, aSRP or PSK do not need public keys */
1716
        if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
E
Emilia Kasper 已提交
1717
            && !(alg_k & SSL_PSK)) {
1718
            /* Might be wrong key type, check it */
1719
            if (ssl3_check_cert_and_algorithm(s)) {
1720
                /* Otherwise this shouldn't happen */
1721
                al = SSL_AD_INTERNAL_ERROR;
1722
                SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1723 1724 1725
            } else {
                al = SSL_AD_DECODE_ERROR;
            }
1726 1727 1728
            goto err;
        }
        /* still data left over */
1729
        if (PACKET_remaining(pkt) != 0) {
1730
            al = SSL_AD_DECODE_ERROR;
1731
            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE);
1732
            goto err;
1733 1734
        }
    }
1735

1736
    return MSG_PROCESS_CONTINUE_READING;
1737
 err:
1738 1739
    if (al != -1)
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1740
    ossl_statem_set_error(s);
1741
    return MSG_PROCESS_ERROR;
1742
}
1743

M
Matt Caswell 已提交
1744
MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
1745 1746 1747 1748
{
    int ret = MSG_PROCESS_ERROR;
    unsigned int list_len, ctype_num, i, name_len;
    X509_NAME *xn = NULL;
E
Emilia Kasper 已提交
1749 1750
    const unsigned char *data;
    const unsigned char *namestart, *namebytes;
1751
    STACK_OF(X509_NAME) *ca_sk = NULL;
1752 1753

    if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
1754
        SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1755 1756 1757 1758
        goto err;
    }

    /* get the certificate types */
1759
    if (!PACKET_get_1(pkt, &ctype_num)
E
Emilia Kasper 已提交
1760
        || !PACKET_get_bytes(pkt, &data, ctype_num)) {
M
Matt Caswell 已提交
1761
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1762
        SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1763 1764
        goto err;
    }
R
Rich Salz 已提交
1765 1766
    OPENSSL_free(s->cert->ctypes);
    s->cert->ctypes = NULL;
1767 1768 1769 1770
    if (ctype_num > SSL3_CT_NUMBER) {
        /* If we exceed static buffer copy all to cert structure */
        s->cert->ctypes = OPENSSL_malloc(ctype_num);
        if (s->cert->ctypes == NULL) {
1771
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1772 1773
            goto err;
        }
M
Matt Caswell 已提交
1774
        memcpy(s->cert->ctypes, data, ctype_num);
1775 1776 1777 1778
        s->cert->ctype_num = (size_t)ctype_num;
        ctype_num = SSL3_CT_NUMBER;
    }
    for (i = 0; i < ctype_num; i++)
M
Matt Caswell 已提交
1779 1780
        s->s3->tmp.ctype[i] = data[i];

1781
    if (SSL_USE_SIGALGS(s)) {
1782
        if (!PACKET_get_net_2(pkt, &list_len)
E
Emilia Kasper 已提交
1783
            || !PACKET_get_bytes(pkt, &data, list_len)) {
1784
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1785 1786
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
                   SSL_R_LENGTH_MISMATCH);
1787 1788
            goto err;
        }
M
Matt Caswell 已提交
1789

1790 1791
        /* Clear certificate digests and validity flags */
        for (i = 0; i < SSL_PKEY_NUM; i++) {
1792
            s->s3->tmp.md[i] = NULL;
1793
            s->s3->tmp.valid_flags[i] = 0;
1794
        }
M
Matt Caswell 已提交
1795
        if ((list_len & 1) || !tls1_save_sigalgs(s, data, list_len)) {
1796
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1797
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
1798 1799 1800 1801 1802
                   SSL_R_SIGNATURE_ALGORITHMS_ERROR);
            goto err;
        }
        if (!tls1_process_sigalgs(s)) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1803
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1804 1805
            goto err;
        }
1806 1807
    } else {
        ssl_set_default_md(s);
1808 1809 1810
    }

    /* get the CA RDNs */
1811
    if (!PACKET_get_net_2(pkt, &list_len)
E
Emilia Kasper 已提交
1812
        || PACKET_remaining(pkt) != list_len) {
1813
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1814
        SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
1815 1816 1817
        goto err;
    }

1818 1819
    while (PACKET_remaining(pkt)) {
        if (!PACKET_get_net_2(pkt, &name_len)
E
Emilia Kasper 已提交
1820
            || !PACKET_get_bytes(pkt, &namebytes, name_len)) {
1821
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1822 1823
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
                   SSL_R_LENGTH_MISMATCH);
1824 1825 1826
            goto err;
        }

M
Matt Caswell 已提交
1827
        namestart = namebytes;
1828

M
Matt Caswell 已提交
1829 1830
        if ((xn = d2i_X509_NAME(NULL, (const unsigned char **)&namebytes,
                                name_len)) == NULL) {
1831
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1832
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
1833
            goto err;
1834 1835
        }

M
Matt Caswell 已提交
1836
        if (namebytes != (namestart + name_len)) {
1837
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1838
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
1839 1840 1841 1842
                   SSL_R_CA_DN_LENGTH_MISMATCH);
            goto err;
        }
        if (!sk_X509_NAME_push(ca_sk, xn)) {
1843
            SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
1844 1845
            goto err;
        }
1846
        xn = NULL;
1847 1848 1849 1850 1851
    }

    /* we should setup a certificate to return.... */
    s->s3->tmp.cert_req = 1;
    s->s3->tmp.ctype_num = ctype_num;
R
Rich Salz 已提交
1852
    sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
1853 1854 1855
    s->s3->tmp.ca_names = ca_sk;
    ca_sk = NULL;

1856
    ret = MSG_PROCESS_CONTINUE_PROCESSING;
1857
    goto done;
1858
 err:
M
Matt Caswell 已提交
1859
    ossl_statem_set_error(s);
1860
 done:
1861
    X509_NAME_free(xn);
R
Rich Salz 已提交
1862
    sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
1863
    return ret;
1864 1865 1866
}

static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
1867
{
1868
    return (X509_NAME_cmp(*a, *b));
1869 1870
}

M
Matt Caswell 已提交
1871
MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
1872 1873 1874 1875 1876
{
    int al;
    unsigned int ticklen;
    unsigned long ticket_lifetime_hint;

1877
    if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
E
Emilia Kasper 已提交
1878 1879
        || !PACKET_get_net_2(pkt, &ticklen)
        || PACKET_remaining(pkt) != ticklen) {
1880
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1881
        SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
1882 1883 1884 1885 1886
        goto f_err;
    }

    /* Server is allowed to change its mind and send an empty ticket. */
    if (ticklen == 0)
1887
        return MSG_PROCESS_CONTINUE_READING;
1888

1889 1890 1891 1892 1893 1894 1895 1896 1897
    if (s->session->session_id_length > 0) {
        int i = s->session_ctx->session_cache_mode;
        SSL_SESSION *new_sess;
        /*
         * We reused an existing session, so we need to replace it with a new
         * one
         */
        if (i & SSL_SESS_CACHE_CLIENT) {
            /*
1898
             * Remove the old session from the cache. We carry on if this fails
1899
             */
1900
            SSL_CTX_remove_session(s->session_ctx, s->session);
1901 1902 1903 1904
        }

        if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
            al = SSL_AD_INTERNAL_ERROR;
1905
            SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
1906 1907 1908 1909 1910 1911 1912
            goto f_err;
        }

        SSL_SESSION_free(s->session);
        s->session = new_sess;
    }

R
Rich Salz 已提交
1913 1914
    OPENSSL_free(s->session->tlsext_tick);
    s->session->tlsext_ticklen = 0;
1915

1916
    s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1917
    if (s->session->tlsext_tick == NULL) {
1918
        SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
1919 1920
        goto err;
    }
1921
    if (!PACKET_copy_bytes(pkt, s->session->tlsext_tick, ticklen)) {
M
Matt Caswell 已提交
1922
        al = SSL_AD_DECODE_ERROR;
1923
        SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1924 1925
        goto f_err;
    }
1926 1927

    s->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint;
1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939
    s->session->tlsext_ticklen = ticklen;
    /*
     * There are two ways to detect a resumed ticket session. One is to set
     * an appropriate session ID and then the server must return a match in
     * ServerHello. This allows the normal client session ID matching to work
     * and we know much earlier that the ticket has been accepted. The
     * other way is to set zero length session ID when the ticket is
     * presented and rely on the handshake to determine session resumption.
     * We choose the former approach because this fits in with assumptions
     * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
     * SHA256 is disabled) hash of the ticket.
     */
1940 1941 1942 1943 1944 1945
    if (!EVP_Digest(s->session->tlsext_tick, ticklen,
                    s->session->session_id, &s->session->session_id_length,
                    EVP_sha256(), NULL)) {
        SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
        goto err;
    }
1946
    return MSG_PROCESS_CONTINUE_READING;
1947 1948 1949
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1950
    ossl_statem_set_error(s);
1951
    return MSG_PROCESS_ERROR;
1952
}
1953

M
Matt Caswell 已提交
1954
MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
1955 1956 1957 1958 1959
{
    int al;
    unsigned long resplen;
    unsigned int type;

1960
    if (!PACKET_get_1(pkt, &type)
E
Emilia Kasper 已提交
1961
        || type != TLSEXT_STATUSTYPE_ocsp) {
1962
        al = SSL_AD_DECODE_ERROR;
1963
        SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
1964 1965
        goto f_err;
    }
1966
    if (!PACKET_get_net_3(pkt, &resplen)
E
Emilia Kasper 已提交
1967
        || PACKET_remaining(pkt) != resplen) {
1968
        al = SSL_AD_DECODE_ERROR;
1969
        SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
1970 1971
        goto f_err;
    }
1972
    s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
1973
    if (s->tlsext_ocsp_resp == NULL) {
1974
        al = SSL_AD_INTERNAL_ERROR;
1975
        SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, ERR_R_MALLOC_FAILURE);
1976 1977
        goto f_err;
    }
1978
    if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) {
1979
        al = SSL_AD_DECODE_ERROR;
1980
        SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
1981 1982
        goto f_err;
    }
1983
    s->tlsext_ocsp_resplen = resplen;
1984
    return MSG_PROCESS_CONTINUE_READING;
1985 1986
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1987
    ossl_statem_set_error(s);
1988
    return MSG_PROCESS_ERROR;
1989
}
1990

M
Matt Caswell 已提交
1991
MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
1992
{
1993
    if (PACKET_remaining(pkt) > 0) {
1994 1995
        /* should contain no data */
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1996
        SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1997
        ossl_statem_set_error(s);
1998
        return MSG_PROCESS_ERROR;
1999
    }
2000 2001 2002 2003 2004
#ifndef OPENSSL_NO_SRP
    if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
        if (SRP_Calc_A_param(s) <= 0) {
            SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, SSL_R_SRP_A_CALC);
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
2005
            ossl_statem_set_error(s);
2006 2007 2008 2009 2010
            return MSG_PROCESS_ERROR;
        }
    }
#endif

2011 2012 2013 2014 2015 2016
    /*
     * at this point we check that we have the required stuff from
     * the server
     */
    if (!ssl3_check_cert_and_algorithm(s)) {
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
M
Matt Caswell 已提交
2017
        ossl_statem_set_error(s);
2018 2019 2020
        return MSG_PROCESS_ERROR;
    }

2021 2022 2023 2024 2025
    /*
     * Call the ocsp status callback if needed. The |tlsext_ocsp_resp| and
     * |tlsext_ocsp_resplen| values will be set if we actually received a status
     * message, or NULL and -1 otherwise
     */
2026
    if (s->tlsext_status_type != -1 && s->ctx->tlsext_status_cb != NULL) {
2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041
        int ret;
        ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
        if (ret == 0) {
            ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
            SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE,
                   SSL_R_INVALID_STATUS_RESPONSE);
            return MSG_PROCESS_ERROR;
        }
        if (ret < 0) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
            SSLerr(SSL_F_TLS_PROCESS_SERVER_DONE, ERR_R_MALLOC_FAILURE);
            return MSG_PROCESS_ERROR;
        }
    }
2042 2043
#ifndef OPENSSL_NO_CT
    if (s->ct_validation_callback != NULL) {
2044 2045
        /* Note we validate the SCTs whether or not we abort on error */
        if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
2046 2047 2048 2049 2050 2051
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
            return MSG_PROCESS_ERROR;
        }
    }
#endif

2052 2053 2054
#ifndef OPENSSL_NO_SCTP
    /* Only applies to renegotiation */
    if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
E
Emilia Kasper 已提交
2055
        && s->renegotiate != 0)
2056 2057 2058 2059
        return MSG_PROCESS_CONTINUE_PROCESSING;
    else
#endif
        return MSG_PROCESS_FINISHED_READING;
2060
}
2061

2062
static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt, int *al)
2063
{
2064
#ifndef OPENSSL_NO_PSK
2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078
    int ret = 0;
    /*
     * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
     * \0-terminated identity. The last byte is for us for simulating
     * strnlen.
     */
    char identity[PSK_MAX_IDENTITY_LEN + 1];
    size_t identitylen = 0;
    unsigned char psk[PSK_MAX_PSK_LEN];
    unsigned char *tmppsk = NULL;
    char *tmpidentity = NULL;
    size_t psklen = 0;

    if (s->psk_client_callback == NULL) {
2079
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_CLIENT_CB);
2080 2081 2082
        *al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }
2083

2084
    memset(identity, 0, sizeof(identity));
2085

2086 2087 2088
    psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
                                    identity, sizeof(identity) - 1,
                                    psk, sizeof(psk));
2089

2090
    if (psklen > PSK_MAX_PSK_LEN) {
2091
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2092 2093 2094
        *al = SSL_AD_HANDSHAKE_FAILURE;
        goto err;
    } else if (psklen == 0) {
2095
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2096 2097 2098 2099
               SSL_R_PSK_IDENTITY_NOT_FOUND);
        *al = SSL_AD_HANDSHAKE_FAILURE;
        goto err;
    }
2100

2101 2102
    identitylen = strlen(identity);
    if (identitylen > PSK_MAX_IDENTITY_LEN) {
2103
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2104 2105 2106
        *al = SSL_AD_HANDSHAKE_FAILURE;
        goto err;
    }
2107

2108 2109 2110
    tmppsk = OPENSSL_memdup(psk, psklen);
    tmpidentity = OPENSSL_strdup(identity);
    if (tmppsk == NULL || tmpidentity == NULL) {
2111
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2112 2113 2114
        *al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }
2115

2116 2117 2118 2119 2120 2121 2122
    OPENSSL_free(s->s3->tmp.psk);
    s->s3->tmp.psk = tmppsk;
    s->s3->tmp.psklen = psklen;
    tmppsk = NULL;
    OPENSSL_free(s->session->psk_identity);
    s->session->psk_identity = tmpidentity;
    tmpidentity = NULL;
2123

2124
    if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen))  {
2125 2126 2127 2128
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
        *al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }
2129

2130
    ret = 1;
2131

2132 2133 2134 2135 2136
 err:
    OPENSSL_cleanse(psk, psklen);
    OPENSSL_cleanse(identity, sizeof(identity));
    OPENSSL_clear_free(tmppsk, psklen);
    OPENSSL_clear_free(tmpidentity, identitylen);
2137

2138 2139
    return ret;
#else
2140
    SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2141 2142
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
2143
#endif
2144
}
2145

2146
static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al)
2147
{
2148
#ifndef OPENSSL_NO_RSA
2149
    unsigned char *encdata = NULL;
2150 2151 2152 2153 2154
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *pctx = NULL;
    size_t enclen;
    unsigned char *pms = NULL;
    size_t pmslen = 0;
2155

2156 2157 2158 2159
    if (s->session->peer == NULL) {
        /*
         * We should always have a server certificate with SSL_kRSA.
         */
2160
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
2161 2162
        return 0;
    }
2163

2164 2165
    pkey = X509_get0_pubkey(s->session->peer);
    if (EVP_PKEY_get0_RSA(pkey) == NULL) {
2166
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
2167 2168
        return 0;
    }
2169

2170 2171 2172
    pmslen = SSL_MAX_MASTER_KEY_LENGTH;
    pms = OPENSSL_malloc(pmslen);
    if (pms == NULL) {
2173
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_MALLOC_FAILURE);
2174 2175 2176
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }
2177

2178 2179 2180 2181 2182
    pms[0] = s->client_version >> 8;
    pms[1] = s->client_version & 0xff;
    if (RAND_bytes(pms + 2, pmslen - 2) <= 0) {
        goto err;
    }
2183

2184
    /* Fix buf for TLS and beyond */
2185 2186 2187 2188
    if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
        goto err;
    }
2189 2190 2191
    pctx = EVP_PKEY_CTX_new(pkey, NULL);
    if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
        || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
2192
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_EVP_LIB);
2193 2194
        goto err;
    }
2195 2196
    if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
            || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
2197
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, SSL_R_BAD_RSA_ENCRYPT);
2198 2199 2200 2201
        goto err;
    }
    EVP_PKEY_CTX_free(pctx);
    pctx = NULL;
2202
# ifdef PKCS1_CHECK
2203 2204 2205 2206
    if (s->options & SSL_OP_PKCS1_CHECK_1)
        (*p)[1]++;
    if (s->options & SSL_OP_PKCS1_CHECK_2)
        tmp_buf[0] = 0x70;
2207 2208
# endif

2209
    /* Fix buf for TLS and beyond */
2210 2211 2212
    if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
        goto err;
2213
    }
2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224

    s->s3->tmp.pms = pms;
    s->s3->tmp.pmslen = pmslen;

    return 1;
 err:
    OPENSSL_clear_free(pms, pmslen);
    EVP_PKEY_CTX_free(pctx);

    return 0;
#else
2225
    SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
2226 2227
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
2228
#endif
2229 2230
}

2231
static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt, int *al)
2232 2233 2234 2235 2236
{
#ifndef OPENSSL_NO_DH
    DH *dh_clnt = NULL;
    const BIGNUM *pub_key;
    EVP_PKEY *ckey = NULL, *skey = NULL;
2237
    unsigned char *keybytes = NULL;
2238 2239

    skey = s->s3->peer_tmp;
2240 2241 2242
    if (skey == NULL)
        goto err;

D
Dr. Stephen Henson 已提交
2243
    ckey = ssl_generate_pkey(skey);
2244 2245
    dh_clnt = EVP_PKEY_get0_DH(ckey);

2246 2247
    if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0)
        goto err;
2248 2249 2250

    /* send off the data */
    DH_get0_key(dh_clnt, &pub_key, NULL);
2251
    if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), &keybytes))
2252 2253 2254
        goto err;

    BN_bn2bin(pub_key, keybytes);
2255 2256 2257
    EVP_PKEY_free(ckey);

    return 1;
2258 2259 2260
 err:
    EVP_PKEY_free(ckey);
#endif
2261
    SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
2262 2263 2264 2265
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
}

2266
static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, int *al)
2267 2268 2269 2270 2271
{
#ifndef OPENSSL_NO_EC
    unsigned char *encodedPoint = NULL;
    int encoded_pt_len = 0;
    EVP_PKEY *ckey = NULL, *skey = NULL;
2272
    int ret = 0;
2273 2274

    skey = s->s3->peer_tmp;
2275
    if (skey == NULL) {
2276
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2277 2278 2279
        return 0;
    }

D
Dr. Stephen Henson 已提交
2280
    ckey = ssl_generate_pkey(skey);
2281 2282

    if (ssl_derive(s, ckey, skey) == 0) {
2283
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB);
2284 2285 2286 2287
        goto err;
    }

    /* Generate encoding of client key */
2288
    encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint);
2289 2290

    if (encoded_pt_len == 0) {
2291
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EC_LIB);
2292 2293 2294
        goto err;
    }

2295
    if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
2296 2297 2298
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
        goto err;
    }
2299

2300
    ret = 1;
2301
 err:
2302
    OPENSSL_free(encodedPoint);
2303
    EVP_PKEY_free(ckey);
2304
    return ret;
2305
#else
2306
    SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2307 2308 2309 2310 2311
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
#endif
}

2312
static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334
{
#ifndef OPENSSL_NO_GOST
    /* GOST key exchange message creation */
    EVP_PKEY_CTX *pkey_ctx = NULL;
    X509 *peer_cert;
    size_t msglen;
    unsigned int md_len;
    unsigned char shared_ukm[32], tmp[256];
    EVP_MD_CTX *ukm_hash = NULL;
    int dgst_nid = NID_id_GostR3411_94;
    unsigned char *pms = NULL;
    size_t pmslen = 0;

    if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
        dgst_nid = NID_id_GostR3411_2012_256;

    /*
     * Get server sertificate PKEY and create ctx from it
     */
    peer_cert = s->session->peer;
    if (!peer_cert) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2335
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST,
2336 2337 2338 2339 2340 2341 2342
               SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
        return 0;
    }

    pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
    if (pkey_ctx == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2343
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE);
2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356
        return 0;
    }
    /*
     * If we have send a certificate, and certificate key
     * parameters match those of server certificate, use
     * certificate key for key exchange
     */

    /* Otherwise, generate ephemeral key pair */
    pmslen = 32;
    pms = OPENSSL_malloc(pmslen);
    if (pms == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2357
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_MALLOC_FAILURE);
2358
        goto err;
2359 2360 2361
    }

    if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
E
Emilia Kasper 已提交
2362 2363
        /* Generate session key */
        || RAND_bytes(pms, pmslen) <= 0) {
2364
        *al = SSL_AD_INTERNAL_ERROR;
2365
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
2366 2367 2368 2369 2370 2371 2372 2373
        goto err;
    };
    /*
     * Compute shared IV and store it in algorithm-specific context
     * data
     */
    ukm_hash = EVP_MD_CTX_new();
    if (ukm_hash == NULL
E
Emilia Kasper 已提交
2374 2375 2376 2377 2378 2379
        || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
        || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
                            SSL3_RANDOM_SIZE) <= 0
        || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
                            SSL3_RANDOM_SIZE) <= 0
        || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
2380
        *al = SSL_AD_INTERNAL_ERROR;
2381
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
2382 2383 2384 2385 2386 2387 2388
        goto err;
    }
    EVP_MD_CTX_free(ukm_hash);
    ukm_hash = NULL;
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
                          EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
        *al = SSL_AD_INTERNAL_ERROR;
2389
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG);
2390 2391 2392 2393 2394 2395 2396 2397 2398
        goto err;
    }
    /* Make GOST keytransport blob message */
    /*
     * Encapsulate it into sequence
     */
    msglen = 255;
    if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
        *al = SSL_AD_INTERNAL_ERROR;
2399
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG);
2400 2401
        goto err;
    }
2402

2403 2404
    if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
            || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
2405
            || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
2406 2407 2408
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
        goto err;
2409
    }
2410

2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421
    EVP_PKEY_CTX_free(pkey_ctx);
    s->s3->tmp.pms = pms;
    s->s3->tmp.pmslen = pmslen;

    return 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    OPENSSL_clear_free(pms, pmslen);
    EVP_MD_CTX_free(ukm_hash);
    return 0;
#else
2422
    SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
2423 2424 2425 2426 2427
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
#endif
}

2428
static int tls_construct_cke_srp(SSL *s, WPACKET *pkt, int *al)
2429
{
2430
#ifndef OPENSSL_NO_SRP
2431 2432 2433
    unsigned char *abytes = NULL;

    if (s->srp_ctx.A == NULL
2434 2435
            || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
                                               &abytes)) {
2436
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR);
2437 2438
        return 0;
    }
2439 2440
    BN_bn2bin(s->srp_ctx.A, abytes);

2441 2442 2443
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
2444
        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_MALLOC_FAILURE);
2445 2446 2447 2448 2449
        return 0;
    }

    return 1;
#else
2450
    SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR);
2451 2452 2453 2454 2455
    *al = SSL_AD_INTERNAL_ERROR;
    return 0;
#endif
}

2456
int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
2457 2458 2459 2460
{
    unsigned long alg_k;
    int al = -1;

2461
    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2462 2463

    if ((alg_k & SSL_PSK)
2464
        && !tls_construct_cke_psk_preamble(s, pkt, &al))
2465 2466
        goto err;

2467
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
2468
        if (!tls_construct_cke_rsa(s, pkt, &al))
2469
            goto err;
2470
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2471
        if (!tls_construct_cke_dhe(s, pkt, &al))
2472
            goto err;
2473
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
2474
        if (!tls_construct_cke_ecdhe(s, pkt, &al))
D
Dr. Stephen Henson 已提交
2475
            goto err;
2476
    } else if (alg_k & SSL_kGOST) {
2477
        if (!tls_construct_cke_gost(s, pkt, &al))
2478
            goto err;
2479
    } else if (alg_k & SSL_kSRP) {
2480
        if (!tls_construct_cke_srp(s, pkt, &al))
M
Matt Caswell 已提交
2481
            goto err;
2482
    } else if (!(alg_k & SSL_kPSK)) {
2483 2484 2485 2486 2487 2488
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    return 1;
2489
 err:
2490 2491
    if (al != -1)
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
2492
    OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
D
Dr. Stephen Henson 已提交
2493
    s->s3->tmp.pms = NULL;
2494 2495 2496
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
2497
#endif
2498 2499 2500 2501 2502 2503 2504 2505
    return 0;
}

int tls_client_key_exchange_post_work(SSL *s)
{
    unsigned char *pms = NULL;
    size_t pmslen = 0;

2506 2507 2508
    pms = s->s3->tmp.pms;
    pmslen = s->s3->tmp.pmslen;

2509 2510 2511 2512 2513 2514 2515 2516 2517 2518 2519 2520 2521 2522 2523 2524 2525 2526 2527 2528
#ifndef OPENSSL_NO_SRP
    /* Check for SRP */
    if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
        if (!srp_generate_client_master_secret(s)) {
            SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
        return 1;
    }
#endif

    if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        SSLerr(SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_INTERNAL_ERROR);
2529 2530 2531
        /* ssl_generate_master_secret frees the pms even on error */
        pms = NULL;
        pmslen = 0;
2532 2533
        goto err;
    }
2534 2535
    pms = NULL;
    pmslen = 0;
2536 2537 2538 2539 2540 2541 2542 2543 2544 2545

#ifndef OPENSSL_NO_SCTP
    if (SSL_IS_DTLS(s)) {
        unsigned char sctpauthkey[64];
        char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

        /*
         * Add new shared key for SCTP-Auth, will be ignored if no SCTP
         * used.
         */
M
Matt Caswell 已提交
2546 2547
        memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
               sizeof(DTLS1_SCTP_AUTH_LABEL));
2548 2549

        if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
2550 2551
                                       sizeof(sctpauthkey), labelbuffer,
                                       sizeof(labelbuffer), NULL, 0, 0) <= 0)
2552 2553 2554 2555 2556 2557 2558
            goto err;

        BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                 sizeof(sctpauthkey), sctpauthkey);
    }
#endif

2559 2560 2561 2562 2563
    return 1;
 err:
    OPENSSL_clear_free(pms, pmslen);
    s->s3->tmp.pms = NULL;
    return 0;
2564
}
2565

2566
int tls_construct_client_verify(SSL *s, WPACKET *pkt)
2567 2568
{
    EVP_PKEY *pkey;
2569
    const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
2570
    EVP_MD_CTX *mctx = NULL;
2571
    unsigned u = 0;
2572 2573
    long hdatalen = 0;
    void *hdata;
2574 2575
    unsigned char *sig = NULL;

2576
    mctx = EVP_MD_CTX_new();
2577 2578 2579 2580
    if (mctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
        goto err;
    }
2581
    pkey = s->cert->key->privatekey;
2582 2583 2584

    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
    if (hdatalen <= 0) {
2585 2586 2587
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
        goto err;
    }
2588
    if (SSL_USE_SIGALGS(s)&& !tls12_get_sigandhash(pkt, pkey, md)) {
2589 2590
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
        goto err;
2591
    }
2592
#ifdef SSL_DEBUG
2593
    fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
2594
#endif
2595 2596 2597 2598 2599
    sig = OPENSSL_malloc(EVP_PKEY_size(pkey));
    if (sig == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
        goto err;
    }
2600 2601
    if (!EVP_SignInit_ex(mctx, md, NULL)
        || !EVP_SignUpdate(mctx, hdata, hdatalen)
2602
        || (s->version == SSL3_VERSION
2603
            && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
2604 2605
                                s->session->master_key_length,
                                s->session->master_key))
2606
        || !EVP_SignFinal(mctx, sig, &u, pkey)) {
2607 2608 2609
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
        goto err;
    }
M
Matt Caswell 已提交
2610
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
2611 2612 2613 2614 2615
    {
        int pktype = EVP_PKEY_id(pkey);
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
            || pktype == NID_id_GostR3410_2012_512)
2616
            BUF_reverse(sig, NULL, u);
2617
    }
M
Matt Caswell 已提交
2618
#endif
2619

2620
    if (!WPACKET_sub_memcpy_u16(pkt, sig, u)) {
2621 2622 2623 2624
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
        goto err;
    }

2625 2626 2627
    /* Digest cached records and discard handshake buffer */
    if (!ssl3_digest_cached_records(s, 0))
        goto err;
2628 2629

    OPENSSL_free(sig);
2630
    EVP_MD_CTX_free(mctx);
2631
    return 1;
2632
 err:
2633
    OPENSSL_free(sig);
2634
    EVP_MD_CTX_free(mctx);
2635
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
2636
    return 0;
2637 2638 2639 2640 2641 2642
}

/*
 * Check a certificate can be used for client authentication. Currently check
 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
 * certificates can be used and optionally checks suitability for Suite B.
2643 2644
 */
static int ssl3_check_client_certificate(SSL *s)
2645 2646 2647 2648
{
    if (!s->cert || !s->cert->key->x509 || !s->cert->key->privatekey)
        return 0;
    /* If no suitable signature algorithm can't use certificate */
2649
    if (SSL_USE_SIGALGS(s) && !s->s3->tmp.md[s->cert->key - s->cert->pkeys])
2650 2651 2652 2653 2654 2655 2656 2657 2658 2659
        return 0;
    /*
     * If strict mode check suitability of chain before using it. This also
     * adjusts suite B digest if necessary.
     */
    if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
        !tls1_check_chain(s, NULL, NULL, NULL, -2))
        return 0;
    return 1;
}
2660

M
Matt Caswell 已提交
2661
WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
2662 2663 2664 2665 2666
{
    X509 *x509 = NULL;
    EVP_PKEY *pkey = NULL;
    int i;

2667
    if (wst == WORK_MORE_A) {
2668 2669 2670 2671 2672
        /* Let cert callback update client certificates if required */
        if (s->cert->cert_cb) {
            i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
            if (i < 0) {
                s->rwstate = SSL_X509_LOOKUP;
2673
                return WORK_MORE_A;
2674 2675 2676
            }
            if (i == 0) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
2677
                ossl_statem_set_error(s);
2678 2679 2680 2681 2682
                return 0;
            }
            s->rwstate = SSL_NOTHING;
        }
        if (ssl3_check_client_certificate(s))
2683 2684 2685 2686
            return WORK_FINISHED_CONTINUE;

        /* Fall through to WORK_MORE_B */
        wst = WORK_MORE_B;
2687 2688 2689
    }

    /* We need to get a client cert */
2690
    if (wst == WORK_MORE_B) {
2691 2692 2693 2694 2695 2696 2697
        /*
         * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
         * return(-1); We then get retied later
         */
        i = ssl_do_client_cert_cb(s, &x509, &pkey);
        if (i < 0) {
            s->rwstate = SSL_X509_LOOKUP;
2698
            return WORK_MORE_B;
2699 2700 2701 2702 2703 2704 2705
        }
        s->rwstate = SSL_NOTHING;
        if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
            if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
                i = 0;
        } else if (i == 1) {
            i = 0;
2706
            SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
2707 2708 2709
                   SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
        }

R
Rich Salz 已提交
2710
        X509_free(x509);
R
Rich Salz 已提交
2711
        EVP_PKEY_free(pkey);
2712 2713 2714 2715 2716 2717
        if (i && !ssl3_check_client_certificate(s))
            i = 0;
        if (i == 0) {
            if (s->version == SSL3_VERSION) {
                s->s3->tmp.cert_req = 0;
                ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
2718
                return WORK_FINISHED_CONTINUE;
2719 2720
            } else {
                s->s3->tmp.cert_req = 2;
2721
                if (!ssl3_digest_cached_records(s, 0)) {
2722
                    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
2723
                    ossl_statem_set_error(s);
2724 2725
                    return 0;
                }
2726 2727 2728
            }
        }

2729
        return WORK_FINISHED_CONTINUE;
2730 2731
    }

2732 2733 2734 2735
    /* Shouldn't ever get here */
    return WORK_ERROR;
}

2736
int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
2737
{
2738
    if (!ssl3_output_cert_chain(s, pkt,
2739 2740 2741 2742 2743
                                (s->s3->tmp.cert_req ==
                                 2) ? NULL : s->cert->key)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        return 0;
2744
    }
2745 2746

    return 1;
2747 2748 2749
}

#define has_bits(i,m)   (((i)&(m)) == (m))
2750

B
Ben Laurie 已提交
2751
int ssl3_check_cert_and_algorithm(SSL *s)
2752
{
2753 2754 2755 2756
    int i;
#ifndef OPENSSL_NO_EC
    int idx;
#endif
2757 2758
    long alg_k, alg_a;
    EVP_PKEY *pkey = NULL;
2759
    int al = SSL_AD_HANDSHAKE_FAILURE;
2760

2761 2762
    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2763

2764
    /* we don't have a certificate */
2765
    if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
2766
        return (1);
2767

2768
    /* This is the passed certificate */
2769

2770
#ifndef OPENSSL_NO_EC
2771
    idx = s->session->peer_type;
2772
    if (idx == SSL_PKEY_ECC) {
2773
        if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s) == 0) {
2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785
            /* check failed */
            SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
            goto f_err;
        } else {
            return 1;
        }
    } else if (alg_a & SSL_aECDSA) {
        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
               SSL_R_MISSING_ECDSA_SIGNING_CERT);
        goto f_err;
    }
#endif
2786
    pkey = X509_get0_pubkey(s->session->peer);
2787
    i = X509_certificate_type(s->session->peer, pkey);
2788 2789 2790 2791 2792 2793 2794

    /* Check that we have a certificate if we require one */
    if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA | EVP_PKT_SIGN)) {
        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
               SSL_R_MISSING_RSA_SIGNING_CERT);
        goto f_err;
    }
2795
#ifndef OPENSSL_NO_DSA
2796 2797 2798 2799 2800
    else if ((alg_a & SSL_aDSS) && !has_bits(i, EVP_PK_DSA | EVP_PKT_SIGN)) {
        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
               SSL_R_MISSING_DSA_SIGNING_CERT);
        goto f_err;
    }
2801
#endif
2802
#ifndef OPENSSL_NO_RSA
2803 2804 2805 2806 2807
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK) &&
        !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
               SSL_R_MISSING_RSA_ENCRYPTING_CERT);
        goto f_err;
2808
    }
2809
#endif
2810
#ifndef OPENSSL_NO_DH
D
Dr. Stephen Henson 已提交
2811
    if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) {
2812 2813
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
2814 2815
        goto f_err;
    }
2816 2817
#endif

2818 2819
    return (1);
 f_err:
2820
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
2821 2822 2823
    return (0);
}

2824
#ifndef OPENSSL_NO_NEXTPROTONEG
2825
int tls_construct_next_proto(SSL *s, WPACKET *pkt)
2826
{
2827 2828 2829
    size_t len, padding_len;
    unsigned char *padding = NULL;

2830 2831
    len = s->next_proto_negotiated_len;
    padding_len = 32 - ((len + 2) % 32);
2832

2833 2834
    if (!WPACKET_sub_memcpy_u8(pkt, s->next_proto_negotiated, len)
            || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
2835 2836 2837 2838 2839 2840
        SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    memset(padding, 0, padding_len);

2841
    return 1;
2842 2843 2844
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
    return 0;
2845
}
2846
#endif
2847 2848

int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2849 2850
{
    int i = 0;
2851
#ifndef OPENSSL_NO_ENGINE
2852 2853 2854 2855 2856 2857 2858 2859 2860 2861 2862 2863
    if (s->ctx->client_cert_engine) {
        i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
                                        SSL_get_client_CA_list(s),
                                        px509, ppkey, NULL, NULL, NULL);
        if (i != 0)
            return i;
    }
#endif
    if (s->ctx->client_cert_cb)
        i = s->ctx->client_cert_cb(s, px509, ppkey);
    return i;
}
M
Matt Caswell 已提交
2864

M
Matt Caswell 已提交
2865
int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
M
Matt Caswell 已提交
2866
{
2867 2868
    int i;
    size_t totlen = 0, len, maxlen;
M
Matt Caswell 已提交
2869 2870 2871 2872 2873 2874 2875
    int empty_reneg_info_scsv = !s->renegotiate;
    /* Set disabled masks for this session */
    ssl_set_client_disabled(s);

    if (sk == NULL)
        return (0);

2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 2896 2897 2898 2899
#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
#  error Max cipher length too short
# endif
    /*
     * Some servers hang if client hello > 256 bytes as hack workaround
     * chop number of supported ciphers to keep it well below this if we
     * use TLS v1.2
     */
    if (TLS1_get_version(s) >= TLS1_2_VERSION)
        maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
    else
#endif
        /* Maximum length that can be stored in 2 bytes. Length must be even */
        maxlen = 0xfffe;

    if (empty_reneg_info_scsv)
        maxlen -= 2;
    if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
        maxlen -= 2;

    for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
        const SSL_CIPHER *c;

M
Matt Caswell 已提交
2900 2901 2902 2903
        c = sk_SSL_CIPHER_value(sk, i);
        /* Skip disabled ciphers */
        if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
            continue;
2904 2905 2906 2907 2908 2909 2910

        if (!s->method->put_cipher_by_char(c, pkt, &len)) {
            SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
            return 0;
        }

        totlen += len;
M
Matt Caswell 已提交
2911
    }
2912 2913 2914 2915 2916 2917 2918

    if (totlen == 0) {
        SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
        return 0;
    }

    if (totlen != 0) {
M
Matt Caswell 已提交
2919 2920 2921 2922
        if (empty_reneg_info_scsv) {
            static SSL_CIPHER scsv = {
                0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
            };
2923 2924 2925 2926
            if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
                SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
                return 0;
            }
M
Matt Caswell 已提交
2927 2928 2929 2930 2931
        }
        if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
            static SSL_CIPHER scsv = {
                0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
            };
2932 2933 2934 2935
            if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
                SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
                return 0;
            }
M
Matt Caswell 已提交
2936 2937 2938
        }
    }

2939
    return 1;
M
Matt Caswell 已提交
2940
}