statem_srvr.c 105.1 KB
Newer Older
1
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 3 4 5 6
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
7
 *
8 9 10 11 12 13
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
 *
15 16 17 18 19 20
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
21
 *
22 23 24 25 26 27 28 29 30 31 32 33 34 35
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
36
 * 4. If you include any Windows specific code (or a derivative thereof) from
37 38
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
 *
40 41 42 43 44 45 46 47 48 49 50
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
51
 *
52 53 54 55 56
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
57
/* ====================================================================
58
 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
59 60 61 62 63 64
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
65
 *    notice, this list of conditions and the following disclaimer.
66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
B
Bodo Möller 已提交
110 111 112
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
113
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
114 115 116 117 118 119 120 121 122
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
149

150

151
#include <stdio.h>
M
Matt Caswell 已提交
152
#include "../ssl_locl.h"
M
Matt Caswell 已提交
153
#include "statem_locl.h"
154
#include "internal/constant_time_locl.h"
155 156 157 158
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
159
#include <openssl/hmac.h>
160
#include <openssl/x509.h>
R
Rich Salz 已提交
161
#include <openssl/dh.h>
162
#include <openssl/bn.h>
163
#include <openssl/md5.h>
164

165 166 167 168
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                      PACKET *cipher_suites,
                                                      STACK_OF(SSL_CIPHER) **skp,
                                                      int sslv2format, int *al);
M
Matt Caswell 已提交
169

M
Matt Caswell 已提交
170 171 172 173 174 175 176 177 178 179
/*
 * server_read_transition() encapsulates the logic for the allowed handshake
 * state transitions when the server is reading messages from the client. The
 * message type that the client has sent is provided in |mt|. The current state
 * is in |s->statem.hand_state|.
 *
 *  Valid return values are:
 *  1: Success (transition allowed)
 *  0: Error (transition not allowed)
 */
180
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
181
{
M
Matt Caswell 已提交
182
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214

    switch(st->hand_state) {
    case TLS_ST_BEFORE:
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
                && (!s->s3->tmp.cert_request
                    || (!((s->verify_mode & SSL_VERIFY_PEER) &&
                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
                        && (s->version == SSL3_VERSION)))) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
215
            }
M
Matt Caswell 已提交
216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
232
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
233 234
         * set.
         */
235
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
        if (s->s3->next_proto_neg_seen) {
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    default:
        break;
    }

    /* No valid transition found */
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
310
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
311 312 313 314
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
315
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
316 317 318 319 320 321
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
D
Dr. Stephen Henson 已提交
322
    if (alg_k & (SSL_kDHE|SSL_kECDHE)
M
Matt Caswell 已提交
323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
       ) {
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
352
static int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
            * during re-negotiation:
            */
           && ((s->session->peer == NULL) ||
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
           /*
            * ... except when the application insists on
            * verification (against the specs, but s3_clnt.c accepts
            * this for SSL 3)
            */
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
381
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
382 383 384 385 386 387 388 389 390 391
        return 1;
    }

    return 0;
}

/*
 * server_write_transition() works out what handshake state to move to next
 * when the server is writing messages to be sent to the client.
 */
392
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
393
{
M
Matt Caswell 已提交
394
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
395 396 397 398 399 400 401 402 403 404 405 406 407

    switch(st->hand_state) {
        case TLS_ST_BEFORE:
            /* Just go straight to trying to read from the client */;
            return WRITE_TRAN_FINISHED;

        case TLS_ST_OK:
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_HELLO_REQ:
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
408
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SR_CLNT_HELLO:
            if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
                    && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
                st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
            else
                st->hand_state = TLS_ST_SW_SRVR_HELLO;
            return WRITE_TRAN_CONTINUE;

        case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SW_SRVR_HELLO:
            if (s->hit) {
                if (s->tlsext_ticket_expected)
                    st->hand_state = TLS_ST_SW_SESSION_TICKET;
                else
                    st->hand_state = TLS_ST_SW_CHANGE;
            } else {
                /* Check if it is anon DH or anon ECDH, */
                /* normal PSK or SRP */
                if (!(s->s3->tmp.new_cipher->algorithm_auth &
                     (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                    st->hand_state = TLS_ST_SW_CERT;
                } else if (send_server_key_exchange(s)) {
                    st->hand_state = TLS_ST_SW_KEY_EXCH;
                } else if (send_certificate_request(s)) {
                    st->hand_state = TLS_ST_SW_CERT_REQ;
                } else {
                    st->hand_state = TLS_ST_SW_SRVR_DONE;
                }
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CERT:
            if (s->tlsext_status_expected) {
                st->hand_state = TLS_ST_SW_CERT_STATUS;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_STATUS:
            if (send_server_key_exchange(s)) {
                st->hand_state = TLS_ST_SW_KEY_EXCH;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_KEY_EXCH:
            if (send_certificate_request(s)) {
                st->hand_state = TLS_ST_SW_CERT_REQ;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_REQ:
            st->hand_state = TLS_ST_SW_SRVR_DONE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SRVR_DONE:
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SR_FINISHED:
            if (s->hit) {
                st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
475
                ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496
                return WRITE_TRAN_CONTINUE;
            } else if (s->tlsext_ticket_expected) {
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            } else {
                st->hand_state = TLS_ST_SW_CHANGE;
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SESSION_TICKET:
            st->hand_state = TLS_ST_SW_CHANGE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CHANGE:
            st->hand_state = TLS_ST_SW_FINISHED;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_FINISHED:
            if (s->hit) {
                return WRITE_TRAN_FINISHED;
            }
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
497
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
498 499 500 501 502 503 504 505 506 507 508 509
            return WRITE_TRAN_CONTINUE;

        default:
            /* Shouldn't happen */
            return WRITE_TRAN_ERROR;
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
510
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
511
{
M
Matt Caswell 已提交
512
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559

    switch(st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
            dtls1_clear_record_buffer(s);
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
            dtls1_clear_record_buffer(s);
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
             * Messages we write from now on should be bufferred and
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
M
Matt Caswell 已提交
560
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_OK:
        return tls_finish_handshake(s, wst);

    default:
        /* No pre work to be done */
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
589
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
590
{
M
Matt Caswell 已提交
591
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624

    s->init_num = 0;

    switch(st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        ssl3_init_finished_mac(s);
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
        if (s->version != DTLS1_BAD_VER)
            ssl3_init_finished_mac(s);
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
625 626
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
627 628 629 630

            if (SSL_export_keying_material(s, sctpauthkey,
                    sizeof(sctpauthkey), labelbuffer,
                    sizeof(labelbuffer), NULL, 0, 0) <= 0) {
M
Matt Caswell 已提交
631
                ossl_statem_set_error(s);
M
Matt Caswell 已提交
632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
M
Matt Caswell 已提交
654
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        break;

    default:
        /* No post work to be done */
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Construct a message to be sent from the server to the client.
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
697
int ossl_statem_server_construct_message(SSL *s)
M
Matt Caswell 已提交
698
{
M
Matt Caswell 已提交
699
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756

    switch(st->hand_state) {
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return dtls_construct_hello_verify_request(s);

    case TLS_ST_SW_HELLO_REQ:
        return tls_construct_hello_request(s);

    case TLS_ST_SW_SRVR_HELLO:
        return tls_construct_server_hello(s);

    case TLS_ST_SW_CERT:
        return tls_construct_server_certificate(s);

    case TLS_ST_SW_KEY_EXCH:
        return tls_construct_server_key_exchange(s);

    case TLS_ST_SW_CERT_REQ:
        return tls_construct_certificate_request(s);

    case TLS_ST_SW_SRVR_DONE:
        return tls_construct_server_done(s);

    case TLS_ST_SW_SESSION_TICKET:
        return tls_construct_new_session_ticket(s);

    case TLS_ST_SW_CERT_STATUS:
        return tls_construct_cert_status(s);

    case TLS_ST_SW_CHANGE:
        if (SSL_IS_DTLS(s))
            return dtls_construct_change_cipher_spec(s);
        else
            return tls_construct_change_cipher_spec(s);

    case TLS_ST_SW_FINISHED:
        return tls_construct_finished(s,
                                      s->method->
                                      ssl3_enc->server_finished_label,
                                      s->method->
                                      ssl3_enc->server_finished_label_len);

    default:
        /* Shouldn't happen */
        break;
    }

    return 0;
}

#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
757
unsigned long ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
758
{
M
Matt Caswell 已提交
759
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return SSL3_RT_MAX_PLAIN_LENGTH;

    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;

    default:
        /* Shouldn't happen */
        break;
    }

    return 0;
}

/*
 * Process a message that the server has received from the client.
 */
796
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
797
{
M
Matt Caswell 已提交
798
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);

    default:
        /* Shouldn't happen */
        break;
    }

    return MSG_PROCESS_ERROR;
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
836
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
837
{
M
Matt Caswell 已提交
838
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);

    case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
        if (    /* Is this SCTP? */
                BIO_dgram_is_sctp(SSL_get_wbio(s))
                /* Are we renegotiating? */
                && s->renegotiate
                && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
            s->s3->in_read_app_data = 2;
            s->rwstate = SSL_READING;
            BIO_clear_retry_flags(SSL_get_rbio(s));
            BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
858
            ossl_statem_set_sctp_read_sock(s, 1);
M
Matt Caswell 已提交
859 860
            return WORK_MORE_A;
        } else {
M
Matt Caswell 已提交
861
            ossl_statem_set_sctp_read_sock(s, 0);
M
Matt Caswell 已提交
862 863 864 865 866 867 868 869 870 871 872 873
        }
#endif
        return WORK_FINISHED_CONTINUE;

    default:
        break;
    }

    /* Shouldn't happen */
    return WORK_ERROR;
}

B
Ben Laurie 已提交
874
#ifndef OPENSSL_NO_SRP
875
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
896 897
#endif

M
Matt Caswell 已提交
898 899 900 901
int tls_construct_hello_request(SSL *s)
{
    if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
902
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
903 904 905 906 907 908
        return 0;
    }

    return 1;
}

M
Matt Caswell 已提交
909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939
unsigned int dtls_raw_hello_verify_request(unsigned char *buf,
                                            unsigned char *cookie,
                                            unsigned char cookie_len)
{
    unsigned int msg_len;
    unsigned char *p;

    p = buf;
    /* Always use DTLS 1.0 version: see RFC 6347 */
    *(p++) = DTLS1_VERSION >> 8;
    *(p++) = DTLS1_VERSION & 0xFF;

    *(p++) = (unsigned char)cookie_len;
    memcpy(p, cookie, cookie_len);
    p += cookie_len;
    msg_len = p - buf;

    return msg_len;
}

int dtls_construct_hello_verify_request(SSL *s)
{
    unsigned int len;
    unsigned char *buf;

    buf = (unsigned char *)s->init_buf->data;

    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
                                  &(s->d1->cookie_len)) == 0 ||
        s->d1->cookie_len > 255) {
M
Matt Caswell 已提交
940
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
M
Matt Caswell 已提交
941
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
M
Matt Caswell 已提交
942
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
943 944 945 946 947 948
        return 0;
    }

    len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
                                         s->d1->cookie, s->d1->cookie_len);

949
    dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
M
Matt Caswell 已提交
950 951 952 953 954 955 956 957 958 959
                             len);
    len += DTLS1_HM_HEADER_LENGTH;

    /* number of bytes to write */
    s->init_num = len;
    s->init_off = 0;

    return 1;
}

M
Matt Caswell 已提交
960
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
961 962 963 964
{
    int i, al = SSL_AD_INTERNAL_ERROR;
    unsigned int j, complen = 0;
    unsigned long id;
965
    const SSL_CIPHER *c;
M
Matt Caswell 已提交
966 967 968 969
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
970
    int protverr;
M
Matt Caswell 已提交
971
    /* |cookie| will only be initialized for DTLS. */
972
    PACKET session_id, cipher_suites, compression, extensions, cookie;
M
Matt Caswell 已提交
973 974
    int is_v2_record;

975 976
    is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer);

E
Emilia Kasper 已提交
977
    PACKET_null_init(&cookie);
978
    /* First lets get s->client_version set correctly */
979
    if (is_v2_record) {
M
Matt Caswell 已提交
980 981
        unsigned int version;
        unsigned int mt;
982 983 984 985 986 987 988 989 990 991 992 993 994 995 996
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

997
        if (!PACKET_get_1(pkt, &mt)
M
Matt Caswell 已提交
998
                || mt != SSL2_MT_CLIENT_HELLO) {
999 1000 1001 1002 1003
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
1004
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1005
            goto err;
1006 1007
        }

1008
        if (!PACKET_get_net_2(pkt, &version)) {
M
Matt Caswell 已提交
1009
            /* No protocol version supplied! */
M
Matt Caswell 已提交
1010
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
M
Matt Caswell 已提交
1011 1012 1013
            goto err;
        }
        if (version == 0x0002) {
1014
            /* This is real SSLv2. We don't support it. */
M
Matt Caswell 已提交
1015
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1016
            goto err;
M
Matt Caswell 已提交
1017
        } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
1018
            /* SSLv3/TLS */
M
Matt Caswell 已提交
1019
            s->client_version = version;
1020 1021
        } else {
            /* No idea what protocol this is */
M
Matt Caswell 已提交
1022
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1023 1024 1025 1026
            goto err;
        }
    } else {
        /*
M
Matt Caswell 已提交
1027 1028
         * use version from inside client hello, not from record header (may
         * differ: see RFC 2246, Appendix E, second paragraph)
1029
         */
1030
        if(!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
1031
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1032
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
1033 1034
            goto f_err;
        }
1035 1036
    }

1037 1038 1039 1040
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
1041
    if (!SSL_IS_DTLS(s)) {
1042 1043 1044 1045 1046
        protverr = ssl_choose_server_version(s);
    } else if (s->method->version != DTLS_ANY_VERSION &&
               DTLS_VERSION_LT(s->client_version, s->version)) {
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
1047 1048 1049 1050
        protverr = 0;
    }

    if (protverr) {
1051
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
1052
        if ((!s->enc_write_ctx && !s->write_hash)) {
1053 1054 1055 1056 1057 1058 1059 1060 1061 1062
            /*
             * similar to ssl3_get_record, send alert using remote version
             * number
             */
            s->version = s->client_version;
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
    }

1063 1064
    /* Parse the message and load client random. */
    if (is_v2_record) {
1065 1066 1067 1068 1069
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
         * Real SSLv2 is not supported, and is rejected above.
         */
1070
        unsigned int cipher_len, session_id_len, challenge_len;
1071
        PACKET challenge;
1072

1073 1074 1075
        if (!PACKET_get_net_2(pkt, &cipher_len)
                || !PACKET_get_net_2(pkt, &session_id_len)
                || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
1076 1077
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1078 1079
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1080
        }
1081

1082 1083 1084 1085 1086 1087
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1088 1089 1090
        if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
            || !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1091
            /* No extensions. */
1092
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1093 1094
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1095 1096 1097 1098
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }

1099
        /* Load the client random */
1100 1101
        challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
            challenge_len;
1102
        memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
1103 1104 1105
        if (!PACKET_copy_bytes(&challenge,
                               s->s3->client_random + SSL3_RANDOM_SIZE -
                               challenge_len, challenge_len)) {
M
Matt Caswell 已提交
1106
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1107
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1108 1109
            goto f_err;
        }
1110 1111 1112

        PACKET_null_init(&compression);
        PACKET_null_init(&extensions);
1113
    } else {
1114
        /* Regular ClientHello. */
1115 1116
        if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
            || !PACKET_get_length_prefixed_1(pkt, &session_id)) {
M
Matt Caswell 已提交
1117
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1118
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1119 1120
            goto f_err;
        }
1121

1122 1123 1124 1125 1126 1127
        if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1128
        if (SSL_IS_DTLS(s)) {
1129
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1130
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1131
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1132 1133
                goto f_err;
            }
1134 1135 1136 1137 1138 1139 1140
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
                if (PACKET_remaining(&cookie) == 0)
1141
                return 1;
1142
            }
1143
        }
1144

1145 1146
        if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
            || !PACKET_get_length_prefixed_1(pkt, &compression)) {
1147
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1148
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1149 1150 1151
                goto f_err;
        }
        /* Could be empty. */
1152
        extensions = *pkt;
1153 1154
    }

1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
                if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
                                                 PACKET_remaining(&cookie)) == 0) {
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                           SSL_R_COOKIE_MISMATCH);
                    goto f_err;
                    /* else cookie verification succeeded */
                }
            /* default verification */
            } else if (!PACKET_equal(&cookie, s->d1->cookie,
                                     s->d1->cookie_len)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                goto f_err;
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
            protverr = ssl_choose_server_version(s);
            if (protverr != 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
        }
    }

1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211
    s->hit = 0;

    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
    if (is_v2_record ||
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
        i = ssl_get_prev_session(s, &extensions, &session_id);
1212
        /*
1213 1214 1215 1216 1217 1218 1219
         * Only resume if the session's version matches the negotiated
         * version.
         * RFC 5246 does not provide much useful advice on resumption
         * with a different protocol version. It doesn't forbid it but
         * the sanity of such behaviour would be questionable.
         * In practice, clients do not accept a version mismatch and
         * will abort the handshake with an error.
1220
         */
1221 1222 1223 1224 1225
        if (i == 1 && s->version == s->session->ssl_version) {
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
            goto err;
1226
        } else {
1227 1228
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1229
                goto err;
1230
        }
1231
    }
1232

1233 1234
    if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
                                 is_v2_record, &al) == NULL) {
1235 1236
        goto f_err;
    }
1237

1238 1239 1240 1241
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1242

1243
#ifdef CIPHER_DEBUG
1244 1245
        fprintf(stderr, "client sent %d ciphers\n",
                sk_SSL_CIPHER_num(ciphers));
1246
#endif
1247 1248
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1249
#ifdef CIPHER_DEBUG
1250 1251
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1252
#endif
1253 1254 1255
            if (c->id == id) {
                j = 1;
                break;
1256
            }
1257
        }
1258
        if (j == 0) {
1259
            /*
1260 1261
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1262
             */
1263
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1264
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1265
                   SSL_R_REQUIRED_CIPHER_MISSING);
1266 1267
            goto f_err;
        }
1268
    }
M
Matt Caswell 已提交
1269

1270 1271 1272 1273
    complen = PACKET_remaining(&compression);
    for (j = 0; j < complen; j++) {
        if (PACKET_data(&compression)[j] == 0)
            break;
1274
    }
1275

1276 1277 1278
    if (j >= complen) {
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1279
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1280 1281
        goto f_err;
    }
1282

1283 1284
    /* TLS extensions */
    if (s->version >= SSL3_VERSION) {
1285
        if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
M
Matt Caswell 已提交
1286
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305
            goto err;
        }
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1306
        const SSL_CIPHER *pref_cipher = NULL;
1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327

        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length, ciphers,
                                     &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
            pref_cipher =
                pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
                                                               s->
                                                               session->ciphers,
                                                               SSL_get_ciphers
                                                               (s));
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1328
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1329 1330 1331 1332
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1333
            sk_SSL_CIPHER_free(s->cipher_list);
1334
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1335
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1336 1337 1338
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1339

1340 1341
    /*
     * Worst case, we will use the NULL compression, but if we have other
1342
     * options, we will now look for them.  We have complen-1 compression
1343 1344 1345
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1346
#ifndef OPENSSL_NO_COMP
1347 1348 1349
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1350
        unsigned int k;
1351 1352 1353
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
M
Matt Caswell 已提交
1354
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
M
Matt Caswell 已提交
1367
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1368 1369 1370 1371
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
M
Matt Caswell 已提交
1372
        for (k = 0; k < complen; k++) {
1373
            if (PACKET_data(&compression)[k] == comp_id)
1374 1375
                break;
        }
M
Matt Caswell 已提交
1376
        if (k >= complen) {
1377
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1378
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1379 1380 1381 1382 1383 1384
                   SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1385
        /* See if we have a match */
M
Matt Caswell 已提交
1386 1387
        int m, nn, v, done = 0;
        unsigned int o;
1388 1389 1390 1391 1392

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1393
            for (o = 0; o < complen; o++) {
1394
                if (v == PACKET_data(&compression)[o]) {
1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1407
#else
1408 1409 1410 1411 1412
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
M
Matt Caswell 已提交
1413
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1414 1415
        goto f_err;
    }
1416
#endif
1417

1418 1419 1420
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1421

1422
    if (!s->hit) {
1423
#ifdef OPENSSL_NO_COMP
1424
        s->session->compress_meth = 0;
1425
#else
1426
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1427
#endif
R
Rich Salz 已提交
1428
        sk_SSL_CIPHER_free(s->session->ciphers);
1429 1430
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1431
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1432
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1433 1434 1435 1436
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
M
Matt Caswell 已提交
1437
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1438 1439
            goto err;
        }
M
Matt Caswell 已提交
1440 1441 1442 1443 1444 1445 1446
    }

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1447
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1448 1449 1450 1451 1452 1453

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_ERROR;

}

M
Matt Caswell 已提交
1454
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1455
{
M
Matt Caswell 已提交
1456
    int al = SSL_AD_HANDSHAKE_FAILURE;
1457
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473

    if (wst == WORK_MORE_A) {
        if (!s->hit) {
            /* Let cert callback update server certificates if required */
            if (s->cert->cert_cb) {
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_A;
                }
                s->rwstate = SSL_NOTHING;
1474
            }
M
Matt Caswell 已提交
1475 1476 1477 1478 1479
            cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

            if (cipher == NULL) {
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
                goto f_err;
1480
            }
M
Matt Caswell 已提交
1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491
            s->s3->tmp.new_cipher = cipher;
            /* check whether we should disable session resumption */
            if (s->not_resumable_session_cb != NULL)
                s->session->not_resumable = s->not_resumable_session_cb(s,
                    ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
            if (s->session->not_resumable)
                /* do not send a session ticket */
                s->tlsext_ticket_expected = 0;
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
1492 1493
        }

1494
        if (!(s->verify_mode & SSL_VERIFY_PEER)) {
M
Matt Caswell 已提交
1495 1496
            if (!ssl3_digest_cached_records(s, 0)) {
                al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1497
                goto f_err;
M
Matt Caswell 已提交
1498
            }
1499 1500
        }

M
Matt Caswell 已提交
1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511
        /*-
         * we now have the following setup.
         * client_random
         * cipher_list          - our prefered list of ciphers
         * ciphers              - the clients prefered list of ciphers
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
1512

M
Matt Caswell 已提交
1513 1514 1515
        /* Handles TLS extensions that we couldn't check earlier */
        if (s->version >= SSL3_VERSION) {
            if (ssl_check_clienthello_tlsext_late(s) <= 0) {
M
Matt Caswell 已提交
1516 1517
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_CLIENTHELLO_TLSEXT);
M
Matt Caswell 已提交
1518 1519 1520
                goto f_err;
            }
        }
1521

M
Matt Caswell 已提交
1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542
        wst = WORK_MORE_B;
    }
#ifndef OPENSSL_NO_SRP
    if (wst == WORK_MORE_B) {
        int ret;
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_B;
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CLIENTHELLO_TLSEXT);
            goto f_err;
1543 1544
        }
    }
M
Matt Caswell 已提交
1545 1546
#endif
    s->renegotiate = 2;
1547

M
Matt Caswell 已提交
1548
    return WORK_FINISHED_STOP;
1549
 f_err:
M
Matt Caswell 已提交
1550
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1551
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1552 1553 1554 1555
    return WORK_ERROR;
}

int tls_construct_server_hello(SSL *s)
1556 1557 1558 1559 1560 1561 1562
{
    unsigned char *buf;
    unsigned char *p, *d;
    int i, sl;
    int al = 0;
    unsigned long l;

M
Matt Caswell 已提交
1563
    buf = (unsigned char *)s->init_buf->data;
1564

M
Matt Caswell 已提交
1565 1566
    /* Do the message type and length last */
    d = p = ssl_handshake_start(s);
1567

M
Matt Caswell 已提交
1568 1569
    *(p++) = s->version >> 8;
    *(p++) = s->version & 0xff;
1570

M
Matt Caswell 已提交
1571 1572 1573 1574 1575 1576
    /*
     * Random stuff. Filling of the server_random takes place in
     * tls_process_client_hello()
     */
    memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
    p += SSL3_RANDOM_SIZE;
1577

M
Matt Caswell 已提交
1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

    sl = s->session->session_id_length;
    if (sl > (int)sizeof(s->session->session_id)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1602
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1603 1604 1605 1606 1607
        return 0;
    }
    *(p++) = sl;
    memcpy(p, s->session->session_id, sl);
    p += sl;
1608

M
Matt Caswell 已提交
1609 1610 1611
    /* put the cipher */
    i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
    p += i;
1612

M
Matt Caswell 已提交
1613
    /* put the compression method */
1614
#ifdef OPENSSL_NO_COMP
M
Matt Caswell 已提交
1615
    *(p++) = 0;
1616
#else
M
Matt Caswell 已提交
1617 1618 1619 1620
    if (s->s3->tmp.new_compression == NULL)
        *(p++) = 0;
    else
        *(p++) = s->s3->tmp.new_compression->id;
1621
#endif
1622

M
Matt Caswell 已提交
1623 1624
    if (ssl_prepare_serverhello_tlsext(s) <= 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
M
Matt Caswell 已提交
1625
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1626 1627 1628 1629 1630 1631 1632
        return 0;
    }
    if ((p =
         ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
                                    &al)) == NULL) {
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1633
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1634 1635
        return 0;
    }
1636

M
Matt Caswell 已提交
1637 1638 1639 1640
    /* do the header */
    l = (p - d);
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1641
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1642
        return 0;
1643
    }
1644

M
Matt Caswell 已提交
1645
    return 1;
1646
}
1647

M
Matt Caswell 已提交
1648 1649 1650 1651
int tls_construct_server_done(SSL *s)
{
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1652
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1653 1654 1655 1656 1657
        return 0;
    }

    if (!s->s3->tmp.cert_request) {
        if (!ssl3_digest_cached_records(s, 0)) {
M
Matt Caswell 已提交
1658
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
1659 1660 1661 1662 1663 1664 1665
        }
    }

    return 1;
}

int tls_construct_server_key_exchange(SSL *s)
1666
{
1667
#ifndef OPENSSL_NO_DH
1668
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
1669
#endif
1670
#ifndef OPENSSL_NO_EC
1671 1672 1673
    unsigned char *encodedPoint = NULL;
    int encodedlen = 0;
    int curve_id = 0;
1674
#endif
1675 1676 1677 1678 1679 1680 1681 1682 1683
    EVP_PKEY *pkey;
    const EVP_MD *md = NULL;
    unsigned char *p, *d;
    int al, i;
    unsigned long type;
    int n;
    BIGNUM *r[4];
    int nr[4], kn;
    BUF_MEM *buf;
1684
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
1685

1686 1687 1688 1689 1690
    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
1691

M
Matt Caswell 已提交
1692 1693 1694
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    buf = s->init_buf;
1695

M
Matt Caswell 已提交
1696 1697
    r[0] = r[1] = r[2] = r[3] = NULL;
    n = 0;
1698
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709
    if (type & SSL_PSK) {
        /*
         * reserve size for record length and PSK identity hint
         */
        n += 2;
        if (s->cert->psk_identity_hint)
            n += strlen(s->cert->psk_identity_hint);
    }
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
1710
#endif                          /* !OPENSSL_NO_PSK */
1711
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
1712
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
1713 1714
        CERT *cert = s->cert;

1715 1716 1717
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
1718
        if (s->cert->dh_tmp_auto) {
1719 1720 1721 1722
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
M
Matt Caswell 已提交
1723 1724
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
1725
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1726
                goto f_err;
1727
            }
1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
M
Matt Caswell 已提交
1745 1746 1747 1748 1749 1750
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
1751
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
M
Matt Caswell 已提交
1752 1753 1754 1755 1756
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
1757
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1758 1759 1760 1761
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
1762

1763
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp, NID_undef);
M
Matt Caswell 已提交
1764

1765 1766
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1767
            goto err;
M
Matt Caswell 已提交
1768
        }
1769 1770 1771 1772 1773 1774

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
1775 1776 1777 1778
        r[0] = dh->p;
        r[1] = dh->g;
        r[2] = dh->pub_key;
    } else
1779
#endif
1780
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1781
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1782
        int nid;
M
Matt Caswell 已提交
1783

D
Dr. Stephen Henson 已提交
1784
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1785 1786 1787 1788 1789
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

1790 1791 1792 1793
        /* Get NID of appropriate shared curve */
        nid = tls1_shared_curve(s, -2);
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
1794 1795 1796 1797
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
1798 1799 1800
        s->s3->tmp.pkey = ssl_generate_pkey(NULL, nid);
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
1801
            al = SSL_AD_INTERNAL_ERROR;
D
Dr. Stephen Henson 已提交
1802
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1803 1804 1805
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
1806 1807 1808
        /* Encode the public key. */
        encodedlen = EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(s->s3->tmp.pkey),
                                    POINT_CONVERSION_UNCOMPRESSED,
1809
                                    &encodedPoint, NULL);
1810

M
Matt Caswell 已提交
1811
        if (encodedlen == 0) {
1812
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
1813 1814
            goto err;
        }
1815

M
Matt Caswell 已提交
1816
        /*
1817 1818 1819
         * We only support named (not generic) curves in ECDH ephemeral key
         * exchanges. In this situation, we need four additional bytes to
         * encode the entire ServerECDHParams structure.
M
Matt Caswell 已提交
1820 1821
         */
        n += 4 + encodedlen;
1822

M
Matt Caswell 已提交
1823 1824 1825 1826 1827 1828 1829 1830 1831
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
1832
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
1833
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1834 1835 1836 1837 1838 1839 1840
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
1841
        }
M
Matt Caswell 已提交
1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
    for (i = 0; i < 4 && r[i] != NULL; i++) {
        nr[i] = BN_num_bytes(r[i]);
B
Ben Laurie 已提交
1856
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1857 1858 1859
        if ((i == 2) && (type & SSL_kSRP))
            n += 1 + nr[i];
        else
B
Ben Laurie 已提交
1860
#endif
M
Matt Caswell 已提交
1861 1862
            n += 2 + nr[i];
    }
1863

M
Matt Caswell 已提交
1864 1865 1866 1867 1868 1869
    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
        && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
        if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
            == NULL) {
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1870
        }
M
Matt Caswell 已提交
1871 1872 1873 1874 1875
        kn = EVP_PKEY_size(pkey);
    } else {
        pkey = NULL;
        kn = 0;
    }
1876

M
Matt Caswell 已提交
1877 1878 1879 1880 1881
    if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
        goto err;
    }
    d = p = ssl_handshake_start(s);
1882

1883
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1884 1885 1886 1887 1888 1889 1890 1891 1892
    if (type & SSL_PSK) {
        /* copy PSK identity hint */
        if (s->cert->psk_identity_hint) {
            s2n(strlen(s->cert->psk_identity_hint), p);
            strncpy((char *)p, s->cert->psk_identity_hint,
                    strlen(s->cert->psk_identity_hint));
            p += strlen(s->cert->psk_identity_hint);
        } else {
            s2n(0, p);
1893
        }
M
Matt Caswell 已提交
1894
    }
1895 1896
#endif

M
Matt Caswell 已提交
1897
    for (i = 0; i < 4 && r[i] != NULL; i++) {
B
Ben Laurie 已提交
1898
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1899 1900 1901 1902
        if ((i == 2) && (type & SSL_kSRP)) {
            *p = nr[i];
            p++;
        } else
B
Ben Laurie 已提交
1903
#endif
M
Matt Caswell 已提交
1904 1905 1906 1907
            s2n(nr[i], p);
        BN_bn2bin(r[i], p);
        p += nr[i];
    }
1908

1909
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
         * XXX: For now, we only support named (not generic) curves. In
         * this situation, the serverKeyExchange message has: [1 byte
         * CurveType], [2 byte CurveName] [1 byte length of encoded
         * point], followed by the actual encoded point itself
         */
        *p = NAMED_CURVE_TYPE;
        p += 1;
        *p = 0;
        p += 1;
        *p = curve_id;
        p += 1;
        *p = encodedlen;
        p += 1;
        memcpy(p, encodedPoint, encodedlen);
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
        p += encodedlen;
    }
B
Bodo Möller 已提交
1930 1931
#endif

M
Matt Caswell 已提交
1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946
    /* not anonymous */
    if (pkey != NULL) {
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
        if (md) {
            /* send signature algorithm */
            if (SSL_USE_SIGALGS(s)) {
                if (!tls12_get_sigandhash(p, pkey, md)) {
                    /* Should never happen */
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
1947
                }
M
Matt Caswell 已提交
1948 1949
                p += 2;
            }
1950
#ifdef SSL_DEBUG
M
Matt Caswell 已提交
1951
            fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
1952
#endif
1953 1954
            if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0
                    || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
1955
                                      SSL3_RANDOM_SIZE) <= 0
1956
                    || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
1957
                                      SSL3_RANDOM_SIZE) <= 0
1958 1959
                    || EVP_SignUpdate(md_ctx, d, n) <= 0
                    || EVP_SignFinal(md_ctx, &(p[2]),
1960
                               (unsigned int *)&i, pkey) <= 0) {
M
Matt Caswell 已提交
1961
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
1962 1963
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
1964
            }
M
Matt Caswell 已提交
1965 1966 1967 1968 1969 1970
            s2n(i, p);
            n += i + 2;
            if (SSL_USE_SIGALGS(s))
                n += 2;
        } else {
            /* Is this error check actually needed? */
M
Matt Caswell 已提交
1971
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1972 1973
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNKNOWN_PKEY_TYPE);
M
Matt Caswell 已提交
1974 1975
            goto f_err;
        }
1976 1977
    }

M
Matt Caswell 已提交
1978 1979 1980 1981 1982 1983
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

1984
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
1985
    return 1;
1986 1987 1988
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
1989 1990 1991
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
1992
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
1993
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
1994
#endif
1995
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
1996
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1997
    return 0;
1998
}
1999

M
Matt Caswell 已提交
2000
int tls_construct_certificate_request(SSL *s)
2001 2002 2003 2004 2005 2006 2007
{
    unsigned char *p, *d;
    int i, j, nl, off, n;
    STACK_OF(X509_NAME) *sk = NULL;
    X509_NAME *name;
    BUF_MEM *buf;

M
Matt Caswell 已提交
2008
    buf = s->init_buf;
2009

M
Matt Caswell 已提交
2010
    d = p = ssl_handshake_start(s);
2011

M
Matt Caswell 已提交
2012 2013 2014 2015 2016 2017
    /* get the list of acceptable cert types */
    p++;
    n = ssl3_get_req_cert_type(s, p);
    d[0] = n;
    p += n;
    n++;
2018

M
Matt Caswell 已提交
2019 2020 2021 2022 2023
    if (SSL_USE_SIGALGS(s)) {
        const unsigned char *psigs;
        unsigned char *etmp = p;
        nl = tls12_get_psigalgs(s, &psigs);
        /* Skip over length for now */
2024
        p += 2;
M
Matt Caswell 已提交
2025 2026 2027 2028 2029 2030
        nl = tls12_copy_sigalgs(s, p, psigs, nl);
        /* Now fill in length */
        s2n(nl, etmp);
        p += nl;
        n += nl + 2;
    }
2031

M
Matt Caswell 已提交
2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046
    off = n;
    p += 2;
    n += 2;

    sk = SSL_get_client_CA_list(s);
    nl = 0;
    if (sk != NULL) {
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
            name = sk_X509_NAME_value(sk, i);
            j = i2d_X509_NAME(name, NULL);
            if (!BUF_MEM_grow_clean
                (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_BUF_LIB);
                goto err;
2047
            }
M
Matt Caswell 已提交
2048 2049 2050 2051 2052
            p = ssl_handshake_start(s) + n;
            s2n(j, p);
            i2d_X509_NAME(name, &p);
            n += 2 + j;
            nl += 2 + j;
2053
        }
M
Matt Caswell 已提交
2054 2055 2056 2057
    }
    /* else no CA names */
    p = ssl_handshake_start(s) + off;
    s2n(nl, p);
2058

M
Matt Caswell 已提交
2059 2060 2061
    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
2062
    }
2063

M
Matt Caswell 已提交
2064 2065 2066
    s->s3->tmp.cert_request = 1;

    return 1;
2067
 err:
M
Matt Caswell 已提交
2068
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2069
    return 0;
2070
}
2071

M
Matt Caswell 已提交
2072
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2073 2074
{
    int al;
2075
    unsigned long alg_k;
2076
#ifndef OPENSSL_NO_RSA
2077
    RSA *rsa = NULL;
2078
#endif
D
Dr. Stephen Henson 已提交
2079
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
D
Dr. Stephen Henson 已提交
2080
    EVP_PKEY *ckey = NULL;
B
Bodo Möller 已提交
2081
#endif
2082
    PACKET enc_premaster;
E
Emilia Kasper 已提交
2083 2084
    const unsigned char *data;
    unsigned char *rsa_decrypt = NULL;
B
Bodo Möller 已提交
2085

2086
    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2087

2088 2089 2090 2091 2092
#ifndef OPENSSL_NO_PSK
    /* For PSK parse and retrieve identity, obtain PSK key */
    if (alg_k & SSL_PSK) {
        unsigned char psk[PSK_MAX_PSK_LEN];
        size_t psklen;
2093
        PACKET psk_identity;
2094

2095
        if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
2096
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2097
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2098 2099
            goto f_err;
        }
2100
        if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2101
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2102
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2103 2104 2105 2106 2107
                   SSL_R_DATA_LENGTH_TOO_LONG);
            goto f_err;
        }
        if (s->psk_server_callback == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2108
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2109 2110 2111 2112
                   SSL_R_PSK_NO_SERVER_CB);
            goto f_err;
        }

2113
        if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
M
Matt Caswell 已提交
2114
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2115
            al = SSL_AD_INTERNAL_ERROR;
2116 2117
            goto f_err;
        }
2118 2119 2120 2121 2122 2123

        psklen = s->psk_server_callback(s, s->session->psk_identity,
                                         psk, sizeof(psk));

        if (psklen > PSK_MAX_PSK_LEN) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2124
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2125 2126 2127 2128 2129
            goto f_err;
        } else if (psklen == 0) {
            /*
             * PSK related to the given identity not found
             */
M
Matt Caswell 已提交
2130
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2131 2132 2133 2134 2135 2136
                   SSL_R_PSK_IDENTITY_NOT_FOUND);
            al = SSL_AD_UNKNOWN_PSK_IDENTITY;
            goto f_err;
        }

        OPENSSL_free(s->s3->tmp.psk);
R
Rich Salz 已提交
2137
        s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
2138 2139 2140 2141
        OPENSSL_cleanse(psk, psklen);

        if (s->s3->tmp.psk == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2142
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2143 2144 2145 2146 2147 2148 2149
            goto f_err;
        }

        s->s3->tmp.psklen = psklen;
    }
    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
2150
        if (PACKET_remaining(pkt) != 0) {
2151
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2152
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2153 2154 2155 2156 2157
            goto f_err;
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2158
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2159 2160 2161 2162
            goto f_err;
        }
    } else
#endif
2163
#ifndef OPENSSL_NO_RSA
2164
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
2165 2166 2167 2168 2169 2170
        unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
        int decrypt_len;
        unsigned char decrypt_good, version_good;
        size_t j;

        /* FIX THIS UP EAY EAY EAY EAY */
D
Dr. Stephen Henson 已提交
2171 2172
        rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
        if (rsa == NULL) {
2173 2174 2175 2176
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_RSA_CERTIFICATE);
            goto f_err;
2177 2178
        }

2179 2180
        /* SSLv3 and pre-standard DTLS omit the length bytes. */
        if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
2181
            enc_premaster = *pkt;
2182
        } else {
2183 2184
            if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
                || PACKET_remaining(pkt) != 0) {
2185 2186 2187 2188
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
2189
            }
2190 2191 2192
        }

        /*
2193 2194 2195 2196
         * We want to be sure that the plaintext buffer size makes it safe to
         * iterate over the entire size of a premaster secret
         * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
         * their ciphertext cannot accommodate a premaster secret anyway.
2197
         */
2198 2199
        if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2200
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2201
                   RSA_R_KEY_SIZE_TOO_SMALL);
2202 2203 2204
            goto f_err;
        }

2205 2206
        rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
        if (rsa_decrypt == NULL) {
2207
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2208
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2209 2210
            goto f_err;
        }
2211

2212 2213 2214 2215 2216 2217 2218 2219
        /*
         * We must not leak whether a decryption failure occurs because of
         * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
         * section 7.4.7.1). The code follows that advice of the TLS RFC and
         * generates a random premaster secret for the case that the decrypt
         * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
         */

M
Matt Caswell 已提交
2220
        if (RAND_bytes(rand_premaster_secret,
2221
                       sizeof(rand_premaster_secret)) <= 0) {
2222
            goto err;
2223 2224 2225 2226 2227
        }

        decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
                                          PACKET_data(&enc_premaster),
                                          rsa_decrypt, rsa, RSA_PKCS1_PADDING);
2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245
        ERR_clear_error();

        /*
         * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
         * be 0xff if so and zero otherwise.
         */
        decrypt_good =
            constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);

        /*
         * If the version in the decrypted pre-master secret is correct then
         * version_good will be 0xff, otherwise it'll be zero. The
         * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
         * (http://eprint.iacr.org/2003/052/) exploits the version number
         * check as a "bad version oracle". Thus version checks are done in
         * constant time and are treated like any other decryption error.
         */
        version_good =
2246 2247
            constant_time_eq_8(rsa_decrypt[0],
                               (unsigned)(s->client_version >> 8));
2248
        version_good &=
2249 2250
            constant_time_eq_8(rsa_decrypt[1],
                               (unsigned)(s->client_version & 0xff));
2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263

        /*
         * The premaster secret must contain the same version number as the
         * ClientHello to detect version rollback attacks (strangely, the
         * protocol does not offer such protection for DH ciphersuites).
         * However, buggy clients exist that send the negotiated protocol
         * version instead if the server does not support the requested
         * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
         * clients.
         */
        if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
            unsigned char workaround_good;
            workaround_good =
2264
                constant_time_eq_8(rsa_decrypt[0], (unsigned)(s->version >> 8));
2265
            workaround_good &=
2266 2267
                constant_time_eq_8(rsa_decrypt[1],
                                   (unsigned)(s->version & 0xff));
2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283
            version_good |= workaround_good;
        }

        /*
         * Both decryption and version must be good for decrypt_good to
         * remain non-zero (0xff).
         */
        decrypt_good &= version_good;

        /*
         * Now copy rand_premaster_secret over from p using
         * decrypt_good_mask. If decryption failed, then p does not
         * contain valid plaintext, however, a check above guarantees
         * it is still sufficiently large to read from.
         */
        for (j = 0; j < sizeof(rand_premaster_secret); j++) {
2284 2285 2286
            rsa_decrypt[j] =
                constant_time_select_8(decrypt_good, rsa_decrypt[j],
                                       rand_premaster_secret[j]);
2287 2288
        }

2289 2290
        if (!ssl_generate_master_secret(s, rsa_decrypt,
                                        sizeof(rand_premaster_secret), 0)) {
M
Matt Caswell 已提交
2291
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2292
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2293 2294
            goto f_err;
        }
2295 2296
        OPENSSL_free(rsa_decrypt);
        rsa_decrypt = NULL;
2297
    } else
U
Ulf Möller 已提交
2298
#endif
2299
#ifndef OPENSSL_NO_DH
D
Dr. Stephen Henson 已提交
2300
    if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2301 2302
        EVP_PKEY *skey = NULL;
        DH *cdh;
2303
        unsigned int i;
2304

2305
        if (!PACKET_get_net_2(pkt, &i)) {
2306
            if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
M
Matt Caswell 已提交
2307
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2308
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
M
Matt Caswell 已提交
2309 2310 2311
                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
                goto f_err;
            }
2312
            i = 0;
M
Matt Caswell 已提交
2313
        }
2314
        if (PACKET_remaining(pkt) != i) {
2315 2316 2317
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
            goto err;
2318
        }
2319 2320
        skey = s->s3->tmp.pkey;
        if (skey == NULL) {
2321
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2322
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2323 2324
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
2325
        }
2326

2327
        if (PACKET_remaining(pkt) == 0L) {
D
Dr. Stephen Henson 已提交
2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!PACKET_get_bytes(pkt, &data, i)) {
            /* We already checked we have enough data */
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
2339
        }
2340 2341
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
M
Matt Caswell 已提交
2342
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2343 2344
            goto err;
        }
2345 2346 2347 2348
        cdh = EVP_PKEY_get0_DH(ckey);
        cdh->pub_key = BN_bin2bn(data, i, NULL);
        if (cdh->pub_key == NULL) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2349 2350 2351
            goto err;
        }

2352
        if (ssl_derive(s, skey, ckey) == 0) {
M
Matt Caswell 已提交
2353
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2354
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2355 2356
            goto f_err;
        }
2357 2358 2359

        EVP_PKEY_free(ckey);
        ckey = NULL;
2360 2361
        EVP_PKEY_free(s->s3->tmp.pkey);
        s->s3->tmp.pkey = NULL;
2362

2363
    } else
2364
#endif
B
Bodo Möller 已提交
2365

2366
#ifndef OPENSSL_NO_EC
D
Dr. Stephen Henson 已提交
2367 2368
    if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        EVP_PKEY *skey = s->s3->tmp.pkey;
2369

2370
        if (PACKET_remaining(pkt) == 0L) {
D
Dr. Stephen Henson 已提交
2371 2372 2373 2374 2375
            /* We don't support ECDH client auth */
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_ECDH_KEY);
            goto f_err;
2376
        } else {
2377 2378
            unsigned int i;

2379 2380 2381 2382 2383 2384
            /*
             * Get client's public key from encoded point in the
             * ClientKeyExchange message.
             */

            /* Get encoded point length */
2385
            if (!PACKET_get_1(pkt, &i)) {
2386
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2387
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2388 2389 2390
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
2391 2392
            if (!PACKET_get_bytes(pkt, &data, i)
                    || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
2393
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2394 2395
                goto err;
            }
D
Dr. Stephen Henson 已提交
2396 2397 2398 2399 2400 2401 2402
            ckey = EVP_PKEY_new();
            if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EVP_LIB);
                goto err;
            }
            if (EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(ckey), data, i,
                               NULL) == 0) {
M
Matt Caswell 已提交
2403
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2404 2405 2406 2407
                goto err;
            }
        }

D
Dr. Stephen Henson 已提交
2408
        if (ssl_derive(s, skey, ckey) == 0) {
M
Matt Caswell 已提交
2409
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2410
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2411 2412
            goto f_err;
        }
D
Dr. Stephen Henson 已提交
2413 2414 2415

        EVP_PKEY_free(ckey);
        ckey = NULL;
2416 2417
        EVP_PKEY_free(s->s3->tmp.pkey);
        s->s3->tmp.pkey = NULL;
D
Dr. Stephen Henson 已提交
2418

M
Matt Caswell 已提交
2419
        return MSG_PROCESS_CONTINUE_PROCESSING;
2420
    } else
2421
#endif
B
Ben Laurie 已提交
2422
#ifndef OPENSSL_NO_SRP
2423
    if (alg_k & SSL_kSRP) {
2424 2425
        unsigned int i;

2426 2427
        if (!PACKET_get_net_2(pkt, &i)
                || !PACKET_get_bytes(pkt, &data, i)) {
2428
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2429
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2430 2431
            goto f_err;
        }
2432
        if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
M
Matt Caswell 已提交
2433
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2434 2435 2436 2437 2438
            goto err;
        }
        if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
            || BN_is_zero(s->srp_ctx.A)) {
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
2439
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2440 2441 2442
                   SSL_R_BAD_SRP_PARAMETERS);
            goto f_err;
        }
R
Rich Salz 已提交
2443
        OPENSSL_free(s->session->srp_username);
R
Rich Salz 已提交
2444
        s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
2445
        if (s->session->srp_username == NULL) {
M
Matt Caswell 已提交
2446
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2447 2448 2449
            goto err;
        }

2450
        if (!srp_generate_server_master_secret(s)) {
M
Matt Caswell 已提交
2451
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2452 2453 2454 2455
            goto err;
        }
    } else
#endif                          /* OPENSSL_NO_SRP */
M
Matt Caswell 已提交
2456
#ifndef OPENSSL_NO_GOST
2457 2458 2459
    if (alg_k & SSL_kGOST) {
        EVP_PKEY_CTX *pkey_ctx;
        EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
E
Emilia Kasper 已提交
2460 2461
        unsigned char premaster_secret[32];
        const unsigned char *start;
2462 2463 2464 2465
        size_t outlen = 32, inlen;
        unsigned long alg_a;
        int Ttag, Tclass;
        long Tlen;
2466
        long sess_key_len;
2467 2468 2469

        /* Get our certificate private key */
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2470 2471 2472 2473 2474 2475 2476 2477 2478 2479 2480 2481
        if (alg_a & SSL_aGOST12) {
            /*
             * New GOST ciphersuites have SSL_aGOST01 bit too
             */
            pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
            }
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
            }
        } else if (alg_a & SSL_aGOST01) {
2482
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2483
        }
2484 2485

        pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2486 2487 2488 2489 2490
        if (pkey_ctx == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }
2491 2492 2493 2494 2495
        if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2496 2497 2498 2499 2500 2501
        /*
         * If client certificate is present and is of the same type, maybe
         * use it for key exchange.  Don't mind errors from
         * EVP_PKEY_derive_set_peer, because it is completely valid to use a
         * client certificate for authorization only.
         */
2502
        client_pub_pkey = X509_get0_pubkey(s->session->peer);
2503 2504 2505 2506 2507
        if (client_pub_pkey) {
            if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
                ERR_clear_error();
        }
        /* Decrypt session key */
2508 2509
        sess_key_len = PACKET_remaining(pkt);
        if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
2510
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2511
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2512
            goto gerr;
2513
        }
2514 2515 2516
        if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag,
                             &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
            || Ttag != V_ASN1_SEQUENCE
2517
            || Tclass != V_ASN1_UNIVERSAL) {
2518
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2519
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2520 2521 2522
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
2523
        start = data;
2524 2525 2526
        inlen = Tlen;
        if (EVP_PKEY_decrypt
            (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
M
Matt Caswell 已提交
2527
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2528
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2529 2530 2531 2532
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
        /* Generate master secret */
2533 2534
        if (!ssl_generate_master_secret(s, premaster_secret,
                                        sizeof(premaster_secret), 0)) {
M
Matt Caswell 已提交
2535
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2536
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2537
            goto gerr;
M
Matt Caswell 已提交
2538
        }
2539 2540 2541
        /* Check if pubkey from client certificate was used */
        if (EVP_PKEY_CTX_ctrl
            (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2542
            s->statem.no_cert_verify = 1;
M
Matt Caswell 已提交
2543 2544 2545

        EVP_PKEY_CTX_free(pkey_ctx);
        return MSG_PROCESS_CONTINUE_PROCESSING;
2546 2547
 gerr:
        EVP_PKEY_CTX_free(pkey_ctx);
2548
        goto f_err;
M
Matt Caswell 已提交
2549 2550 2551
    } else
#endif
    {
2552
        al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2553
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
2554 2555 2556
        goto f_err;
    }

M
Matt Caswell 已提交
2557
    return MSG_PROCESS_CONTINUE_PROCESSING;
2558 2559
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
2560
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
2561
 err:
B
Bodo Möller 已提交
2562
#endif
D
Dr. Stephen Henson 已提交
2563
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
D
Dr. Stephen Henson 已提交
2564
    EVP_PKEY_free(ckey);
2565
#endif
2566
    OPENSSL_free(rsa_decrypt);
2567 2568 2569
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
2570
#endif
M
Matt Caswell 已提交
2571
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2572
    return MSG_PROCESS_ERROR;
2573
}
2574

M
Matt Caswell 已提交
2575
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
2576 2577
{
#ifndef OPENSSL_NO_SCTP
2578 2579 2580 2581 2582 2583 2584 2585
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
2586 2587
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
2588 2589 2590 2591

            if (SSL_export_keying_material(s, sctpauthkey,
                                       sizeof(sctpauthkey), labelbuffer,
                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
M
Matt Caswell 已提交
2592
                ossl_statem_set_error(s);
2593 2594
                return WORK_ERROR;;
            }
2595

2596 2597
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
2598
        }
2599 2600
        wst = WORK_MORE_B;
    }
2601

2602 2603 2604 2605 2606 2607
    if ((wst == WORK_MORE_B)
            /* Is this SCTP? */
            && BIO_dgram_is_sctp(SSL_get_wbio(s))
            /* Are we renegotiating? */
            && s->renegotiate
            /* Are we going to skip the CertificateVerify? */
2608
            && (s->session->peer == NULL || s->statem.no_cert_verify)
2609 2610 2611 2612 2613
            && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
2614
        ossl_statem_set_sctp_read_sock(s, 1);
2615 2616
        return WORK_MORE_B;
    } else {
M
Matt Caswell 已提交
2617
        ossl_statem_set_sctp_read_sock(s, 0);
2618 2619 2620
    }
#endif

2621
    if (s->statem.no_cert_verify) {
2622 2623
        /* No certificate verify so we no longer need the handshake_buffer */
        BIO_free(s->s3->handshake_buffer);
2624
        s->s3->handshake_buffer = NULL;
2625
        return WORK_FINISHED_CONTINUE;
2626
    } else {
2627 2628 2629 2630 2631 2632 2633 2634
        if (!s->session->peer) {
            /* No peer certificate so we no longer need the handshake_buffer */
            BIO_free(s->s3->handshake_buffer);
            return WORK_FINISHED_CONTINUE;
        }
        if (!s->s3->handshake_buffer) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2635
            ossl_statem_set_error(s);
2636 2637 2638 2639 2640 2641 2642
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
M
Matt Caswell 已提交
2643
            ossl_statem_set_error(s);
2644 2645 2646 2647 2648 2649 2650
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
2651
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2652 2653
{
    EVP_PKEY *pkey = NULL;
E
Emilia Kasper 已提交
2654
    const unsigned char *sig, *data;
2655
#ifndef OPENSSL_NO_GOST
E
Emilia Kasper 已提交
2656
    unsigned char *gost_data = NULL;
2657
#endif
M
Matt Caswell 已提交
2658
    int al, ret = MSG_PROCESS_ERROR;
2659
    int type = 0, j;
M
Matt Caswell 已提交
2660 2661 2662
    unsigned int len;
    X509 *peer;
    const EVP_MD *md = NULL;
2663 2664 2665
    long hdatalen = 0;
    void *hdata;

2666
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
2667 2668 2669 2670 2671 2672

    if (mctx == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
M
Matt Caswell 已提交
2673

2674
    peer = s->session->peer;
2675
    pkey = X509_get0_pubkey(peer);
2676
    type = X509_certificate_type(peer, pkey);
2677 2678

    if (!(type & EVP_PKT_SIGN)) {
M
Matt Caswell 已提交
2679
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY,
2680 2681 2682 2683 2684 2685 2686 2687
               SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }

    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and n is exactly 64, it is bare signature without
2688
     * length field (CryptoPro implementations at least till CSP 4.0)
2689
     */
M
Matt Caswell 已提交
2690
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
2691 2692
    if (PACKET_remaining(pkt) == 64
        && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2693
        len = 64;
M
Matt Caswell 已提交
2694 2695 2696
    } else
#endif
    {
2697
        if (SSL_USE_SIGALGS(s)) {
2698 2699
            int rv;

2700
            if (!PACKET_get_bytes(pkt, &sig, 2)) {
2701 2702 2703 2704
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
2705 2706 2707 2708 2709 2710 2711
            if (rv == -1) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            } else if (rv == 0) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
D
Dr. Stephen Henson 已提交
2712
#ifdef SSL_DEBUG
2713
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2714
#endif
2715
        } else {
2716 2717 2718 2719 2720 2721 2722 2723
            /* Use default digest for this key type */
            int idx = ssl_cert_type(NULL, pkey);
            if (idx >= 0)
                md = s->s3->tmp.md[idx];
            if (md == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
2724
        }
2725

2726
        if (!PACKET_get_net_2(pkt, &len)) {
M
Matt Caswell 已提交
2727
            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2728 2729 2730 2731 2732
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
    }
    j = EVP_PKEY_size(pkey);
2733 2734
    if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
            || (PACKET_remaining(pkt) == 0)) {
M
Matt Caswell 已提交
2735
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2736 2737 2738
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2739
    if (!PACKET_get_bytes(pkt, &data, len)) {
M
Matt Caswell 已提交
2740
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2741 2742 2743
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2744

2745 2746 2747 2748 2749 2750
    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
    if (hdatalen <= 0) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
D
Dr. Stephen Henson 已提交
2751
#ifdef SSL_DEBUG
2752
    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2753
#endif
2754 2755
    if (!EVP_VerifyInit_ex(mctx, md, NULL)
        || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) {
2756 2757 2758 2759
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
2760

M
Matt Caswell 已提交
2761
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
2762 2763 2764 2765
    {
        int pktype = EVP_PKEY_id(pkey);
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
E
Emilia Kasper 已提交
2766 2767 2768 2769 2770 2771 2772 2773 2774
            || pktype == NID_id_GostR3410_2012_512) {
            if ((gost_data = OPENSSL_malloc(len)) == NULL) {
                SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
            BUF_reverse(gost_data, data, len);
            data = gost_data;
        }
2775
    }
M
Matt Caswell 已提交
2776
#endif
2777

2778
    if (s->version == SSL3_VERSION
2779
        && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
2780 2781 2782 2783 2784 2785 2786
                            s->session->master_key_length,
                            s->session->master_key)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

2787
    if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) {
2788 2789
        al = SSL_AD_DECRYPT_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
2790 2791 2792
        goto f_err;
    }

2793
    ret = MSG_PROCESS_CONTINUE_PROCESSING;
2794 2795 2796
    if (0) {
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2797
        ossl_statem_set_error(s);
2798
    }
R
Rich Salz 已提交
2799 2800
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
2801
    EVP_MD_CTX_free(mctx);
2802
#ifndef OPENSSL_NO_GOST
E
Emilia Kasper 已提交
2803
    OPENSSL_free(gost_data);
2804
#endif
M
Matt Caswell 已提交
2805
    return ret;
2806
}
2807

M
Matt Caswell 已提交
2808
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2809
{
M
Matt Caswell 已提交
2810
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
2811 2812
    X509 *x = NULL;
    unsigned long l, llen;
E
Emilia Kasper 已提交
2813
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
2814
    STACK_OF(X509) *sk = NULL;
2815
    PACKET spkt;
2816 2817

    if ((sk = sk_X509_new_null()) == NULL) {
M
Matt Caswell 已提交
2818 2819
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
2820 2821
    }

2822 2823 2824
    if (!PACKET_get_net_3(pkt, &llen)
            || !PACKET_get_sub_packet(pkt, &spkt, llen)
            || PACKET_remaining(pkt) != 0) {
2825
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2826
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
2827 2828
        goto f_err;
    }
2829 2830 2831 2832

    while (PACKET_remaining(&spkt) > 0) {
        if (!PACKET_get_net_3(&spkt, &l)
                || !PACKET_get_bytes(&spkt, &certbytes, l)) {
2833
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2834
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2835 2836 2837 2838
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

2839 2840
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
2841
        if (x == NULL) {
M
Matt Caswell 已提交
2842 2843
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
2844
        }
2845
        if (certbytes != (certstart + l)) {
2846
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2847
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2848 2849 2850 2851
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) {
M
Matt Caswell 已提交
2852 2853
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
2854 2855 2856 2857 2858 2859 2860 2861
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2862
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2863 2864 2865 2866 2867 2868
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
M
Matt Caswell 已提交
2869
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2870 2871 2872 2873 2874
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
2875
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
2876 2877 2878 2879 2880 2881 2882
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
M
Matt Caswell 已提交
2883
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2884 2885 2886 2887
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
M
Matt Caswell 已提交
2888
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
2889 2890 2891
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
2892
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
2893 2894
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2895
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2896 2897 2898 2899 2900
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
    }

R
Rich Salz 已提交
2901
    X509_free(s->session->peer);
2902 2903 2904
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

2905 2906
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
2907 2908 2909 2910 2911
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
     * certificate, while we do include it in s3_clnt.c
     */
    sk = NULL;
M
Matt Caswell 已提交
2912
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
2913 2914
    goto done;

2915
 f_err:
R
Rich Salz 已提交
2916
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2917
    ossl_statem_set_error(s);
R
Rich Salz 已提交
2918
 done:
R
Rich Salz 已提交
2919 2920
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
2921
    return ret;
2922
}
2923

M
Matt Caswell 已提交
2924 2925 2926 2927 2928 2929 2930
int tls_construct_server_certificate(SSL *s)
{
    CERT_PKEY *cpk;

    cpk = ssl_get_server_send_pkey(s);
    if (cpk == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2931
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2932 2933 2934 2935 2936
        return 0;
    }

    if (!ssl3_output_cert_chain(s, cpk)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2937
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2938 2939 2940 2941 2942 2943 2944 2945 2946
        return 0;
    }

    return 1;
}

int tls_construct_new_session_ticket(SSL *s)
{
    unsigned char *senc = NULL;
2947
    EVP_CIPHER_CTX *ctx;
2948
    HMAC_CTX *hctx = NULL;
M
Matt Caswell 已提交
2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964
    unsigned char *p, *macstart;
    const unsigned char *const_p;
    int len, slen_full, slen;
    SSL_SESSION *sess;
    unsigned int hlen;
    SSL_CTX *tctx = s->initial_ctx;
    unsigned char iv[EVP_MAX_IV_LENGTH];
    unsigned char key_name[16];

    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
M
Matt Caswell 已提交
2965
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2966 2967 2968
        return 0;
    }
    senc = OPENSSL_malloc(slen_full);
2969
    if (senc == NULL) {
M
Matt Caswell 已提交
2970
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2971 2972
        return 0;
    }
2973

2974
    ctx = EVP_CIPHER_CTX_new();
2975
    hctx = HMAC_CTX_new();
2976

M
Matt Caswell 已提交
2977 2978 2979
    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;
M
Matt Caswell 已提交
2980

M
Matt Caswell 已提交
2981 2982 2983 2984 2985 2986 2987 2988
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
2989

M
Matt Caswell 已提交
2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3001

M
Matt Caswell 已提交
3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012 3013
    /*-
     * Grow buffer if need be: the length calculation is as
     * follows handshake_header_length +
     * 4 (ticket lifetime hint) + 2 (ticket length) +
     * 16 (key name) + max_iv_len (iv length) +
     * session_length + max_enc_block_size (max encrypted session
     * length) + max_md_size (HMAC).
     */
    if (!BUF_MEM_grow(s->init_buf,
                      SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
                      EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
        goto err;
3014

M
Matt Caswell 已提交
3015 3016 3017 3018 3019 3020
    p = ssl_handshake_start(s);
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
    if (tctx->tlsext_ticket_key_cb) {
3021
        if (tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, hctx, 1) < 0)
M
Matt Caswell 已提交
3022 3023 3024
            goto err;
    } else {
        if (RAND_bytes(iv, 16) <= 0)
M
Matt Caswell 已提交
3025
            goto err;
3026
        if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
M
Matt Caswell 已提交
3027
                                tctx->tlsext_tick_aes_key, iv))
M
Matt Caswell 已提交
3028
            goto err;
3029
        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
M
Matt Caswell 已提交
3030
                          EVP_sha256(), NULL))
3031
            goto err;
M
Matt Caswell 已提交
3032
        memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3033 3034
    }

M
Matt Caswell 已提交
3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048
    /*
     * Ticket lifetime hint (advisory only): We leave this unspecified
     * for resumed session (for simplicity), and guess that tickets for
     * new sessions will live as long as their sessions.
     */
    l2n(s->hit ? 0 : s->session->timeout, p);

    /* Skip ticket length for now */
    p += 2;
    /* Output key name */
    macstart = p;
    memcpy(p, key_name, 16);
    p += 16;
    /* output IV */
3049 3050
    memcpy(p, iv, EVP_CIPHER_CTX_iv_length(ctx));
    p += EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3051
    /* Encrypt session data */
3052
    if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen))
M
Matt Caswell 已提交
3053 3054
        goto err;
    p += len;
3055
    if (!EVP_EncryptFinal(ctx, p, &len))
M
Matt Caswell 已提交
3056 3057 3058
        goto err;
    p += len;

3059
    if (!HMAC_Update(hctx, macstart, p - macstart))
M
Matt Caswell 已提交
3060
        goto err;
3061
    if (!HMAC_Final(hctx, p, &hlen))
M
Matt Caswell 已提交
3062 3063
        goto err;

3064
    EVP_CIPHER_CTX_free(ctx);
3065
    HMAC_CTX_free(hctx);
3066 3067
    ctx = NULL;
    hctx = NULL;
M
Matt Caswell 已提交
3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080

    p += hlen;
    /* Now write out lengths: p points to end of data written */
    /* Total length */
    len = p - ssl_handshake_start(s);
    /* Skip ticket lifetime hint */
    p = ssl_handshake_start(s) + 4;
    s2n(len - 6, p);
    if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
        goto err;
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3081
 err:
R
Rich Salz 已提交
3082
    OPENSSL_free(senc);
3083
    EVP_CIPHER_CTX_free(ctx);
3084
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3085
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3086
    return 0;
3087
}
3088

M
Matt Caswell 已提交
3089 3090 3091 3092 3093 3094 3095 3096 3097 3098
int tls_construct_cert_status(SSL *s)
{
    unsigned char *p;
    /*-
     * Grow buffer if need be: the length calculation is as
     * follows 1 (message type) + 3 (message length) +
     * 1 (ocsp response type) + 3 (ocsp response length)
     * + (ocsp response)
     */
    if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
M
Matt Caswell 已提交
3099
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121
        return 0;
    }

    p = (unsigned char *)s->init_buf->data;

    /* do the header */
    *(p++) = SSL3_MT_CERTIFICATE_STATUS;
    /* message length */
    l2n3(s->tlsext_ocsp_resplen + 4, p);
    /* status type */
    *(p++) = s->tlsext_status_type;
    /* length of OCSP response */
    l2n3(s->tlsext_ocsp_resplen, p);
    /* actual response */
    memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
    /* number of bytes to write */
    s->init_num = 8 + s->tlsext_ocsp_resplen;
    s->init_off = 0;

    return 1;
}

3122
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3123 3124 3125 3126
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3127
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3128
{
3129
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3130 3131
    size_t next_proto_len;

3132 3133 3134 3135 3136 3137 3138
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3139 3140 3141
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
M
Matt Caswell 已提交
3142
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
3143
        goto err;
M
Matt Caswell 已提交
3144
    }
3145

3146 3147 3148
    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
                       &next_proto_len)) {
        s->next_proto_negotiated_len = 0;
M
Matt Caswell 已提交
3149 3150 3151
        goto err;
    }

3152
    s->next_proto_negotiated_len = (unsigned char)next_proto_len;
3153

M
Matt Caswell 已提交
3154
    return MSG_PROCESS_CONTINUE_READING;
M
Matt Caswell 已提交
3155
err:
M
Matt Caswell 已提交
3156
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3157
    return MSG_PROCESS_ERROR;
3158
}
3159
#endif
M
Matt Caswell 已提交
3160 3161 3162

#define SSLV2_CIPHER_LEN    3

3163 3164
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                               PACKET *cipher_suites,
M
Matt Caswell 已提交
3165
                                               STACK_OF(SSL_CIPHER) **skp,
3166 3167
                                               int sslv2format, int *al
                                               )
M
Matt Caswell 已提交
3168 3169 3170
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk;
3171 3172 3173
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];
M
Matt Caswell 已提交
3174

3175 3176 3177 3178 3179 3180 3181 3182
    s->s3->send_connection_binding = 0;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return NULL;
M
Matt Caswell 已提交
3183
    }
3184 3185

    if (PACKET_remaining(cipher_suites) % n != 0) {
M
Matt Caswell 已提交
3186 3187
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
3188 3189
        *al = SSL_AD_DECODE_ERROR;
        return NULL;
M
Matt Caswell 已提交
3190
    }
3191

M
Matt Caswell 已提交
3192 3193 3194 3195
    if ((skp == NULL) || (*skp == NULL)) {
        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
        if(sk == NULL) {
            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3196
            *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3197 3198 3199 3200 3201 3202 3203
            return NULL;
        }
    } else {
        sk = *skp;
        sk_SSL_CIPHER_zero(sk);
    }

3204 3205 3206
    if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                       &s->s3->tmp.ciphers_rawlen)) {
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3207 3208 3209
        goto err;
    }

3210 3211
    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
3212 3213 3214
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
3215 3216 3217 3218
         */
        if (sslv2format && cipher[0] != '\0')
                continue;

M
Matt Caswell 已提交
3219
        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
3220 3221
        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3222 3223 3224 3225
            /* SCSV fatal if renegotiating */
            if (s->renegotiate) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
3226
                *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3227 3228 3229 3230 3231 3232 3233
                goto err;
            }
            s->s3->send_connection_binding = 1;
            continue;
        }

        /* Check for TLS_FALLBACK_SCSV */
3234 3235
        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3236 3237 3238 3239 3240
            /*
             * The SCSV indicates that the client previously tried a higher
             * version. Fail if the current version is an unexpected
             * downgrade.
             */
3241
            if (!ssl_check_version_downgrade(s)) {
M
Matt Caswell 已提交
3242 3243
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_INAPPROPRIATE_FALLBACK);
3244
                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
M
Matt Caswell 已提交
3245 3246 3247 3248 3249
                goto err;
            }
            continue;
        }

3250 3251
        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
M
Matt Caswell 已提交
3252 3253 3254
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3255
                *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3256 3257 3258 3259
                goto err;
            }
        }
    }
3260 3261 3262 3263 3264
    if (PACKET_remaining(cipher_suites) > 0) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
3265 3266 3267 3268 3269 3270 3271

    if (skp != NULL)
        *skp = sk;
    return (sk);
 err:
    if ((skp == NULL) || (*skp == NULL))
        sk_SSL_CIPHER_free(sk);
3272
    return NULL;
M
Matt Caswell 已提交
3273
}