/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
 * Portions of the attached software ("Contribution") are developed by
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */


#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include "internal/constant_time_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/x509.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/md5.h>

/*
 * Forward declaration; the definition is later in this file. Converts the
 * wire-format cipher suite list in |cipher_suites| into a cipher stack.
 * |sslv2format| selects the SSLv2-style (3-byte) encoding; |al| is presumably
 * set to an alert code on failure, as with the other |int *al| helpers here
 * -- confirm against the definition.
 */
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                      PACKET *cipher_suites,
                                                      STACK_OF(SSL_CIPHER) **skp,
                                                      int sslv2format, int *al);

/*
 * server_read_transition() encapsulates the logic for the allowed handshake
 * state transitions when the server is reading messages from the client. The
 * message type that the client has sent is provided in |mt|. The current state
 * is in |s->statem.hand_state|.
 *
 * Only the (state, message type) pairs listed below are accepted. Everything
 * else is rejected, which is what prevents a peer from skipping, repeating or
 * reordering handshake messages: on success |hand_state| is advanced, on
 * failure it is left untouched.
 *
 *  Valid return values are:
 *  1: Success (transition allowed, |hand_state| updated)
 *  0: Error (transition not allowed, |hand_state| unchanged)
 */
int ossl_statem_server_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;

    switch(st->hand_state) {
    case TLS_ST_BEFORE:
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        /*
         * Start of a handshake, or the ClientHello being re-sent after a
         * DTLS HelloVerifyRequest: only a ClientHello is acceptable.
         */
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         *
         * In every other case where a certificate was requested the client
         * has to go through TLS_ST_SR_CERT first (possibly with an empty
         * certificate list); it cannot jump straight to the key exchange.
         */
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
                && (!s->s3->tmp.cert_request
                    || (!((s->verify_mode & SSL_VERIFY_PEER) &&
                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
                        && (s->version == SSL3_VERSION)))) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT:
        /* A client Certificate is always followed by ClientKeyExchange. */
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
         * the case of static DH). In that case |st->no_cert_verify| should be
         * set.
         *
         * Note the asymmetry: when a peer certificate is present and
         * |no_cert_verify| is clear, a ChangeCipherSpec is NOT accepted here,
         * so the client cannot skip proving possession of the key.
         */
        if (s->session->peer == NULL || st->no_cert_verify) {
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
        /*
         * After the client's ChangeCipherSpec we expect Finished, unless NPN
         * was negotiated, in which case a NextProtocol message comes first.
         */
#ifndef OPENSSL_NO_NEXTPROTONEG
        if (s->s3->next_proto_neg_seen) {
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        /*
         * Abbreviated (resumed) handshake: the server sent its Finished
         * first, so the client's ChangeCipherSpec is what comes next.
         */
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    default:
        break;
    }

    /* No valid transition found */
    return 0;
}

/*
 * Decide whether the selected cipher suite needs a ServerKeyExchange message.
 *
 * A SKE is required when the server has to transmit something that is not
 * already in its certificate: an ephemeral (EC)DH share, a PSK identity hint,
 * or SRP parameters.
 *
 * Returns 1 if a ServerKeyExchange must be sent, 0 otherwise.
 */
static int send_server_key_exchange(SSL *s)
{
    const unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* Ephemeral (EC)DH: the server's share has to travel in a SKE. */
    if (alg_k & (SSL_kDHE|SSL_kECDHE))
        return 1;

#ifndef OPENSSL_NO_PSK
    /* Plain and RSA-PSK only need a SKE to carry an identity hint. */
    if ((alg_k & (SSL_kPSK | SSL_kRSAPSK)) && s->cert->psk_identity_hint)
        return 1;

    /* (EC)DHE-PSK always sends a SKE (it carries the ephemeral share). */
    if (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
        return 1;
#endif

#ifndef OPENSSL_NO_SRP
    /* SRP: the server's SRP parameters go in a SKE. */
    if (alg_k & SSL_kSRP)
        return 1;
#endif

    /* Everything else: the certificate already holds the server's key. */
    return 0;
}

/*
 * Decide whether a CertificateRequest message should be sent to the client.
 *
 * Each guard below corresponds to one reason NOT to ask for a client
 * certificate; if none applies, the request is sent.
 *
 * Returns 1 if a CertificateRequest must be sent, 0 otherwise.
 */
static int send_certificate_request(SSL *s)
{
    /* Don't request a cert unless the application asked for peer verification. */
    if (!(s->verify_mode & SSL_VERIFY_PEER))
        return 0;

    /*
     * SSL_VERIFY_CLIENT_ONCE: a peer certificate from the original
     * handshake is already in the session, so don't ask again on
     * renegotiation.
     */
    if (s->session->peer != NULL
            && (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
        return 0;

    /*
     * Never request a cert in anonymous ciphersuites (see section
     * "Certificate request" in the SSL 3 drafts and in RFC 2246), unless the
     * application insists on verification. That is against the specs, but
     * statem_clnt.c accepts it for SSL 3.
     */
    if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
            && !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
        return 0;

    /* SRP authentication does not use client certificates. */
    if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
        return 0;

    /* With normal PSK both Certificate and CertificateRequest are omitted. */
    if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)
        return 0;

    return 1;
}

/*
 * server_write_transition() works out what handshake state to move to next
 * when the server is writing messages to be sent to the client.
 *
 * Returns WRITE_TRAN_CONTINUE when |hand_state| has been advanced to the next
 * message to write, WRITE_TRAN_FINISHED when the current flight is complete
 * and the state machine should go back to reading, or WRITE_TRAN_ERROR for a
 * state this function was never expected to be called in.
 *
 * The TLS_ST_SW_CERT .. TLS_ST_SW_CERT_REQ cases deliberately fall through:
 * each optional message is skipped by dropping into the test for the next
 * one, so the flight always ends at ServerHelloDone.
 */
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

    switch(st->hand_state) {
        case TLS_ST_BEFORE:
            /* Just go straight to trying to read from the client */;
            return WRITE_TRAN_FINISHED;

        case TLS_ST_OK:
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_HELLO_REQ:
            /* HelloRequest sent; leave init until the client responds. */
            st->hand_state = TLS_ST_OK;
            ossl_statem_set_in_init(s, 0);
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SR_CLNT_HELLO:
            /*
             * DTLS with cookie exchange enabled (RFC 6347): a ClientHello
             * without a verified cookie gets a HelloVerifyRequest instead of
             * a ServerHello, so no server state is committed to an
             * unverified source address.
             */
            if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
                    && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
                st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
            else
                st->hand_state = TLS_ST_SW_SRVR_HELLO;
            return WRITE_TRAN_CONTINUE;

        case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SW_SRVR_HELLO:
            if (s->hit) {
                /* Resumption: no certificate flight, straight to CCS. */
                if (s->tlsext_ticket_expected)
                    st->hand_state = TLS_ST_SW_SESSION_TICKET;
                else
                    st->hand_state = TLS_ST_SW_CHANGE;
            } else {
                /* Check if it is anon DH or anon ECDH, */
                /* normal PSK or SRP */
                if (!(s->s3->tmp.new_cipher->algorithm_auth &
                     (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                    st->hand_state = TLS_ST_SW_CERT;
                } else if (send_server_key_exchange(s)) {
                    st->hand_state = TLS_ST_SW_KEY_EXCH;
                } else if (send_certificate_request(s)) {
                    st->hand_state = TLS_ST_SW_CERT_REQ;
                } else {
                    st->hand_state = TLS_ST_SW_SRVR_DONE;
                }
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CERT:
            if (s->tlsext_status_expected) {
                st->hand_state = TLS_ST_SW_CERT_STATUS;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_STATUS:
            if (send_server_key_exchange(s)) {
                st->hand_state = TLS_ST_SW_KEY_EXCH;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_KEY_EXCH:
            if (send_certificate_request(s)) {
                st->hand_state = TLS_ST_SW_CERT_REQ;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_REQ:
            st->hand_state = TLS_ST_SW_SRVR_DONE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SRVR_DONE:
            /* End of the server's first flight: wait for the client. */
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SR_FINISHED:
            if (s->hit) {
                /* Resumption: client Finished was the last message. */
                st->hand_state = TLS_ST_OK;
                ossl_statem_set_in_init(s, 0);
                return WRITE_TRAN_CONTINUE;
            } else if (s->tlsext_ticket_expected) {
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            } else {
                st->hand_state = TLS_ST_SW_CHANGE;
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SESSION_TICKET:
            st->hand_state = TLS_ST_SW_CHANGE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CHANGE:
            st->hand_state = TLS_ST_SW_FINISHED;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_FINISHED:
            if (s->hit) {
                /* Resumption: our Finished goes first, now read the client's. */
                return WRITE_TRAN_FINISHED;
            }
            st->hand_state = TLS_ST_OK;
            ossl_statem_set_in_init(s, 0);
            return WRITE_TRAN_CONTINUE;

        default:
            /* Shouldn't happen */
            return WRITE_TRAN_ERROR;
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 *
 * Mostly this manages the DTLS retransmit timer (|st->use_timer|) and, for
 * TLS_ST_SW_CHANGE, derives the key block before the ChangeCipherSpec is
 * written. |wst| is only forwarded to tls_finish_handshake().
 *
 * Returns WORK_FINISHED_CONTINUE on success, WORK_ERROR (after
 * ossl_statem_set_error()) if key block setup fails, or whatever
 * dtls_wait_for_dry()/tls_finish_handshake() return in their cases.
 */
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
{
    OSSL_STATEM *st = &s->statem;

    switch (st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        /* Both start a (re)handshake: clear the shutdown flags. */
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
            dtls1_clear_record_buffer(s);
            /* We don't buffer HelloVerifyRequest so don't use the timer */
            if (st->hand_state == DTLS_ST_SW_HELLO_VERIFY_REQUEST)
                st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SRVR_HELLO:
        /*
         * Messages we write from now on should be buffered and retransmitted
         * if necessary, so we need to use the timer now
         */
        if (SSL_IS_DTLS(s))
            st->use_timer = 1;
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        /*
         * We're into the last flight. We don't retransmit the last flight
         * unless we need to, so we don't use the timer
         */
        if (SSL_IS_DTLS(s))
            st->use_timer = 0;
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_CHANGE:
        /* Commit to the negotiated cipher and derive the key block. */
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
        /*
         * Last flight again: this may already be 0 if we sent a
         * NewSessionTicket, but set it here in case we didn't.
         */
        if (SSL_IS_DTLS(s))
            st->use_timer = 0;
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_OK:
        return tls_finish_handshake(s, wst);

    default:
        /* No pre work to be done */
        return WORK_FINISHED_CONTINUE;
    }
}

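/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 *
 * Returns WORK_FINISHED_CONTINUE when the state machine can move on,
 * WORK_MORE_A when statem_flush() could not complete yet (the caller retries
 * this step), or WORK_ERROR after ossl_statem_set_error(). |wst| is unused
 * on the server side.
 */
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
{
    OSSL_STATEM *st = &s->statem;

    s->init_num = 0;

    switch(st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* A HelloRequest starts a fresh handshake: reset the Finished MAC. */
        if (!ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /*
         * HelloVerifyRequest resets Finished MAC (except for the legacy
         * DTLS1_BAD_VER variant, which keeps the transcript).
         */
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             *
             * sizeof() is used for both the copy and the exporter label
             * length, so the label handed to the exporter includes the
             * terminating NUL of DTLS1_SCTP_AUTH_LABEL. The peer must derive
             * the same key, so this length must not be "fixed" unilaterally.
             */
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));

            if (SSL_export_keying_material(s, sctpauthkey,
                    sizeof(sctpauthkey), labelbuffer,
                    sizeof(labelbuffer), NULL, 0, 0) <= 0) {
                /* May be partially written: don't leave it on the stack. */
                OPENSSL_cleanse(sctpauthkey, sizeof(sctpauthkey));
                ossl_statem_set_error(s);
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
            /*
             * The BIO has taken its copy; this is exported key material, so
             * wipe our copy rather than leaving it in dead stack space.
             */
            OPENSSL_cleanse(sctpauthkey, sizeof(sctpauthkey));
        }
#endif
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        /* CCS is on the wire: switch our write side to the new keys. */
        if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        break;

    default:
        /* No post work to be done */
        break;
    }

    return WORK_FINISHED_CONTINUE;
}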

/*
 * Construct a message to be sent from the server to the client.
 *
 * Pure dispatch on |s->statem.hand_state|; each case delegates to the
 * constructor for that message type and returns its result.
 *
 * Valid return values are:
 *   1: Success
 *   0: Error (also for a state that is not a server write state)
 */
int ossl_statem_server_construct_message(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

    switch (st->hand_state) {
    /* Renegotiation trigger and DTLS cookie exchange. */
    case TLS_ST_SW_HELLO_REQ:
        return tls_construct_hello_request(s);
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return dtls_construct_hello_verify_request(s);

    /* First server flight. */
    case TLS_ST_SW_SRVR_HELLO:
        return tls_construct_server_hello(s);
    case TLS_ST_SW_CERT:
        return tls_construct_server_certificate(s);
    case TLS_ST_SW_CERT_STATUS:
        return tls_construct_cert_status(s);
    case TLS_ST_SW_KEY_EXCH:
        return tls_construct_server_key_exchange(s);
    case TLS_ST_SW_CERT_REQ:
        return tls_construct_certificate_request(s);
    case TLS_ST_SW_SRVR_DONE:
        return tls_construct_server_done(s);

    /* Final server flight. */
    case TLS_ST_SW_SESSION_TICKET:
        return tls_construct_new_session_ticket(s);
    case TLS_ST_SW_CHANGE:
        return SSL_IS_DTLS(s) ? dtls_construct_change_cipher_spec(s)
                              : tls_construct_change_cipher_spec(s);
    case TLS_ST_SW_FINISHED:
        return tls_construct_finished(s,
                                      s->method->ssl3_enc->server_finished_label,
                                      s->method->ssl3_enc->server_finished_label_len);

    default:
        /* Shouldn't happen: not a server write state. */
        return 0;
    }
}

/*
 * Maximum size (excluding the Handshake header) of a ClientHello message,
 * calculated as follows:
 *
 *  2 + # client_version
 *  32 + # only valid length for random
 *  1 + # length of session_id
 *  32 + # maximum size for session_id
 *  2 + # length of cipher suites
 *  2^16-2 + # maximum length of cipher suites array
 *  1 + # length of compression_methods
 *  2^8-1 + # maximum length of compression methods
 *  2 + # length of extensions
 *  2^16-1 # maximum length of extensions
 */
#define CLIENT_HELLO_MAX_LENGTH         131396

#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 *
 * The limit is looked up from |s->statem.hand_state|; a state that is not a
 * server read state yields 0, i.e. nothing is accepted.
 */
unsigned long ossl_statem_server_max_message_size(SSL *s)
{
    unsigned long limit = 0;

    switch (s->statem.hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        limit = CLIENT_HELLO_MAX_LENGTH;
        break;

    case TLS_ST_SR_CERT:
        /* Application-configurable bound on the client certificate chain. */
        limit = s->max_cert_list;
        break;

    case TLS_ST_SR_KEY_EXCH:
        limit = CLIENT_KEY_EXCH_MAX_LENGTH;
        break;

    case TLS_ST_SR_CERT_VRFY:
        limit = SSL3_RT_MAX_PLAIN_LENGTH;
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        limit = NEXT_PROTO_MAX_LENGTH;
        break;
#endif

    case TLS_ST_SR_CHANGE:
        limit = CCS_MAX_LENGTH;
        break;

    case TLS_ST_SR_FINISHED:
        limit = FINISHED_MAX_LENGTH;
        break;

    default:
        /* Shouldn't happen */
        break;
    }

    return limit;
}

/*
 * Process a message that the server has received from the client.
 *
 * Dispatches on |s->statem.hand_state| to the processor for the message the
 * read transition has already accepted. Returns the processor's result, or
 * MSG_PROCESS_ERROR for a state that is not a server read state.
 */
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
{
    MSG_PROCESS_RETURN result = MSG_PROCESS_ERROR;

    switch (s->statem.hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        result = tls_process_client_hello(s, pkt);
        break;

    case TLS_ST_SR_CERT:
        result = tls_process_client_certificate(s, pkt);
        break;

    case TLS_ST_SR_KEY_EXCH:
        result = tls_process_client_key_exchange(s, pkt);
        break;

    case TLS_ST_SR_CERT_VRFY:
        result = tls_process_cert_verify(s, pkt);
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        result = tls_process_next_proto(s, pkt);
        break;
#endif

    case TLS_ST_SR_CHANGE:
        result = tls_process_change_cipher_spec(s, pkt);
        break;

    case TLS_ST_SR_FINISHED:
        result = tls_process_finished(s, pkt);
        break;

    default:
        /* Shouldn't happen */
        break;
    }

    return result;
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 *
 * Only three read states have post-processing work; any other state is an
 * internal error (WORK_ERROR). For TLS_ST_SR_CERT_VRFY over SCTP the
 * function may return WORK_MORE_A to let the application drain queued
 * data before the handshake continues.
 */
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
{
    OSSL_STATEM *st = &s->statem;

    if (st->hand_state == TLS_ST_SR_CLNT_HELLO)
        return tls_post_process_client_hello(s, wst);

    if (st->hand_state == TLS_ST_SR_KEY_EXCH)
        return tls_post_process_client_key_exchange(s, wst);

    if (st->hand_state != TLS_ST_SR_CERT_VRFY) {
        /* Shouldn't happen */
        return WORK_ERROR;
    }

#ifndef OPENSSL_NO_SCTP
    /*
     * Renegotiating over SCTP with a message already waiting on the socket:
     * mark that application data must be read first (presumably what
     * in_read_app_data = 2 plus the retry-read flags signal to the caller)
     * and come back to this step afterwards.
     */
    if (BIO_dgram_is_sctp(SSL_get_wbio(s))
            && s->renegotiate
            && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
        ossl_statem_set_sctp_read_sock(s, 1);
        return WORK_MORE_A;
    }
    ossl_statem_set_sctp_read_sock(s, 0);
#endif
    return WORK_FINISHED_CONTINUE;
}

#ifndef OPENSSL_NO_SRP
/*
 * Check the SRP extension of a ClientHello against the selected cipher.
 *
 * Only relevant when an SRP key exchange was chosen and the application
 * installed an SRP username callback. Returns SSL_ERROR_NONE when there is
 * nothing to do or the callback succeeded, SSL3_AL_FATAL when no SRP login
 * name was supplied (RFC 5054 says SHOULD reject), or whatever
 * SSL_srp_server_param_with_username() returns. |*al| receives the alert to
 * send on failure.
 */
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
{
    *al = SSL_AD_UNRECOGNIZED_NAME;

    if (!(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP)
            || s->srp_ctx.TLS_ext_srp_username_callback == NULL)
        return SSL_ERROR_NONE;

    if (s->srp_ctx.login == NULL) {
        /* RFC 5054 says SHOULD reject; we do so if there is no login name. */
        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        return SSL3_AL_FATAL;
    }

    return SSL_srp_server_param_with_username(s, al);
}
#endif

/*
 * Construct a HelloRequest message (used to ask the client to renegotiate).
 * The message has an empty body, so only the handshake header is written.
 *
 * Returns 1 on success, 0 on error (SSLerr raised and the state machine put
 * into its error state).
 */
int tls_construct_hello_request(SSL *s)
{
    if (ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0))
        return 1;

    SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
    ossl_statem_set_error(s);
    return 0;
}

/*
 * Serialise the body of a DTLS HelloVerifyRequest into |buf|:
 * 2 bytes protocol version, 1 byte cookie length, then the cookie.
 *
 * Writes exactly 3 + |cookie_len| bytes; the caller must provide at least
 * that much room in |buf| (no bound is checked here). Returns the number of
 * bytes written.
 */
unsigned int dtls_raw_hello_verify_request(unsigned char *buf,
                                            unsigned char *cookie,
                                            unsigned char cookie_len)
{
    unsigned int written = 0;

    /* Always use DTLS 1.0 version: see RFC 6347 */
    buf[written++] = DTLS1_VERSION >> 8;
    buf[written++] = DTLS1_VERSION & 0xFF;

    /* Single length byte, hence the unsigned char cookie_len parameter. */
    buf[written++] = cookie_len;
    memcpy(buf + written, cookie, cookie_len);
    written += cookie_len;

    return written;
}

/*
 * Build a DTLS HelloVerifyRequest into |s->init_buf|, carrying a cookie
 * produced by the application's cookie generator callback.
 *
 * Fails (SSLerr + ossl_statem_set_error) when no generator callback is set,
 * when it reports failure, or when the cookie would not fit in the one
 * length byte of the message (> 255). On success |s->init_num|/|init_off|
 * describe the bytes to write, header included.
 *
 * Returns 1 on success, 0 on error.
 */
int dtls_construct_hello_verify_request(SSL *s)
{
    unsigned char *msg = (unsigned char *)s->init_buf->data;
    unsigned int body_len;

    if (s->ctx->app_gen_cookie_cb == NULL
            || s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
                                         &(s->d1->cookie_len)) == 0
            || s->d1->cookie_len > 255) {
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
        ossl_statem_set_error(s);
        return 0;
    }

    /* Body goes after the DTLS handshake header; header is filled in below. */
    body_len = dtls_raw_hello_verify_request(msg + DTLS1_HM_HEADER_LENGTH,
                                             s->d1->cookie, s->d1->cookie_len);
    dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, body_len, 0,
                             body_len);

    /* number of bytes to write: header plus body */
    s->init_off = 0;
    s->init_num = body_len + DTLS1_HM_HEADER_LENGTH;

    return 1;
}

MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
{
    int i, al = SSL_AD_INTERNAL_ERROR;
    unsigned int j, complen = 0;
    unsigned long id;
    const SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
892
    int protverr;
M
Matt Caswell 已提交
893
    /* |cookie| will only be initialized for DTLS. */
894
    PACKET session_id, cipher_suites, compression, extensions, cookie;
M
Matt Caswell 已提交
895
    int is_v2_record;
M
Matt Caswell 已提交
896
    static const unsigned char null_compression = 0;
M
Matt Caswell 已提交
897

898 899
    is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer);

E
Emilia Kasper 已提交
900
    PACKET_null_init(&cookie);
901
    /* First lets get s->client_version set correctly */
902
    if (is_v2_record) {
M
Matt Caswell 已提交
903 904
        unsigned int version;
        unsigned int mt;
905 906 907 908 909 910 911 912 913 914 915 916 917 918 919
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

920
        if (!PACKET_get_1(pkt, &mt)
M
Matt Caswell 已提交
921
                || mt != SSL2_MT_CLIENT_HELLO) {
922 923 924 925 926
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
927
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
928
            goto err;
929 930
        }

931
        if (!PACKET_get_net_2(pkt, &version)) {
M
Matt Caswell 已提交
932
            /* No protocol version supplied! */
M
Matt Caswell 已提交
933
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
M
Matt Caswell 已提交
934 935 936
            goto err;
        }
        if (version == 0x0002) {
937
            /* This is real SSLv2. We don't support it. */
M
Matt Caswell 已提交
938
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
939
            goto err;
M
Matt Caswell 已提交
940
        } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
941
            /* SSLv3/TLS */
M
Matt Caswell 已提交
942
            s->client_version = version;
943 944
        } else {
            /* No idea what protocol this is */
M
Matt Caswell 已提交
945
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
946 947 948 949
            goto err;
        }
    } else {
        /*
M
Matt Caswell 已提交
950 951
         * use version from inside client hello, not from record header (may
         * differ: see RFC 2246, Appendix E, second paragraph)
952
         */
953
        if(!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
954
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
955
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
956 957
            goto f_err;
        }
958 959
    }

960 961 962 963
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
964
    if (!SSL_IS_DTLS(s)) {
965 966 967 968 969
        protverr = ssl_choose_server_version(s);
    } else if (s->method->version != DTLS_ANY_VERSION &&
               DTLS_VERSION_LT(s->client_version, s->version)) {
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
970 971 972 973
        protverr = 0;
    }

    if (protverr) {
974
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
975
        if ((!s->enc_write_ctx && !s->write_hash)) {
976 977 978 979 980 981 982 983 984 985
            /*
             * similar to ssl3_get_record, send alert using remote version
             * number
             */
            s->version = s->client_version;
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
    }

986 987
    /* Parse the message and load client random. */
    if (is_v2_record) {
988 989 990 991 992
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
         * Real SSLv2 is not supported, and is rejected above.
         */
993
        unsigned int cipher_len, session_id_len, challenge_len;
994
        PACKET challenge;
995

996 997 998
        if (!PACKET_get_net_2(pkt, &cipher_len)
                || !PACKET_get_net_2(pkt, &session_id_len)
                || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
999 1000
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1001 1002
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1003
        }
1004

1005 1006 1007 1008 1009 1010
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1011 1012 1013
        if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
            || !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1014
            /* No extensions. */
1015
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1016 1017
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1018 1019 1020 1021
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }

D
David Benjamin 已提交
1022
        /* Load the client random and compression list. */
1023 1024
        challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
            challenge_len;
1025
        memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
1026 1027
        if (!PACKET_copy_bytes(&challenge,
                               s->s3->client_random + SSL3_RANDOM_SIZE -
D
David Benjamin 已提交
1028 1029 1030
                               challenge_len, challenge_len)
            /* Advertise only null compression. */
            || !PACKET_buf_init(&compression, &null_compression, 1)) {
M
Matt Caswell 已提交
1031
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1032
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1033 1034
            goto f_err;
        }
1035 1036

        PACKET_null_init(&extensions);
1037
    } else {
1038
        /* Regular ClientHello. */
1039 1040
        if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
            || !PACKET_get_length_prefixed_1(pkt, &session_id)) {
M
Matt Caswell 已提交
1041
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1042
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1043 1044
            goto f_err;
        }
1045

1046 1047 1048 1049 1050 1051
        if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1052
        if (SSL_IS_DTLS(s)) {
1053
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1054
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1055
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1056 1057
                goto f_err;
            }
1058 1059 1060 1061 1062 1063 1064
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
                if (PACKET_remaining(&cookie) == 0)
1065
                return 1;
1066
            }
1067
        }
1068

1069 1070
        if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
            || !PACKET_get_length_prefixed_1(pkt, &compression)) {
1071
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1072
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1073 1074 1075
                goto f_err;
        }
        /* Could be empty. */
1076
        extensions = *pkt;
1077 1078
    }

1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
                if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
                                                 PACKET_remaining(&cookie)) == 0) {
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                           SSL_R_COOKIE_MISMATCH);
                    goto f_err;
                    /* else cookie verification succeeded */
                }
            /* default verification */
            } else if (!PACKET_equal(&cookie, s->d1->cookie,
                                     s->d1->cookie_len)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                goto f_err;
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
            protverr = ssl_choose_server_version(s);
            if (protverr != 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
        }
    }

1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135
    s->hit = 0;

    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
    if (is_v2_record ||
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
        i = ssl_get_prev_session(s, &extensions, &session_id);
1136
        /*
1137 1138 1139 1140 1141 1142 1143
         * Only resume if the session's version matches the negotiated
         * version.
         * RFC 5246 does not provide much useful advice on resumption
         * with a different protocol version. It doesn't forbid it but
         * the sanity of such behaviour would be questionable.
         * In practice, clients do not accept a version mismatch and
         * will abort the handshake with an error.
1144
         */
1145 1146 1147 1148 1149
        if (i == 1 && s->version == s->session->ssl_version) {
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
            goto err;
1150
        } else {
1151 1152
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1153
                goto err;
1154
        }
1155
    }
1156

1157 1158
    if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
                                 is_v2_record, &al) == NULL) {
1159 1160
        goto f_err;
    }
1161

1162 1163 1164 1165
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1166

1167
#ifdef CIPHER_DEBUG
1168 1169
        fprintf(stderr, "client sent %d ciphers\n",
                sk_SSL_CIPHER_num(ciphers));
1170
#endif
1171 1172
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1173
#ifdef CIPHER_DEBUG
1174 1175
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1176
#endif
1177 1178 1179
            if (c->id == id) {
                j = 1;
                break;
1180
            }
1181
        }
1182
        if (j == 0) {
1183
            /*
1184 1185
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1186
             */
1187
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1188
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1189
                   SSL_R_REQUIRED_CIPHER_MISSING);
1190 1191
            goto f_err;
        }
1192
    }
M
Matt Caswell 已提交
1193

1194 1195 1196 1197
    complen = PACKET_remaining(&compression);
    for (j = 0; j < complen; j++) {
        if (PACKET_data(&compression)[j] == 0)
            break;
1198
    }
1199

1200 1201 1202
    if (j >= complen) {
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1203
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1204 1205
        goto f_err;
    }
1206

1207 1208
    /* TLS extensions */
    if (s->version >= SSL3_VERSION) {
1209
        if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
M
Matt Caswell 已提交
1210
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229
            goto err;
        }
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1230
        const SSL_CIPHER *pref_cipher = NULL;
1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251

        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length, ciphers,
                                     &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
            pref_cipher =
                pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
                                                               s->
                                                               session->ciphers,
                                                               SSL_get_ciphers
                                                               (s));
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1252
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1253 1254 1255 1256
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1257
            sk_SSL_CIPHER_free(s->cipher_list);
1258
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1259
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1260 1261 1262
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1263

1264 1265
    /*
     * Worst case, we will use the NULL compression, but if we have other
1266
     * options, we will now look for them.  We have complen-1 compression
1267 1268 1269
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1270
#ifndef OPENSSL_NO_COMP
1271 1272 1273
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1274
        unsigned int k;
1275 1276 1277
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
M
Matt Caswell 已提交
1278
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
M
Matt Caswell 已提交
1291
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1292 1293 1294 1295
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
M
Matt Caswell 已提交
1296
        for (k = 0; k < complen; k++) {
1297
            if (PACKET_data(&compression)[k] == comp_id)
1298 1299
                break;
        }
M
Matt Caswell 已提交
1300
        if (k >= complen) {
1301
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1302
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
F
FdaSilvaYY 已提交
1303
                   SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
1304 1305 1306 1307 1308
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1309
        /* See if we have a match */
M
Matt Caswell 已提交
1310 1311
        int m, nn, v, done = 0;
        unsigned int o;
1312 1313 1314 1315 1316

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1317
            for (o = 0; o < complen; o++) {
1318
                if (v == PACKET_data(&compression)[o]) {
1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1331
#else
1332 1333 1334 1335 1336
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
M
Matt Caswell 已提交
1337
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1338 1339
        goto f_err;
    }
1340
#endif
1341

1342 1343 1344
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1345

1346
    if (!s->hit) {
1347
#ifdef OPENSSL_NO_COMP
1348
        s->session->compress_meth = 0;
1349
#else
1350
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1351
#endif
R
Rich Salz 已提交
1352
        sk_SSL_CIPHER_free(s->session->ciphers);
1353 1354
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1355
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1356
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1357 1358 1359 1360
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
M
Matt Caswell 已提交
1361
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1362 1363
            goto err;
        }
M
Matt Caswell 已提交
1364 1365 1366 1367 1368 1369 1370
    }

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1371
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1372 1373 1374 1375 1376 1377

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_ERROR;

}

/*
 * Second, resumable half of ClientHello handling: runs the certificate
 * callback, picks the cipher for a new session, checks the late TLS
 * extensions and (when SRP is compiled in) the SRP extension.
 *
 * s   - the server-side connection, already set up by tls_process_client_hello().
 * wst - where to resume: WORK_MORE_A runs everything, WORK_MORE_B only the
 *       SRP check. Both callbacks can ask to be re-invoked later, in which
 *       case s->rwstate is set to SSL_X509_LOOKUP and the current stage is
 *       returned so the caller comes back here.
 *
 * Returns WORK_FINISHED_STOP on success, WORK_MORE_A / WORK_MORE_B when a
 * callback wants more time, and WORK_ERROR after sending a fatal alert of
 * type |al| and flagging the state machine error.
 */
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
{
    /* Default alert for the |f_err| exit unless a branch overrides it. */
    int al = SSL_AD_HANDSHAKE_FAILURE;
    const SSL_CIPHER *cipher;

    if (wst == WORK_MORE_A) {
        if (!s->hit) {
            /* Let cert callback update server certificates if required */
            if (s->cert->cert_cb) {
                /* Callback contract as used here: 0 = error, <0 = retry later, else proceed. */
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_A;
                }
                s->rwstate = SSL_NOTHING;
            }
            /* Intersect the client's list with ours; NULL means no overlap. */
            cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

            if (cipher == NULL) {
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
                goto f_err;
            }
            s->s3->tmp.new_cipher = cipher;
            /* check whether we should disable session resumption */
            /* The flag passed tells the callback whether the key exchange is ephemeral (DHE/ECDHE). */
            if (s->not_resumable_session_cb != NULL)
                s->session->not_resumable = s->not_resumable_session_cb(s,
                    ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
            if (s->session->not_resumable)
                /* do not send a session ticket */
                s->tlsext_ticket_expected = 0;
        } else {
            /* Session-id reuse */
            /* The resumed session's cipher was validated in tls_process_client_hello(). */
            s->s3->tmp.new_cipher = s->session->cipher;
        }

        /* Not requesting a client certificate: finalise cached records now. */
        if (!(s->verify_mode & SSL_VERIFY_PEER)) {
            if (!ssl3_digest_cached_records(s, 0)) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
        }

        /*-
         * we now have the following setup.
         * client_random
         * cipher_list          - our prefered list of ciphers
         * ciphers              - the clients prefered list of ciphers
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */

        /* Handles TLS extensions that we couldn't check earlier */
        if (s->version >= SSL3_VERSION) {
            if (ssl_check_clienthello_tlsext_late(s) <= 0) {
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_CLIENTHELLO_TLSEXT);
                goto f_err;
            }
        }

        /* Stage A done; fall through into stage B below. */
        wst = WORK_MORE_B;
    }
#ifndef OPENSSL_NO_SRP
    if (wst == WORK_MORE_B) {
        int ret;
        /* The callee receives &al so it can choose the alert for a failure. */
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_B;
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            /* The unknown-identity alert is sent without logging an error. */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CLIENTHELLO_TLSEXT);
            goto f_err;
        }
    }
#endif
    /* NOTE(review): the meaning of the value 2 is not visible here -- confirm. */
    s->renegotiate = 2;

    return WORK_FINISHED_STOP;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    ossl_statem_set_error(s);
    return WORK_ERROR;
}

/*
 * Build the ServerHello message into s->init_buf.
 *
 * Body layout written, in order: protocol version, server_random (filled in
 * earlier by tls_process_client_hello()), session id (length-prefixed, may
 * be empty), cipher suite, compression method, then the server extensions.
 * The handshake header is written last, once the body length is known.
 *
 * The session id is cleared (sent as zero length) when the session is marked
 * not_resumable, or when it is a new session and server-side caching is off,
 * so that a single-use session is not handed back to the client.
 *
 * Returns 1 on success. On failure records an error, flags the state machine
 * error and returns 0; the extension-writing failure additionally sends a
 * fatal alert of the type chosen by ssl_add_serverhello_tlsext().
 */
int tls_construct_server_hello(SSL *s)
{
    unsigned char *buf = (unsigned char *)s->init_buf->data;
    unsigned char *start, *out;
    int sid_len, cipher_len;
    int al = 0;
    unsigned long body_len;

    /* Do the message type and length last */
    start = ssl_handshake_start(s);
    out = start;

    out[0] = (unsigned char)(s->version >> 8);
    out[1] = (unsigned char)(s->version & 0xff);
    out += 2;

    /*
     * Random stuff. Filling of the server_random takes place in
     * tls_process_client_hello()
     */
    memcpy(out, s->s3->server_random, SSL3_RANDOM_SIZE);
    out += SSL3_RANDOM_SIZE;

    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable
        || (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
            && !s->hit))
        s->session->session_id_length = 0;

    /* Guard the copy below against a corrupt length in the session. */
    sid_len = s->session->session_id_length;
    if (sid_len > (int)sizeof(s->session->session_id)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
        ossl_statem_set_error(s);
        return 0;
    }
    *out++ = (unsigned char)sid_len;
    memcpy(out, s->session->session_id, sid_len);
    out += sid_len;

    /* put the cipher */
    cipher_len = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, out);
    out += cipher_len;

    /* put the compression method */
#ifdef OPENSSL_NO_COMP
    *out++ = 0;
#else
    *out++ = (s->s3->tmp.new_compression == NULL)
                 ? 0 : s->s3->tmp.new_compression->id;
#endif

    if (ssl_prepare_serverhello_tlsext(s) <= 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
        ossl_statem_set_error(s);
        return 0;
    }
    /* Extensions are bounded by the end of the plaintext record buffer. */
    out = ssl_add_serverhello_tlsext(s, out, buf + SSL3_RT_MAX_PLAIN_LENGTH,
                                     &al);
    if (out == NULL) {
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
        ossl_statem_set_error(s);
        return 0;
    }

    /* do the header */
    body_len = (unsigned long)(out - start);
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, body_len)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
        ossl_statem_set_error(s);
        return 0;
    }

    return 1;
}

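/*
 * Build the (empty-bodied) ServerHelloDone message into s->init_buf.
 *
 * When no CertificateRequest is being sent, the cached handshake records are
 * also digested here, since no client certificate will follow.
 *
 * Returns 1 on success. Every failure records an error, flags the state
 * machine error and returns 0 -- previously the digest failure set the error
 * state but still reported success, so the caller would carry on with a
 * connection already marked as failed.
 */
int tls_construct_server_done(SSL *s)
{
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
        ossl_statem_set_error(s);
        return 0;
    }

    /* No client certificate expected: close off the cached records now. */
    if (!s->s3->tmp.cert_request) {
        if (!ssl3_digest_cached_records(s, 0)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
            ossl_statem_set_error(s);
            return 0;
        }
    }

    return 1;
}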

int tls_construct_server_key_exchange(SSL *s)
{
#ifndef OPENSSL_NO_DH
    EVP_PKEY *pkdh = NULL;
#endif
#ifndef OPENSSL_NO_EC
    unsigned char *encodedPoint = NULL;
    int encodedlen = 0;
    int curve_id = 0;
#endif
    EVP_PKEY *pkey;
    const EVP_MD *md = NULL;
    unsigned char *p, *d;
    int al, i;
    unsigned long type;
    int n;
    const BIGNUM *r[4];
    int nr[4], kn;
    BUF_MEM *buf;
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();

    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

    type = s->s3->tmp.new_cipher->algorithm_mkey;

    buf = s->init_buf;

    r[0] = r[1] = r[2] = r[3] = NULL;
    n = 0;
#ifndef OPENSSL_NO_PSK
    if (type & SSL_PSK) {
        /*
         * reserve size for record length and PSK identity hint
         */
        n += 2;
        if (s->cert->psk_identity_hint)
            n += strlen(s->cert->psk_identity_hint);
    }
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
#endif                          /* !OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
1636
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
1637 1638
        CERT *cert = s->cert;

1639 1640 1641
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
1642
        if (s->cert->dh_tmp_auto) {
1643 1644 1645 1646
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
M
Matt Caswell 已提交
1647 1648
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
1649
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1650
                goto f_err;
1651
            }
1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
M
Matt Caswell 已提交
1669 1670 1671 1672 1673 1674
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
1675
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
M
Matt Caswell 已提交
1676 1677 1678 1679 1680
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
1681
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1682 1683 1684 1685
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
1686

1687
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp, NID_undef);
M
Matt Caswell 已提交
1688

1689 1690
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1691
            goto err;
M
Matt Caswell 已提交
1692
        }
1693 1694 1695 1696 1697 1698

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
1699 1700
        DH_get0_pqg(dh, &r[0], NULL, &r[1]);
        DH_get0_key(dh, &r[2], NULL);
M
Matt Caswell 已提交
1701
    } else
1702
#endif
1703
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1704
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1705
        int nid;
M
Matt Caswell 已提交
1706

D
Dr. Stephen Henson 已提交
1707
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1708 1709 1710 1711 1712
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

1713 1714 1715 1716
        /* Get NID of appropriate shared curve */
        nid = tls1_shared_curve(s, -2);
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
1717 1718 1719 1720
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
1721 1722 1723
        s->s3->tmp.pkey = ssl_generate_pkey(NULL, nid);
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
1724
            al = SSL_AD_INTERNAL_ERROR;
D
Dr. Stephen Henson 已提交
1725
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1726 1727 1728
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
1729 1730 1731
        /* Encode the public key. */
        encodedlen = EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(s->s3->tmp.pkey),
                                    POINT_CONVERSION_UNCOMPRESSED,
1732
                                    &encodedPoint, NULL);
1733

M
Matt Caswell 已提交
1734
        if (encodedlen == 0) {
1735
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
1736 1737
            goto err;
        }
1738

M
Matt Caswell 已提交
1739
        /*
1740 1741 1742
         * We only support named (not generic) curves in ECDH ephemeral key
         * exchanges. In this situation, we need four additional bytes to
         * encode the entire ServerECDHParams structure.
M
Matt Caswell 已提交
1743 1744
         */
        n += 4 + encodedlen;
1745

M
Matt Caswell 已提交
1746 1747 1748 1749 1750 1751 1752 1753 1754
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
1755
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
1756
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1757 1758 1759 1760 1761 1762 1763
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
1764
        }
M
Matt Caswell 已提交
1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
    for (i = 0; i < 4 && r[i] != NULL; i++) {
        nr[i] = BN_num_bytes(r[i]);
B
Ben Laurie 已提交
1779
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1780 1781 1782
        if ((i == 2) && (type & SSL_kSRP))
            n += 1 + nr[i];
        else
B
Ben Laurie 已提交
1783
#endif
M
Matt Caswell 已提交
1784 1785
            n += 2 + nr[i];
    }
1786

M
Matt Caswell 已提交
1787 1788 1789 1790 1791 1792
    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
        && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
        if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
            == NULL) {
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1793
        }
M
Matt Caswell 已提交
1794 1795 1796 1797 1798
        kn = EVP_PKEY_size(pkey);
    } else {
        pkey = NULL;
        kn = 0;
    }
1799

M
Matt Caswell 已提交
1800 1801 1802 1803 1804
    if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
        goto err;
    }
    d = p = ssl_handshake_start(s);
1805

1806
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1807 1808 1809 1810 1811 1812 1813 1814 1815
    if (type & SSL_PSK) {
        /* copy PSK identity hint */
        if (s->cert->psk_identity_hint) {
            s2n(strlen(s->cert->psk_identity_hint), p);
            strncpy((char *)p, s->cert->psk_identity_hint,
                    strlen(s->cert->psk_identity_hint));
            p += strlen(s->cert->psk_identity_hint);
        } else {
            s2n(0, p);
1816
        }
M
Matt Caswell 已提交
1817
    }
1818 1819
#endif

M
Matt Caswell 已提交
1820
    for (i = 0; i < 4 && r[i] != NULL; i++) {
B
Ben Laurie 已提交
1821
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1822 1823 1824 1825
        if ((i == 2) && (type & SSL_kSRP)) {
            *p = nr[i];
            p++;
        } else
B
Ben Laurie 已提交
1826
#endif
M
Matt Caswell 已提交
1827 1828 1829 1830
            s2n(nr[i], p);
        BN_bn2bin(r[i], p);
        p += nr[i];
    }
1831

1832
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
         * XXX: For now, we only support named (not generic) curves. In
         * this situation, the serverKeyExchange message has: [1 byte
         * CurveType], [2 byte CurveName] [1 byte length of encoded
         * point], followed by the actual encoded point itself
         */
        *p = NAMED_CURVE_TYPE;
        p += 1;
        *p = 0;
        p += 1;
        *p = curve_id;
        p += 1;
        *p = encodedlen;
        p += 1;
        memcpy(p, encodedPoint, encodedlen);
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
        p += encodedlen;
    }
B
Bodo Möller 已提交
1853 1854
#endif

M
Matt Caswell 已提交
1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869
    /* not anonymous */
    if (pkey != NULL) {
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
        if (md) {
            /* send signature algorithm */
            if (SSL_USE_SIGALGS(s)) {
                if (!tls12_get_sigandhash(p, pkey, md)) {
                    /* Should never happen */
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
1870
                }
M
Matt Caswell 已提交
1871 1872
                p += 2;
            }
1873
#ifdef SSL_DEBUG
M
Matt Caswell 已提交
1874
            fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
1875
#endif
1876 1877
            if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0
                    || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
1878
                                      SSL3_RANDOM_SIZE) <= 0
1879
                    || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
1880
                                      SSL3_RANDOM_SIZE) <= 0
1881 1882
                    || EVP_SignUpdate(md_ctx, d, n) <= 0
                    || EVP_SignFinal(md_ctx, &(p[2]),
1883
                               (unsigned int *)&i, pkey) <= 0) {
M
Matt Caswell 已提交
1884
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
1885 1886
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
1887
            }
M
Matt Caswell 已提交
1888 1889 1890 1891 1892 1893
            s2n(i, p);
            n += i + 2;
            if (SSL_USE_SIGALGS(s))
                n += 2;
        } else {
            /* Is this error check actually needed? */
M
Matt Caswell 已提交
1894
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1895 1896
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNKNOWN_PKEY_TYPE);
M
Matt Caswell 已提交
1897 1898
            goto f_err;
        }
1899 1900
    }

M
Matt Caswell 已提交
1901 1902 1903 1904 1905 1906
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

1907
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
1908
    return 1;
1909 1910 1911
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
1912 1913 1914
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
1915
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
1916
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
1917
#endif
1918
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
1919
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1920
    return 0;
1921
}

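/*
 * Construct the CertificateRequest message into s->init_buf: the list of
 * acceptable certificate types, the supported signature algorithms when
 * SSL_USE_SIGALGS(s), and the 2-byte-length prefixed list of DER-encoded
 * acceptable CA names (empty when no client CA list is configured).
 *
 * Returns 1 on success with s->s3->tmp.cert_request set, 0 on failure
 * after marking the state machine as errored.
 */
int tls_construct_certificate_request(SSL *s)
{
    unsigned char *p, *d;
    int i, j, nl, off, n;
    STACK_OF(X509_NAME) *sk = NULL;
    X509_NAME *name;
    BUF_MEM *buf;

    buf = s->init_buf;

    d = p = ssl_handshake_start(s);

    /*
     * get the list of acceptable cert types
     * NOTE(review): the cert types and sigalgs below are written before any
     * BUF_MEM_grow_clean() call, so this relies on init_buf already being
     * large enough - confirm against where init_buf is allocated.
     */
    p++;
    n = ssl3_get_req_cert_type(s, p);
    d[0] = n;
    p += n;
    n++;

    if (SSL_USE_SIGALGS(s)) {
        const unsigned char *psigs;
        unsigned char *etmp = p;
        nl = tls12_get_psigalgs(s, &psigs);
        /* Skip over length for now */
        p += 2;
        nl = tls12_copy_sigalgs(s, p, psigs, nl);
        /* Now fill in length */
        s2n(nl, etmp);
        p += nl;
        n += nl + 2;
    }

    /* off: offset of the 2-byte CA-names length, filled in after the loop */
    off = n;
    n += 2;

    sk = SSL_get_client_CA_list(s);
    nl = 0;
    if (sk != NULL) {
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
            name = sk_X509_NAME_value(sk, i);
            j = i2d_X509_NAME(name, NULL);
            /*
             * i2d_X509_NAME() returns a negative value on error; that must
             * not reach the length arithmetic and s2n() below.
             */
            if (j < 0) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_INTERNAL_ERROR);
                goto err;
            }
            if (!BUF_MEM_grow_clean
                (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_BUF_LIB);
                goto err;
            }
            /* Growing may have moved the buffer: recompute p from the start */
            p = ssl_handshake_start(s) + n;
            s2n(j, p);
            i2d_X509_NAME(name, &p);
            n += 2 + j;
            nl += 2 + j;
        }
    }
    /* else no CA names */
    p = ssl_handshake_start(s) + off;
    s2n(nl, p);

    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    s->s3->tmp.cert_request = 1;

    return 1;
 err:
    ossl_statem_set_error(s);
    return 0;
}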

MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    int al;
    unsigned long alg_k;
#ifndef OPENSSL_NO_RSA
    RSA *rsa = NULL;
#endif
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
    EVP_PKEY *ckey = NULL;
#endif
    PACKET enc_premaster;
    unsigned char *rsa_decrypt = NULL;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

#ifndef OPENSSL_NO_PSK
    /* For PSK parse and retrieve identity, obtain PSK key */
    if (alg_k & SSL_PSK) {
        unsigned char psk[PSK_MAX_PSK_LEN];
        size_t psklen;
        PACKET psk_identity;

        if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }
        if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_DATA_LENGTH_TOO_LONG);
            goto f_err;
        }
        if (s->psk_server_callback == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_PSK_NO_SERVER_CB);
            goto f_err;
        }

        if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            al = SSL_AD_INTERNAL_ERROR;
            goto f_err;
        }

        psklen = s->psk_server_callback(s, s->session->psk_identity,
                                         psk, sizeof(psk));

        if (psklen > PSK_MAX_PSK_LEN) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        } else if (psklen == 0) {
            /*
             * PSK related to the given identity not found
             */
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_PSK_IDENTITY_NOT_FOUND);
            al = SSL_AD_UNKNOWN_PSK_IDENTITY;
            goto f_err;
        }

        OPENSSL_free(s->s3->tmp.psk);
        s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
        OPENSSL_cleanse(psk, psklen);

        if (s->s3->tmp.psk == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }

        s->s3->tmp.psklen = psklen;
    }
    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
    } else
#endif
#ifndef OPENSSL_NO_RSA
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
        unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
        int decrypt_len;
        unsigned char decrypt_good, version_good;
        size_t j;

        /* FIX THIS UP EAY EAY EAY EAY */
        rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
        if (rsa == NULL) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_RSA_CERTIFICATE);
            goto f_err;
        }

        /* SSLv3 and pre-standard DTLS omit the length bytes. */
        if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
            enc_premaster = *pkt;
        } else {
            if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
                || PACKET_remaining(pkt) != 0) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
        }

        /*
         * We want to be sure that the plaintext buffer size makes it safe to
         * iterate over the entire size of a premaster secret
         * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
         * their ciphertext cannot accommodate a premaster secret anyway.
         */
        if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   RSA_R_KEY_SIZE_TOO_SMALL);
            goto f_err;
        }

        rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
        if (rsa_decrypt == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }

        /*
         * We must not leak whether a decryption failure occurs because of
         * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
         * section 7.4.7.1). The code follows that advice of the TLS RFC and
         * generates a random premaster secret for the case that the decrypt
         * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
         */

        if (RAND_bytes(rand_premaster_secret,
                       sizeof(rand_premaster_secret)) <= 0) {
            goto err;
        }

        decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
                                          PACKET_data(&enc_premaster),
                                          rsa_decrypt, rsa, RSA_PKCS1_PADDING);
        ERR_clear_error();

        /*
         * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
         * be 0xff if so and zero otherwise.
         */
        decrypt_good =
            constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);

        /*
         * If the version in the decrypted pre-master secret is correct then
         * version_good will be 0xff, otherwise it'll be zero. The
         * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
         * (http://eprint.iacr.org/2003/052/) exploits the version number
         * check as a "bad version oracle". Thus version checks are done in
         * constant time and are treated like any other decryption error.
         */
        version_good =
            constant_time_eq_8(rsa_decrypt[0],
                               (unsigned)(s->client_version >> 8));
        version_good &=
            constant_time_eq_8(rsa_decrypt[1],
                               (unsigned)(s->client_version & 0xff));

        /*
         * The premaster secret must contain the same version number as the
         * ClientHello to detect version rollback attacks (strangely, the
         * protocol does not offer such protection for DH ciphersuites).
         * However, buggy clients exist that send the negotiated protocol
         * version instead if the server does not support the requested
         * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
         * clients.
         */
        if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
            unsigned char workaround_good;
            workaround_good =
                constant_time_eq_8(rsa_decrypt[0], (unsigned)(s->version >> 8));
            workaround_good &=
                constant_time_eq_8(rsa_decrypt[1],
                                   (unsigned)(s->version & 0xff));
            version_good |= workaround_good;
        }

        /*
         * Both decryption and version must be good for decrypt_good to
         * remain non-zero (0xff).
         */
        decrypt_good &= version_good;

        /*
         * Now copy rand_premaster_secret over from p using
         * decrypt_good_mask. If decryption failed, then p does not
         * contain valid plaintext, however, a check above guarantees
         * it is still sufficiently large to read from.
         */
        for (j = 0; j < sizeof(rand_premaster_secret); j++) {
            rsa_decrypt[j] =
                constant_time_select_8(decrypt_good, rsa_decrypt[j],
                                       rand_premaster_secret[j]);
        }

        if (!ssl_generate_master_secret(s, rsa_decrypt,
                                        sizeof(rand_premaster_secret), 0)) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        OPENSSL_free(rsa_decrypt);
        rsa_decrypt = NULL;
    } else
#endif
#ifndef OPENSSL_NO_DH
    if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
        EVP_PKEY *skey = NULL;
        DH *cdh;
        unsigned int i;
        BIGNUM *pub_key;
        const unsigned char *data;

        if (!PACKET_get_net_2(pkt, &i)) {
            if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
                goto f_err;
            }
            i = 0;
        }
        if (PACKET_remaining(pkt) != i) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
            goto err;
        }
        skey = s->s3->tmp.pkey;
        if (skey == NULL) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }

        if (PACKET_remaining(pkt) == 0L) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!PACKET_get_bytes(pkt, &data, i)) {
            /* We already checked we have enough data */
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
            goto err;
        }
        cdh = EVP_PKEY_get0_DH(ckey);
        pub_key = BN_bin2bn(data, i, NULL);

        if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            if (pub_key != NULL)
                BN_free(pub_key);
            goto err;
        }

        if (ssl_derive(s, skey, ckey) == 0) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

        EVP_PKEY_free(ckey);
        ckey = NULL;
        EVP_PKEY_free(s->s3->tmp.pkey);
        s->s3->tmp.pkey = NULL;

    } else
#endif

#ifndef OPENSSL_NO_EC
    if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        EVP_PKEY *skey = s->s3->tmp.pkey;

        if (PACKET_remaining(pkt) == 0L) {
            /* We don't support ECDH client auth */
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_ECDH_KEY);
            goto f_err;
        } else {
            unsigned int i;
            const unsigned char *data;

            /*
             * Get client's public key from encoded point in the
             * ClientKeyExchange message.
             */

            /* Get encoded point length */
            if (!PACKET_get_1(pkt, &i)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
            if (!PACKET_get_bytes(pkt, &data, i)
                    || PACKET_remaining(pkt) != 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                goto err;
            }
            ckey = EVP_PKEY_new();
            if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EVP_LIB);
                goto err;
            }
            if (EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(ckey), data, i,
                               NULL) == 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                goto err;
            }
        }

        if (ssl_derive(s, skey, ckey) == 0) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

        EVP_PKEY_free(ckey);
        ckey = NULL;
        EVP_PKEY_free(s->s3->tmp.pkey);
        s->s3->tmp.pkey = NULL;

        return MSG_PROCESS_CONTINUE_PROCESSING;
    } else
#endif
#ifndef OPENSSL_NO_SRP
    if (alg_k & SSL_kSRP) {
        unsigned int i;
        const unsigned char *data;

        if (!PACKET_get_net_2(pkt, &i)
                || !PACKET_get_bytes(pkt, &data, i)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
            goto f_err;
        }
        if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
            goto err;
        }
        if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
            || BN_is_zero(s->srp_ctx.A)) {
            al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_BAD_SRP_PARAMETERS);
            goto f_err;
        }
        OPENSSL_free(s->session->srp_username);
        s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
        if (s->session->srp_username == NULL) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto err;
        }

        if (!srp_generate_server_master_secret(s)) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto err;
        }
    } else
#endif                          /* OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_GOST
    if (alg_k & SSL_kGOST) {
        EVP_PKEY_CTX *pkey_ctx;
        EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
        unsigned char premaster_secret[32];
        const unsigned char *start;
        size_t outlen = 32, inlen;
        unsigned long alg_a;
        int Ttag, Tclass;
        long Tlen;
        long sess_key_len;
        const unsigned char *data;

        /* Get our certificate private key */
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
        if (alg_a & SSL_aGOST12) {
            /*
             * New GOST ciphersuites have SSL_aGOST01 bit too
             */
            pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
            }
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
            }
        } else if (alg_a & SSL_aGOST01) {
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
        }

        pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
        if (pkey_ctx == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }
        if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        /*
         * If client certificate is present and is of the same type, maybe
         * use it for key exchange.  Don't mind errors from
         * EVP_PKEY_derive_set_peer, because it is completely valid to use a
         * client certificate for authorization only.
         */
        client_pub_pkey = X509_get0_pubkey(s->session->peer);
        if (client_pub_pkey) {
            if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
                ERR_clear_error();
        }
        /* Decrypt session key */
        sess_key_len = PACKET_remaining(pkt);
        if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto gerr;
        }
        if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag,
                             &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
            || Ttag != V_ASN1_SEQUENCE
            || Tclass != V_ASN1_UNIVERSAL) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
        start = data;
        inlen = Tlen;
        if (EVP_PKEY_decrypt
            (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
        /* Generate master secret */
        if (!ssl_generate_master_secret(s, premaster_secret,
                                        sizeof(premaster_secret), 0)) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto gerr;
        }
        /* Check if pubkey from client certificate was used */
        if (EVP_PKEY_CTX_ctrl
            (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
            s->statem.no_cert_verify = 1;

        EVP_PKEY_CTX_free(pkey_ctx);
        return MSG_PROCESS_CONTINUE_PROCESSING;
 gerr:
        EVP_PKEY_CTX_free(pkey_ctx);
        goto f_err;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
        goto f_err;
    }

    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
 err:
#endif
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
    EVP_PKEY_free(ckey);
#endif
    OPENSSL_free(rsa_decrypt);
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
#endif
    ossl_statem_set_error(s);
    return MSG_PROCESS_ERROR;
}

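/*
 * Finish processing of the ClientKeyExchange message once the key exchange
 * itself has been handled.
 *
 * On DTLS/SCTP builds the first pass (WORK_MORE_A) exports fresh SCTP-AUTH
 * key material and hands it to the BIO; the second pass (WORK_MORE_B) may
 * defer to a waiting SCTP message during renegotiation.  Afterwards the
 * handshake transcript buffer is either released (no CertificateVerify is
 * expected) or frozen for the upcoming signature check.
 *
 * Returns WORK_FINISHED_CONTINUE on success, WORK_MORE_B when the caller
 * must re-enter after a pending SCTP read, or WORK_ERROR on failure (with
 * the state machine error flag set).
 */
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
{
#ifndef OPENSSL_NO_SCTP
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));

            if (SSL_export_keying_material(s, sctpauthkey,
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
                ossl_statem_set_error(s);
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
            /* The key has been handed over; don't leave a copy on the stack. */
            OPENSSL_cleanse(sctpauthkey, sizeof(sctpauthkey));
        }
        wst = WORK_MORE_B;
    }

    if ((wst == WORK_MORE_B)
            /* Is this SCTP? */
            && BIO_dgram_is_sctp(SSL_get_wbio(s))
            /* Are we renegotiating? */
            && s->renegotiate
            /* Are we going to skip the CertificateVerify? */
            && (s->session->peer == NULL || s->statem.no_cert_verify)
            && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
        /*
         * An SCTP message is pending: switch the read BIO into retry mode
         * and ask the caller to come back once it has been consumed.
         */
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
        ossl_statem_set_sctp_read_sock(s, 1);
        return WORK_MORE_B;
    } else {
        ossl_statem_set_sctp_read_sock(s, 0);
    }
#endif

    if (s->statem.no_cert_verify || s->session->peer == NULL) {
        /*
         * No CertificateVerify will follow (either it was explicitly
         * skipped or the client sent no certificate), so the transcript
         * buffer is no longer needed.  Clear the pointer after freeing so
         * that nothing can touch or free the stale BIO later on.
         */
        BIO_free(s->s3->handshake_buffer);
        s->s3->handshake_buffer = NULL;
        return WORK_FINISHED_CONTINUE;
    }

    /* A CertificateVerify is expected, so the transcript must still exist. */
    if (s->s3->handshake_buffer == NULL) {
        SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
               ERR_R_INTERNAL_ERROR);
        ossl_statem_set_error(s);
        return WORK_ERROR;
    }
    /*
     * For sigalgs freeze the handshake buffer. If we support
     * extms we've done this already so this is a no-op
     */
    if (!ssl3_digest_cached_records(s, 1)) {
        ossl_statem_set_error(s);
        return WORK_ERROR;
    }

    return WORK_FINISHED_CONTINUE;
}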

/*
 * Process a CertificateVerify message: check that the client proved
 * possession of the private key for the certificate it sent by verifying
 * its signature over the handshake transcript held in
 * s->s3->handshake_buffer.
 *
 * Message layout: when SSL_USE_SIGALGS(s) holds, a 2-byte signature/hash
 * algorithm pair comes first; then a 2-byte length and the signature.
 * A bare 64-byte body from a GOST R 34.10-2001 key is accepted without a
 * length field for compatibility with CryptoPro CSP.
 *
 * Returns MSG_PROCESS_CONTINUE_PROCESSING on a valid signature, otherwise
 * MSG_PROCESS_ERROR after sending a fatal alert.  The transcript buffer and
 * the digest context are released on every path.
 */
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
{
    EVP_PKEY *pkey = NULL;
    const unsigned char *sig, *data;
#ifndef OPENSSL_NO_GOST
    unsigned char *gost_data = NULL;
#endif
    int al, ret = MSG_PROCESS_ERROR;
    int type = 0, j;
    unsigned int len;
    X509 *peer;
    const EVP_MD *md = NULL;
    long hdatalen = 0;
    void *hdata;

    EVP_MD_CTX *mctx = EVP_MD_CTX_new();

    if (mctx == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

    /* The signing key is the one from the client certificate already stored. */
    peer = s->session->peer;
    pkey = X509_get0_pubkey(peer);
    type = X509_certificate_type(peer, pkey);

    /* A certificate whose key cannot sign has no business sending this. */
    if (!(type & EVP_PKT_SIGN)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY,
               SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }

    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and n is exactly 64, it is bare signature without
     * length field (CryptoPro implementations at least till CSP 4.0)
     */
#ifndef OPENSSL_NO_GOST
    if (PACKET_remaining(pkt) == 64
        && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
        /*
         * NOTE(review): md stays NULL on this path as far as this function
         * shows; confirm EVP_VerifyInit_ex below accepts that, or whether a
         * default digest should be selected here as in the else branch.
         */
        len = 64;
    } else
#endif
    {
        if (SSL_USE_SIGALGS(s)) {
            int rv;

            /* Signature/hash algorithm pair; must be one we offered. */
            if (!PACKET_get_bytes(pkt, &sig, 2)) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
            if (rv == -1) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            } else if (rv == 0) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
#ifdef SSL_DEBUG
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
#endif
        } else {
            /* Use default digest for this key type */
            int idx = ssl_cert_type(NULL, pkey);
            if (idx >= 0)
                md = s->s3->tmp.md[idx];
            if (md == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
        }

        if (!PACKET_get_net_2(pkt, &len)) {
            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
    }
    /*
     * No signature can exceed the key's output size, and an empty body is
     * never valid.  Bytes left over after the signature are not rejected
     * here.
     */
    j = EVP_PKEY_size(pkey);
    if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
            || (PACKET_remaining(pkt) == 0)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
    if (!PACKET_get_bytes(pkt, &data, len)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }

    /* The signed data is the raw handshake transcript buffered so far. */
    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
    if (hdatalen <= 0) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
#ifdef SSL_DEBUG
    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
#endif
    if (!EVP_VerifyInit_ex(mctx, md, NULL)
        || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

#ifndef OPENSSL_NO_GOST
    {
        /* GOST signatures arrive byte-reversed relative to what EVP expects. */
        int pktype = EVP_PKEY_id(pkey);
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
            || pktype == NID_id_GostR3410_2012_512) {
            if ((gost_data = OPENSSL_malloc(len)) == NULL) {
                SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
            BUF_reverse(gost_data, data, len);
            data = gost_data;
        }
    }
#endif

    /* SSLv3 mixes the master secret into the CertificateVerify hash. */
    if (s->version == SSL3_VERSION
        && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
                            s->session->master_key_length,
                            s->session->master_key)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

    if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) {
        al = SSL_AD_DECRYPT_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
        goto f_err;
    }

    ret = MSG_PROCESS_CONTINUE_PROCESSING;
    /*
     * Error exits jump into this otherwise-unreachable block so that the
     * cleanup below is shared by both outcomes.
     */
    if (0) {
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        ossl_statem_set_error(s);
    }
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
    EVP_MD_CTX_free(mctx);
#ifndef OPENSSL_NO_GOST
    OPENSSL_free(gost_data);
#endif
    return ret;
}

/*
 * Process the client's Certificate message: parse the certificate list,
 * verify the chain (when non-empty) and install the leaf as
 * s->session->peer with the remaining certificates as
 * s->session->peer_chain.
 *
 * An empty list is fatal under SSLv3, and under TLS only when
 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set together with SSL_VERIFY_PEER;
 * otherwise the cached handshake records are digested and the handshake
 * continues without client authentication.
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success; MSG_PROCESS_ERROR after
 * sending a fatal alert on any failure.
 */
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
{
    /* al defaults to internal_error; decode failures override it below. */
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
    X509 *x = NULL;
    unsigned long l, llen;
    const unsigned char *certstart, *certbytes;
    STACK_OF(X509) *sk = NULL;
    PACKET spkt;

    if ((sk = sk_X509_new_null()) == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
    }

    /* 3-byte list length, and the list must fill the whole message. */
    if (!PACKET_get_net_3(pkt, &llen)
            || !PACKET_get_sub_packet(pkt, &spkt, llen)
            || PACKET_remaining(pkt) != 0) {
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }

    /* Each entry is a 3-byte length followed by one DER certificate. */
    while (PACKET_remaining(&spkt) > 0) {
        if (!PACKET_get_net_3(&spkt, &l)
                || !PACKET_get_bytes(&spkt, &certbytes, l)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
        if (x == NULL) {
            /*
             * NOTE(review): a malformed certificate is reported with the
             * default internal_error alert here; a decode_error would
             * describe it more accurately to the peer.
             */
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
        }
        /* The DER object must consume exactly the advertised length. */
        if (certbytes != (certstart + l)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }
        /* Ownership moved to the stack; don't free it again at done. */
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        /*
         * Verify the chain against the configured verify mode/callback; the
         * alert sent mirrors the X509 verification result.
         */
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        /* Values above 1 are treated as an SSL reason code. */
        if (i > 1) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* The leaf must carry a public key we can make sense of. */
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
    }

    /* Replace any previous peer certificate (NULL when the list was empty). */
    X509_free(s->session->peer);
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
     * certificate, while we do include it in statem_clnt.c
     */
    sk = NULL;
    ret = MSG_PROCESS_CONTINUE_READING;
    goto done;

 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    ossl_statem_set_error(s);
 done:
    /* Both are NULL on the success path; free is a no-op then. */
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
    return ret;
}

/*
 * Build the server Certificate message from the certificate/key pair that
 * ssl_get_server_send_pkey selects for the negotiated cipher suite.
 *
 * Returns 1 on success, 0 when no suitable pair exists or the chain could
 * not be written (the state machine error flag is set in both cases).
 */
int tls_construct_server_certificate(SSL *s)
{
    CERT_PKEY *cpk = ssl_get_server_send_pkey(s);

    /* Short-circuit keeps ssl3_output_cert_chain from seeing a NULL pair. */
    if (cpk == NULL || !ssl3_output_cert_chain(s, cpk)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        ossl_statem_set_error(s);
        return 0;
    }

    return 1;
}

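/*
 * Build a NewSessionTicket handshake message (RFC 5077) for the current
 * session.
 *
 * The session is serialised, re-parsed into a private copy (so it can be
 * modified without touching the session shared with other threads) and its
 * session ID dropped, since it is irrelevant inside a ticket.  The ticket
 * body is then laid out as
 *
 *   key_name (TLSEXT_KEYNAME_LENGTH) || IV || Enc(session) || HMAC
 *
 * where the HMAC covers key_name, IV and ciphertext (encrypt-then-MAC).
 * If the SSL_CTX has a tlsext_ticket_key_cb it supplies key_name, IV and
 * the initialised cipher/HMAC contexts; a callback result of 0 produces an
 * empty ticket.  Otherwise the ticket is protected with the context's
 * AES-256-CBC key and HMAC-SHA256 key.
 *
 * Returns 1 on success with the message in s->init_buf, 0 on failure with
 * the state machine error flag set.
 */
int tls_construct_new_session_ticket(SSL *s)
{
    unsigned char *senc = NULL;
    EVP_CIPHER_CTX *ctx = NULL;
    HMAC_CTX *hctx = NULL;
    unsigned char *p, *macstart;
    const unsigned char *const_p;
    int len, slen_full, slen;
    SSL_SESSION *sess;
    unsigned int hlen;
    SSL_CTX *tctx = s->initial_ctx;
    unsigned char iv[EVP_MAX_IV_LENGTH];
    unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
    int iv_len;

    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
        ossl_statem_set_error(s);
        return 0;
    }
    senc = OPENSSL_malloc(slen_full);
    if (senc == NULL) {
        ossl_statem_set_error(s);
        return 0;
    }

    ctx = EVP_CIPHER_CTX_new();
    hctx = HMAC_CTX_new();
    /*
     * Both contexts are handed to the ticket key callback or initialised
     * below; neither path tolerates a NULL context, so fail early.
     */
    if (ctx == NULL || hctx == NULL)
        goto err;

    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;

    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */

    /* Re-encode the trimmed copy into the same buffer; it can only shrink. */
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);

    /*-
     * Grow buffer if need be: the length calculation is as
     * follows handshake_header_length +
     * 4 (ticket lifetime hint) + 2 (ticket length) +
     * sizeof(keyname) + max_iv_len (iv length) +
     * max_enc_block_size (max encrypted session * length) +
     * max_md_size (HMAC) + session_length.
     */
    if (!BUF_MEM_grow(s->init_buf,
                      SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) +
                      EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
                      EVP_MAX_MD_SIZE + slen))
        goto err;

    p = ssl_handshake_start(s);
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
    if (tctx->tlsext_ticket_key_cb) {
        /* if 0 is returned, write an empty ticket */
        int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx,
                                             hctx, 1);

        if (ret == 0) {
            l2n(0, p); /* timeout */
            s2n(0, p); /* length */
            if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET,
                                          p - ssl_handshake_start(s)))
                goto err;
            /* senc holds the serialised session; scrub it on release. */
            OPENSSL_clear_free(senc, slen_full);
            EVP_CIPHER_CTX_free(ctx);
            HMAC_CTX_free(hctx);
            return 1;
        }
        if (ret < 0)
            goto err;
        /* The callback chose the cipher, so take the IV length from it. */
        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
    } else {
        const EVP_CIPHER *cipher = EVP_aes_256_cbc();

        iv_len = EVP_CIPHER_iv_length(cipher);
        if (RAND_bytes(iv, iv_len) <= 0)
            goto err;
        if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
                                tctx->tlsext_tick_aes_key, iv))
            goto err;
        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
                          sizeof(tctx->tlsext_tick_hmac_key),
                          EVP_sha256(), NULL))
            goto err;
        memcpy(key_name, tctx->tlsext_tick_key_name,
               sizeof(tctx->tlsext_tick_key_name));
    }

    /*
     * Ticket lifetime hint (advisory only): We leave this unspecified
     * for resumed session (for simplicity), and guess that tickets for
     * new sessions will live as long as their sessions.
     */
    l2n(s->hit ? 0 : s->session->timeout, p);

    /* Skip ticket length for now */
    p += 2;
    /* Output key name; the MAC covers everything from here on. */
    macstart = p;
    memcpy(p, key_name, sizeof(key_name));
    p += sizeof(key_name);
    /* output IV */
    memcpy(p, iv, iv_len);
    p += iv_len;
    /* Encrypt session data */
    if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen))
        goto err;
    p += len;
    if (!EVP_EncryptFinal(ctx, p, &len))
        goto err;
    p += len;

    /* MAC over key_name || IV || ciphertext, appended after the ciphertext. */
    if (!HMAC_Update(hctx, macstart, p - macstart))
        goto err;
    if (!HMAC_Final(hctx, p, &hlen))
        goto err;

    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
    /* Cleared so a later goto err cannot free them twice. */
    ctx = NULL;
    hctx = NULL;

    p += hlen;
    /* Now write out lengths: p points to end of data written */
    /* Total length */
    len = p - ssl_handshake_start(s);
    /* Skip ticket lifetime hint */
    p = ssl_handshake_start(s) + 4;
    /* Ticket length excludes the 4-byte hint and the 2-byte length itself. */
    s2n(len - 6, p);
    if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
        goto err;
    /* senc holds the serialised session; scrub it on release. */
    OPENSSL_clear_free(senc, slen_full);

    return 1;
 err:
    OPENSSL_clear_free(senc, slen_full);
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
    ossl_statem_set_error(s);
    return 0;
}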

/*
 * Build a CertificateStatus handshake message carrying the OCSP response
 * stored on the connection (s->tlsext_ocsp_resp / s->tlsext_ocsp_resplen)
 * directly into s->init_buf, and set init_num/init_off for the writer.
 *
 * Returns 1 on success, 0 if init_buf could not be grown (the state machine
 * error flag is set).
 */
int tls_construct_cert_status(SSL *s)
{
    unsigned char *out;

    /*-
     * Message layout, 8 bytes of framing plus the response itself:
     *   1  message type (SSL3_MT_CERTIFICATE_STATUS)
     *   3  message length
     *   1  status type
     *   3  OCSP response length
     *   n  OCSP response
     */
    if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
        ossl_statem_set_error(s);
        return 0;
    }

    out = (unsigned char *)s->init_buf->data;
    *out++ = SSL3_MT_CERTIFICATE_STATUS;
    /* Message body = status type (1) + response length (3) + response. */
    l2n3(s->tlsext_ocsp_resplen + 4, out);
    *out++ = s->tlsext_status_type;
    l2n3(s->tlsext_ocsp_resplen, out);
    memcpy(out, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);

    /* Tell the writer how much of init_buf to send, starting at offset 0. */
    s->init_off = 0;
    s->init_num = 8 + s->tlsext_ocsp_resplen;

    return 1;
}

#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * Read a NextProtocol (NPN) handshake message from the client and record the
 * selected protocol in s->next_proto_negotiated /
 * s->next_proto_negotiated_len.
 *
 * Wire format (two length-prefixed vectors, no trailing data):
 *   uint8 proto_len;   uint8 proto[proto_len];
 *   uint8 padding_len; uint8 padding[padding_len];
 *
 * Returns MSG_PROCESS_CONTINUE_READING on success, MSG_PROCESS_ERROR on a
 * malformed message or a failed copy (state machine error flag set).
 */
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
{
    PACKET proto, pad;
    size_t protolen;

    /* Both vectors must be present and together exhaust the message. */
    if (!PACKET_get_length_prefixed_1(pkt, &proto)
        || !PACKET_get_length_prefixed_1(pkt, &pad)
        || PACKET_remaining(pkt) > 0) {
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
        ossl_statem_set_error(s);
        return MSG_PROCESS_ERROR;
    }

    /* Keep our own copy of the protocol name; the padding is discarded. */
    if (!PACKET_memdup(&proto, &s->next_proto_negotiated, &protolen)) {
        s->next_proto_negotiated_len = 0;
        ossl_statem_set_error(s);
        return MSG_PROCESS_ERROR;
    }

    /* A one-byte length prefix guarantees protolen fits in unsigned char. */
    s->next_proto_negotiated_len = (unsigned char)protolen;

    return MSG_PROCESS_CONTINUE_READING;
}
#endif

#define SSLV2_CIPHER_LEN    3

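/*
 * Parse the cipher suite list from a ClientHello into a STACK_OF(SSL_CIPHER).
 *
 * |cipher_suites| holds the raw suite bytes, each entry TLS_CIPHER_LEN bytes
 * long, or SSLV2_CIPHER_LEN bytes when |sslv2format| is set (SSLv2-compatible
 * ClientHello). A raw copy of the bytes is kept in s->s3->tmp.ciphers_raw.
 * The two signalling suites are consumed here rather than pushed onto the
 * list: TLS_EMPTY_RENEGOTIATION_INFO_SCSV sets s->s3->send_connection_binding
 * (and is fatal while renegotiating), TLS_FALLBACK_SCSV triggers the version
 * downgrade check. Unknown suites and true SSLv2 suites are skipped.
 *
 * If |skp| is NULL or *skp is NULL a new stack is allocated (and stored in
 * *skp when |skp| is non-NULL); otherwise *skp is emptied and reused.
 * Returns the stack on success, or NULL on failure with *al set to the alert
 * to send. A stack allocated here is freed on failure; a caller-supplied one
 * is left to the caller.
 */
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                               PACKET *cipher_suites,
                                               STACK_OF(SSL_CIPHER) **skp,
                                               int sslv2format, int *al
                                               )
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk;
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];

    s->s3->send_connection_binding = 0;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    /* An empty list is a client error, not a decoding error. */
    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return NULL;
    }

    /* Every suite is exactly |n| bytes, so the list length must be a multiple. */
    if (PACKET_remaining(cipher_suites) % n != 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
        *al = SSL_AD_DECODE_ERROR;
        return NULL;
    }

    if ((skp == NULL) || (*skp == NULL)) {
        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
        if (sk == NULL) {
            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
            *al = SSL_AD_INTERNAL_ERROR;
            return NULL;
        }
    } else {
        sk = *skp;
        sk_SSL_CIPHER_zero(sk);
    }

    /*
     * Keep a verbatim copy of the suite bytes. Record the failure in the
     * error queue like every other failure path in this function does.
     */
    if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                       &s->s3->tmp.ciphers_rawlen)) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
        *al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }

    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
         */
        if (sslv2format && cipher[0] != '\0')
            continue;

        /*
         * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV. The suite id is always
         * the last two bytes, whatever the entry width.
         */
        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
            /* SCSV fatal if renegotiating */
            if (s->renegotiate) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                *al = SSL_AD_HANDSHAKE_FAILURE;
                goto err;
            }
            s->s3->send_connection_binding = 1;
            continue;
        }

        /* Check for TLS_FALLBACK_SCSV */
        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
            /*
             * The SCSV indicates that the client previously tried a higher
             * version. Fail if the current version is an unexpected
             * downgrade.
             */
            if (!ssl_check_version_downgrade(s)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_INAPPROPRIATE_FALLBACK);
                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
                goto err;
            }
            continue;
        }

        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
        /* Suites we do not know are silently dropped from the list. */
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
                *al = SSL_AD_INTERNAL_ERROR;
                goto err;
            }
        }
    }
    /*
     * The divisibility check above means the loop consumes every byte;
     * anything left over is an internal inconsistency, not a client error.
     */
    if (PACKET_remaining(cipher_suites) > 0) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    if (skp != NULL)
        *skp = sk;
    return (sk);
 err:
    /* Only free a stack we allocated ourselves; a caller's stack is theirs. */
    if ((skp == NULL) || (*skp == NULL))
        sk_SSL_CIPHER_free(sk);
    return NULL;
}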